Privacy Policy

Your privacy matters.

How we handle your data across the Lumijo website and app.

Effective: 2 March 2026

01

Scope

This privacy policy covers the Lumijo website (lumijo.com) and the Lumijo mobile application. Lumijo is made by Vitgranen AB, a company registered in Sweden.

02

What data we collect

The data we collect depends on whether you use the website, the app, or both. The following sections break this down in detail.

03

Website data

  • Waitlist: email address and locale preference, stored in Supabase (hosted in the EU)
  • Contact form: your name, email and message are submitted via a secure form and stored to process your request. Messages are also forwarded to our team via email
  • Analytics: Vercel Web Analytics, which collects no personally identifiable information and uses no cookies
04

App data

  • Parent accounts: email, hashed password, display name, Google OAuth token
  • Child accounts: display name, age (5–18), encrypted PIN, biometric preference
  • Camera: photos are processed on-device via Apple Vision OCR, immediately discarded, and never stored or transmitted
  • Study data: exercise results, readiness scores, badges, session metadata
  • AI tutoring: text sent to Claude API via a server-side proxy. Chat content exists only in app memory and is never persisted
  • Payments: Apple In-App Purchase transaction records and credit balances. We never see or store credit card details
  • Homework text: text extracted from photos via on-device OCR is stored to enable study features such as quizzes, flashcards and AI tutoring. The original photos are never stored or transmitted
  • Biometric login: Face ID / Touch ID is used for convenience. Biometric data is processed entirely on your device by Apple's secure enclave and is never accessed or stored by Lumijo
05

Children's privacy

Lumijo is designed for children aged 5–18. A parent or guardian must create the account and manage all settings. We take children's privacy seriously:

  • No advertising or ad trackers in the app
  • No selling or sharing of children's data with third parties
  • AI chat content is never persisted or used for training
  • Camera images are processed on-device and immediately discarded
  • Children cannot create accounts without a parent
06

How we use data

  • Provide and improve the service
  • Authenticate users and manage accounts
  • Deliver AI-powered homework help
  • Track learning progress and award badges
  • Send transactional emails (password reset, receipts)
  • We do not use your data for advertising
  • We do not sell your data to anyone
07

Third-party services

  • Supabase — database and authentication hosting
  • Anthropic (Claude API) — AI tutoring, accessed server-side only. Your data is not used for model training
  • Apple — In-App Purchases and Vision framework (on-device OCR)
  • Resend — transactional email delivery
  • Vercel Analytics — privacy-friendly website analytics with no PII collection
08

Data retention

  • Active accounts: data is retained while your account is active
  • Camera images: zero retention — processed on-device and immediately discarded
  • AI chat: exists only in app memory during the session, never persisted
  • Support messages: stored securely to handle your request
  • Homework text: retained while your account is active to power study features
  • Account deletion: you can delete your account and all associated data directly from the app. All data is permanently removed upon deletion
09

Your rights

Vitgranen AB is based in Sweden and subject to the General Data Protection Regulation (GDPR). You have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Delete your data
  • Export your data in a portable format
  • Object to processing
  • Withdraw consent at any time

To exercise any of these rights, contact us using the details in the Contact section below.

10

Security

  • Passwords are hashed, never stored in plain text
  • Child PINs are encrypted
  • Row-level security on all database tables
  • Encrypted sessions and HTTPS everywhere
  • AI calls are proxied through our server — your data never goes directly to third parties
11

Cookies & tracking

  • Website: Vercel Web Analytics collects no PII and uses no cookies
  • App: no cookies, no analytics trackers, no advertising SDKs
12

Changes to this policy

We may update this policy from time to time. The effective date at the top of this page always reflects the latest version. We encourage you to review this page periodically.

Lumijo — Läxhjälp för alla