Legal
Privacy Policy.
This Privacy Policy describes how Lumii ("Lumii", "we", "us" or "our") collects, uses, stores and shares information when you use the Lumii mobile application (the "App") and any related services (together, the "Service").
Lumii is operated by HFJO&CO LIMITED, a company registered in England & Wales under company number 15421741, with its registered office at 167–169 Great Portland Street, 5th Floor, London W1W 5PF, United Kingdom. HFJO&CO LIMITED is the data controller responsible for your personal data and is contactable at the address and email below.
If you have any questions about this policy, email office@hfjo.co.uk.
1. The short version
We built Lumii to give you a personalised facial-aesthetics analysis and routine. To do that we need to process your face photos and a few details you choose to share (age, beauty goals, optional cycle data). Here is the plain-English summary:
- Your face photos are uploaded to our server only to be analysed. They are automatically deleted within 24 hours of upload. We never sell them, share them with advertisers, or use them to train any third-party AI model.
- Your scan results (scores, grades, tips) are kept mostly on your device. The server keeps only quota timestamps and cached tips against your profile — not the full scan history.
- Your account (name, email, password) is stored by our authentication provider, Supabase, so you can sign back in.
- Lumii Pro is an optional subscription (£3.99/week or £39.99/year). Payments are handled entirely by Apple In-App Purchase — your card details never touch our servers. We use RevenueCat to confirm your subscription status and apply promotional rewards.
- We use Anthropic's Claude API to generate personalised tips and to power the in-app cat-mascot chat. We do not send Anthropic your face photos, your facial landmarks, your email, or your name — only your numerical scores and your typed chat messages. Under our agreement with Anthropic, your data is not used to train Anthropic's models.
- We use Sentry to keep the app reliable. Sentry collects crash reports and performance data on every session. It also records screen-recording samples — about 10% of all sessions, and 100% of sessions in which an error occurs — to help us reproduce bugs. Sentry data is processed in Frankfurt, Germany.
- We do not show ads, track you across other apps, or sell your personal data.
- You can delete your account and all associated data from inside the App at any time. We act on the request immediately and finish deleting any backups within 30 days, except for a small number of pseudonymised audit records we keep for fraud-prevention (with your identity removed).
- California residents have additional rights to know, access, delete, correct, and limit how we use sensitive personal information. See Section 17 for a Notice at Collection summary and Section 10.2 for the full rights breakdown.
If you want the full detail, the rest of this document spells it out.
2. Who this policy applies to
Lumii is intended for users aged 13 and over. Users between the ages of 13 and 17 should use Lumii only with the consent of a parent or legal guardian. We do not currently operate an in-app parental-verification flow — see Section 11 for details on how this works, including how a parent or guardian can exercise rights on behalf of a 13–17 year old.
We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal data, contact us at the address above and we will delete it.
3. Information we collect
3.1 Information you give us directly
- Account details: your name, email address, and password when you create an account, or your Apple ID / Google account if you use Sign in with Apple or Sign in with Google. Passwords are handled by our authentication provider and we never see them in plain text. If you choose Sign in with Apple's "Hide My Email" feature, we receive only the Apple relay address.
- Profile details: an optional profile photo (avatar) you choose to upload.
- Onboarding answers: your age, your beauty goals, your skin concerns and, if you choose to use cycle tracking, your menstrual-cycle dates and phase.
- Photos you submit: the multi-angle face photos captured during a scan (or photos you pick from your library to analyse).
- Content you create: goals you set, daily check-ins, journal entries, free-form questions you send to the in-app cat-mascot chat.
- Saved locations (optional): if you enable location-based goal verification, the labels and coordinates of spots you save (e.g. "gym", "yoga studio"). These are stored on your device only.
- Subscription purchases: if you subscribe to Lumii Pro, Apple's App Store handles the transaction. Apple shares with us (via RevenueCat) the fact and status of your subscription, but never your card or payment details.
- Referral and waitlist codes: if you redeem a referral code or a founding-member waitlist code, the code you entered.
- Communications: any emails or messages you send us.
3.2 Information we collect automatically
- Device information: device model, operating system version, and basic app configuration (collected through standard Expo / React Native SDKs to make the App work and to debug crashes).
- Server logs: when your device connects to our backend, our hosting provider (Railway) and our application logs receive your IP address, the timestamp of the request, your user agent (device + app version string), and the API endpoint you called. We use these logs to debug errors, prevent abuse, and meet security obligations. Server logs are retained for up to 30 days unless required for an active security or legal investigation.
- Crash, performance, and replay data (Sentry): we use Sentry, an error-monitoring service, to keep the App reliable. Sentry is always on in production. Sentry collects:
  - Crash reports and the stack traces leading up to them, with your IP address, user agent, and Lumii user ID attached.
