Privacy Policy
Effective date: 2026-04-25
1. Who We Are
“LumensHub”, “we”, “us”, or “our” refers to the operator of lumenshub.com, app.lumenshub.com, and the related bridge backend. This Policy explains what personal data we process when you use our services and what rights you have under applicable data-protection law, including the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
2. Data We Collect
2.1 Data you provide voluntarily
- Email address — only if you contact support, subscribe to status updates, or apply for something we offer in the future. We do not require an email to use the Service.
- Information in support tickets — transaction hashes, addresses, screenshots, or anything else you choose to share when asking for help.
2.2 Data we receive automatically
- Stellar public keys — necessarily visible on-chain; we record them when they interact with the bridge.
- Source-chain addresses (Polygon, XRP Ledger, Solana) used to fund deposits or receive payouts.
- IP address — used for sanctions / geo-restriction compliance and for fraud detection. Logged at the edge layer (Vercel) and at the bridge service.
- User-agent and approximate location (country, derived from IP).
- Aggregated usage analytics via Vercel Analytics — pageviews, route, referrer; does not include personally identifiable user data.
- On-chain transaction data related to deposits, withdrawals, and reconciliation.
2.3 Data we do not collect
- Private keys, mnemonics, or passwords — the wallet is non-custodial. These never leave your browser.
- Government-issued identification documents — we do not perform full KYC at this time.
- Device fingerprints, advertising identifiers, or third-party tracking pixels.
3. Why We Process This Data
- To provide the bridge and wallet services — processing addresses and transaction data is what the Service technically does.
- To comply with sanctions and AML obligations — screening against OFAC SDN and similar lists; geo-restricting access where required.
- To prevent fraud and abuse — rate-limiting, anomaly detection, blocking suspected attackers.
- To support you — debugging your reported issue, correlating logs to your transaction.
- To maintain and improve the Service — aggregated analytics, performance monitoring.
4. Legal Bases (GDPR Art. 6)
- Contractual necessity — we cannot run the bridge without processing your transaction data.
- Legal obligation — sanctions screening, AML, fraud reporting.
- Legitimate interest — security, fraud prevention, product improvement.
- Consent — for any optional analytics or communications you opt into.
5. Third Parties Who See Your Data
We rely on the following service providers to operate the Service. Each is bound by its own privacy policy. We do not sell your data to anyone.
- Vercel, Inc. — hosting (web, marketing, admin), edge analytics
- Railway Corp. — backend (bridge service, Postgres, Redis)
- Stellar Development Foundation — public Stellar Horizon API (necessarily sees the on-chain queries we make on your behalf)
- Onramper Technologies B.V. — only when you explicitly use the “Buy” flow; their iframe processes the fiat-on-ramp transaction
- WalletConnect Inc. / RainbowKit — only if you connect an external EVM wallet
- Telegram Messenger Inc. — only for delivering operational alerts to our internal team (no user data sent)
- U.S. Treasury OFAC — we periodically download their SDN sanctions list (no data sent to them)
6. Data Retention
- Transaction records: retained for seven (7) years to satisfy AML record-keeping requirements.
- Server logs: 30 days.
- Audit logs: 1 year.
- Risk flags: retained until resolved, plus 1 year.
- Support correspondence: 2 years from last interaction.
- Marketing data (if you sign up for updates): until you unsubscribe.
7. Your Rights
Depending on your jurisdiction, you may have the right to:
- access the personal data we hold about you;
- correct inaccurate or incomplete data;
- request deletion (subject to our legal obligation to retain transaction records);
- restrict or object to certain processing;
- portability — receive a copy of your data in machine-readable form;
- withdraw consent at any time;
- lodge a complaint with your local data-protection authority.
Address requests to privacy@lumenshub.com. We will respond within thirty (30) days.
8. Cookies & Local Storage
The wallet uses browser localStorage (not cookies) to keep your encrypted secret key, your session preferences, and a short-lived unlock state. None of this is transmitted to our servers. Vercel Analytics sets a session cookie purely for page-view aggregation.
9. International Transfers
Our backend runs in the United States (Vercel) and the United States or Europe (Railway), depending on the region you connect from. By using the Service you consent to your data being processed in those countries, which may have data-protection regimes different from your own. For EU/UK users we rely on Standard Contractual Clauses with our U.S. processors.
10. Children
The Service is not intended for anyone under eighteen (18). We do not knowingly collect data from minors. If you believe we have inadvertently received data from a minor, please contact us and we will delete it.
11. Changes to This Policy
We may update this Policy from time to time. Material changes will be announced via the Service or by email; the “Effective date” at the top will reflect the most recent revision.
12. Contact
For privacy-related questions or to exercise your rights, contact privacy@lumenshub.com.