Our Commitment

Lumavine is committed to transparency, regulatory compliance, and data protection across all jurisdictions we operate in. This page details our compliance posture, the regulations we adhere to, our security practices, and the rights available to our users under applicable law.

1. Regulatory Compliance Matrix

The following table summarizes Lumavine's compliance status across applicable regulations in Canada, the United States, and internationally.

Regulation | Jurisdiction | Status | Notes
--- | --- | --- | ---
PIPEDA | Canada (Federal) | Compliant | Full 10 principles implemented
Quebec Law 25 (Bill 64) | Quebec, Canada | Compliant | PIA conducted, privacy oversight by founder
Alberta PIPA | Alberta, Canada | Compliant | Consistent with PIPEDA implementation
BC PIPA | British Columbia, Canada | Compliant | Consistent with PIPEDA implementation
CASL | Canada (Federal) | Compliant | Express consent, easy unsubscribe
CCPA/CPRA | California, US | Compliant | No sale of PI, all rights honored
COPPA | US (Federal) | Compliant | 18+ only, no child data collected
GDPR | EU/EEA | Compliant | SCCs, privacy oversight by founder
Virginia CDPA | Virginia, US | Compliant | Privacy rights honored
Colorado CPA | Colorado, US | Compliant | Universal opt-out recognized
Connecticut CTDPA | Connecticut, US | Compliant | Privacy rights honored
HIPAA | US (Federal) | N/A | Not a covered entity
SOX | US (Federal) | N/A | Not publicly traded
PCI DSS | Global | N/A | No payment processing -- free platform
WCAG 2.1 AA | Global | Committed | Ongoing accessibility improvements
AODA | Ontario, Canada | Committed | Accessibility compliance plan
ADA | US (Federal) | Committed | Best-effort accessibility

2. Privacy & Data Protection Oversight

Lumavine's privacy and data protection practices are overseen directly by the founder. For all privacy-related inquiries, contact support@lumavine.ai.

Responsibilities

  • Monitoring compliance with PIPEDA, GDPR, and all applicable privacy laws
  • Conducting Privacy Impact Assessments (PIAs) for new features and processing activities
  • Handling data subject access requests, correction requests, and deletion requests
  • Coordinating breach detection, assessment, and notification procedures
  • Liaising with regulatory authorities including the OPC, CAI, and EU supervisory authorities

3. Privacy Impact Assessments

Lumavine conducts Privacy Impact Assessments (PIAs) as a foundational practice to identify and mitigate privacy risks before they materialize.

  • New Features: PIAs are conducted for all new features and data processing activities before launch
  • Quebec Law 25: Requires PIAs before any new project involving personal information, which Lumavine fully implements
  • GDPR DPIAs: Data Protection Impact Assessments are performed for processing activities that present a high risk to individuals' rights and freedoms

PIA Scope

Each assessment covers:

  • Data flows: Mapping how personal information moves through systems
  • Necessity and proportionality: Ensuring data collection is limited to what is required
  • Risk identification: Assessing threats to confidentiality, integrity, and availability
  • Safeguards: Defining technical and organizational measures to mitigate identified risks
  • Consultation: Engaging with stakeholders and, where required, regulatory authorities

4. Breach Response Procedures

Detection & Containment

Upon detection of a potential data breach, Lumavine initiates an immediate technical response to isolate affected systems, preserve forensic evidence, and prevent further unauthorized access.

Assessment

Lumavine determines the scope of the incident, the types of data affected, the number of individuals impacted, and the level of risk to those individuals.

Notification Timelines

  • PIPEDA (Canada): Notification to the Office of the Privacy Commissioner and affected individuals "as soon as feasible" if there is a Real Risk of Significant Harm (RROSH)
  • Quebec Law 25: Notification to the Commission d'accès à l'information (CAI) and affected individuals within 72 hours of becoming aware of the breach
  • GDPR (EU/EEA): Notification to the supervisory authority within 72 hours; notification to affected individuals "without undue delay" when high risk exists
  • CCPA (California): Notification "in the most expedient time possible and without unreasonable delay"

Notification Content

All breach notifications include: the nature of the breach, the types of personal information involved, the likely consequences for affected individuals, the remediation measures taken or proposed, and contact information for follow-up inquiries.

Record Keeping

All breaches are recorded in an internal breach register regardless of whether notification thresholds are met, as required under PIPEDA and GDPR. Records are retained for a minimum of 24 months.

Post-Incident Review

Following each incident, Lumavine conducts a root cause analysis, implements corrective measures, and updates the relevant policies, procedures, and security practices where gaps are identified.

5. Sub-Processor List

Lumavine engages the following third-party sub-processors to deliver its services. Each sub-processor has been vetted for security and compliance, and appropriate data processing agreements are in place.

Sub-Processor | Purpose | Location | Certification | Agreement
--- | --- | --- | --- | ---
Supabase Inc. | Authentication, Database | US | SOC 2 Type II | Data processing agreement
Vercel Inc. | Hosting, CDN | US | SOC 2 Type II | Data processing agreement
Cloudflare Inc. | CDN, Security, Tunnel | US | SOC 2 Type II | Data processing agreement
Google LLC | Fonts CDN | US | ISO 27001 | No PI transferred
OpenStreetMap Foundation | Map / Shelter Data | EU | Open data | No PI stored
Open-Meteo | Weather Data | Germany | Open API | GPS only, not stored

6. Data Processing Agreements

Lumavine maintains Data Processing Agreements (DPAs) with all sub-processors that handle personal information on our behalf. These agreements are a requirement under both PIPEDA and the GDPR.

DPA Requirements

Each DPA includes the following provisions:

  • Purpose limitation: Data is processed only for the specific purposes outlined in the agreement
  • Data minimization: Only the minimum amount of personal information necessary is shared
  • Security obligations: Sub-processors must implement appropriate technical and organizational measures
  • Breach notification: Sub-processors must notify Lumavine without undue delay upon discovering a breach
  • Audit rights: Lumavine retains the right to audit sub-processor compliance
  • Sub-processor restrictions: Further sub-processing requires prior written authorization
  • Data return and deletion: Upon termination, data must be returned or securely deleted at Lumavine's direction

7. Cross-Border Data Transfers

Lumavine's primary data processing infrastructure is located in the United States, operated by Supabase and Vercel. As a result, personal information collected from users in Canada, the EU/EEA, and other jurisdictions is transferred to the US for processing.

Transfer Safeguards

  • Canada to US: PIPEDA permits transfers to jurisdictions with comparable protections. Lumavine supplements this with contractual safeguards in all DPAs
  • EU/EEA to US: Transfers are governed by Standard Contractual Clauses (SCCs) adopted by the European Commission, supplemented by the EU-US Data Privacy Framework where applicable
  • Transfer Impact Assessments: Conducted annually to evaluate the legal framework in recipient countries and the effectiveness of supplementary measures
  • Technical measures: All data is encrypted in transit (TLS 1.3) and at rest (AES-256) to provide supplementary protection regardless of jurisdiction

8. HIPAA Status

Lumavine is NOT a HIPAA Covered Entity

Lumavine is not a healthcare provider, health plan, or healthcare clearinghouse as defined under HIPAA. The wellness data collected through our platform (such as mood tracking and journal entries) does not constitute Protected Health Information (PHI).

  • Lumavine does not process, store, or transmit Protected Health Information
  • Wellness features are for general well-being purposes and do not provide medical diagnosis or treatment
  • Users should not share medical records, diagnoses, or clinical information through the platform
  • No Business Associate Agreements (BAAs) are required or offered
  • If you require HIPAA-compliant health services, please consult a qualified healthcare provider

9. AI & Automated Decision-Making

Lumavine uses artificial intelligence in its Luma Core AI chatbot to provide wellness-oriented conversational support. We are committed to responsible and transparent AI practices.

  • No consequential automated decisions: Lumavine does not make automated decisions that produce legal effects or similarly significant effects on users
  • No discriminatory profiling: User data is not used to profile individuals for discriminatory purposes or to determine access to services, credit, employment, or housing
  • AI transparency: Users are clearly informed that they are interacting with an AI system, in compliance with California SB 243 and similar disclosure requirements
  • No automated scoring: There is no automated scoring or ranking system that affects a user's ability to access Lumavine's services
  • Human oversight: Users may contact support@lumavine.ai at any time to request human review of any AI-generated response or interaction

10. CASL Anti-Spam Compliance

Lumavine complies with Canada's Anti-Spam Legislation (CASL), which regulates Commercial Electronic Messages (CEMs) sent to or from Canada.

  • Express consent: Lumavine obtains express consent before sending any Commercial Electronic Messages
  • Transactional exemptions: Messages that are purely transactional (receipts, security alerts, service updates) are exempt from consent requirements but still comply with identification standards
  • Sender identification: All CEMs include clear identification of Lumavine as the sender and contact information
  • Unsubscribe mechanism: Every CEM includes a clear, prominently displayed, and easy-to-use unsubscribe mechanism
  • Unsubscribe processing: All unsubscribe requests are processed within 10 business days as required by CASL
  • Consent records: Lumavine maintains records of all consent obtained, including the timestamp, method of collection, and scope of consent
  • Complaints: Users may file CASL complaints through the CRTC at www.fightspam.gc.ca

11. Accessibility Compliance

Lumavine is committed to ensuring that our platform is accessible to all users, including those with disabilities. We are actively working toward compliance with the following standards:

WCAG 2.1 AA
Target compliance level for all web content. The Web Content Accessibility Guidelines provide the international standard for accessible web design.
AODA (Ontario)
Compliance with the Accessibility for Ontarians with Disabilities Act and the Integrated Accessibility Standards Regulation.
ADA (US)
Best-effort compliance with Title III of the Americans with Disabilities Act, ensuring equal access to digital services.
Section 508
Federal accessibility standards are followed as a benchmark for ensuring compatibility with assistive technologies.

Key Accessibility Commitments

  • Semantic HTML: Proper heading structure, landmarks, and ARIA attributes throughout the platform
  • Keyboard navigation: All interactive elements are accessible via keyboard without requiring a mouse
  • Screen reader compatibility: Content is structured to work with popular screen readers including NVDA, JAWS, and VoiceOver
  • Color contrast: Minimum 4.5:1 contrast ratio for normal text and 3:1 for large text
  • Alternative text: Descriptive alt text provided for all meaningful images
  • Focus indicators: Visible focus indicators on all interactive elements
  • Touch targets: Minimum 44x44px touch target sizing for mobile interactions

To report accessibility issues or request accommodations, please contact support@lumavine.ai.

12. Security Practices

Lumavine implements comprehensive security measures to protect user data from unauthorized access, disclosure, alteration, and destruction.

Encryption

All data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption. This applies to all user data stored in our databases and any data transmitted between the user's browser and our servers.

Authentication

User sessions are managed securely using industry-standard practices. All communications between the user's browser and our servers are encrypted.

Data Security

User data stored locally in the browser is protected by the browser's built-in security model. Server-side data is protected using industry-standard encryption and access controls.

Access Controls

Lumavine implements Role-Based Access Control (RBAC) with the principle of least privilege. Row-Level Security (RLS) is enabled on all database tables, ensuring users can only access their own data.
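As an added illustration (not Lumavine's own schema or code), this is the shape of a Supabase/Postgres row-level security setup that enforces the per-user isolation described above, followed by a query an auditor can run to confirm that RLS is actually enabled, with at least one policy, on every table in the public schema. The table name journal_entries and its columns are assumptions; auth.uid() is Supabase's helper that returns the calling user's UUID.

```sql
-- Added example; not Lumavine's schema. Table and column names are assumed.
-- auth.uid() is the Supabase helper returning the authenticated caller's UUID.

create table if not exists journal_entries (
  id         uuid primary key default gen_random_uuid(),
  user_id    uuid not null references auth.users (id) on delete cascade,
  body       text not null,
  created_at timestamptz not null default now()
);

-- 1. Turn RLS on. Without this, any role with table privileges sees every row.
--    Note: table owners and superusers bypass RLS unless the table also has
--    "force row level security"; application roles should never be the owner.
alter table journal_entries enable row level security;

-- 2. One policy per operation, each scoped to the caller's own rows.
--    With RLS on and no matching policy, the operation is denied by default.
create policy "owner can read own entries"
  on journal_entries for select
  using (auth.uid() = user_id);

create policy "owner can insert own entries"
  on journal_entries for insert
  with check (auth.uid() = user_id);   -- cannot insert rows on behalf of another user

create policy "owner can update own entries"
  on journal_entries for update
  using (auth.uid() = user_id)
  with check (auth.uid() = user_id);   -- cannot re-assign a row to another user

create policy "owner can delete own entries"
  on journal_entries for delete
  using (auth.uid() = user_id);

-- 3. Audit query: list public tables where RLS is off or no policy exists.
--    An empty result set is the "RLS enabled on all tables" claim, verified.
select t.tablename,
       t.rowsecurity as rls_enabled,
       (select count(*) from pg_policies p
         where p.schemaname = t.schemaname
           and p.tablename  = t.tablename) as policy_count
from pg_tables t
where t.schemaname = 'public'
  and (not t.rowsecurity
       or not exists (select 1 from pg_policies p
                       where p.schemaname = t.schemaname
                         and p.tablename  = t.tablename));
```

The audit query is worth running after every migration, since a newly created table has RLS disabled until it is explicitly enabled.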

Infrastructure

Our infrastructure is hosted on Vercel (SOC 2 Type II) with database services provided by Supabase (SOC 2 Type II), ensuring enterprise-grade security at the infrastructure level.

Monitoring & Response

  • Continuous security monitoring and anomaly detection
  • Regular dependency updates and vulnerability scanning
  • Documented incident response procedures

13. Payment Security

Lumavine is a completely free platform. No payment data is collected, processed, or stored. There are no paid plans, subscriptions, billing, or payment processing of any kind. As a result, PCI DSS compliance is not applicable to Lumavine's operations.

14. Children's Data Protection

Lumavine is designed for users aged 18 and older. We do not knowingly collect personal information from children or minors.

  • COPPA (US): Lumavine does not knowingly collect data from children under 13. Our platform is not directed at children
  • CCPA (California): We do not collect or sell personal information of users under 16 without affirmative authorization
  • Quebec Law 25: Special protections apply to personal information of minors under 14, including restrictions on collection and use. Lumavine does not target this age group
  • Age requirement: By using the platform, users confirm they are at least 18 years old as stated in the Terms of Service
  • Discovery protocol: If Lumavine discovers that a user is under 18, access will be terminated and any associated data will be deleted immediately

To report concerns about a minor using Lumavine, please contact support@lumavine.ai.

15. Content Moderation & Safety

Lumavine prioritizes user safety through multiple layers of content moderation and crisis intervention systems.

  • AI content filtering: The Luma Core AI chatbot includes content filtering to prevent the generation of harmful, abusive, or inappropriate content
  • SafeHaven crisis detection: Automated keyword detection for crisis-related terms (988, suicide, domestic violence) triggers immediate redirection to professional crisis services
  • Crisis intervention: When crisis indicators are detected, users are presented with relevant professional resources including hotline numbers and emergency contacts
  • User reporting: Users can report inappropriate content or concerning behavior through the platform's reporting mechanisms
  • Content review: Reported content is reviewed promptly and actioned according to our content review procedures
  • Terms enforcement: Users who violate the Terms of Service through harmful behavior are subject to access suspension or termination

16. Data Retention Schedule

Lumavine retains personal information only for as long as necessary to fulfill the purposes for which it was collected, or as required by law. The following table outlines our retention periods.

Data Type | Retention Period | Disposal Method
--- | --- | ---
User Preferences | Stored locally in browser | Browser data clearing
Wellness Data (mood, journal) | While active | On request or browser data clearing
AI Conversations | 90 days | Anonymized or deleted
Game Scores | Stored locally in browser | Browser data clearing
Usage Analytics | 3 years | Aggregated / anonymized
Support Tickets | 2 years | Secure deletion
Audit Logs | 2 years | Regulatory compliance
SafeHaven Data | Session only | Never persisted
Push Subscriptions | While active | Browser data clearing or unsubscribe

17. Regulatory Authorities Contact

Users have the right to file complaints with the relevant regulatory authorities in their jurisdiction. Below is a list of key authorities.

Regulatory Authorities

Office of the Privacy Commissioner of Canada (OPC)
www.priv.gc.ca | 1-800-282-1376
Commission d'accès à l'information du Québec (CAI)
www.cai.gouv.qc.ca | 1-888-528-7741
CRTC (CASL Enforcement)
Federal Trade Commission (US)
California Attorney General
Information Commissioner's Office (UK)
European Data Protection Board (EU)

18. Compliance Updates & Audits

Lumavine maintains a continuous compliance improvement program to ensure our practices remain current with evolving regulatory requirements and industry best practices.

  • Annual compliance review: A comprehensive review of all compliance policies and practices is conducted each year
  • Quarterly PIA updates: Privacy Impact Assessments are reviewed and updated quarterly to reflect new features and processing activities
  • Regulatory monitoring: Continuous monitoring of regulatory changes in Canada, the United States, the EU, and other applicable jurisdictions
  • Ongoing review: Regular review of data protection practices and security measures
  • Third-party assessments: Periodic third-party security assessments to validate our security posture
  • Sub-processor verification: Ongoing verification that sub-processors maintain their compliance certifications and obligations
  • Policy version history: All policy versions are archived and available upon request for audit and accountability purposes

19. Contact Information

For compliance inquiries, data protection requests, or to exercise your rights under applicable privacy laws, please reach out through any of the following channels.

Compliance Contact Channels

All Inquiries (Privacy, Legal, Compliance, Accessibility)
Response Time
30 business days for formal requests

© 2026 Lumavine. All rights reserved. Developed by Soltolaria Strategic Solutions.