Privacy Policy

Meridian Labs LLC (“we,” “us,” or “our”) operates the Lumia mobile application (the “App”). This Privacy Policy explains what information we collect, how we use it, and the choices you have.

By using Lumia, you agree to the collection and use of information as described below.

1. Information We Collect

Information You Provide

• Account information. When you create an account, we collect your name and email address. Accounts are created through third-party sign-in providers (Google or Apple), and we receive basic profile information from those providers. We do not collect or store passwords.
• Birth data. To generate your personalized content, we collect your birth date, time, and location (city, latitude, longitude, timezone). This data is encrypted at rest on our servers using field-level encryption.
• Profile information. You may provide additional profile details including a username, bio, avatar image, gender, interests, and life needs.
• Journal entries. Your private journal entries are stored with encryption at rest on our servers. Entries you choose to share in the community feed are visible to other users. Please note: certain AI-powered features (such as emotion detection, categorization, and summaries) involve server-side processing of your journal content — see Section 2 for details.
• Community content. Posts, comments, likes, and other interactions you share in the community feed are visible to other users and stored on our servers.
• Reading data. Your reading selections and history are stored to provide you with a personalized experience.
• Images. Photos you upload (profile pictures, journal images) are stored on Google Cloud Storage.
• Support requests. If you contact support, we collect the information you include in your message, including any file attachments.
• Invitations. If you invite others to join Lumia, we collect the email addresses you provide for the purpose of sending invitations.

Information We Collect Automatically

• Device information. We collect device data including operating system version, device model, app version, and device identifiers for push notification delivery.
• Timezone. We collect your device's timezone to deliver time-appropriate content and notifications.
• Usage analytics. We use analytics tools to understand how people use the App. This includes data like screen views, session duration, feature usage, and crash reports. This data is aggregated and cannot be used to identify you personally.
• Interaction data. We collect data about your engagement with content (views, likes, comments, follows) to personalize your experience and improve our recommendation systems.
• IP address. Your IP address is collected in server logs for security and abuse prevention. It is not used for tracking or advertising.

Information We Do Not Collect

• We do not collect your precise real-time GPS location. Birth location is entered manually and used only for content personalization.
• We do not access your contacts, camera, or microphone unless you explicitly grant permission for a specific feature (such as uploading a journal image).
• We do not use advertising trackers or share data with ad networks.

2. How We Use Your Information

We use the information we collect to:

• Provide core features. Generate personalized insights, readings, and journal experiences based on your profile and birth data.
• AI-powered features. Process your data through artificial intelligence services to generate personalized content, including daily messages, reading interpretations, journal analysis (emotion detection, categorization, summaries), and conversational responses. This processing is performed by Google's Gemini AI service acting as our data processor.
• Personalize your feed. Use algorithmic ranking, including machine learning models, to surface relevant content in your discovery feed. We may run experiments (A/B tests) to improve these systems.
• Social features. Enable following, commenting, liking, and content sharing between users.
• Push notifications. Send notifications about social activity, personalized content, and service updates via Apple Push Notification service (APNS).
• Email communications. Send account-related messages, support responses, and invitation emails.
• Improve the App. Analyze aggregated usage patterns to improve features and fix issues.
• Security and integrity. Detect and prevent abuse, fraud, or misuse of the App, including rate limiting and content moderation.

3. How We Protect Your Information

• Encryption at rest. Sensitive personal data — including your birth information (date, time, location) and email address — is encrypted at rest using field-level encryption with keys managed through Google Cloud Key Management Service (KMS).
• Encryption in transit. All data transmitted between your device and our servers is encrypted using HTTPS/TLS. We also offer an additional transit encryption layer for sensitive operations.
• Access controls. We limit internal access to personal data to authorized personnel who need it to operate the service.
• AI data handling. Data sent to AI services for processing is transmitted securely and is not used by those services to train their models. We redact personally identifiable information before sending data to AI services where possible.
• Blind indexing. Encrypted fields such as email are indexed using blind hashes, meaning the actual values are not stored in searchable form.

4. Third-Party Services

We use the following categories of third-party services to operate the App:

These providers act as data processors on our behalf and are contractually bound to protect your data. We do not sell your personal information to any third party.

5. Information Sharing

We do not sell your personal information. We do not share it with advertisers.

We may share information only in the following cases:

• Service providers. As described in Section 4, third-party services process data on our behalf to operate the App.
• Community content. Content you share publicly in the community feed is visible to other users of the App.
• Legal requirements. We may disclose information if required by law, court order, or government request.
• Safety. We may share information when we believe it is necessary to prevent harm, investigate violations of our Terms, or protect the rights and safety of our users.
• Business transfers. If Meridian Labs is acquired or merges with another company, your information may be transferred as part of that transaction. We will notify you before this happens and give you the option to delete your account.

6. Your Rights and Choices

• Access your data. You can request a copy of the personal data we hold about you by contacting us.
• Delete your account. You can request account deletion through the App's settings. Upon request, your personal data will be permanently removed within 30 days, except where we are legally required to retain it.
• Export your journal. You can export your journal entries at any time from the App.
• Opt out of analytics. You can disable anonymous analytics collection in the App's settings.
• Manage notifications. You can control push notification and email notification preferences within the App or through your device settings.
• Profile visibility. You can set your profile to private to limit what other users can see.
• Content control. You can delete your posts, comments, and other content at any time.

For Users in the European Economic Area (EEA)

If you are located in the EEA, you have additional rights under the General Data Protection Regulation (GDPR), including the right to access, rectification, erasure, data portability, restriction of processing, and the right to object to processing. Our legal bases for processing are: consent (for birth data and optional profile information), contract performance (for account and service features), and legitimate interests (for security, analytics, and service improvement). To exercise these rights, contact us at hello@meridian-labs.co.

For California Residents

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect, the right to delete it, and the right to opt out of the sale of personal information. We do not sell personal information. To exercise your rights, contact us at hello@meridian-labs.co.

7. Children's Privacy

Lumia is not directed at children under 13. We do not knowingly collect information from children under 13. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.

8. Data Retention

• Active accounts. We retain your account data for as long as your account is active.
• Deleted accounts. If you request account deletion, we remove your personal data within 30 days, except where we are required by law to retain it.
• Cached data. Computed data (such as chart calculations) is cached temporarily and refreshed periodically. Cache data does not persist beyond the active lifetime of your account.
• Analytics data. Anonymous, aggregated analytics data may be retained indefinitely as it cannot be linked back to individual users.
• Server logs. Server logs containing IP addresses and request metadata are retained for up to 90 days for security and debugging purposes.

9. International Data Transfers

Your data is processed and stored on servers located in the United States. If you are accessing the App from outside the United States, your data will be transferred to and processed in the United States. We take appropriate safeguards to ensure your data is protected in accordance with this Privacy Policy.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date at the top of this page and notify you through the App. We encourage you to review this policy periodically.

11. Contact Us

If you have questions about this Privacy Policy or your data, contact us at:

Meridian Labs LLC
Email: hello@meridian-labs.co