Privacy Policy
Effective: April 13, 2026
The short version
Your memories are yours. Everything you create in Lumoria — tickets, moods, notes, voice memos — is encrypted on your device before it reaches our servers. We cannot read it. No one can, except you.
What we collect
When you join the waitlist
Your email address. A hashed (irreversible) version of your IP address, your browser’s user agent string, and the referring URL — solely to detect abuse and understand how people found us.
When you use the app
Account. Your email address, display name, username, and avatar. Your avatar is encrypted before it leaves your device — we store the ciphertext, not the image.
Tickets and memories. The content you create: ticket details, locations, event dates, memory names, emojis, date ranges, and linked music. All of this is encrypted on your device using AES-256 before it is sent to our servers. We store ciphertext. We cannot read your ticket destinations, your memory names, or anything you’ve written.
Mood entries. When you log a mood, it is stored in two places: Apple Health on your device, and our servers as an encrypted blob. The server receives a valence level, a set of emotion labels (as numeric codes), and a timestamp — all encrypted. We cannot read your mood entries. What goes to Apple Health is governed by Apple’s privacy policy and stays in your personal Health data.
Notes. Title and body text, encrypted before upload. We cannot read your notes.
Voice memos. Your audio file never leaves your device. Transcription happens on-device using Apple’s on-device speech recognition — no audio is sent to any server. We store only the transcript text, duration, and waveform shape — all encrypted.
Photos and videos. Photos and videos you attach to memories are never uploaded anywhere. We store only an opaque local identifier (a string Apple assigns to each asset in your library). The actual files stay on your device.
Music. When you link an Apple Music or Spotify playlist or song to a memory, we store only its metadata — title, artist name, artwork URL, and catalog link — encrypted. We do not access your listening history, your full library, or your play activity.
Push notification token. Your APNs device token, used to deliver notifications. It is deleted from our servers when you sign out.
Notification preferences. Four boolean toggles controlling which notification types you receive.
Subscription status. If you subscribe to Lumoria+, we store your App Store product ID and transaction ID to verify your entitlement. No payment or card data is ever handled by us — all payments go through Apple.
How we use it
- To store and sync your memories across your devices
- To send you one confirmation email when you join the waitlist
- To notify you when Lumoria launches or opens early access
- To deliver push notifications you’ve opted into
- To verify your subscription or early adopter status
- To understand aggregate usage trends — never individual profiling
Encryption
All sensitive content is encrypted on your device using AES-GCM-256 before it is transmitted or stored. Your encryption key is generated on your device and stored in your iCloud Keychain — it syncs to your other devices so your memories are accessible everywhere, but it never reaches our servers. This means we are technically unable to read your ticket content, memory names, mood entries, notes, voice memo transcripts, or avatar.
Analytics
We use Amplitude to understand how people use Lumoria in aggregate. Here is exactly what we send:
- An anonymous identifier derived from your account ID (never your email)
- Your email domain at sign-up only (e.g. gmail.com, not your full address)
- App version and build number
- Behavioral events — which screens you visit, which actions you take — with no content attached. When you log a mood, we record that a mood was logged and how many labels were selected. We never send the labels themselves.
- User property flags: whether you’ve created your first ticket, your appearance mode, whether push is enabled, your export preferences
IP address tracking is explicitly disabled. Session replay is not active. We do not send your email, your ticket content, your memory names, or any personally identifiable information to Amplitude.
Who we share it with
| Service | What they receive | Why |
|---|---|---|
| Supabase | Encrypted content blobs, account metadata | Database and authentication |
| Resend | Your email address | Transactional email delivery |
| Amplitude | Anonymous usage events (see above) | Product analytics |
| Apple | MapKit search queries, Apple Health data, Sign in with Apple token | Maps autocomplete, Health sync, authentication |
| Google | OAuth token (Sign in with Google only) | Authentication |
| Spotify | OAuth token, catalog search queries | Music linking (if you connect Spotify) |
We do not sell, rent, or trade your data to any third party, ever.
Health data
Lumoria can write State of Mind entries to Apple Health when you log a mood. We only write data you explicitly create in the app. We do not read your existing Health data — not your sleep, fitness, heart rate, or any health record you didn’t create through Lumoria. Health data is governed by Apple’s privacy framework and stays in your personal Health database on your device and iCloud.
Location
Lumoria never requests or tracks your GPS location. The only location data we store is coordinates you manually enter when creating a ticket — for example, the origin and destination of a flight. These coordinates are encrypted before upload.
Voice and microphone
Voice memo transcription uses Apple’s on-device speech recognition model. No audio is sent to Apple’s servers or ours. Your .m4a recording stays on your device only.
Cookies
This site does not use tracking cookies. Amplitude uses a first-party anonymous session identifier stored in localStorage, not a cookie.
Retention
When you delete your account, your data is removed from our servers immediately. Voice memo recordings are stored locally on your device only and are removed at the same time. Mood entries written to Apple Health remain in your Health app — you control them directly from Apple Health. Analytics events in Amplitude are anonymised and cannot be linked back to you once your account is deleted.
Your rights
You have the right to access, correct, or delete the information we hold about you. To exercise these rights, email us at privacy@getlumoria.app. We’ll respond within 30 days.
If you are in the EU or UK, you also have the right to lodge a complaint with your local data protection authority.
Changes
If we materially change this policy, we’ll update the effective date above. We won’t retroactively change how we use data we’ve already collected.