Security

How we protect your data.

Luminelle handles sensitive personal data - cycle logs, journal entries, selfies. We take that seriously. For the full account of what we collect and why, see our Privacy Policy.

Accounts and sign-in

Sign-in is handled by a managed authentication provider. Passwords are hashed and never stored in clear text. Sign in with Google is available as an option - your Google password is never shared with us.

Encryption

All traffic between your device, our website, and our servers is encrypted in transit. Data at rest on our servers is encrypted at the storage layer.

Access

Every request to our backend is scoped to your authenticated account. One user cannot read another user’s data. Internal access by our team is limited to what’s needed for operations and support; we do not routinely read journal entries or view selfies.

Where your data lives

Your account data and history are stored on servers in the EU.

Providers we work with

The third parties that process Luminelle data on our behalf:

  • Supabase - database and authentication.
  • Cloudflare - backend hosting.
  • Azure OpenAI - analysis of selfies and product/meal photos.
  • RevenueCat - subscription state.
  • OneSignal - push notifications.
  • Google - sign-in (optional) and website analytics.

See the Privacy Policy for more.

If something goes wrong

If a personal data breach occurs that is likely to put your rights at risk, we will notify the competent authority within 72 hours of becoming aware, and notify affected users without undue delay.

What we don’t claim

We’re an early-stage product. We do not currently hold SOC 2, ISO 27001, or HIPAA attestations, and Luminelle is not a HIPAA-covered service. If your use case requires a formal certification, Luminelle may not be the right fit today.

Reporting a vulnerability

If you find a security issue, please email info@luminelle.ai with a clear description, steps to reproduce, and your assessment of impact.

We commit to acknowledging your report in good faith, investigating promptly, and not pursuing legal action against good-faith researchers who follow this policy - do not exfiltrate user data, do not disrupt the service, and give us reasonable time to fix the issue before public disclosure. We do not currently run a paid bug bounty.