Privacy Policy

If you bought via the website (Stripe checkout), the only personal data we hold is:

Your email address

Captured when you buy access via Stripe Checkout, and used to send you sign-in links and (on request) device-management links. Stored in our database against your purchase record.

Legal basis: performance of contract — without your email, we can't deliver access to the app you've paid for.

Payment information

Card details are entered directly into Stripe's hosted checkout. They never reach our servers. We only receive a Stripe session ID and the email associated with the purchase.

Legal basis: performance of contract.

Device records (the 3-device cap)

Each time you sign in on a new device we store a small record: a randomly generated device ID, a generic label derived from your browser's User-Agent (e.g. "iPhone", "Windows PC"), and timestamps for first and last sign-in. This is what enforces the 3-device limit and lets you remove devices via the manage-devices page.

Legal basis: legitimate interest — preventing one purchase being shared across unlimited devices.

The access cookie

Once you're signed in, we set an lumi_access cookie (a signed JWT) on your device, valid for up to 180 days. This is the only cookie we use. It contains your email and device ID, signed so we can verify it's authentic. It's HttpOnly + Secure — readable only by our server, never by JavaScript or third parties.

Legal basis: strictly necessary for the service you've requested (signed-in access).

If you bought via the App Store on iOS, we collect almost nothing:

Anonymous customer identifier (RevenueCat)

When you buy or restore Lumi Steps, our purchase processor RevenueCat assigns a random anonymous identifier to your install. We use it solely to check whether you have an active Lumi Steps purchase. It contains no personal information — no name, no email, no Apple ID — and we cannot use it to identify you anywhere else.

Legal basis: performance of contract — verifying your purchase is necessary to grant you access.

Apple handles your payment

The £14.99 In-App Purchase is processed entirely by Apple via your Apple ID. Apple is the merchant of record. Your card details, billing address, and Apple ID stay with Apple — they never reach us. (Apple's privacy policy applies to the App Store transaction itself.)

What we don't collect on iOS

• No email address. Your access is tied to your Apple ID — we never ask for an email.
• No device records. Apple Family Sharing handles multi-device access (up to 6 family members on their own Apple IDs) — we don't run a device cap of our own.
• No cookies, no JWTs, no JavaScript-stored auth. The native iOS app uses RevenueCat's on-device entitlement check only.

If you bought via Google Play on Android, we collect almost nothing:

Anonymous customer identifier (RevenueCat)

When you buy or restore Lumi Steps, our purchase processor RevenueCat assigns a random anonymous identifier to your install. We use it solely to check whether you have an active Lumi Steps purchase. It contains no personal information — no name, no email, no Google account email — and we cannot use it to identify you anywhere else.

Legal basis: performance of contract — verifying your purchase is necessary to grant you access.

Google handles your payment

The £14.99 in-app purchase is processed entirely by Google via Google Play Billing and your Google account. Google is the merchant of record. Your card details, billing address, and Google account email stay with Google — they never reach us. (Google's privacy policy applies to the Play Store transaction itself.)

What we don't collect on Android

• No email address. Your access is tied to your Google account — we never ask for an email.
• No device records. Google Play tracks which of your Android devices you've installed Lumi Steps on; we don't run a device cap of our own. (One purchase covers every device signed into the same Google account.)
• No cookies, no JWTs, no JavaScript-stored auth. The native Android app uses RevenueCat's on-device entitlement check only.

Web (Stripe) buyers:

• Stripe (payment processing) — receives your payment details and email at checkout. Stripe is based in the US; transfers are protected by Standard Contractual Clauses. Stripe privacy policy.
• Resend (transactional email) — receives your email address to deliver sign-in and device-management emails. Based in the US; SCCs apply. Resend privacy policy.
• Upstash (database — Redis) — stores the encrypted purchase record and device list. Hosted on a region we choose; data may transit through Upstash infrastructure in the EU and US. Upstash privacy policy.
• Vercel (hosting + edge runtime + first-party Web Analytics) — runs our website and API. Standard server logs (IP address, user-agent, request URL) are retained by Vercel for short periods for operational and security reasons. We use Vercel's cookieless Web Analytics for aggregate page-view counts only — it doesn't identify individual users and isn't shared with anyone else. Vercel privacy policy.

