Lumi's privacy and security posture for parents, schools, and auditors. Last reviewed 2026-05-14.
| Table | Field | Purpose | Retention | Accessed by |
|---|---|---|---|---|
| parents | Account identity, email contact | Account life | Google (OAuth), Resend | |
| parents | name | Greeting in emails + dashboard | Account life | — |
| parents | google_sub | OAuth account binding | Account life | Google (OAuth) |
| children | first_name | Personalize tutor voice | Account life | Anthropic |
| children | age | Pace tutor to age-appropriate vocabulary | Account life | Anthropic |
| children | dob_year | Birth year only — used to track grade-band progression | Account life | — |
| children | interests | Personalize examples Lumi uses | Account life | Anthropic |
| children | voice_id | Which ElevenLabs voice to use | Account life | ElevenLabs |
| consents | policy_version + tos_version | Audit trail of which version the parent accepted | 7y audit | — |
| consents | ip_hash | SHA-256 hash only — used for fraud prevention | 7y audit | — |
| consents | user_agent | Audit trail device context | 7y audit | — |
| attempts | skill_code + task_type + is_correct + reaction_ms | Adaptive pacing engine, parent dashboard stats | Account life | — |
| attempts | prompt_payload + response_payload (raw) | Detailed analysis during debugging | 90d → aggregate | — |
| mastery_state | trials, correct, stable_mastery, median_rt_ms, confusion_partners | Drives pacing decisions and parent dashboard | Account life | — |
| tutor_memories | content (text) | Longitudinal memory — Lumi greets the child tomorrow and references yesterday's work | Account life | Anthropic |
| audio_assets | blob_url + text_hash + voice_id + model | Cache pre-rendered audio. Filenames are content-addressed by hash — no child identifiers. | 180d unused | Vercel Blob |
| events | kind + payload | Internal debugging logs | 30d | — |
| data_requests | kind + status + timestamps | Audit trail for export/delete requests | 7y audit | — |
Email security@lumikids.dev. Safe harbor for good-faith security research; 90-day disclosure window.
Enforced by daily cron /api/cron/retention-purge.