Lumin — Privacy Policy
English
Lumin (the "App") is a personal travel journal. We collect only the minimum data needed to run the App and we never share your data with advertisers.
What we store on your behalf
- An account identifier from the sign-in method you choose:
  - Sign in with Apple — a pseudonymous user ID issued by Apple. You may also share your real email or use Apple's Hide My Email proxy.
  - Sign in with Google — your Google account identifier and email address. We request only the basic email and profile scopes, and we never access your Google account server-side.
  - Email sign-in — the email address you enter, used to send you a magic sign-in link.
- Apple OAuth refresh token (encrypted at rest with AES via PostgreSQL pgcrypto). Used solely to call Apple's token-revoke endpoint at the moment you delete your Lumin account, so that Lumin disappears from your iPhone's Settings → Apple ID → Sign in with Apple list. The plaintext token is never logged or shared.
- Visits you record: countries, regions, cities, dates, and notes. All entered manually by you.
- Souvenir stickers you create. When you make a sticker, the subject cut-out (a small PNG produced on your device) is uploaded to a private storage bucket readable only by you. Stickers are deleted together with the visit they belong to, and with your account.
- Your avatar (optional). If you set a profile picture, that image is stored in a private storage bucket readable only by you, and is deleted with your account.
- Subscription state from Apple, received via RevenueCat.
- App preferences: locale, appearance (light/dark), map style choice, alternate icon selection.
What we never store
- Your photo library. Lumin reads EXIF GPS coordinates locally on your device to suggest visits, then discards the result. Original photos, thumbnails, and photo-library asset identifiers are never uploaded. The only image data ever uploaded is content you explicitly create — sticker cut-outs and an optional avatar, both described above. Sticker cut-outs are produced entirely on-device, with EXIF metadata stripped before processing; the original photo never leaves your device.
- Continuous or background location. Location is used only on-demand — to detect your current city for quick visit logging and to look up the city/country of photos you import — never continuously and never in the background.
- Advertising or analytics IDs. There is zero third-party analytics SDK in the App.
Health & workout data
- Read-only GPS routes. If you enable Workout Memories, Lumin reads only the GPS route of your past outdoor workouts from Apple HealthKit, on your device, to light up the places you've been on the map.
- What we never read. We never read any health or fitness metrics — heart rate, calories, steps, distance, sleep, or any other HealthKit data type other than the workout route.
- Never uploaded, never for advertising. Workout routes are processed entirely on-device; only the derived country/city is saved as an ordinary visit, and the raw route is never uploaded, shared, or stored on our servers. Data obtained through HealthKit is never used for advertising or marketing and is never sold to third parties.
- You can turn this off any time in Settings → Account → Workout Memories, and revoke HealthKit access in iOS Settings → Privacy & Security → Health.
Where data lives
- Supabase (Postgres, hosted in the AP-Northeast / AP-East region). Row-Level Security ensures every row is readable only by its owner.
- RevenueCat handles subscription state and forwards events to Supabase via webhook.
- Apple App Store handles payment, receipts, and Sign in with Apple.
- Apple Sign-In REST API is called server-side at sign-in (to capture a long-lived refresh token) and at account deletion (to revoke that token). The refresh token never leaves our backend in plaintext form.
- Google verifies Sign in with Google on your device; our backend receives only the resulting identity token (your Google ID and email) and stores no Google credentials.
Map tile providers
- All four map styles (North Star, Vintage, Dark, 3D Effect) stream vector map tiles from Mapbox. To deliver tiles, your IP address is shared with Mapbox, governed by Mapbox's privacy policy at https://www.mapbox.com/legal/privacy.
- Mapbox's in-app telemetry / analytics collection is disabled by Lumin.
Your rights
- Access & portability: You can request a copy of your data in a structured, machine-readable JSON format, free of charge, by emailing support@luminmap.com. Lumin Club members can also export it instantly in-app via Settings → Data Export. This fulfils the GDPR Article 20 right to data portability.
- Erasure: Settings → Account → Delete Account wipes all server-side data immediately and free of charge — including your visits, stickers, and avatar. For Sign in with Apple users, deletion also revokes your Apple authorization, so Lumin disappears from your iPhone's Settings → Apple ID → Sign in with Apple list.
- EU residents may also lodge a complaint with their local supervisory authority.
Data retention
We keep your data only as long as your account exists. Account deletion is immediate, irreversible, and cascades through every Lumin-controlled record.
Children
Lumin is not directed at children under 13. We do not knowingly collect data from anyone under that age.
California residents
We do not sell or share personal information for cross-context behavioral advertising.
Changes
Material changes to this policy will be announced in-app before they take effect, and this URL will reflect the change with an updated "Last updated" date.
Simplified Chinese (translated)
Lumin (the "App") is a personal travel journal. We collect only the minimum data necessary to run it, and we never share it with advertisers.
What we store for you
- The account identifier from the sign-in method you choose:
  - Sign in with Apple — a pseudonymous user ID issued by Apple. You may also choose to share your real email or use Apple's Hide My Email proxy.
  - Google sign-in — your Google account identifier and email address. We request only the basic email and profile scopes, and we never access your Google account server-side.
  - Email sign-in — the email address you enter, used to send you a magic sign-in link.
- Apple OAuth refresh token (stored encrypted with AES via PostgreSQL pgcrypto). Used only to call Apple's token-revoke endpoint at the moment you delete your Lumin account, so that Lumin disappears from the list at Settings → Apple ID → Apps Using Sign in with Apple on your iPhone. The plaintext token is never logged and never shared.
- Visits you record: country, province/state, city, date, and text notes. Entered entirely by you, by hand.
- Souvenir stickers you create. When you make a sticker, the subject cut-out (a small PNG generated on your device) is uploaded to a private storage bucket readable only by you. Stickers are deleted when the visit they belong to is deleted, and are cleared when your account is deleted.
- Your avatar (optional). If you set an avatar, the image is stored in a private storage bucket readable only by you and is cleared when your account is deleted.
- Subscription state — synced to us by Apple via RevenueCat.
- App preferences: language, theme (light/dark), map style, alternate icon selection.
What we never store
- Your photo library. Lumin reads EXIF GPS coordinates only locally on your device to suggest visits, and discards them immediately after reading. Original photos, thumbnails, and photo-library asset identifiers are never uploaded. The only image data ever uploaded is content you actively create — sticker cut-outs and the optional avatar (both described above). Sticker cut-outs are generated entirely on-device, with EXIF metadata stripped before processing; the original photo never leaves your device.
- Continuous or background location. Location is used only on demand — to identify the city you are currently in for quick visit logging, and to look up the city/country of photos you import — never continuously and never in the background.
- Advertising or analytics IDs. The App contains zero third-party analytics SDKs.
Health & workout data
- Read-only GPS routes. If you enable Workout Memories, Lumin reads only the GPS routes of your past outdoor workouts from Apple HealthKit, locally on your device, to light up the places you've been on the map.
- What we never read. We never read any health or fitness metrics — heart rate, calories, steps, distance, sleep, or any HealthKit data type other than the workout route.
- Never uploaded, never used for advertising. Workout routes are processed entirely on-device; only the derived country/city is saved as an ordinary visit, and the raw route is never uploaded, shared, or stored on our servers. Data obtained through HealthKit is never used for advertising or marketing and is never sold to third parties.
- You can turn this feature off at any time in Settings → Account → Workout Memories, and revoke HealthKit authorization in iOS Settings → Privacy & Security → Health.
Where data is hosted
- Supabase (Postgres, hosted in the AP-Northeast / AP-East region). Row-Level Security (RLS) ensures each row is accessible only by its owner.
- RevenueCat handles subscription state and syncs it to Supabase via webhook.
- Apple App Store handles payment, receipts, and Sign in with Apple.
- The Apple Sign-In REST API is called when you sign in (to obtain a long-lived refresh token) and when you delete your account (to revoke that token). The refresh token never leaves our backend in plaintext form.
- Google sign-in verification is completed on your device; our backend receives only an identity token (your Google ID and email) and stores no Google credentials.
Map tile sources
- All four map styles (North Star, Vintage, Dark, 3D Effect) fetch vector map tiles from Mapbox. To deliver tiles, your IP address is exposed to Mapbox and is governed by Mapbox's privacy policy (https://www.mapbox.com/legal/privacy).
- Lumin has disabled Mapbox's in-app telemetry / analytics collection.
Your rights
- Access & data portability: You may at any time email support@luminmap.com to request, free of charge, a copy of your data in a structured, machine-readable JSON format. Lumin Club members can also export it instantly with one tap in Settings → Data Export. This satisfies the right to data portability under GDPR Article 20.
- Erasure: Settings → Account → Delete Account clears all cloud-side data immediately and free of charge — including your visits, stickers, and avatar. For users who signed in with Apple, deletion also revokes the authorization on Apple's side — Lumin disappears from the list at Settings → Apple ID → Apps Using Sign in with Apple on your iPhone.
- EU residents may also lodge a complaint with their local supervisory authority.
Data retention
We retain your data only for as long as your account exists. Account deletion takes effect immediately, is irreversible, and cascades to clear every Lumin-controlled record.
Children
Lumin is not directed at children under 13. We do not knowingly collect data from users under that age.
California residents
We do not sell or share personal information for cross-context behavioral advertising.
Changes
Material changes to this policy will be announced in-app, and this URL will be updated with a new "Last updated" date at the same time.