Legal

Privacy & Cookie Policy

Last updated: 23 March 2026 · Governed by Dutch law · GDPR compliant

Plain English: We collect only what we need to run Lune. We don't sell your data, use your images to train AI, or share anything with advertisers. You have full control over your data under GDPR. Questions? legal@trylune.io

Section 01

Who We Are

Lune (“we”, “us”, “our”) is an AI-powered ad creative platform operated by Lune, registered in the Netherlands. If you are located in the European Economic Area (EEA), we are the data controller responsible for your personal data under the General Data Protection Regulation (EU) 2016/679 (“GDPR”).

Data Controller
Lune
Vespuccistraat 65-2, 1056 SH Amsterdam, Netherlands
legal@trylune.io

Section 02

What This Policy Covers

This Privacy & Cookie Policy explains what personal data we collect and why, how we use and protect it, who we share it with, your rights under applicable data protection law, and how we use cookies and similar tracking technologies.

This policy applies to trylune.io and all Lune sub-domains and services. It does not apply to third-party websites linked from our platform.

Section 03

Personal Data We Collect

3.1 — Account & Identity Data via Clerk

Name, email address, hashed password, profile photo (if via OAuth), authentication provider, account creation date and last sign-in time.

3.2 — Subscription & Billing Data via Stripe

Billing name and address, payment card metadata (last 4 digits, expiry, card type — full card numbers are never stored by us), subscription plan, billing cycle, payment history, VAT number if provided.

3.3 — Usage Data

Features accessed, actions performed, credit usage and generation history, platform and browser type, OS, device type, IP address and approximate location (country/city level), referring URL, session duration and interaction timestamps.

3.4 — Content You Upload (“User Content”)

Product images, brand logos and assets, brand kit settings (colors, fonts, tone), text inputs and prompts, generated ad creatives. User Content is processed solely to provide the Service.

Your uploaded content is never used to train AI models and is never shared with third parties for advertising purposes.

3.5 — Communications Data

Emails to our support team, feedback and survey responses, transactional emails (receipts, plan changes, password resets).

3.6 — Technical & Log Data

Server-side request logs (IP, timestamp, endpoint, response code), error logs and crash reports, API usage metadata.

Section 04

Legal Bases for Processing (GDPR)

Legal Basis	Article	Applies To
Performance of a Contract	6(1)(b)	Account data, billing data, usage data, User Content
Legitimate Interests	6(1)(f)	Fraud prevention, security monitoring, analytics, service communications
Legal Obligation	6(1)(c)	VAT records, financial audit trails, lawful authority requests
Consent	6(1)(a)	Non-essential cookies, marketing emails. Withdrawable at any time.

Section 05

How We Use Your Data

Create and manage your account and authenticate your identity

Process payments and manage subscription billing

Deliver the AI creative generation service

Store and serve your brand kits and generated creatives

Send transactional communications (receipts, plan confirmations)

Detect and prevent fraud, abuse, and security incidents

Monitor platform performance and fix technical issues

Comply with legal and regulatory obligations

We do not:

Sell your personal data to third parties

Use your User Content to train AI models

Use your data for targeted advertising outside trylune.io

Share your data with third parties for their own marketing purposes

Section 06

Third-Party Processors

We share data with the following sub-processors, each bound by data processing agreements and appropriate safeguards:

Provider	Purpose	Location	Safeguard
Clerk	Authentication & identity	USA	SCCs
Supabase	Database & file storage	EU / USA	SCCs
Stripe	Payment processing	USA	SCCs
Google (Gemini API)	AI image generation	USA	SCCs
Vercel	Hosting & edge delivery	USA	SCCs

SCCs = EU Standard Contractual Clauses under Article 46(2)(c) GDPR. No sub-processor may use your data for their own purposes beyond what is necessary to serve us.

Section 07

International Data Transfers

Some of our sub-processors are located outside the EEA. Where we transfer personal data to countries without an adequacy decision, we rely on EU Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914), supplemented by appropriate technical and organisational measures where necessary.

For more information on transfer safeguards, contact legal@trylune.io.

Section 08

Data Retention

Data Type	Retention Period
Account data	Duration of account + 30 days after deletion
Billing & payment data	7 years (Dutch tax law)
Generated creatives	Duration of account + 30 days
Brand kits & uploaded images	Duration of account + 30 days
Usage & analytics logs	12 months
Server/access logs	90 days
Support communications	3 years from last communication

Billing records are retained for the statutory minimum required by Dutch tax law (7 years) regardless of account deletion. After all other retention periods expire, data is permanently deleted or irreversibly anonymised.

Section 09

Your Rights Under GDPR

If you are located in the EEA, you have the following rights:

Right of Access Art. 15

Request a copy of all personal data we hold about you.

Right to Rectification Art. 16

Ask us to correct inaccurate or incomplete data.

Right to Erasure Art. 17

Ask us to delete your data where no longer necessary or where you withdraw consent. Exceptions apply for legally required records.

Right to Restriction Art. 18

Ask us to restrict processing in certain circumstances, e.g. while a dispute is resolved.

Right to Portability Art. 20

Request your data in a structured, machine-readable format where processing is based on consent or contract.

Right to Object Art. 21

Object to processing based on legitimate interests. We cease unless we can demonstrate compelling legitimate grounds.

Withdraw Consent Art. 7

Withdraw consent at any time without affecting prior processing.

Lodge a Complaint Art. 77

Contact the Dutch DPA (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl

To exercise any right, email legal@trylune.io. We respond within 30 days. We may need to verify your identity before fulfilling a request.

Section 10

Data Security

TLS/HTTPS encryption for all data in transit

Encryption at rest for stored data (Supabase AES-256)

Role-based access controls — staff access to production data is logged and granted on a need-to-know basis only

Clerk-managed authentication with secure session tokens and optional MFA

Stripe-managed payment processing — we never handle or store raw card data

Regular dependency audits and security patch management

Incident response procedures for potential data breaches

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and notify affected individuals without undue delay.

Section 11

Children's Privacy

The Service is not directed at individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that a user is under 16, we will delete their account and associated data immediately.

If you believe a minor has provided data to us, contact legal@trylune.io immediately.

Section 12

Cookie Policy

Cookies are small text files stored on your device when you visit trylune.io. We also use similar technologies such as local storage, session storage, and pixel tags.

On your first visit, we display a cookie consent banner. You may accept all, accept essential only, or customise. You can change preferences at any time via the Cookie settings link in the footer.

Managing cookies in your browser:

Chrome Settings → Privacy and Security → Cookies

Firefox Preferences → Privacy & Security → Cookies

Safari Preferences → Privacy → Manage Website Data

Edge Settings → Cookies and site permissions

Note: disabling certain cookies may impact platform functionality. Our platform does not currently respond to Do Not Track signals, but we minimise tracking by default and do not share data with ad networks.

Section 13

User-Uploaded Content & AI Processing

13.1 — Image Processing

Product images and logos you upload are transmitted to Google's Gemini API for AI image generation. This is governed by Google's data processing terms and our agreement with Google, which prohibits Google from using your content to train its AI models under our enterprise API agreement.

13.2 — Prompt & Text Input

Text prompts and notes you enter are processed by Google's Gemini API to generate creatives. These are not used for advertising or model training.

13.3 — Generated Output

Ad creatives generated on your behalf are stored in your account and accessible only to you and authorised seat users. We do not claim ownership of generated creatives — ownership is governed by our Terms & Conditions.

Deletion: When you delete your account or request erasure, all User Content (uploaded images, brand kits, generated creatives) is permanently deleted from our systems within 30 days. Residual copies in backup systems are purged within 90 days.

Section 14

Changes to This Policy

We may update this Privacy & Cookie Policy from time to time. When we make material changes, we will update the “Last updated” date and display a notice within the platform or send an email notification. Continued use of the Service after the effective date of a revised policy constitutes acceptance.

Section 15

Governing Law

Governing law

Dutch law (Netherlands)

EEA users

GDPR (EU) 2016/679 applies in full

This policy is governed by Dutch law. The GDPR applies to users located in the EEA. For users outside the EEA, applicable local data protection law also applies where required.

Privacy questions or data requests?

We respond to all privacy-related requests within 30 days.

legal@trylune.io