Lumenfall
Sign Up

Legal

Privacy Policy

Last updated: March 5, 2026

This Privacy Policy describes how Telesoft AG, operating as Lumenfall ("Lumenfall", "we", "us", or "our"), a company incorporated under the laws of Switzerland, collects, uses, discloses, and protects your personal data when you access our website, platform, API, browser extension, and related services (collectively, the "Service"). We are committed to protecting your privacy in accordance with the Swiss Federal Act on Data Protection (FADP), the EU General Data Protection Regulation (GDPR), and other applicable data protection laws.

Our Service consists of several components, each with specific data handling practices. This policy describes each component in detail so you can understand exactly how your data is handled.

1. Data Controller

Telesoft AG, operating as Lumenfall, is the data controller responsible for your personal data. You can contact us at:

2. Information We Collect

2.1 Information You Provide Directly

We collect information you voluntarily provide when using our Service:

  • Account Information: Name, email address, and password when you create an account
  • Organization Information: Company name, billing address, VAT number, and team member details for business accounts
  • Payment Information: Payment details are processed securely through our payment processor, Stripe. We receive only the last four digits of your card, card type, and billing address
  • Communications: Messages you send to our support team, feedback, or other correspondence

2.2 Information from Third-Party Authentication

If you sign in using a third-party service (such as GitHub or Google), we receive:

  • Your name and email address
  • Account identifier from the authentication provider
  • Profile information you have made publicly available

2.3 Information Collected Automatically

When you access our website or dashboard, we automatically collect:

  • Device Information: Browser type and operating system
  • Network Information: IP address, from which we may infer approximate geographic location
  • Log Data: Access times, pages viewed, referring URLs, and actions taken within our dashboard
  • Cookies: Session identifiers and authentication tokens (see Section 10)

2.4 Device Fingerprinting and Bot Protection

We use device fingerprinting technology in our Arena and public Playground features. This creates a device identifier from browser characteristics (such as screen resolution, timezone, and browser settings). This identification data is not linked to your personal identity and is not used for advertising purposes. We use it for:

  • Arena: To prevent vote manipulation and ensure fair model rankings by detecting duplicate voting attempts
  • Public Playground: To enforce rate limits on free model generations for visitors who are not logged in

We also use Cloudflare Turnstile on the Arena and public Playground to verify that interactions are submitted by humans. This involves sharing a verification token with Cloudflare for processing and may set cookies on your device.

3. How We Handle Data by Service

Our Service consists of several components, each with distinct data handling practices.

3.1 Website

We use analytics on our website to improve our product and marketing efforts. This analytics data is not shared with third parties.

3.2 Arena

The Arena allows users to compare and vote on AI model outputs.

  • Device Fingerprinting: We collect a device fingerprint solely to prevent vote manipulation (see Section 2.4)
  • Visitor Cookie: We set a persistent cookie to identify returning visitors and prevent duplicate voting. This cookie is not linked to your personal identity
  • Bot Protection: We use Cloudflare Turnstile to verify that interactions are submitted by humans (see Section 2.4)
  • Voting Data and Behavior: By participating in the Arena, you grant Lumenfall all rights to your voting data and associated behavioral data (such as dwell time, interaction patterns, and preferences). This data may be used by Lumenfall for any purpose, including but not limited to improving our services, training AI models, research, and sharing with or disclosing to third parties

3.3 Playground

The Playground allows users to generate content using AI models through our website.

Free Generations

  • Content Storage: All request and response data, including text prompts, generated media (images, audio, video), and uploaded files, is retained indefinitely
  • Usage Rights: Lumenfall may use data from free Playground generations for any purpose, including but not limited to improving our services, training AI models, research, and sharing with or disclosing to third parties. This data may be anonymized prior to such use, after which it is no longer considered personal data and cannot be subject to deletion requests

Paid Generations

  • Content Storage: Request and response data, including text prompts, generated media, and uploaded files, is stored by default so you can access a history of your generations. You are in control of this data: you may delete individual items or your entire generation history at any time through the Playground interface
  • Request Metadata: Request metadata (see Section 3.4) is stored indefinitely for billing and platform stability purposes, even if you delete your generation history

3.4 Gateway (API)

The Gateway is our API that developers use to access AI models programmatically. It uses API key authentication and does not use cookies.