  - Performance metrics (which screens are slow, which network calls fail).
  - Screen recordings (session replay): we record approximately 10% of all sessions, and 100% of sessions in which an error occurs. Sensitive fields like password inputs are automatically masked by Sentry; however, you should be aware that screens you view (including the scan preview) may be recorded if your session is in the sampled set.
  - In-app feedback you submit via the Sentry feedback widget (if surfaced).
- In-app usage events: in-app events such as which screens you visit, when you complete a scan, and how often you open the app. These events are stored on your device for personalisation; we do not currently send them to any third-party analytics provider.
3.3 Information generated about you
When you complete a scan we run computer-vision analysis on the photos and generate:
- Facial landmarks: up to 584 numerical points describing the geometry of your face (positions of eyes, nose, lips, jawline, etc.).
- Facial metrics: approximately 75 measurements derived from those landmarks (proportions, symmetry, skin metrics).
- A "glow score" and grade label (e.g. "Luminous"), plus written tips and a personalised routine generated by an AI model.
- A referral code (6 characters) generated automatically when you sign up, so friends can credit you when they join.
We treat the facial landmarks and metrics as biometric data. See Section 5 for how we handle this category of data and what legal basis we rely on.
3.4 Information we do not collect
- We do not collect advertising identifiers (IDFA / GAID) or use them for any purpose.
- We do not access your microphone. The microphone permission key has been removed from the App in this version. The camera library we use is configured with microphone access disabled.
- We do not access your contacts, calendar, or SMS.
- We do not use behavioural tracking cookies (the App is native; there are no cookies inside it).
- We do not track you across other apps or websites. Apple's App Tracking Transparency prompt does not appear because we have nothing to ask about.
- We do not retain your face photos after analysis (deleted within 24 hours; see Section 6).
- We do not sell your personal data, and we do not "share" it for cross-context behavioural advertising within the meaning of the CCPA / CPRA.
3.5 Referrals, waitlist codes, and goal verification
- Referrals. When you create an account, we generate a 6-character referral code unique to you. If you share this code and a friend redeems it on signup, we record the redemption (date, redeemer's Lumii user ID, your Lumii user ID, and the outcome of any reward grant) and increment a counter visible to you ("X friends joined"). We do not share the redeemer's email, name, or any other identifying information with you. If you redeem someone else's code on signup, we store the code you used on your profile for audit and fraud-prevention purposes.
- Founding-member codes. A limited number of LUMI-XXXX codes were distributed to our pre-launch waitlist. When you redeem one, we record which code you used and when, so we can apply your founding-member perks and prevent the code being reused.
- Geofence goal verification (optional). If you save a location for goal verification (for example, your gym), we store the label, latitude, longitude, accuracy, and radius on your device only. When you open the App, we may check your current location against your saved spots to auto-mark a goal as complete. Your location is never transmitted to our servers. You can revoke location permission at any time in iOS Settings → Privacy & Security → Location Services → Lumii.
- Photo library writes (optional). When you choose to save a scan result or progress photo, the App writes the image to your iOS Photos library. The save is performed by your device's operating system; we do not keep a copy of the saved file or know which album you placed it in.
3.6 Data we collect via our marketing website (lumiiapp.com)
Our marketing website at lumiiapp.com is separate from the Lumii App, but personal data you give it is handled with the same care.
- Waitlist signup. If you join our waitlist, we collect your email address and, optionally, the referral source you tell us about. We store this in a Supabase database in London, United Kingdom, and send you a single confirmation email via Resend (a US-based transactional-email provider). We do not contact you further unless you ask us to.
- Referral signup. If you sign up as a referrer on the marketing site, we collect your name and email address, and we generate a referral code unique to you. We track aggregated referral counts ("points") on a leaderboard. The Supabase database row stores your email, name, code, and point total. We do not share your name or email with anyone you refer.
- Analytics. Vercel Analytics tracks aggregated, cookieless page-view counts on the marketing site. See Section 12.
You can ask us to delete data we hold from the marketing site by emailing office@hfjo.co.uk with the email address you signed up with.
Age verification on the marketing site. The waitlist and referral signup forms on lumiiapp.com only accept users who select an age category of 13 or older; users selecting a lower age cannot submit the form. We do not knowingly collect personal information from anyone under 13 via the website.
