Lumine

Last updated March 24, 2026

Privacy Policy

This policy describes what the Lumine portal at lumineproxy.org collects, what stays only in your browser, what the portal keeps server-side for security, and when data is sent to Lumine services or third-party providers you choose to use.

Important Microsoft account note

The portal keeps the lumine_microsoft_accounts cache in your browser cookie for client-side account selection. That does not mean Microsoft-powered features stay entirely local: when you ask the portal to connect, poll, look up friends, look up Realms, resolve realm addresses, or submit a Microsoft account action, the relevant device-code or token data is sent through Lumine routes to complete the feature you requested.

Security-first collection

Lumine collects account, IP, device, and sign-in evidence to operate the portal, protect accounts, and fight fraud or chargebacks.

A lot of data stays in your browser

The portal stores multiple security and convenience items locally, including Microsoft account cache data, proxy settings, resource packs, and browser request keys.

Third-party services are optional but real

If you use Google sign-in, Microsoft account linking, Stripe checkout, YouTube embeds, or social links, those providers also receive data under their own policies.

What we collect through the portal

Account and sign-in data

  • Lumine account email, password submission during sign-in or registration, and password-change or recovery requests. The portal does not store your plaintext password in browser storage.
  • Account profile and entitlement data returned to the portal, such as email verification state, whether a password exists, auth provider list, last login time, Stardust balances, daily reset timing, premium status, premium start and end timestamps, deletion markers, creation and update timestamps, and related account-security fields.
  • Recent sign-in history shown in the portal profile, including timestamp, auth method, client IP, IP source, observed request IP, user agent, device ID, device cluster ID, device match source, and device risk score when available.

Security and fraud-prevention data

  • Client IP address, subnet, observed upstream IP, sign-in timestamp, and user agent.
  • Approximate location data derived from hosting or CDN headers when available, including city, region, country, metro-style location keys, and in some cases latitude and longitude.
  • Browser and device signals used to build a fraud-prevention fingerprint: timezone, language, languages list, platform, screen size, color depth, pixel ratio, hardware concurrency, device memory, max touch points, user agent, and accept-language.
  • Portal anti-abuse records stored server-side in the device security ledger, including linked account emails, linked IPs and subnets, linked metro areas, location anchors, user-agent hashes, fingerprint hashes, recovery hashes, risk scores, suspicious wipe counts, trust levels, Stardust-claim counters, cooldowns, and security events for login, register, Google login, Google signup, and logout actions with success, failed, blocked, or logout results.
  • Rate-limit counters keyed by IP address in portal memory for auth, registration, read-only, general, and proxy-start routes.
  • Same-site browser request proof data, including browser key IDs, timestamps, nonces, and request signatures used to protect portal API routes.

Microsoft, Google, and Minecraft data

  • Google sign-in data when you choose Google auth, including the Google ID token and the email claim the portal may read from that token before forwarding it to Lumine auth routes.
  • Microsoft account cache data kept in your browser cookie, including the Microsoft username and OAuth token details: access token, refresh token, token type, and expiry.
  • Microsoft device authorization data for the connect flow, including the device code, user code, verification URI, poll status, and temporary token results returned by the Microsoft-linked flow.
  • Minecraft friends data requested through the portal, including gamertag, XUID, online state, game title, game state, and rich presence.
  • Minecraft Realms data requested through the portal, including realm ID, name, state, message of the day, world type, days left, owner, slots, and resolved realm join address.

Proxy, configuration, and support data

  • Proxy targets and session data such as remote server address, realm code, realm ID, friend target, region, proxy type, connection state, assigned address, port, server code, start time, shutdown reason, shutdown error, and shutdown timestamp when returned to the portal.
  • Preferred region, selected tier, last proxy start configuration, selected proxy configuration ID, saved proxy configuration snapshots, and settings blobs used to resume or recreate portal-driven starts.
  • Resource pack metadata and uploaded resource pack content stored locally in your browser when you use the resources flow, including file name, size, type, add time, and data payload.
  • Support or legal emails you send to Lumine, including your contact details and the contents of your message.
  • Password-reset and account-deletion email token flows used from the portal, including the one-time tokens you open and submit and the exact deletion confirmation phrase you type.

Exact browser storage used by the portal

The portal uses cookies, local storage, session storage, and IndexedDB for authentication, device security, Microsoft account caching, proxy convenience, and account recovery flows.

