Last updated 2026-06-17 · v1.1
Privacy Policy
1. Who We Are
Lueurly is a brand name used by TZU-YU CHIU, an individual developer based in Taiwan (not a registered trademark or company). TZU-YU CHIU (operating as Lueurly) is the operator/the party you contract with.
Contact: [email protected]
Lueurly's backend (API, media, notification, authentication, and related server endpoints) runs on infrastructure operated by us under lumoraworks.uk. This is our own operational infrastructure, not a third party. The iOS app pins TLS connections to lumoraworks.uk.
Lueurly is not offered to, and is not targeted at, users in the European Union, European Economic Area, United Kingdom, Switzerland, or South Korea. Those regions are excluded through App Store Connect geo-restriction and operational controls. GDPR, UK GDPR, the Digital Services Act, and the Korean Location Information Act do not apply to the service.
2. Data We Collect
We collect and process only the categories described below.
| Category | Data | When collected | Purpose |
|---|---|---|---|
| Account identifiers | Email address, display name, avatar, locale, timezone | Registration, login, profile use | Account creation, login, localization, account display |
| Authentication data | Password stored only as an Argon2id hash, Google identifier, Apple `sub` identifier | Registration, login, SSO | Authentication and account security |
| Age data | `birth_year` | Registration or first SSO use | 18+ eligibility check |
| Device and technical data | Device fingerprint made from IDFV and bundle identifier using SHA-256, IP address, user agent, app version | Authentication, token refresh, security events | Account security, new-device detection, audit records, abuse prevention |
| Push tokens | Firebase Cloud Messaging token, Apple APNs token | App launch or token refresh | Push notifications |
| Location for Sync Open | Latitude, longitude, and accuracy in meters | Only when you manually check in for Sync Open | Multi-participant same-place unlock; check-in state may be broadcast in real time to participants in the same message |
| Location for pact signing audit | `gps_lat`, `gps_lng` | Only when you sign a pact and the Premium audit-location option is enabled | Pact signing audit metadata |
| IP for pact signing audit | Public IP captured from request headers | Pact signing | Pact signing audit metadata |
| User-generated content | Text, voice files, photos up to 9, wax seal choice, replies, chat threads, pact content and signatures | When you create, send, receive, reply to, or sign content | Core messaging and pact features |
| Message feature flags | Burn-after-read duration, device-bound status, Sync Open status, scheduled delivery time, anonymous status, E2EE status | Message composition | Delivering selected message features |
| Read receipts | Recipient email, display name, `read_at` | When a recipient opens a message | Showing sender read status |
| Contacts matching data | SHA-256 hashes of email addresses only; we do not store plaintext contact email, phone number, or name for contact sync | Only after your express consent | Finding registered friends and mutual matches |
| Friends and blocks | Friend email or alias, block list entries | When you add, invite, or block users | Social graph, invitations, abuse prevention |
| Subscription data | Product ID, original transaction ID, purchase token, Apple receipt/JWS | Purchase and renewal | Subscription validation and Premium entitlement |
| Security records | Login attempts, audit logs | Automatically during security-relevant activity | Abuse prevention, account protection, operational audit |
| Content moderation data | Reports, report reasons, report notes, screenshot-detection events | User reports or client-side events | UGC safety, objectionable-content review, screenshot notice |
| Preferences | Push and email settings, quiet hours, anonymous-message preference, biometric-lock setting, marketing opt-in | Settings changes | Personalization and consent management |
3. Device Permissions
Lueurly may request optional device permissions for app features:
| Permission | Use |
|---|---|
| Microphone | Recording voice messages |
| Speech recognition | Voice-to-text, preferably on device where available |
| Photo library | Attaching photos |
| Location while in use | Sync Open check-in |
| Face ID | Optional app unlock |
| Contacts | Friend discovery through hashed email matching |
If you deny a permission, the related feature may not work, but other app features remain available where technically possible.
4. Why We Process Data
We process data to provide the service, authenticate accounts, deliver messages, operate Premium features, process subscriptions through Apple, secure accounts, prevent abuse, respond to reports, comply with legal obligations, and honor your settings. Where a feature depends on your action or consent, such as contacts matching or GPS check-in, you may choose not to use that feature or withdraw the relevant permission.
This section describes our operational reasons for processing. It is not a GDPR legal-basis notice because Lueurly is not offered to users in the EU, EEA, UK, or Switzerland.
5. How We Use Data
We use account, authentication, and device data to create accounts, log you in, detect new devices, and protect accounts.
We use message content and feature flags to deliver messages, schedule delivery, manage Sync Open, apply device-bound restrictions, operate E2EE, and support burn-after-read.
