Privacy Policy

Lume — AI Health from Tongue Analysis
Effective date: February 27, 2026 · Last updated: February 27, 2026

Lume ("we", "us", "our") is an iOS application developed by an independent developer. This policy explains what data we collect, why, how we protect it, and your rights.

1. Data We Collect

1.1 Tongue Photos

When you take or select a photo, we use it solely for health analysis. Photos are:

Compressed and sent to our server, which forwards them to AI providers (OpenAI, Alibaba Cloud / Qwen) for processing.
Stored locally on your device in an encrypted container (iOS file protection "Complete").
Not stored on our server. Only the structured analysis result (text/JSON) is saved server-side, never the raw image.

1.2 Health Analysis Data

Each analysis produces a structured report containing tongue observations, Traditional Chinese Medicine (TCM) insights, health scores, and dietary recommendations. This data is:

Stored locally on your device.
Synced to our server (hosted on Fly.io) so you can access your history across sessions and restore it if you reinstall.

1.3 Account Information

To use Lume you sign in with Apple or Google. We receive:

A provider-scoped identifier (e.g., Apple's "sub" claim) — this is your account ID.
Email address (optional — Apple lets you hide it). Used only to display in your settings; we do not send marketing emails.
Display name (if you set one in-app).

We do not receive or store your Apple/Google password.

1.4 App Metadata

On sign-in we record basic device context: app version, build number, iOS version, and platform ("ios"). This helps us debug issues.

1.5 Usage Quotas

We log which API endpoints you call and when (e.g., "analysis at 2026-02-27T10:00Z") to enforce free and Pro usage limits. These logs contain your account ID and a timestamp — no health content.

1.6 Purchase Information

Subscriptions are processed by Apple through the App Store and managed via RevenueCat. We receive your entitlement status (Pro or Free) and expiration date. We do not see your payment method, credit card number, or billing address.

2. Data We Do Not Collect

Location data
Contacts or address book
Advertising identifier (IDFA) — we do not use ad tracking
Third-party analytics (no Firebase, Mixpanel, Segment, or similar SDKs)
Browsing history

3. How We Use Your Data

Purpose	Data used
Generate tongue health analysis	Tongue photo, analysis history (for trend context)
Personalized chat (Spirits Lounge)	Recent analysis summaries
Weekly health summary	Past 7 days of analysis records
Enforce usage quotas	Account ID, timestamps
Manage subscriptions	Account ID, RevenueCat entitlement status
Debug and improve the app	App metadata (version, OS); server error logs (redacted)

4. Third-Party Services

Your data passes through these services when you use Lume:

Service	What they receive	Their privacy policy
OpenAI	Tongue photo (for validation & analysis), text prompts	openai.com/privacy
Alibaba Cloud (Qwen)	Tongue photo (for analysis), text prompts	qwen.ai/privacypolicy
RevenueCat	Account ID, entitlement status	revenuecat.com/privacy
Apple (Sign in with Apple)	Authentication token (verified server-side)	apple.com/legal/privacy
Google (Google Sign-In)	Authentication token (verified server-side)	policies.google.com/privacy
Fly.io (server hosting)	Infrastructure provider — processes requests	fly.io/legal/privacy-policy

All data transmitted to these services travels over HTTPS (TLS encryption in transit).

5. Data Storage & Security

On your device: Analysis files and photos are stored with iOS "Complete" file protection (encrypted at rest, inaccessible when device is locked). Authentication tokens are stored in the iOS Keychain.
On our server: Analysis records are stored in an encrypted-at-rest database hosted on Fly.io. API keys and secrets are stored as environment variables, never in source code.
Server logs: API keys and authentication tokens are automatically redacted from logs. Account identifiers are truncated. Health analysis content is never logged.

6. Data Retention

Active account: Your analysis history is retained as long as your account exists. You can delete individual records at any time.
Account deletion: When you delete your account (Settings → Delete Account), all sessions are revoked immediately. Your account record is soft-deleted on our server. We will permanently purge all associated data within 30 days of deletion.
Session tokens: Expire after 30 days automatically.

7. Your Rights & Controls

Delete individual records: Swipe to delete any analysis from your history.
Delete your account: Available in Settings. Removes your data from our server.
Sign out: Revokes your current session and clears local credentials.
Camera access: You can revoke camera permission at any time in iOS Settings. The app will still work for viewing past analyses.

If you are in the European Economic Area (EEA), you also have the right to access, rectify, port, or erase your personal data under the GDPR. If you are a California resident, you have rights under the CCPA. To exercise any of these rights, contact us at the email below.

8. Children's Privacy

Lume is not directed at children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us with data, please contact us and we will delete it promptly.

9. Health Disclaimer

Lume provides wellness insights based on Traditional Chinese Medicine principles and AI analysis. It is not a medical device, does not provide medical diagnoses, and should not replace professional healthcare advice. Always consult a qualified healthcare provider for medical concerns.

10. Changes to This Policy

We may update this policy from time to time. If we make material changes, we will update the "Last updated" date at the top and, where practical, notify you in-app. Continued use of Lume after changes constitutes acceptance of the updated policy.

11. Contact

Questions or requests about your data? Reach us at:

Email: lumeaispirits@gmail.com