Table of Contents
- Who We Are
- Information We Collect
- How We Use Your Information
- How We Share Information
- Third-Party Services
- Camera, Photos & Microphone
- Push Notifications
- In-App Purchases & Subscriptions
- Children's Privacy
- Data Retention
- Data Security
- Your Rights
- GDPR: European Users
- CCPA: California Users
- Changes to This Policy
- Contact Us
1. Who We Are
Lumen NICU is developed by Lumen Family Co. The app is designed to help families of premature and medically complex infants track health data, document milestones, and coordinate care. This Privacy Policy covers the Lumen NICU mobile application and associated websites and services.
2. Information We Collect
Account Information
Email address, display name, and OAuth tokens (Google/Apple sign-in).
Baby Profile
First name, date of birth, gestational age, biological sex, birth weight and length, expected due date, and profile photo.
Health Tracking Data
Feeding (time, duration, type, volume, notes), diapers, sleep, weight, length, head circumference, vitals (SpO₂, heart rate, respiratory rate, blood pressure, temperature), medications, milestones with photos, kangaroo care, ABD events, journal entries, appointments, and discharge readiness goals.
Photos & Media
Photos you capture or select, plus processed/cropped versions stored within the app.
Co-Parent Access
Partner email addresses and invitation status when you use the partner sharing feature.
Device & Technical
Push notification tokens (FCM for Android, APNs for iOS) and device platform information.
What We Do NOT Collect
GPS location, contacts, browsing history, audio or video, Social Security numbers, insurance information, or government IDs.
3. How We Use Your Information
- Authenticate your account: Email, OAuth tokens
- Display and sync baby records: All tracking data
- Enable partner sharing: Email, baby profile, tracking data
- Deliver push notifications: Push token, reminder settings
- Generate in-app PDF reports: All tracking data
- Power AI care assistant (Nicky): Chat messages only. We do not automatically send health records.
- Manage subscriptions: Purchase receipts via RevenueCat
- Improve and debug the app: Aggregated, anonymized patterns. No individual health records.
We do not use health data for advertising, marketing, or machine learning model training without your explicit consent.
5. Third-Party Services
- Supabase: Database, authentication, and photo storage (display copies). SOC 2 Type II compliant. supabase.com/privacy
- Cloudflare R2: Stores full-resolution photo originals. Receives only your photos, no other personal data. cloudflare.com/privacypolicy
- Google Firebase Cloud Messaging: Push notifications. Receives push tokens only. policies.google.com/privacy
- Google/Apple Sign-In: Shares email address only. No passwords stored by us.
- RevenueCat: Subscription management. Receives device ID and purchase receipts, not health data. revenuecat.com/privacy
- AI Care Assistant (Nicky): Transmits chat messages to Anthropic. Messages are not linked to your account. Health records are only sent when you explicitly initiate that action. anthropic.com/privacy
6. Camera, Photos & Microphone
Camera & Photos: Used for baby profile photos, memory/milestone photos, and optional photos you attach to tracking entries. Photos are saved on your device and backed up to your private cloud storage (hosted by Supabase and Cloudflare R2) so they are not lost if you lose or replace your phone, and so they sync to any co-parents you invite. Photos are encrypted in transit and at rest, visible only to you and the co-parents you choose to share a baby with, and are never sold, shared with advertisers, scanned, or used to train AI models. When you delete a photo or your account, the cloud copies are deleted.
Microphone: Used solely for optional voice dictation. Audio is processed on-device and is never recorded, stored, or transmitted by Lumen NICU.
7. Push Notifications
Used for: feed reminders, medication alerts, daily check-ins, weekly weight reminders, partner data updates, and trial-ending reminders. You can disable notifications at any time via app settings or device notification settings. Push tokens are used only for delivering notifications.
8. In-App Purchases & Subscriptions
All payments are processed by Google Play or the Apple App Store. We never collect or store your payment card information. Subscriptions auto-renew unless cancelled at least 24 hours before the renewal date.
9. Children's Privacy
Lumen NICU is not directed at children under 13. Health data is entered by parents and guardians. We do not knowingly collect information from children under 13.
10. Data Retention
- Active accounts: Data retained while your account is open.
- Account deletion: Deleted from servers within 30 days of your request, including photo backups.
- Deleted photos & memories: Removed from your device immediately and purged from cloud storage after a short grace period (about 30 days) so accidental deletions can be recovered.
- Local data: Remains on your device until you uninstall the app or manually delete it.
- Backups: Encrypted backups retain data for up to 90 days before being overwritten.
11. Data Security
- Encryption in transit: TLS 1.2+
- Encryption at rest: AES-256
- Access controls: Row-level security (RLS) ensures users can only access their own data
- Authentication: OAuth 2.0; we never store passwords
No method of transmission or storage is 100% secure. We will notify you of any breaches as required by applicable law.
12. Your Rights
- Access: Request a copy of the data we hold about you
- Correction: Update inaccurate information via the app or by contacting us
- Deletion: Request deletion via app Settings or our Delete Account page
- Portability: Request your data in a machine-readable format
- Withdraw Consent: Withdraw consent for any processing based on consent
We respond to requests within 30 days.
13. GDPR: European Users
Legal basis for processing: Performance of contract, legitimate interests, consent, and legal obligation. Health data is processed under explicit consent (Article 9(2)(a)).
Data transfers: Where data is transferred outside the EEA, we use Standard Contractual Clauses (SCCs).
Right to lodge a complaint: You may contact your local supervisory authority if you believe we have violated GDPR. Contact us first via our privacy request form.
14. CCPA: California Users
Categories of information collected: Identifiers (email), personal records (baby profile, health data), commercial information (subscriptions), internet activity (push tokens), and photos/media.
We do not sell or share your personal information for cross-context behavioral advertising.
Your California rights: Know, delete, and correct the information we hold; opt out (not applicable here); non-discrimination; and the right to limit use of sensitive personal information.
15. Changes to This Policy
We update this policy periodically. For material changes, we provide at least 30 days' notice. Continued use of Lumen NICU after the effective date constitutes acceptance.
16. Contact Us
- Privacy inquiries: Submit a privacy request
- General support: Contact support
- Company: Lumen Family Co.
- Response time: Within 30 days