Back to Home

Privacy Policy

Last Updated: December 17, 2024

1. Introduction

Lumo Travel ("we", "our", "the Application") respects user privacy and is committed to protecting personal data.

This Privacy Policy explains:

  • what data we collect,
  • how it is used, stored, and protected,
  • the legal basis for processing,
  • and the rights available to users.

By using the Lumo Travel application, you agree to the terms of this Privacy Policy.

2. Data Controller

Lumo Travel acts as the data controller for personal data processed through the Application in accordance with applicable data protection laws, including GDPR and CCPA.

3. Data Security and Encryption

We apply appropriate technical and organizational measures to protect user data from unauthorized access, loss, or disclosure.

3.1 Encryption of Personal Data

  • Personal and sensitive data are encrypted using industry-standard authenticated symmetric encryption (AES-based)
  • Data is encrypted prior to storage in our databases with integrity verification
  • Encryption keys are stored in secured infrastructure with restricted access controls
  • Access to data is strictly limited and monitored

3.2 Encryption of Files and Documents

  • All files and documents uploaded by users are encrypted before storage
  • Uploaded files are stored exclusively in encrypted form
  • Access to encrypted files is limited to the user's account context

3.3 Important Notice

  • All personal data and uploaded files are stored in encrypted form regardless of their type or sensitivity
  • Despite encryption, we may technically be able to decrypt data in strictly limited cases, such as:
    • compliance with legal obligations
    • providing technical support
    • ensuring security and system integrity

This is standard practice for cloud-based services and does not involve commercial use of user content.

4. Voluntary Provision of Data

  • Use of Lumo Travel does not require mandatory submission of sensitive personal data
  • Fields containing sensitive data (including passport numbers, tax identifiers, visa documents, or files) are optional
  • Users decide which data and documents to upload
  • Refusal to provide sensitive data does not restrict basic functionality
  • Users may delete uploaded data and documents at any time

5. Information We Collect

5.1 Account Information (Not Encrypted)

For account management purposes, we process:

  • Email address
  • Account creation date
  • Last login date
  • Subscription status (trial, active, expired, cancelled)
  • Subscription expiration date

This data is stored unencrypted as it is required for account management and cannot be reasonably encrypted while maintaining core functionality.

5.2 Personal Information (Encrypted in Database)

The following data may be voluntarily provided by the user and is stored in encrypted form:

Personal details:

  • First and last name
  • Date of birth
  • Nationality(ies)
  • Passport number
  • Tax identification number
  • Permanent address
  • Phone number

Travel information:

  • Countries visited
  • Entry and exit dates
  • Travel purpose
  • User notes and comments

Tax residency information:

  • Current tax residency country
  • Target tax residency country

Uploaded documents:

  • Flight tickets
  • Visa documents
  • Travel insurance documents
  • Hotel booking confirmations

All documents are uploaded solely at the user's initiative.

5.3 Technical and Analytical Data (Anonymized)

Collected automatically:

  • Device type and operating system version
  • Application version
  • Anonymized crash reports
  • Aggregated usage statistics

This data does not allow identification of individual users.

5.4 Data We Do Not Collect

We do **not** collect, use, or share:

  • Precise GPS location data for advertising, marketing, or cross-app tracking
  • User activity outside the Application
  • Contacts or address book data
  • Photos or files not explicitly uploaded by the user
  • Data from other applications installed on the device

6. Legal Basis for Processing

We process personal data on the following legal grounds:

  • **Contract performance** — providing Application functionality
  • **User consent** — processing sensitive data and documents
  • **Legal obligations** — compliance with applicable laws
  • **Legitimate interests** — security, fraud prevention, and service improvement

7. How We Use Information

7.1 Account Management

  • Authentication and security
  • User support
  • Security and service notifications

7.2 Service Provision

  • Storage and synchronization of travel data
  • Calculation of stay limits
  • Notifications related to visa, residency, or mobility thresholds
  • Country change detection using location permission (processed on-device; not used for advertising)

GPS coordinates are processed on-device and stored locally. Raw location coordinates are not transmitted to our servers. Only the resulting country code may be synchronized in encrypted form for trip management purposes.

7.3 Subscription Management

  • Verification of access to premium features
  • Processing subscriptions via Apple App Store
  • Managing renewals and subscription status

7.4 Application Improvement

  • Analysis of anonymized feature usage
  • Bug fixing and stability improvements
  • Abuse and fraud prevention

8. Data Retention

We retain data only for as long as necessary:

  • Account data — while the account is active
  • Travel data and documents — until deleted by the user or account deletion
  • Technical logs — up to 12 months in anonymized form
  • Legally required data — for periods required by law

9. Data Sharing and Third Parties

We do **not** sell, rent, or transfer personal data for marketing purposes.

Apple App Store

  • Purpose: payment processing and subscription management
  • Data shared: subscription status

RevenueCat

  • Purpose: subscription management
  • Data shared: anonymized user identifier and subscription status
  • Encrypted personal data is not shared

Mapbox

  • Purpose: map rendering (tiles and display from the device)
  • No personal or encrypted data is shared

10. International Data Transfers

Our servers may be located in the European Union and/or the United States.

Where international transfers occur, we apply appropriate safeguards, including Standard Contractual Clauses (SCC), in accordance with GDPR.

11. User Rights

Users have the right to:

Access

  • View account-related data
  • Request a copy of personal data

Deletion

Users may delete their account and all associated data at any time.

How to delete an account::

  1. Open Lumo Travel
  2. Go to the Profile tab
  3. Tap "Delete Account" (in the Lumo Travel Access section)
  4. Confirm deletion

Upon deletion::

  • All personal and encrypted data is permanently removed
  • All uploaded files and documents are deleted
  • Account information is erased

Deletion is irreversible.

12. Children's Privacy

  • The Lumo Travel application is not intended for children under the age of 13.
  • We do not knowingly collect personal data from children under 13.
  • If a user is considered a minor under the laws of their jurisdiction, the Application may only be used with the consent of a legal guardian where such consent is required by applicable law.

13. Policy Updates

  • We may update this Privacy Policy from time to time
  • Material changes will be communicated via the Application or email

14. Contact Information

For privacy and data protection inquiries:

Email: support@lumoapps.org

15. Legal Compliance

This Privacy Policy complies with:

  • General Data Protection Regulation (GDPR)
  • California Consumer Privacy Act (CCPA)
  • Apple App Store Review Guidelines
  • Google Play Developer Policy
  • Other applicable data protection laws