Privacy Policy

1. Introduction

Luvo ("we," "our," or "us") operates the Luvo mobile application (Android and iOS) and web application at www.luvo.co.in (collectively, the "Service"). Luvo is a lifestyle and productivity application that helps you build and maintain daily rituals, habits, and routines — whether for reading, exercise, study, mindfulness, work, or any personal goal.

This Privacy Policy explains how we access, collect, use, disclose, and safeguard your information when you use our Service.

The Service is operated by Pranay Kumar Bathini, an individual developer based in Karimnagar, Telangana, India.

By using Luvo, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with this Privacy Policy, please do not use the Service.

2. Information We Collect

Below is a comprehensive list of all data we access, collect, and store:

2.1 Account Information

When you create an account, we collect:

• Full name
• Email address
• Hashed password (we never store passwords in plaintext; they are securely hashed by Supabase Auth using bcrypt)
• Profile bio (optional, user-provided)
• Avatar/profile picture URL (optional)

If you sign in with Google OAuth, we receive the following information from Google: name, email address, and profile picture. We do NOT receive or store your Google password.

If you sign in with Sign in with Apple, we receive your name and email address (which may be an Apple Private Relay address if you choose to hide your email). We do NOT receive or store your Apple password.

2.2 Ritual and User-Created Data

We store the data you create within the app, including:

• Rituals — names, descriptions, icons, categories, frequencies, durations, scheduled times, intentions, and step-by-step instructions for rituals you create
• Completion logs — dates, times, and completion status of your rituals
• Reflections — free-text entries and optional images you write after completing rituals
• Daily intentions — text entries you set each day
• Goals — personal goals you create (titles, descriptions, and progress status)
• Ritual stacks — grouped sequences of rituals you organize together
• Custom categories — category names you create to organize your rituals
• Template ratings — ratings and optional reviews you leave on ritual templates
• Insights and progress metrics — completion rates, streaks, patterns, and trends derived from your ritual activity
• Preferences — theme selection, notification settings, language/locale

All ritual and user-created data is self-reported and user-initiated. Luvo does not collect data in the background or from external sources.

2.3 Subscription and Purchase Data

• Subscription status (free or Pro tier)
• Subscription expiry date
• RevenueCat user ID (for managing in-app purchases on Android/iOS)
• Purchase history managed by Google Play, Apple App Store, or web payment providers

We do NOT store your credit card numbers, CVVs, bank account details, or full payment credentials. All payment processing is handled by the respective platform (Google Play Billing, Apple In-App Purchase, Cashfree, or Razorpay).

2.4 Device and Usage Information

We may automatically collect:

• Device type and operating system version
• App version
• Platform (Android, iOS, or web)
• General usage patterns (which features you use, how often you complete rituals)
• App open events and foreground/background state (native apps, via Firebase Analytics)
• Page views and navigation paths (web only, via Google Analytics 4)
• Last-seen timestamps per platform (web, Android, iOS) for re-engagement notifications
• Firebase Cloud Messaging (FCM) token for push notification delivery
• Firebase Installation ID (an anonymous device identifier generated by Firebase, used internally for analytics and messaging — this is NOT an advertising identifier)

2.5 What We Do NOT Collect

Luvo does not access, collect, or process:

• Precise GPS location or geolocation data
• Contacts, phone book, or address book
• Photos, camera, or microphone data (except profile photos you choose to upload)
• Data from other apps on your device
• Browsing history outside of Luvo
• Advertising identifiers (Google Advertising ID / IDFA) — Luvo does not serve ads
• SMS, call logs, or telephony data
• Biometric data (fingerprints, face scans)
• Data from health sensors, wearables, or Google Health Connect

3. How We Use Your Information

We use the information we collect for the following purposes:

• Provide and maintain the Service — authenticate your identity, sync your data across devices, and deliver core functionality
• Track your rituals — record ritual completion, generate insights, calculate streaks and progress metrics
• Personalize your experience — remember your theme, language, notification preferences, and custom categories
• Send notifications — deliver ritual reminders (local), re-engagement notifications, and weekly summaries (via FCM)
• Process subscriptions — manage your Pro subscription status and entitlements
• Improve the Service — analyze anonymized and aggregated usage patterns to identify bugs, improve features, and enhance user experience
• Respond to support requests — address your questions and concerns via email

We do NOT:

• Sell your personal data to any third party
• Use your data for advertising or create advertising profiles
• Share your data with data brokers
• Use your data for any purpose other than providing and improving the Service

4. Cookies, Local Storage, and Client-Side Data

We use cookies and local storage to enhance your experience and remember your preferences:

• ip-country cookie: Country detection for pricing/localization (session only)
• luvo-theme: Your selected theme preference (persistent)
• luvo_saved_email: "Remember Me" email pre-fill (persistent, stored only on your device)
• luvo-settings: App settings like locale and notification sound (persistent)
• Supabase Auth tokens: Authentication session management (strictly necessary)

We do NOT use: Third-party advertising cookies, cross-site tracking cookies, or social media tracking pixels.

5. Android App Permissions

The Luvo Android app requests the following device permissions. Each permission is used solely for the stated purpose:

• INTERNET — Required to sync your data with our servers and authenticate your account
• POST_NOTIFICATIONS — To send ritual reminders, re-engagement notifications, and weekly summaries (you can opt out at any time via device settings)
• USE_EXACT_ALARM / SCHEDULE_EXACT_ALARM — To schedule precise ritual reminder times so notifications arrive at the exact time you set
• RECEIVE_BOOT_COMPLETED — To re-schedule your ritual reminders after your device restarts, so you don't miss notifications
• WAKE_LOCK — To ensure notifications can be delivered reliably even when your device is in sleep mode
• VIBRATE — For haptic feedback on interactions within the app

Permissions we do NOT request: Camera, microphone, location, contacts, phone, storage (beyond app-specific storage), SMS, call logs, or body sensors.