4. How we use your information
The table below lists the purposes for which we process your personal data and our lawful basis under UK GDPR / EU GDPR for each.
| Purpose | What we use | Lawful basis |
|---|---|---|
| Provide the core scan and analysis feature | Face photos, facial landmarks, facial metrics | Contract (Art. 6(1)(b)) — and for the biometric category, your explicit consent (Art. 9(2)(a)) |
| Generate personalised tips and the cat-mascot chat | Numerical scores, your chat messages | Contract (Art. 6(1)(b)) |
| Sign you in and keep your session secure | Email, password (hashed), authentication tokens, Apple / Google sign-in identifiers | Contract (Art. 6(1)(b)) |
| Save and show you your scan history, goals, and progress | Scan results, goal completions, check-ins (all stored on your device) | Contract (Art. 6(1)(b)) |
| Personalise content using your onboarding answers | Age, goals, concerns, cycle data (if entered) | Contract (Art. 6(1)(b)); for cycle data (health data), your explicit consent (Art. 9(2)(a)) |
| Verify your Lumii Pro subscription and apply promotional rewards | Lumii user ID, RevenueCat subscriber state, redeemed codes | Contract (Art. 6(1)(b)) |
| Operate the referral system | Referral code, referrer / redeemer user IDs, redemption events | Contract (Art. 6(1)(b)); legitimate interest in fraud-prevention (Art. 6(1)(f)) |
| Send transactional emails (sign-up confirmation, password reset) | Email address | Contract (Art. 6(1)(b)) |
| Send local reminder notifications you have opted into | Notification preferences stored on your device | Consent (Art. 6(1)(a)) |
| Geofence goal verification (on-device only) | Latitude, longitude, accuracy, radius | Consent (Art. 6(1)(a)) |
| Keep the App reliable; debug crashes | Crash data, performance metrics, sampled session replay, IP, user agent (Sentry) | Legitimate interest in app reliability (Art. 6(1)(f)) |
| Operate server-side rate limiting and prevent abuse | IP address, user ID, request metadata (server logs) | Legitimate interest in security (Art. 6(1)(f)) |
| Comply with legal obligations and enforce our Terms | Any of the above where strictly necessary | Legal obligation (Art. 6(1)(c)); legitimate interest (Art. 6(1)(f)) |
We do not use your personal data for behavioural advertising, profiling that produces legal effects, or training third-party AI models.
5. Biometric data, AI processing, and our legal basis
The facial landmarks and metrics we derive from your scan are biometric data and are treated as a special category of personal data under UK GDPR / EU GDPR Article 9.
We process this data on the basis of your explicit consent, which you give the first time you complete a scan. You can withdraw consent at any time by deleting your account from the App. When you do this:
- Your account record is deleted from our authentication database.
- Any scan photos that have not yet aged out of our 24-hour retention window are deleted.
- The biometric metrics derived from your scans are deleted along with your account.
For information about where this processing happens geographically, see Section 8 (International data transfers).
For everyday (non-special-category) data we rely on the lawful bases listed in the Section 4 table.
5.1 Automated processing
Our scan analysis uses computer vision and an AI model to generate scores, a grade label, and personalised tips. This is automated processing.
It does not produce legal effects or similarly significant effects on you within the meaning of UK GDPR / EU GDPR Article 22(1): the output is an aesthetic suggestion and a routine recommendation, not a decision about your employment, credit, insurance, access to services, or any other matter with material legal or financial consequence.
You can:
- Request a human review of any score that materially affects you, by emailing office@hfjo.co.uk.
- Delete any individual scan, or your entire account, at any time from inside the App.
5.2 What we send to Anthropic (Claude)
We use Anthropic's Claude API to generate personalised tips and to power the cat-mascot chat. We want to be explicit about what does and does not leave our servers for Anthropic:
We never send Anthropic:
- Your face photos.
- Your facial landmarks (the 584 numerical points).
- Your email address.
- Your name.
- Your account identifiers.
What we do send Anthropic, to generate your tips:
- Your numerical scan scores (overall score, grade label, per-category scores).
- Your skin tone and undertone classification from the scan.
- A short prompt template that describes the response format.
What we send Anthropic when you use the cat-mascot chat:
- The chat message you typed.
- Your numerical scan scores for context.
- A short prompt template that describes the cat-mascot persona.
Anthropic processes the request and returns a text response. Under our Commercial Terms agreement with Anthropic, the prompts and responses are not used to train Anthropic's models. Anthropic's privacy policy is at anthropic.com/legal/privacy.
You can avoid sending any data to Anthropic by not generating tips (don't open the Improve tab) and not using the cat-mascot chat. Both are features you initiate.
