Lumen Financial — Privacy Policy

Last updated: May 4, 2026

1. Introduction

1.1 Overview

This Privacy Policy describes how Lumen Financial ("Lumen," "the Company," "we," "us," or "our") collects, uses, stores, shares, and protects personal information and financial data when you use our AI-powered personal finance analytics platform available at https://lumenfinancial.co (the "Service").

Lumen provides spending analytics, net worth tracking, and AI-powered financial insights by securely connecting to your financial institution accounts through Plaid, a third-party financial data aggregation service. We are committed to protecting your privacy and handling your data with transparency, care, and in compliance with applicable data protection laws.

1.2 Acceptance

By creating an account, linking a financial institution, or otherwise using the Service, you acknowledge that you have read, understood, and agree to the terms of this Privacy Policy. If you do not agree with this Privacy Policy, you must not use the Service.

1.3 Scope

This Privacy Policy applies to all personal information and financial data collected through:

The Lumen website and web application at https://lumenfinancial.co;

The Plaid Link integration used to connect financial institution accounts;

Communications with us via email or other channels.

2. Information We Collect

2.1 Information You Provide Directly

When you create an account or interact with the Service, we collect the following information that you provide directly:

Data Type	Description	Purpose

Name	Your first and last name as provided during registration	Account identification and personalization
Email Address	Your email address used for account registration	Account authentication, communications, and account recovery
Password	Your chosen password (stored only as a bcrypt hash — we never store or have access to your plaintext password)	Account authentication

2.2 Financial Data Collected via Plaid

When you connect a financial institution through the Plaid Link integration, Plaid securely retrieves the following types of financial data on our behalf:

Data Type	Description	Purpose

Account Information	Account names, types (checking, savings, credit card, investment, etc.), and masked account numbers	Displaying your connected accounts and categorizing financial data
Account Balances	Current and available balances for connected accounts	Net worth calculation and balance tracking
Transaction Data	Transaction descriptions, amounts, dates, categories, and merchant information	Spending analytics, categorization, trend analysis, and AI-powered insights
Institution Information	The name and identifier of your connected financial institution	Display purposes and data organization

Important: We never receive, process, or store your bank login credentials (username, password, security questions, or MFA codes). Authentication with your financial institution is handled entirely by Plaid through their secure Plaid Link interface. Lumen receives only a Plaid access token, which authorizes read-only data retrieval and cannot be used to initiate transactions, transfers, or any changes to your accounts.

2.3 Information Collected Automatically

When you use the Service, we may automatically collect:

Data Type	Description	Purpose

Log Data	IP address, browser type, operating system, referring URL, pages visited, and timestamps	Security monitoring, troubleshooting, and service improvement
Cookies	Session cookies and authentication tokens	Session management and authentication (see Section 10)

3. How We Use Your Information

3.1 Primary Uses

We use the information we collect for the following purposes:

Providing the Service — Displaying your connected financial accounts, account balances, and transaction history within the Lumen application;

Spending Analytics — Categorizing and analyzing your transactions to provide insights into spending patterns, trends, and summaries;

Net Worth Tracking — Calculating and displaying your net worth based on connected account balances over time;

AI-Powered Financial Insights — Processing your financial data to generate personalized, AI-powered insights, recommendations, and analysis using Anthropic's AI services;

Account Management — Managing your account, authenticating your identity, and processing your requests;

Security — Detecting, preventing, and responding to fraud, unauthorized access, and other security threats;

Communications — Sending account-related notifications, security alerts, and service updates;

Service Improvement — Analyzing aggregated, de-identified usage patterns to improve the Service.

3.2 Legal Bases for Processing

We process your personal information based on the following legal grounds:

Consent: You provide explicit consent when creating an account and linking financial institutions through Plaid Link;

Contract Performance: Processing is necessary to provide the Service you have requested;

Legitimate Interest: Processing for security, fraud prevention, and service improvement;

Legal Obligation: Processing required to comply with applicable laws and regulations.

4. Third-Party Services

4.1 Overview

Lumen uses the following third-party services to operate the Service. We share only the minimum data necessary for each service to perform its function.

4.2 Plaid

Provider: Plaid Inc.