Free API Usage

  • Content Storage: All request and response data, including text prompts, generated media, and uploaded files, is retained indefinitely
  • Usage Rights: Lumenfall may use data from free API generations for any purpose, including but not limited to improving our services, training AI models, research, and sharing with or disclosing to third parties. This data may be anonymized prior to such use, after which it is no longer considered personal data and cannot be subject to deletion requests

Paid API Usage

  • Request and Response Content: By default, we do not store the content of your API requests or responses (prompts, generated media, uploaded files) beyond what is necessary to complete the request. Content may be stored if you explicitly opt in to content logging

All API Usage

  • Temporary Media Storage: In some cases, generated media may be temporarily stored on our infrastructure to deliver it to you (for example, when format conversion is required or when the upstream provider does not supply a direct URL). This data is automatically deleted after a short period and is used solely to fulfill your request
  • Content Moderation: We reserve the right to scan requests for content that violates our terms or applicable law, including but not limited to illegal content, child sexual abuse material (CSAM), and content depicting unlawful violence. Where content is flagged as illegal or in violation of our terms, request and response data may be retained as required by law or as necessary for reporting to the relevant authorities, regardless of any other retention policies described in this section
  • Request Metadata: We always store request metadata indefinitely for billing, platform stability, and performance monitoring. This includes: HTTP headers, usage data (model used, token counts, request/response sizes), timing data (latency, processing duration), routing data (provider selected, failover information), request IP address, and User Agent
  • Third-Party AI Providers: When we route your request to a third-party AI provider (such as Google, OpenAI, or others), your content is subject to that provider's data handling practices. Different providers have different data retention policies, and some may retain data for abuse monitoring, safety, or model improvement unless you opt out directly with them. We work with providers to understand their policies and can provide information about specific providers upon request. For enterprise customers, we offer routing options that prioritize providers with stricter data handling commitments

3.5 Dashboard

The Dashboard is our web application for managing your account, API keys, and usage.

  • Personal and Billing Data: We store the personal and billing information you provide to operate your account. This data is not shared with third parties
  • Feature Usage Analytics: We collect analytics on how you use Dashboard features (which features you access, how frequently, and similar usage patterns) to improve our product. This analytics data is not shared with third parties

3.6 Chrome Extension

Our Chrome Extension allows you to access Lumenfall features directly from your browser.

  • No Cookies, Analytics, or Telemetry: The Chrome Extension does not use cookies, collect analytics, or send telemetry data
  • Local Storage Only: Authentication credentials, settings, and generated content are stored locally in your browser. This data remains on your device and is not transmitted to our servers except as necessary to authenticate API requests
  • Data Deletion: Locally stored data is deleted when you clear the extension's data or uninstall the extension
  • API Usage: When you use the extension to generate content, the requests are processed through the Gateway and subject to Section 3.4

4. Legal Bases for Processing

Under the Swiss FADP and GDPR, we process your personal data based on the following legal grounds:

  • Contract Performance: Processing necessary to provide the Service, manage your account, process payments, and fulfill our contractual obligations to you
  • Legitimate Interests: Processing for our legitimate business interests, such as improving our Service, ensuring security, preventing fraud, and conducting analytics, where these interests are not overridden by your rights
  • Legal Obligations: Processing required to comply with applicable laws, regulations, court orders, or legal processes
  • Consent: Where required by law, we obtain your consent for specific processing activities, such as marketing communications. You may withdraw consent at any time

5. How We Use Your Information

We use the information we collect for the following purposes:

