1. Data Controller
The data controller responsible for your personal data is:
Fuse Link Inc.
A Delaware (USA) corporation
Operated from Berlin, Germany
Email: [email protected]
Fuse Link Inc. operates LUNA (useluna.app), an AI-powered visual content platform (the "Service"). This Privacy Policy explains how we collect, use, and protect your personal data when you use our Service.
This Privacy Policy is part of our Terms of Service. For our full legal identification, see our Impressum.
2. Data We Collect
2.1 Account Data
When you create an account, we collect:
- Email address
- Name and display name
- Profile picture (if provided)
- Authentication credentials (password hash or OAuth token)
You may also sign in via Google OAuth, in which case Google shares your name, email, and profile picture with us.
2.2 Content Data
- Uploaded images: Photos of products, people, spaces, or brand assets you upload for AI content generation
- Prompts and instructions: Text descriptions and creative directions you provide
- Generated images: AI-created visual content stored in your projects
- Project data: Project names, settings, and organization
2.3 Workspace Data
- Workspace name and settings
- Team member email addresses and roles
- Invitation records
2.4 Payment Data
Payment processing is handled entirely by Stripe. We do not store your credit card numbers, bank account details, or full payment credentials. We receive from Stripe:
- Stripe customer ID
- Subscription status and plan type
- Transaction history (amounts, dates, credit purchases)
- Last four digits of your payment method (for display purposes)
2.5 Technical Data
Collected automatically when you use the Service:
- IP address
- Browser type and version
- Operating system
- Device type
- Referral source (how you found us)
2.6 Usage Data
- Pages visited and features used
- Generation history (what you created, when)
- Session duration and interaction patterns
2.7 Communication Data
When you contact us for support, provide feedback, or otherwise communicate with us, we collect:
- Email correspondence and support inquiries
- Feedback and feature requests you submit
- Any information you voluntarily provide in those communications
3. Legal Basis for Processing (GDPR Art. 6)
If you are in the European Economic Area (EEA), we process your personal data on the following legal bases:
- Contract performance (Art. 6(1)(b)): Processing necessary to provide the Service to you - account management, image generation, project storage, credit system, workspace features.
- Legitimate interests (Art. 6(1)(f)): Service security, fraud prevention, usage analytics to improve the Service, technical troubleshooting.
- Consent (Art. 6(1)(a)): Marketing communications, non-essential cookies (analytics and advertising). You can withdraw consent at any time.
- Legal obligation (Art. 6(1)(c)): Tax record retention, responding to lawful requests from authorities, fraud prevention obligations.
4. How We Use Your Data
- To provide, operate, and maintain the Service
- To process your images and generate AI visual content
- To manage your account, projects, workspaces, and generated assets
- To process payments, manage subscriptions, and track credit usage
- To send transactional emails (account verification, password resets, subscription confirmations)
- To send product updates and feature announcements (with your consent)
- To detect, prevent, and address security threats and abuse
- To analyze usage patterns and improve our Service
- To respond to your support inquiries
- To comply with legal obligations
5. AI Image Processing
When you use LUNA to generate visual content, your uploaded images and prompts are processed using third-party AI services. Here is what you should know:
- Processing: Your images and prompts are sent to Google's Gemini AI services for content generation. This involves transmitting your data to Google's servers.
- No AI training: We do not use your images or prompts to train AI models. Google's API terms for paid usage also prohibit using customer data for model training.
- Storage: Your uploaded images are stored in our Supabase infrastructure to maintain identity consistency across generations. Generated images are stored in your projects.
- Your control: You can view, download, and delete your uploaded images, projects, and generated content at any time through the Service.
- Temporary processing: Images sent to AI services for generation are processed in memory and are not permanently stored by the AI provider beyond what is needed to complete your request.
- Provider changes: We may change or add AI service providers to improve quality, performance, or reliability. Any new provider will be subject to equivalent data protection standards.
6. Cookies and Tracking Technologies
6.1 Essential (Strictly Necessary)
Required for the Service to function. No consent needed.
- Supabase authentication token (localStorage) - Keeps you logged in.
- Application state (localStorage) - Stores your preferences and form state.
6.2 Analytics
Used to understand how visitors interact with the Service.
- Google Analytics 4 - Collects anonymized usage data. Data retained for 14 months. Google may process this data in the USA.
6.3 Do Not Track
Our Service does not currently respond to "Do Not Track" (DNT) browser signals. However, you can opt out of analytics tracking using the methods described below.