Purpose: Plaid provides the secure connection between Lumen and your financial institutions. Plaid handles all authentication with your bank and retrieves financial data on our behalf.

Data Shared: Plaid processes your bank login credentials (which Lumen never sees) and provides us with account information, balances, and transactions. We store a Plaid access token (encrypted with AES-256-GCM) that authorizes ongoing data retrieval.

Data Access: Read-only access to financial account data. Plaid and Lumen cannot initiate transactions, transfers, or modifications to your accounts.

Privacy Policy: https://plaid.com/legal/#end-user-privacy-policy

Security: Plaid is SOC 2 Type II certified and maintains comprehensive security controls for handling consumer financial data.

4.3 Anthropic (AI Services)

Provider: Anthropic PBC

Purpose: Anthropic's AI models power the intelligent financial insights, analysis, and recommendations provided by the Service.

Data Shared: Anonymized or pseudonymized financial data (transaction descriptions, amounts, categories, and spending patterns) is sent to Anthropic's API to generate personalized insights. We minimize the personal information included in AI requests — we do not send your name, email, bank login credentials, or full account numbers to Anthropic.

Data Retention by Anthropic: Anthropic processes data sent via their API in accordance with their data processing terms. API inputs and outputs are not used to train Anthropic's models.

Privacy Policy: https://www.anthropic.com/privacy

4.4 Cloudflare

Provider: Cloudflare, Inc.

Purpose: DDoS protection, web application firewall, and content delivery.

Data Shared: Web traffic passes through Cloudflare's network. Cloudflare may process IP addresses, request headers, and other network-level data for security purposes.

Privacy Policy: https://www.cloudflare.com/privacypolicy/

4.5 Hetzner

Provider: Hetzner Online GmbH

Purpose: Server hosting infrastructure.

Data Shared: All application data resides on Hetzner's infrastructure. Hetzner provides the physical and virtual server environment but does not have application-level access to user data.

Privacy Policy: https://www.hetzner.com/legal/privacy-policy/

4.6 Let's Encrypt

Provider: Internet Security Research Group (ISRG)

Purpose: TLS certificate issuance for encrypted HTTPS connections.

Data Shared: Domain name and server IP address during certificate issuance. No user data is shared.

Privacy Policy: https://letsencrypt.org/privacy/

5. Consumer Consent

5.1 Account Creation Consent

When you create a Lumen account, you provide consent by:

Providing your name and email address;

Creating a password;

Agreeing to this Privacy Policy and our Terms of Service.

5.2 Financial Data Consent via Plaid Link

When you connect a financial institution, you provide explicit, informed consent through the Plaid Link flow:

You initiate the connection by choosing to link a financial account within the Lumen application;

Plaid Link presents you with a consent screen disclosing the types of data that will be shared with Lumen and how it will be used;

You authenticate with your financial institution through Plaid's secure interface;

You explicitly authorize the data sharing by completing the Plaid Link flow.

You may revoke this consent at any time by disconnecting your financial institution from the Lumen application (see Section 6).

5.3 AI Insights Consent

By using the Service, you consent to your financial data being processed by AI services (Anthropic) to generate personalized insights. If you do not wish for your data to be processed by AI services, you should not use the Service, as AI-powered analysis is a core function.

6. Data Retention and Deletion

6.1 Data Retention

We retain your personal information and financial data for as long as your account is active and as needed to provide the Service. Specifically:

Data Type	Retention Period

Account Information (name, email)	Duration of active account plus 30 days after deletion request
Financial Data (transactions, balances)	Duration of active account plus 30 days after deletion request
Plaid Access Tokens	Duration of active account; revoked immediately upon account deletion or account disconnection
Authentication Logs	90 days
Hashed Passwords	Duration of active account; deleted upon account deletion

6.2 Account Deletion

You may request deletion of your account and all associated data at any time. Upon receiving a deletion request:

Plaid Token Revocation: All Plaid access tokens associated with your account are revoked immediately, terminating Lumen's ability to retrieve any further data from your financial institutions;

Data Deletion: All personal information, financial data, and account records are permanently deleted from our database within 30 days of the request;

Backup Purge: Data is removed from any backups within the normal backup rotation cycle, not to exceed 90 days;

Confirmation: You will receive email confirmation when your data deletion is complete.

