Privacy Policy

Age Requirements & Data Collection

Age Requirement: LumaMH is designed for people age 13 and older. If you are under 18, please use the app with parent or guardian consent.

Information We Collect:

• • Account data: Email, username, and password (your password is stored securely and not kept in plain text).
• • Wellness data: Mood entries, journal entries, and chat sessions.
• • Usage data: Session activity, feature usage, and performance metrics.
• • Technical data: IP address, browser type, and device information.
• • Cookies: Sign-in, preferences, and analytics options.

Data Retention Periods:

• → Account data: Retained until account deletion + 30 days
• → Mental health data: 6 years (or until deletion requested)
• → Analytics data: 2 years maximum
• → Security logs: 7 years for audit compliance

Data Protection

We use technical and organizational safeguards to protect your information. No system is perfect, but we work continuously to keep your data safe:

• ✓ While data is moving: HTTPS/TLS is used between your device and our service.
• ✓ While stored: Sensitive wellness content (like chat and journal text) is encrypted where implemented. Some account and activity fields are protected through access controls and infrastructure security.
• ✓ Hosting partners: Our providers may have their own certifications. Their certifications apply to their platforms.
• ✓ Ongoing security: We regularly maintain and improve our security controls.

Your Data Protection Rights

Under GDPR, CCPA, and other applicable privacy laws, you have the following rights:

GDPR Rights (EU Residents):

• ✓ Right of Access: Request copies of your personal data
• ✓ Right to Rectification: Correct inaccurate personal data
• ✓ Right to Erasure: Request deletion of your personal data
• ✓ Right to Restrict Processing: Limit how we use your data
• ✓ Right to Data Portability: Transfer your data to another service
• ✓ Right to Object: Stop processing based on legitimate interests
• ✓ Right to Withdraw Consent: Revoke consent for data processing

CCPA Rights (California Residents):

• → Right to Know: What personal information we collect and how it's used
• → Right to Delete: Request deletion of personal information
• → Right to Opt-Out: Opt-out of sale of personal information (We do not sell data)
• → Right to Non-Discrimination: Equal service regardless of privacy choices

Third-Party Services & Data Transfers

We work with trusted partners to provide core features:

• • OpenAI (US): AI features may send relevant prompts and context to OpenAI. See OpenAI’s policies for details.
• • Google / Apple (app stores): In-app subscription purchases when you subscribe inside the mobile app
• • Railway (US): Cloud hosting provider.

International Data Transfers:

Contact Us

If you have questions about our privacy practices or want to exercise your data rights:

Data Breach Notification

In the event of a breach affecting personal data, we will follow applicable notification requirements (including timelines such as GDPR’s 72-hour rule to supervisory authorities where it applies) and notify affected users when the law requires it. We maintain incident response procedures; insurance coverage, if any, is subject to our policies at the time of an incident.

Changes to This Policy

We may update this privacy policy to reflect changes in our practices or applicable laws. Material changes will be communicated via email and/or prominent notice on our platform at least 30 days before taking effect. Continued use after changes indicates acceptance of the updated policy.