Privacy Policy
Last updated: June 4, 2026
Effective date: June 4, 2026
1. Who we are
Lumo: Bible Journey (“Lumo”, “we”, “us”, or “our”) is a Bible learning, memorization, reflection, review, and social learning app.
The Service is operated by:
- Legal name: Davide Neri
- Website: https://lumobible.app
- Privacy contact: privacy@lumobible.app
This Privacy Policy explains what personal data we collect when you use the Lumo mobile app, website, and web app, why we collect it, who we share it with, how long we keep it, and the rights you have.
2. Information we collect
2.1 Account data
When you create an account or sign in, we may collect:
- Email address
- Username and display name
- Preferred language / locale
- Password credentials handled by Supabase Auth
- Authentication information from Google or Facebook/Meta if you choose those sign-in methods, such as name, email address, profile picture, and provider user ID
- Authentication tokens or session data, stored through Expo SecureStore on mobile and secure cookies or browser storage on web
We do not access your Google or Facebook contacts, posts, or friends list.
2.2 Learning, progress, and reflection data
To provide the core app experience, we collect and store data such as:
- Courses, chapters, and lessons you start, complete, skip, or review
- Exercise answers, correct and incorrect answers, accuracy, attempts, and wrong-answer history
- Review schedules, spaced repetition state, due dates, intervals, and memorization progress
- XP, levels, streaks, achievements, and other gamification data
- Reflection responses, including selected options and any free-text reflections or notes you choose to write
- Language preference and app settings
2.3 Feedback and support data
If you submit feedback, report an issue, or contact us, we may collect:
- Your written comments
- Page, lesson, or exercise context connected to the feedback
- Technical details needed to understand or fix the issue
- Your email address or account identifier if needed to respond
2.4 Social features
If you use social features, we may collect and process:
- Friend requests and friendships
- Invite links
- Activity posts
- Reactions and leaderboard activity
- Public or friend-visible profile information
- Limited profile statistics, such as XP, streaks, progress, or completed lessons
Your username, display name, and basic profile statistics may be visible to other users. Accepted friends will see additional activity, progress, leaderboard, and lesson completion information.
2.5 Notifications
If you allow push notifications, we collect and store:
- Expo push token or similar push notification token
- Device platform
- Notification preferences
- Notification interaction data needed to deliver or route notifications
You can disable push notifications in your device settings and, where available, in the app’s notification settings.
2.6 Device, technical, and usage data
We may collect technical and usage information such as:
- Device type, browser, operating system, app version, and platform
- IP address, used for security, diagnostics, and approximate location such as country or city
- Approximate time zone
- App lifecycle events
- Page views, screen views, taps, clicks, lesson completions, and feature usage
- Crash reports, logs, and error data
2.7 Cookies and similar technologies
On the website and web app, we use cookies and local storage for:
- Authentication and session management
- Session refresh
- Language preference
- Security
- Analytics and product improvement, where enabled
Strictly necessary cookies are required for the Service to work. Analytics cookies or similar technologies are used only where legally permitted and, where required, with your consent.
You can update your profile settings and export a copy of your user data from the Profile page in the app. The exported data includes the main account, progress, reflection, review, memorization, and social data connected to your account.
2.8 Data we do not collect
Unless this changes and we update this policy, Lumo does not access:
- Microphone
- Camera
- Contacts
- Photos
- Calendar
- Precise GPS location
At the moment we do not collect payment card details directly. If paid features are introduced, payments will be processed by Apple App Store or Google Play.
3. Religious content and sensitive data
Lumo helps users study and reflect on the Bible. Because of this, your use of the Service, including lessons you take, chapters you engage with, reflections you write, and learning activity, may reveal religious interests or beliefs.
Under GDPR, data revealing religious or philosophical beliefs can be considered special category personal data.
Where required, we process this type of data with your explicit consent and only for the purpose of providing and improving the Service. We do not sell this data, and we do not use it for advertising or third-party profiling.
Please do not include sensitive personal information in reflections, notes, or feedback unless you are comfortable providing it.
You can withdraw consent by deleting your account or contacting us, but withdrawing consent may mean we can no longer provide parts of the Service that depend on your learning, progress, or reflection data.
4. How we use information
We use personal data to:
- Create and manage your account
- Authenticate you and keep your account secure
- Provide lessons, exercises, memorization, reflection, review, progress tracking, streaks, XP, and social learning features
- Save your learning progress and personalize review timing
- Personalize language, content, reminders, and app experience
- Send push notifications, such as learning reminders, streak reminders, and friend request notifications
- Show public or friend-visible profile, activity, and leaderboard features
- Respond to feedback and support requests
- Analyze usage, diagnose issues, fix bugs, and improve the product
- Prevent abuse, protect the Service, and enforce our rights
- Comply with legal obligations
5. Legal bases under GDPR
Where GDPR applies, we rely on the following legal bases:
| Purpose | Data used | Legal basis |
|---|---|---|
| Create and authenticate your account | Account data | Contract |
| Provide lessons, progress tracking, memorization, reviews, and reflections | Learning and progress data | Contract; explicit consent where special category data is involved |
| Provide social features | Social data | Contract and/or consent |
| Send transactional emails | Email address | Contract |
| Send optional product or marketing emails | Email address | Consent |
| Send push notifications | Push token and preferences | Consent |
| Improve the product through analytics | Usage data | Legitimate interest and/or consent, depending on context |
| Secure the Service and prevent abuse | Technical data, logs, IP address | Legitimate interest |
| Comply with legal obligations | Relevant data | Legal obligation |
6. Analytics and service providers
We use trusted third-party service providers to operate and improve Lumo. These may include:
- Supabase for authentication, database, storage, and session management. Data is stored in Frankfurt.
