Lumio

Privacy Policy

Last updated: June 28, 2026

This document is provided in English for legal accuracy. Translations may be offered for convenience only.

1. Introduction

Lumio ("we", "our", or "us"), operated by ODBS Tech, provides an AI skincare application that analyzes a selfie to estimate skin characteristics, generates a personalized skincare routine, and offers an in-app coaching assistant ("Aria"). This Privacy Policy explains what information we collect when you use the Lumio mobile application or website (the "Service"), how we use it, and with whom we share it. By using the Service, you consent to the practices described here.

2. Information We Collect

We collect the following categories of information:

  • Account information: When you create an account, we collect your email address, a hashed password (if applicable), and basic profile data such as your name. If you sign in with Apple or Google, we receive a basic identity token from that provider; we never receive your social account password.
  • Selfie photos: When you run a skin analysis, you provide a selfie. The photo is processed by our analysis pipeline to produce your results and is then deleted within 24 hours. A storage lifecycle rule enforces deletion as a backstop. We do not create or store any biometric template, faceprint, or facial-recognition signature from your photo.
  • Skin analysis & routine data: We store the results of each analysis (such as your skin score, detected concern categories and their severity, and timestamps), the skin profile you provide (skin type, concerns, goals, and optional birth year), and the routines, reminders, and habit data generated for you.
  • Aria coaching messages: When you chat with Aria, we process your messages and the assistant's replies to provide the conversation and improve guidance. Do not share information in chat that you consider medically sensitive; Aria is not a medical service.
  • Device & push tokens: We collect device identifiers and push notification tokens (Apple Push Notification service and Firebase Cloud Messaging tokens) so we can deliver reminders and updates. We may also collect device model, OS version, app version, and language for support and analytics.
  • Subscription & purchase information: Lumio Pro subscriptions are processed by Apple's App Store and Google Play, mediated by RevenueCat for receipt validation. We receive transaction identifiers, subscription status, and entitlement state. We do not collect or store your credit card numbers — payment is handled entirely by Apple or Google.
  • Usage data: We automatically collect logs of how you use the Service: feature usage, errors, request and response timing, and similar diagnostic information, used to operate, debug, and improve the Service.

3. How We Use Your Information

We use your information to:

  • Provide the Service — analyze your selfie, generate your skin score and routine, store your history, and synchronize state across your devices.
  • Power the Aria coaching assistant and personalize its guidance to your skin profile and goals.
  • Send notifications and reminders for your routine, water, and sunscreen, when you enable them.
  • Validate and manage Lumio Pro subscriptions through RevenueCat and the app stores.
  • Detect and prevent abuse, fraud, and violations of our Terms of Use.
  • Comply with legal obligations that apply to us.
  • Support, debug, and improve the Service using diagnostic and aggregated usage data.

4. How We Share Your Information

Lumio only shares your information with the following categories of recipients, and only as necessary to operate the Service:

  • AI analysis providers: To analyze your selfie and power Aria, we may transmit your photo and messages to trusted AI processing providers acting on our behalf under contract. Selfies sent for analysis are processed to return results and are not retained for advertising or sold.
  • RevenueCat (subscription management): We use RevenueCat to validate app store purchase receipts and track subscription entitlements. RevenueCat receives anonymized identifiers and transaction data — see revenuecat.com/privacy.
  • Push notification providers (Apple APNs, Firebase Cloud Messaging): Push tokens are sent to Apple Push Notification service (APNs) and Firebase Cloud Messaging (FCM) to deliver reminders and updates. Payloads include the minimum information needed to render the notification.
  • Cloud infrastructure providers: Our backend, database, and media storage run on standard cloud providers acting as data processors under contract.
  • Legal & safety: We may disclose information when required by law, valid legal process, or to protect Lumio, our users, or the public — for example, to respond to a lawful request or investigate abuse.
  • We do not sell your data: We do not sell, rent, or trade your personal information, selfies, or skin data to third parties for advertising.

5. Your Photos & Skin Data

Because skincare involves your image, we hold ourselves to strict handling rules:

  • 24-hour deletion: Your raw selfie is deleted within 24 hours of analysis. We retain the derived results (such as your skin score and concern categories) so you can track progress, but not the underlying photo.
  • No biometric template: We do not create a faceprint, biometric template, or facial-recognition signature. We do not use your photo to identify you across services.
  • Not a medical service: Lumio provides cosmetic and wellness insights, not medical diagnosis or treatment. Results are estimates and should not be relied on for medical decisions.
  • Result retention: Analysis results, routines, and chat history are stored in your account until you delete them or delete your account.

6. Data Storage & Security

We store your data on secure cloud infrastructure with encryption in transit (TLS) and encryption at rest. Access to production systems is restricted to authorized personnel under least-privilege controls. We continuously monitor for vulnerabilities and follow industry-standard security practices. No system is perfectly secure; please also keep your device and account credentials safe.

7. Data Retention

We retain different categories of data for different periods:

  • Selfie photos are deleted within 24 hours of analysis.
  • Account data is retained while your account is active, and for a limited period after deletion to satisfy legal and accounting obligations.
  • Analysis results, routines, and chat history are retained while you keep them in your account; deleting your account removes them from our systems.
  • Diagnostic logs are retained for a limited period (typically up to 90 days) for debugging and abuse prevention.

8. International Transfers

Lumio is operated from Türkiye, but our cloud infrastructure and processing providers may be located in the United States, the European Union, and other regions. By using the Service, you understand that your information may be transferred to and processed in countries other than your own, with appropriate safeguards in place.

9. Your Rights

Depending on where you live, you may have the following rights regarding your personal data:

  • Access: Request a copy of the data we hold about you.
  • Correction: Request correction of inaccurate data.
  • Deletion: Request deletion of your account and associated data. You can also delete your account directly from inside the app, or from our Account Deletion page.
  • Portability: Request export of your data in a portable format.
  • Object / restrict: Object to or restrict certain processing where applicable law allows.

To exercise any of these rights, contact us at [email protected].

10. Children's Privacy

The Service is not directed to children under 13 (or the equivalent minimum age in your jurisdiction). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated through the app or via email. The "Last updated" date at the top reflects the most recent revision. Your continued use of the Service after a change becomes effective constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at [email protected].