All permissions are used solely for the stated purposes. You can revoke permissions at any time through your device settings (Settings → Apps → Luvo → Permissions).

5b. iOS App Permissions

The Luvo iOS app requests the following device permissions. Each permission is used solely for the stated purpose:

• Camera (NSCameraUsageDescription) — To allow you to take a profile photo directly within the app. Camera access is only triggered when you tap the photo button on your profile.
• Photo Library (NSPhotoLibraryUsageDescription) — To allow you to select an existing photo from your library to use as your profile photo.
• Notifications (NSUserNotificationsUsageDescription) — To send ritual reminders, re-engagement notifications, and weekly summaries (you can opt out at any time via device settings or within the app).

Permissions we do NOT request: Microphone, location, contacts, phone, SMS, call logs, health data, biometric data, or advertising identifiers.

All permissions are used solely for the stated purposes and only when you actively choose to use the relevant feature. You can revoke permissions at any time through your device settings (Settings → Luvo → Privacy).

6. Third-Party Services and Data Sharing

We use the following third-party services to provide and improve the Service. Each service receives only the minimum data necessary for its function:

We do NOT share your user-created content (ritual names, reflections, completion logs, intentions, goals, or any personal content) with any third-party analytics, advertising, or marketing service.

Each third-party service has its own privacy policy. We encourage you to review: Supabase, Google, Firebase, RevenueCat, Cashfree, Razorpay, Vercel.

7. Push Notifications

Luvo sends the following types of push notifications:

• Ritual reminders — scheduled locally on your device based on your reminder times
• Re-engagement notifications — sent via Firebase Cloud Messaging if you haven't opened the app for 3+ days
• Weekly summary notifications — sent every Sunday with your ritual completion statistics

Push notifications require your explicit consent. On Android 13+, the app will request the POST_NOTIFICATIONS runtime permission before sending any notifications.

You can opt out of push notifications at any time by disabling notification permissions in your device settings (Settings → Apps → Luvo → Notifications) or turning off individual ritual reminders within the app.

8. Data Storage, Security, and Encryption

All user data is stored in Supabase, a hosted PostgreSQL database located in Mumbai, India (South Asia region).

Security measures include:

• Encryption in transit — all data transmitted using TLS 1.2 or higher
• Encryption at rest — data stored in the database is encrypted at the storage level
• Row Level Security (RLS) — database-level policies ensure you can only access your own data; no user can access another user's data
• Password hashing — passwords are hashed using bcrypt and never stored in plaintext
• Secure authentication — sessions managed via Supabase Auth with JWT tokens
• No personal content in logs — we do not log your personal content (reflections, intentions, ritual names) in server logs

While we implement strong security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security against unauthorized access.

9. Data Retention and Deletion

We retain your personal data for as long as your account is active and you continue to use the Service.

Data export: You can export all your data at any time from the Profile section of the app. Your data is exported in JSON, HTML, or ZIP formats, including your profile information, rituals, completion history, reflections, and milestones.

Account deletion: You can delete your account and all associated data permanently from within the app (Profile → Account Settings → Delete Account) or by visiting https://luvo.co.in/delete-account.

Upon account deletion, all your personal data — including rituals, completion logs, reflections, images, goals, intentions, preferences, subscription records, and authentication credentials — is permanently removed from our servers immediately. This action cannot be undone.

Analytics data previously sent to Firebase Analytics or Google Analytics 4 is anonymized and cannot be traced back to you after account deletion, as it does not contain your personal content.

10. Your Rights (GDPR, CCPA, DPDPA)

Depending on your jurisdiction, you may have the following rights regarding your personal data:

GDPR Rights (EU/EEA/UK Users)

• Right to access — request a copy of your personal data (use in-app data export)
• Right to rectification — correct inaccurate data (edit your profile, rituals, and reflections)
• Right to erasure — request deletion of your data (use in-app account deletion)
• Right to data portability — receive your data in JSON, HTML, or ZIP format via in-app export
• Right to withdraw consent — for consent-based processing like push notifications and analytics
• Right to restriction of processing — request that we limit how we use your data

CCPA/CPRA Rights (California Residents)

• Right to know — request disclosure of personal information we collect
• Right to delete — request deletion of your personal information
• Right to opt-out of sale — Luvo does NOT sell personal information
• Right to non-discrimination — we will not discriminate against you for exercising your rights

India DPDPA Rights

Under India's Digital Personal Data Protection Act, 2023, you have the right to access, correct, and erase your personal data.

To exercise any of these rights, use the in-app features (Profile → Export Data or Delete Account) or email us at support@luvo.co.in. We will respond within 30 days.

11. Children's Privacy

Luvo is not intended for children under the age of 13 (or 16 in the EU/EEA without parental consent). We do not knowingly collect personal information from children under 13. If we become aware that we have collected data from a child under 13 without parental consent, we will take steps to delete that information promptly. If you believe a child has provided us with personal data, please contact us at support@luvo.co.in.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or legal requirements. When we make material changes, we will update the "Last updated" date at the top of this document and notify you via email or an in-app notification. Your continued use of the Service after the effective date of the updated Privacy Policy constitutes your acceptance of the changes.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us: