Privacy Policy

1. Introduction

Pretzel AI GmbH, operating the Lumen billing platform ("we," "our," or "us") respects your privacy and is committed to protecting your personal data. This privacy policy explains how we collect, use, store, and protect your information when you use our billing and payment platform services.

2. Information We Collect

2.1 Merchant Account Information

When you create a merchant account, we collect:

• Name and email address
• Account credentials (encrypted)
• Business information and tax identification
• Billing addresses
• Payment provider API keys (encrypted)

2.2 Customer Data (Processed on Your Behalf)

As a billing platform, we process your customers' data on your behalf:

• Customer names, emails, and contact information
• Billing and shipping addresses
• Subscription and usage data
• Invoice and payment history

2.3 Payment Processing

Important: We do not collect or store payment card information directly. Payment data is handled securely by our payment processors (Stripe) using their payment elements.

We do collect and store:

• Transaction metadata and status
• Invoice records and payment history
• Tax exemption certificates (if applicable)
• Payment method preferences (not card details)

2.4 Usage and Analytics Data

To improve our platform, we use PostHog to collect:

• Page views, clicks, and user interactions
• Session recordings and heatmaps
• Performance metrics and error tracking
• Feature usage patterns

2.5 System Logs

We maintain system logs for security and debugging purposes, including:

• API requests and responses (excluding sensitive data)
• System errors and performance metrics
• Access logs and security events

Retention: System logs are automatically deleted after 90 days.

2.6 Communications

We may collect information from your communications with us, including support tickets, emails, and feedback submissions.

3. How We Use Your Information

3.1 Service Provision

• Process payments and manage subscriptions
• Generate invoices and handle billing
• Manage your account and authenticate access
• Provide customer support
• Send service-related communications

3.2 Platform Improvement

• Analyze usage patterns to enhance user experience
• Identify and fix technical issues
• Develop new features and services
• Optimize platform performance

3.3 Legal and Security

• Comply with legal obligations and regulations
• Prevent fraud and ensure platform security
• Protect our rights and interests
• Respond to legal requests and court orders

4. Legal Basis for Processing

Under GDPR, we process your personal data based on:

• Contract Performance: To provide our billing and payment services
• Legitimate Interest: For analytics, platform improvement, and security
• Legal Obligation: For tax reporting, fraud prevention, and regulatory compliance
• Consent: For certain analytics features with persistent storage

5. Service Providers and Infrastructure

We do not sell, rent, or share your personal data with third parties.We use trusted service providers to help us operate our platform. These providers process data on our behalf under strict contractual obligations:

• AWS (Amazon Web Services): Secure cloud hosting for our platform and databases
• Stripe: Payment processing (they handle card data directly, not us)
• Dodo Payments: Alternative payment processing service
• PostHog: Privacy-focused analytics platform
• Trigger.dev: Background job processing

These providers are data processors acting on our instructions only. They cannot use your data for their own purposes and must meet strict security and privacy standards.

6. Data Security

We implement industry-standard security measures to protect your data:

• No payment card storage: We never store credit card information - payment data is handled directly by Stripe using secure payment elements
• Encrypted sensitive data: Payment provider API keys and credentials are encrypted at rest using industry-standard encryption
• Secure authentication protocols and session management
• Regular security monitoring and access controls
• Secure cloud infrastructure hosted on AWS

7. Data Retention

We retain your data for as long as necessary to provide our services and comply with legal obligations:

• Account Data: While your account is active and for 7 years after closure for legal compliance
• Transaction Records: For 7 years to comply with financial regulations (no card data stored)
• Analytics Data: For 2 years to improve our platform
• System Logs: Automatically deleted after 90 days
• Communications: For 3 years for support and legal purposes

8. Your Rights

Under GDPR and other privacy laws, you have the right to:

• Access: Request a copy of your personal data
• Rectification: Correct inaccurate or incomplete data
• Erasure: Request deletion of your personal data
• Portability: Receive your data in a machine-readable format
• Restriction: Limit how we process your data
• Objection: Object to processing based on legitimate interests
• Withdraw Consent: For processing based on consent

To exercise any of these rights, please contact us at help@getlumen.dev. We will respond within 30 days of your request.

9. Cookies and Tracking

We use cookies and similar technologies to:

• Maintain your login session (essential cookies)
• Remember your preferences and settings
• Analyze platform usage and performance
• Improve user experience through session recordings and heatmaps

You can control cookie preferences through our cookie banner or in your browser settings. Disabling essential cookies may affect platform functionality.

10. International Transfers

Your data may be transferred to and processed in countries outside the European Union, including the United States where our cloud infrastructure (AWS) is located.

We ensure appropriate safeguards are in place for all international transfers:

• Standard Contractual Clauses (SCCs): We use EU-approved contractual clauses with all service providers
• Adequacy Decisions: Where available, we rely on EU Commission adequacy decisions
• Data Processing Agreements: All third-party processors sign comprehensive data protection agreements
• Technical Safeguards: Data is encrypted in transit and at rest regardless of location

11. Children's Privacy

Our services are not intended for children under 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will take steps to delete such information.

12. Automated Decision Making

We do not use automated decision making or profiling that produces legal effects or significantly affects you. Any automated processing we perform (such as fraud detection or usage analytics) is for operational purposes only and does not result in automated decisions about your access to services.

13. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of any material changes by posting the new policy on our website and updating the "Last Updated" date. Your continued use of our services after such changes constitutes acceptance of the updated policy.

14. Company Information & Contact