Privacy Policy

Introduction

Luma ("we", "us", "our") is committed to protecting your privacy. This policy explains how we collect, use, and safeguard your personal information when you use our medication management service at getluma.health.

We understand that medication data is deeply personal. We treat your health information with the highest care and will never sell your data to third parties.

Data We Collect

Account Information

• Email address (required for account creation and notifications)
• Name (optional, used for personalisation)
• Phone number (optional, used for SMS notifications and verification)
• Password (stored securely using bcrypt hashing — we never store plaintext passwords)

Medication Data

• Medication names, dosages, and forms
• Dose schedules (times, days, frequency)
• Dose event history (taken, skipped, or missed)
• Prescription photos (when you use the scan feature — processed and then discarded)
• Notes you add to medications

Device Data

• Device identifiers and pairing information
• Battery status and connectivity data
• Firmware version information

Care Circle Data

• Relationships between patients and caregivers
• Permissions granted to caregivers

Technical Data

• IP address and browser user agent (for session security)
• Session data (login times, last activity)
• Push notification subscription endpoints

How We Use Your Data

• To provide medication reminders and tracking
• To send notifications (email, push, SMS) based on your preferences
• To enable caregivers you've authorised to monitor your schedule
• To generate consistency reports and weekly summaries
• To process prescription label scans into medication schedules
• To improve the service and fix issues

Third-Party Processors

We use the following third-party services to operate Luma. Each processes only the minimum data necessary:

Data Retention

• Account data is retained for as long as your account is active
• Dose event history is retained indefinitely to support long-term consistency tracking
• Prescription images are processed and discarded — they are not permanently stored
• Session data is automatically cleaned up after expiry
• When you delete your account, all personal data is permanently removed within 30 days

Your Rights

Under the UK General Data Protection Regulation (UK GDPR), you have the right to:

• Access — request a copy of all data we hold about you
• Rectification — correct any inaccurate personal data
• Erasure — request deletion of your personal data
• Data portability — receive your data in a machine-readable format
• Object — object to processing of your personal data
• Restrict processing — request that we limit how we use your data

You can export your data at any time from your account settings. To exercise any other right, contact us at privacy@getluma.health.

Health Data Sensitivity

We recognise that medication information constitutes sensitive health data under UK GDPR. We process this data on the basis of your explicit consent (provided when you create your account and agree to our terms) and because it is necessary to provide the service you have requested.

We implement appropriate technical and organisational measures to protect this data, including encryption in transit (TLS) and at rest, access controls, and regular security reviews.

Children's Data

Luma is not intended for use by children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at privacy@getluma.health and we will promptly delete it.

Governing Law

This privacy policy is governed by and construed in accordance with the laws of England and Wales. Any disputes relating to this policy shall be subject to the exclusive jurisdiction of the courts of England and Wales.

Contact Us

If you have any questions about this privacy policy or how we handle your data, please contact us at:

privacy@getluma.health