6.4 How to Opt Out
- Browser settings: You can configure your browser to block third-party cookies.
- Google Analytics opt-out: Install the Google Analytics Opt-out Browser Add-on.
- Ad blockers: Browser extensions like uBlock Origin will block analytics and marketing trackers.
7. Third-Party Services (Sub-processors)
We share your data with the following service providers who process data on our behalf:
| Provider | Purpose | Data Location |
| --- | --- | --- |
| Supabase Inc. | Database, authentication, file storage, serverless functions | EU (Stockholm, AWS) |
| Google LLC (Gemini) | AI image generation and classification | USA |
| Google LLC (Analytics) | Website analytics (GA4) | USA |
| Stripe Inc. | Payment processing, subscription management | USA |
| Resend Inc. | Transactional and authentication emails | USA |
Each provider is bound by their own privacy policies and data processing agreements. We only share the minimum data necessary for each provider to perform their function.
8. International Data Transfers
Your account data, uploaded content, and generated images are stored in the European Union (Stockholm, Sweden) on our Supabase infrastructure. However, some data is transferred to the United States for processing by our AI, payment, analytics, and email service providers.
We rely on the following safeguards for these transfers:
- EU-US Data Privacy Framework: Where our providers are certified under the EU-US DPF (Google, Stripe).
- Standard Contractual Clauses (SCCs): Where the DPF does not apply, we use EU-approved Standard Contractual Clauses as the transfer mechanism.
9. Data Retention
We retain your data only as long as necessary:
- Account data: Until you delete your account
- Uploaded images: Until you delete them or your account
- Generated content: Until you delete the project or your account
- Workspace data: While the workspace is active; deleted upon workspace deletion
- Payment and transaction records: 7 years (tax and legal compliance)
- Analytics data (GA4): 14 months, then automatically deleted by Google
- Authentication logs: 90 days
- Error logs: 90 days (contain no personal content, only technical metadata)
When you delete your account, we remove your personal data within 30 days. Some data may persist in encrypted backups for up to 90 days before automatic deletion.
10. Your Rights Under GDPR
If you are in the EEA, UK, or Switzerland, you have the following rights under the General Data Protection Regulation:
- Access (Art. 15): Request a copy of the personal data we hold about you
- Rectification (Art. 16): Request correction of inaccurate or incomplete data
- Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten")
- Restriction (Art. 18): Request limitation of processing
- Portability (Art. 20): Receive your data in a structured, machine-readable format
- Objection (Art. 21): Object to processing based on legitimate interests or for direct marketing
- Withdraw consent (Art. 7(3)): Withdraw consent at any time for processing based on consent
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority. Since we operate from Berlin, Germany, the relevant authority is:
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Alt-Moabit 59-61, 10555 Berlin, Germany
Website: datenschutz-berlin.de
11. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have specific rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CPRA):
- Right to know what personal information is collected, used, and shared
- Right to delete personal information
- Right to correct inaccurate personal information
- Right to opt out of the sale or sharing of personal information
- Right to limit the use of sensitive personal information
- Right to non-discrimination for exercising your privacy rights
We do not sell or share your personal information for cross-context behavioral advertising. To exercise your California privacy rights, contact us at [email protected].
12. Children's Privacy
Our Service is not intended for children under the age of 16 in the European Economic Area or under 13 in other jurisdictions. We do not knowingly collect personal data from children. If you are a parent or guardian and believe your child has provided us with personal data, contact us immediately and we will delete it.
13. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption of data in transit (TLS/HTTPS) and at rest
- Row-level security policies on our database
- Authentication and access controls
- Rate limiting and abuse prevention
- Regular security reviews
- Principle of least privilege for internal access
No method of transmission over the internet is 100% secure. While we implement industry-standard protections, we cannot guarantee absolute security.
Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours (GDPR Article 33), notify affected users without undue delay if the risk is high (GDPR Article 34), and provide details about the breach, affected data, consequences, and mitigation measures.
14. Third-Party Links
Our Service may contain links to third-party websites, services, or content that are not operated by us. This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party services you access through our platform.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. For material changes, we will notify you by email or through a prominent notice on the Service at least 30 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.
16. Contact Us
For privacy-related questions or to exercise your data rights:
This Privacy Policy was last updated on February 27, 2026. By continuing to use LUNA after changes are posted, you agree to the updated Privacy Policy.