Privacy Policy

Luma PCOS Tracker is operated by Dawood Togoo, an individual sole proprietor based in Qatar. Our registered address is Building I 4, Street 1149, Floor 3, Apartment 308, Al Barbasati, Doha, Qatar. We are the data controller for personal data processed through luma-pcos.com and any associated mobile applications.

Designated privacy contact / Data Protection Officer: Dawood Togoo .dpo@luma-pcos.com. Privacy enquiries also accepted at privacy@luma-pcos.com. We acknowledge requests within 5 business days and respond substantively within 30 days (or sooner where legally required). Security vulnerability reports: security@luma-pcos.com . see our security.txt for the full disclosure policy.

Data you provide directly. name, age or date of birth, height, weight, profile photo, email address (for optional cloud sign-in), language preference, selected health goals, and symptoms you choose to track.

Health tracking data you enter. cycle dates and events, symptom logs, food and nutrition entries, supplement and medication notes, lab values extracted from uploaded reports, imaging scan notes, clinician questions, journal entries, and voice-note titles and metadata.

Uploaded documents (processed locally). when you upload a lab report (PDF or image), it is sent over HTTPS to a serverless text-extraction route. The file is processed transiently to extract text and is not stored on our servers. OCR for images runs in your browser.

Authentication data. if you choose to sign in, we receive your email address and a stable user identifier from Supabase. If you sign in with Google, Apple, or Facebook, the chosen provider authenticates you and shares only your email address and a per-app unique ID with Supabase. We do not receive your social-network friend lists, posts, photos, contacts, or profile graph. We do not receive or store any password; sign-in is handled by Supabase Auth and the chosen identity provider.

Technical data. standard server logs (IP address, browser type, request path, timestamps) generated when you load pages or call API routes. These are retained for a short period for security and debugging. We do not currently use cookies for advertising or tracking analytics.

What we do NOT collect. we do not collect government identification numbers, payment card details, social media profiles, or location data.

If you are in the European Economic Area (EEA), the United Kingdom, or another jurisdiction that requires a documented lawful basis, we rely on the following:

• Your explicit consent (Art. 9(2)(a) GDPR). for processing special-category health data. You provide this when you actively use health-tracking features. For optional cloud sync, you must tick a consent checkbox before sign-in is enabled. You can withdraw consent at any time by deleting your data in Settings.
• Contract performance (Art. 6(1)(b) GDPR). to operate the core features of the app you have signed up for.
• Legitimate interests (Art. 6(1)(f) GDPR). for security logging and fraud prevention, where our legitimate interest is not overridden by your rights.

We do not use your health data for profiling, automated decision-making, advertising, or any purpose other than providing the Luma PCOS Tracker service to you.

Your data is used exclusively to:

• Display your personal trends, lab comparisons, and symptom patterns within the app.
• Generate clinician-ready summaries and exportable reports at your request.
• Allow you to back up and restore your data if you enable optional cloud sync.
• Maintain the security and integrity of the service.

We do not sell your data, share it with advertisers, use it to train AI models, or disclose it to third parties except as described in Section 5.

Sub-processors. Luma PCOS Tracker uses the following third-party services, each governed by their own privacy policies and data-processing agreements:

• Supabase. hosts optional cloud authentication and your encrypted text snapshot. Data is stored in the region selected for the project.
• Vercel. hosts the web application and processes standard HTTPS request logs.
• Google LLC. only if you choose “Continue with Google”, in which case Google authenticates you and shares your email and a stable user ID with Supabase.
• Apple Inc.. only if you choose “Continue with Apple”, in which case Apple authenticates you and shares an Apple-specific user identifier (and optionally a relay email) with Supabase.
• Meta Platforms, Inc. (Facebook Login). only if you choose “Continue with Facebook”, in which case Meta authenticates you and shares your email and a per-app user ID with Supabase. We do not request, receive, or use any extended Facebook permissions (no friend list, no posts, no photos, no contacts).
• Cloudflare, Inc.. fronts our DNS, edge proxy, and TLS for luma-pcos.com. Cloudflare sees encrypted traffic and HTTP request metadata only.
• Zoho Corporation Pvt. Ltd.. provides SMTP for transactional outbound email (magic-link sign-in messages, account confirmations, support replies). No health data ever passes through SMTP.
• Functional Software, Inc. (Sentry). collects technical error reports and basic performance telemetry (browser type, page URL, JavaScript stack traces) so we can detect and fix bugs. Sentry is configured to redact form values and other potentially-sensitive content before transmission. No health values, journal text, lab values, or user identifiers are sent to Sentry.

We do not use any other third-party data processors. We do not load advertising SDKs, analytics SDKs, or social-media tracking pixels.

Cross-border transfers. if you are in the EEA or UK and your data is transferred to the United States (where Supabase and Vercel have infrastructure), such transfers take place under Standard Contractual Clauses (SCCs) or an equivalent approved transfer mechanism.

Legal disclosure. we may disclose data if required by law, court order, or regulatory authority, or if necessary to protect the safety of users or the public. We will inform you of such requests where legally permitted to do so.

