Luma Privacy Policy (Made Simple)

Last updated: 4 June 2025
Brought to you by the team at WorryTree Ltd

The short version – in plain english

• Your private notes and worries in Luma? Only you can see them.

• We don’t sell or share your personal data.

• We do use anonymised analytics to improve the app.

• Some features use Artificial Intelligence (AI), but it doesn’t access or learn from your notes.

• We follow General Data Protection Regulation (GDPR) and UK Data Protection laws.

• You can contact us any time about your rights or your data.

Your Questions, Answered

Who’s behind the app?

Luma is developed and run by WorryTree Ltd, a UK-based company registered with the Information Commissioner’s Office (ICO). Our data protection registration number is ZB232133.

What personal data do you collect and why?

We only collect the information we need to run the app smoothly, provide support, and improve your experience.

Here's a simple overview:

Do you use location or sensors?

No. We don’t track your location or collect data from things like your phone’s microphone, call logs, or movement sensors.

We may use your time zone to offer you relevant reminders, like journaling prompts.

What about AI?

Some tools in Luma use artificial intelligence (AI) to offer suggestions and prompts. But:

• AI doesn’t access or learn from your private data.

• It only uses what you input during a reflection.

• It’s there to guide, not to diagnose or treat.

Do you share my data with anyone?

Only when necessary, and never with advertisers. We work with trusted third-party providers to deliver services like analytics, support emails and hosting. These include:

• Firebase & Google Analytics – For anonymised, encrypted app usage insights

• SendGrid – To send confirmation emails (we don’t keep your email in our database)

• Squarespace – Our website host

• One Signal – To send push notifications (you can turn these off in your settings)

• Google Drive / Microsoft 365 / GoDaddy – For secure storage and email

• Payment providers – Like Stripe or Apple/Google (we don’t see your card details).

We vet these providers carefully and ensure they meet GDPR and security standards.

What happens if Luma is sold or merged?

If Luma is ever sold or merged with another business, your data may transfer with it - but we’ll make sure it stays protected and only used in line with this policy. We’ll notify you clearly if that ever happens.

Do you ever use my data without consent?

Only when the law allows or requires us to - such as for:

• Legal requests or investigations

• Preventing fraud or abuse

• Securing the app

• Studying app use in a way that protects your identity.

We’ll always weigh your rights and freedoms before doing anything with your data.

What happens when I contact you?

If you email us, we collect just enough info to reply and help you. Your messages are stored securely in our email system (Microsoft 365 via GoDaddy) and never shared.

We aim to respond to support emails within three business days.

What about marketing or surveys?

We might ask for feedback or run surveys occasionally, but:

• You’ll never be automatically opted in

• We don’t link your answers to your account

• You can opt out at any time.

We don’t do in-app advertising or third-party promotions.

What if I follow Luma on Instagram?

You’re welcome to follow us, but your Instagram or other social media accounts are never linked to your Luma account.

Do you link to other websites?

Yes, but we’re not responsible for their privacy practices. Always check their policies before sharing any personal info.

How do you protect my data?

We take data security seriously. Here’s what we do:

• We follow GDPR’s 7 key principles

• Data is encrypted using AES-256 at rest and SSL/TLS in transit

• We use secure systems with strong passwords and 2-step verification

• We sign strict agreements with all third-party providers

• We carry out security training, audits and privacy checks regularly.

How long do you keep my data?

We only keep your data as long as needed. This may include:

• To comply with legal requirements

• To support returning users

• To fulfil any unresolved requests.

By default, we retain user data for up to 10 years unless otherwise required.

Can I withdraw consent?

Yes. If we process any of your data based on consent, you can withdraw that consent at any time. This won’t affect any processing we’ve already done.

What happens if there’s a data breach?

If your data is at risk, we’ll notify you and the authorities as required by law.

What are my rights?

Under UK GDPR, you have rights around:

• Accessing your data

• Correcting it

• Deleting it

• Objecting to how it’s used

Just email us at hello@myluma.app if you'd like to exercise any of these rights.

Who can I talk to if I have a concern?

Please contact:

Mrs Louise Stevenson
Data Protection Officer
Email: hello@myluma.app
Address: WorryTree Ltd, 4–5 High Town, Hereford, HR1 2AA, United Kingdom

We’ll respond within 36 hours and aim to resolve your concern within a month.

If you’re still unhappy, you can contact the UK Information Commissioner’s Office or your local Data Protection Authority.

How will I know if the policy changes?

If we update this policy, we’ll:

• Post a notice in the app and on our website

• Let you know clearly if the changes are significant

• Always give you the option to opt out or delete your data.

Any final tips for staying safe?

Yes - here are a few best practices to keep your data secure:

• Use a strong passcode on your phone

• Keep your operating system up to date

• Be cautious about public Wi-Fi

• Install antivirus software

• Don’t click suspicious links or download unknown apps.

We do our part - but protecting your privacy starts with you, too.

Need help or have a question?
Just email us at hello@myluma.app