Lume
Privacy Policy
Last updated and effective: May 21, 2026
Radish Retail, LLC ("Radish", "we", "us", "our") operates the Lume mobile application, public Lume share pages, Radish-hosted Lume pages, and related services (the "Service"). This Privacy Policy explains what personal information we collect, how we use and share it, and the choices and rights you have.
This Privacy Policy is incorporated into our Terms of Service by reference.
1. Summary
- We collect face photos you choose to scan, scan-derived skin scores and insights, account identifiers, onboarding answers, routine activity, subscription status, product/cart activity, share/referral activity, and usage/device data.
- Lume uses Scans to provide skin-wellness scoring, trend tracking, routine feedback, and product recommendations. Lume is not a medical device and does not diagnose, treat, cure, or prevent any condition.
- We do not sell personal information, do not show ads, and do not use IDFA or cross-app advertising tracking.
- Private scan photos are stored in Supabase under your user account and processed by Google Gemini/Vertex AI to generate scores and insights. We do not use Scans to train publicly released AI models.
- PostHog session replay is disabled. We collect product analytics and error events, not screen recordings of app use.
- If you create a public share or invite link, a privacy-safe snapshot and preview image may be visible to anyone with that link and to link preview crawlers. The original private scan photo is not made public by a share link.
- You can delete your account and associated server data from the app or by emailing privacy@radish.software.
- We do not knowingly collect personal information from children under 13.
2. Information We Collect
2.1 Information you provide
- Account information. Email address if you use email/password auth, OAuth provider identifiers if you use Apple or Google sign-in, and Supabase user IDs. Passwords are handled by Supabase and are not visible to us in plaintext.
- Anonymous profiles. If you start anonymously, Supabase creates an anonymous user identifier. Lume may later migrate scans, routine data, cart state, referral claims, and local state to a full account.
- Onboarding answers. Motivation, skin type, routine level, and skin concerns you select during onboarding.
- Scans. Selfies captured through the camera, plus the timestamp and storage path associated with the scan.
- Routine data. Routine templates, steps, schedules, product links, completion check-ins, active plans, and related history.
- Product and commerce data. Product searches, product detail views, barcode/QR scans, catalog matches, cart items, quantities, retailer link clicks, and affiliate checkout attempts.
- Share and referral data. Public scan-share snapshots, routine-share snapshots, product-share links, invite/referral identifiers, open counts, and promotional Ultra grant status when a referral is claimed.
- Support and other text. Any text you send to us through support or manually enter into app fields.
- Subscription information. RevenueCat and Apple provide subscription identifiers, entitlement status, product identifiers, eligibility signals, renewal/expiration status, and purchase/restore results. We do not receive your full payment card details.
2.2 Information we generate or collect automatically
- Scan-derived scores and insights. Overall Lume Score, Clarity, Hydration, Acne, Evenness, Dark Circles, apparent Skin Age in years, zone scores, zone placement hints, quality warnings, trend summaries, and AI-generated observations.
- Product-fit signals. Product match scores, product reasons, matched categories/targets, external barcode lookup results, lookup provider, normalized product metadata, and lookup cache status.
- Usage analytics. App launches, screen views, taps, scan funnel events, paywall events, purchase/restore events, share events, referral events, product events, notification preference events, errors, and feature flag exposure needed to operate and improve the product.
- Device and environment data. Device model, operating system, app version, platform, language/locale, timezone, and diagnostic context.
- Logs. Server-side request logs may include IP address, request path, timestamp, response status, and security or debugging metadata.
2.3 Information we do not collect or use
- We do not collect precise GPS location.
- We do not access contacts or HealthKit.
- We do not record microphone audio.
- We do not use advertising identifiers, do not show ads, and do not track you across other companies' apps or websites for advertising.
- We do not use face recognition to identify you, verify identity, or compare your face against other people.
- We access the photo library only when you choose a share/export action that saves a Lume share card or opens a social posting workflow requiring a saved image.
