Your privacy matters.

Scope

This privacy policy covers the Lumijo website (lumijo.app) and the Lumijo mobile application. Lumijo is made by Vitgranen AB, a company registered in Sweden.

What data we collect

The data we collect depends on whether you use the website, the app, or both. The following sections break this down in detail.

Website data

• Contact form: your name, email and message are submitted via a secure form and stored to process your request. Messages are also forwarded to our team via email
• Analytics: Vercel Web Analytics and Umami Cloud Analytics, both privacy-friendly services that collect no personally identifiable information and use no cookies

App data

• Parent accounts: display name, email address (from Apple or Google sign-in), Google OAuth token, Apple Sign In token
• Child accounts: display name, age (5–18), encrypted PIN, biometric preference
• Camera: photos are processed on-device via Apple Vision OCR, immediately discarded, and never stored or transmitted
• Study data: exercise results, readiness scores, badges, session metadata
• AI tutoring: text sent to Claude API via a server-side proxy. Chat content exists only in app memory and is never persisted
• Payments: Apple In-App Purchase transaction records and credit balances. We never see or store credit card details
• Homework text: extracted text is sent to our AI provider via a secure server-side proxy to generate exercises. The original photos and PDFs are never stored on our servers or transmitted to any external service. Generated exercises are returned to your device and stored locally
• Biometric login: Face ID / Touch ID is used for convenience. Biometric data is processed entirely on your device by Apple's secure enclave and is never accessed or stored by Lumijo

Children's privacy

Lumijo is designed for children aged 5–18. A parent or guardian must create the account and manage all settings. We take children's privacy seriously:

• No advertising or ad trackers in the app
• No selling or sharing of children's data with third parties
• AI chat content is never persisted or used for training
• Camera images are processed on-device and immediately discarded
• Children cannot create accounts without a parent

How we use data

• Provide and improve the service
• Authenticate users and manage accounts
• Deliver AI-powered homework help
• Track learning progress and award badges
• Send transactional emails (credit balance notifications, support confirmations)
• We do not use your data for advertising
• We do not sell your data to anyone

Third-party services

• Anthropic (Claude API) — AI exercise generation and tutoring, accessed server-side only. Your data is not used for model training
• Supabase — database, authentication, and server functions (hosted in EU, Stockholm region)
• RevenueCat — in-app purchase validation. Receives transaction identifiers but not your payment card details
• Resend — transactional email delivery (credit notifications and support ticket routing only)
• Apple — authentication (Sign in with Apple) and In-App Purchases
• Google — authentication (Google Sign-in)
• Vercel Analytics — privacy-friendly website analytics with no PII collection
• Umami Cloud — privacy-friendly website analytics with no cookies and no PII collection

Data retention

• Active accounts: data is retained while your account is active
• Camera images: zero retention — processed on-device and immediately discarded
• AI chat: exists only in app memory during the session, never persisted
• Support messages: stored securely to handle your request
• Homework text: stored locally on your device only. Never stored on our servers
• Account deletion: you can delete your account and all associated data directly from the app. All data is permanently removed upon deletion

Your rights

Vitgranen AB is based in Sweden and subject to the General Data Protection Regulation (GDPR). You have the right to:

• Access the personal data we hold about you
• Correct inaccurate data
• Delete your data
• Export your data in a portable format
• Object to processing
• Withdraw consent at any time

To exercise any of these rights, contact us using the details in the Contact section below.

Security

• Authentication via Apple Sign-in and Google Sign-in — no passwords stored
• Child PINs are encrypted
• Row-level security on all database tables
• Encrypted sessions and HTTPS everywhere
• AI calls are proxied through our server — your data never goes directly to third parties

Cookies & tracking

• Website: Vercel Web Analytics and Umami Cloud Analytics collect no PII and use no cookies
• App: no cookies, no analytics trackers, no advertising SDKs

Changes to this policy

We may update this policy from time to time. The effective date at the top of this page always reflects the latest version. We encourage you to review this page periodically.

Contact

If you have questions about this privacy policy or your data, reach out to us: