Privacy Policy

Introduction

Lumina is built by Soma AI. We take the privacy of your health data seriously. This policy describes what data we collect, how we use it, who we share it with, and your rights over your information. We believe your health data belongs to you — we are the custodian, not the owner.

Data we collect

When you use Lumina, we collect:

• Account information: your email address and password (encrypted) for authentication.
• Health data you provide: lab results, biomarker values, medical imaging metadata, protocols, supplements, body composition measurements, and any notes you add. This is Protected Health Information (PHI).
• Usage data: which features you use, how often, and general interaction patterns. We do not track individual page views or keystrokes.
• Device information: browser type, operating system, and IP address for security (audit logging, rate limiting, session management).

How we use your data

• To provide the Lumina service: storing your health data, displaying trends, generating insights.
• To generate AI-powered analysis: your biomarker data is sent to Anthropic (Claude) for interpretation. We send only the data needed for the specific analysis — never your name, email, or other identifying information. See the AI Processing section below.
• To protect your account: audit logging, rate limiting, session management, and abuse detection.
• To improve Lumina: aggregated, anonymized usage patterns help us understand which features are valuable. We never use individual health data for product development.

AI processing

Lumina uses Anthropic's Claude AI to analyze your biomarker data, extract lab results from uploaded documents, and generate health insights. When your data is sent to Anthropic for processing, it is transmitted over encrypted connections (TLS). Anthropic does not use your data to train their models. We are pursuing a Business Associate Agreement (BAA) with Anthropic to formalize PHI handling obligations.

Who we share your data with

Your health data is shared only in these circumstances:

• Infrastructure providers: Supabase (database hosting), Vercel (application hosting), Upstash (rate limiting), and Anthropic (AI analysis). Each processes data only as needed to provide their service.
• People you choose: when you use Lumina's sharing features to grant access to practitioners, family members, or health coaches. You control who has access and can revoke it anytime.
• We never sell your data. We never share your data with advertisers. We never use your health data for marketing.

Data security

Your data is encrypted in transit (TLS/HTTPS enforced via HSTS) and at rest (Supabase provides encryption at rest). All API access requires authentication. Row-Level Security (RLS) ensures you can only access your own data. Every access to health data is audit-logged. Sessions expire after 30 minutes of inactivity. Accounts are locked after 5 failed login attempts.

Your rights

• Access: you can view all your health data at any time through the Lumina dashboard.
• Export: you can export all your data in CSV or JSON format at any time from Settings.
• Deletion: you can delete your account and all associated data from Settings. Deletion has a 30-day grace period, after which all data is permanently removed.
• Revoke sharing: you can revoke any shared access or shared report link at any time, effective immediately.

Cookies

Lumina uses cookies solely for authentication (maintaining your login session) and language preference. We do not use tracking cookies, advertising cookies, or analytics cookies. No third-party cookies are set.

Contact

For privacy questions or to exercise your data rights, contact us at privacy@lumina.health.