Security Overview
Lumingo takes reasonable technical and organizational measures to protect accounts, learning data, AI interactions, and uploads. While we strive to protect your information, no system is perfectly secure.
Account Security
We use Supabase Auth for identity management, supporting email/password and Google sign-in where available, along with password recovery flows.
You are responsible for keeping access to your email and Lumingo account secure.
Data Protection
We implement database security rules, including row-level security where applicable, to help enforce access controls.
Service-role and administrative access is intended to stay server-side and limited to operational needs.
We also provide an account deletion flow for removing app-owned account data when needed.
AI and Logging Safety
Lumingo is designed to minimize raw user content in AI and debug logs where practical.
AI requests may be processed by AI providers and subprocessors as described in our Privacy Policy.
Upload Safety
Uploaded files and images may be processed for AI responses.
Do not upload secrets, private keys, passwords, medical, legal, or financial documents, identity documents, confidential data, or third-party personal data.
Abuse Protection
We may use rate limiting, monitoring, and operational safeguards to reduce abuse and keep the service reliable.
Lumingo may restrict accounts that abuse the service or attack the system.
Responsible Disclosure
We appreciate reports of potential security vulnerabilities.
Please send security reports to security@lumingo.me.
Include clear steps to reproduce, the affected URL or feature, the potential impact, and a safe proof of concept.
Please do not access, modify, delete, or exfiltrate other users' data.
Out-of-Scope Security Testing
The following activities are not allowed:
- DDoS or stress testing.
- Spam, phishing, or social engineering.
- Physical attacks.
- Destructive testing.
- Attempts to persist access, install malware, or access other users' accounts or data.
- Public disclosure before Lumingo has had reasonable time to review and address the issue.
Bug Bounty
Lumingo does not currently run a paid bug bounty program. We appreciate responsible reports, but no financial reward is guaranteed.