Privacy Policy
Last updated 2026-05-15 · Version 1.0
Lumio is an independent family-safety tool and is not affiliated with, endorsed by, or sponsored by WhatsApp LLC or Meta Platforms, Inc. WhatsApp is a trademark of WhatsApp LLC. We work only with best-effort online/offline presence signals for accounts you are authorized to monitor, and never read messages or content.
1. Who we are
Lumio ("we", "us", the "Service") is operated by Lumio Yazılım A.Ş. ("the controller"). Our registered address and Data Protection Officer details are available at the bottom of this page.
For European users, our representative under GDPR Article 27 is appointed and listed in the contact section.
2. What personal data we process
We process the following categories. Anything not listed here is not collected.
| Category | Source | Retention |
|---|---|---|
| Email address | You provide it at signup | Account lifetime + 30 day grace |
| Password (hash only) | Argon2id of what you typed | Account lifetime |
| Country (ISO code) | Approximate, from your IP | Account lifetime |
| Locale + timezone | Your device | Account lifetime |
| Phone number of monitored child | You provide it | Salted SHA-256 + raw, until you remove the contact |
| Presence events (online / offline timestamps) | Linked device | 1 / 7 / 90 / 365 days by plan tier (Free / Starter / Pro / Family) |
| Device push token | Firebase Cloud Messaging | Until app uninstall or token rotation |
| IP + user-agent on security events | HTTP request | 5 years (regulatory) |
| Payment metadata (no card number) | Apple / Google / Stripe | 10 years (tax law) |
What we never collect: message content, attachments, contacts list, profile pictures, location data, browsing history, microphone or camera access.
3. Why we process it (lawful basis)
| Purpose | Lawful basis |
|---|---|
| Authenticate your account | Contract — GDPR Art. 6(1)(b) |
| Deliver the parental-control service you subscribed to | Contract + parental consent for the minor — GDPR Art. 6(1)(a) and (b) |
| Detect fraud, abuse, and security incidents | Legitimate interest — Art. 6(1)(f) |
| Comply with our legal and regulatory obligations | Legal obligation — Art. 6(1)(c) |
| Send transactional emails (receipts, password resets) | Contract — Art. 6(1)(b) |
| Marketing (if you opt in) | Consent — Art. 6(1)(a) |
4. Children's data and parental consent
The Service is intended for use by parents and legal guardians monitoring accounts that belong to their minor children. At signup you affirm parental responsibility under a recorded, audited consent flow. We do not knowingly process personal data of children under 13 without verifiable parental consent (COPPA-aware) and we apply the same standard to all users under the legal age of digital consent in their country of residence (varies between 13–16 across the EU).
If you are a child and you believe a parent or guardian has set up an account about you and you wish for that to stop, email [email protected]. We will engage with you and your guardian to resolve the matter without delay.
5. Who we share data with (sub-processors)
We use the following sub-processors. A Data Processing Agreement is in place with each, and each is bound by EU SCC 2021/914 where data leaves the EEA.
| Vendor | Purpose | Region |
|---|---|---|
| Apple / Google | In-app purchase processing | US / IE |
| RevenueCat | Subscription orchestration | US |
| Firebase Cloud Messaging | Push notification delivery | US |
| Cloudflare | CDN + DDoS protection | Global edge, EU / US |
| Hetzner Cloud | Hosting + database | Germany (EU) |
| SMTP relay | Transactional email | EU |
| MaxMind (local DB) | IP → country lookup; no outbound calls | Local |
6. Your rights
Under GDPR, KVKK, and similar regimes you can exercise the following rights at any time. Most are one click in the app under Settings → Privacy.
- Access (Art. 15) — request a copy of everything we hold. JSON export, available via in-app button or email.
- Rectification (Art. 16) — fix anything inaccurate.
- Erasure (Art. 17) — wipe your account entirely. Soft-delete is immediate; cryptographic erasure runs 30 days later.
- Restriction (Art. 18) — temporarily freeze processing.
- Portability (Art. 20) — get your data in machine-readable JSON.
- Object (Art. 21) — remove specific monitored contacts; refuse legitimate-interest processing.
- Withdraw consent — for any consent-based processing (marketing, KVKK), withdrawal stops the processing. It doesn't affect lawfulness of prior processing.
- Lodge a complaint with your supervisory authority. EU users: any DPA. Turkish users: KVK Kurumu.
7. Data retention
The retention table is in §2 above. We never keep data longer than the published period, and we run automated jobs daily to enforce it.
One exception: audit logs are retained for 5 years (required for fraud and tax compliance) and mirrored to immutable cold storage. They never contain message content; they record administrative actions on your account (login, password change, payment) so we can prove what happened if a dispute arises.
8. International transfers
Our primary hosting is in Germany (Hetzner Cloud, Frankfurt). Some sub-processors are based in the United States. Transfers to non-EEA countries are protected by EU Standard Contractual Clauses (Commission Decision 2021/914) and, where applicable, the EU-US Data Privacy Framework. You can request the SCCs by emailing [email protected].
9. Security measures
- Passwords hashed with Argon2id at OWASP-recommended cost parameters.
- Refresh tokens with reuse detection — replaying a stolen token revokes the entire token family.
- Account TOTP available for administrative accounts; mandatory for operations staff.
- TLS 1.3 in transit. AES-256-GCM at rest for sensitive at-rest keys (session credentials).
- Append-only audit log with cryptographic hash chain, mirrored to S3 Object Lock Compliance storage for 5 years.
- Least-privilege database role for the runtime application — cannot UPDATE or DELETE audit rows even with full app access.
- Annual third-party penetration test.
10. Cookies and tracking
The marketing website at lumiox.app uses one strictly-necessary cookie for session management when you submit the deletion request form. No advertising or analytics cookies. No third-party trackers.
The mobile app does not use IDFA / Android Advertising ID for ad tracking. We request notification + network permissions only.
11. Changes to this policy
Material changes are notified by email 30 days before they take effect. The version + last-updated stamp at the top of this page is the canonical version. Historical versions are available on request.
12. Contact
Data Controller: Lumio Yazılım A.Ş.
Privacy questions: [email protected]
Data Protection Officer: [email protected]
EU Article 27 representative: appointed and listed at [email protected]
Lumio is an independent family-safety tool and is not affiliated with, endorsed by, or sponsored by WhatsApp LLC or Meta Platforms, Inc. WhatsApp is a trademark of WhatsApp LLC. Lumio works only with best-effort online/offline presence signals for accounts you are authorized to monitor, and never reads messages or content.