Lumen is a self-hostable AI chatbot platform. The hosted version at lumen.qubitgt.com is operated by Adrian (“we”, “us”). This page explains what data we collect, why we collect it, and what we will and will not do with it. We wrote it in plain language because we hate corporate privacy policies as much as you do.
The short version. Your account data and your bots' conversation logs live on hardware we control. We do not sell, rent, share, or analyze them for advertising. We never send your knowledge-base contents to third-party AI providers unless you explicitly opt in by adding your own API key. Inference happens locally on our GPU.
1. What we collect
Account information
When you create an account, we store:
- Your email address
- Your name (if provided, or as returned by Google OAuth)
- Your profile image URL (if returned by Google OAuth — never the image itself)
- A securely hashed password (only if you sign up with email and password — we use scrypt; we never see or store your raw password)
- Your plan tier (Free, Pro, or Team)
OAuth tokens
If you sign in with Google, we receive and store an OAuth access token, a refresh token, and your verified email. These let us re-authenticate you and are never used to access any Google service beyond reading your basic profile.
Bot configuration and content
When you create a chatbot, the system prompt, name, branding, and any documents you upload or websites you crawl are stored in our database. This is your data; you can delete it at any time from the dashboard, and deletion is permanent within 24 hours.
End-user conversations
When a visitor to a website that hosts one of your Lumen bots sends a message, we store the conversation transcript so the bot can recall context across turns and so you can see what your users are asking. We also log the visitor's IP address and user agent for rate limiting and abuse prevention. End-user data belongs to you (the bot owner) and is deleted when you delete the bot or your account.
Operational logs
Our servers keep standard request logs (timestamps, paths, status codes, response times) for up to 30 days for debugging and security. These do not contain message contents.
2. What we do with it
- Authenticate you and keep you signed in
- Run your bots — retrieve relevant chunks from your knowledge base, send them with the user message to the language model, return the response
- Show you analytics about your bots (conversation counts, document counts) inside your own dashboard
- Enforce rate limits and detect abuse
- Send transactional email (password resets, billing receipts) — we do not send marketing email unless you opt in
3. Where it lives
All Lumen application data is stored in PostgreSQL on infrastructure we operate directly. Vector embeddings of your knowledge base run through nomic-embed-text on a local GPU; the resulting vectors are stored alongside your documents in the same database. Inference runs on Ollama on the same hardware. Your data does not leave our servers in the course of normal operation.
The only exception is if you provide your own API key for a cloud model (Anthropic, OpenAI, etc.) and configure a bot to use it. In that case, the user's message and the relevant retrieved context are sent to that provider for inference. You control whether this happens; the default is local-only.
4. What we never do
- Sell your personal data to anyone, ever
- Use your conversations or knowledge base to train models, ours or anyone else's
- Run third-party advertising or analytics trackers on the dashboard
- Disclose your data to anyone except as required by law (and we will notify you first if legally permitted)
5. Cookies
We set one essential cookie: lumen.session_token (with a __Secure- prefix in production), an HttpOnly, Secure, SameSite=Lax cookie scoped to .qubitgt.com that holds your session token for up to 30 days. We do not use tracking, analytics, or advertising cookies on the dashboard. The chat widget that you embed on third-party sites uses sessionStorage only, scoped to the current tab.
6. Third-party services
We use a small number of third-party services strictly for operational reasons:
- Google OAuth — for “Continue with Google” sign-in. Google sees that you signed into Lumen; they do not see your conversations.
- Stripe — for billing on paid plans. Stripe receives your name, billing email, and payment details. We never see or store full card numbers.
- Let's Encrypt — for TLS certificates. Standard certificate-authority operation; no personal data involved.
7. Your rights
You can, at any time:
- Export your data — email hi@qubitgt.com and we'll send a JSON dump within 7 days
- Delete a single bot, including all its conversations and documents — instant from the dashboard
- Delete your entire account and everything tied to it — settings page, or email us
- Correct anything inaccurate in your profile from the settings page
Depending on where you live, you may have additional rights under GDPR, CCPA, or similar laws. We honor all of them. Contact us if you want to exercise any of them.
8. Data retention
- Active accounts: we retain your data for as long as your account exists.
- Deleted bots / documents: permanently removed from our database within 24 hours, including from backups within 30 days.
- Deleted accounts: we delete your user record and cascade-delete all your bots, documents, conversations, and embeddings within 7 days. Backups roll off within 30 days.
- Server logs: 30 days, then deleted.
9. Children
Lumen is not intended for users under 13. We do not knowingly collect personal information from children. If you believe a child has signed up, contact us and we'll delete the account.
10. Changes
We'll update this page if we change anything material. The “Last updated” date at the top reflects the most recent revision. For significant changes, we'll email account holders before the change takes effect.
11. Contact
Questions, complaints, or just curious? Email hi@qubitgt.com. We aim to respond within two business days.