To request account deletion, contact us at [email protected] or use the account deletion feature within the application.

6.3 Data After Disconnecting a Financial Institution

When you disconnect a specific financial institution from Lumen (without deleting your entire account):

The Plaid access token for that institution is revoked immediately;

No further data will be retrieved from that institution;

Previously retrieved transaction and balance data for that institution may be retained to maintain the integrity of your historical analytics, unless you specifically request its deletion.

7. Data Sharing and Disclosure

7.1 We Do Not Sell Your Data

Lumen does not sell, rent, lease, or trade your personal information or financial data to any third party. This commitment applies to all categories of data we collect.

7.2 Limited Sharing

We share data only with the third-party service providers described in Section 4, and only to the extent necessary to provide the Service:

Plaid: Receives our API requests to retrieve your financial data. We share the encrypted access token and account identifiers required for data retrieval;

Anthropic: Receives anonymized/pseudonymized financial data for generating AI-powered insights. Personal identifiers (name, email) are not sent;

Cloudflare: Processes web traffic for security purposes. Does not receive application-level financial data;

Hetzner: Hosts our infrastructure. Does not have application-level access to user data.

7.3 Legal Disclosure

We may disclose your information if required to do so by law, regulation, legal process, or enforceable governmental request. In such cases, we will:

Comply with the legal requirement;

Notify you of the disclosure unless prohibited by law;

Disclose only the minimum information required to satisfy the legal obligation.

7.4 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your data may be transferred to the successor entity. You will be notified via email and/or a prominent notice on the Service prior to any such transfer, and this Privacy Policy will continue to apply to your data until a new privacy policy is accepted by you.

8. Security Measures

8.1 Technical Safeguards

Lumen implements comprehensive technical security measures to protect your data, as detailed in our Information Security Policy (LUMEN-ISP-001). Key measures include:

Encryption in Transit: All data is transmitted over TLS 1.2 or higher;

Encryption at Rest: Plaid access tokens are encrypted using AES-256-GCM. User passwords are hashed with bcrypt;

Network Security: Cloudflare WAF and DDoS protection, UFW firewall with minimal open ports, Docker container isolation;

Access Controls: SSH key-only authentication, role-based access control, principle of least privilege;

Infrastructure Isolation: The database is not exposed to the public internet;

No Bank Credential Storage: We never receive or store your bank login credentials.

8.2 Incident Response

In the event of a data breach affecting your personal or financial data, we will:

Notify you via email within 72 hours of confirming the breach;

Describe the nature of the breach, the data affected, and the steps we are taking to address it;

Provide guidance on steps you can take to protect yourself;

Notify relevant regulatory authorities as required by law.

For full details, see the Incident Response section of our Information Security Policy.

9. Your Rights

9.1 Right of Access

You have the right to request a copy of all personal information and financial data we hold about you. We will provide this information in a commonly used, machine-readable format within 30 days of your request.

9.2 Right to Correction

You have the right to request correction of any inaccurate personal information we hold about you. You may update your name and email address directly through your account settings. For corrections to financial data, please note that transaction data is sourced from your financial institutions via Plaid and reflects the data provided by those institutions.

9.3 Right to Deletion

You have the right to request deletion of your personal information and financial data. See Section 6.2 for the deletion process and timeline.

9.4 Right to Data Portability

You have the right to receive your data in a structured, commonly used, and machine-readable format (such as CSV or JSON). To request a data export, contact us at [email protected].

9.5 Right to Withdraw Consent

You may withdraw your consent to data processing at any time by:

Disconnecting your linked financial institutions;

Deleting your account;

Contacting us at [email protected].

Withdrawal of consent does not affect the lawfulness of processing that occurred prior to withdrawal.

9.6 Right to Restrict Processing

You have the right to request that we restrict the processing of your personal information in certain circumstances, such as while a dispute about data accuracy is being resolved.

9.7 How to Exercise Your Rights

To exercise any of the rights described above, contact us at:

Email: [email protected]

We will respond to all legitimate requests within 30 days. We may ask you to verify your identity before processing your request to protect against unauthorized access.

