Privacy Policy
Lumicid ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy describes how we collect, use, store, and share personal information when you use the Lumicid platform at lumicid.com (the "Service"). The Service includes TikTok and Instagram performance monitoring, video transcription, brand-deal outreach (Collably), and competitor analytics.
1. Information We Collect
Account Information
When you create an account through Zitadel (our authentication provider), we receive your email address, name, and profile information. We do not store passwords — authentication is handled entirely by Zitadel.
Monitored Profile Data
When you add a TikTok or Instagram profile for monitoring, we collect publicly available data only — username, post URLs, captions, post thumbnails, and engagement metrics (views, likes, shares, comments, saves, follower count). We do not access login-walled, private, or DM content. We do not require your TikTok or Instagram credentials.
Competitor Profile Data
Lumicid allows you to add third-party (competitor) profiles for analytics. When you do, we collect the same publicly available metrics described above for those profiles. We treat these as legitimate-interest processing under GDPR Article 6(1)(f) — see Section 13 (Lawful Basis). If a third party objects to our processing of their public data, they may submit a request via our Data Subject Request form (see Section 9).
Transcript Data
When you submit a TikTok or Instagram URL for transcription, we fetch the publicly available video, extract audio, and run automated speech-to-text. Transcripts are stored against your account for retrieval and may be used to surface keyword/topic analytics. Audio files are deleted after transcription completes; transcript text is retained per your retention setting.
Outreach Data (Collably Module)
If you connect a Google account to Collably, we use Google's OAuth flow to obtain a token that lets us draft and send emails on your behalf to creators you select. We store only the OAuth refresh token and metadata about messages we send (recipient, subject, sent timestamp, thread ID) — we do not store the full content of unrelated emails in your inbox. You can revoke access at any time from your Google Account settings.
Billing Information
Payment processing is handled by Stripe. We receive subscription status, plan tier, and billing period information but do not store credit card numbers or detailed payment information directly.
Usage Data
We collect information about how you interact with the Service: monitoring configurations, alert preferences, notification email addresses, IP address, browser/device metadata for security and abuse-prevention, and feature usage patterns.
2. How We Use Your Information
We use your information to:
- Provide and maintain the monitoring service, including fetching public TikTok and Instagram metrics on a schedule and detecting significant drops.
- Send email alerts when significant metric drops are detected on your monitored posts.
- Generate transcripts and topic/keyword analytics from video URLs you submit.
- Send brand-deal outreach emails on your behalf via the Collably module, when you have explicitly authorized this via Google OAuth.
- Process subscription payments and manage your billing through Stripe.
- Communicate with you about your account, service updates, and support requests.
- Improve and optimize the Service based on aggregated usage patterns and feedback.
- Ensure the security and integrity of the Service, including detecting abuse and fraud.
3. Data Storage and Security
Your data is stored on a self-hosted PostgreSQL database running on dedicated servers in Hetzner data centers in the European Union (Germany / Finland). We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. Database access is restricted to a small number of authorized engineers, all traffic is encrypted in transit (TLS 1.2+), and database backups are encrypted at rest.
Metric snapshots are stored as immutable records to maintain data integrity (we never modify a snapshot once written; we only insert new ones). Snapshot retention periods are tied to your subscription plan (typically 7 to 30 days, with longer retention available on enterprise plans). Older snapshots are pruned automatically by a daily retention job.
4. Third-Party Services (Sub-processors)
We use the following third-party services ("sub-processors") to operate Lumicid. Each is bound by its own privacy policy and data processing terms:
Zitadel (Authentication)
Manages user authentication, login sessions, and identity verification. Self-hosted on our infrastructure (auth.lumicid.com).
Stripe (Payments)
Handles all payment processing, subscription billing, and invoicing. Stripe maintains PCI DSS Level 1 compliance.
Bright Data (Public-Data Collection)
Provides anti-detection proxy and remote-browser infrastructure used to fetch publicly available TikTok and Instagram profile pages on your behalf. Bright Data does not receive any personal account information from us beyond the target URL.
IPRoyal (Residential Proxy)
Provides residential IP addresses used by our self-hosted scraping layer to avoid being misclassified as bot traffic. IPRoyal does not receive any personal account information from us.
OpenAI Whisper / Transcription Provider
Used to transcribe audio extracted from videos you submit to the Transcripts module. Audio is sent to the transcription provider, processed, and the resulting text is returned to us. Audio is not retained beyond the transcription request.
Google (Gmail OAuth — Collably only)
When you connect a Google account to Collably, we use Google's OAuth API to draft and send emails on your behalf. We use Google API Services User Data Policy-compliant scopes only.
Resend (Transactional Email)
Delivers email alerts and transactional emails (account, billing, drop alerts) from [email protected].
Hetzner Online GmbH (Hosting)
Hosts our application infrastructure on dedicated servers in the European Union (Germany / Finland).
