Privacy Policy

How Lumo collects, stores, and protects your data

Effective date: February 19, 2026

1. Overview

Lumo ("we", "our", or "us") is a Chrome browser extension that automates USD-exchange bank transfers for merchants on the ZAAD portal (mymerchant.telesom.com). This Privacy Policy explains what information is collected when you use Lumo, how it is stored, and your rights as a user.

By installing and using the Lumo extension you agree to the practices described in this policy. If you do not agree, please uninstall the extension.

2. Data We Collect

The table below lists every category of data Lumo touches, where it is stored, and whether it is ever transmitted to our servers.

| Data Type | Where Stored | Sent to Servers? | Purpose |
|---|---|---|---|
| ZAAD portal credentials (username & PIN) | Device only | Never | Auto-fill login on the ZAAD portal |
| Bank account number & transfer settings | Device only | Never | Configure the automated transfer |
| Phone number (used as account ID) | Supabase | Yes — at sign-up & login | Identify your account; license management |
| License key & subscription status | Supabase | Yes — at validation | Verify an active paid subscription |
| Transfer logs (amount, timestamp, status) | Supabase | Yes — per transfer | Audit trail & support diagnostics |
| Payment reference (ZAAD/EVC+ transaction ID) | Supabase | Yes — at purchase | Confirm payment; issue refunds |
| Browsing data from other websites | Not collected | Never | N/A — Lumo only runs on mymerchant.telesom.com |
| Credit card or banking credentials | Not collected | Never | N/A — payments are via mobile money only |

3. Local Credential Storage

Your ZAAD portal credentials (username and PIN) are stored exclusively on your device using Chrome's chrome.storage.local API. They are encrypted before being written to storage and are never transmitted to Lumo's servers or any third party.

Encryption specification

  • Algorithm: AES-256-GCM (authenticated encryption)
  • Key derivation: PBKDF2 with SHA-256, 100,000 iterations
  • Salt: 16 bytes, cryptographically random, stored alongside the ciphertext
  • IV (Initialization Vector): 12 bytes, cryptographically random per encryption operation
  • Master key seed: derived from a device-unique identifier; never leaves the device

In plain English: Even if someone obtained the raw data from Chrome's local storage, they could not recover your credentials without your device-specific key. We cannot decrypt your credentials even if we wanted to — the key never leaves your device.
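
The encryption specification above, worked through with the WebCrypto API as an added example (not Lumo's code). The seed string, the `salt || iv || ciphertext` record layout and the function names are assumptions, since this policy does not state how the device-unique identifier is obtained or how the stored record is laid out.

```javascript
// Added illustration, not Lumo's code. The seed, record layout and function
// names are assumptions; only the parameters come from the specification above.
const ITERATIONS = 100000, SALT_LEN = 16, IV_LEN = 12;

// WebCrypto: global in browsers/extensions and recent Node; fallback for older Node.
async function webCrypto() {
  return globalThis.crypto ?? (await import('node:crypto')).webcrypto;
}

// PBKDF2-SHA256 (100,000 iterations) -> non-extractable AES-256-GCM key.
async function deriveKey(seed, salt) {
  const { subtle } = await webCrypto();
  const material = await subtle.importKey(
    'raw', new TextEncoder().encode(seed), 'PBKDF2', false, ['deriveKey']);
  return subtle.deriveKey(
    { name: 'PBKDF2', hash: 'SHA-256', salt, iterations: ITERATIONS },
    material, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Returns the record that would be persisted: salt || iv || ciphertext+tag.
async function sealCredential(seed, plaintext) {
  const wc = await webCrypto();
  const salt = wc.getRandomValues(new Uint8Array(SALT_LEN));
  const iv = wc.getRandomValues(new Uint8Array(IV_LEN)); // fresh per encryption
  const key = await deriveKey(seed, salt);
  const ct = new Uint8Array(await wc.subtle.encrypt(
    { name: 'AES-GCM', iv }, key, new TextEncoder().encode(plaintext)));
  const record = new Uint8Array(SALT_LEN + IV_LEN + ct.length);
  record.set(salt, 0); record.set(iv, SALT_LEN); record.set(ct, SALT_LEN + IV_LEN);
  return record;
}

// Returns the plaintext, or null when the seed is wrong or the record was modified.
async function openCredential(seed, record) {
  const { subtle } = await webCrypto();
  const salt = record.slice(0, SALT_LEN);
  const iv = record.slice(SALT_LEN, SALT_LEN + IV_LEN);
  const key = await deriveKey(seed, salt);
  try {
    const pt = await subtle.decrypt(
      { name: 'AES-GCM', iv }, key, record.slice(SALT_LEN + IV_LEN));
    return new TextDecoder().decode(pt);
  } catch {
    return null; // GCM authentication tag check failed
  }
}
```

Anyone who can read both the stored record and the seed can run `openCredential`, so the protection is only as strong as the secrecy of the seed.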

4. Our Backend (Supabase)

Lumo uses Supabase as its backend database and authentication provider. Supabase is hosted on AWS infrastructure in the US-East region.

Authentication

We register you using a pseudo-email address in the format 252XXXXXXXXXX@lumo.local derived from your phone number. Your real email address is not collected. This pseudo-email is used solely for Supabase's auth system; it is not a functional email address and no email is ever sent to it.

Data stored in Supabase

  • Your phone number (as part of the pseudo-email)
  • License key and subscription expiry date
  • Transfer logs: amount, destination account (last 4 digits only), timestamp, success/failure status
  • Payment transaction references

Supabase's own privacy policy applies to data stored on their infrastructure: supabase.com/privacy.

5. Payment Processing

Lumo accepts payments via ZAAD and EVC+ mobile money services only. We do not accept credit cards, debit cards, or any other payment method.

When you make a purchase:

  • Your phone number is used to initiate the mobile money request
  • The transaction reference ID returned by the payment provider is stored in Supabase for confirmation and refund purposes
  • No credit card numbers, bank account numbers, or card verification codes are ever collected

Payment processing is handled through the respective mobile money provider's infrastructure. Their privacy practices govern the payment transaction itself.

6. Chrome Permissions

The Lumo extension requests the following permissions. The table explains exactly why each permission is needed.

| Permission | Why It Is Required |
|---|---|
| storage | Saves your encrypted credentials, transfer settings, and license cache to chrome.storage.local on your device. |
| alarms | Schedules periodic checks (e.g., session keep-alive, balance polling) without needing a persistent background page. |
| tabs | Detects when you navigate to the ZAAD portal tab so the extension can inject the automation script at the right moment. |
| notifications | Shows a desktop notification when a transfer completes successfully or fails, so you stay informed without watching the tab. |
| host_permissions: https://mymerchant.telesom.com/* | Grants Lumo permission to read and interact with the ZAAD merchant portal. Lumo does not request access to any other website. |

Lumo does not request broad host permissions like <all_urls> or access to your browsing history, bookmarks, or any other Chrome API beyond those listed above.

7. Data Sharing

We do not sell, rent, or share your personal data with advertisers or marketing companies.

Data may be shared only in the following limited circumstances:

  • Supabase — as the infrastructure provider for our backend (see Section 4)
  • ZAAD / EVC+ — your phone number is sent to the mobile payment provider solely to process your subscription payment
  • Legal obligation — if required by a valid court order or applicable law, we may disclose data to law-enforcement authorities

In all other circumstances, your data stays within the systems described in this policy.

8. Data Retention

| Data Type | Retention Period |
|---|---|
| Encrypted credentials & settings (device) | Until the extension is uninstalled or you clear Chrome extension data |
| Account & license data (Supabase) | Until you submit a deletion request to us |
| Transfer logs (Supabase) | Until you submit a deletion request to us |
| Payment transaction references | 7 years (required for financial record-keeping under applicable regulations) |

9. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Ask us to correct inaccurate data
  • Deletion: Request that we delete your account and associated data (subject to the retention requirements in Section 8)
  • Portability: Receive your data in a structured, machine-readable format
  • Withdraw consent: Uninstall the extension at any time to stop all local data collection; contact us to delete your Supabase data

To exercise any of these rights, email us at support@lumo.app with the subject line "Data Rights Request".

10. Children's Privacy

Lumo is intended for use by merchants and business operators. It is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us at support@lumo.app and we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Effective date" at the top of this page. Continued use of Lumo after any changes constitutes acceptance of the updated policy. We recommend reviewing this page periodically.

12. Contact Us

If you have questions about this Privacy Policy or your data, please reach us: