Privacy Policy

Last updated: November 2026

Overview

Luukza is a privacy-first app suite. This policy explains what data we collect, why, and how it is stored. We do not sell your data, serve ads, or share your personal information with third parties except where required to provide the service (e.g. payment processing).

By default, all Luukza apps operate entirely on your device. No data is sent to any server unless you explicitly enable cloud sync (Plus tier and above).

Data we collect

Free tier (local-only)

When using the free tier without an account, Luukza collects no personal data. All app data (entries, lexicon items, notes) is stored locally on your device and never transmitted.

Account creation (Plus / Pro / Pro+)

When you create an account, we collect:

  • Email address (required for sign-in)
  • A hashed password or Apple Sign In token — we never store plain-text passwords
  • Account metadata: creation date, subscription tier, last sync timestamp

Synced app data

When cloud sync is enabled, your app data (lexicon entries, knowledge items, journal text, file metadata) is stored in Supabase with row-level security. Only your account can access your data. Binary files (images, audio, PDFs) are stored in Cloudflare R2, referenced by your account ID.

Payment data

Pro and Pro+ subscriptions are processed by Stripe. Luukza does not store card numbers or payment details. Stripe may retain payment information in accordance with its own privacy policy.

How we use your data

  • To provide cloud sync across your devices
  • To authenticate your account and manage your subscription
  • To calculate storage usage for overage billing (Pro / Pro+)
  • To respond to support requests if you contact us

We do not use your data to train AI models. AI features (available on Plus and above) process your data in-context via the Claude API — Anthropic's privacy policy governs that processing, and we do not send more data than necessary for each request.

Data storage and security

Structured data (account info, app content) is stored in Supabase with row-level security policies — only authenticated requests from your account can read or write your data.

Binary files are stored in Cloudflare R2. Journal entries can be encrypted locally before sync using device-level encryption (available from Phase 6).

All connections to Luukza services use HTTPS/TLS. We do not operate our own servers — infrastructure is provided by Supabase (PostgreSQL) and Cloudflare (CDN, R2, Pages).

Data retention and deletion

You can delete your account at any time from within the app. Account deletion permanently removes all synced data from Supabase and Cloudflare R2. Local data on your device is removed when you uninstall the app.

Stripe may retain billing records for up to 7 years as required by law.

Third-party services

  • Supabase — auth and database (GDPR-compliant, EU region available)
  • Cloudflare R2 — file storage
  • Stripe — payment processing
  • Anthropic (Claude API) — AI features (Plus and above)
  • Apple (StoreKit) — in-app purchase subscriptions

Your rights

Depending on your jurisdiction, you may have rights to access, correct, export, or delete your personal data. To exercise these rights, contact us at privacy@luukza.com.

For users in the EU or UK: Luukza complies with applicable data protection legislation. Data processing is based on contract performance (providing the service) and legitimate interest. You may request a copy of your data or its deletion at any time.

Contact

For privacy-related queries: privacy@luukza.com

This policy was last updated in November 2026. Material changes will be communicated via email to registered users.