Your timeline never leaves your machine.

§ 01Summary

This policy describes what data Lunaflow collects, how we treat it, and the rights you have over it. It applies to the Lunaflow desktop app, browser extensions, and web app.

§ 02What we collect

We collect three categories of data, listed in order of sensitivity:

Account data

• Email address, hashed password (or OAuth identifier)
• Plan, billing status, invoice history (via Stripe)
• Locale, timezone, accessibility preferences

Derived statistics

• Per-daypart focus medians, switch density, deep-block counts
• Pattern fingerprints (statistical, not raw text)
• Goal commitments and progress series

Raw capture (local-only)

• Active window title and process name (desktop)
• Active tab URL and title (extension; subject to your blocklist)
• Session timestamps and durations

Raw capture stays in an encrypted SQLite database on your device. It only leaves to compute derivations, and only the derivations themselves are transmitted.

§ 03What we don't collect

We have explicitly chosen not to capture, and the product cannot capture:

• Keystrokes of any kind
• Screenshots or screen recordings
• Clipboard contents
• Microphone or camera
• The contents of files, emails, messages, or documents
• Third-party trackers on our marketing site (no Google Analytics, no Meta Pixel)

If a future feature would require any of the above, we will ask in plain language, explain why, and let you decline without losing the rest of the product.

§ 04Where it lives

Account data and derived statistics are stored on infrastructure operated by Hetzner (Falkenstein, Germany) for EU customers and AWS (Cape Town, af-south-1) for everyone else. You can pin storage to either region from Settings → Data residency.

Backups are encrypted with AES-256 and rotated every 24 hours. Backup data is destroyed 30 days after rotation; we do not maintain shadow copies elsewhere.

§ 05Sharing

We share data with the following processors, each under a signed DPA:

• Stripe — payment processing (card data never touches our servers)
• Postmark — transactional email (Sunday digest, receipts)
• Anthropic — readout phrasing (derived statistics only; no raw timeline)

We do not share, rent, or sell your behavioural data to advertisers, data brokers, employers, or insurers. Ever.

§ 06Retention

Free tier keeps a rolling four weeks of derivations. Paid tiers keep derivations indefinitely until you delete them. Raw capture retention is controlled entirely from your device.

On account deletion, derivations are removed within 30 days from primary storage and within 60 days from backups. Anonymised aggregates used for product metrics (e.g. “median morning continuity across the user base”) are retained without your identifier.

§ 07Your rights

Under POPIA (South Africa), GDPR (EU/EEA), and the CCPA (California), you have the right to:

• Access a full export of everything we hold on you (JSON, downloadable from Settings → Export)
• Rectify any incorrect personal data
• Erase your account and its derivations from one screen
• Restrict or object to processing of derivations
• Port your record to another service
• Withdraw consent for AI-generated readouts at any time

Requests are answered within 14 working days. If we cannot honour a request we explain why, in plain English, and tell you which authority you can complain to.

§ 08Children

Lunaflow is not intended for anyone under 16. We do not knowingly collect data from minors and will delete any account we discover to belong to one.

§ 09Contact

The Information Officer for Lunaflow Pty Ltd is reachable at privacy@lunaflow.app. Postal: 14 Bree Street, Cape Town 8001, South Africa.

If you believe we have mishandled your data, you may also lodge a complaint with the Information Regulator of South Africa or your local supervisory authority.