LumaLog in

Privacy Policy

Last updated: April 2026

1. Information We Collect

1.1 Account Information

When you sign in to Luma using Google OAuth, we receive your Google account email address and display name. We do not receive or store your Google password. We do not request access to your Google contacts, calendar, drive, or any other Google services beyond basic profile information.

1.2 Service Data

When you use Luma, we store data you create within the Service, including but not limited to: guest profiles, room reservations, folio charges, payment records, menu items, and room status updates. This data is created by you in the course of operating your property and belongs to your organization.

1.3 Technical Data

We automatically collect limited technical data when you access the Service, including: IP address, browser type and version, device type, and pages visited. This data is collected by our hosting provider (Vercel) as part of standard web server operations. We do not use third-party analytics services, advertising trackers, or marketing pixels.

1.4 Cookies

Luma uses only essential cookies required for authentication and session management. We do not use tracking cookies, advertising cookies, or third-party cookies. No cookie consent banner is required because we do not use non-essential cookies.

2. How We Use Your Information

Travel AI, Inc. (“Pebble House”, “we”, “us”, or “our”) uses the information we collect to:

  • Authenticate your identity and manage your access to the Service
  • Provide, maintain, and improve the Service
  • Store and process the property management data you create
  • Respond to your requests and support inquiries
  • Comply with legal obligations

We do not sell, rent, or share your personal information with third parties for their marketing purposes. We do not use your data to train machine learning models. We do not serve advertisements.

3. Data Storage and Security

3.1 Infrastructure

Service data is stored in a PostgreSQL database hosted by Supabase, Inc. The application is hosted on Vercel, Inc. Both providers maintain SOC 2 Type II compliance and encrypt data in transit (TLS 1.2+) and at rest (AES-256).

3.2 Multi-Tenancy Isolation

Luma is a multi-tenant system. Your property's data is logically isolated from other properties using row-level security policies enforced at the database level. Staff members can only access data for properties they are assigned to.

3.3 Access Controls

Access to the Service is restricted to users who have been explicitly granted a staff role by a property administrator. Authentication is handled by Supabase Auth via Google OAuth. We do not store passwords.

4. Data Retention

We retain your account information and service data for as long as your organization maintains an active Luma account. If you request account deletion, we will delete your personal information within 30 days. Anonymized or aggregated data that cannot identify you may be retained indefinitely for service improvement purposes.

Property management data (guest records, reservations, folios) is retained according to your organization's needs and applicable hospitality industry record-keeping requirements.

5. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal information we hold about you
  • Correct inaccurate personal information
  • Request deletion of your personal information
  • Export your data in a machine-readable format
  • Object to or restrict certain processing of your information

To exercise any of these rights, contact us at the address below.

6. Children's Privacy

Luma is a business-to-business service designed for hospitality professionals. We do not knowingly collect personal information from children under the age of 13 (or the applicable age of consent in your jurisdiction). If we learn that we have collected personal information from a child, we will delete it promptly.

7. International Data Transfers

Your data may be processed in countries other than your country of residence, including the United States, where our infrastructure providers operate. By using the Service, you consent to the transfer of your data to these countries. We ensure that appropriate safeguards are in place to protect your data in accordance with this Privacy Policy.

8. Third-Party Services

We use the following third-party services to operate Luma:

Supabase, Inc.
Database, authentication, storage — https://supabase.com/privacy
Vercel, Inc.
Application hosting, edge network — https://vercel.com/legal/privacy-policy
Google LLC
OAuth authentication provider — https://policies.google.com/privacy

We do not share your service data with these providers beyond what is necessary to operate the Service.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the “Last updated” date. Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.

10. Contact Us

Travel AI, Inc. (operating as Pebble House)

Email: privacy@luma.mu