Lumo — Privacy Policy
Effective Date: 2026-05-29.
This Privacy Policy explains what personal data Lumo (“Lumo”, “we”, “us”, or “our”) collects, how we use it, who processes it, and the choices you have. It applies to the Lumo mobile applications (iOS and Android), the web properties at memorycopilot.sanva.tk, and any related services (collectively, the “Service”).
The Service is operated by Sanva Independent Developer (the “Operator”). If you have any questions about this policy, contact us at privacy@sanva.tk.
1. Data We Collect
We collect only what is necessary to operate the Service. Specifically:
1.1 Account data
- Email address — when you sign up with email, or as provided by Sign in with Apple / Sign in with Google.
- Apple / Google account identifier — the opaque user identifier returned by Apple Sign-In or Google Sign-In. We do not receive your Apple ID password or Google password.
- Display name and profile picture — optional; only if you set one in the app.
1.2 User content
- Memories — the text, links, and other notes you choose to save into Lumo.
- Chat messages — the messages you send to the AI agent and the responses returned.
- Images and videos — the photos and videos you attach to a memory or a chat.
- Voice recordings — the audio you record using the in-app voice memo feature, which we transcribe into text so it can be searched and recalled.
- Documents — files you attach so their contents can be indexed and recalled.
- Container metadata — names, slugs, member roles, and invitation status of memory containers you create or join.
- Connected device data (optional, Pro) — when you choose to connect a source in Lumo Sources, we import: your location (to tag and recall memories by place), your calendar events, contacts you explicitly select (as person seeds for your relationship notes), and Health summaries (daily totals for sleep, activity, and heart rate — never your raw HealthKit records). Each source is off by default and enabled one at a time, and can be turned off at any time.
1.3 Subscription data
- In-App Purchase receipts — provided by Apple App Store or Google Play, verified through RevenueCat.
- Subscription status, plan, and expiry — synced from RevenueCat to our backend.
1.4 Device and diagnostic data
- Device model, OS version, and app version — for compatibility and crash diagnostics.
- Push notification token — if you enable push notifications.
- Crash reports and performance data — collected by Sentry, with stack traces and breadcrumbs.
- IP address — captured at the network edge for abuse prevention; not retained beyond what is necessary.
1.5 What we do not collect
- We access your camera, photo library, and microphone only when you actively use a feature that needs them — for example, attaching a photo or video, or recording a voice memo. We do not access these in the background, and we do not scan your full photo library; we only receive the specific images, videos, and recordings you choose to add.
- We collect location, calendar, contacts, and Health data only if you explicitly connect those sources in Lumo Sources; each is optional and off by default. We do not collect your biometrics, financial information, or browsing history.
- We do not sell your personal data to anyone, and we do not use your memories or chat content for advertising.
2. How We Use Your Data
We use the data above to:
- Provide the Service — authenticate you, store and retrieve your memories, generate replies and summaries, run AI recall and search over your data, describe (caption) the images and videos you attach, transcribe the voice recordings you make, and synchronize across your devices.
- Process subscriptions — verify entitlement, handle upgrades and renewals.
- Communicate with you — invitation emails for shared memory spaces, security and account notices, and transactional updates.
- Improve quality — diagnose crashes, monitor performance, and fix bugs. We do not use your memories or chat content to train AI models.
- Comply with law — respond to lawful requests and enforce our Terms.
We do not use your memories or chat content for advertising, profiling, or any third-party marketing.
3. AI Processing — What We Send, To Whom, and For What
To provide replies, summaries, recall, search, and to organize your memories, the content you provide — your chat messages, the text of your memories, the images and videos you attach, and the voice recordings you make — is sent from your device to our backend over an encrypted (TLS) connection and routed through our secure gateway to third-party AI model providers. These providers process your content only to deliver these features: text understanding, image description (captioning), voice transcription, and converting text into search embeddings. They act solely as our processors, are contractually limited to processing your content for these purposes, and do not use your content to train their models. We do not sell your data and do not use your memories or chat content for advertising.
Your device does not call these AI providers directly, and their API keys are never stored on your device. We do not include your real name, email address, or other directly identifying account fields in these payloads beyond what you yourself wrote.
The AI model providers we currently use are:
| Provider | Purpose | Region | Data shared |
|---|---|---|---|
| OpenAI | Conversational agent, text understanding, summaries, image captioning, voice transcription | United States | Your chat messages, memory text, attached images/videos, and voice recordings |
| | Search embeddings (vectorization of text) | United States | Text derived from your memories and queries |
3.1 No model training on your content
The third-party AI model providers we use are contractually bound not to use your inputs or outputs to train or improve their models. We act as the data controller; these providers act only as our processors under our instructions.
