Privacy Policy

Effective Date: April 18, 2026

Aletheia Labs ("we", "us", "our") operates Luminae (the "Service"), accessible at luminae.qzz.io. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. By using Luminae, you consent to the practices described in this policy.

1. Information We Collect

Account Information

When you sign in with Google, we receive the following from your Google account:

Your name
Email address
Profile picture

We do not receive or store your Google password. Authentication is handled securely by Google OAuth 2.0 through Supabase.

Uploaded Content

When you upload academic papers or provide URLs for analysis, we process the document content to generate AI-powered analysis. Uploaded documents are processed in memory and are not permanently stored on our servers in their original form.

Analysis Data

The results of your analyses (critiques, experiment proposals, grant outlines) are stored in association with your account so you can access your analysis history.

Usage Data

We automatically collect certain information when you use the Service, including API usage metrics, token consumption, and processing costs. This data is used for budget management and service optimization.

2. How We Use Your Information

We use the information we collect to:

Provide, operate, and maintain the Service
Process and analyze your uploaded documents using AI
Store and display your analysis history
Manage usage budgets and rate limits
Monitor and improve the performance and reliability of the Service
Communicate with you about service-related matters
Detect, prevent, and address technical issues or abuse

We do not sell, rent, or trade your personal information to third parties for marketing purposes.

3. Data Storage and Security

Your data is stored across the following infrastructure:

Supabase — Account information and analysis history are stored in a PostgreSQL database managed by Supabase with row-level security.
Redis — Temporary job state and processing data are stored in Redis with automatic expiration (7-day TTL).
Render — Our API backend runs on Render's infrastructure with encrypted connections (HTTPS/TLS).

We implement industry-standard security measures including encrypted data transmission (TLS), secure authentication flows, and access controls. However, no method of electronic storage or transmission is 100% secure, and we cannot guarantee absolute security.

4. Third-Party Services

Luminae integrates with the following third-party services, each with their own privacy policies:

Google OAuth — Used for user authentication. Subject to Google's Privacy Policy.
Supabase — Used for authentication and database storage. Subject to Supabase's Privacy Policy.
Mistral AI — Used for document analysis and AI processing. Document content is sent to Mistral AI's API for analysis. Subject to Mistral AI's Privacy Policy.
Render — Used for hosting the backend API. Subject to Render's Privacy Policy.

5. Cookies and Local Storage

Luminae uses the following browser storage mechanisms:

Authentication tokens — Stored in local storage to maintain your signed-in session.
Analysis cache — Recent analysis results may be cached locally for faster access.
Preferences — Your display preferences are stored locally.

We do not use third-party tracking cookies or advertising cookies. You can clear local storage at any time through your browser settings.

6. Data Retention

Account data — Retained for as long as your account is active, or until you request deletion.
Analysis history — Stored indefinitely in your account unless you delete individual analyses or your account.
Temporary job data — Automatically deleted from Redis after 7 days.
Usage logs — Retained for up to 7 days for operational monitoring.

7. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

Access — Request a copy of the personal data we hold about you.
Correction — Request correction of inaccurate personal data.
Deletion — Request deletion of your account and associated data.
Portability — Request your data in a portable, machine-readable format.
Opt-out — You may stop using the Service at any time. You can revoke Google OAuth access from your Google Account settings.

To exercise any of these rights, please contact us at contact@qzz.io. We will respond to your request within 30 days.

8. Children's Privacy

Luminae is not intended for use by individuals under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal data from a child under 13, we will take steps to delete that information promptly. If you believe a child under 13 has provided us with personal information, please contact us at contact@qzz.io.

9. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. Our infrastructure providers (Supabase, Render, Mistral AI) may store and process data in the United States and the European Union. By using the Service, you consent to the transfer of your data to these jurisdictions, which may have different data protection laws than your jurisdiction.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we make changes, we will update the "Effective Date" at the top of this page. Your continued use of the Service after any changes constitutes acceptance of the updated policy. We encourage you to review this page periodically.

11. Contact Us

If you have any questions or concerns about this Privacy Policy or our data practices, please contact us:

Organization: Aletheia Labs
Email: contact@qzz.io
Website: luminae.qzz.io