Privacy Policy

Last updated: April 28, 2026

Luni ("we", "our", or "us") operates the Luni mobile application. This page informs you of our policies regarding the collection, use, and disclosure of personal information when you use our app.

Information We Collect

Account Information

• Email address (when signing up with email)
• Apple ID identifier (when using Sign in with Apple)
• Google account identifier (when using Sign in with Google)
• Display name (optional)

Skincare Profile Data

• Skin type, skin tone, sensitivity level, and skincare goals
• Skin concerns and conditions you disclose
• Product inventory you add to the app
• Product photos captured via the scan feature
• Routine preferences and completion history
• Tretinoin usage tracking (if applicable)

Subscription Data

• Subscription tier and status (managed through Apple). We do not collect or store your payment information — all billing is handled by Apple.

Usage Data

• App interaction data for improving user experience
• Crash reports and performance metrics

How We Use Your Information

• To generate personalized skincare routines based on your profile and product shelf
• To track your routine progress and streaks
• To manage your subscription and enforce tier-based features
• To improve the quality and relevance of our services
• To respond to support requests

Legal Basis for Processing

We process your personal information based on:

• Contract performance: To provide the services you signed up for (routine generation, product tracking, subscription management)
• Consent: For collecting sensitive skincare profile data (skin type, skin tone, skin concerns). You provide this information voluntarily during the onboarding quiz and can delete it at any time.
• Legitimate interest: For crash reporting, performance monitoring, and service improvements

Data Storage and Retention

Your data is stored securely using Supabase (hosted on AWS in the United States). We use industry-standard encryption for data in transit and at rest.

We retain your personal data for as long as your account is active. When you delete your account, your data is permanently removed from our active systems within 30 days. Deleted data may persist in encrypted backups until those backups are rotated out of retention, after which it no longer exists in any backup.

If you are located outside the United States, please be aware that your data is transferred to, processed in, and stored in the United States. Where required by applicable law, we rely on Standard Contractual Clauses or equivalent mechanisms with our service providers to protect your data.

AI Processing and Training Data

Luni uses OpenAI's API to power three features: generating your personalized skincare routines, answering questions in the in-app assistant, and identifying products you scan with your camera. The following information is sent to OpenAI to support these features:

• Your skin type, sensitivities, goals, and quiz responses
• Products on your shelf
• Messages you send to the in-app assistant
• Photos of products you scan

We do not send your name, email address, or other direct identifiers to OpenAI.

Important: Luni participates in a data-sharing arrangement with OpenAI under which OpenAI may use the data above to train and improve its AI models. We cannot currently exclude individual accounts from this arrangement while keeping AI features active. If you do not want your data used for AI model training, you can delete your account at any time (Edit profile → Delete account), which stops all further data sharing and removes your existing data from our systems within 30 days. We cannot retroactively remove data already used by OpenAI for training.

Data Sharing

We do not sell, rent, or trade your personal information, and we do not use it for cross-app advertising or tracking. We share data with the following service providers solely to operate Luni:

• Supabase: Cloud database, authentication, and file storage. Receives all account and app data.
• OpenAI: Routine generation, in-app assistant, and product scanning. See the AI Processing section above for details on what is shared and how it is used.
• RevenueCat: Subscription management. Receives your user ID and purchase events.
• PostHog: Product analytics and crash reporting. Receives usage events linked to your account, only if you opt in (see Analytics below).
• Apple (App Store): Payment processing, subject to Apple's own privacy policy.
• Expo: Over-the-air app updates. Receives device platform and app version required to deliver updates.

Analytics

We use PostHog to understand which features are useful and to fix crashes. Analytics are off by default until you opt in during signup. You can change your preference at any time at Edit profile → Analytics. We do not sell analytics data and do not use it for cross-app tracking or advertising.

Your Rights

Regardless of where you live, you can:

• Access and view your data inside the app
• Export your data in machine-readable JSON format at any time from Edit profile → Export my data. The export includes your skin profile, shelf, routines, completion history, and other information stored in your account.
• Delete your account and all associated data from Edit profile → Delete account. Deletion permanently removes your data from our active systems within 30 days. Note: deleting your account does not automatically cancel your App Store subscription — you must cancel that separately in iOS Settings → Apple ID → Subscriptions.
• Correct inaccurate information by editing your profile, shelf, or quiz responses in the app
• Withdraw consent for analytics at any time in Profile settings

EU/EEA/UK Residents (GDPR)

If you are located in the European Union, European Economic Area, or United Kingdom, you have additional rights under the General Data Protection Regulation (GDPR), including the right to: access your personal data; rectify inaccurate data; erase your data; restrict processing; object to processing; data portability; and withdraw consent. You also have the right to lodge a complaint with your local data protection authority. To exercise any of these rights, use the in-app tools above or contact us at the email below.

California Residents (CCPA)

Under the California Consumer Privacy Act, California residents have the right to: know what personal information we collect and how it is used; request deletion of personal information; correct inaccurate information; and not be discriminated against for exercising these rights. We do not sell personal information. To exercise your rights, use the in-app tools above or contact us at the email below.

Health Information Disclaimer

Luni is a skincare app, not a medical service. Information you provide about your skin (such as skin type, concerns, or use of topical prescriptions like tretinoin) is treated as personal information, not as protected health information. Luni is not a HIPAA-covered entity and does not provide medical advice, diagnosis, or treatment. Always consult a qualified dermatologist or healthcare provider for medical concerns.

Children's Privacy

Luni is not intended for children under 13. We do not knowingly collect data from children. If we learn that we have collected data from a child under 13, we will promptly delete it.

Contact Us

For privacy questions or data requests: hello@luniskin.com

Changes

We may update this policy. Changes will be posted here with an updated date. If we make material changes, we will notify you through the app or by email.