3.2 Health data (Apple HealthKit)
If you connect Apple Health, Lumo reads only daily summaries (totals for sleep, activity, and heart rate) — never your raw HealthKit samples. These summaries are stored on our self-hosted backend, isolated per user by row-level security, and are never used for advertising, never sold, and never used to train any AI model. You can disconnect Health at any time in Lumo Sources, and deleting your account removes all imported Health summaries. Lumo does not write any data back to Apple Health.
4. Other Third-Party Processors (Infrastructure)
Beyond the AI processing described above, we share narrowly scoped data with the following infrastructure processors. Each is contractually bound to confidentiality and to use your data only for the purposes described below.
| Processor | Purpose | Region | Data shared |
|---|---|---|---|
| Supabase, Inc. | Authentication, Postgres database, Edge Functions | Hosted region: us-east-1 | Account data, subscription status, container metadata, invitations |
| RevenueCat, Inc. | Subscription management & receipt validation | United States | Apple/Google receipts, anonymous app user ID |
| Resend, Inc. | Transactional email (invitations, security notices) | United States | Recipient email and email body |
| Sentry (Functional Software, Inc.) | Crash reporting and performance monitoring | United States / EU | Stack traces, breadcrumbs, device info |
| Apple Inc. / Google LLC | App Store / Google Play distribution and IAP | Global | Receipt data and platform user identifier |
5. International Data Transfers
The Service is operated from Hong Kong SAR. The processors listed above are primarily based in the United States. If you are located in the European Economic Area, the United Kingdom, or other regions with data export rules, your data may be transferred to and processed in countries that may not provide the same level of data protection as your home jurisdiction. Where required, we rely on the European Commission’s Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms.
Where your data is transferred across borders, we require these third-party AI providers to maintain protections equivalent to those described in this policy through contractual data-protection terms.
6. Data Retention
- While your account is active — we retain your memories, chat messages, container metadata, and account data for as long as you use the Service.
- After you delete your account — we trigger a cascade deletion across our database, vector index, and shared container memberships. The cleanup completes within 72 hours of your request. Backup snapshots may persist for up to 30 days, after which they are overwritten or deleted.
- Diagnostic data — Sentry retains crash and performance data for up to 90 days.
- Invitation tokens — pending invitations expire 7 days after creation; expired records are purged within 30 days.
- Legal retention — limited records may be retained beyond the periods above where required by law (e.g., tax records of paid subscriptions).
7. Account Deletion
You can delete your account at any time:
- In-app — Settings → Account → Delete Account → confirm.
- From the web — visit /delete-account for the full step-by-step guide.
When you delete your account:
- Your memories, chat history, and shared container memberships are removed.
- Apple Sign-In tokens are revoked per App Store guideline 5.1.1(v).
- Pending invitations you sent are revoked.
Deletion is permanent. We cannot recover deleted data.
8. Your Controls and Rights
Inside the app you can review the AI data-use disclosure (Settings → AI data use), manage notification preferences and search scope, export your data (Settings → Export), and delete individual content or your entire account (see Section 7).
Depending on your jurisdiction, you may also have the following rights:
- Access — request a copy of the personal data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure — delete your data (see Section 7).
- Portability — request a machine-readable export of your data.
- Restriction / Objection — restrict or object to certain processing.
- Withdraw consent — where processing is based on consent, withdraw it.
- Lodge a complaint — with your local data protection authority.
To exercise any of these rights, email privacy@sanva.tk. We respond within 30 days.
9. Children’s Privacy
Lumo is not directed to children under 13. We do not knowingly collect personal data from children under 13. If you believe we have collected such data, contact privacy@sanva.tk and we will delete it promptly. In the European Economic Area, the minimum age is 16 (or the lower age set by your member state).
10. Security
We use industry-standard practices to protect your data:
- Transport-layer encryption (TLS 1.2+) for all network traffic.
- Encrypted at rest where supported by the underlying processor.
- Row-level security policies on Supabase Postgres so users can only access their own data.
- API tokens scoped to each user; admin keys never live on user devices.
- Apple App Store and Google Play handle payment data; we never see your card.
- Connected device data (location, calendar, contacts, Health summaries) is stored on infrastructure we control, isolated per user by row-level security; raw HealthKit records never leave your device.
No system is perfectly secure. If you suspect unauthorized access to your account, contact security@sanva.tk immediately.
11. Cookies & Web Tracking
The Lumo website uses only essential cookies (e.g., theme preference). We do not use third-party advertising cookies, behavioral tracking, or fingerprinting. No analytics SDK is loaded on the marketing site.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will:
- Update the Effective Date at the top.
- Notify you in-app and (for material changes) by email at least 7 days before the change takes effect.
- Continue to apply the previous version to data already collected, where required.
13. Contact
For privacy questions, requests, or complaints:
- Email — privacy@sanva.tk
- Postal — Sanva Independent Developer, Hong Kong SAR (mailing address available on request)