  • Service Delivery: Process API requests, manage your account, provide customer support, and deliver the core functionality of our platform
  • Billing and Payments: Calculate usage, generate invoices, process payments, and maintain financial records
  • Product Improvement: Analyze usage patterns, feature adoption, and website analytics to optimize performance, troubleshoot issues, and develop new features. Analytics data is not shared with third parties
  • AI Model Training and Research: Data from Arena participation, free Playground generations, and free API generations may be used to train AI models and conduct research, as described in Sections 3.2, 3.3, and 3.4
  • Aggregate Data: We may share aggregate, anonymized model usage data with third parties
  • Anonymized Categorization: We may use automated systems to categorize and classify the content you submit to the Service (such as prompts and inputs) for the purpose of generating anonymized, aggregated metrics, including usage statistics, model popularity rankings, and content category distributions. The content itself is not stored beyond what is necessary to perform the categorization. The resulting anonymized category data is not associated with your account or identity and may be used, shared, or published for any purpose, including on public-facing features such as rankings pages
  • Content Moderation: We reserve the right to scan generation requests for content that violates our terms or applicable law. Where illegal content is detected, we may retain request data and report it to the relevant authorities as required by law
  • Security and Abuse Prevention: Detect, prevent, and respond to fraud, abuse, vote manipulation, security incidents, and violations of our terms
  • Communications: Send service-related notices, security alerts, technical updates, and respond to your inquiries
  • Legal Compliance: Meet regulatory requirements, respond to legal requests, and protect our legal rights

6. Data Sharing and Disclosure

We do not sell your personal data. However, pursuant to the content license granted in our Terms of Service, the following data may be shared with or disclosed to third parties:

  • Arena voting data and behavioral data (see Section 3.2)
  • Data from free Playground generations (see Section 3.3)
  • Data from free API generations (see Section 3.4)
  • Aggregate, anonymized model usage data
  • Anonymized content category data derived from input categorization (see Section 5)

We may also share information in the following circumstances:

6.1 AI Model Providers

To process your API requests, we transmit your input content to third-party AI model providers. Each provider processes this data according to their own privacy policies and terms of service.

6.2 Service Providers

We engage trusted service providers who process data on our behalf:

  • Infrastructure: Cloudflare and Google Cloud Platform (hosting, CDN, storage, security)
  • Payment Processing: Stripe (payment handling, billing)
  • Analytics: Service providers that help us understand usage and improve our product

All service providers are contractually bound to protect your data and use it only for the purposes we specify.

6.3 Legal Requirements

We may disclose your information when required by law, court order, or government authority, or when we believe disclosure is necessary to:

  • Comply with legal obligations
  • Protect our rights, property, or safety
  • Protect the rights, property, or safety of our users or the public
  • Detect, prevent, or address fraud, security, or technical issues

6.4 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our website of any change in ownership or uses of your personal data.

7. International Data Transfers

As a Swiss company operating globally, we may transfer your data to countries outside Switzerland and the European Economic Area (EEA). When we do so, we ensure appropriate safeguards are in place:

  • Adequacy Decisions: Transfers to countries recognized by Switzerland and the EU as providing adequate data protection
  • Standard Contractual Clauses: EU and Swiss-approved contractual provisions ensuring data protection standards
  • Data Processing Agreements: Contracts with all service providers specifying data protection obligations

AI model providers are located in various jurisdictions, including the United States. By using our Service, you acknowledge that your content may be processed in these locations.

8. Data Retention

We retain your information as follows:

  • Account Data: Retained while your account is active. After account deletion, retained for up to 90 days to allow for account recovery, then deleted
  • Gateway API Request Metadata: Retained indefinitely for billing and platform stability
  • Gateway API Content — Free: Request and response data, including media, retained indefinitely
  • Gateway API Content — Paid: Not retained beyond request processing unless you opt in to content logging
  • Playground Data (Free): Request and response data, including media, retained indefinitely
  • Playground Data (Paid): Request and response data, including media, retained indefinitely for your convenience. Deletable by you at any time. Metadata retained indefinitely regardless
  • Arena Data: Voting data and behavioral data retained indefinitely
  • Anonymized Categorization Data: Only the resulting anonymized category labels and aggregated metrics are retained. The underlying content used for categorization is not stored beyond the categorization process. Anonymized data is retained indefinitely as it is no longer personal data
  • Billing and Financial Records: Retained for 10 years to comply with Swiss commercial and tax law
  • Support Communications: Retained for 3 years after resolution
  • Content Moderation Data: Where content is flagged as illegal, retained as required by law for reporting to authorities
  • Security and Abuse Logs: Retained for up to 1 year
  • Chrome Extension Data: Stored locally on your device until you delete it or uninstall the extension

You may request deletion of your data at any time, subject to legal retention requirements and the specific retention rules described above.

