Privacy Policy
1. Introduction & Data Controller
Lumira (“we,” “us,” “our”) operates the AI parenting companion available at hellolumira.app (“the Service”). We are the data controller responsible for your personal data as described in this Privacy Policy.
This Privacy Policy explains what data we collect, how we use it, who we share it with, how long we keep it, and what rights you have. It applies to all users of Lumira worldwide. For detailed information about how our AI system processes your data, please also see our AI & Data Practices document.
Lumira
Silicon Valley, California, United States
Privacy contact: privacy@hellolumira.app
Legal contact: legal@hellolumira.app
Data Protection Officer: dpo@hellolumira.app
EU/UK Representative: To be appointed. Until appointed, enquiries may be directed to privacy@hellolumira.app.
India Grievance Officer: To be appointed. Until appointed, grievances may be directed to privacy@hellolumira.app.
2. Information We Collect
2.1 Account Data
Legal basis: Contract performance (GDPR Art. 6(1)(b))
- Email address (used for authentication and communication)
- First name (used for personalisation)
- Authentication tokens (managed by Supabase Auth; we do not store passwords as we use passwordless magic link authentication)
- First-time parent status (yes/no)
2.2 Baby Profile Data
Legal basis: Contract performance + Parental consent (GDPR Art. 6(1)(b), 6(1)(a))
- Baby's name (optional — if not provided, we use “Baby” or “your baby”)
- Date of birth or expected due date
- Developmental stage (pregnancy, infant, or toddler)
- Milestone records (type, date, optional notes)
- Pregnancy appointments (type, date, optional notes)
2.3 Health-Adjacent Data
Legal basis: Explicit consent (GDPR Art. 6(1)(a), Art. 9(2)(a))
Why we treat this as sensitive data: While daily check-in data (sleep quality, feeding patterns, mood) may not strictly qualify as “health data” under GDPR Article 9 in every interpretation, we treat all data relating to infant health, baby care, and parental wellbeing with the same care and protections as special category data. We require explicit consent before collecting any of this data.
- Daily check-in data: sleep quality (poor/ok/good), night wakings count, feeding patterns (less/normal/more), baby mood (calm/fussy/very fussy), diaper observations (normal/fewer/more/unusual), nausea level (none/mild/moderate/severe for pregnancy), energy level (low/ok/good), symptom log (free text), kept-food-down indicator
- Concern flow responses: structured answers to concern-specific questions (e.g., symptom descriptions, duration, severity ratings), free-text concern descriptions
- AI conversation logs: your messages to Lumira and the AI-generated responses, stored as chat messages within conversation threads linked to each check-in or concern session
- Concern summaries: AI-generated summaries containing likely causes, suggested actions, monitoring guidance, and escalation criteria
- Pattern observations: automated analysis of check-in trends (e.g., “3 consecutive nights of poor sleep detected”), generated by rule-based logic (not machine learning)
- Weekly summaries: AI-generated weekly summaries of check-in trends, patterns, and developmental observations, stored per baby profile and week number
- Weekly developmental guides: AI-generated, age-appropriate weekly guides covering what to expect at your baby's current developmental stage, cached per gestational week or age
2.4 Emotional State Data
Legal basis: Explicit consent (GDPR Art. 6(1)(a), Art. 9(2)(a))
- Inferred emotional signals: ok, tired, struggling, or distressed. These are determined by keyword matching against your messages (not by AI analysis). See our AI & Data Practices page for the full explanation.
- Parent wellbeing indicators: derived from emotional signal history over time.
When a “distressed” signal is detected, Lumira will surface wellbeing resources and helpline information. This is an automated safety mechanism, not a clinical assessment.
2.5 Journal Entries
Legal basis: Explicit consent (GDPR Art. 6(1)(a))
- Free-text reflections and personal notes
- Entry dates
Journal entries are personal to each parent. In a two-parent account, each parent's journal entries are visible only to them and are never shared with the other parent or sent to the AI.
2.6 Communication Data
Legal basis: Consent (GDPR Art. 6(1)(a)) and Legitimate interest (GDPR Art. 6(1)(f))
- Communication preferences (email, WhatsApp, SMS, push notification settings)
- Phone number (if voluntarily provided for WhatsApp or SMS; masked in the UI after entry)
- Preferred check-in time and timezone
- Quiet hours settings
- Communication delivery logs (channel, message type, delivery status, timestamp — for delivery debugging and anti-spam enforcement)
2.7 Notification Data
Legal basis: Contract performance (GDPR Art. 6(1)(b))
- In-app notifications (type, title, body, read/unread status, associated links)
- Notification delivery timestamps
Notifications are used to inform you about pattern observations, weekly guide availability, concern follow-ups, and other Service-related updates. Notification data is deleted when your account is deleted.
2.8 Consent & Preference Data
Legal basis: Legal obligation (GDPR Art. 6(1)(c))
- Consent records: We track your consent status for each of the following categories: terms of service, privacy policy, data processing, sensitive data, community guidelines, acceptable use, AI data practices, marketing email, marketing SMS, marketing WhatsApp, analytics, product improvement, and third-party sharing. Each consent event (granted or withdrawn) is recorded as an immutable, timestamped entry.
- Privacy preferences: AI processing opt-in/out, analytics opt-in/out, product improvement opt-in/out, and your chosen data retention period (12, 24, or 36 months).
2.9 Technical Data
Legal basis: Legitimate interest (GDPR Art. 6(1)(f))
- IP address — SHA-256 hashed before storage. We never store your raw IP address. Hashed IPs are used solely for security auditing and fraud prevention.
- User agent string (browser and device type)
- Session data (managed by Supabase)
We do NOT collect:
- Precise or approximate location data
- Device identifiers (IDFA, GAID, or similar)
- Contact lists or address books
- Photos, camera, or microphone data
- Biometric data
- Financial or payment information (future payment processing will use a PCI-compliant third-party processor)
3. How We Use Your Data
- Provide personalised parenting guidance: Your check-in data, baby's age, and stage are used to generate contextual, age-appropriate AI responses.
- Generate weekly developmental guides: Your baby's gestational age or age in weeks is used to generate and cache stage-specific weekly content.
- Detect patterns: Your check-in data over time is analysed using rule-based logic to identify trends in sleep, feeding, mood, and other categories (e.g., “3 consecutive nights of poor sleep”).
- Screen for safety concerns: Your messages are scanned by a keyword-based red flag scanner (running locally within Lumira's infrastructure, not sent to AI) that detects twelve (12) categories of potentially urgent symptoms and directs you to emergency services or your healthcare provider when appropriate.
- Infer emotional state: Your messages are scanned using keyword matching to infer whether you may be tired, struggling, or in distress, so Lumira can provide an appropriate tone of response and surface wellbeing resources when needed.
- Generate concern summaries: When you use the concern flow feature, your structured answers are sent to the AI to generate a summary with likely causes, suggested actions, monitoring guidance, and escalation criteria.
- Generate weekly summaries: Your check-in data is aggregated weekly to produce AI-generated summaries highlighting trends, observations, and developmental progress.
- Track milestones: Your baby's milestone records are stored and used to provide contextual, stage-appropriate guidance.
- Send notifications: We generate in-app notifications for pattern observations, weekly guide availability, and other Service-related updates.
- Send communications: With your consent, we send daily check-in reminders, pattern alerts, weekly guide previews, and concern follow-ups via your preferred channel (email, WhatsApp, SMS, or push notification).
- Provide community features: Your display name and posted content are shared within Tribes communities you join.
- Improve the Service: We use anonymised, aggregated data (with all personal identifiers removed) to understand how the Service is used, identify and fix issues, and improve features. We never use identifiable personal data for product improvement without your explicit consent.
- Comply with legal obligations: We retain consent records and audit logs as required by GDPR, CCPA, and other applicable regulations.
4. AI Processing Transparency
What is sent to the AI
When you interact with Lumira, the following data is assembled into a context block and sent to Anthropic's Claude API to generate a response:
- Your first name (for personalisation)
- Your baby's name and age/gestational week
- Your baby's developmental stage
- Your current message
- Recent check-in data (sleep, feeding, mood from the last few days)
- Recent conversation history (current session only)
- Recent pattern observations, if any
- A weekly summary of trends, if available
What is NOT sent to the AI:
- Your email address
- Your phone number
- Other users' data
- Your journal entries
- Raw database records
- Consent records or audit logs
Anthropic's data handling. We use Anthropic's API (not the consumer product). Under Anthropic's API Terms of Service, Anthropic does not use API inputs or outputs to train its models. Your conversations with Lumira are not used by Anthropic for model training, fine-tuning, or improvement.
AI model settings. Lumira uses Claude (currently claude-sonnet-4-6) with a temperature of 0.4 (a conservative setting that reduces randomness) and a maximum token output of 800 per response. These settings are chosen to favour consistency and conservatism over creativity.
Opting out. You can disable AI processing at any time in Settings → Privacy & Data. When AI processing is disabled, your check-ins are still recorded and patterns are still detected, but Lumira will not generate AI-powered conversational responses or send your data to Anthropic.
5. Legal Basis for Processing (GDPR)
For users in the European Union and United Kingdom, we process your data under the following legal bases:
| Data category | Legal basis | GDPR Article |
|---|---|---|
| Account data (email, name) | Contract performance | Art. 6(1)(b) |
| Baby profile data | Contract performance + Parental consent | Art. 6(1)(b), 6(1)(a) |
| Health-adjacent check-in data | Explicit consent | Art. 6(1)(a), Art. 9(2)(a) |
| Emotional state data | Explicit consent | Art. 6(1)(a), Art. 9(2)(a) |
| Journal entries | Explicit consent | Art. 6(1)(a) |
| AI conversation logs | Explicit consent | Art. 6(1)(a) |
| Weekly summaries and guides | Explicit consent (AI-generated content) | Art. 6(1)(a) |
| Notification records | Contract performance | Art. 6(1)(b) |
| Communication preferences | Contract (transactional) + Consent (marketing) | Art. 6(1)(b), 6(1)(a) |
| Communication delivery logs | Legitimate interest | Art. 6(1)(f) |
| Technical data (hashed IP, user agent) | Legitimate interest (security) | Art. 6(1)(f) |
| Consent records | Legal obligation | Art. 6(1)(c) |
| Audit logs | Legal obligation + Legitimate interest | Art. 6(1)(c), 6(1)(f) |
Legitimate interest assessments. Where we rely on legitimate interest, we have conducted a balancing test to ensure our interests do not override your fundamental rights and freedoms. Our legitimate interests include: ensuring security and preventing fraud (technical data), maintaining delivery quality and enforcing anti-spam rules (communication logs), and meeting legal accountability requirements (audit logs). You have the right to object to processing based on legitimate interest (see Section 9).
6. Data Sharing & Sub-Processors
| Processor | Purpose | Data shared | Location |
|---|---|---|---|
| Anthropic, Inc. (Claude API) | AI response generation | Conversation context, baby age/stage, recent check-in data, first name, baby name | United States |
| Supabase, Inc. | Database hosting, authentication, file storage | All stored data (encrypted at rest) | United States (AWS) |
| Vercel, Inc. | Application hosting, edge functions, CDN | HTTP request metadata (routing only) | Global CDN |
| Resend, Inc. | Transactional and marketing email delivery | Email address, first name, email content | United States |
| Twilio, Inc. | SMS and WhatsApp message delivery | Phone number (if provided), message content | United States |
Each sub-processor is bound by a Data Processing Agreement (DPA) that requires them to process data only on our instructions and to implement appropriate technical and organisational security measures.
We do NOT sell your personal data. We do NOT share your data with third parties for advertising. We do NOT use third-party advertising or marketing cookies. We do NOT permit our sub-processors to use your data for their own purposes.
7. International Data Transfers
Lumira is operated from the United States, and your data is primarily stored on servers located in the United States (via Supabase on AWS infrastructure).
For EU/UK users: Personal data transferred from the European Economic Area (EEA) or United Kingdom to the United States is protected by Standard Contractual Clauses (SCCs) as adopted by the European Commission (Decision 2021/914) and, where applicable, the UK International Data Transfer Agreement or Addendum. Each of our sub-processors maintains SCCs or equivalent transfer mechanisms.
For Indian users: Transfers of personal data outside India comply with the cross-border data transfer provisions of the Digital Personal Data Protection Act, 2023 (DPDPA). The Central Government of India has not yet notified restricted countries for data transfer; we will comply with any such restrictions when they are published.
For Australian users: Transfers comply with Australian Privacy Principle (APP) 8. We take reasonable steps to ensure overseas recipients handle your personal information in accordance with the Australian Privacy Act 1988.
For Canadian users: Transfers comply with PIPEDA. Your personal information may be accessible to law enforcement and national security authorities of the United States under US law.
8. Data Retention
| Data category | Retention period | Basis |
|---|---|---|
| Active user data (profiles, check-ins, concerns, milestones, journals) | User-configurable: 12, 24, or 36 months from last activity (default: 24 months) | User preference |
| AI conversation logs (chat threads and messages) | Same as above (linked to check-ins and concern sessions) | User preference |
| Communication delivery logs | 2 years from creation | Legitimate interest (delivery debugging) |
| Consent records | 7 years from creation (immutable, append-only) | Legal obligation (GDPR accountability) |
| Audit logs | 7 years from creation (anonymised after account deletion) | Legal obligation + Legitimate interest |
| Notification records | Same as active user data (user-configurable retention period) | User preference |
| Data export request logs | 90 days from creation | Legitimate interest (request fulfillment and auditing) |
| Anonymised aggregate data | Indefinite | Legitimate interest (product improvement) |
Account deletion. When you delete your account, the following occurs immediately:
- Personal identifiers (name, email, phone) are permanently erased.
- Check-in data, journal entries, chat threads and messages, concern sessions, weekly summaries, notifications, and pattern observations are permanently deleted.
- If you are in a two-parent account, the shared baby profile is retained for the other parent. If both parents delete, the baby profile is permanently deleted.
- Consent records are retained (with profile_id) for 7 years as required for GDPR accountability.
- Audit log entries are anonymised (profile_id set to NULL) and retained for 7 years.
- Your authentication record is deleted from Supabase Auth.
You can configure your data retention period at any time in Settings → Privacy & Data.
9. Your Rights
9.1 Rights for All Users
Regardless of your location, you have the right to:
- Access your data: Settings → Privacy & Data → Download My Data (JSON export, generated within minutes, download link valid for 48 hours).
- Correct inaccurate data: Settings → Profile, or contact us.
- Delete your account and data: Settings → Privacy & Data → Delete Account (confirmed via email verification for security).
- Withdraw consent at any time: Settings → Privacy & Data for AI processing, analytics, and individual communication channels. Withdrawal does not affect the lawfulness of processing performed before withdrawal.
- Object to automated profiling: You may request human review of any automated assessment by contacting privacy@hellolumira.app.
- Lodge a complaint with your local data protection supervisory authority.
9.2 Additional Rights for EU/UK Users (GDPR)
Under the General Data Protection Regulation (GDPR) and UK GDPR, you also have the right to:
- Data portability (Art. 20): Receive your personal data in a structured, commonly used, machine-readable format (JSON). Available via the Download My Data feature.
- Restriction of processing (Art. 18): Request that we restrict the processing of your personal data in certain circumstances (e.g., while we verify the accuracy of data you have contested).
- Object to processing based on legitimate interest (Art. 21): Object to our processing of your data where we rely on legitimate interest as the legal basis. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
- Right not to be subject to automated decision-making (Art. 22): Lumira does not make automated decisions with legal or similarly significant effects. Emotional state inferences and pattern observations are used for informational and supportive purposes only. You may request human review of any automated assessment.
EU supervisory authorities: You may lodge a complaint with the data protection authority in your EU member state of habitual residence, place of work, or place of the alleged infringement.
UK supervisory authority: Information Commissioner's Office (ICO), ico.org.uk.
9.3 Additional Rights for California Residents (CCPA/CPRA)
Under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), California residents have the right to:
- Right to know: Request disclosure of the categories and specific pieces of personal information we have collected, the categories of sources, the business or commercial purpose for collecting, and the categories of third parties with whom we share personal information.
- Right to delete: Request deletion of personal information we have collected (subject to certain exceptions under CCPA Section 1798.105).
- Right to correct: Request correction of inaccurate personal information.
- Right to opt-out of sale: We do NOT sell your personal information. We do not share personal information for cross-context behavioural advertising. No opt-out is necessary because no sale or sharing for advertising occurs.
- Right to limit use of sensitive personal information: You may limit our use of sensitive personal information (health-adjacent check-in data, emotional state data) to uses necessary to provide the Service. Contact privacy@hellolumira.app.
- Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights. You will not receive different pricing, quality of service, or access levels for exercising your rights.
Categories of personal information collected in the preceding 12 months: Identifiers (name, email), internet activity (session data, hashed IP), health-related information (check-in data, concern flows), inferences (emotional state, pattern observations). We have not sold any personal information. We have disclosed personal information to our service providers as described in Section 6.
9.4 Additional Rights for Virginia, Colorado, Connecticut, Texas, Oregon, and Other US State Residents
If you reside in a US state with a comprehensive privacy law (including the Virginia Consumer Data Protection Act, Colorado Privacy Act, Connecticut Data Privacy Act, Texas Data Privacy and Security Act, Oregon Consumer Privacy Act, and others), you may have similar rights to access, delete, correct, and opt-out of certain processing. Contact privacy@hellolumira.app to exercise these rights. We will respond within the timeframe required by your state's law (typically 45 days, extendable by an additional 45 days with notice).
9.5 Rights for Indian Users (DPDPA 2023)
Under the Digital Personal Data Protection Act, 2023 (DPDPA), Indian users (“Data Principals”) have the right to:
- Access personal data: Request a summary of your personal data and processing activities.
- Correction and erasure: Request correction of inaccurate data and erasure of data that is no longer necessary.
- Nomination: Designate another person to exercise your data rights in the event of your death or incapacity.
- Grievance redressal: Contact our Grievance Officer (or, until appointed, privacy@hellolumira.app) for any complaints. We will acknowledge your grievance within 48 hours and resolve it within 30 days.
As a Data Fiduciary, Lumira will comply with all obligations under the DPDPA, including obtaining verifiable consent before processing and implementing reasonable security safeguards.
9.6 Rights for Australian Users
Under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), you have the right to access and correct your personal information. If you believe we have breached the APPs, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
9.7 How to Exercise Your Rights
By email: privacy@hellolumira.app
Response times: We will acknowledge your request within 48 hours and fulfil it within 30 days (or 45 days for CCPA requests, extendable by 45 days with notice). For complex requests, we may extend by an additional 60 days under GDPR Art. 12(3), with notice.
Verification: We may ask you to verify your identity before processing your request to prevent unauthorised access to your data. Verification is typically performed via your authenticated Lumira session or a magic link sent to your registered email address.
10. Children's Data
Lumira processes data about children (infants and toddlers aged 0–36 months), not from children. All baby data is provided by and controlled by the parent or legal guardian who creates the account.
- Only a parent or legal guardian may enter data about their child into Lumira.
- In a two-parent account, both parents have equal data rights over the shared baby profile.
- Baby profile data is deleted when the parent account is deleted, unless a co-parent account retains access to the baby profile.
- Children do not use Lumira directly. The Service is designed for use by adults (18+) only.
COPPA (US): Because Lumira does not collect personal information directly from children under 13, COPPA's verifiable parental consent requirements do not apply in the traditional sense. Nonetheless, because we process sensitive data about children (provided by their parents), we apply COPPA-level protections to all baby data.
GDPR Art. 8 (EU): Where an information society service relies on a child's consent, the consent of the holder of parental responsibility is required. As Lumira is used by parents and collects child data from parents, the parent's explicit consent at onboarding satisfies this requirement.
UK Age Appropriate Design Code (AADC): Lumira's data practices for child data comply with the “best interests of the child” standard. We collect the minimum data necessary, apply the highest privacy settings by default, and do not use child data for profiling or marketing.
DPDPA Section 9 (India): Lumira obtains verifiable consent from the parent or legal guardian before processing any data relating to a child. We do not track, behaviourally monitor, or target advertising at children.
11. Cookies & Tracking
Lumira uses a minimal cookie footprint. The only cookies we use are:
| Cookie | Purpose | Type | Duration |
|---|---|---|---|
| Supabase auth session | Authenticating your logged-in session | Strictly necessary | Session / 7 days |
We do not use:
- Analytics cookies (no Google Analytics, Mixpanel, Amplitude, or similar)
- Advertising cookies
- Third-party tracking cookies
- Tracking pixels or web beacons
- Browser fingerprinting
- Cross-site tracking of any kind
Because we only use strictly necessary cookies, no cookie consent banner is required. If we add non-essential cookies in the future, we will update this policy and implement a consent mechanism before deploying them.
12. Security
We implement technical and organisational measures to protect your personal data, including:
- Encryption in transit: All data transmitted between your browser and Lumira's servers is encrypted using TLS 1.3.
- Encryption at rest: All data stored in our database (Supabase on AWS) is encrypted at rest using AES-256.
- Row Level Security (RLS): Every database table is protected by Supabase Row Level Security policies, ensuring users can only access their own data. RLS policies are enforced at the database level and cannot be bypassed by application code.
- IP address hashing: IP addresses are SHA-256 hashed before storage. Raw IP addresses are never written to any database table or log.
- Immutable audit trail: Consent records and audit logs are append-only. Database rules prevent any UPDATE or DELETE operations on these tables. Every consent change creates a new, timestamped, immutable record.
- Passwordless authentication: Magic link authentication eliminates the risk of password-based attacks (credential stuffing, brute force).
- Minimal data collection: We collect only the data necessary to provide the Service (see Section 2.9 for data we do NOT collect).
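The per-user isolation and append-only guarantees in the list above, expressed as an added Postgres/Supabase SQL illustration; this is not Lumira's own schema, and the table and column names (check_ins, consent_records) are assumed.

```sql
-- Added illustration, not Lumira's actual schema. Shows how the
-- Row Level Security and append-only audit guarantees described in
-- the Security section are typically expressed in Postgres/Supabase.

-- 1. Per-user isolation: check-ins readable and writable only by the
--    authenticated user whose profile owns the row. auth.uid() is the
--    Supabase helper returning the caller's user id from the JWT.
create table if not exists check_ins (
  id          bigint generated always as identity primary key,
  profile_id  uuid not null references auth.users (id) on delete cascade,
  created_at  timestamptz not null default now(),
  sleep       text check (sleep in ('poor', 'ok', 'good'))
);

alter table check_ins enable row level security;
-- Without FORCE the table owner is exempt; force it so the policy
-- applies to the owning role as well.
alter table check_ins force row level security;

create policy check_ins_owner_only on check_ins
  for all
  using (profile_id = auth.uid())          -- rows this user can see
  with check (profile_id = auth.uid());    -- rows this user may write

-- Note: Postgres superusers and roles with BYPASSRLS (Supabase's
-- service role) are exempt by design, so server-side code that reads
-- user tables should act under the user's JWT, not the service key.

-- 2. Immutable consent records: inserts only. profile_id carries no
--    foreign key so the record survives account deletion, as the
--    retention table states.
create table if not exists consent_records (
  id          bigint generated always as identity primary key,
  profile_id  uuid,
  category    text not null,
  granted     boolean not null,
  recorded_at timestamptz not null default now()
);

-- Defence in depth: remove the privilege at the grant level first,
-- so the application roles cannot even attempt a mutation.
revoke update, delete on consent_records from authenticated, anon;

-- Then enforce it for every role (including the owner) with a trigger
-- that fails loudly. A Postgres RULE "... do instead nothing" would
-- also block the statement, but silently; a raised error surfaces
-- any attempt in application logs.
create or replace function reject_mutation() returns trigger
language plpgsql as $$
begin
  raise exception '% is append-only: % is not permitted',
    tg_table_name, tg_op;
end;
$$;

create trigger consent_records_append_only
  before update or delete on consent_records
  for each row execute function reject_mutation();

-- Consent changes are therefore recorded as new rows, never edits:
insert into consent_records (profile_id, category, granted)
values ('00000000-0000-0000-0000-000000000000', 'ai_processing', false);
```

The same trigger function can be attached to an audit-log table; the trailing insert uses a placeholder UUID purely to show that withdrawal is a new timestamped row rather than an update.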
Data breach response. In the event of a data breach involving personal data:
- We will assess the scope of the breach within 24 hours of detection.
- If the breach is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours (per GDPR Art. 33).
- If the breach is likely to result in a high risk to your rights and freedoms, we will notify affected users without undue delay (per GDPR Art. 34).
- All breach response actions will be logged in the audit trail.
13. Do Not Track
We honour Do Not Track (DNT) browser signals. However, because we do not engage in any form of cross-site tracking, third-party tracking, or behavioural advertising, your experience with Lumira is the same regardless of your DNT setting. We do not track you across third-party websites or services.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons.
- Material changes: We will provide at least thirty (30) days' prior notice via the email address associated with your account. We may also require you to re-consent during your next login.
- Non-material changes: We will update the “Effective date” and “Version” at the top of this page.
Your continued use of Lumira after the effective date of the updated Privacy Policy constitutes your acceptance of those changes. If you disagree with the updated policy, you should stop using the Service and delete your account.
15. Contact
Legal enquiries: legal@hellolumira.app
Data protection requests: Settings → Privacy & Data, or email privacy@hellolumira.app
EU/UK complaints: You may lodge a complaint with your local supervisory authority. UK: Information Commissioner's Office (ICO), ico.org.uk.
India grievances: privacy@hellolumira.app (Grievance Officer to be appointed)
Australia complaints: Office of the Australian Information Commissioner (OAIC), oaic.gov.au