Lumin — Privacy Policy
English
Lumin (the "App") is a personal travel journal. We collect only the minimum data needed to run the App and we never share your data with advertisers.
What we store on your behalf
- Sign in with Apple identifier — a pseudonymous user ID issued by Apple. You may also share your real email or use Apple's Hide My Email proxy.
- Apple OAuth refresh token (encrypted at rest with AES via PostgreSQL pgcrypto). Used solely to call Apple's token-revoke endpoint at the moment you delete your Lumin account, so that Lumin disappears from your iPhone's Settings → Apple ID → Sign in with Apple list. The plaintext token is never logged or shared.
- Visits you record: countries, regions, cities, dates, and notes. All entered manually by you.
- Subscription state from Apple, received via RevenueCat.
- App preferences: locale, appearance (light/dark), map style choice, alternate icon selection.
What we never store
- Your photos. Lumin reads EXIF GPS coordinates locally on your device to suggest visits, then discards the result. Photos and thumbnails are never uploaded.
- Continuous or background location. Location services are used only when you explicitly trigger photo geolocation import.
- Advertising or analytics IDs. There are no third-party analytics SDKs in the App.
Where data lives
- Supabase (Postgres, hosted in the AP-Northeast / AP-East region). Row-Level Security ensures every row is readable only by its owner.
- RevenueCat handles subscription state and forwards events to Supabase via webhook.
- Apple App Store handles payment, receipts, and Sign in with Apple.
- Apple Sign-In REST API is called server-side at sign-in (to capture a long-lived refresh token) and at account deletion (to revoke that token). The refresh token never leaves our backend in plaintext form.
Map tile providers
- Illustrated and Particle styles render entirely on-device with no network calls.
- Parchment style streams vector tiles from Stadia Maps. Your IP address is shared with Stadia per their privacy policy at https://stadiamaps.com/privacy/.
- Apple Maps style uses MapKit; Apple receives standard MapKit telemetry per Apple's privacy policy.
Your rights
- Access / Export: Settings → Data Export downloads your full record as JSON.
- Erasure: Settings → Account → Delete Account wipes all server-side data immediately. For Sign in with Apple users, deletion also revokes your Apple authorization, so Lumin disappears from your iPhone's Settings → Apple ID → Sign in with Apple list.
- Portability: the Export action satisfies GDPR Article 20.
- EU residents may also lodge a complaint with their local supervisory authority.
Data retention
We keep your data only as long as your account exists. Account deletion is immediate, irreversible, and cascades through every Lumin-controlled record.
Children
Lumin is not directed at children under 13. We do not knowingly collect data from anyone under that age.
California residents
We do not sell or share personal information for cross-context behavioral advertising.
Changes
Material changes to this policy will be announced in-app before they take effect, and this URL will reflect the change with an updated Last updated date.
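Simplified Chinese
Lumin (hereinafter "the App") is a personal travel journal. We collect only the minimum data necessary to run it, and we never share it with advertisers.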
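What we store for you
- Sign in with Apple identifier: a pseudonymous user ID issued by Apple. You may also choose to share your real email or use Apple's Hide My Email proxy.
- Apple OAuth refresh token (stored encrypted with AES via PostgreSQL pgcrypto). Used solely to call Apple's token revoke endpoint at the moment you delete your Lumin account, to ensure that Lumin disappears from your iPhone's Settings → Apple ID → Sign in with Apple app list. The plaintext token is never logged and never shared.
- Visits you actively record: countries, provinces/states, cities, dates, and text notes. All entered manually by you.
- Subscription state: synced to us by Apple via RevenueCat.
- App preferences: language, theme (light/dark), map style, alternate icon selection.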
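What we never store
- Your photos. Lumin only reads EXIF GPS coordinates locally on your device to suggest visits, and discards them immediately after reading. Photos and thumbnails are never uploaded.
- Continuous or background location. Location services are used only when you explicitly trigger photo geolocation import.
- Advertising or analytics IDs. There are no third-party analytics SDKs in the App.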
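Data hosting
- Supabase (Postgres, hosted in the AP-Northeast / AP-East region). Row-Level Security (RLS) ensures each row of data is accessible only to its owner.
- RevenueCat handles subscription state and syncs it to Supabase via webhook.
- Apple App Store handles payment, receipts, and Sign in with Apple.
- Apple Sign-In REST API is called when you sign in (to obtain a long-lived refresh token) and when you delete your account (to revoke that token). The refresh token never leaves our backend in plaintext form.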
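Map tile sources
- Illustrated and Particle styles render entirely on-device, with zero network requests.
- Parchment style pulls vector tiles from Stadia Maps. Your IP address is exposed to Stadia per Stadia's privacy policy (https://stadiamaps.com/privacy/).
- Apple Maps style uses MapKit; Apple receives standard MapKit telemetry per its privacy policy.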
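Your rights
- Access / Export: Settings → Data Export lets you download your complete data as JSON.
- Erasure: Settings → Account → Delete Account clears all cloud data immediately. For Sign in with Apple users, deletion also revokes the authorization on Apple's side, so Lumin disappears from your iPhone's Settings → Apple ID → Sign in with Apple app list.
- Data portability: the export action satisfies GDPR Article 20.
- EU residents may also lodge a complaint with their local supervisory authority.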
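Data retention
We retain your data only while your account exists. Account deletion takes effect immediately, is irreversible, and cascades to clear every Lumin-controlled record.
Children
Lumin is not directed at children under 13. We do not actively collect data from users under that age.
California residents
We do not sell or share personal information for cross-context behavioral advertising.
Changes
Material changes to this policy will be announced in-app, and this URL will also be updated with a new "Last updated" date.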