Privacy Policy
Last Updated: October 7, 2025
Controller: Brightness Labs LLC (United States)
Contact: legal@lumawell.app
Summary
What we collect:
Account details (e.g., email, display name, hashed password).
App/device and usage data (e.g., app version, device type, crash/diagnostic logs, in-app events, push token).
Quit-journey inputs you choose to enter (e.g., cravings, puffs/day, spend, triggers, notes, goals, badges/streaks).
Subscription status metadata (from Apple/Google; no full payment card data).
How we use it:
To run and secure the app, personalize guidance and progress, communicate about updates and support, and improve features and performance.
Selling/sharing:
We do not sell your Personal Information and do not share it for cross-context behavioral advertising (per California law).
Who we disclose to:
Trusted service providers under contract (e.g., hosting/analytics/crash reporting, notifications, subscriptions/payments) solely to operate the Service. We may share de-identified/aggregated data that does not identify you.
Your choices and rights:
You can access, correct, export, or delete your data and manage notifications/marketing preferences.
California residents also have rights to know, delete, correct, opt out of sale/sharing (not applicable here), and limit use of sensitive information (we already limit it to providing the Service). Request via legal@lumawell.app; we aim to respond within 45 days (one 45-day extension may apply as permitted by law).
Children’s privacy:
The Service is not intended for users under the age of 13. By using the Service, you represent that you are at least 13 years old. If we learn we collected Personal Data from a child under the age of 13, we will delete it as required by law. Users between 13 and 17 years old should only use the Service with parent/guardian guidance.
Interpretation and Definitions
Interpretation
Words with capitalized initials have meanings defined below. The definitions apply whether singular or plural.
Definitions
Account: a unique account created for you to access the Service.
App: the LumaWell mobile application.
Business / Controller: for CPRA/GDPR purposes, Brightness Labs LLC as the party determining purposes and means of processing.
Company: Brightness Labs LLC (“the Company,” “we,” “us,” “our”).
Country: United States (California).
Device: any device that can access the Service (e.g., smartphone).
Personal Data: any information relating to an identified or identifiable individual.
Sensitive Personal Information (SPI): under CPRA, includes precise geolocation, government IDs, financial account logins, and health-related data.
Service: the App and related services.
Service Provider / Processor: any person or entity processing data on our behalf.
Usage Data: data collected automatically (e.g., device info, crash logs, in-app events).
Collecting and Using Your Personal Data
Types of Data Collected
Personal Data You Provide
Account info: email, display name, password (hashed), age band/consent, preferences.
Quit-journey inputs (may be considered health-related): cravings, triggers, puffs/day, spend, goals, notes, badges/streaks, check-ins.
Support and feedback: messages and metadata.
Payment/subscription: handled by Apple/Google; we receive limited info like product, status, region (no full card details).
Age Information. At signup we collect a broad age range (e.g., 13–17, 18–20, 21–24, 25–34, 35–44, 45–54, 55–64, 65+) to verify eligibility (13+) and tailor guidance. We do not collect full dates of birth or birth year at signup. We use age range for app functionality and privacy-safe analytics, restrict access to it, and you may request deletion at any time. We do not sell this information and do not share it for cross-context behavioral advertising.
Usage Data (Collected Automatically)
Device model, OS, app version, language, time zone, IP (at connection), performance data, crash logs, in-app events, push-notification token.
Tracking Technologies and Cookies
In-app: we may use SDK identifiers (e.g., Firebase Instance ID) for analytics, crash reporting, and notifications.
Website (if used): we may use cookies for essential operation and analytics. You can control cookies in your browser.
Optional Data (with your permission)
Notifications.
Health data integrations (e.g., Apple Health / Health Connect) — off by default and require opt-in.
Approximate location (only if a feature needs it; off by default).
Use of Your Personal Data
We use information to:
Provide, maintain, and secure the Service (including account auth, syncing, troubleshooting).
Personalize content and recommendations (e.g., tips, progress, badges) and measure effectiveness.
Process subscriptions and communicate about changes, service messages, and support.
Detect, prevent, and address security or abuse.
Comply with legal obligations and enforce our Terms.
Legal bases (if GDPR/UK GDPR applies): consent (for certain processing), contract performance, legitimate interests (security, product improvement), and legal compliance.
