Lumafy AI
Legal

Privacy Policy

Effective Date: April 27, 2026  ·  Last Updated: April 27, 2026

Your privacy matters to us. This policy explains what data we collect, why we collect it, how we use it, and your rights. We do not sell your personal data.

1. Who We Are

Summa Studios™ ("we," "our," or "us") develops and operates Lumafy AI™, a wellness application available at lumafyai.com. This Privacy Policy applies to all users of our website and application.

For privacy-related questions or requests, contact us at: support@lumafyai.com

2. What Data We Collect

2.1 Information You Provide Directly

Data Type | When Collected | Purpose
Name & Email address | Account registration | Authentication, account management, transactional emails
Password (hashed) | Account registration | Secure authentication — never stored in plain text
Payment information | Subscription checkout | Billing — processed by Stripe. We never store full card numbers.
Mood & energy ratings | Daily check-ins | Personalize your wellness experience and track your progress
Journal entries | Journaling feature | Displayed to you; optionally shared with AI coach for context
AI coach conversations | Coaching sessions | Generate AI responses — not stored indefinitely, cleared per session
Recovery Mode data | If Recovery Mode enabled | Sobriety date, meeting logs, recovery type — stored locally on your device (localStorage). Not uploaded to our servers.
App review / feedback | In-app review prompt | Service improvement — stored in our database with your consent
W9 tax information | Affiliate program only | Tax compliance for affiliate payouts — not collected from regular users

2.2 Information Collected Automatically

  • Usage data: Pages visited, features used, session duration — collected via Google Analytics
  • Push notification tokens: Device push subscription endpoint, stored to deliver notifications you opt into
  • Referral data: Affiliate referral code used during signup, if any
  • Ad interaction data: Whether you clicked a Meta (Facebook/Instagram) ad before visiting — collected via Meta Pixel on our landing, signup, and launch pages
  • Browser & device info: Collected automatically by analytics tools (browser type, operating system, general geographic region)

2.3 What We Do NOT Collect

  • We do not collect your precise location
  • We do not record or store audio or video
  • We do not access your contacts, camera, or microphone
  • Recovery Mode data (sobriety date, meeting logs, recovery type) is stored only on your device via localStorage — it is never uploaded to our servers

3. How We Use Your Data

  • Provide the service: Authenticate your account, process your subscription, deliver app features
  • Personalize your experience: Use check-in history and preferences to tailor AI coach responses and progress insights
  • Send communications: Transactional emails (welcome, subscription confirmation, password reset) and optional push notifications you opt into
  • Improve the product: Analyze aggregated, anonymized usage data to improve features and performance
  • Process payments: Share necessary billing information with Stripe to complete transactions
  • Affiliate tracking: Track referral conversions to calculate partner commissions
  • Legal compliance: Comply with applicable laws, enforce our Terms of Service, and protect against fraud

4. How We Share Your Data

We do not sell your personal data. We share data only in the following limited circumstances:

Recipient | Data Shared | Purpose
Supabase | Account info, check-in data, push tokens | Database hosting and authentication infrastructure
Stripe | Email, payment info | Subscription billing and payment processing
OpenAI | Your coach conversation messages | AI response generation — subject to OpenAI's data policy
Resend | Email address | Transactional email delivery
Google Analytics | Anonymized usage data | Product analytics and performance monitoring
Meta (Facebook) | Pixel events (page views, trial starts) | Ad performance measurement and optimization
Netlify | Web traffic data | Hosting and serverless function infrastructure
Law enforcement | As legally required | Compliance with valid legal process, court orders, or government requests

5. Data Storage & Security

Your data is stored on Supabase-managed PostgreSQL databases hosted on secure cloud infrastructure. We use industry-standard security measures including:

  • Encrypted connections (HTTPS/TLS) for all data in transit
  • Hashed passwords — your password is never stored in readable form
  • Payment data handled exclusively by Stripe's PCI-compliant infrastructure — we never store full card numbers
  • Row-level security policies on database tables

While we implement strong security practices, no method of transmission or storage is 100% secure. We cannot guarantee absolute security of your data.

6. Data Retention

  • Account data: Retained for the duration of your account. Deleted upon verified account deletion request.
  • Check-in and journal data: Retained while your account is active. You may request deletion at any time.
  • AI coach conversations: Not stored permanently. Conversations are cleared at the end of each session.
  • Recovery Mode data: Stored only on your device (localStorage). Cleared when you log out, clear browser data, or disable Recovery Mode.
  • Payment records: Retained as required for tax and legal compliance (typically 7 years).
  • Push notification tokens: Retained while your subscription is active or until you revoke notification permissions.

7. Cookies & Tracking Technologies

We use cookies and similar technologies for:

  • Authentication: Maintaining your logged-in session via Supabase auth tokens
  • Analytics: Google Analytics cookies to understand how users navigate the app
  • Ad measurement: Meta Pixel cookies to measure ad effectiveness (which ads led to sign-ups)

You can control cookies through your browser settings. Disabling cookies may affect your ability to stay logged in or use certain features.

8. Push Notifications

If you opt in to push notifications, we will send you wellness reminders, streak notifications, and check-in prompts. You can revoke notification permissions at any time through your browser or device settings. Revoking permissions does not affect your account or subscription.

9. Children's Privacy

Lumafy AI is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us at support@lumafyai.com and we will promptly delete it.

10. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

For All Users

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request that we correct inaccurate or incomplete data
  • Deletion: Request deletion of your account and associated personal data
  • Opt-out of communications: Unsubscribe from marketing emails at any time

California Residents (CCPA)

California residents have additional rights under the California Consumer Privacy Act, including the right to know what personal information is collected and sold, the right to opt out of the sale of personal information (we do not sell personal information), and the right to non-discrimination for exercising your rights.

European Residents (GDPR)

If you are in the European Economic Area, you have rights under the General Data Protection Regulation including the right to access, rectify, erase, restrict processing, and data portability. Our legal basis for processing your data is contract performance (to provide the service you signed up for) and legitimate interests (analytics, security, fraud prevention).

To exercise any of these rights, email us at support@lumafyai.com. We will respond within 30 days.

11. Third-Party Links

Our app may contain links to third-party websites (such as SAMHSA, AA, or NA resources). We are not responsible for the privacy practices of those sites and encourage you to review their privacy policies independently.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last Updated" date at the top. For significant changes, we will notify you via email or an in-app notice. Continued use of Lumafy AI after changes are posted constitutes your acceptance of the updated policy.

13. Contact Us

For privacy-related questions, data requests, or concerns, contact us at:

Lumafy AI — Privacy
Email: support@lumafyai.com
Website: lumafyai.com

© 2026 Summa Studios™. Lumafy AI™ is a trademark of Summa Studios™. All rights reserved.