3. Biometric Data and Face Scans
3.1 Purpose and consent
Scans may be considered biometric data or sensitive personal information under some laws. We collect and process Scans only to generate your skin scores, apparent skin-age estimate, zone map, quality warnings, trends, routine feedback, and related recommendations. By taking a Scan and continuing through the consent screen, you consent to that processing.
3.2 Storage and access
Scans are uploaded over HTTPS to a private Supabase storage bucket under a path scoped to your authenticated user ID. Database rows reference the private storage path. App surfaces that need to display a scan request a short-lived signed URL rather than making the bucket public.
3.3 AI processing
The analyze-scan function validates your session, confirms that the storage path belongs to you, downloads the scan server-side, and submits the image plus selected onboarding context to Google Gemini/Vertex AI for structured analysis. Google returns scores and insights, which Lume stores with your account.
3.4 Retention and deletion
We retain Scans and scan-derived rows until you delete individual scans, delete your account, or request deletion, unless a longer retention period is required by law, security, fraud prevention, or dispute handling. Failed or invalid analysis attempts are designed to delete orphaned upload objects when no score row is created.
3.5 No sale or public model training
We do not sell, rent, or license Scans. We do not use Scans to train publicly released AI models. AI providers may process data to deliver and secure the requested service and enforce abuse policies, subject to their applicable terms and data processing commitments.
3.6 State-specific biometric laws
Residents of jurisdictions with biometric privacy laws, including Illinois, Texas, and Washington, may have additional notice, consent, retention, and deletion rights. This policy provides notice of collection, purpose, service-provider disclosure, and retention. Contact privacy@radish.software for additional requests.
4. Product Scanning, Retailer Links, and Affiliate Commerce
Lume includes product discovery and product-fit features. You may scan Lume product links, Amazon product links/ASINs, UPC/EAN/GTIN barcodes, and QR codes. The app first checks the Lume catalog. If a retail barcode is not in our catalog, Lume may query Open Beauty Facts and UPCitemdb and may normalize skincare metadata with Google Gemini/Vertex AI. We cache lookup results to improve speed, reduce cost, and limit repeated external API calls.
Product prices, images, availability, retailer names, reviews, and claims may come from public retailer feeds, affiliate feeds, or third-party catalog sources. These can be incomplete, delayed, or inaccurate. Retailer links may open Amazon, Sephora, Ulta, Target, Walmart, official brand sites, or other destinations, which process your visit and purchase under their own terms and privacy policies.
Some links are affiliate links. If you buy through those links, Radish may earn a commission at no additional cost to you.
5. Public Sharing and Referrals
If you choose to share from Lume, we may create a public snapshot:
- Scan shares include a privacy-safe score snapshot such as overall score, tier, headline, scan date, creation date, preview image path, open count, and last-opened timestamp. They do not publish the original scan photo or all scan sub-scores.
- Routine shares include selected routine metadata and up to six displayed steps. Later edits do not change a previously shared snapshot.
- Product shares link to product catalog pages and may include public product metadata.
- Invite/referral links can connect a recipient claim to the referrer and can create a promotional Ultra grant for the recipient.
Share URLs and preview PNGs are intended to be public. Anyone with the link, including social platforms and link-preview crawlers, may access the public snapshot. Do not share content that you do not want others to see.
6. How We Use Information
- provide scans, scores, history, trends, zone maps, insights, routines, product matching, cart behavior, sharing, referrals, and subscriptions;
- authenticate users, migrate anonymous accounts, and protect access;
- personalize scores, routines, product recommendations, paywall copy, and app surfaces based on scans and onboarding answers;
- process subscriptions, restores, entitlements, introductory-offer eligibility, and promotional grants;
- send local reminder notifications if you enable them;
- debug, secure, rate-limit, monitor, and improve the Service;
- measure aggregate product performance and conversion funnels;
- comply with law, enforce our Terms, and defend legal claims.
We do not use personal information for automated decisions that produce legal or similarly significant effects.
7. How We Share Information
We share information only as described in this policy. We do not sell your personal information.