- PostHog Cloud EU for product analytics, surveys, feedback events, error capture, crash reports, and diagnostics. PostHog is cloud-hosted in EU Central, Frankfurt. We do not use PostHog session replay.
- Microsoft Clarity for mobile product analytics and session interaction insights. Clarity is used on mobile only and may record session replays of app interactions. We configure Clarity to mask text inputs so that typed reflection, feedback, and other text-entry content is not visible in replay.
- Expo, Apple Push Notification service, Firebase Cloud Messaging, or similar providers for push notifications.
- Google and Facebook/Meta if you choose OAuth sign-in.
- Vercel or another hosting provider for the website and web app.
- Brevo for transactional emails such as email confirmation, password reset, account notices, and other service-related messages.
- Zoho for receiving and responding to support, privacy, and other user emails.
- Apple App Store and Google Play for app distribution and, if applicable, in-app purchases.
These providers process personal data on our behalf or as independent controllers depending on the service. We do not sell your personal data.
7. International transfers
Your information may be processed in countries other than the country where you live.
Where personal data is transferred outside the European Economic Area, the United Kingdom, or Switzerland, we rely on appropriate safeguards such as adequacy decisions, Standard Contractual Clauses, data processing agreements, and other legally recognized transfer mechanisms where required.
8. How we share information
We share personal data only as needed to:
- Provide the Service through the providers listed above
- Enable social features that you choose to use
- Send notifications and transactional messages
- Respond to your requests
- Comply with law, legal process, or regulatory obligations
- Enforce our rights and protect the Service
- Protect users, the app, or the public from harm or abuse
- Complete a merger, acquisition, financing, reorganization, or business transfer, if applicable
We do not sell personal information for money. We do not use your personal data for cross-context behavioral advertising.
9. Data retention
We keep personal data only for as long as needed for the purposes described in this policy, unless a longer period is required or permitted by law.
Current retention periods are:
- Account and learning data: for as long as your account is active
- Reflections and notes: for as long as your account is active, unless you delete them where deletion is available
- Feedback and support messages: up to 24 months
- Analytics events: up to 24 months, aggregated or pseudonymous where possible
- Deleted accounts: personal data deleted or anonymized within 30 days, except where limited retention is required for legal, security, fraud prevention, or accounting reasons
- Backups: overwritten or deleted within 30 days
- Security logs: overwritten or deleted within 30 days
10. Security
We use reasonable technical and organizational measures to protect personal data, including:
- Encryption in transit using TLS
- Encryption at rest where supported by our providers
- OS-secured storage for mobile authentication sessions
- Secure cookies or browser storage for web sessions
- Role-based database access and user-scoped queries
- Access controls for administrative systems
- Regular dependency and security updates
No method of transmission or storage is completely secure. If we discover a data breach affecting your personal data, we will notify you and the relevant authority where required by law.
11. Your choices and rights
Depending on where you live, you may have rights to:
- Access the personal data we hold about you
- Correct inaccurate data
- Delete your account and personal data
- Export your data in a portable format
- Object to or restrict certain processing
- Withdraw consent where processing is based on consent
- Opt out of optional marketing messages
- Lodge a complaint with a data protection authority
To exercise your rights, contact us at privacy@lumobible.app or use the in-app privacy/account settings where available.
If you are in Italy, you may also contact the Garante per la protezione dei dati personali.
We may need to verify your identity before responding to a request.
12. Account deletion
You can delete your account in the app by going to Profile → Account → Delete account. When your account is deleted, we delete or anonymize personal data associated with your account, except where we need to keep limited information for legal, security, fraud prevention, dispute resolution, or accounting purposes. If you cannot access the app, contact us at privacy@lumobible.app from the email address connected to your account.
13. Children
Lumo is intended for users aged 16 and older.
We do not knowingly collect personal data from children below this age. If you are a parent or guardian and believe that a child has provided us with personal data, contact us at privacy@lumobible.app and we will take appropriate steps to delete the data.
If we decide to allow younger users in the future, we will update this policy and add any required parental consent or age-appropriate privacy protections.
14. Push notifications and emails
If you enable push notifications, we may send you reminders about lessons, streaks, reviews, friend requests, or other app activity. You can disable push notifications in your device settings and, where available, in the app’s notification settings.
We may send transactional emails, such as password reset emails, account security messages, or important Service notices. These are part of the Service.
We send marketing or product update emails only where permitted by law and, where required, with your consent. You can unsubscribe from marketing emails at any time.
15. Changes to this policy
We may update this Privacy Policy from time to time. We will post the updated version at https://lumobible.app/privacy or another accessible location and update the “Last updated” date.
If we make material changes, we will provide additional notice where required, such as by email, in-app notice, or website notice.
16. Contact us
Questions or requests about this Privacy Policy can be sent to privacy@lumobible.app.