Privacy Policy
Last updated: February 2026
Vita in Lumine ("the Site") is committed to protecting the privacy of its users. This policy describes how we collect, use and protect your personal data in accordance with the General Data Protection Regulation (GDPR) and applicable French law.
1. Data controller
The data controller is Guillaume Denis, individual entrepreneur, contactable at the address indicated in the legal notices or via the contact form on the Site.
2. Data collected
We collect the following data:
- Account data: full name, email address, password (stored hashed), language preference
- Subscription data: subscription tier, payment identifiers (customer ID, subscription ID), payment status
- Usage data: favourites, gallery reactions and messages
- Technical data: IP address (for rate limiting and security only), browser type, connection timestamps
- Cookies: age verification cookie, locale preference, session cookie (Supabase Auth)
3. Purpose and legal basis
Your data is processed for the following purposes:
- Account management and authentication (contract performance)
- Subscription management and payments (contract performance)
- Content personalisation based on subscription tier (legitimate interest)
- Sending notification emails — new galleries, articles (consent)
- Sending weekly digest summaries (consent, configurable in profile)
- Security: rate limiting, fraud prevention (legitimate interest)
- Server-side error logging (legitimate interest, anonymised data)
4. Data sharing
Your data may be shared with the following service providers:
- Supabase (database and authentication — hosted in EU)
- Payment processor (secure payment processing — PCI DSS certified)
- Resend (sending transactional emails)
- Scaleway (image storage — S3-compatible object storage)
- Vercel (website hosting and error logging)
We do not sell your personal data. Each provider is contractually bound to protect your data.
5. Data retention
- Account data: retained for the duration of the account, deleted within 30 days of deletion request
- Subscription data: retained for 3 years after end of subscription (legal obligation)
- Technical logs: deleted automatically after 90 days
6. Your rights
Under the GDPR, you have the following rights:
- Right of access: obtain a copy of your personal data (available directly from your profile)
- Right to rectification: modify your information via your profile
- Right to erasure: delete your account and all associated data
- Right to data portability: export your data in JSON format (available from your profile)
- Right to object: unsubscribe from notification emails at any time
- Right to lodge a complaint with the CNIL (www.cnil.fr)
To exercise these rights, use the options available in your member profile or contact us via the contact form.
7. Cookies
The Site uses the following cookies:
- age_verified: age verification (essential, 30 days)
- locale: language preference (functional, 1 year)
- sb-*: Supabase authentication session (essential, session duration)
- theme: dark/light theme preference (functional, 1 year)
No advertising or tracking cookies are used. Essential cookies cannot be refused as they are necessary for the Site to function.
8. Security
We implement appropriate technical and organisational measures to protect your data: password hashing (bcrypt via Supabase Auth), HTTPS encryption, Row Level Security (RLS) in the database, input validation (Zod), Content Security Policy (CSP) headers, and rate limiting on sensitive endpoints.
9. Changes to this policy
This policy may be updated. The date of last update is indicated at the top of the page. We recommend checking it regularly.
10. Contact
For any questions regarding the protection of your data, contact us via the contact form or at the address indicated in the legal notices.