Privacy Policy · Version 2026-06-22
🔐 Luna Privacy Policy
Last updated: June 2026
📋 CONTROLLER
icoso Consulting SL (“Luna FemTech”)
Represented by: Daniel Osorio Fernandez
Calle Juan de Herrera 18, 4th and 5th floor
ES-39002 Santander (Cantabria), Spain (EU)
Privacy contact: privacy@icoso.es
🎯 SHORT AND HONEST
Luna encrypts your health data on your device (AES-256) before it ever reaches our servers; all our servers hold is ciphertext. In Standard mode a forgotten password can be reset, because a recovery copy of the key is safeguarded server-side. In Max Privacy mode no such copy exists: if you lose your password, only your Recovery Key can restore access, and nobody else (including us) can.
🔒 ENCRYPTION (KEK/DEK)
• All health data (cycle, symptoms, moods, BBT, journal) is encrypted with a random data key (DEK) using AES-256
• The DEK is wrapped (encrypted) with a key-encryption key (KEK) derived from your password
• Standard mode: a recovery copy of the DEK is safeguarded server-side, so a forgotten password can be reset
• Max Privacy mode: only you hold the key (your Recovery Key); there is no server-side copy and therefore no server-side recovery
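How the KEK/DEK split above plays out in code, as an added illustration rather than Luna's own implementation: the policy states only AES-256 and the two modes, so the KDF (PBKDF2-HMAC-SHA256 standing in for a memory-hard KDF), the AES-GCM wrapping format, the role labels and the server-held key used for Standard-mode recovery are assumptions of this example. Records are sealed under the DEK; the DEK is wrapped once per role that exists in the chosen mode, so a Max Privacy vault contains nothing a server key could unwrap, and a password change needs only a rewrap of the DEK, not re-encryption of the records.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

const kdfIterations = 100_000 // illustrative; Argon2id is the usual production choice

// PBKDF2-HMAC-SHA256 (RFC 8018), one 32-byte block, written out so only the standard
// library is needed. The page names no KDF, so this choice is an assumption.
func pbkdf2SHA256(password, salt []byte, iter int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // INT(1): block index
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		subtle.XORBytes(out, out, u)
	}
	return out
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func aeadSeal(key, plaintext []byte, label string) []byte {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // every key in this example is 32 bytes
	}
	gcm, _ := cipher.NewGCM(blk)
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, []byte(label)) // label as AAD: no cross-role replay
}

func aeadOpen(key, blob []byte, label string) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(blk)
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], []byte(label))
}

// Vault is the server-side record for one account; everything except Salt is ciphertext.
type Vault struct {
	Salt    []byte
	Wraps   map[string][]byte // role ("password", "recovery", "server") -> wrapped DEK
	Records [][]byte          // health data, each sealed under the DEK
}

// NewVault runs on the device: it creates the DEK and wraps it for the chosen mode. In Max
// Privacy mode the returned Recovery Key is shown to the user and never uploaded.
func NewVault(password, serverKey []byte, maxPrivacy bool) (v *Vault, recoveryKey []byte) {
	dek := randBytes(32)
	v = &Vault{Salt: randBytes(16), Wraps: map[string][]byte{}}
	v.Wraps["password"] = aeadSeal(pbkdf2SHA256(password, v.Salt, kdfIterations), dek, "dek:password")
	if maxPrivacy {
		recoveryKey = randBytes(32)
		v.Wraps["recovery"] = aeadSeal(recoveryKey, dek, "dek:recovery")
	} else {
		v.Wraps["server"] = aeadSeal(serverKey, dek, "dek:server")
	}
	return v, recoveryKey
}

// Unwrap recovers the DEK with one role's secret: password (KEK derived here), Recovery
// Key (Max Privacy) or server key (Standard reset). A role the mode never created has no wrap.
func (v *Vault) Unwrap(role string, key []byte) ([]byte, error) {
	if role == "password" {
		key = pbkdf2SHA256(key, v.Salt, kdfIterations)
	}
	blob, ok := v.Wraps[role]
	if !ok {
		return nil, errors.New(role + ": no wrapped DEK exists in this mode")
	}
	return aeadOpen(key, blob, "dek:"+role)
}

func (v *Vault) AddRecord(dek []byte, plaintext string) {
	v.Records = append(v.Records, aeadSeal(dek, []byte(plaintext), "record"))
}
```

To exercise it, create a vault in each mode and call Unwrap with the three roles: in Standard mode the server key succeeds and "recovery" does not exist; in Max Privacy mode "server" does not exist and the password and the Recovery Key yield the same DEK. A wrong password fails at GCM authentication rather than by string comparison, and a record blob cannot be opened under a wrap label, because the label is bound as associated data.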
📊 WHAT DATA WE PROCESS
Stored encrypted:
• Name, avatar, profile data
• Cycle data, symptoms, moods, BBT
• Journal entries
• Cycle predictions (computed deterministically in the app)
Stored unencrypted:
• Email address (for login; authentication via our self-operated service on EU servers)
• App settings (language, color scheme)
• Operational reminder metadata: frequencies, reminder times, medication category, contraception mode. Values (hormone numbers, medication names, notes) are encrypted — the operational fields stay plaintext because the local scheduler must read them to fire reminders.
🤖 AI SERVICES & EXTERNAL APIS
• Claude AI (Anthropic via AWS Bedrock, region eu-central-1 Frankfurt): nutrition and lifestyle tips. Data is anonymized before sending — no names, IDs or exact dates. Our server additionally strips identifiers you may type yourself into the chat (email addresses, phone numbers, IBAN) before sending. We log anonymized metadata per chat request for quality assurance (language, cycle phase, response length, a pseudonymous hash of your identifier) — NO chat content, retention max. 180 days. AI text processing stays entirely in the EU.
• Recipe and illustration images: gpt-image-1 (OpenAI). Image generation is processed in the USA (OpenAI, USA, safeguarded by EU Standard Contractual Clauses). Only an English search term for the motif is transmitted (e.g. salmon bowl) — no health data, no IDs.
• Barcode lookup: when you scan a medication package, the EAN is sent to public product databases (OpenFoodFacts) to suggest the name. The request runs through our EU backend — external services see neither your identity nor your IP. Cached EANs in our database carry no user identifier.
• Place autocomplete: when you optionally enter your place of residence, the city name you type is sent through our EU backend to OpenStreetMap Nominatim to show suggestions. The external service sees neither your identity nor your IP; the chosen place is stored only in your (encrypted) profile.
• Email delivery: sign-up and confirmation emails are sent via Scaleway Transactional Email (Paris, EU). Your email address is transmitted; processing stays in the EU.
• Fault diagnosis: crash and error reports are collected via Sentry (EU region) to ensure stability and security. Personal content is automatically removed (scrubbed) before sending. You can disable crash reports at any time in Settings (Privacy) — the change takes effect at the next app start.
• Subscription management: purchases and subscriptions are managed via RevenueCat (USA, safeguarded by EU Standard Contractual Clauses). Only the subscription status and a pseudonymous user identifier are transmitted: a sha256 hash of your account ID, not the ID itself. The hash is deterministic, so we can match it to your account, but RevenueCat never sees the account ID and cannot reverse it. No health data is transmitted.
All requests run through our EU backend — your device never contacts external services directly. AI text processing (Claude) stays in the EU.
⚖️ LEGAL BASES (GDPR)
• Art. 6(1)(a): Consent — for AI coaching and recipe suggestions
• Art. 6(1)(b): Performance of contract — for cycle tracking and core features
• Art. 6(1)(f): Legitimate interest — for crash and fault diagnosis (Sentry) and for anonymized quality assurance of AI responses (metadata only, no chat content; see "AI services"). You may object at any time (Art. 21), most easily via the crash-report switch in Settings or by email to privacy@icoso.es.
• Art. 9(2)(a): Explicit consent — for health data (special category)
🌍 INFRASTRUCTURE & THIRD-COUNTRY TRANSFERS
• Backend: Hetzner Cloud (EU)
• Database: operated by us on Hetzner Online GmbH servers (EU)
• Encrypted backups: Scaleway Object Storage (Paris, EU), ciphertext only; neither we nor Scaleway can read it in plaintext
• Your health data stays in the EU.
Transferred to the USA exclusively:
• Image generation (OpenAI): English search terms only — no health data, no identity (EU Standard Contractual Clauses).
• Subscription management (RevenueCat): subscription status and a pseudonymous identifier only (a sha256 hash of your account ID, which RevenueCat cannot reverse because it never sees the ID); no health data (EU Standard Contractual Clauses).
Apple (App Store) and Google (Play) process payment and store data as independent controllers under their own privacy policies.
🍎 APPLE HEALTH & GOOGLE HEALTH CONNECT
With your explicit consent, Luna imports health data from Apple HealthKit or Google Health Connect (e.g. sleep, resting heart rate, body temperature) to improve your cycle insights.
This data is used exclusively to provide app features — NOT for advertising, it is NOT sold and NOT shared with third parties.
Like all your health data, it is encrypted on your device under your DEK before upload (see the Encryption section). You can revoke access at any time in your device settings.
🛡️ BIOMETRIC DATA
• Face ID / Touch ID are processed only locally on your device
• We store no biometric data
• The stored password lives in the iOS Keychain / Android Keystore (hardware-backed on devices that provide a secure element or TEE)
❌ WHAT WE DON'T DO
• No advertising, no trackers, no analytics
• No data sales, no data sharing
• No profiling algorithms
✅ YOUR RIGHTS (GDPR)
• Art. 15: Access → Settings > Download data
• Art. 16: Rectification → profile editable at any time
• Art. 17: Erasure → Settings > Delete account (immediate, irreversible)
• Art. 20: Data portability → JSON export of all data
• Art. 21: Objection to processing based on legitimate interest (crash reports, anonymized AI quality metadata) → crash-report switch in Settings or privacy@icoso.es
• Art. 7(3): Withdrawal of consent → possible at any time
• Art. 77: Right to lodge a complaint with a data protection authority — e.g. the Spanish AEPD (www.aepd.es) or the authority of your place of residence
🔄 DATA RETENTION
• When you delete your account, your data is removed from our active systems immediately
• Residual copies in encrypted technical backups are deleted within 7 days as part of the daily backup cycle; should a backup exceptionally be restored, a logged procedure removes already-deleted accounts again
• Crash/error reports (Sentry) are deleted automatically after the provider's standard retention (90 days); on account deletion your events are actively purged
📧 Contact: privacy@icoso.es
🌙 Made with ❤️ in the EU