1. Who we are
Superstar Software Ltd, trading as Lumera, provides private photo and video gallery software for uploading, making non-destructive photo edits, processing videos, and sharing galleries. You can contact us about privacy at hello@lumeragallery.com.
This Privacy Policy applies when you visit our website, create an account, use Lumera, upload photos or videos, receive or open a private gallery link, contact support, or interact with our billing and service providers.
2. Information we collect
We collect account information such as name, email address, hashed password authentication data, subscription plan, billing status, support messages, and settings.
We collect Customer Content you choose to upload or create in Lumera, including photos, videos, gallery names, client names, brand names, logos, filenames, metadata, edit settings, download settings, expiry settings, and share settings.
When someone views a private gallery, we may collect viewer and usage information such as IP address, browser and device details, approximate location inferred from technical data such as country or region, access time, gallery token used, image views, downloads, share events, and password-attempt signals needed for security and analytics.
We collect payment and subscription information from Stripe. We do not store full card numbers in Lumera.
3. Account owner responsibility and Lumera's role
For Customer Content uploaded by account owners, the account owner is generally responsible for determining the purpose of collection, use, editing, storage, and sharing of that content. Lumera provides the service used to host, process, display, and share that content according to the account owner's settings.
Account owners are responsible for ensuring they have the rights, permissions, notices, consents, and lawful basis required for personal information and photos uploaded to Lumera, including information about clients, staff, children, homes, workplaces, events, travel locations, and other people shown or described in a gallery.
Depending on the law that applies, Lumera may act as a service provider, processor, or similar role for Customer Content, while also deciding how we use account, billing, security, analytics, support, and operational information needed to run Lumera.
4. How we use information
We use personal information to provide Lumera, create and secure accounts, process uploads, generate previews and edited outputs, display private galleries, manage billing, send service emails, provide support, prevent abuse, diagnose problems, improve reliability, and comply with legal obligations.
We may use aggregated or de-identified information to understand service performance, storage usage, product usage, and business trends. We do not use private gallery photos to train generative AI models unless we clearly ask for and receive the required permission.
5. Uploaded photos and private galleries
Uploaded photos and videos may contain personal information about people, places, events, homes, workplaces, or clients. Account owners are responsible for making sure they have the rights and privacy permissions needed to upload, store, edit, process, and share those files.
Private gallery links are designed for controlled sharing, but they are still access credentials. People who receive a link may be able to view the gallery according to the gallery settings chosen by the account owner. Gallery passwords, expiry settings, download settings, and removal of access are controlled by the account owner.
Gallery viewers may have limited technical data collected for security, analytics, abuse prevention, and service operation even when they do not create Lumera accounts. This helps us operate private links, protect galleries, understand delivery activity, and diagnose problems.
6. Sharing and disclosure
We share personal information only as needed to operate Lumera, support customers, comply with law, protect rights and safety, process payments, deliver email, host files, monitor reliability, investigate abuse, or complete a business transfer such as a merger, acquisition, or sale of assets.
Our providers may include Fly.io for application hosting, object storage providers for uploaded files, Stripe for billing and payments, email delivery providers, monitoring providers, analytics providers, support tools, and professional advisers.
We do not sell personal information. Some privacy laws define "sale" or "sharing" differently, and we will update this policy if Lumera needs jurisdiction-specific notices or opt-out rights.
8. Overseas hosting, worldwide access, and IPP 12
Lumera is hosted on Fly.io and may use other infrastructure and service providers outside New Zealand. Your information may be stored, processed, routed, accessed, backed up, or supported in New Zealand, Australia, the United States, Europe, or other countries depending on our providers, regions, routing, support, resilience, and security needs.
Because Lumera can be accessed worldwide, gallery links and account access may also involve international transmission over the internet.
Where the New Zealand Privacy Act 2020 and Information Privacy Principle 12 apply, we will take reasonable steps to ensure overseas providers protect personal information in a way that provides comparable safeguards to the New Zealand Privacy Act, or rely on another permitted basis.
9. Security
We use reasonable technical and organisational safeguards to protect personal information, including access controls, encrypted transport, private gallery tokens, password protections where enabled, throttling for repeated failed gallery password attempts, provider controls, and operational monitoring.
No internet service is perfectly secure. You are responsible for choosing strong passwords, protecting your devices and email accounts, limiting who receives private links, and keeping your own backup copies of important photos.
10. Retention and deletion
We keep personal information for as long as reasonably needed to provide Lumera, meet legal obligations, resolve disputes, prevent abuse, maintain records, and support legitimate business needs.
Account owners can delete galleries and content through the product where available. After cancellation, non-payment, or termination, we may delete Customer Content after a reasonable retention period unless we need to keep it for legal, security, billing, backup, or dispute reasons. Backup copies may remain for a limited time before routine deletion.
11. Privacy rights
If the New Zealand Privacy Act 2020 applies to your information, you have access or correction rights and can ask us for personal information we hold about you or ask us to correct it. We may need to verify your identity and may refuse or limit a request where the law allows.
Depending on where you live and which law applies, you may also have rights to request deletion, export, restriction, objection, or other privacy controls. We will handle those requests where required by applicable law.
Account owners can update some account information directly in Lumera. For other access, correction, deletion, export, objection, or privacy questions, contact hello@lumeragallery.com.
12. Privacy breaches
If we become aware of a privacy incident, we will assess it and take reasonable steps to contain, investigate, and remediate it. If we believe a notifiable privacy breach has occurred under the New Zealand Privacy Act 2020, we will notify affected people and the New Zealand Privacy Commissioner where required.
13. Marketing and service messages
We may send service messages about accounts, billing, security, privacy, product changes, and support. We may send marketing messages where permitted by law, and you can unsubscribe from marketing emails using the link in the email or by contacting us.
14. Children
Lumera is not intended for children to create owner accounts. Galleries may contain photos of children if the account owner has the rights and permissions needed to upload and share those photos.
15. Changes to this policy
We may update this Privacy Policy as Lumera, our providers, or the law changes. If a change is material, we will use reasonable efforts to notify account owners.
16. Complaints and contact
If you have a privacy concern, contact us first at hello@lumeragallery.com so we can try to resolve it. If you are not satisfied, you may be able to contact the New Zealand Office of the Privacy Commissioner.