7.1 Service providers and processors
| Provider | Purpose | Data received |
|---|---|---|
| Supabase | Authentication, database, Edge Functions, private scan storage, public share-preview storage | Account IDs, emails where provided, anonymous IDs, scans, scores, routines, shares, referrals, products, logs |
| Google sign-in and Gemini/Vertex AI scan/product analysis | OAuth identifiers where used, scan images submitted for analysis, selected onboarding context, product metadata submitted for normalization | |
| Apple | Sign in with Apple, App Store subscriptions, app distribution, crash/diagnostic ecosystem | Apple account identifiers, subscription transactions, eligibility and refund/cancellation status managed by Apple |
| RevenueCat | Subscription entitlement management and purchase/restore flow | App user IDs, product identifiers, entitlement status, transaction metadata, diagnostics |
| PostHog | Product analytics, feature exposure, errors, conversion measurement | Pseudonymous user IDs, account email/name where identified, device/app metadata, event properties, error messages and stack traces when captured; session replay disabled |
| Open Beauty Facts and UPCitemdb | Barcode and product lookup fallback | Barcode values and lookup requests; returned product metadata |
| Retailers and affiliate programs | Retailer links, affiliate attribution, checkout routing | Information sent when you click or open third-party retailer destinations, subject to their policies |
| Cloudflare, Vercel, Expo/EAS, and infrastructure providers | Hosting, domains, builds, networking, security, app delivery | Technical logs, IP addresses, device/app metadata, request metadata as needed to provide infrastructure |
7.2 Public sharing chosen by you
Public share pages, product pages, invite links, social share targets, and link previews receive the information needed to render the share or route the recipient.
7.3 Business transfers
If Radish is acquired, merged, reorganized, financed, or sells assets, information may be transferred as part of that transaction.
7.4 Legal and safety
We may disclose information when necessary to comply with law, respond to valid legal requests, protect rights, prevent fraud or abuse, or enforce our Terms.
7.5 With your consent
We may share information for other purposes disclosed to you with consent.
8. Your Rights and Choices
- Access, correction, export, and deletion. You may request a copy, correction, export, or deletion of your personal data.
- Scan deletion. You may delete scans in the app where supported or request deletion by email.
- Account deletion. You may delete your account in the app or email privacy@radish.software.
- Push reminders. Reminder notifications are local and optional. You can disable them in app settings or device settings.
- Analytics opt-out. Contact us if you want to opt out of non-essential analytics tied to your account where required by law.
- Subscriptions. Manage or cancel App Store subscriptions in Apple account settings.
California residents and residents of other jurisdictions with privacy laws may have additional rights to know, access, correct, delete, portability, limit sensitive data use, opt out of sale/share, and not be discriminated against. We do not sell personal information or share it for cross-context behavioral advertising.
EEA/UK residents may have rights to access, rectify, erase, restrict, object, portability, withdraw consent, and complain to a supervisory authority. Where GDPR/UK GDPR applies, our legal bases include contract, consent, legitimate interests, legal obligations, and vital/public safety interests where applicable.
9. Retention
We retain account data, Scans, scan-derived results, routines, product activity, shares, referrals, subscription records, analytics, and logs for as long as needed to provide the Service, maintain security, resolve disputes, comply with law, or enforce agreements. Account deletion removes associated server records and owned storage objects where technically supported, subject to backups, legal obligations, and fraud/security retention.
10. Security
We use HTTPS, Supabase authentication, private storage buckets, row-level security, short-lived signed URLs for private scans, service role isolation for server operations, and access controls. No method of transmission or storage is perfectly secure, and we cannot guarantee absolute security.
11. Children
Lume is not directed to children under 13, and we do not knowingly collect personal information from children under 13. We do not ask for date of birth in the current onboarding flow. If you believe a child under 13 has used Lume or provided personal information, contact privacy@radish.software.
12. International Transfers
Radish is based in the United States, and providers may process data in the United States and other countries. Where required, we rely on appropriate transfer mechanisms and service-provider commitments.
13. Changes to This Policy
We may update this Privacy Policy from time to time. If changes are material, we will provide notice by email, in-app notice, app update notes, or another reasonable method where required. The effective date above shows when this policy version applies.
14. Contact
Privacy: privacy@radish.software
Legal: legal@radish.software
Support: support@radish.software