6. How long we keep your data
| Data | Retention |
|---|---|
| Uploaded face photos on our backend | Automatically deleted within 24 hours of upload |
| Cached tips, scan timestamps, quota anchors on your profile | Until you delete your account |
| Profile (name, email, avatar) | Until you delete your account |
| On-device data (scan history, goals, cycle log, streaks, saved locations) | Until you uninstall the App or clear its data |
| Authentication tokens | While you remain signed in; you can sign out at any time |
| Crash, performance, and session-replay data (Sentry) | Up to 90 days, then deleted by Sentry |
| Server logs (IP, user agent, request metadata) | Up to 30 days, unless required for an active security or legal investigation |
| Email correspondence with us | Up to 24 months unless we need it longer to resolve a complaint |
| Subscription history (via RevenueCat) | For the life of your account, then handled per RevenueCat's retention policy after deletion |
When you request account deletion in-app, we begin removing your data immediately. Any residual copies in encrypted backups are overwritten on our backup-rotation schedule and fully gone within 30 days.
After account deletion: what we keep
For fraud-prevention and audit integrity we retain a small number of pseudonymised records after you delete your account:
- Which waitlist code was redeemed and when, with the redeemer's user ID set to NULL.
- Referral redemption events, with both referrer and redeemer user IDs set to NULL.
These records cannot be linked back to you after deletion. We rely on UK GDPR / EU GDPR Article 17(3)(b) and 17(3)(e) (legal obligation / establishment of legal claims) for this retention.
7. Who we share your data with
We do not sell your personal data. We share it only with the service providers below, and only to the extent necessary for them to perform their function. These providers are contractually bound to protect your data and to use it only on our instructions.
| Provider | Purpose | Where | Privacy policy |
|---|---|---|---|
| Lumii backend (operated by HFJO&CO LIMITED, hosted on Railway, Inc.) | Computer-vision analysis of your scan photos to generate facial landmarks, metrics, and your glow score; storage of your profile; quota and subscription checks | Active multi-region deployment on Railway: California (US West), Virginia (US East), Amsterdam (Netherlands), and Singapore. Your request is routed to the nearest region — your personal data may be processed in any of these regions during a request. | This Privacy Policy applies; Railway's policy at railway.app/legal/privacy |
| Supabase Inc. (App project) | Authentication and database for your Lumii App account and profile | London, United Kingdom (eu-west-2) | supabase.com/privacy |
| Supabase Inc. (marketing-site project) | Database for the marketing-site waitlist and referrer signups. Separate Supabase project from the App's. | London, United Kingdom (eu-west-2) | supabase.com/privacy |
| Anthropic, PBC | Generating personalised tips and powering the cat-mascot chat (Claude API) | United States | anthropic.com/legal/privacy |
| RevenueCat, Inc. | Verifying your Lumii Pro subscription status, applying promotional grants (e.g. referral rewards). Receives your Lumii user ID and your anonymous Apple subscriber identifier (a randomised ID Apple gives Lumii — not your Apple ID or email). Never receives your payment card details. | United States | revenuecat.com/privacy |
| Resend, Inc. | Transactional email delivery for the marketing-site waitlist confirmation. Receives the recipient's email address and the email content. | United States | resend.com/legal/privacy-policy |
| Apple, Inc. | App distribution; Sign in with Apple (when you choose it); In-App Purchase payments for Lumii Pro; APNs is registered but only for local notifications scheduled by your device (we do not send a remote push token to our servers) | Worldwide | apple.com/legal/privacy |
| Google LLC — Sign in with Google | Authenticating you when you choose "Sign in with Google". Google returns your name and email to us. | United States | policies.google.com/privacy |
| Google LLC — YouTube Data API | Returning tutorial-video search results inside the App | United States | policies.google.com/privacy |
| Google LLC — ML Kit Face Detection | On-device face tracking during the scan flow (runs locally on your device — no network calls) | On-device only | policies.google.com/privacy |
| Sentry (Functional Software, Inc.) | Crash reports, performance metrics, sampled session replay, in-app feedback widget. Always on in production builds. Session-replay default field masking is enabled — password inputs and sensitive form fields are automatically obscured. | Frankfurt, Germany (Sentry EU data residency) | sentry.io/privacy |
| Expo / EAS (650 Industries, Inc.) | Build and over-the-air update infrastructure | United States | expo.dev/privacy |
| Vercel, Inc. | Hosting our marketing website at lumiiapp.com, and Vercel Analytics — cookieless, aggregated page-view analytics on the marketing site (no in-app data flows here). | United States / European Union | vercel.com/legal/privacy-policy |
| Google Play (Google LLC) | App distribution on Android, if you install the Android version | Worldwide | policies.google.com/privacy |
Changes to our subprocessors. We will update this Privacy Policy whenever we add, remove, or materially change a subprocessor. If you have signed up to product updates, we will notify you of changes that materially affect what categories of data we share or where data is processed.
