Privacy Policy

This Privacy Policy describes how Lume (defined below) collects, uses, discloses, and safeguards personal information when you access or use our website, mobile applications, web application, browser extensions, smart-contract interfaces, APIs, and other products (collectively, the “Service”).

Two separate entities operate behind the Service, and each is the “controller” of different categories of personal information about you:

• Lume Foundation (legal name: Union Square Ledger DAO LLC), a non-profit DAO LLC registered in the Republic of the Marshall Islands, is the controller of personal information collected in connection with the protocol and trading-related Service (for example, on-chain activity associated with your wallet, sanctions screening, and dispute records).
• LumeFi Inc., a Delaware corporation, is the controller of personal information collected in connection with the marketing website, account authentication, product analytics, support communications, and employment-related processing.

References in this policy to “Lume”, “we”, “us”, or “our” mean both entities, acting in their respective controller roles.

It does not apply to information collected by third parties whose products or services are accessed through the Service, including authentication providers (such as Privy), the Onramper fiat-gateway aggregator (Onramper Technologies B.V., a Dutch limited liability company subject to Dutch and EU privacy law), the licensed fiat gateways aggregated through Onramper (each performing its own identity verification and AML screening), additional fiat on-ramp providers (such as MoonPay), RWA issuers, perpetual-futures protocols, wallet providers, and the Solana blockchain itself. Each such third party operates under its own privacy policy, and we encourage you to review them.

Account information

When you authenticate through Privy or another supported method, we (and Privy) collect identifiers such as your email address, social-login identifier, profile name, and any associated public Solana wallet address. If you connect a self-custodied wallet, we collect its public address only.

On-chain activity

Your transactions and balances are public information on the Solana blockchain by their nature. The Service reads on-chain data associated with your wallet to display your portfolio, order history, and positions. We do not custody any private keys.

KYC and identity information (only when required)

If you choose to use a fiat on-ramp or off-ramp, identity-verification information is collected directly from you by the licensed fiat gateway processing your transaction — not by Lume. Fiat gateways are made available through Onramper Technologies B.V., a Dutch software aggregator that auto-selects available gateways based on your location and their licensing in your jurisdiction. Where MoonPay or another redundant on-ramp is enabled, the same principle applies. The information collected by the fiat gateway may include your full legal name, date of birth, residential address, government-issued identification document, selfie or biometric data, and source-of-funds information. That information is processed under the fiat gateway’s own privacy policy and (where applicable) Onramper’s own privacy policy. Lume receives only the minimum data necessary to confirm completion or failure of an on-ramp transaction (for example, transaction reference, status, and amount).

Device and usage information

We automatically collect information about your device and how you use the Service, including IP address, approximate location derived from IP, device type, operating system, browser, language, referring URL, pages viewed, time-stamps, click events, scroll depth, and crash and performance data.

Communications

When you contact us — including by email, in-app support, or social media — we receive the contents of your communication and any attachments.

Cookies and similar technologies

We use cookies, local storage, pixels, and similar technologies, including those set by third parties (such as Google Analytics, Crazy Egg, and X/Twitter advertising pixels), to operate the Service, remember preferences, measure usage, prevent fraud, and improve the product. You can control cookies through your browser settings; doing so may affect functionality.

We use the information described above to:

• Provide, operate, maintain, secure, and improve the Service.
• Authenticate users and prevent unauthorized access.
• Display your on-chain activity and provide trading-relevant features.
• Detect, investigate, and prevent fraud, abuse, market manipulation, security incidents, and other prohibited or unlawful activity.
• Comply with legal and regulatory obligations, including sanctions, anti-money-laundering, and counter-terrorist-financing requirements, and respond to lawful requests from competent authorities.
• Enforce our Terms of Use and other agreements.
• Communicate with you about the Service, including operational notices, security alerts, and (where you have not opted out) product updates.
• Conduct analytics and research to understand how the Service is used and to improve it.
• With your consent where required by law, send you marketing communications about Lume products and features.

Where the GDPR, UK GDPR, or a substantially similar law applies to you, we rely on the following legal bases: (i) performance of a contract with you (to provide the Service); (ii) compliance with legal obligations (such as sanctions screening); (iii) our legitimate interests (such as fraud prevention, network security, and product improvement), provided those interests are not overridden by your rights; and (iv) your consent, where required (for example, certain marketing communications and non-essential cookies). You may withdraw consent at any time, which will not affect the lawfulness of processing prior to withdrawal.

