1. Scope and notice at collection
This Privacy Policy explains how Lumiere collects, uses, stores, discloses, exports, and deletes information for the Lumiere beta, including account access, protected app workflows, Local Connector materials, journal workflows, forecast preview surfaces, and optional research telemetry.
At or before collection, Lumiere should disclose the categories of personal information collected, purposes of use, whether information is sold or shared, retention expectations, privacy rights, and how to exercise those rights. This draft is intended for counsel review and should not be treated as final production notice language.
2. Account and authentication data
Lumiere may collect account email, user id, role, requested plan, billing status, entitlement state, login challenge metadata, session metadata, legal acceptance versions, research consent versions, connector version, and connector download timestamps.
3. Billing data
Lumiere may store billing status, Stripe customer id, subscription id, checkout session id, price id, current period end, and webhook event metadata. Payment card details are handled by the payment processor and should not be stored by Lumiere.
4. Journal and workflow data
Lumiere may store saved journal entries, symbols, setup titles, setup descriptions, tags, selected side, trade-plan fields, chart-state summaries, compact evidence, outcome fields, and timestamps. Journal notes are user content and should not be used for optional research telemetry unless a future policy and consent path explicitly authorizes that use.
5. Market-data and analysis data
Lumiere may process stock symbols, chart timeframe, session settings, thresholds, quote data, candle data, provider status, source provenance, news metadata, chart patterns, risk calculations, forecast requests, model status, and analysis outputs to provide the requested workflow.
6. Local connector diagnostics
The Local Connector is designed to run on the user's machine and provide read-only Paper TWS market context. Lumiere may process connector health, socket status, worker status, provider status, request metadata, and market-data provenance. Research telemetry is not designed to store broker credentials, account numbers, balances, fills, or raw order history.
7. Screen, voice, and AI data
If a user chooses screen-read, upload, capture, voice, or AI mentor features, selected user-provided content and context may be sent to configured AI providers to generate educational analysis. Users should not submit passwords, API keys, broker credentials, account numbers, balances, screenshots containing private financial profile data, or other sensitive data through these features.
8. Optional research telemetry
Optional research telemetry is disabled by default. If enabled locally or later in production after review, it requires separate consent by scope. Forecast improvement consent may collect metadata such as event id, anonymous user id, session id, event type, symbol, timeframe, horizon, model id, forecast run id, provider id, latency, UI surface, timestamp, and app version.
Paper outcome research consent may collect linked forecast run id, symbol, timeframe, side, bucketed planned entry/stop/target/risk ranges, outcome status, opened timestamp, reviewed timestamp, event timestamp, and app version. Product analytics consent is reserved for coarse product diagnostics.
9. Research telemetry exclusions
Research telemetry must reject or avoid broker credentials, account numbers, balances, fills, raw order history, free-text journal notes, screenshots, API keys, cookies, raw authentication payloads, emails supplied by the browser, and private financial profile data. Server-side filters should reject unknown fields rather than storing arbitrary payloads.
10. Anonymous research identifiers
Research events identify users and sessions only by salted hashes that the server derives; identity fields supplied in browser event payloads are rejected rather than trusted. Because rotating the salt changes every derived identifier and breaks the link to previously collected events, production must maintain a salt-rotation and deletion-mapping plan before broad collection is enabled.
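The following is an added illustration of the server-side filtering in section 9 and the server-derived identifiers in section 10; it is example code written for this draft, not Lumiere's implementation. The allowlisted field names follow the forecast-improvement scope in section 8, while `latency_ms`, the `anon_*` field names, the sensitive-name fragment list and the sample event are assumptions. Unknown fields, client-supplied identity fields, sensitive-looking names, nested values and email-like strings cause the whole event to be rejected, never silently stripped and stored.

```python
import hashlib
import hmac
import re
from typing import Any, Mapping, Optional

# Field names from the forecast-improvement scope (section 8).
# "latency_ms" is an assumed spelling of "latency".
FORECAST_EVENT_FIELDS = frozenset({
    "event_type", "symbol", "timeframe", "horizon", "model_id",
    "forecast_run_id", "provider_id", "latency_ms", "ui_surface",
    "timestamp", "app_version",
})

# Identity fields that only the server may set (section 10). Names assumed.
SERVER_ONLY_FIELDS = frozenset({"event_id", "anon_user_id", "anon_session_id"})

# Name fragments that mark excluded data (section 9). List is an assumption.
SENSITIVE_NAME_FRAGMENTS = (
    "password", "secret", "token", "apikey", "api_key", "cookie", "auth",
    "account", "balance", "fill", "order", "note", "screenshot", "email",
)
EMAIL_RE = re.compile(r"[^\s@]+@[^\s@]+\.[^\s@]+")
MAX_STRING_LEN = 128  # research fields are short codes; free text never belongs here


class TelemetryRejected(ValueError):
    """Raised when an event must be dropped rather than stored."""


def derive_anon_id(salt: bytes, subject: str) -> str:
    """Keyed hash of a server-side identifier. Only the server holds the salt,
    so a client cannot compute or forge these ids. Rotating the salt changes
    every id, which is why a deletion mapping must exist before rotation."""
    return hmac.new(salt, subject.encode("utf-8"), hashlib.sha256).hexdigest()


def validate_forecast_event(
    payload: Mapping[str, Any], *, user_id: str, session_id: str,
    salt: bytes, event_id: str,
) -> dict:
    """Return a storable event or raise TelemetryRejected.

    Checks, in order: client-supplied identity fields, sensitive-looking
    names, names outside the allowlist, non-scalar values, overlong strings,
    and email-like strings. Any failure rejects the whole event.
    """
    keys = set(payload)
    forged = keys & SERVER_ONLY_FIELDS
    if forged:
        raise TelemetryRejected(f"client supplied identity fields: {sorted(forged)}")
    for name in keys:
        lowered = name.lower()
        if any(frag in lowered for frag in SENSITIVE_NAME_FRAGMENTS):
            raise TelemetryRejected(f"sensitive field name: {name}")
    unknown = keys - FORECAST_EVENT_FIELDS
    if unknown:
        raise TelemetryRejected(f"unknown fields: {sorted(unknown)}")
    for name, value in payload.items():
        if not isinstance(value, (str, int, float, bool)):
            raise TelemetryRejected(f"non-scalar value in {name}")
        if isinstance(value, str):
            if len(value) > MAX_STRING_LEN:
                raise TelemetryRejected(f"overlong string in {name}")
            if EMAIL_RE.search(value):
                raise TelemetryRejected(f"email-like value in {name}")
    # Identity is derived here, from server-side state, never from the payload.
    return {
        "event_id": event_id,
        "anon_user_id": derive_anon_id(salt, "user:" + user_id),
        "anon_session_id": derive_anon_id(salt, "session:" + session_id),
        **payload,
    }


def rejection_reason(payload: Mapping[str, Any], **kw: Any) -> Optional[str]:
    """None if the event is storable, otherwise the rejection reason."""
    try:
        validate_forecast_event(payload, **kw)
    except TelemetryRejected as exc:
        return str(exc)
    return None


def events_for_user(events: list, salt: bytes, user_id: str) -> list:
    """Select a user's events under the current salt, as a delete-research
    control would. Under a rotated salt the same user matches nothing."""
    anon = derive_anon_id(salt, "user:" + user_id)
    return [e for e in events if e.get("anon_user_id") == anon]


# Constructed sample event and salt for demonstration only.
SAMPLE_SALT = b"server-side-salt-for-demo"
SAMPLE_EVENT = {
    "event_type": "forecast_shown", "symbol": "AAPL", "timeframe": "1D",
    "horizon": 5, "model_id": "baseline", "forecast_run_id": "run-1",
    "provider_id": "provider-a", "latency_ms": 42, "ui_surface": "chart",
    "timestamp": "2024-01-01T00:00:00Z", "app_version": "0.1.0",
}

if __name__ == "__main__":
    kw = dict(user_id="u1", session_id="s1", salt=SAMPLE_SALT, event_id="e1")
    print(rejection_reason(SAMPLE_EVENT, **kw))
    print(rejection_reason({**SAMPLE_EVENT, "anon_user_id": "forged"}, **kw))
    print(rejection_reason({**SAMPLE_EVENT, "journal_note": "bought the dip"}, **kw))
    print(rejection_reason({**SAMPLE_EVENT, "symbol": "alice@example.com"}, **kw))
```

The rejection-before-store ordering matters: a filter that strips offending fields and keeps the rest still records that a client attempted to send them and trains users that the endpoint tolerates junk, whereas rejecting the event keeps the stored schema exactly equal to the consented schema. `events_for_user` also shows why section 10 pairs salt rotation with a deletion mapping: once the salt changes, the current-salt lookup no longer finds older events.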
11. Sources of information
Lumiere may receive information directly from users, account flows, protected app interactions, local connector requests, configured market-data providers, payment providers, email/login providers, AI providers, browser/runtime diagnostics, and server logs.
12. How Lumiere uses information
Lumiere uses information to operate accounts, authenticate users, provide app features, manage plans and billing, provide educational analysis, save journals, run local connector workflows, enforce safety gates, prevent misuse, debug errors, improve reliability, honor privacy controls, comply with legal obligations, and conduct optional consented research diagnostics.
13. Model improvement boundary
User behavior and paper outcome metadata may inform diagnostics, tuning, personalization research, and calibration review. They cannot promote Kronos, TimesFM, trained variants, or baselines into the default UI. Default model visibility remains controlled by the exact IBKR walk-forward evaluation gate and by the separate default UI flag.
14. Consent and withdrawal
Research consent is separate from Terms acceptance and can be managed in account settings. Users can withdraw all optional research scopes. Withdrawal stops future optional research collection for those scopes but may not automatically delete already collected data unless the user also uses the delete-research control or submits a verified deletion request.
15. Sharing and service providers
Lumiere may share limited information with service providers that help operate the product, depending on configuration. Examples may include hosting and database providers, Stripe for billing, email/auth providers such as Resend if configured, OpenAI or other AI providers if configured, market-data providers such as Polygon or a Yahoo fallback, and local IBKR/TWS software running on the user's machine.
Service providers should be limited by contract, security obligations, and purpose limitations before production launch. Lumiere should not sell personal information. Counsel must finalize whether any activity is considered "sharing" for cross-context behavioral advertising and whether a "Do Not Sell or Share" link is required.
16. No broker credential storage
Lumiere's V1 research layer and Local Connector design should not store broker credentials, broker account numbers, balances, fills, or raw order history. If any future workflow requires broader broker data, it must receive separate security, privacy, broker, and legal review before launch.
17. Retention
Lumiere should keep personal information only as long as needed for the purpose collected, legal requirements, security, auditability, billing, dispute resolution, product operation, or user-requested retention. Production must define retention periods for account data, sessions, login challenges, billing metadata, journal entries, connector logs, research telemetry, model-evaluation artifacts, support requests, and backups.
18. Export, deletion, and correction
Signed-in users can export local account, journal, connector, legal, consent, and anonymized research-event data through the account page. Signed-in users can delete local research telemetry events associated with the current salted anonymous id. Production must add a verified request workflow for access, correction, deletion, portability, and appeal where required by law.
19. State privacy rights
Depending on user location and business thresholds, users may have rights to know, access, delete, correct, opt out of sale or sharing, limit certain uses of sensitive personal information, receive portability, and avoid discrimination for exercising privacy rights. Counsel must finalize state-specific notices, request methods, verification steps, authorized-agent handling, and response timelines.
20. International privacy rights
If Lumiere serves users outside the United States, additional rights and obligations may apply, including legal bases for processing, consent withdrawal, legitimate-interest assessments, international transfer safeguards, data-protection contacts, and regulator complaint rights. Counsel must finalize GDPR/UK GDPR and other international terms before international launch.
21. Security
Lumiere uses technical and organizational safeguards appropriate for a beta product, including strict research event schemas, sensitive-field rejection, CSRF controls, security headers, local-first telemetry defaults, secret scanning, and separation of forecast promotion from research behavior. No system is perfectly secure. Production launch requires a written security and incident-response plan.
22. Incident response
Lumiere should maintain procedures to detect, respond to, recover from, and notify affected users or regulators about unauthorized access to sensitive information where legally required. Counsel and security reviewers must finalize breach-notification triggers, timing, templates, and escalation ownership.
23. Children
Lumiere is not intended for children or minors. Production must define the minimum age, parental-consent handling if any, and deletion process for information submitted by minors before public launch.
24. Cookies and local storage
Lumiere may use cookies or local storage for login sessions, CSRF protection, account state, UI state, and product operation. Production must finalize a cookie table and any consent banner obligations before using non-essential analytics or advertising technologies.
25. Changes to this policy
Lumiere may update this Privacy Policy. Material changes should bump the privacy version and require renewed acceptance before protected workflows open. Optional research consent versions should also be bumped when consent language materially changes.
26. Contact and production blockers
Privacy request channels must be finalized before production collection. Placeholder: privacy@lumiere.money. Production research telemetry must stay disabled until counsel approves this policy, the Terms, consent UX, retention schedule, deletion/export workflow, vendor list, incident-response process, contact method, and state/international privacy-rights language.