Lumora Privacy Policy
Effective Date: May 6, 2026
Japanese / Korean translations coming soon. Until then, please refer to this English version.
1. Introduction
Lumora ("we", "our", "us") respects your privacy. This Privacy Policy explains how we collect, use, store, and protect your information when you use the Lumora mobile application ("App"). By using the App, you consent to the practices described in this policy.
2. Information We Collect
2.1 Information You Provide
- Camera images and photos selected from your photo library for skin analysis, makeup simulation, body reshaping, and image editing
- Account credentials (email, password) if you create an account via email registration
- Apple ID information if you sign in with Apple
2.2 Automatically Collected Information
- Device information (model, OS version, app version)
- App usage analytics and crash reports (via Firebase Analytics and Crashlytics)
- Subscription and purchase information managed by Apple
- Advertising identifiers for personalized ads (via Google AdMob)
2.3 Facial and Biometric Data
- Facial depth and landmark data accessed via Apple's TrueDepth API for AR filters and skin analysis
- Face detection data processed by on-device CoreML models (FaceParsing) for skin segmentation
- Facial landmark positioning for face reshaping features (V-line, eye enlargement, nose slimming, etc.)
3. Use of TrueDepth API and Face Data
Lumora uses Apple's TrueDepth API and ARKit to access real-time facial depth and landmark positioning for the following purposes:
- AR face filters and 3D face mesh rendering
- Face reshaping and virtual makeup simulation
Important: All TrueDepth depth-map data, ARKit facial mesh data, and on-device CoreML output is processed locally on the user's device. We do not store, transmit, retain, or share raw facial depth maps, biometric identifiers, or facial templates with any server or third party.
3.1 Cloud Image Processing for AI Features
Some Lumora AI features require sending the photo you select or capture to our backend in order to be processed. The image is transmitted over HTTPS, processed transiently, and is not retained after the response is returned:
- Beauty DNA Report — selected selfie sent to our AWS Lambda endpoint (
ap-northeast-2, Seoul) which forwards it to a self-hosted CPU AI inference server for skin/style scoring. Result returned within seconds. Source image is discarded after the response.
- AI photo transforms (age transform, gender swap, cartoon, photo restore, smile generate, beauty filter, virtual makeup) — image sent to our AWS Lambda endpoints which call self-hosted AI models. No server-side retention.
- Virtual try-on / clothes change / Recruit Photo / Matching App Photo modes — image sent to our AWS Lambda endpoint which forwards to FASHN.ai (a third-party virtual try-on service) for garment swapping. FASHN.ai operates under its own privacy policy and uses the image solely to render the requested output. We never persist the image or the result on our backend.
You can use the App offline-only by limiting yourself to features that do not invoke these cloud endpoints (filters, on-device makeup, AR effects). The Beauty DNA Report is intentionally network-dependent.
4. How We Use Your Information
- Provide AI skin analysis results, scores, and heatmap visualizations
- Enable AR filters, virtual makeup, face/body reshaping, and image editing features
- Manage your account, BeautyCoin balance, and subscription status
- Process in-app purchases and verify receipts
- Display relevant advertisements via Google AdMob
- Analyze app usage to improve features and user experience
- Send crash reports to diagnose and fix issues
5. Third-Party Services
We use the following third-party services that may collect data:
| Service | Purpose | Data Collected |
|---|
| Firebase Analytics | Usage analytics | App events, device info |
| Firebase Crashlytics | Crash reporting | Crash logs, device info |
| Google AdMob | Advertising | Ad identifiers, ad interactions |
| AWS Cognito (ap-northeast-2) | User authentication | Account credentials, tokens |
| AWS Lambda + API Gateway (ap-northeast-2) | AI image transforms, Beauty DNA scoring | Photos transiently processed; not retained |
| FASHN.ai | Virtual try-on / clothes change / Recruit + Matching photo modes | Photos transiently sent for garment swap; not retained on our side |
| Apple StoreKit | In-app purchases (subscription, BeautyCoin) | Purchase receipts |
Each third-party service operates under its own privacy policy. We encourage you to review them.
6. Data Storage and Retention
- TrueDepth and on-device CoreML data: Processed locally on-device and never transmitted off the device.
- Cloud-processed images (Beauty DNA, AI transforms, virtual try-on): Transmitted over HTTPS, processed transiently, and discarded after the response is returned. We do not retain copies on our backend servers.
- Account data: Stored securely via AWS Cognito (ap-northeast-2 / Seoul region) for the duration of your account.
- BeautyCoin transaction history: Maintained on our AWS DynamoDB tables (ap-northeast-2) for account integrity.
- Analytics data: Retained according to Firebase's standard retention policies.
- Subscription data: Managed by Apple according to their policies.
- Local preferences: Stored on-device via UserDefaults and can be cleared by uninstalling the App.
7. Data Sharing
We do not sell, rent, or share your facial data or personal images with third parties. We may share data only in the following circumstances:
- With third-party service providers listed above, solely for the purposes described
- When required by law or to comply with legal process
- To protect the rights, safety, or property of Lumora or its users
8. Data Security
We implement reasonable security measures including:
- HTTPS encryption for all network communications
- JWT token-based authentication with automatic token refresh
- On-device processing for sensitive facial and biometric data
- Image compression before any network transmission (max 1024px, 70% quality)
9. Children's Privacy
Lumora is not intended for use by children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has provided us with personal information, we will take steps to delete such information.
10. User Rights
You have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your account and associated data
- Opt out of personalized advertising through your device settings
- Withdraw consent at any time by discontinuing use of the App
Users in Japan, the EEA, the United Kingdom, California, and other jurisdictions with comparable data-protection laws (e.g. APPI, GDPR, UK GDPR, CCPA/CPRA) retain all rights granted under their local law. Requests can be sent to the contact address below; we respond within 30 days.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any significant changes by posting the new policy within the App. Your continued use of the App after changes constitutes acceptance of the updated policy.
12. Contact Information
If you have questions or requests regarding this Privacy Policy, please contact us at:
Email: jimmy@junsoft.org