Privacy Policy

Last updated 2026-05-15 · Version 1.0

One-line summary: we record when your child's account goes online so we can notify you. We never read messages, we never sell data, and you can wipe every byte we hold about you with one click.

Lumio is an independent family-safety tool and is not affiliated with, endorsed by, or sponsored by WhatsApp LLC or Meta Platforms, Inc. WhatsApp is a trademark of WhatsApp LLC. We work only with best-effort online/offline presence signals for accounts you are authorized to monitor, and never read messages or content.

1. Who we are

Lumio ("we", "us", the "Service") is operated by Lumio Yazılım A.Ş. ("the controller"). Our registered address and Data Protection Officer details are available at the bottom of this page.

For European users, our representative under GDPR Article 27 is appointed and listed in the contact section.

2. What personal data we process

We process the following categories. Anything not listed here is not collected.

CategorySourceRetention
Email addressYou provide it at signupAccount lifetime + 30 day grace
Password (hash only)Argon2id of what you typedAccount lifetime
Country (ISO code)Approximate, from your IPAccount lifetime
Locale + timezoneYour deviceAccount lifetime
Phone number of monitored childYou provide itSalted SHA-256 + raw, until you remove the contact
Presence events (online / offline timestamps)Linked device1 / 7 / 90 / 365 days by plan tier (Free / Starter / Pro / Family)
Device push tokenFirebase Cloud MessagingUntil app uninstall or token rotation
IP + user-agent on security eventsHTTP request5 years (regulatory)
Payment metadata (no card number)Apple / Google / Stripe10 years (tax law)

What we never collect: message content, attachments, contacts list, profile pictures, location data, browsing history, microphone or camera access.

3. Why we process it (lawful basis)

PurposeLawful basis
Authenticate your accountContract — GDPR Art. 6(1)(b)
Deliver the parental-control service you subscribed toContract + parental consent for the minor — GDPR Art. 6(1)(a) and (b)
Detect fraud, abuse, and security incidentsLegitimate interest — Art. 6(1)(f)
Comply with our legal and regulatory obligationsLegal obligation — Art. 6(1)(c)
Send transactional emails (receipts, password resets)Contract — Art. 6(1)(b)
Marketing (if you opt in)Consent — Art. 6(1)(a)

4. Children's data and parental consent

The Service is intended for use by parents and legal guardians monitoring accounts that belong to their minor children. At signup you affirm parental responsibility under a recorded, audited consent flow. We do not knowingly process personal data of children under 13 without verifiable parental consent (COPPA-aware) and we apply the same standard to all users under the legal age of digital consent in their country of residence (varies between 13–16 across the EU).

If you are a child and you believe a parent or guardian has set up an account about you and you wish for that to stop, email [email protected]. We will engage with you and your guardian to resolve the matter without delay.

5. Who we share data with (sub-processors)

We use the following sub-processors. A Data Processing Agreement is in place with each, and each is bound by EU SCC 2021/914 where data leaves the EEA.

VendorPurposeRegion
Apple / GoogleIn-app purchase processingUS / IE
RevenueCatSubscription orchestrationUS
Firebase Cloud MessagingPush notification deliveryUS
CloudflareCDN + DDoS protectionGlobal edge, EU / US
Hetzner CloudHosting + databaseGermany (EU)
SMTP relayTransactional emailEU
MaxMind (local DB)IP → country lookup; no outbound callsLocal

6. Your rights

Under GDPR, KVKK, and similar regimes you can exercise the following rights at any time. Most are one click in the app under Settings → Privacy.

7. Data retention

The retention table is in §2 above. We never keep data longer than the published period, and we run automated jobs daily to enforce it.

One exception: audit logs are retained for 5 years (required for fraud and tax compliance) and mirrored to immutable cold storage. They never contain message content; they record administrative actions on your account (login, password change, payment) so we can prove what happened if a dispute arises.

8. International transfers

Our primary hosting is in Germany (Hetzner Cloud, Frankfurt). Some sub-processors are based in the United States. Transfers to non-EEA countries are protected by EU Standard Contractual Clauses (Commission Decision 2021/914) and, where applicable, the EU-US Data Privacy Framework. You can request the SCCs by emailing [email protected].

9. Security measures

10. Cookies and tracking

The marketing website at lumiox.app uses one strictly-necessary cookie for session management when you submit the deletion request form. No advertising or analytics cookies. No third-party trackers.

The mobile app does not use IDFA / Android Advertising ID for ad tracking. We request notification + network permissions only.

11. Changes to this policy

Material changes are notified by email 30 days before they take effect. The version + last-updated stamp at the top of this page is the canonical version. Historical versions are available on request.

12. Contact

Data Controller: Lumio Yazılım A.Ş.
Privacy questions: [email protected]
Data Protection Officer: [email protected]
EU Article 27 representative: appointed and listed at [email protected]


Lumio is an independent family-safety tool and is not affiliated with, endorsed by, or sponsored by WhatsApp LLC or Meta Platforms, Inc. WhatsApp is a trademark of WhatsApp LLC. Lumio works only with best-effort online/offline presence signals for accounts you are authorized to monitor, and never reads messages or content.