LumoraLogin

Privacy Policy

Last updated: May 19, 2026

1. Overview

Lumora ("we", "us", or "our") operates booklumora.com. This Privacy Policy explains how we collect, use, and protect information when you use our platform — whether you are a tutor managing your business or a parent booking sessions for your child.

By using Lumora, you agree to the collection and use of information as described in this policy.

2. Information We Collect

Account information

When you register, we collect your name, email address, and account type (tutor or parent). If you sign in with Google, we receive your name and email from Google.

Booking and session data

We collect information needed to facilitate bookings, including student names, grade levels, session dates and times, service types, and booking status.

Payment information

Payments are processed by Stripe. We do not store full card numbers or sensitive payment details. We receive confirmation of payment status and retain transaction records for billing purposes.

Usage data

We may collect standard server log data such as IP addresses, browser type, and pages visited, used only for security and operational purposes.

3. How We Use Your Information

  • To create and manage your account
  • To facilitate session bookings between tutors and parents
  • To process payments and send receipts
  • To send booking confirmation and reminder emails
  • To provide customer support
  • To improve the reliability and security of the platform

We do not sell your personal information. We do not use your data for advertising.

4. Third-Party Services

Lumora uses the following third-party services to operate:

  • Supabase — database and authentication infrastructure
  • Stripe — payment processing
  • Google OAuth and Google Calendar API — optional sign-in and calendar sync
  • Resend — transactional email delivery
  • Vercel — hosting and deployment

Each of these providers has their own privacy policy governing how they handle data on our behalf.

5. Google User Data

Tutors may optionally connect their Google account to enable Google Calendar sync. When connected, Lumora requests access to create, update, and delete events on your Google Calendar (scope: https://www.googleapis.com/auth/calendar.events).

What we access

We only create, update, and delete calendar events on your behalf. We do not read existing calendar events, access your contacts, or access any other Google account data.

How we store it

Your Google OAuth refresh token is stored encrypted in our database (Supabase) and is used solely to interact with Google Calendar on your behalf. Your connected Google account email address is also stored so you can identify which account is linked.

Sharing and disclosure

We do not share, sell, transfer, or disclose your Google user data (including your OAuth tokens or Google account email) to any third parties for any purpose. Google user data is never used for advertising, analytics, or any purpose beyond providing the calendar sync feature you explicitly enabled.

You can disconnect Google Calendar at any time from your account settings. Upon disconnection, your OAuth refresh token is immediately deleted from our database.

Lumora's use of Google user data complies with the Google API Services User Data Policy, including the Limited Use requirements.

6. Data Security

We implement appropriate technical and organizational measures to protect your personal information:

  • Encryption in transit — all data is transmitted over HTTPS/TLS. We do not support unencrypted connections.
  • Encrypted storage — sensitive credentials such as OAuth refresh tokens are stored in Supabase, which encrypts data at rest.
  • Least privilege access — we request only the minimum OAuth scopes necessary to provide the calendar sync feature. We do not request broader account permissions.
  • No plaintext secrets — payment card numbers and full financial credentials are never stored on our servers. Payments are handled directly by Stripe.
  • Access controls — database access is restricted to the application and authorized personnel only. We use row-level security policies to ensure users can only access their own data.

While we take reasonable steps to protect your information, no method of transmission or storage over the internet is completely secure. If you believe your account has been compromised, contact us immediately at support@booklumora.com.

7. Data Retention

We retain your account and booking data for as long as your account is active or as needed to provide the service. You may request deletion of your account and associated data at any time by contacting us at support@booklumora.com.

8. Cookies and Sessions

Lumora uses cookies solely to manage authenticated sessions. We do not use tracking cookies or third-party advertising cookies.

9. Children's Privacy

Lumora is intended for use by tutors and parents. Student information (names and grade levels) is provided by parents when booking sessions. We do not knowingly collect personal information directly from children under 13.

10. Your Rights

You have the right to access, correct, or delete your personal information. To exercise these rights, contact us at support@booklumora.com.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated date. Continued use of Lumora after changes constitutes acceptance of the updated policy.

12. Contact

Questions about this Privacy Policy? Contact us at support@booklumora.com.