We do not sell personal information. We share information only as described below.

Service providers

We share information with vendors that provide services on our behalf, under written agreements that limit their use of personal information. These currently include authentication (Privy), cloud hosting and infrastructure, analytics (Google Analytics, Crazy Egg), advertising measurement (X/Twitter pixel), error monitoring, customer support tooling, and email delivery.

Protocols and issuers

When you submit a transaction through the Service, the transaction is broadcast to the Solana blockchain and routed to the relevant Protocol. The Protocol receives the public transaction data necessary to execute. Lume does not transmit your email, IP address, or other off-chain identifiers to Protocols, except to the extent the Protocol itself integrates a separate identity check that you choose to complete.

On-ramp and off-ramp providers

If you initiate a fiat on-ramp or off-ramp, the relevant Onramper-aggregated fiat gateway (or, where enabled, MoonPay) collects information directly from you under its own privacy policy and (where applicable) under Onramper’s privacy policy. We may receive transaction status and reference information from the provider to display in your account.

Legal, safety, and compliance

We may disclose information to law-enforcement agencies, regulators, courts, and other public authorities where we reasonably believe disclosure is required by law, necessary to comply with sanctions or anti-money-laundering obligations, or necessary to protect the rights, property, or safety of Lume, our users, or others.

Business transfers

If Lume is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or a portion of its assets, information may be transferred as part of that transaction, subject to standard confidentiality protections.

With your direction

We may share information with other parties at your direction or with your consent.

Lume Foundation is registered in the Republic of the Marshall Islands. LumeFi Inc. is headquartered in the United States. Information we process may be transferred to, stored, and processed in the Marshall Islands, the United States, and other countries that may have data-protection laws different from those in your jurisdiction. Where required, we rely on appropriate transfer mechanisms — such as the European Commission’s Standard Contractual Clauses, the UK International Data Transfer Addendum, and equivalent safeguards — to protect your information.

We retain personal information for as long as needed to provide the Service, comply with legal obligations (including transaction-monitoring and recordkeeping rules that may require retention for several years), resolve disputes, and enforce our agreements. When information is no longer needed, we delete or de-identify it. On-chain data is permanent and outside our control.

We implement administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, alteration, disclosure, and destruction, including encryption in transit, access controls, principle-of-least-privilege, and regular review of vendor security. No system is perfectly secure, and we cannot guarantee the security of information transmitted to or from the Service.

Depending on where you live, you may have the following rights with respect to your personal information:

• Access to the personal information we hold about you.
• Correction of inaccurate or incomplete information.
• Deletion of personal information, subject to legal and compliance retention obligations.
• Restriction or objection to certain processing.
• Portability of information you provided to us.
• Withdrawal of consent where processing is based on consent.
• Lodging a complaint with your local data-protection authority.

You can exercise these rights by emailing support@lumefi.app from the email address associated with your account. We will respond within the period required by applicable law. We cannot delete or modify on-chain data and cannot recover assets sent from your wallet.

California residents may have additional rights under the California Consumer Privacy Act, including the right to know, the right to delete, the right to correct, and the right to opt out of any “sharing” for cross-context behavioral advertising. We do not “sell” personal information as defined under the CCPA. Indian residents have rights under the Digital Personal Data Protection Act, 2023, including access, correction, erasure, grievance redressal, and nominee rights, which you may exercise by the same email above.

You may opt out of marketing emails using the unsubscribe link in any such email. Operational notices (such as security alerts) may continue to be sent.

The Service is not directed to children under the age of 18, and we do not knowingly collect personal information from anyone under 18. If we learn that we have inadvertently collected such information, we will promptly delete it.

The Service may contain links to, or be integrated with, third-party websites, applications, and on-chain protocols. Lume is not responsible for the privacy practices of any third party. We encourage you to read the privacy policies of any third parties before sharing information with them.

We may update this Privacy Policy from time to time. If we make a material change, we will provide notice through the Service or by email. The “Last updated” date at the top of this page indicates when the policy was last revised.

If you have questions or concerns about this policy or our privacy practices, please email support@lumefi.app. For data-subject requests, see Section 9.