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including encryption of data in transit and at rest, access controls, and secure infrastructure. Despite our efforts, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee absolute security of your data.

9.1 Data Breach Notification

In the event of a personal data breach that poses a high risk to your rights and freedoms, we will notify you without undue delay. We will also notify the Federal Data Protection and Information Commissioner (FDPIC) as required by Swiss law.

10. Cookies and Tracking Technologies

10.1 Website and Dashboard

We use cookies and similar technologies on our website and dashboard:

  • Essential Cookies: Required for authentication, session management, and security features (CSRF protection). These cannot be disabled
  • Functional Cookies: Remember your preferences and settings to enhance your experience
  • Analytics Cookies: Help us understand how visitors interact with our website and dashboard to improve our product and marketing. Analytics data is not shared with third parties. You can opt out of analytics cookies through your browser settings

We do not use advertising cookies or share cookie data with advertisers.

10.2 Gateway (API)

The Gateway does not use cookies. It authenticates via API keys.

10.3 Arena and Public Playground

The Arena sets a persistent visitor cookie to identify returning visitors and prevent duplicate voting. This cookie is not linked to your personal identity.

The Arena and public Playground use device fingerprinting and Cloudflare Turnstile for bot protection as described in Section 2.4. Turnstile may set its own cookies on your device.

10.4 Chrome Extension

The Chrome Extension does not use cookies, analytics, or any tracking technologies. Authentication data and settings are stored locally in your browser.

11. Your Rights

Under the Swiss FADP and, where applicable, the GDPR, you have the following rights regarding your personal data:

  • Right of Access: Request a copy of the personal data we hold about you
  • Right to Rectification: Request correction of inaccurate or incomplete data
  • Right to Erasure: Request deletion of your personal data, subject to legal retention requirements
  • Right to Data Portability: Receive your data in a structured, commonly used, machine-readable format
  • Right to Restriction: Request limitation of processing in certain circumstances
  • Right to Object: Object to processing based on legitimate interests or for direct marketing
  • Right to Withdraw Consent: Where processing is based on consent, withdraw that consent at any time
  • Right to Information: Request information about the data we collect and how it is processed

To exercise these rights, please contact us at [email protected]. We will respond within 30 days. We may request verification of your identity before processing your request.

Please note that certain data may not be subject to deletion requests, including Arena voting data (which is anonymized and not linked to your identity) and request metadata retained for legal or billing purposes.

11.1 Right to Lodge a Complaint

If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. In Switzerland, this is the Federal Data Protection and Information Commissioner (FDPIC):

If you are located in the EEA, you may also contact your local data protection authority.

12. Enterprise Customers

If you use our Service under an enterprise agreement, additional terms may apply:

  • Your organization is the data controller for personal data processed through your enterprise account
  • We act as a data processor on behalf of your organization
  • A Data Processing Agreement (DPA) governs our processing activities
  • Enterprise customers may have access to additional privacy features, including dedicated infrastructure and enhanced data handling options

13. California Privacy Rights (CCPA)

California residents have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to Know: Request information about what personal information we collect, use, and share
  • Right to Delete: Request deletion of your personal information
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Opt-Out of Sale/Sharing: We do not sell your personal information within the meaning of the CCPA. Certain data (Arena voting data, free Playground and API generation data, and aggregate model usage data) may be disclosed to third parties pursuant to the content license granted in our Terms of Service, as described in Sections 3.2, 3.3, and 3.4
  • Right to Non-Discrimination: Exercise your privacy rights without discriminatory treatment

To exercise these rights, contact us at [email protected].

14. Children's Privacy

Our Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child under 18, we will take steps to delete that information promptly. If you believe we have inadvertently collected such data, please contact us at [email protected].

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes:

  • We will update the "Last updated" date at the top of this policy
  • For material changes, we will notify you by email and/or through a notice in our dashboard
  • We encourage you to review this policy periodically

Your continued use of the Service after any changes indicates your acceptance of the updated policy.

16. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

  • Email: [email protected]
  • Mailing Address: Telesoft AG, Weisserlenweg 7, 8966 Oberwil-Lieli, Switzerland

We aim to respond to all inquiries within 30 days.

Book a Meeting

Schedule a call with the Lumenfall team