Privacy Policy
How we collect, use, and protect your information.
Last updated: March 27, 2026
1. Overview
Luma ("we", "our", or "us") operates a Discord music bot and associated web services at lumabot.nxen.uk. This Privacy Policy explains what information we collect, how we use it, and your rights regarding that information.
By using Luma — whether through Discord, our web dashboard, or our website — you agree to the collection and use of information as described in this policy.
2. Information We Collect
We collect the following categories of data when you use Luma:
2.1 Discord Account Data
When you authenticate via Discord OAuth2, we receive and store:
- Discord User ID — used to identify you across sessions
- Username and discriminator — displayed in the web dashboard
- Avatar URL — displayed in the web dashboard
- Guild (server) memberships — used to show you servers where Luma is active
We do not receive your email address, phone number, or any payment information through Discord OAuth2.
2.2 Music & Playlist Data
When you use Luma's music features, we store:
- Playlist contents — track titles, authors, URIs, durations, and artwork URLs saved to playlists you create
- Playlist metadata — playlist name, description, privacy setting (public/private), creation date, and allowed users
- Play history for leaderboards — aggregated track play counts used for the "Top Songs" feature; this data is not linked to individual users in public displays
2.3 Server (Guild) Data
For each Discord server Luma is added to, we may store:
- Guild ID and name — for configuration and dashboard display
- Bot configuration settings — default volume, DJ role settings, language preferences
- Active player state — current track and queue, held in memory only during an active session and not persisted to disk
2.4 Usage & Technical Data
- API request logs — endpoint, timestamp, and HTTP status code (no request bodies logged)
- Error logs — stack traces and error messages for debugging, auto-deleted after 30 days
- Session tokens — encrypted, stored in cookies, used to keep you logged into the web dashboard
3. How We Use Your Information
We use the information we collect for the following purposes:
- To operate and improve the Luma Discord bot and web services
- To authenticate you on the web dashboard via Discord OAuth2
- To store and retrieve your playlists across sessions
- To display aggregated statistics (leaderboards, server stats) — never linked to your name without consent
- To diagnose bugs, monitor uptime, and ensure service reliability
- To respond to support requests if you contact us
We do not sell, rent, or share your personal data with third parties for advertising or marketing purposes.
4. Third-Party Services
Luma integrates with the following third-party services to deliver music:
- YouTube / YouTube Music — audio streaming via Lavalink; subject to Google's Privacy Policy
- Spotify — track metadata and URI resolution; subject to Spotify's Privacy Policy
- SoundCloud, Apple Music, Deezer, Bandcamp — audio streaming where available; subject to their respective privacy policies
- Discord — bot platform and OAuth2 authentication; subject to Discord's Privacy Policy
- MongoDB Atlas — database hosting for playlists and settings, stored in encrypted form
- Vercel — web hosting for the dashboard; subject to Vercel's Privacy Policy
We do not control these third parties and encourage you to review their privacy policies. We only share the minimum data necessary to deliver the service.
5. Data Retention & Deletion
5.1 Retention Periods
- Playlist data — retained until you delete your playlists or request account deletion
- Server settings — retained until Luma is removed from the server or settings are reset
- Session tokens — expire after 30 days of inactivity
- Error logs — auto-deleted after 30 days
- Player state (queue, now playing) — held in memory only; deleted when the player stops or the bot restarts
5.2 Requesting Deletion
You may request deletion of all data associated with your Discord User ID at any time by contacting us at legal@lumabot.app. We will process your request within 30 days. Note that removing Luma from a server does not automatically delete server-specific settings — please contact us if you also want that data removed.
6. Data Security
We take reasonable technical measures to protect your data, including:
- Encrypted connections (HTTPS/TLS) for all web traffic
- API secret authentication between web dashboard and bot server
- Discord session tokens stored as encrypted HTTP-only cookies
- Database credentials stored as environment variables, never in code
- Access to production systems restricted to authorised personnel only
No system is 100% secure. If you believe your data has been compromised, please contact us immediately at legal@lumabot.app.
7. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access — request a copy of the data we hold about you
- Correction — request correction of inaccurate data
- Deletion — request deletion of your data ("right to be forgotten")
- Portability — receive your playlist data in a machine-readable format
- Objection — object to certain processing of your data
To exercise any of these rights, please contact us at legal@lumabot.app. We will respond within 30 days.
8. Children's Privacy
Luma is not directed at children under the age of 13 (or 16 in the European Union). We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us at legal@lumabot.app and we will delete it promptly.
9. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page and, for significant changes, post an announcement in our Discord support server. Continued use of Luma after changes constitutes acceptance of the updated policy.
10. Contact Us
If you have any questions about this Privacy Policy or how we handle your data, please reach out at legal@lumabot.app or join our Discord support server.