Other disclosures. We may also disclose your information:
- to comply with a legal obligation, court order, or lawful request from a government authority;
- to enforce our Terms of Service or to investigate potential breaches;
- to protect the rights, property, or safety of Lumii, our users, or the public; and
- as part of a corporate transaction (merger, acquisition, or sale of assets), in which case any acquirer will be bound by this Privacy Policy or a successor with at least the same protections.
For information about how HFJO&CO LIMITED handles general business correspondence and non-Lumii data, see our group privacy notice at hfjo.co.uk/privacy.
8. International data transfers
Lumii is based in the United Kingdom. Several of our service providers, and parts of our own backend, operate outside the UK and the European Economic Area.
When personal data is transferred outside the UK or the EEA, we rely on one of the following safeguards in each case:
| Transfer | Recipient location | Safeguard |
|---|---|---|
| Lumii backend (Railway) — US West | California, US | UK Addendum + EU Standard Contractual Clauses (Module 2: controller-to-processor), plus encryption in transit |
| Lumii backend (Railway) — US East | Virginia, US | UK Addendum + EU SCCs (Module 2), plus encryption in transit |
| Lumii backend (Railway) — Amsterdam | Netherlands (EEA) | No transfer outside the EEA |
| Lumii backend (Railway) — Singapore | Singapore | UK Addendum + EU SCCs (Module 2), plus encryption in transit |
| Anthropic (Claude API) | United States | UK Addendum + EU SCCs (Module 2), plus the contractual no-training commitment in Anthropic's Commercial Terms |
| RevenueCat | United States | UK Addendum + EU SCCs (Module 2) |
| Resend, Inc. | United States | UK Addendum + EU SCCs (Module 2) |
| Google LLC (Sign-In, YouTube Data API) | United States | EU-US Data Privacy Framework + UK Extension (Google is DPF-certified) |
| Vercel, Inc. (hosting + Vercel Analytics) | United States | EU-US Data Privacy Framework + UK Extension (Vercel is DPF-certified) |
| Sentry (Frankfurt) | Germany (EEA) | No transfer outside the EEA |
| Supabase (App project) | London, UK | No transfer outside the UK |
| Supabase (marketing-site project) | London, UK | No transfer outside the UK |
| Apple, Inc. | Worldwide | SCCs (intra-corporate, via Apple Distribution International as Apple's EU-facing entity), as applicable to the data category |
| Expo / EAS | United States | UK Addendum + EU SCCs (Module 2) |
You can request a copy of the SCCs or the relevant DPF certifications by emailing the contact address at the top of this policy.
9. Security
We take reasonable technical and organisational measures to protect your personal data, including:
- HTTPS / TLS for all network traffic between the App, our backend, and our providers.
- Storage of authentication tokens in iOS Keychain and Android Keystore (via the operating-system secure storage).
- Server-side rate limiting and API-key gating on scan endpoints.
- Validation of uploaded files (size and format) before processing.
- Automatic deletion of scan photos within 24 hours of upload.
- Row-level security policies on our database so that users can only read their own profile data.
- Access controls so that only authorised people on the Lumii team can reach production systems.
No internet-based service can be made absolutely secure. If a personal-data breach occurs that is likely to result in a risk to your rights and freedoms:
- We will assess severity within 24 hours of discovery.
- We will notify the UK Information Commissioner's Office within 72 hours if required under UK GDPR Article 33.
- We will notify affected California residents in accordance with California Civil Code §1798.82.
- We will notify other affected users by email, and through an in-app banner if appropriate, without undue delay where the breach is likely to result in a high risk to your rights and freedoms.
10. Your rights
Depending on where you live, you have some or all of the following rights.
10.1 Rights under UK GDPR and EU GDPR
- Access — ask for a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate or incomplete data.
- Erasure ("right to be forgotten") — ask us to delete your data. You can also do this yourself instantly from the in-app Account → Delete account option.
- Restriction — ask us to pause our use of your data while a query is resolved.
- Portability — ask for your data in a structured, machine-readable format.
- Objection — object to processing based on our legitimate interests.
- Withdraw consent — for anything we process on the basis of your consent (including biometric data, cycle tracking, and geofence verification).
- Not be subject to automated decision-making that produces legal or similarly significant effects — see Section 5.1 for why we believe this does not apply to Lumii, and how to request human review if you disagree.
- Complain to a supervisory authority — the UK ICO (ico.org.uk) or your local EU data-protection authority.
10.2 Rights under California law (CCPA, as amended by CPRA)
If you are a California resident:
- You have the right to know what categories of personal information we collect, the sources, the purposes for collection, and the categories of third parties we share it with. Sections 3, 4, and 7 of this policy describe these in full.
- You have the right to access the specific pieces of personal information we hold about you.
