Privacy Policy

LumaNox is a zero-cloud, fully offline photo safe. Your photos never leave your device — and neither does our respect for your privacy.

App: LumaNox: Private Photo Safe
Identifier: com.xpx.vault
Controller: LumaNox Team
Contact: [email protected]
Effective date: 2026-06-05
Last updated: 2026-06-05
Version: 1.0

1. Introduction

LumaNox ("we", "our", "the app") is a privacy-first, on-device photo safe. This Privacy Policy explains what information we collect (spoiler: almost nothing), what we do not collect, and the choices you have. By using LumaNox, you agree to the practices described below.

LumaNox is designed around a single principle: your photos never leave your device. We do not operate any servers that receive, store, or process your media. We do not have a cloud. We cannot see your vault — not even if we wanted to.

2. Our Role under Privacy Laws

For purposes of the EU GDPR, UK GDPR, and analogous laws, the LumaNox Team is the Data Controller for the very limited processing described below. For California residents under the CCPA/CPRA, LumaNox is the Business. Where we use third-party processors (see §6), they act on our documented instructions.

3. What We Collect

3.1 Data the app handles only on your device (we do NOT receive this)

Category	Examples	Where it lives
Photos & videos	Media you import or capture in-app	Encrypted (AES-256) in the app's private storage on your device
Albums & metadata	Album names, covers, photo counts, timestamps, encrypted file references	Local app database and app container, device-only
Lock credentials	6-digit PIN	Stored only as a SHA-256 hash on your device; the vault data key is generated on device and protected by platform secure storage
Biometric templates	Face / fingerprint unlock	Never accessed or stored by us — handled entirely by your device's operating system
AI inference inputs/outputs	On-device face, barcode, text, duplicate, blur, and classification analysis	Processed locally with on-device system or bundled models and local indexes; never uploaded
Backup archives	Encrypted backup files you create or schedule	Saved to a location you choose through the system file/document picker. We never see the file

We do not transmit any of the above over the network.

3.2 Data we genuinely collect

Only low-sensitivity diagnostics and subscription status: if you choose to purchase Premium, the relevant app store and RevenueCat (see §6) process a minimal set of subscription-related identifiers. We receive only aggregate entitlement status ("premium: active / inactive") — never your payment details, name, email, or address. The app may also use Firebase Analytics / Crashlytics to receive crash breadcrumbs and low-sensitivity events such as app start, lock result, import result, camera capture result, backup result, AI scan result, and subscription action result for stability and critical-flow analysis.

4. What We Do NOT Collect

✕ We do not collect your photos, videos, or thumbnails
✕ We do not collect contacts, call logs, SMS, or browsing history
✕ We do not collect precise or coarse location
✕ We do not collect your name, email, phone number, or mailing address
✕ We do not use advertising identifiers, nor serve ads
✕ Firebase events do not include photo/video content, thumbnails, filenames, album names, file paths, PINs, keys, or OCR text
✕ We do not integrate advertising trackers, Meta SDK, AppsFlyer, or comparable ad-attribution tools
✕ We do not build profiles, infer demographics, or engage in behavioral advertising

5. Permissions & Why

LumaNox requests only the permissions needed to deliver the feature you tapped:

Permission	Purpose	Triggered by
Camera	Shoot photos/videos directly into your encrypted vault; optionally capture an intruder-alert photo after failed PIN attempts if you enable that feature	Opening the in-app camera or enabling intruder alerts
Microphone	Record audio when you intentionally capture video in the in-app camera	Starting video capture
System photo/media library access	Import selected photos/videos into the vault	Tapping an import action for your system library
System photo/media library add access	Export photos/videos or redacted copies back to a LumaNox album in your system library	Tapping Export or Save to gallery/photos
Biometric unlock	Unlock the vault with face or fingerprint authentication	You enable biometrics in Settings or during setup
System file/document picker (per-use)	Save/read encrypted backup archives to a location you choose	Tapping Backup, Restore, or choosing an auto-backup folder

We do not request: location, contacts, calendars, reminders, Bluetooth, health data, advertising tracking permission, SMS, call logs, or unrestricted access to all files on your device.

