Effective date: 2026-05-13 · Last updated: 2026-05-13
Privacy Policy
This Privacy Policy describes how Luuna, Inc. (“Luuna,” “we,” “us,” or “our”) collects, uses, and shares your information when you use the Luuna mobile application, the tryluuna.com website, and related services (the “Service”).
Marketing website (tryluuna.com)
If you join the Luuna alpha waitlist on tryluuna.com without yet creating an account in the app, we collect only what you submit on the signup form:
- Email address — used to email you when your TestFlight cohort opens and to send occasional updates about the alpha.
- First name — used to personalize the emails we send you.
- Referral source — your optional answer to “How did you hear about us?”, used to understand which channels bring people to Luuna.
We process this information based on your consent (the act of submitting the form). We do not sell it, share it with advertising partners, or use it to train AI models. Waitlist records are stored on our backend (see “Railway / cloud hosting” in the providers table below) for the duration of the alpha program.
To remove your email from the waitlist or request deletion of your waitlist record at any time, email info@tryluuna.com. The rest of this Privacy Policy describes what happens once you create an account and use the Luuna app.
What we collect
Information you provide
- Phone number — used to create your account and send a one-time verification code via SMS (delivered by Twilio).
- Email address — used for account recovery and important account notifications (delivered by SendGrid).
- Name — first and last name, shown in the app.
- Profile preferences — country, language, date format, notification preferences.
Financial information (when you connect a bank account)
- Bank account metadata — institution name, account type, account mask (last 4 digits). Provided by Plaid.
- Transaction history — past transactions used to compute your average spending and detect activity in real time.
- Spending estimates — categories and dollar amounts you enter during onboarding.
We do not store your bank login credentials. Plaid handles that authentication.
Information collected automatically
- Device information — device model, OS version, app version, language and timezone settings. Collected via Apple’s standard APIs.
- Push notification token — Apple Push Notification service identifier, used to send shield alerts and important account messages.
- Usage analytics — events such as “paywall_viewed,” “trial_started,” “shield_toggled,” collected via PostHog. Anonymized at the device level until you log in.
- Crash reports — diagnostic information when the app crashes, collected via Sentry. Includes device state and a stack trace, never your financial data.
- Subscription state — your tier, trial status, expiration date, and product ID, managed via RevenueCat.
Information processed for AI features
- Page content for shopping detection — when you use the in-app shopping browser, page text snippets are sent to Anthropic’s API to detect “added to cart,” “checkout started,” and “order confirmed” events. Anthropic’s terms commit to not training models on your data. See Anthropic’s privacy policy.
How we use your information
We use your information to:
- Provide the Service (verify your account, sync bank data, run shield logic, manage subscriptions).
- Detect over-spending and trigger reflection prompts at the moment they matter.
- Improve the Service (analytics on which features work, which fail, where users get stuck).
- Communicate with you about your account, support requests, and material product updates.
- Comply with legal obligations and protect against fraud and abuse.
We do not sell your personal information.
How we share your information
We share information with the following categories of service providers, each under contractual obligations to protect it:
| Provider | Purpose | Data shared |
|---|---|---|
| Plaid | Bank account linking, transaction data | Bank credentials (encrypted in transit, never stored by us), transaction history |
| Twilio | OTP delivery via SMS | Phone number, OTP code |
| SendGrid | Email delivery | Email address, message content |
| RevenueCat | Subscription management | User ID, subscription state, IAP receipts |
| Apple | App distribution, in-app purchases, push notifications | Apple ID (for IAP), device push token |
| Anthropic | AI page analysis for shopping detection | Page text snippets (no PII) |
| PostHog | Product analytics | Event data, anonymized user ID |
| Sentry | Crash reporting and error tracking | Device state, stack traces, anonymized user ID |
| Railway / cloud hosting | Backend hosting | All data flowing through our backend |
We may also share information when required by law (subpoena, court order), to protect our rights or the rights of others, or in connection with a merger, acquisition, or sale of assets (in which case we will notify you).
Data retention
- Account data — kept while your account is active. Deleted within 30 days of an account deletion request.
- Transaction data — kept for as long as your bank account is connected. Deleted within 30 days of unlinking.
- Analytics events — retained for up to 24 months for aggregate analysis.
- Crash reports — retained for up to 90 days.
To request account deletion, email support@tryluuna.com with the subject “Account Deletion Request.” You can also unlink bank accounts at any time in the app.
Your rights
Depending on where you live, you may have rights to:
- Access — request a copy of the data we hold about you.
- Correct — ask us to fix inaccurate data.
- Delete — ask us to delete your data.
- Portability — receive your data in a portable format.
- Object — object to certain processing activities.
To exercise these rights, email support@tryluuna.com. We will respond within 30 days.
California residents (CCPA / CPRA)
California residents have additional rights under the California Consumer Privacy Act. We do not sell or share personal information for cross-context behavioral advertising. To exercise CCPA rights, see “Your rights” above.
European residents (GDPR)
If you are in the European Economic Area, the United Kingdom, or Switzerland, you have rights under the General Data Protection Regulation. Our legal basis for processing is your consent (when you create an account) and contract performance (delivering the Service). To exercise GDPR rights, see “Your rights” above. You may also lodge a complaint with your local data protection authority.
Children’s privacy
The Service is not directed to children under 18. We do not knowingly collect personal information from anyone under 18. If you believe a child has provided us with personal information, contact us at support@tryluuna.com and we will delete it.
Security
We use industry-standard technical and organizational measures to protect your information, including encryption in transit (HTTPS), encryption at rest, and access controls on our backend. No security measure is perfect, and we cannot guarantee the absolute security of your data.
International data transfers
We are headquartered in the United States. Your information may be transferred to and processed in the United States and other countries where our service providers operate. We rely on Standard Contractual Clauses or equivalent legal mechanisms where required.
Changes to this Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you in the app or by email. The “Last updated” date at the top reflects the most recent revision.
Contact
Questions or requests about this Privacy Policy? Contact us at support@tryluuna.com.
© 2026 Luuna, Inc. All rights reserved.