Lumen Privacy Policy
Effective date: June 28, 2026
Last updated: June 28, 2026
This Privacy Policy explains how Warren Lavallee ("Lumen," "we," "us," or "our") collects, uses, discloses, and protects information in connection with Lumen, an AI image generation service available at lavall.ee and through associated API and Model Context Protocol (MCP) endpoints (collectively, the "Service").
By using the Service, you agree to the practices described in this Policy. If you do not agree, do not use the Service.
1. Information We Collect
Information you provide.
- Prompts and inputs. The text prompts, parameters, and any images or files you submit to generate Output.
- Account and contact information. When you create an account or contact us: your email address, a hashed (not plaintext) password, and your plan and usage records.
- Your provider API key. Lumen is a "bring your own key" service. You supply your own OpenAI or Google API key, which we encrypt at rest using envelope encryption and use only to generate images on your behalf. We never display it back to you after you save it, and we never share it with anyone.
- Payment information. The Service is paid. Billing details are processed through our third-party payment provider. We do not store full payment card numbers ourselves.
Information collected automatically.
- Generated content. The images the Service produces in response to your prompts, which are temporarily stored and hosted at URLs we provide.
- Technical and usage data. IP address, browser or client type, device and connection information, request timestamps, the endpoints accessed, and similar log data generated when you use the Service.
- Cookies. We use a single essential session cookie to keep you signed in to the dashboard. We do not use third-party analytics, advertising, or tracking cookies.
2. How We Use Information
We use the information described above to:
- provide, operate, and maintain the Service, including generating and delivering Output;
- authenticate users and secure the Service against abuse, fraud, and unauthorized access, including per-user rate limiting;
- monitor and enforce our Terms of Service and Acceptable Use requirements, including content moderation and detection of prohibited content;
- diagnose problems, improve performance, and develop new features;
- process payments and manage accounts;
- communicate with you about the Service, including service-related notices and password resets; and
- comply with legal obligations and respond to lawful requests.
3. How Information Is Shared
We do not sell your personal information. We share information only as follows:
- Service providers. With third parties that help us operate the Service: our cloud infrastructure provider (Cloudflare), the AI model provider you direct us to use (OpenAI or Google) to process your prompts, and our payment processor. These providers are authorized to use information only as necessary to provide their services to us — except that prompts you send to OpenAI or Google are processed under your own provider account and their terms (see Section 4).
- Legal and safety. When we believe disclosure is reasonably necessary to comply with a law, regulation, legal process, or governmental request; to enforce our Terms; to detect, prevent, or address fraud, security, or technical issues; or to protect the rights, property, or safety of Lumen, our users, or the public. Content involving the sexual exploitation of minors will be reported to the appropriate authorities.
- Business transfers. In connection with a merger, acquisition, financing, or sale of assets, information may be transferred as part of that transaction, subject to this Policy.
- With your direction. When you ask us to share information or make it available, for example by sharing an Output URL.
4. Third-Party AI Processing
Lumen does not run its own image models. To generate images, your prompts and related inputs are transmitted to and processed by the AI model provider whose key you have supplied — OpenAI (`gpt-image-1`) or Google (`gemini-2.5-flash-image`). Because the Service uses your own API key, this processing occurs under your own account with that provider and is governed by that provider's terms and privacy policy. As of the effective date, both OpenAI's and Google's standard API terms state that they do not use data submitted through their paid APIs to train their models, but you are responsible for reviewing and relying on your provider's current terms. We transmit only what is necessary to fulfill your generation request.
5. Data Retention
We retain information for as long as necessary to provide the Service, comply with our legal obligations, resolve disputes, and enforce our agreements.
- Generated images and their prompts are retained for up to 90 days, after which they are automatically deleted from storage and from our records.
- Account information (email, hashed password, encrypted provider key, plan, and usage history) is retained while your account is active and deleted when you delete your account or ask us to delete it.
- Server logs are retained for a short period consistent with our infrastructure provider's defaults and our security needs.
When information is no longer needed, we will delete or de-identify it.
6. Security
We maintain reasonable administrative, technical, and physical safeguards designed to protect information against unauthorized access, use, alteration, and destruction, consistent with applicable law, including Massachusetts data security requirements (201 CMR 17.00) where applicable. Provider API keys are encrypted at rest; passwords are stored only as salted hashes. No method of transmission or storage is completely secure, however, and we cannot guarantee absolute security.
7. Your Rights and Choices
Depending on where you live, you may have rights regarding your personal information, including the right to access, correct, delete, or obtain a copy of it, and the right to object to or restrict certain processing. To exercise any of these rights, contact us using the details in Section 11. We will respond as required by applicable law and may need to verify your identity before acting on a request.
If you are a resident of California or another U.S. state with applicable privacy laws, you may have additional rights, including the right to know what personal information we collect and the right not to be discriminated against for exercising your rights. We do not sell personal information.
If you are located in the European Economic Area or the United Kingdom, our legal bases for processing include performance of a contract, compliance with legal obligations, and our legitimate interests in operating and securing the Service. You may also have the right to lodge a complaint with a supervisory authority.
8. Children's Privacy
The Service is not directed to, and is not intended for use by, children under 18. We do not knowingly collect personal information from children under 18. If you believe a child has provided us with personal information, contact us and we will take appropriate steps to delete it.
9. International Data Transfers
We are based in the United States, and the Service is operated using infrastructure that may process data in the United States and other countries. If you access the Service from outside the United States, you understand that your information may be transferred to and processed in jurisdictions that may have different data protection laws than your own.
10. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will update the "Last updated" date and, where appropriate, provide additional notice. Your continued use of the Service after changes take effect constitutes acceptance of the revised Policy.
11. Contact
Questions, concerns, or requests regarding this Privacy Policy may be directed to:
Warren Lavallee
warren@lavall.ee