Retention of Your Personal Data
We keep Personal Data only as long as necessary for the purposes above, unless a longer retention is required by law. Backups may persist briefly after deletion.
Transfer of Your Personal Data
We process data in the United States and may use providers in other countries. Where required, we implement appropriate safeguards (e.g., Standard Contractual Clauses).
Delete Your Personal Data
You can request deletion/export via in-app controls (where available) or by emailing legal@lumawell.app. We will verify the request and delete or de-identify data unless an exception applies (e.g., legal obligations, security).
Disclosure of Your Personal Data
Service Providers
We share data with contracted providers that process it only under our instructions, such as:
Hosting/Database/Analytics/Crash: Google Firebase (Firestore, Crashlytics, Analytics for Firebase).
Subscriptions: Apple App Store / Google Play (and, if used, RevenueCat).
Email/Support: [Mailgun/SendGrid/Intercom] (as configured).
Business Transactions
If we are involved in a merger, acquisition, financing, or asset sale, your data may be transferred. We will provide notice of material changes.
Law Enforcement and Other Legal Requirements
We may disclose data where required to comply with law or valid legal process, to enforce our Terms, or to protect rights, property, or safety.
Security of Your Personal Data
We use administrative, technical, and physical safeguards (e.g., encryption in transit, access controls). No method is 100% secure.
Children’s Privacy
LumaWell is not intended for children under the age of 13. We do not knowingly collect Personal Data from this age group. If we learn that we have collected Personal Data from a child under 13, we will promptly delete it in accordance with applicable law. Users between the ages of 13 and 17 should use LumaWell under the guidance of a parent or guardian.
Links to Other Websites
The Service may contain links to third-party sites. We are not responsible for their content or privacy practices.
Changes to This Privacy Policy
We may update this Policy. We will post the new version and update the “Effective Date.” Material changes will be notified in-app or by email when appropriate.
Contact Us
Brightness Labs LLC
423 Broadway
Millbrae, CA 94030, USA
legal@lumawell.app
California Privacy Notice (CPRA/CCPA) — “Notice at Collection”
Categories of Personal Information Collected (past 12 months)
We collect the following categories as defined by Cal. Civ. Code §1798.140:
Identifiers (e.g., email, device IDs).
Customer Records (account profile info).
Age Range (for verifying eligibility and tailoring guidance). We do not sell or share personal information for cross-context behavioral advertising.
Commercial Information (subscription product, purchase context—not full payment data).
Internet/Network Activity (in-app events, diagnostics).
Geolocation (approximate, only if you opt in to a feature that needs it).
Inferences (basic personalization like progress tiers).
Sensitive Personal Information (SPI): limited health-related entries you choose to log (e.g., cravings, puffs/day). We do not collect government IDs, SSNs, or precise geolocation.
Sources: You (directly), your Device, app stores, and our Service Providers.
Purposes: See “Use of Your Personal Data” above.
Retention: Kept only as long as needed for the purposes disclosed (see “Retention”).
Disclosure for business purposes: Service Providers listed above.
Sale/Share: We do not sell Personal Information and do not share it for cross-context behavioral advertising.
Your California Rights
Subject to exceptions, California residents have the right to:
Know/Access the categories and specific pieces of Personal Information we collected about you.
Delete Personal Information.
Correct inaccurate Personal Information.
Opt Out of Sale/Sharing of Personal Information (not applicable as we do not sell/share).
Limit Use and Disclosure of SPI to the Service’s permitted purposes. We already limit SPI accordingly.
Non-Discrimination: We will not discriminate for exercising your rights.
How to exercise your rights:
Email legal@lumawell.app with your request (Know, Delete, Correct, Limit). We will verify your identity (e.g., by email confirmation or account checks). You may use an authorized agent; we may require proof of authorization and identity. If we deny a request, we will explain why.
“Do Not Track” and Global Privacy Controls
We do not respond to DNT signals. If we begin any activity treated as “sale” or “sharing,” we will honor applicable opt-out mechanisms and provide a clear link within the App.
“Shine the Light” (Cal. Civ. Code §1798.83)
We do not disclose Personal Information to third parties for their direct marketing. If this changes, we will provide required opt-out options.