Privacy policy

Last updated: 16 April 2026

Language: This is the English version of Luma’s privacy policy. The Norwegian version is the primary document for users in Norway; both describe the same processing.

1. Controller

Luma AS is the controller for the personal data you provide when you use our website (luma.no), web application, and mobile apps (collectively, the “Service”). For privacy questions contact hei@luma.no.

2. Scope

This policy applies to all processing carried out in connection with the Service, whether you access it in a browser or through our iOS or Android apps.

3. Categories of personal data

Depending on how you use the Service, we may process:

  • Account and identity: name, email address, authentication identifiers, and preferences stored on your profile.
  • Financial and budget data: transactions, categories, budgets, rules, imports, and similar information you enter or upload (including CSV or other supported files).
  • Bank connection data (optional): if you connect accounts via our bank integration partner (Tink), we process data necessary to retrieve and display account and transaction information in line with the permissions you grant. We do not use this integration for purposes unrelated to providing the Service.
  • Technical and security data: IP address, device/browser type, timestamps, cookies or similar technologies needed to operate and secure the Service, and diagnostic logs from our hosting providers.
  • Product analytics: when product analytics is enabled in production, event and usage data is sent to PostHog (hosted in the EU) to understand feature usage, improve reliability, and develop the product. Some events may be associated with your user account identifier or email where our client identifies you after sign-in or sign-up.

4. Purposes and legal bases (GDPR)

We process personal data on the following bases:

  • Performance of a contract (Art. 6(1)(b)) — providing accounts, syncing data you choose to connect, storing your financial records, budgets, and imports, and communicating about the Service.
  • Legitimate interests (Art. 6(1)(f)) — securing the Service, preventing abuse, limited product analytics that do not override your rights, service improvement, and internal reporting in aggregated form where possible.
  • Legal obligation (Art. 6(1)(c)) — where applicable, retaining or disclosing information to comply with law or competent authorities.

5. Automated processing and suggestions

The Service may suggest categories or detect patterns (for example internal transfers or import mapping) using rules and models applied to your data. These tools support you and do not produce legal or similarly significant effects solely by automated means without human involvement; you can always review and change categories and related settings.

6. Processors and recipients

We use vetted service providers who process personal data on our instructions (processors), including where relevant:

  • Supabase (database, authentication, and related infrastructure in the EEA).
  • Tink (optional bank account aggregation).
  • PostHog (product analytics in the EU).
  • Infrastructure and email delivery providers required to host and operate the Service.

We do not sell your personal data. We do not share personal data with third parties for their independent marketing purposes.

7. Transfers outside the EEA

We primarily store and process data in the European Economic Area (EEA). If a processor transfers data outside the EEA, we rely on appropriate safeguards under GDPR (such as the EU Commission Standard Contractual Clauses) and supplementary measures where required.

8. Retention

We keep your data for as long as your account is active. If you delete your account, we delete or anonymise personal data within a reasonable period (typically within 30 days) unless longer retention is required by law or necessary to resolve disputes or enforce our terms.

9. Security

We use industry-standard measures including encryption in transit (TLS), access controls, separation of environments, and processor agreements. No method of transmission or storage is completely secure; we work continuously to protect your information.

10. Cookies and local storage (web)

Our website and web app use cookies and similar technologies that are strictly necessary for authentication and session management, and to remember display preferences where you opt in to saving them. Analytics may use browser storage as configured for PostHog.

11. Your rights

Under the GDPR and Norwegian privacy law you may, subject to conditions in the law:

  • Request access to personal data we hold about you.
  • Request rectification of inaccurate data.
  • Request erasure (“right to be forgotten”) where applicable.
  • Request restriction of processing or object to processing based on legitimate interests.
  • Request data portability for data you provided, where processing is based on contract or consent and is automated.
  • Lodge a complaint with a supervisory authority.

Contact hei@luma.no to exercise your rights. In Norway the supervisory authority is Datatilsynet.

12. Children

The Service is not directed at children under 16. If you believe we have collected data from a child, please contact us and we will take appropriate steps to delete it.

13. Changes

We may update this policy to reflect changes in the Service or legal requirements. We will publish the updated version on this page with a new “Last updated” date. Where changes are material, we will provide additional notice as appropriate (for example by email or in-app message).

14. Legal notice

This policy is provided for transparency. It does not constitute legal advice. If you need certainty for your specific situation, consult a qualified lawyer.