Privacy Policy
Last updated: April 2026
Who we are
Lumen is open-source software. This policy applies to the hosted instance you are using. Self-hosters of the source code are responsible for their own privacy policies. The contact for this instance is the operator listed in the footer or in the GitHub repository.
What we collect
To provide an account: your email address, your display name, and a hashed password. To deliver the service: the documents you create, comments you write, the workspaces you belong to, files you upload, and standard server logs (IP address, user agent, request path, timestamps) for security and abuse prevention.
What we do not collect
No analytics or tracking pixels on your documents. No behavioural profiling. No selling of data to third parties. No advertising.
How we use your data
We use your data only to operate the service: render your documents, authenticate you, share your documents with your collaborators, and send the rare transactional email if you initiate one (e.g. password reset). Your documents are not used to train any AI model.
Third-party processors
When you invoke an AI feature (inline edit, summarize, fact-check), the relevant passage is sent to the configured LLM provider (DeepSeek by default) and search provider (Serper for fact-check) to return a result. We do not retain those API exchanges beyond standard server logs. Self-hosters can swap or disable these providers in configuration.
Storage and security
Data is stored in PostgreSQL and S3-compatible object storage on our infrastructure. Passwords are hashed with bcrypt. Auth tokens are HTTP-only cookies. We do not encrypt document contents at the application layer; if you need stronger guarantees, run your own self-hosted instance.
Your rights
You can export your documents as Markdown or PDF at any time. You can delete your account from Settings, which anonymizes your personal information and removes your private documents. Documents you co-authored in shared workspaces remain with the workspace, attributed to a deleted user. If you need a full data export or a different deletion treatment, email the operator.
Cookies
We set one HTTP-only authentication cookie when you sign in. No marketing or analytics cookies.
Changes
If we make material changes, we will note them here and update the “Last updated” date. Substantive changes will be communicated via the dashboard.