01 Privacy Policy

Privacy Policy

Effective Date: June 25, 2026  ·  Last Updated: June 25, 2026

Luma is a GLP-1 treatment tracker for iPhone. We built Luma to help people on GLP-1 medications keep their doses, weight, side effects, reminders, and follow-up notes organized in one calm, private timeline. Luma is designed to be private by default — you do not need an account, and your treatment entries stay on your device and in your own private iCloud. This policy explains what Luma handles, how and why, the choices you have, and how to reach us.

Introduction

Using Luma means sharing some information with your own device and, depending on the features you enable, with a small number of service providers that help us run the app. We take that responsibility seriously.

Luma is a health-adjacent tool, so we lean toward collecting less. Estimates are shown as estimates. Records stay records. Luma does not prescribe, diagnose, or recommend dose changes.

This Privacy Policy explains what we collect, how we use it, who we share it with, your rights and choices, and how to contact us.

Where this policy applies

Platform How it works
iPhone app No account required. Your individual treatment entries are stored locally on your device and, if iCloud syncing is enabled, in your private iCloud database (CloudKit) associated with your Apple ID. Luma does not have access to your Apple ID credentials.
Website A static marketing site that uses limited analytics to understand traffic and improve the site. We do not design the website to collect health data. If you submit health information through a form or email, we use it only to respond and handle it as sensitive. Please do not submit health information unless it is necessary.

Key terms (plain English)

  • Health data: Information about your treatment that you enter or import into Luma — for example, doses, injection sites, side effects, weight, and notes.
  • Local-first: Your data lives on your device first. Any iCloud syncing happens through your own private CloudKit database, not a Luma-operated server.
  • Anonymous experience data: Analytics data we design to be non-identifying, used only in aggregated form to understand trends and improve Luma.
  • Aggregated: Summarized across groups of users (counts, averages, distributions) — never individual records.

What we collect (and why)

Account information

Luma does not require an account. We do not ask for your name, email, phone number, or password to use the core app. If you contact support by email, we receive the email address you use to contact us, and we use it only to respond.

Health data (optional)

If you choose to track your treatment in Luma, you may enter:

  • GLP-1 dose records (date, time, dose, site, medication)
  • Side effects, severity, duration, and wellness notes
  • Weight and related measurements
  • Reminders and treatment-plan details

Why? To provide Luma’s core features. This data is stored on your device and, if iCloud syncing is enabled, in your private iCloud database. Luma does not transmit your health entries to Luma-operated servers.

Apple Health (optional)

With your permission, Luma can read certain data from Apple Health to make tracking easier, such as weight / body mass and nutrition data. Luma requests only the Apple Health access needed for its user-facing tracking features, and it does not write data to Apple Health unless a feature clearly requires it and you enable it. You can grant, deny, or revoke Apple Health access at any time in iOS Settings › Privacy & Security › Health.

Why? To display trends from other apps alongside your treatment timeline, so you don’t have to switch between logs.

Anonymous experience data (optional)

With your consent, Luma may collect anonymous experience data to help us understand broader trends and improve the app. We use this data only in aggregated form. We do not collect: name, email, phone number, Apple ID, advertising identifiers (IDFA), IP address, precise location, or free-text fields (such as notes or custom side-effect names).

Examples may include counts and distributions such as:

  • Feature usage related to tracking tools (analyzed in aggregate)
  • App performance and reliability signals, like crash frequency
  • General app context, such as app version and OS version

Anonymization commitment. We remove direct identifiers and purposely exclude all free-text fields, because free text may include identifying information. We do not use anonymous experience data to identify you, and we do not attempt to reidentify it.

Settings. You can control this any time in Luma’s Privacy Settings. If you opt out, we stop collecting these analytics going forward.

Device & technical information

We (and our service providers) may automatically collect limited technical information, such as device type and OS version, app version and basic diagnostics, and crash reports and performance logs. For website visits, usage data may be collected via cookies and similar technologies.

Why? To keep Luma reliable, secure, and working properly.

Payment & subscriptions

If Luma offers paid subscriptions, purchases are processed by the Apple App Store. We do not receive your full payment card details. We may receive subscription status and related purchase metadata (for example, whether a subscription is active) so the app can unlock premium features and support troubleshooting, typically through a provider such as RevenueCat.