We use GPS coordinates only in two contexts: manual Sync Open check-in and optional Premium pact-signing audit. We do not continuously track location.
We use pact audit IP, GPS where enabled, device, and timestamp metadata as supporting evidence of signing intent and audit history.
We use contact hashes only to match registered users. We do not upload or store plaintext contact names, phone numbers, or contact email addresses for contact sync.
We use Firebase only for push delivery through FCM. Firebase Analytics is disabled, advertising is disabled, and Lueurly does not include third-party tracking SDKs such as Crashlytics, Sentry, or Mixpanel.
We do not sell personal data. We do not share personal data for cross-app tracking. We do not use your data for third-party advertising.
6. Processors and Third Parties
We share data with service providers only as needed to operate Lueurly.
| Provider | Data involved | Purpose | Region |
|---|---|---|---|
| Apple | App Store transactions, APNs token, Sign in with Apple identifier | Payments, push notifications, login | Global |
| Google | FCM token, Google Sign-In identifier | Push notifications, login | Global |
| Hetzner Online GmbH | Backend service data | Server hosting | Germany |
| Resend, through an internal relay | Recipient email address and email contents | Transactional and notification email delivery | United States |
Apple processes App Store payments. Lueurly does not receive or store your payment card number.
7. Storage Location and International Transfers
Your data is stored and processed on servers located in Germany (Hetzner Online GmbH, Nuremberg, Bavaria). Lueurly is operated from Taiwan. By using the service, you consent to your data being transferred to and processed in Germany and other countries where our processors operate, such as the United States for email delivery through Resend.
This disclosure is provided for transparency. Lueurly is not established in the EU and does not submit to GDPR by using German hosting.
8. Retention
We retain data according to the verified retention schedule below:
| Data | Retention |
|---|---|
| Burn-after-read content, including text, E2EE payload, photos, and voice files | Cleared from the server no later than 1 hour after read and expiry |
| Contact hashes | Deleted after 90 days without update |
| GPS check-in coordinates, participant coordinates, and Sync Open anchor coordinates | Cleared after 90 days |
| Login attempts | 30 days |
| Audit logs, including IP, user agent, and device fingerprint | 180 days |
| Web access logs, including IP | 14 days |
| Application logs | 30 days |
| Database backups | 30-day rolling backups |
| Account data and remaining content | Kept while the account exists; erased when the account is deleted |
Burn-after-read is best-effort. Lueurly cannot prevent recipients from taking screenshots, screen recordings, photos of the screen, or other external copies. Cleared burn-after-read content is not retained long-term, and backups roll over within 30 days.
9. Your Choices and Rights
You may access, correct, or update account information in the app where available.
You may delete your account in the app through Settings -> Delete Account. Account deletion triggers `POST /users/me/delete` and erases account data and exclusive media, subject to short retention needed for legal, security, subscription, or audit purposes described in this policy.
You may request deletion by email if you cannot access the app: [email protected].
You may export messages through `GET /export/messages`, export pacts through `GET /export/pacts`, and export pact PDFs where available. Lueurly does not currently provide a single complete machine-readable account export endpoint.
You may delete contact-sync hashes through `DELETE /contacts/sync`, withdraw optional device permissions in iOS Settings, block users, report content, log out devices, and change notification, email, anonymous-message, biometric-lock, and marketing preferences.
10. US State Privacy Notice
Lueurly does not sell personal information and does not share personal information for cross-context behavioral advertising. Lueurly does not use personal data for cross-app tracking.
Some US state privacy laws apply only to businesses that meet revenue, user-volume, or data-sale thresholds. Lueurly may not meet those thresholds. Even where a law does not apply, you may contact us at [email protected] to request access, correction, deletion, or information about our data practices.
11. Security
Lueurly uses HTTPS/WSS, certificate pinning, E2EE using Curve25519, HKDF, and AES-GCM, server-side AES-GCM media encryption, Argon2id password hashing, Keychain session storage, and device/security audit controls.
No service can guarantee perfect security. You are responsible for keeping your account credentials and trusted devices secure.
12. Children and Adults Only
Lueurly is for adults only. You must be at least 18 years old to use the service. Lueurly is not directed to children or minors. We use `birth_year` to help enforce the 18+ requirement. If we learn that an underage account exists, we will terminate and delete it.
13. Changes to This Policy
We may update this Privacy Policy as the service, law, or operational practices change. For material changes, we will provide reasonable notice through the app, website, email, or another appropriate method before the change takes effect where practical.
14. Contact
For privacy requests, account deletion help, security questions, or complaints, contact:
This document is the legally binding version. Translations are provided for convenience only; in case of conflict, the English version prevails.