Privacy Policy

Last updated: May 10, 2026 (v2)

Lunarosa is built so we can't read your health data — even if we wanted to. This policy explains what we collect, what we don't, who we share it with, and the rights you have. It's written to be honest first, legal-grade second. If anything here is unclear, email support@lunarosa.app.

Who we are

Lunarosa is a period-tracking application operated by Horizon Digital Engineering LLC ("we," "us," "Lunarosa"). We are the controller of personal data processed through the Lunarosa app and lunarosa.app marketing pages. You can reach our privacy team at support@lunarosa.app.

What we collect

We try to collect as little as possible. Here is the complete list:

Account credentials — your email address, used only for authentication. We hash your email with HMAC-SHA256 before storing it; the plaintext email never sits in our database.

Profile (optional) — name, gender, date of birth, country, preferred language. All optional. None of these are required to use the app.

Health data (encrypted on your device) — period dates, flow intensity, symptoms, mood, notes. This data is encrypted on your device with a key derived from your PIN before it is sent to our servers. We store ciphertext only; we cannot read the contents.

Billing data (Premium subscribers only) — Stripe handles payment processing. We see your subscription status (active, past due, canceled) and a customer ID. We never see your full card number.

Crash reports (inside the app only) — when the app encounters an unexpected error, we send a stack trace to Sentry so we can fix the bug. Health-data routes are filtered before any error is sent. Crash reporting only operates inside the authenticated app, never on the marketing pages.

What we do not collect:

  • Plaintext email or phone — we store one-way hashes only
  • Location, GPS, contacts, photos, or any other device data
  • Browsing history or behavioral patterns
  • Apple Health, Google Fit, or any external health data — there is no integration
  • Marketing analytics, ad pixels, session replay, or any third-party tracking technology

How we use your data

We process your data only to operate Lunarosa: to authenticate you (email/account credentials), let you log and view your cycle (encrypted health data), bill you for Premium if you subscribe (billing data), and fix bugs that the app throws at us (crash reports, inside the app only). We do not use your data for advertising, marketing analytics, profiling, or sale of any kind.

Zero-knowledge encryption

Your health data is encrypted with keys only you possess.

When you set your PIN, a key is derived from it on your device using PBKDF2 with 200,000 iterations of SHA-256. Health data is encrypted with AES-GCM before it leaves your device. We store ciphertext on our servers. We do not store your PIN. We cannot decrypt your data, and neither can our infrastructure providers, even if compelled to try.

If you lose your PIN and your recovery key, your data is permanently lost. We cannot recover it. This is intentional — it's the only way to guarantee that no one (including us) can ever access your private health data.
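The scheme described above, as an added Node.js sketch that is not Lunarosa's own code: the key is derived on the device, only salt, nonce, ciphertext and tag are uploaded, and a wrong PIN fails the AES-GCM tag check instead of yielding data. The salt size, 256-bit key, 12-byte nonce, record layout and function names are assumptions; the policy states only PBKDF2 with 200,000 iterations of SHA-256 and AES-GCM.

```javascript
// Added illustration, not Lunarosa's code. Salt size, key length, nonce size
// and record layout are assumptions; the policy states only PBKDF2
// (200,000 iterations, SHA-256) and AES-GCM.
const nodeCrypto = require("node:crypto");

const ITERATIONS = 200000; // from the policy
const KEY_BYTES = 32;      // assumption: AES-256

// Runs on the device: derive the key from the PIN and a per-user random salt.
function deriveKey(pin, salt) {
  return nodeCrypto.pbkdf2Sync(pin, salt, ITERATIONS, KEY_BYTES, "sha256");
}

// Runs on the device: returns the only fields that would be uploaded.
function encryptEntry(pin, plaintext) {
  const salt = nodeCrypto.randomBytes(16);
  const nonce = nodeCrypto.randomBytes(12); // fresh nonce for every encryption
  const key = deriveKey(pin, salt);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, nonce);
  const ciphertext = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return { salt, nonce, ciphertext, tag: cipher.getAuthTag() };
}

// Runs on the device: returns the plaintext, or null when the PIN is wrong
// or the stored record was altered (the GCM tag check fails in both cases).
function decryptEntry(pin, record) {
  const key = deriveKey(pin, record.salt);
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, record.nonce);
  decipher.setAuthTag(record.tag);
  try {
    const plain = Buffer.concat([decipher.update(record.ciphertext), decipher.final()]);
    return plain.toString("utf8");
  } catch (err) {
    return null;
  }
}

// Constructed sample entry and PINs, for demonstration only.
const SAMPLE_ENTRY = JSON.stringify({ date: "2026-05-01", flow: "medium", mood: "tired" });
const record = encryptEntry("481516", SAMPLE_ENTRY);
console.log("server stores:", Object.keys(record).join(", "));
console.log("right PIN:", decryptEntry("481516", record));
console.log("wrong PIN:", decryptEntry("000000", record));
```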

We do not track you (cookies + analytics)

We make this commitment explicitly because most apps do not:

  • No advertising networks. No ad pixels. No retargeting.
  • No third-party analytics (no Google Analytics, no PostHog, no Mixpanel, no Segment, no Amplitude).
  • No session replay or behavioral monitoring.
  • No tracking cookies. The marketing pages set no cookies that identify you. The only cookies are the strictly-necessary authentication cookies inside the logged-in app, which expire when you sign out.
  • No fingerprinting. No persistent device identifiers beyond what's strictly needed for authentication.

The only client-side telemetry that runs is the crash reporter (Sentry), and only inside the authenticated app — never on the marketing pages, and only after you've created an account and accepted these terms.

Service providers we rely on

We use the following service providers ("subprocessors") to run the app. Each is contractually bound to handle your data only as we direct.

  • Vercel — hosting and serverless functions. Production database is in São Paulo (Brazil); static assets are cached at edge nodes globally. Data is encrypted at rest.
  • Upstash — short-lived authentication tokens and rate-limiting counters (Redis). No long-term data is stored here.
  • Sentry — crash reporting from inside the authenticated app. Health-data routes are filtered before any error is sent. No replay, no breadcrumbs of user input.
  • Stripe — payment processing for Premium. Stripe receives card data directly; we never see it. We receive only your subscription status.

If we add or remove a subprocessor, we will update this list and the "Last updated" date above.

We do not sell or share your data

We do not sell your personal data, and we do not "share" it for cross-context behavioral advertising as those terms are defined under the California Consumer Privacy Act. We do not exchange your data with data brokers. We do not run ad campaigns that rely on your behavior. We make money from optional Premium subscriptions, not from your data.

"Do Not Sell or Share My Personal Information": because we do not sell or share, no opt-out is needed. To exercise the right anyway, or to confirm: email support@lunarosa.app with the subject "DNSH Request" and we will respond in writing within 15 business days.

Your rights

We honor these rights for every user, regardless of where you live:

  • Right of access: view all your data within the app at any time
  • Export / Portability: download your data in a portable format from the app
  • Right to correct: update or modify your profile and health data within the app
  • Delete: delete your account and all associated data from inside the app (Profile → Account → Delete account). Deletion is permanent and irreversible. If you cannot reach the in-app flow, email support@lunarosa.app and we will action the deletion within 30 days.
  • Withdraw consent: revoke your consent for processing at any time. Practically, this is the same as deleting your account.
  • Complain: lodge a complaint with your local data protection authority. For EU residents, find yours at edpb.europa.eu. For California residents, the CPPA at cppa.ca.gov.

We respond to verifiable rights requests within 30 days for GDPR/LGPD and 45 days for CCPA/CPRA/MHMDA. We may extend by up to an additional 45 days where reasonably necessary, and will notify you if we do.

How long we keep your data

Active accounts: we keep your data until you choose to delete it.

When you delete your account: all associated data is permanently removed from our primary database immediately. Database backups may retain data for up to 35 days before they are overwritten by their normal rotation; we do not access backup data except to restore a system after an incident.

Inactive accounts: we may delete accounts that have not been logged into for 24 consecutive months. You can request earlier deletion at any time.

Security

We use modern transport security (HTTPS / TLS 1.3 only), database encryption at rest, strict Content Security Policy headers, HSTS, secure HTTP-only cookies for authentication, and short-lived JWT sessions. Health data is end-to-end encrypted before leaving your device. Authentication tokens have rate limiting via Redis. We follow standard secure-development practices including code review, automated security scanning (Semgrep), and dependency auditing. No security control is absolute; if a breach occurs, we will notify affected users and the relevant data protection authorities as required by applicable law (GDPR within 72 hours, CCPA without unreasonable delay, etc.).

International data transfers

Our primary database is in São Paulo, Brazil. Our infrastructure providers (Vercel, Stripe, Sentry) are based in the United States; data transferred to them relies on Standard Contractual Clauses adopted by the European Commission for EU/UK transfers, and equivalent safeguards for other jurisdictions. By using Lunarosa, you understand that your data may be processed in the United States and other countries with different data-protection laws than your home country.

Children

Lunarosa is not directed at children. We require users to be at least 13 years old. In the European Economic Area, the United Kingdom, Canada, and other jurisdictions where local law requires a higher age of consent, the minimum age is 16. If you are between 13 and 18 (or whichever age of majority applies where you live), you should have permission from a parent or guardian. If we learn that we have collected personal data from a child below the applicable minimum age, we will delete it promptly. Parents can email support@lunarosa.app to request deletion of a minor's data.

United States — state-specific notices

California (CCPA / CPRA):

Lunarosa collects the categories of personal information listed in "What we collect" above (identifiers, characteristics protected by California or US law, internet activity limited to authenticated app crash reports, health-related data classified as sensitive personal information under the CPRA). We collect this information for the business purposes described in "How we use your data." We do not sell personal information and we do not share it for cross-context behavioral advertising. You have the right to know, delete, correct, limit the use of sensitive personal information, opt out of sale/sharing (not applicable — we do neither), and not be retaliated against for exercising your rights. To exercise any right, email support@lunarosa.app. We will not discriminate against you for exercising any right.

Washington (My Health My Data Act) and Nevada:

Period and cycle data is "consumer health data" under the Washington My Health My Data Act and similar Nevada law. We collect it only with your affirmative consent (you provide it by entering it into the app), use it solely to provide the app to you, and do not sell or share it. We list categories of consumer health data and the subprocessors that may process it in the sections above. Washington and Nevada residents have the right to confirm whether we are processing their consumer health data, the right to a list of all third parties that have received it (we list ours above), the right to withdraw consent, and the right to deletion. Email support@lunarosa.app to exercise these rights. The Washington Attorney General can be reached at atg.wa.gov.

HIPAA does not apply

Lunarosa is not a HIPAA-covered entity. HIPAA protects information held by healthcare providers, health plans, and their business associates. We are a consumer wellness app. The fact that the data is sensitive does not bring us within HIPAA. We tell you this so you can make an informed decision about what to log. (Practically, we believe our zero-knowledge architecture protects your data more strongly than HIPAA would require — but we don't make a HIPAA promise we are not legally obligated to make.)

Communications from us

We email you transactional messages only: magic-link sign-ins, password / PIN recovery, billing receipts, and material changes to this privacy policy or our terms. We do not send marketing emails. We do not run a newsletter. If we ever introduce one, it will be opt-in only.

Changes to this policy

We will update this policy when our practices change. The "Last updated" date at the top of this page reflects the most recent version. For material changes, we will email you and require renewed consent before continuing to use your data under the new terms.

Contact us

Questions, complaints, or rights requests: support@lunarosa.app.

Operator: Horizon Digital Engineering LLC.