Where & how we store your data

Data Where it’s stored & notes
Treatment entries On your device and in your private iCloud database (CloudKit). Synced through your Apple ID — Luma cannot access your Apple ID credentials.
Anonymous experience data Stored by our analytics provider in aggregated, non-identifying form.
Crash & performance logs Stored by our crash-reporting provider for a limited period to fix bugs and improve reliability.
Support correspondence Stored by our email/support provider to respond to your request.
Website analytics Stored by our website analytics provider according to its standard settings.

How long we keep your data

Data type Retention
Treatment entries Until you delete them from Luma or from iCloud.
Anonymous experience data Only as long as reasonably necessary for product improvement, security, and trend analysis.
Crash / performance logs A limited period for debugging and reliability, then deleted or aggregated.
Support correspondence As long as reasonably necessary to provide support, maintain records, and meet legal obligations.
Website analytics Retained according to our analytics provider’s standard policies.

Because anonymous experience data is not maintained in a way intended to be linked back to you, we may not be able to locate or delete specific historical analytics records for an individual. You can always stop future collection in Privacy Settings.

Your privacy rights

Depending on where you live, you may have rights to:

  • Access your data
  • Export your data
  • Correct inaccurate data
  • Delete your data
  • Restrict or object to certain uses
  • Withdraw consent at any time

Because Luma stores your treatment entries on your device and in your private iCloud, you can manage most of this directly: export or delete your data in Luma’s Settings, and manage iCloud data in iOS Settings. You can also email us at hello@luma.app.

Requests, verification & appeals

To protect your privacy, we may need to verify your request before fulfilling it. If we deny a request, you can appeal by replying to our response email or contacting hello@luma.app. We will review and respond as required by applicable law.

Legal bases (EEA/UK and similar regions)

If you are in a region that requires a legal basis for processing, we process information under the following bases:

  • Contract: To provide Luma’s core features (saving and syncing your data, enabling exports, and delivering subscription features where applicable).
  • Legitimate interests: To keep Luma reliable and secure, prevent fraud and abuse, debug issues, and understand how the app is used so we can improve it.
  • Consent (where required): For optional features such as Apple Health imports and anonymous experience data. You can withdraw consent at any time in the app or in iOS Settings.
  • Legal obligations: To comply with applicable laws and respond to lawful requests from regulators, courts, or law enforcement.

Who we share data with (and why)

We share data only with service providers that help us run Luma. These providers are permitted to use data only to provide services to us (and not for their own independent purposes), subject to applicable contracts and safeguards. Examples may include:

  • Apple (iCloud, App Store): Local-first storage and syncing through your private iCloud database, and subscription processing through the App Store.
  • Analytics providers: Anonymous, aggregated product analytics to understand feature usage and reliability.
  • Crash-reporting providers: Crash reports and performance logs to fix bugs and improve reliability.
  • Subscription management (e.g. RevenueCat): Subscription status and related purchase metadata, where applicable.
  • Email / support providers: To manage support conversations and any information you choose to include when contacting us.

We do not sell your data.

We do not share your data for targeted advertising.

Support communications

If you contact us, we use the information you provide to respond and resolve your issue. If your support request includes health details, we treat that information as sensitive and use it only to help you.

Legal requirements

We may disclose information if required by law or legal process (for example, a subpoena), or if we believe disclosure is necessary to protect rights, safety, and security.

Corporate transactions

If Luma is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, information may be transferred as part of that transaction. We will provide notice when required by law.

Security

We use reasonable administrative, technical, and organizational safeguards designed to protect information, such as access controls and encryption in transit (and, where supported by our providers, encryption at rest). No method of transmission or storage is 100% secure, but we work hard to protect your information and improve our safeguards over time.

Because your treatment entries live on your device and in your private iCloud, they also benefit from the protections Apple applies to your Apple ID and device.

International data transfers

Your data may be stored or processed in the United States or other locations where our service providers operate. Where required (such as under the GDPR), we use appropriate safeguards like Standard Contractual Clauses (SCCs) approved by regulators.

Children’s privacy

Luma is not directed to children, and we do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us so we can delete it.

Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will revise the “Last Updated” date at the top of this page. If we make material changes, we will provide notice in the app or on our website where practicable. We encourage you to review this page periodically.

Contact

If you have questions about this Privacy Policy or want to make a privacy request, contact us at hello@luma.app. We will respond as required by applicable law.

Questions about your data?

We’re happy to help with access, export, or deletion requests, or any question about how Luma handles your information.

Contact Luma