10. Cookie Policy

10.1 Cookies We Use

Lumen uses a minimal set of cookies that are strictly necessary for the operation of the Service:

Cookie Type	Purpose	Duration

Session/Authentication Cookie	Stores the JWT session token to maintain your authenticated session	Duration of the session or until token expiration
CSRF Token	Prevents cross-site request forgery attacks	Duration of the session

10.2 Cookies We Do Not Use

Lumen does not use:

Third-party advertising or tracking cookies;

Analytics cookies (e.g., Google Analytics);

Social media tracking pixels;

Cross-site tracking cookies.

10.3 Cloudflare Cookies

Cloudflare may set cookies as part of its security services (e.g., the `__cf_bm` bot management cookie). These cookies are used solely for security purposes and are governed by Cloudflare's privacy policy.

10.4 Managing Cookies

Because our cookies are strictly necessary for the Service to function, disabling them may prevent you from using the Service. You can manage cookies through your browser settings.

11. Children's Privacy

11.1 Age Restriction

The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children under 18.

11.2 Parental Notification

If we become aware that we have collected personal information from a child under 18, we will:

Delete the information promptly;

Terminate the associated account;

Notify the parent or guardian if contact information is available.

If you believe a child under 18 has provided personal information to Lumen, please contact us immediately at [email protected].

12. California Privacy Rights (CCPA/CPRA)

12.1 Applicability

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).

12.2 Categories of Personal Information

The following table describes the categories of personal information we collect, as defined by the CCPA:

CCPA Category	Examples	Collected	Sold	Shared for Cross-Context Behavioral Advertising

A. Identifiers	Name, email address	Yes	No	No
B. Personal Information (Cal. Civ. Code 1798.80)	Name, financial account information (masked)	Yes	No	No
D. Commercial Information	Transaction records, account balances	Yes	No	No
F. Internet Activity	Browsing history on our Service, log data	Yes	No	No

12.3 Your California Rights

As a California resident, you have the right to:

Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share your information;

Right to Delete: Request deletion of your personal information, subject to certain exceptions;

Right to Correct: Request correction of inaccurate personal information;

Right to Opt Out of Sale: We do not sell personal information, so this right is satisfied by default;

Right to Opt Out of Sharing for Cross-Context Behavioral Advertising: We do not share personal information for cross-context behavioral advertising;

Right to Limit Use of Sensitive Personal Information: Financial data is used only to provide the Service as described in this policy;

Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.

12.4 Exercising Your California Rights

To submit a request under the CCPA, contact us at:

Email: [email protected]

We will verify your identity before processing your request. We will respond to verified requests within 45 days, as required by law.

12.5 Authorized Agents

You may designate an authorized agent to submit requests on your behalf. The authorized agent must provide written authorization from you and verify their identity.

12.6 Financial Incentives

We do not offer any financial incentives in exchange for the collection, sale, or retention of personal information.

13. International Users

13.1 Data Location

Lumen's servers are located in data centers operated by Hetzner. By using the Service, you acknowledge that your data will be processed and stored on servers in the jurisdiction where Hetzner operates.

13.2 GDPR

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you may have additional rights under the General Data Protection Regulation (GDPR) or equivalent local legislation. The rights described in Section 9 of this policy are intended to satisfy GDPR requirements. For any GDPR-specific inquiries, contact us at [email protected].

14. Changes to This Privacy Policy

14.1 Notification of Changes

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes:

We will update the "Effective Date" at the top of this policy;

We will notify you via email or a prominent notice on the Service at least 30 days before the changes take effect;

We will provide a summary of the material changes.

14.2 Review Schedule

This Privacy Policy is reviewed at least annually and updated as necessary.

14.3 Continued Use

Your continued use of the Service after the effective date of a revised Privacy Policy constitutes your acceptance of the revised terms. If you do not agree to the revised policy, you must stop using the Service and may request deletion of your account and data.

15. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact:

Nigel Silva-Dallenbach

Founder & Security Officer

Lumen Financial

Email: [email protected]

We will respond to all inquiries within 30 days.