Business transfer. if Luma PCOS Tracker is acquired or merged, user data would be transferred as part of that transaction and you would be notified of any material change to this policy.

We never sell personal data. We never share health data with insurers, employers, or advertisers.

Luma PCOS Trackercan bring in cycle history you’ve recorded in another app, in two ways:

• Apple HealthKit (iPhone) and Google Health Connect (Android). on the native iPhone or Android app, tap “Connect Apple Health” or “Connect Google Health.” iOS / Android show a system permission sheet where you grant Luma PCOS Tracker read access to onlythe menstrual cycle category. We never write to either system, and we never read any health category outside the ones you grant. The data is read on your device and only reaches our servers if you’ve separately enabled cloud sync in Settings.
• File import. you can drop in a file you exported from another tracker: Apple Health export.zip, Clue CSV. The file is parsed in your browser; the original file is never uploaded to us.

We do notsign in to or talk to any third-party cycle app (Flo, Clue, Stardust, Natural Cycles, etc.) directly. Those apps don’t offer a public API for third parties to read user data. The OS health hubs above are the legitimate channel. most cycle apps write there with your permission inside their own app.

You can disconnect at any time from your phone’s Health (iOS) or Health Connect (Android) settings. Luma stops being able to read new entries the moment you revoke. Already-imported cycles remain in your local Luma store until you delete them from Settings.

Your account is hosted by Supabase. Sign-in is available via Google, Apple, or a Supabase-managed email/password account, with passwordless email magic links available as a fallback. Supabase and the chosen identity provider handle authentication; we never see your password.

Your health data stays in your browser by default. Lab values, symptoms, cycles, journal entries, supplements, medications, imaging notes. all of it lives in IndexedDB on your device. Nothing health-related is uploaded to our servers unless you explicitly enable cloud sync.

If you choose to enable cloud sync from Settings → Optional cloud sync, an encrypted text snapshot of your structured data (extracted lab values, journal text, symptom logs, etc.) is stored in Supabase. Original PDF files, screenshots, and voice recordings are never uploaded.

Cloud data is protected by Supabase Row Level Security (RLS) so that only your authenticated account can read or modify your rows.

You can delete your cloud copy at any time from Settings → Optional cloud sync → Clear cloud copy. Deletion removes your data from Supabase immediately; local browser data is unaffected.

Depending on your location, you have some or all of the following rights:

• Access. request a copy of the personal data we hold about you. Most of your data is already accessible in the app and exportable via Settings → Export.
• Correction. ask us to correct inaccurate data.
• Erasure (“right to be forgotten”). delete your data from Settings at any time. If you have cloud sync enabled, use “Clear cloud copy” to delete server-side data. For complete erasure requests, email privacy@luma-pcos.com. Facebook users may also trigger account deletion through Facebook's app settings; we honour these requests through our automated callback at /api/facebook/data-deletion.
• Portability. export your data as JSON, CSV, or PDF from Settings → Export at any time, in machine-readable format.
• Restriction. ask us to restrict processing in certain circumstances.
• Object. object to processing based on legitimate interests.
• Withdraw consent. you may withdraw health-data consent at any time by clearing your data or disabling cloud sync. Withdrawal does not affect the lawfulness of prior processing.
• Complaint. you have the right to lodge a complaint with your national data protection authority (e.g., the ICO in the UK, the relevant DPA in your EU member state).

To exercise any of the above rights, contact us at privacy@luma-pcos.com. We acknowledge requests within 5 business days and respond substantively within 30 days (or sooner where required). If a request is complex we may need additional time and will tell you within the 30-day window. If we reject a request we will explain why and tell you how to lodge a complaint with the relevant data protection authority.

Luma PCOS Tracker is intended for adults. PCOS is clinically an adult condition; we ask all users to confirm they are 18 or older when creating an account.

We do not knowingly collect personal data from children under 13 (or the applicable age of digital consent in your jurisdiction. 16 in most EU member states, 13 in the US under COPPA) without verifiable parental consent.

If you believe a child has provided us with personal data without appropriate consent, please contact us immediately at privacy@luma-pcos.com and we will delete the data promptly.

Adolescents aged 13–17 with a clinical reason to track (rare adolescent presentations referred to a clinician) should use the app only with parental or guardian oversight. Health data from minors is especially sensitive and should be handled with extra care.

We implement reasonable technical and organisational measures to protect your data, including:

• HTTPS/TLS encryption for all data in transit (HSTS preloaded).
• Supabase Row Level Security ensuring only your authenticated account can access your cloud rows.
• Postgres encryption at rest for cloud snapshots (managed by Supabase).
• Local-first architecture. most sensitive data never leaves your device by default.
• Local account passwords (used only when you decline OAuth) are protected with PBKDF2-SHA256 at 600,000 iterations and a unique 128-bit salt per account, following OWASP 2023 guidance.
• OAuth-based cloud authentication. we do not store your social-login passwords.
• No original uploaded PDFs or voice recordings stored server-side.
• Automated dependency vulnerability scanning on every code change (CI fails on high-severity advisories).

