Lumora ("we", "our", "us") is an educational app that helps students learn, teachers teach, and parents support their children. Because many of our users are children, we take privacy very seriously and comply with the U.S. Children's Online Privacy Protection Act (COPPA), the EU General Data Protection Regulation (GDPR) including the children's protections under Article 8 GDPR-K, and the Malaysian Personal Data Protection Act 2010.
1. Who this policy applies to
Lumora has four types of accounts:
- Students (ages 5–18)
- Parents / guardians
- Teachers
- School administrators
2. What we collect
2.1 You give us directly
- Account: full name, email address, date of birth, country, role, preferred language
- Profile: avatar, school/class affiliation, subjects, goals
- Learning activity: answers, photos you upload for grading, drawings and notes, journal entries, help requests
- Communication: messages to teachers, study buddies, or classmates through in-app channels
2.2 Collected automatically
- Device: model, OS, app version, language
- Technical logs: error reports, crash diagnostics, approximate country-level location derived from IP (no GPS)
- Usage analytics: features used, time on task, Brain Points / Heart Points — powers your dashboards
- Push-notification token (if you enable notifications)
2.3 We do NOT collect
- Precise GPS location
- Phone contacts, SMS, or call logs
- Background camera or microphone recordings
- Health data
- Card numbers or bank details (payments go through Apple / Google / Stripe)
- Advertising identifiers — Lumora has no ads and no ad tracking
3. How we use your information
| Purpose | Examples |
|---|---|
| Provide the service | Show lessons, save answers, sync across devices |
| Educational personalisation | Recommend practice at your level, match study buddies by subject |
| Safety | Detect toxic language, age-gate features, enforce parent controls |
| Teacher & parent dashboards | Show parents activity trends, show teachers pass/fail statistics |
| Account security | Sign-in, prevent unauthorised access, detect abuse |
| Communication | Service announcements, trial expiry reminders |
| Improve Lumora | Fix bugs, prioritise features, measure changes |
We do not use your information for behavioural advertising, profile-building for third parties, or training third-party AI models.
4. Legal bases (GDPR)
- Consent — optional features (notifications, sharing answers globally)
- Contract — to provide the service you signed up for
- Legal obligation — COPPA, GDPR, Malaysian PDPA
- Legitimate interest — product security, fraud prevention, aggregated analytics
For children, consent is obtained from a parent or school administrator, not the child.
5. Who we share with
We share only what is strictly necessary, and never sell personal data.
5.1 Service providers
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, file storage | EU / US |
| Firebase Cloud Messaging (Google) | Push notifications | Global |
| Apple App Store / Google Play / Stripe | Subscription payments | Global |
Each is bound by a Data Processing Agreement and processes data only on our instructions.
5.2 Within the app
- Teachers see enrolled students' submitted work, class pass/fail stats, help requests
- Parents see their own child's activity (subject to child's privacy toggles if 13+)
- Other students see only public profile info you made visible (name, country, subjects) — never answers or messages
5.3 We will NOT share
- With advertisers or data brokers
- For marketing purposes
- With any third party for profit
6. Children's privacy (COPPA / GDPR-K)
- Parental consent required for children under 13 (US) / 16 (EU)
- Schools may provide consent under educational-licence terms
- No behavioural advertising or tracking across other apps/websites
- No public profile for under-13s — visible only to enrolled teacher and own parent
- Privacy toggles (13+): students can hide activity details from their parent; safety alerts are still shared
- Right to review and delete — parents may request a copy of or deletion of all data about their child any time
- Data minimisation — we ask only for what is needed to teach and keep children safe
If you believe a child created an account without parental consent, email amigoraj888@gmail.com and we will delete the account within 30 days.
7. Your rights
Wherever you live, you have these rights:
- Access — request a copy of data we hold about you
- Correct — fix inaccuracies
- Delete — remove your account and data permanently
- Export — receive your data in a machine-readable format
- Withdraw consent — for anything you opted into
- Object — to processing you disagree with
- Restrict — pause processing during a dispute
- Complain — to your local data-protection authority
Email amigoraj888@gmail.com with subject "Privacy request". We respond within 30 days, free of charge.
8. Data retention
- Active accounts: data kept while the account is in use
- Inactive accounts (no sign-in for 24 months): reminder sent; if no response, deleted after 30 days
- Deleted accounts: personal data removed within 30 days; anonymised analytics may be retained
- Legal records (e.g., tax receipts): up to 7 years
9. Security
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Row-level security — users can only access their own data
- Supabase Auth with bcrypt password hashing
- Regular security audits and dependency scanning
- Principle of least privilege for all staff access
- No staff access to student messages or photos except to investigate a specific safety report
If we discover a breach affecting you, we will notify you and the relevant regulator within 72 hours (GDPR requirement).
10. International transfers
Your data may be processed in Malaysia, the EU, or the US. Transfers out of the EU are protected by Standard Contractual Clauses approved by the European Commission.
11. Payments and subscriptions
Subscriptions are processed by Apple, Google, or Stripe. We receive only your subscription status — never your card number, bank details, or billing address. Refunds are handled by the platform that processed your payment.
The 30-day free trial does not require a card.
12. Cookies and tracking
Lumora uses essential storage only for:
- Keeping you signed in
- Remembering your paper type / language preferences
- Offline availability of recent lessons
We do not use advertising cookies, tracking pixels, or analytics cookies that identify you personally.
13. Changes to this policy
If we make material changes we will:
- Notify you in-app at least 30 days in advance
- Ask for fresh consent where legally required
- Keep the full version history public on our GitHub repository
14. Contact us
- Email: amigoraj888@gmail.com
- Subject line for privacy requests: "Privacy request"
- Response time: within 30 days
In the EU, you may also contact your national data-protection authority. In Malaysia, you may contact the Jabatan Perlindungan Data Peribadi (PDP).