Privacy Policy
_Last updated: 7 June 2026_
Lunaire ("Lunaire", "we", "us", or "our") is operated by Akbarali Khasanov as a sole proprietor. This Privacy Policy explains what personal data the Lunaire iOS app ("the App") collects, how we use it, and the rights you have over it.
We built Lunaire to give you accurate, judgment-free cycle and reproductive-health guidance. Cycle data is some of the most sensitive information a person shares with software, and we treat it accordingly. Your cycle data is never sold, never used to target advertising, and never shared with a third party for their own marketing.
If you have any question about how we handle your data, write to hello@uishelf.com and we will reply within 30 days.
1. Who this policy applies to
This policy applies to everyone who installs the App, regardless of country. If you are in the European Economic Area, the United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR / UK-GDPR) applies and grants you the rights described in Section 8. If you are in California, the California Consumer Privacy Act (CCPA / CPRA) applies and grants you the rights described in Section 9.
The App is not intended for children under 13. If you are between 13 and 16, please use the App only with the consent of a parent or legal guardian.
2. Data we collect
We collect only what the App needs to do its job. Concretely:
2.1 Information you provide directly
- Cycle data: period start and end dates, flow level, ovulation indicators, symptoms (cramps, headache, etc.), mood, energy, sleep hours, and any free-text notes you add to a daily log.
- Reproductive-health context you optionally share during onboarding: current goal (track / try to conceive / avoid), cycle regularity, known conditions (PCOS, endometriosis, etc.), and pregnancy status.
- AI Chat messages: anything you type to the in-app AI coach. These messages are sent to Google's Gemini API for the sole purpose of producing the reply you see on screen.
- Profile data if you sign in with Apple: a stable Apple-provided user identifier, and the name and email address you choose to share at sign-in (Apple lets you hide your email behind a relay; we never see your real address in that case).
2.2 Information generated automatically
- Device data: iOS version, device model, app version, language, time zone, and a per-install identifier. Used to size database fields, schedule notifications correctly, and debug crashes.
- Push token: an APNs device token, only if you accept notifications, used to deliver reminders you opted into (period start, fertile window, etc.).
- Diagnostic events: anonymized crash reports and error counts via Sentry. No cycle data, message content, or personal identifiers are included in these events.
2.3 Information we do not collect
- We do not collect contacts, location, photos, microphone, or camera unless you explicitly enable a feature that needs them.
- We do not access HealthKit data unless you explicitly grant permission in iOS Settings.
- We do not collect advertising identifiers (IDFA). The App contains no third-party advertising.
3. How we use your data
We process your data only for the purposes listed below. Each purpose lists its lawful basis under GDPR.
| Purpose | What it does | GDPR basis |
| --- | --- | --- |
| Predicting your cycle | Estimating next period, fertile window, phase | Contract (Art. 6(1)(b)) |
| Generating insights and AI replies | Personalising guidance to your cycle context | Contract (Art. 6(1)(b)) |
| Sending notifications | Period start reminders, daily check-ins, etc. | Consent (Art. 6(1)(a)) |
| Authentication | Signing you in via Apple | Contract (Art. 6(1)(b)) |
| Subscription management | Verifying your Lunaire Premium status with Apple | Contract (Art. 6(1)(b)) |
| Debugging and improving the App | Diagnosing crashes, fixing bugs | Legitimate interest (Art. 6(1)(f)) |
| Complying with legal obligations | Responding to lawful requests, tax records | Legal obligation (Art. 6(1)(c)) |
Health information about your cycle is treated as a special category under GDPR Art. 9. Our processing is based on your explicit consent (Art. 9(2)(a)), which you give by entering data into the App. You can withdraw that consent at any time by deleting your account (Section 8.4).
4. Who we share data with
We only share data with the small number of service providers that make the App work. Each provider is bound by a data-processing agreement and may only use your data for the purpose we've assigned them.
| Provider | Where | What they get | Purpose |
| --- | --- | --- | --- |
| Hetzner Online GmbH (Germany) | EU (Falkenstein) | All cycle and profile data, encrypted at rest | Hosting our backend |
| Apple Inc. | USA | App Store sign-in token, subscription receipt | Authentication, subscription verification |
| Google LLC (Gemini API) | USA | Your AI Chat message content (no name, no profile) | Generating the AI reply |
| Sentry (Functional Software, Inc.) | USA / EU | Crash stack traces (no cycle data, no message content) | Diagnostics |
We do not share your data with advertisers, data brokers, insurers, employers, or government agencies โ except as required by binding legal process (Section 5).