6. Third-Party Services

6.1 Store Billing

If you purchase a subscription or lifetime upgrade, the app store that provides your copy of LumaNox processes the payment under its own privacy policy and payment terms. This may include Apple's privacy policy (https://www.apple.com/legal/privacy/) or Google's privacy policy (https://policies.google.com/privacy). We never receive your credit card, bank account, account password, or billing address.

6.2 RevenueCat

We use RevenueCat, Inc. ("RevenueCat") to reconcile subscription status and support "Restore purchases" across reinstalls. RevenueCat acts as our data processor under a signed Data Processing Addendum.

Data shared with RevenueCat: an anonymous App User ID (generated on your device), the product ID you purchased, and app store receipt / transaction metadata
Not shared: your photos, videos, name, email, precise location, or any vault content
Purpose: deliver, validate, and restore your Premium entitlement
Retention: as long as your entitlement is active, plus audit periods required by law
RevenueCat's privacy policy: https://www.revenuecat.com/privacy

6.3 Firebase Analytics / Crashlytics

In release builds, we may use Firebase Analytics and Firebase Crashlytics to understand app stability and critical feature reliability. Events are intentionally limited to sanitized operational signals, such as whether an import, backup, lock, AI scan, camera capture, purchase, or restore action succeeded or failed.

Data sent to Firebase: event names, coarse app/build information, sanitized status values, crash diagnostics, and breadcrumbs needed to debug stability issues
Not sent: photo/video content, thumbnails, filenames, album names, file paths, PINs, encryption keys, OCR text, face data, precise location, contacts, or payment details
Firebase privacy information: https://firebase.google.com/support/privacy

Other than app store billing, RevenueCat, and Firebase, no third-party SDKs, trackers, or ad networks are embedded in v1.

7. Data Security

AES-256 encryption for every photo and video, applied at import time
Master encryption key generated on your device and protected by platform secure storage — the key is not exportable by LumaNox or by us
PIN stored as a SHA-256 hash; plaintext never persisted
Auto-lock when the app is backgrounded; app icon hidden from recent-task thumbnails where supported
No plaintext photos are written outside the app's private directory; temporary files created for sharing are deleted immediately after the share completes
We do not operate servers that could be breached to expose your media, because we do not operate any such servers

No method of storage or processing is 100% secure; we encourage you to keep your device updated, use a strong PIN, and protect your backup archive password.

8. Data Retention & Deletion

Because your vault lives on your device, you control retention:

Delete a photo: move to Trash → permanent delete (or auto-purge after 30 days)
Delete all local data: uninstall LumaNox — the operating system removes the app's private storage according to platform rules
Subscription records at RevenueCat: email [email protected] referencing your anonymous App User ID (visible in Settings → About) and we will forward your deletion request to RevenueCat

9. Children's Privacy

LumaNox is not directed to children under 18 and we do not knowingly collect information from anyone under 18. If you believe a minor has used the app, contact us and we will act accordingly.

10. International Data Transfers

The only data that may cross borders in the course of using LumaNox is subscription metadata and low-sensitivity diagnostics handled by app store providers, RevenueCat, and Firebase. These providers rely on Standard Contractual Clauses and comparable safeguards for transfers out of the EEA/UK/Switzerland. We ourselves do not transfer your vault content internationally because we do not collect or receive it.

11. Your Rights

11.1 EEA / UK / Swiss residents (GDPR / UK GDPR)

You have the right to access, rectify, erase, restrict, port, and object to processing of your personal data, and to lodge a complaint with a supervisory authority. Since the data we hold is limited to anonymous purchase metadata and low-sensitivity diagnostics, most requests will be forwarded to our processors or the relevant app store provider.

11.2 California residents (CCPA / CPRA)

You may request to know, delete, or correct the limited personal information we process, and to opt-out of the sale or sharing of personal information. We do not sell or share personal information. We will not discriminate against you for exercising these rights.

11.3 How to exercise

Email [email protected]. We will respond within 30 days (GDPR) or 45 days (CCPA), and may extend by another period as permitted by law.

12. Changes to this Policy

We may update this Policy to reflect product, legal, or operational changes. The "Last updated" date at the top always reflects the current revision. Material changes will be announced in-app before they take effect. Continued use after the effective date of an update constitutes acceptance.

13. Contact Us

LumaNox Team
Email: [email protected]
Response target: within 5 business days