Privacy Policy
Last updated: 1 July 2026
1. Who we are
Lunara AI (“Lunara”, “we”, “us”) is the developer of the Lunara AI mobile application (“App”) and this website. This Privacy Policy explains how we collect, use, disclose, and safeguard your information.
Contact: [email protected]
2. Data we collect
2.1 Account data
- Email address (from Sign in with Apple, Google, or email sign-up)
- Name (optional)
- Locale and time zone (auto-detected)
2.2 Sleep & health data
- Sleep sessions (bedtime, wake time, stages, duration, sleep score)
- Recovery metrics (HRV, resting heart rate, respiratory rate, SpO₂) — only if you grant Apple Health / Google Fit access
- Snoring & ambient-noise events (timestamps and intensity only — raw audio is never uploaded)
- Sleep goals, preferences, morning mood, and notes you enter
2.3 App usage & device data
- Anonymous crash reports and diagnostic logs
- App version, OS version, device model
- Push notification token (only if you enable notifications)
2.4 What we do not collect
- Raw microphone audio (all analysis is on-device only)
- Location, contacts, photos, calendar, or browsing history
- Advertising identifiers (we do not run ads and do not sell data)
3. How we use your data
- Compute sleep scores, recovery, insights, and AI Coach responses
- Sync your data across your devices
- Send you notifications you enabled (bedtime reminders, morning summary)
- Improve the App via anonymised aggregate analytics
- Detect fraud or abuse (e.g. rate-limiting)
4. Legal basis (GDPR)
For users in the EEA / UK, we process your personal data under the following bases:
- Contract — to provide the App you purchased or signed up for.
- Consent — for optional integrations (Apple Health, push notifications).
- Legitimate interest — to prevent abuse and improve the product.
- Legal obligation — where required by law.
5. Sharing & third parties
We do not sell your personal data. We share limited data only with the following processors:
- Apple / Google — for subscriptions and push delivery (per platform terms)
- Emergent LLC — our infrastructure & AI provider (SOC 2 aligned)
- Stripe, Inc. — for optional card-based subscription flows
- Anthropic PBC — for AI Coach responses (only the conversation context, no health identifiers)
6. International data transfers
Your data is stored on servers located in the United States and the European Union. Transfers outside your region rely on Standard Contractual Clauses (SCCs) and equivalent safeguards under UK GDPR.
7. Retention
We keep your data for as long as your account is active. On account deletion, all personal data is permanently erased within 30 days, except where retention is required by law (e.g. tax records — up to 7 years, anonymised).
8. Your rights
Under GDPR, CCPA, the Australian Privacy Act, and equivalent frameworks, you have the right to:
- Access your data (data portability)
- Correct inaccurate data
- Delete your data (“right to be forgotten”)
- Object to or restrict processing
- Withdraw consent at any time
- Lodge a complaint with your supervisory authority
Exercise any of these rights by emailing [email protected] or using the Delete Account page.
9. Children
Lunara AI is not directed at children under 16. We do not knowingly collect data from anyone under 16. If you believe a child has provided us data, please contact [email protected] and we will delete it.
10. Security
Passwords are stored using bcrypt with a per-user salt. Data in transit uses TLS 1.2+. Data at rest is encrypted using AES-256. We enforce strict CORS, security headers (HSTS, CSP, X-Frame-Options), and rate limiting on all endpoints. No system is 100% secure, but we take security seriously and continuously improve.
11. Changes to this policy
We may update this policy from time to time. Material changes will be announced in-app and by email 30 days before taking effect.
12. Contact
Data controller: Lunara AI. Data protection enquiries: [email protected]
⚠️ This document is a working draft prepared for engineering release readiness. It has not been reviewed by counsel. Have a qualified attorney review before publishing to a live audience.