Privacy Policy

1. Who We Are

LumaTracer ("we," "our," or "us") operates the LumaTracer platform at lumatracer.com - a fertility cycle tracking service that helps users understand their menstrual cycle, ovulation window, and fertility health. We are not a covered entity under HIPAA; however, we take the privacy of your health-related data seriously and apply strong protections to all personal and sensitive information we collect.

2. What Data We Collect

At signup, we require explicit agreement to the Terms of Service and Privacy Policy, confirmation of 13+ age, and consent to health-data processing for service functionality.

2.1 Information You Provide

• Account information: name, email address, age band, 13+ age confirmation, and password
• Fertility and cycle data: menstrual cycle dates, ovulation symptoms, basal body temperature logs, cervical mucus observations, and similar cycle-related inputs
• Medical images: ultrasound images and other medical imaging files you choose to upload to your account
• Health notes: free-text journal entries, symptoms, and health observations you record within the app
• Communications: support requests, feedback, or messages you send to us

2.2 Information Collected Automatically

• Device and usage data: IP address, browser type, operating system, pages visited, time spent on pages, and referring URLs
• Cookies and similar technologies: session cookies, preference cookies, and analytics identifiers (see our Cookie Policy at contact@lumatracer.com)

2.3 Information We Do Not Collect

We do not collect government-issued ID numbers, financial account numbers, or health insurance information.

3. How We Use Your Data

We do not use your health or fertility data for advertising, sell it to third parties, or share it with employers or insurance companies.

4. Medical Image Storage

• Images are stored using Supabase Storage with encryption at rest (AES-256) and in transit (TLS 1.2+)
• Images are accessible only by you and any accounts you explicitly authorize
• LumaTracer staff do not access, view, or analyze your images except where required to provide technical support at your explicit request
• Images are retained for as long as your account is active, plus 30 days after account deletion, unless earlier deletion is requested
• You may delete individual images or all images at any time from your account settings
• We do not use your medical images to train machine learning models without your explicit, separate consent

5. How We Share Your Data

We do not sell your personal data. We may share data with:

• Service providers: hosting (Hostinger), cloud storage, email delivery, and analytics providers who are contractually bound to protect your data and use it only to provide services to us
• Legal compliance: if required by law, court order, or to protect the rights and safety of users
• Business transfers: if LumaTracer is acquired or merges, your data may transfer to the new entity, and you will be notified

All third-party providers are required to maintain appropriate security standards. A list of current sub-processors is available upon request at privacy@lumatracer.com.

6. Data Retention

• Account data: retained for the life of your account plus 30 days after deletion
• Cycle and health data: retained as above, or deleted sooner if you request it
• Medical images: deleted within 30 days of account deletion or individual deletion request
• Anonymized analytics data: may be retained indefinitely in aggregated, non-identifiable form

7. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

• Access: request a copy of the data we hold about you
• Correction: request that inaccurate data be corrected
• Deletion: request deletion of your account and associated data ("right to be forgotten")
• Portability: receive your data in a machine-readable format
• Restriction: ask us to stop processing your data in certain circumstances
• Objection: object to processing based on legitimate interest
• Withdraw consent: where processing is based on consent, you may withdraw at any time

For EU/EEA users (GDPR): The above rights apply to you in full. Our legal basis for processing sensitive health data is your explicit consent (Article 9(2)(a) GDPR). You may lodge a complaint with your local supervisory authority.

For California residents (CCPA/CPRA): You have the right to know, delete, and opt out of the sale of personal information. We do not sell personal information.

To exercise any right, contact: privacy@lumatracer.com. We will respond within 30 days.

8. Security

We implement the following security measures:

• Encryption at rest (AES-256) and in transit (TLS 1.2+) for all stored data
• Access controls limiting data access to authorized personnel only
• Regular security reviews of our infrastructure
• Prompt notification of data breaches to affected users as required by applicable law

No method of transmission over the internet is 100% secure. While we apply strong protections, we cannot guarantee absolute security.

9. Children's Privacy

LumaTracer is not intended for users under the age of 13. During signup, users must confirm they are 13+. We do not knowingly collect personal data from children. If you believe a child has created an account, please contact us at privacy@lumatracer.com and we will delete the account promptly.

10. International Data Transfers

LumaTracer is operated from USA. If you access LumaTracer from outside USA, your data may be transferred to and processed in USA or other countries where our service providers operate. For EU/EEA users, we rely on Standard Contractual Clauses for international transfers.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last Updated" date at the top and, for material changes, notify you by email or prominent in-app notice at least 30 days before the change takes effect.

12. Contact Us

LumaTracer Privacy Team
Email: privacy@lumatracer.com
Website: lumatracer.com
Address: 13747 Montfort Dr, Dallas, Texas 75240