Luana← Back to homePrivacy Policy
Data Controller
The controller responsible for processing your personal data under the GDPR and BDSG is:
A Data Protection Officer is not required under § 38 BDSG (thresholds not met). For data protection questions, contact us directly at the email above.
Hosting and Infrastructure
Database — Supabase
User accounts, project data, chat messages, and billing records are stored in a PostgreSQL database managed by Supabase Inc. The server is located in EU Frankfurt (AWS eu-central-1). A Data Processing Agreement (DPA) under Art. 28 GDPR is in place.
Web Server
Server log files are generated on each request (IP address anonymised after 7 days, timestamp, URL, browser/OS). Retention: 7 days, then automatically deleted.
Registration via Roblox OAuth 2.0
Login is done exclusively via Roblox OAuth 2.0 — no separate password required. The following data is transmitted by Roblox and stored by us:
- Roblox User ID
- Roblox username and avatar URL
- Email address (if provided and shared in Roblox account)
Third-country transfer: Roblox Corporation is headquartered in the USA. The OAuth process briefly transfers authentication data to Roblox servers. Basis: EU–US Data Privacy Framework adequacy decision (July 2023, Art. 45 GDPR) where Roblox is DPF-certified; supplemented by Standard Contractual Clauses (Art. 46(2)(c) GDPR).
User Account, Projects and Chat Content
Account data
- Profile data (Roblox ID, username, avatar)
- Credit balances — daily, gift, and shop credits
- Subscription status
- Roblox API key (if provided — stored encrypted)
Project data
- Project name, type and creation date
- Lua scripts created or imported by the user
- Context documents (custom instructions) attached to a project
- 3D mesh generation records — description, status, credit cost
Chat messages and backups
All conversation messages (requests and AI responses) are stored to display history and enable context summarisation. Before each AI generation, a script snapshot is saved automatically (one row per user) for recovery purposes.
AI-Assisted Processing of Content
Your inputs (prompts, script content, project descriptions) are forwarded to external AI providers to generate scripts and 3D models. This is strictly necessary to deliver the service.
| AI Service | Provider | Purpose | HQ |
|---|---|---|---|
| Claude (Sonnet, Opus) | Anthropic PBC via OpenRouter Inc. | Script generation (chat) | USA |
| Gemini Flash | Google LLC | Script generation, 3D optimisation | USA / EU |
| Trellis 2 | 3D AI Studio | 3D mesh generation | USA |
Third-country transfer (USA): All three AI providers are US-based. Transfer basis: EU–US Data Privacy Framework adequacy decision (2023, Art. 45 GDPR) where certified, supplemented by Standard Contractual Clauses (Art. 46(2)(c) GDPR) and Art. 49(1)(b) GDPR (contract performance). Do not include sensitive personal data in chat prompts.
Discord Integration (Optional)
Users may voluntarily link their Luana account to Discord for bonus credits and community access. Linking is optional and can be revoked at any time in settings. The following data is stored on linking:
- Discord User ID, username, and avatar URL
- Discord account email address
- Whether the one-time bonus credit has been claimed
Third-country transfer: Discord Inc. (USA) is certified under the EU–US Data Privacy Framework — basis: adequacy decision (Art. 45 GDPR).
Payment Processing — Polar
Payments are processed by Polar via an external checkout page. Luana does not store card numbers or bank details.
- Polar Customer ID and Subscription ID
- Subscription status, start and end dates
- Transaction log for credit grants (idempotency)
Polar privacy policy: polar.sh/legal/privacy
Error Logging
Technical errors are logged in a database table for fault diagnosis. Stored data: error code, description, User ID, Chat ID, and operation context.
Cookies and Local Browser Storage
We use only technically necessary storage — no tracking, advertising, or analytics cookies. No cookie consent banner is required (§ 25(2) TTDSG).
Session cookies
| Name | Purpose | Lifetime |
|---|---|---|
sb-[id]-auth-token | Supabase auth session (HTTP-only, Secure) | Session / 1 week |
discord_oauth_state | CSRF protection during Discord OAuth | 5 minutes |
discord_oauth_join | Redirect flag after Discord OAuth | 5 minutes |
Local storage
| Key | Content | Purpose |
|---|---|---|
theme | "light" or "dark" | Stores colour scheme preference |
International Data Transfers
For US providers: since the EU–US Data Privacy Framework (DPF) adequacy decision of 10 July 2023, DPF-certified companies benefit from an adequate level of protection (Art. 45 GDPR). Standard Contractual Clauses (Art. 46(2)(c) GDPR) are used as a supplementary safeguard.
| Provider | Country | Transfer basis |
|---|---|---|
| Roblox Corporation | USA | DPF / SCCs + Art. 49(1)(b) GDPR |
| Discord Inc. | USA | DPF certified — Art. 45 GDPR |
| Google LLC (Gemini) | USA / EU | DPF certified — Art. 45 GDPR |
| Anthropic PBC via OpenRouter | USA | SCCs + Art. 49(1)(b) GDPR |
| 3D AI Studio | USA | SCCs + Art. 49(1)(b) GDPR |
| Supabase Inc. | USA (HQ only) | Data stored EU Frankfurt — no transfer |
Despite safeguards, US authorities (e.g. under the CLOUD Act) may access data held by US-based companies. We take all reasonable measures to minimise this risk.
Data Processing Agreements (DPAs)
| Provider | Service | DPA status |
|---|---|---|
| Supabase Inc. | Database, auth, row-level security | DPA in place |
| OpenRouter Inc. | AI API router (Claude) | PLACEHOLDER: verify / sign DPA |
| Anthropic PBC | Claude language model | PLACEHOLDER: review Anthropic DPA |
| Google LLC | Gemini language model | Google Cloud DPA in place |
| 3D AI Studio | 3D model generation (Trellis 2) | PLACEHOLDER: verify / sign DPA |
| Polar Analytics AS | Payment processing | Polar DPA in place |
Retention and Deletion
| Data category | Retention | Deletion trigger |
|---|---|---|
| User account, credits | Until account deletion | User request |
| Project data, chat messages | Until deleted by user | User action or account deletion |
| Payment / transaction data | 10 years | § 147 AO (German tax law) |
| Server log files | 7 days | Automatic |
| Error logs | 30 days | Automatic |
| Discord link data | Until disconnection | User action |
To delete your account email [email protected]. Self-service deletion will be added in a future release.
Your Rights Under GDPR
- Access (Art. 15) — request a copy of all data we hold about you
- Rectification (Art. 16) — request correction of inaccurate data
- Erasure (Art. 17) — request deletion, subject to legal retention obligations
- Restriction (Art. 18) — request that we restrict processing of your data
- Portability (Art. 20) — receive your data in a structured, machine-readable format
- Object (Art. 21) — object to processing based on legitimate interest (Art. 6(1)(f))
- Withdraw consent (Art. 7(3)) — revoke any consent at any time with future effect
To exercise any right: [email protected]
Right to Lodge a Complaint
If you believe our processing violates the GDPR you may lodge a complaint with a supervisory authority (Art. 77 GDPR). The competent authority for our location is:
You may also contact the authority in your country of residence or work.
Last updated May 2026 · luana.studio · Always available at https://luana.studio/datenschutz