Privacy Policy

Last updated: 11 May 2026

1. Who we are

Lumera (“we”, “us”, “our”) operates the website lumera.com.ph and the Lumera progressive web application (collectively, the “Platform”). As the Personal Information Controller under the Philippine Data Privacy Act of 2012 (Republic Act No. 10173, “DPA”), we are responsible for the personal data we collect and process through the Platform.

2. Data we collect

2.1 Account information

When you register, we collect your name, email address, and chosen role (Couple or Supplier). If you sign in via Google or Facebook, we receive your public profile name, email, and profile photo URL from the provider.

2.2 Supplier business data

Suppliers provide a business name, category, service area (city, province), pricing range in Philippine Pesos (PHP), a business description, contact details, and portfolio images. This information is displayed publicly on the supplier’s profile.

2.3 Verification documents

To earn a Lumera Verified badge, suppliers upload identity and business registration documents (e.g. DTI/SEC certificate, government-issued ID). These files are stored in a private bucket and are accessible only to Lumera administrators during the review process. They are never displayed on public profiles or shared with third parties.

2.4 Inquiry and booking data

When a couple sends an inquiry, we store the event date, budget range, guest count, venue preference, message content, and any file attachments. Messages exchanged between couples and suppliers within an inquiry thread are also stored.

2.5 Usage data

We collect standard web analytics: pages visited, referral source, browser type, device type, and approximate location derived from IP address. We use this to improve Platform performance and understand usage patterns. We do not use third-party tracking pixels or advertising cookies.

2.6 WebAuthn credentials

If you enable passwordless login, we store a public-key credential identifier and public key associated with your device. Your biometric data (fingerprint, face) never leaves your device and is not accessible to Lumera.

3. How we use your data

  • Operate the Platform — authenticate your identity, display supplier profiles, facilitate inquiries and bookings.
  • Verify suppliers — review uploaded documents to grant or deny the Verified badge.
  • Communicate with you — send transactional emails (inquiry notifications, verification status, booking confirmations) and in-app notifications.
  • Improve the service — analyse aggregated, anonymised usage data to fix bugs, improve search ranking, and plan new features.
  • Comply with law — respond to lawful requests from Philippine government agencies and courts.

4. Legal bases for processing

Under the DPA, we process your personal data based on:

  • Consent — you provide personal data voluntarily when you create an account or submit verification documents.
  • Contract — processing is necessary to deliver the services you requested (account management, inquiry facilitation, booking tracking).
  • Legitimate interest — aggregated analytics and fraud prevention, balanced against your privacy rights.
  • Legal obligation — retention of booking and transaction records for tax and regulatory compliance.

5. Who we share data with

  • Suppliers and couples — inquiry data is shared between the couple and the supplier involved in that inquiry. Contact details are visible only to authenticated users.
  • Infrastructure providers — Supabase (database, authentication, file storage), Cloudinary (image optimisation), and Railway (hosting). These providers process data on our behalf under data processing agreements.
  • Payment gateways — when you make a subscription payment, transaction data is processed by PayMongo. We do not store full card numbers.

We do not sell, rent, or trade your personal data. We do not share data with advertisers.

6. Data storage and security

Your data is stored in Supabase-managed PostgreSQL databases with row-level security (RLS) policies that restrict access at the database layer. Verification documents are stored in private Supabase Storage buckets with no public URL. All data in transit is encrypted via TLS. Passwords are hashed using bcrypt and are never stored in plaintext.

Our infrastructure is hosted on Railway with automatic deployments from a protected main branch. Access to production systems is restricted to authorised personnel.

7. Data retention

  • Account data — retained while your account is active. Deleted within 30 days of an account deletion request.
  • Verification documents — retained for 1 year after verification decision, then permanently deleted.
  • Inquiry and booking records — retained for 5 years to support dispute resolution and regulatory compliance, then anonymised.
  • Usage logs — retained for 90 days, then purged.

8. Your rights under the DPA

As a data subject under RA 10173, you have the right to:

  • Be informed — know what data we collect and why (this policy).
  • Access — request a copy of the personal data we hold about you.
  • Correct — request correction of inaccurate or incomplete data.
  • Erase — request deletion of your personal data, subject to legal retention requirements.
  • Object — object to processing based on legitimate interest.
  • Data portability — receive your data in a structured, commonly-used format.
  • Lodge a complaint — file a complaint with the National Privacy Commission (NPC) at privacy.gov.ph.

To exercise any of these rights, email privacy@lumera.com.ph. We will respond within 15 days as required by the DPA.

9. Cookies

Lumera uses only essential cookies required for authentication, session management, and antiforgery protection. We do not use advertising, analytics, or social-media tracking cookies. No cookie consent banner is needed because all cookies are strictly necessary for the Platform to function.

10. Children’s privacy

The Platform is intended for users aged 18 and above. We do not knowingly collect personal data from anyone under 18. If we become aware that we have collected data from a minor, we will delete it promptly.

11. Changes to this policy

We may update this policy to reflect changes in our practices or legal requirements. Material changes will be communicated via email or an in-app notification. The “Last updated” date at the top of this page indicates the most recent revision.

12. Contact us

For privacy-related questions or to exercise your data rights:
