Privacy Policy
1. Who We Are
Lumen (“we”, “us”, or “our”) is a personal movie recommendation service operated as an independent project. If you have any questions about this Privacy Policy or how we handle your data, you may contact us at marcogagliardi84@gmail.com.
2. Information We Collect
We collect only the information necessary to provide the service:
- Account information: your email address, username, hashed password, and country of residence, provided when you register.
- Preference data: movie ratings, watchlist entries, skipped titles, and any other feedback you provide within the app. This data is the core of the recommendation engine.
- Authentication data: if you choose to sign in with Google, we receive your Google account email and display name solely for the purpose of authenticating you.
- Technical data: session identifiers stored in a secure HTTP-only cookie to keep you signed in. We do not use tracking or advertising cookies.
We do not collect payment information, precise location data, or any special categories of personal data as defined by the GDPR.
3. How We Use Your Information
Your data is used exclusively to:
- create and manage your account;
- generate personalised movie recommendations;
- maintain your watchlist, ratings, and preferences;
- authenticate you when you sign in; and
- improve the accuracy of the recommendation engine.
We do not sell, rent, or share your personal data with third parties for advertising or marketing purposes. We do not use your data for automated decision-making that produces legal or similarly significant effects.
4. Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data on the following legal bases:
- Performance of a contract (Art. 6(1)(b) GDPR): processing your account information and preferences is necessary to provide the service you signed up for.
- Legitimate interests (Art. 6(1)(f) GDPR): improving the recommendation engine based on aggregated usage patterns, where those interests are not overridden by your rights.
- Consent (Art. 6(1)(a) GDPR): for optional features such as Google sign-in, which you may choose or decline at any time.
5. Data Retention
We retain your personal data for as long as your account is active. If you request deletion of your account, we will erase your personal data within 30 days, except where retention is required by applicable law.
Anonymised or aggregated data (from which you cannot be identified) may be retained indefinitely for service improvement purposes.
6. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access: request a copy of the personal data we hold about you.
- Rectification: request correction of inaccurate or incomplete data.
- Erasure: request deletion of your personal data (“right to be forgotten”).
- Portability: receive your data in a structured, machine-readable format.
- Restriction: request that we limit how we use your data in certain circumstances.
- Objection: object to processing based on legitimate interests.
- Withdraw consent: where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at marcogagliardi84@gmail.com. We will respond within 30 days. If you are located in the EEA, you also have the right to lodge a complaint with your local data protection authority.
7. Data Security
We implement industry-standard technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These include password hashing, secure (HTTPS) transmission, and HTTP-only session cookies.
However, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security, and you provide your data at your own risk. We will notify you of any data breach as required by applicable law.
8. Third-Party Services
We use the following third-party services, each subject to its own privacy policy:
- Google OAuth: if you choose to sign in with Google, your authentication is handled by Google LLC. We receive only your email and display name. Google’s Privacy Policy is available at policies.google.com/privacy.
- Movie data providers: Lumen retrieves movie metadata (titles, descriptions, posters) from third-party databases. No personal data is shared with these providers.
9. Cookies
We use a single, essential session cookie to keep you authenticated. This cookie is strictly necessary for the service to function and does not require your consent under ePrivacy rules. We do not use analytics, advertising, or third-party tracking cookies.
10. Children’s Privacy
Lumen is not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16. If you believe we have inadvertently collected such data, please contact us and we will delete it promptly.
11. International Transfers
Your data is stored and processed within the European Union or in countries that provide an adequate level of data protection as determined by the European Commission. If data is transferred outside the EEA, we ensure appropriate safeguards are in place in accordance with GDPR Chapter V.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by updating the effective date at the top of this page and, where appropriate, by sending you an email. Your continued use of Lumen after any changes constitutes acceptance of the revised policy.
13. Contact
For any privacy-related enquiries, please contact us at marcogagliardi84@gmail.com.