Cookies set by the portal

token

HttpOnly Lumine session token cookie used for portal sign-in. Max age: 7 days.

lumine_account

HttpOnly lowercased account email used for the one-account-per-24-hours browser restriction. Max age: 24 hours.

lumine_device

HttpOnly signed device identifier used for device matching and anti-abuse checks. Max age: 365 days.

lumine_device_recovery

Browser recovery token used to reconnect a browser to the same device identity. Max age: 365 days.

lumine_browser_proof

Website proof cookie used for same-site browser request checks. Max age: 30 days.

lumine_browser_key

HttpOnly signed browser public-key registration cookie used for request signing. Max age: 30 days.

lumine_microsoft_accounts

Browser-side Microsoft account cache containing username plus OAuth access token, refresh token, token type, and expiry. Max age: 365 days.

lumine_proxy_configs

Saved proxy configuration list and settings snapshots stored in a browser cookie. Default max age: 365 days.

lumine_proxy_config_selected

Selected proxy configuration ID stored in a browser cookie. Default max age: 365 days.

Local storage keys

lumine_browser_request_key

Serialized browser signing key used to sign protected portal requests until you clear browser storage.

lumine_device_recovery

Copy of the browser recovery token used for device identity continuity until you clear browser storage.

lumine_xbl_device_code

Temporary Microsoft device-code auth cache kept until the code expires or is cleared.

resourcePacks

Locally saved resource pack metadata and payloads you upload in the portal until you clear them.

lastProxyStart

Last proxy start settings such as account, proxy type, target, and tier until you clear it.

lumine_preferred_region

Preferred proxy region selection until you clear it.

lumine:onboarding-finished

Boolean onboarding completion marker until you clear it.

Session storage keys

lumine_browser_key_registered_key_id

Tracks the active registered browser key for the current browser session.

lumine_chunk_reload_attempt

Single-session marker used to recover from chunk-load errors.

lumine_password_reset_token

Password-reset token held in session storage after you open a reset link.

lumine_delete_account_token

Account-deletion token held in session storage after you open a delete link.

IndexedDB stores

lumine-device-context / markers / recovery-token

Recovery token mirror used for durable client device identity.

lumine-browser-request-proof / keys / browser-key

Browser request signing key store used for protected portal requests.

How we use information

  • Create, authenticate, secure, and recover Lumine accounts.
  • Operate Microsoft-connected and Minecraft-connected features such as friends, Realms, realm address resolution, and account linking.
  • Start, resume, stop, and manage proxies and related dashboard state.
  • Link purchases and premium windows to the correct Lumine account, manage billing redirects, and respond to disputes or chargebacks.
  • Prevent fraud, enforce browser or device restrictions, investigate abuse, and protect the service and other users.
  • Respond to support, policy, security, and legal requests.

When information is shared

We do not sell or rent your personal information. We share information only as needed to run Lumine, complete features you request, process billing you choose to start, maintain security, or comply with legal obligations.

  • With Lumine API routes and infrastructure when the portal needs to complete an account, security, billing-linking, or proxy action you requested.
  • With Google if you use Google sign-in.
  • With Microsoft and Xbox-linked flows if you use Microsoft account connection, friends, Realms, or related Minecraft features.
  • With Stripe if you open checkout or billing management for Stardust or Lumine Eclipse.
  • With YouTube if you load the embedded tutorial or click through to YouTube.
  • With Discord, TikTok, Instagram, or other social services only if you choose to open those links.
  • With service providers, hosts, CDNs, or legal authorities when reasonably necessary for security, abuse prevention, legal compliance, chargeback defense, or protection of users and the service.

Retention and your choices

Cookie retention and browser-storage behavior are listed above. Some items expire automatically, while others stay until you clear browser storage, overwrite them, disconnect an account, or remove saved portal data.

Server-side security records are retained as needed for account protection, anti-abuse review, dispute defense, and service operations. Portal rate-limit counters are kept in memory for their configured windows and then age out. Device-security event history is capped to a rolling maximum instead of growing forever.

You can review recent sign-ins in the dashboard, request password reset emails, request account deletion, clear local Microsoft account caches from the portal flows that manage them, remove saved resource packs or proxy configurations, or contact Lumine for support or policy requests.

Do Not Track, children, and third-party tracking

The portal does not currently change its behavior in response to a browser "Do Not Track" signal. The portal is primarily built around first-party account, proxy, and security features rather than cross-site behavioral ad tracking, but third-party services you choose to load or open may still collect data under their own policies.

Lumine is not intended for children under 13, and we do not knowingly collect personal information from children under 13 through the portal. If we learn that we have done so, we will take reasonable steps to remove that data.

Contact

Support questions can be sent to [email protected]. Policy or legal questions can be sent to [email protected].