5. Cookies and Tracking Technologies
Lumicid uses cookies and similar technologies for the following purposes:
- Authentication Cookies: Zitadel sets cookies to maintain your login session and verify your identity across page loads.
- Essential Cookies: Required for the Service to function properly, including session management, CSRF protection, and security tokens.
We do not use advertising cookies or third-party tracking pixels. We do not sell your browsing data to advertisers or data brokers. We do not use Google Analytics or similar profile-based analytics tools at this time.
6. Data Sharing and Disclosure
We do not sell, trade, or rent your personal information to third parties. We may share your information only in the following circumstances:
- Service Providers (Sub-processors): With the third-party providers listed in Section 4, solely for the limited purposes described.
- Legal Requirements: When required by law, regulation, legal process, court order, or a valid governmental request.
- Safety and Rights: To protect the safety, rights, or property of Lumicid, our users, or the public, and to investigate suspected fraud or security incidents.
- Business Transfers: In connection with a merger, acquisition, financing, or sale of all or a portion of our assets, with notice to affected users.
7. Data Retention
We retain your personal data only for as long as your account is active or as needed to provide the Service:
- Account Data: Retained until you delete your account.
- Profile Metric Snapshots: Retained per subscription plan (typically 7 to 30 days; older snapshots are pruned automatically).
- Transcripts: Retained per your retention setting (default: indefinite while account is active).
- Outreach Logs: Email metadata (recipient, subject, timestamp, thread ID) retained while account is active and for one year afterward for audit purposes.
- Alert History: Retained for the duration of your account.
- Billing Records: Retained as required by applicable tax and financial regulations (typically 7-10 years).
Upon account deletion, we will delete or anonymize your personal data within 30 days, except where retention is required by law (e.g., tax records).
8. Your Rights
Depending on your jurisdiction (in particular if you are located in the EU/EEA, UK, or Switzerland), you have the following rights under GDPR / UK GDPR:
- Right of Access: Request a copy of the personal data we hold about you.
- Right to Rectification: Request correction of inaccurate or incomplete personal data.
- Right to Erasure ("Right to Be Forgotten"): Request deletion of your personal data, subject to legal retention requirements.
- Right to Data Portability: Request a copy of your data in a structured, commonly used, machine-readable format.
- Right to Object: Object to processing of your personal data, including processing based on legitimate interest.
- Right to Restriction: Request that we restrict processing of your personal data in certain circumstances.
- Right to Withdraw Consent: Withdraw consent for data processing where consent is the legal basis (e.g., Google OAuth for Collably).
- Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority in the EU/EEA member state of your habitual residence, place of work, or place of the alleged infringement.
To exercise any of these rights, contact us at [email protected] or submit a request via our Data Subject Request form at lumicid.com/privacy/data-request. We will respond within 30 days.
9. Data Subject Requests (Including Non-Customers)
If you are not a Lumicid customer but believe your public profile data has been processed by our Service (for example, you appear as a competitor profile in a customer's account), you may submit a deletion or objection request at lumicid.com/privacy/data-request. We will verify the request and respond within 30 days. We honor erasure requests for legitimate-interest-based processing unless we have overriding legitimate grounds (e.g., legal claims, fraud investigation).
10. Children's Privacy
Lumicid is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If we learn we have collected personal data from a child, we will delete it. Customers also confirm that the profiles they monitor are not those of minors.
11. International Data Transfers
Your information is primarily processed and stored in the European Union (Hetzner data centers in Germany / Finland). Some sub-processors may be located outside the EU/EEA — including Stripe (United States), Bright Data (Israel/EU), OpenAI (United States), and Google (United States). For these transfers we rely on the European Commission's Standard Contractual Clauses (SCCs), the EU-U.S. Data Privacy Framework where applicable, and supplementary technical and organizational measures (encryption in transit and at rest).
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by updating the "Last updated" date and, where appropriate, sending you an email notification at least 30 days before the change takes effect.
13. Lawful Basis for Processing (GDPR)
Where GDPR applies, we rely on the following legal bases for processing personal data:
- Consent (Art. 6(1)(a)): For Google OAuth integration in Collably; for marketing communications you opt into.
- Contract (Art. 6(1)(b)): To provide the Service to you under our Terms of Service — account management, billing, monitoring of profiles you authorize.
- Legitimate Interest (Art. 6(1)(f)): For competitor profile monitoring, security and abuse prevention, aggregate analytics, and direct customer communications about the Service. We have conducted a balancing test and concluded that our interest in operating a creator-analytics platform — and our customers' interest in benchmarking against competitors — does not override the rights and freedoms of data subjects, given that we process only public data and provide an erasure mechanism.
- Legal Obligation (Art. 6(1)(c)): For tax, accounting, and law-enforcement disclosures.
14. Contact Us
If you have any questions about this Privacy Policy or wish to exercise your rights, please contact us at:
Email: [email protected]
Website: lumicid.com