App Store (iOS) buyers:

• RevenueCat (purchase verification) — receives the anonymous customer identifier described in section 2 and the App Store receipt. RevenueCat is based in the US; SCCs apply. RevenueCat privacy policy.
• Apple (App Store transaction) — Apple processes your purchase and provides us only with a verified entitlement status. Apple does not share your card details or Apple ID with us. Apple privacy policy.

We do not use Stripe, Resend, or our Redis database for App Store buyers — there's no email or device record on our side to share. The native iOS app loads its content from the app bundle on your device; it does not call our website's servers during normal use.

Google Play (Android) buyers:

• RevenueCat (purchase verification) — receives the anonymous customer identifier described in section 2 and the Google Play receipt. RevenueCat is based in the US; SCCs apply. RevenueCat privacy policy.
• Google (Play Store transaction) — Google processes your purchase via Google Play Billing and provides us only with a verified entitlement status. Google does not share your card details or Google account email with us. Google privacy policy.

We do not use Stripe, Resend, or our Redis database for Play Store buyers — there's no email or device record on our side to share. The native Android app loads its content from the app bundle on your device; it does not call our website's servers during normal use.

Web (Stripe) buyers:

• Purchase record (email + Stripe session ID + device list): up to 5 years from purchase, unless you request earlier deletion or refund.
• Device entries: until you remove them via the manage-devices page or your purchase record is deleted.
• Sign-in / manage-devices tokens: 30 minutes — they self-delete once used or expire.
• Access cookies: up to 180 days, then they expire and you sign in again.
• If you receive a refund: your purchase record is automatically deleted from our database within seconds of Stripe processing the refund.

App Store (iOS) buyers:

• Anonymous customer identifier (held by RevenueCat): retained for as long as Lumi Steps is installed and you have an active entitlement. It vanishes when you uninstall the app and clear app data, or when you submit a RevenueCat data-deletion request (we can help — see section 6).
• Apple receipt: held by Apple — see Apple's privacy policy for their retention.
• If Apple refunds your purchase: your Lumi Steps entitlement automatically revokes via RevenueCat within minutes. We hold no purchase record on our side to delete.

Google Play (Android) buyers:

• Anonymous customer identifier (held by RevenueCat): retained for as long as Lumi Steps is installed and you have an active entitlement. It vanishes when you uninstall the app and clear app data, or when you submit a RevenueCat data-deletion request (we can help — see section 6).
• Google Play receipt: held by Google — see Google's privacy policy for their retention.
• If Google refunds your purchase: your Lumi Steps entitlement automatically revokes via RevenueCat within minutes. We hold no purchase record on our side to delete.

We use exactly one cookie: lumi_access, described in section 2 above. It is strictly necessary for keeping you signed in. We do not use any other cookies — no analytics cookies, no advertising cookies, no third-party trackers. Because the only cookie is strictly necessary for the service, no consent banner is required under UK law (PECR Reg 6(4)). Our first-party Vercel Web Analytics is cookieless, so PECR Reg 6 still applies.

Lumi Steps for iOS is a native app — it doesn't use cookies at all. Your purchase status is held entirely on-device via RevenueCat's local cache. (If you visit lumisteps.app in a web browser, the web cookie described above applies there, not here.)

Lumi Steps for Android is a native app — it doesn't use cookies at all. Your purchase status is held entirely on-device via RevenueCat's local cache.

Data in transit is protected by TLS (HTTPS). Cookies are HttpOnly, Secure, and SameSite=Lax. Authentication tokens are signed JWTs. Our database is access-controlled and encrypted at rest by Upstash. Payment card data never touches our servers.

Communications between the app, RevenueCat, and Apple use TLS (HTTPS) by default. Payment card data never touches our servers — Apple is the merchant of record. We hold no email address, no device records, and no database entry for App Store buyers, so there's effectively no server-side data of yours on our end to secure.

Communications between the app, RevenueCat, and Google use TLS (HTTPS) by default. Payment card data never touches our servers — Google is the merchant of record. We hold no email address, no device records, and no database entry for Play Store buyers, so there's effectively no server-side data of yours on our end to secure.