- You have the right to delete your personal information, subject to certain legal exceptions (see "After account deletion: what we keep" in Section 6).
- You have the right to correct inaccurate personal information.
- You have the right to limit the use and disclosure of sensitive personal information. Under CPRA, our biometric data (facial landmarks and metrics), precise location data, and any health data are categorised as sensitive personal information. To exercise this right, email office@hfjo.co.uk with subject LIMIT SENSITIVE PI. We will restrict processing of these categories to what is strictly necessary to provide the Service within 15 business days.
- You have the right to opt out of the sale or sharing of your personal information. Lumii does not sell your personal information and does not "share" it for cross-context behavioural advertising within the meaning of CCPA / CPRA §1798.140(ad) or §1798.140(ah). The third-party processors listed in Section 7 receive personal information only to perform services we direct them to perform.
- You have the right not to receive discriminatory treatment for exercising any of these rights.
You may authorise an agent to act on your behalf in line with California law.
10.3 Rights under CalOPPA
We honour Do Not Track signals as follows: the App does not use third-party behavioural tracking, so Do Not Track signals have no operational effect on Lumii. We will update this disclosure if that changes.
We do not allow third parties to collect personally identifiable information about your activity across different websites or apps when you use Lumii.
10.4 How to exercise your rights
To exercise any of the rights above, email office@hfjo.co.uk from the email address on your Lumii account. (We are setting up a dedicated privacy@lumiiapp.com alias; until then, office@hfjo.co.uk is the canonical channel.)
Our intake process:
- Send your request to office@hfjo.co.uk with a subject line that identifies the type (e.g. ACCESS REQUEST, DELETION REQUEST, LIMIT SENSITIVE PI).
- We will acknowledge within 5 working days.
- We will respond in full within one month (UK / EU) or 45 days (California). If your request is complex we may extend by a further two months and tell you why.
- For identity verification we may ask you to confirm details we already hold (e.g. account creation date, the email on your account). We will not ask for new sensitive information.
- Requests are free of charge, except where the law permits us to charge a reasonable fee (typically for manifestly unfounded or excessive requests).
11. Children's privacy and users aged 13–17
Lumii is rated 13+ in the App Store and Google Play. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child under 13 has signed up to Lumii, please email office@hfjo.co.uk with subject PARENTAL REQUEST — UNDER 13 and we will delete the account and any associated data within 7 working days.
11.1 Why the age picture is complicated
The age of digital consent is set differently in different jurisdictions:
- UK — 13 (UK GDPR Article 8, retained EU law).
- United States — 13 for COPPA purposes (we collect personal data only from users 13+; COPPA does not apply at or above 13).
- EU member states — between 13 and 16 depending on the country. As of this policy's date, several EU member states have set the threshold at 16, including Germany, France, Ireland, the Netherlands, and others. In those countries, a user aged 13–15 needs parental consent for processing that relies on a "consent" lawful basis (notably our biometric scan and cycle tracking).
We currently rely on you to tell us your age truthfully during signup. We do not operate an in-app parental-verification flow at this time. If you are below the age of digital consent in your country, you should use Lumii only with your parent's or guardian's permission.
11.2 What we do for users we know or treat as under 18
For accounts where the user is, or appears to be, between 13 and 17, we apply protective defaults inspired by the UK Information Commissioner's Office Age-Appropriate Design Code (the "Children's Code"):
- No marketing emails by default. Marketing emails (if we ever add them) require an explicit opt-in for any user.
- No behavioural advertising. We do not show ads anywhere in Lumii, full stop — see Section 3.4.
- No use of under-18 user data to train any AI model, including our own and our subprocessors'.
- No profile photo prompted beyond the optional avatar. We never ask under-18 users to upload images of themselves to anywhere except the scan flow itself.
- Geofence integration is off by default and requires an explicit in-app opt-in.
- The same data-minimisation defaults apply to all users, so this set is not less protective for adults; it is simply protective for everyone.
11.3 Rights of parents and guardians of 13–17 year olds
If you are the parent or guardian of a Lumii user aged 13–17, you can:
- Review the personal data we hold about your child;
- Request deletion of your child's account and associated data;
- Withdraw consent for any consent-based processing (biometric scan, cycle tracking, geofence verification);
- Restrict processing while a query is being resolved.
To exercise these rights, email office@hfjo.co.uk with subject PARENTAL REQUEST — UNDER 18 and include:
- Your name and relationship to the child;
- The child's name and the email address on the Lumii account;
- The right you are exercising.
We will respond within 7 working days for child-related requests. We may ask for a single additional confirmation (for example, the date the account was created, or a screenshot from inside the App) to verify your parental relationship.
