Privacy Policy
Last updated: 22 April 2026
Plain-language summary; please review with your own legal counsel before launch.
Lunio ("we", "us") is committed to protecting your personal data. This policy explains what we collect, why, the legal bases we rely on, and the rights you have under the EU/UK GDPR.
1. Who we are
Lunio is the data controller for the personal data described here. You can contact us via our support page for any privacy-related question, or to exercise the rights set out in section 8.
2. Data we collect
We collect only what's needed to deliver your routine and run the service:
- Quiz answers — child's age range, sleep challenges, schedule, living situation, screen-time context.
- Contact details — your email address (required to deliver the PDF) and, optionally, your child's first name to personalise the routine.
- Payment metadata — handled by Stripe; we receive an order reference, the amount, and your billing country, but we never see or store your full card details.
- Email delivery logs — message IDs and delivery status from our email provider, for support and deliverability.
- Basic technical data — IP address, browser type, and pages viewed, kept in short-lived server logs for security and abuse prevention.
3. Legal bases (GDPR Art. 6)
We process your data on the following bases:
- Performance of a contract — to deliver the routine you purchased and provide customer support.
- Legitimate interests — fraud prevention, service security, and aggregated analytics to improve the product.
- Consent — only where we explicitly ask for it (for example, optional marketing emails). You can withdraw consent at any time.
- Legal obligation — to retain invoicing records as required by tax law.
4. How we use your data
We use the information above to generate your personalised routine, deliver the PDF by email, respond to your support requests, prevent fraud, and keep the service secure. We do not sell your data, and we do not use it to train AI models.
5. Third-party processors
We rely on a small number of trusted processors. Each is bound by a data processing agreement and processes data only on our instructions:
- Stripe — payment processing (https://stripe.com/privacy).
- Resend — transactional email delivery (https://resend.com/legal/privacy-policy).
- Lovable Cloud / Supabase — application hosting and database (EU region) (https://supabase.com/privacy).
- Google Fonts — font delivery; fonts are self-served where possible to limit data sharing.
6. International transfers
Your data is stored in the European Union by default. Where a processor is located outside the EU/UK (for example, Stripe in the United States), transfers are protected by the European Commission's Standard Contractual Clauses and supplementary measures where required.
7. Retention
We keep personal data only as long as needed:
- Order and invoicing data — 7 years (legal/tax obligation).
- Quiz answers and generated routines — up to 24 months from purchase, then deleted or anonymised.
- Email delivery logs — 12 months.
- Suppression list (people who unsubscribed) — kept indefinitely so we don't email you again by mistake.
- Server logs — up to 30 days.
8. Your rights
Under the EU/UK GDPR you have the right to:
- Access the personal data we hold about you.
- Have inaccurate data rectified.
- Request erasure of your data, subject to our legal retention obligations.
- Restrict or object to certain processing.
- Receive your data in a portable, machine-readable format.
- Withdraw consent at any time, where processing is based on consent.
- Lodge a complaint with your local supervisory authority (in France, the CNIL — www.cnil.fr).
How to exercise these rights
Open a request from our support page using the address linked to your order. We will respond within one month, as required by GDPR.
9. Cookies and tracking
We use only essential cookies needed to make the site work (for example, to remember your language). We do not use advertising cookies. When you reach checkout, Stripe sets its own cookies for fraud detection — see Stripe's privacy notice linked in section 5.
10. Children
Lunio is intended for parents and caregivers. We do not knowingly collect personal data from children under 16. If you believe a child has provided personal data without parental consent, please contact us via our support page and we will delete it.
11. Security
Data is transmitted over TLS and encrypted at rest, and access is restricted to authorised personnel on a need-to-know basis. We review our security practices regularly. No system is 100% secure; if we ever suffer a personal data breach affecting your rights, we will notify you and the relevant supervisory authority as required by law.
12. Changes to this policy
We may update this policy from time to time. The "last updated" date at the top reflects the most recent change. Material changes will be communicated by email where appropriate.