If we ever need to transfer data outside the EEA / UK / Switzerland, we rely on the Standard Contractual Clauses approved by the European Commission, plus, for transfers to the United States, the EU-U.S. Data Privacy Framework where the recipient is certified.
5. Legal requests
We will disclose data only if compelled by a binding legal order from a court of competent jurisdiction. Where the law allows, we will notify you in advance so you can object. We publish an annual transparency report at lunaire.emojinest.com/transparency.
6. How long we keep your data
- Active accounts: we retain your cycle history and profile while your account is active because the prediction engine needs the history to be accurate.
- Inactive accounts: if you don't open the App for 24 months we send you a reminder. If you don't return within 6 more months, your account and all associated data are deleted.
- Deleted accounts: when you ask us to delete your account (Section 8.4), backend data is removed within 30 days. Encrypted backup snapshots are overwritten within 90 days.
- Chat history: AI Chat messages are stored locally on your device only. We do not retain a copy on our backend.
- Diagnostic events: retained 90 days.
7. Security
We treat health data the way we'd want our own treated.
- All traffic between the App and our backend is encrypted in transit using TLS 1.3.
- Backend data is encrypted at rest using AES-256.
- Apple Sign In tokens never expose your real email unless you choose to share it.
- The App uses iOS Keychain for credentials. Optional App Lock uses Face ID / Touch ID โ we never see or store the biometric template.
- We follow the principle of least privilege: only the engineer on call can access production data, and access is logged.
No system is perfectly secure. If we discover a breach affecting your data, we will notify you within 72 hours, as required by GDPR Art. 33.
8. Your rights (GDPR / UK-GDPR)
You have the following rights at any time. To exercise any of them, email hello@uishelf.com from the address attached to your account, or use the "Export my data" / "Delete account" buttons under Profile โ Settings โ Privacy.
1. Right of access (Art. 15) โ receive a machine-readable copy of all data we hold about you.
2. Right to rectification (Art. 16) โ correct inaccurate data. Most fields are editable directly in the App.
3. Right to erasure (Art. 17) โ request deletion. We comply within 30 days.
4. Right to restrict processing (Art. 18) โ pause processing while we resolve a dispute.
5. Right to data portability (Art. 20) โ export your data in JSON format.
6. Right to object (Art. 21) โ object to any processing based on legitimate interest.
7. Right not to be subject to automated decisions (Art. 22) โ the cycle-prediction engine produces estimates only; nothing in the App makes legally significant decisions about you.
If you believe we've mishandled your data, you have the right to lodge a complaint with your local supervisory authority. For EU residents, see https://edpb.europa.eu/about-edpb/about-edpb/members_en for the list of authorities.
9. Your rights (California โ CCPA / CPRA)
If you live in California you have the following rights:
- The right to know what categories of personal information we collect, the sources, the business purpose, and the categories of third parties we share it with. See Sections 2, 3, and 4 above.
- The right to delete the personal information we hold about you, subject to a few legal exceptions.
- The right to correct inaccurate personal information.
- The right to opt out of "sale" or "sharing" of personal information. We do not sell your personal information, and we do not share it for cross-context behavioral advertising.
- The right to limit the use of sensitive personal information. Health data is considered sensitive under CPRA; we only use it for the purposes listed in Section 3.
- The right to not be discriminated against for exercising any of these rights. Lunaire works identically whether or not you've made privacy requests.
To exercise any of these rights, email hello@uishelf.com. We will verify your identity using your Apple Sign In account and respond within 45 days.
10. Children's privacy
The App is not directed to children under 13 and we do not knowingly collect personal information from them. If you believe a child under 13 has shared data with us, email hello@uishelf.com and we will delete it immediately.
If you are between 13 and 16 in the European Economic Area, you need a parent or guardian's consent to use the App.
11. Changes to this policy
If we change this policy in a way that affects how we use your data, we will:
1. Notify you inside the App at least 30 days before the change takes effect.
2. For material changes that require fresh consent (under GDPR Art. 7), we will ask you to re-consent before continuing to use affected features.
The current version is always available at lunaire.emojinest.com/privacy and inside the App under Profile โ Settings โ Privacy Policy.
12. Contact
- Email: hello@uishelf.com
- Postal: Akbarali Khasanov, Tashkent, Uzbekistan (full address provided on request for data-subject requests under GDPR)
- Data Protection Officer: Not appointed (we don't meet the GDPR's mandatory DPO criteria), but privacy questions go to the email above.
Thank you for trusting Lunaire with your cycle data. We don't take it for granted.