11.4 If you are a user aged 13–17
You can delete the content you have posted at any time using the in-app Delete options, or by emailing us. You have the same rights as adult users (see Section 10) and we will respond to your requests directly — you do not need to go through a parent unless you would prefer to.
12. Cookies and tracking technologies
The Lumii App is a native iOS and Android application; it does not use cookies, web beacons, pixels, or any browser-based tracking technology, because there is no browser inside the App.
Our marketing website at lumiiapp.com is a Next.js application hosted on Vercel. It uses Vercel Analytics for cookieless, aggregated page-view analytics. Vercel Analytics does not use cookies, does not track you across other sites, and does not assign you a persistent identifier. We will update this section if we add any other tracking or analytics technology to the App or the website.
13. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes — for example, adding a new subprocessor, changing where personal data is processed, or adding a new category of data we collect — we will:
- update the Last Updated date at the top of this policy, and
- notify you through the App or by email of the change (see also the subprocessor-change-notification commitment in Section 7).
Your continued use of Lumii after the new policy takes effect means you accept the updated policy. If a change materially reduces your rights, we will give you a reasonable opportunity to delete your account before the change takes effect.
14. Contact
If you have questions about this Privacy Policy, or want to exercise any of your rights:
- Email: office@hfjo.co.uk
- Postal address: HFJO&CO LIMITED, 167–169 Great Portland Street, 5th Floor, London W1W 5PF, United Kingdom
- Data controller: HFJO&CO LIMITED, registered in England & Wales under company number 15421741
A dedicated privacy@lumiiapp.com alias is being set up. Until it is live, please use office@hfjo.co.uk — your message will reach the same person.
If you are not satisfied with our response, you can complain to:
- the UK Information Commissioner's Office at ico.org.uk (0303 123 1113);
- your local EU data-protection authority (see Section 18 on our EU representative position); or
- (for California residents) the California Attorney General's office.
15. Subscriptions and payments
Lumii offers an optional subscription called Lumii Pro, which unlocks the full feature set described inside the App (the score breakdown, AI coach, verification integrations, personalised protocols, unlimited scans, and more).
15.1 Pricing and renewal
| Plan | Price (UK) | Billing |
|---|---|---|
| Weekly | £3.99 / week | Auto-renews each week unless cancelled |
| Annual | £39.99 / year | Auto-renews each year unless cancelled |
Regional pricing may vary based on Apple's local pricing tiers and any taxes Apple is required to collect. The exact price you will be charged is displayed inside the App before you confirm the purchase.
Subscriptions auto-renew at the end of each billing period unless you cancel at least 24 hours before the end of the current period. Renewal is charged to your Apple ID payment method.
Free trial. New annual subscribers may be offered a 3-day free trial. The weekly plan has no trial and bills immediately. If you start the annual free trial and do not cancel at least 24 hours before it ends, it automatically converts to a paid annual subscription at £39.99 / year and your Apple ID is charged. Whether a trial is offered, and its exact length, is shown in the App before you confirm and is governed by Apple's introductory-offer rules — an introductory offer is available only once per Apple ID.
15.2 How payment works
Payment is processed entirely by Apple In-App Purchase through the App Store. Lumii never receives or stores your payment card, bank account, or other financial details.
We use RevenueCat, Inc. (a US-based subscription-management provider) to verify your subscription status and apply promotional rewards. RevenueCat receives your Lumii user ID and an anonymous Apple subscriber identifier (a randomised ID Apple gives to apps — not your Apple ID or your email). RevenueCat does not receive your payment details. See Section 7 for RevenueCat's processor entry and Section 8 for the transfer mechanism we use.
15.3 Managing or cancelling your subscription
You can manage or cancel your subscription at any time from your device:
- iOS: Settings → tap your name at the top → Subscriptions → Lumii.
- Inside the App: the Paywall screen has a "Manage subscription" link that opens the same iOS Subscriptions screen.
Cancellation takes effect at the end of your current billing period. You keep Lumii Pro access until then.
15.4 Refunds
Refunds are handled by Apple under the standard App Store Terms of Service. You can request a refund from Apple at reportaproblem.apple.com. Lumii cannot directly issue refunds for App Store purchases.
15.5 Promotional grants (referrals and waitlist codes)
When you redeem a friend's referral code, redeem a founding-member LUMI- code, or receive any other promotional grant from us, the resulting access to Lumii Pro is granted as a promotional entitlement through RevenueCat. It is not an Apple In-App Purchase, you are not charged, and your Apple ID is not billed. Promotional grants have a fixed duration (e.g. 14 days for a referral reward) and do not auto-renew. When the promotional period ends, your account returns to the free tier unless you have an active paid subscription.