Breach notification. In the unlikely event of a personal data breach affecting your data, we will notify the National Data Privacy Office of Qatar (and your local data protection authority where applicable) within 72 hours of becoming aware, and we will notify you directly without undue delay if the breach is likely to result in a high risk to your rights and freedoms. Our internal breach response procedure is documented in our private Breach Response Plan.

Vulnerability disclosure. If you discover a vulnerability, please disclose it responsibly to security@luma-pcos.com. Our policy is published at /.well-known/security.txt. We acknowledge reports within 5 business days and will not pursue legal action for good-faith research within scope.

Local data. stored in your browser indefinitely until you clear browser storage, uninstall the app, or use Settings → Delete all local data.

Cloud snapshot. if you enable optional sync, your cloud row persists until you click “Clear cloud copy” in Settings or email us requesting deletion. Inactive cloud snapshots are also automatically deleted after 24 months of no sign-in. your auth account is preserved so you can sign back in and re-sync from local data if you have it.

Server logs. standard HTTPS access logs (IP, path, timestamp) are retained for up to 90 days for security purposes, then deleted.

Transient PDF processing. uploaded PDF files are processed transiently for text extraction and not written to persistent server storage.

Luma PCOS Tracker does not use advertising cookies, tracking pixels, or third-party analytics SDKs. We use only:

• Supabase auth cookies. a session cookie set by Supabase when you sign in for optional cloud sync. This is necessary for authentication only.
• Browser localStorage. used locally on your device to remember your session and last sync timestamp. This data stays on your device.

We do not use Google Analytics, Facebook Pixel, or any other third-party tracking service. If this changes, this policy will be updated with full disclosure before the change takes effect.

European Economic Area & Switzerland (GDPR). you have all the rights in Section 7. Our lawful bases are described in Section 3. You may contact your national DPA to lodge a complaint.

United Kingdom (UK GDPR & Data Protection Act 2018). the same rights apply. The supervisory authority is the Information Commissioner's Office (ICO): ico.org.uk.

California, USA (CCPA / CPRA). California residents have the right to know what personal information we collect, to delete it, to opt out of sale (we do not sell data), and to non-discrimination. To exercise these rights, contact privacy@luma-pcos.com. We do not sell or share your personal information for cross-context behavioural advertising.

Canada (PIPEDA / Bill C-27). we collect, use, and disclose personal information with your knowledge and consent, for the purposes described in this policy. You have the right to access and correct your information. Contact privacy@luma-pcos.com to exercise these rights.

Australia (Privacy Act 1988 / APPs). we comply with the Australian Privacy Principles. You may request access to or correction of your personal information by contacting privacy@luma-pcos.com. You may also complain to the Office of the Australian Information Commissioner.

Qatar (Personal Data Privacy Protection Law No. 13/2016). we process personal data with appropriate consent and security measures as required by Qatari law. Health data is treated as sensitive data under Qatari regulations and is processed only with explicit consent and proportionate safeguards.

United Arab Emirates. we comply with applicable UAE data protection frameworks, including Federal Decree-Law No. 45/2021. Health data is treated as sensitive and processed only with explicit consent.

Other jurisdictions. we aim to meet the spirit and requirements of applicable local data protection laws worldwide. If your jurisdiction has specific requirements not covered here, contact us at privacy@luma-pcos.com.

Luma PCOS Tracker is positioned as a personal wellness and health-tracking tool. It is not a regulated medical device, does not diagnose conditions, and is not intended for emergency use.

Apple App Store and Google Play submissions will include accurate privacy nutrition labels / data safety forms reflecting:

• Health and fitness data collected (symptom logs, cycle data, lab values). linked to identity only if cloud sync is enabled.
• User content (journal entries, voice-note metadata). stored locally; synced only with explicit consent.
• Contact info (email). collected only for optional cloud sign-in.
• No data sold to third parties.
• No data used for tracking across other apps.

Before public App Store or Google Play release, this policy and the store metadata will be reviewed by qualified legal counsel to ensure full compliance.

Luma PCOS Tracker may surface patterns and suggest topics worth discussing with a clinician. It must never be used as a substitute for professional medical advice, diagnosis, or treatment. Always seek qualified medical care for any health concern. Do not delay or disregard professional medical advice based on anything displayed in this app.

If you are in a medical emergency, call your local emergency services immediately.

We may update this policy from time to time. Material changes will be announced with at least 30 days notice via the app or email (if you have provided one). Continued use of Luma PCOS Tracker after the effective date of an updated policy constitutes acceptance of the changes.

You can always find the current version of this policy at luma-pcos.com/privacy.

For any privacy question, data request, or concern, contact us at: privacy@luma-pcos.com

• privacy@luma-pcos.com privacy enquiries and data requests
• support@luma-pcos.com account help and bug reports
• hello@luma-pcos.com general questions
• noreply@luma-pcos.com. automated transactional emails (do not reply)

Legal entity: Dawood Togoo (Individual / Sole Proprietor)
Jurisdiction: Qatar
Registered address: Building I 4, Street 1149, Floor 3, Apartment 308, Al Barbasati, Doha, Qatar