16. In-app privacy controls
You have several controls available inside the App:
- Save scan photos toggle (Settings → Privacy & Data → "Save scan photos"). When on (default), the photos you capture during a scan are saved locally to the App's storage so you can revisit them. When off, the photos are kept only for the duration of the scan and discarded immediately after the scan response is received. This toggle controls on-device storage only — it does not change the 24-hour server-side photo retention described in Section 6, which applies regardless.
- Delete a single scan (Scan history → swipe a scan → Delete). Removes the scan from your on-device history.
- Delete your account (Settings → Account → Delete account). Removes your authentication record, your server-side profile, any cached tips on your profile, and any scan photo still inside the 24-hour server retention window. Pseudonymised audit records are retained as described in Section 6 ("After account deletion: what we keep").
- Revoke biometric consent — happens automatically when you delete your account; see Section 5.
- Revoke location access — iOS Settings → Privacy & Security → Location Services → Lumii.
- Revoke notification permissions — iOS Settings → Notifications → Lumii.
17. Notice at collection (California residents)
This section is provided to meet the requirement in California Civil Code §1798.100(a). It is a summary of disclosures already made elsewhere in this policy.
| Category | Purpose | Retention | Sold or shared? |
|---|---|---|---|
| Identifiers (name, email, Lumii user ID, anonymous Apple subscriber ID) | Account creation, authentication, subscription verification | Until account deletion | No |
| Internet activity (IP address, user agent, app interaction logs) | Server-side rate limiting, debugging, security | 30 days for server logs; 90 days for Sentry | No |
| Biometric information (facial landmarks and metrics) — sensitive personal information | Scan analysis and personalised tips | Until account deletion | No |
| Visual information (face photos uploaded for scan) | Computer-vision analysis | Deleted within 24 hours of upload | No |
| Geolocation data (precise) — sensitive personal information | Geofence-based goal verification (on-device only) | On device only; not stored on our servers | No |
| Commercial information (subscription status, redeemed codes) | Apply Lumii Pro entitlement and promotional grants | Until account deletion | No |
| Audio, electronic, visual, thermal, olfactory, or similar information (Sentry session replay) | App reliability and debugging | 90 days | No |
| Inferences drawn from the above (scan scores, grade labels) | Personalised tips and routine | Until account deletion | No |
For the full disclosures, rights, and how to exercise the right to limit use and disclosure of sensitive personal information, see Section 10.2.
18. EU representative under GDPR Article 27
Lumii's user base at launch is primarily in the United Kingdom and the United States. We have not yet appointed a representative in the European Union under GDPR Article 27. As we expand to material EU user volumes, we will appoint and disclose an EU representative.
In the meantime, EU users can:
- exercise all GDPR rights via the contact methods in Section 14;
- contact their local data-protection authority directly; and
- complain to their local supervisory authority if dissatisfied with our response.
The UK Information Commissioner's Office (ICO) acts as our lead supervisory authority because HFJO&CO LIMITED is established in the United Kingdom.
19. Glossary
A short list of terms used in this Privacy Policy that have specific legal meanings.
- Personal data (UK / EU GDPR) and personal information (CCPA) — information relating to an identified or identifiable individual. Includes obvious items like name and email, less obvious items like IP address, and inferences drawn from those items.
- Processing — anything done with personal data: collecting, storing, using, sharing, deleting. If we touch the data, we "process" it.
- Biometric data (UK / EU GDPR Article 9) — personal data resulting from specific technical processing relating to the physical, physiological, or behavioural characteristics of a natural person, which allow or confirm the unique identification of that person. The facial landmarks and metrics we derive from a scan fall under this definition.
- Sensitive personal information (CPRA §1798.140(ae)) — a sub-set of personal information including biometric data used for identification, precise geolocation, and health information. Triggers additional disclosure and the right described in Section 10.2.
- Subprocessor — a third party (like RevenueCat or Sentry) that processes your personal data on our behalf, under our instructions and a written contract.
- Standard Contractual Clauses (SCCs) — model contract terms approved by the European Commission and the UK ICO that authorise transfers of personal data outside the UK / EEA.
- UK International Data Transfer Addendum — the UK-specific addition to the EU SCCs that makes them effective for UK-originating personal data.
- Data Privacy Framework (DPF) — the EU-US and UK-US arrangements under which US companies can self-certify to receive personal data from the EU / UK. We use it for Google and Vercel; we use SCCs for Anthropic, RevenueCat, Railway, Apple, and Expo.
- Session replay — a recording of the visible content of the App during a user session, used for debugging. Sentry's mobile session replay automatically masks input fields like passwords. See Section 3.2.
- Promotional entitlement — a free grant of Lumii Pro access (via RevenueCat) that does not involve an Apple In-App Purchase or any payment by you. See Section 15.5.