Privacy Policy

Overview

Lumenshore Limited (“Lumenshore”, “we”, “us”, or “our”), company number 09607326, registered at Windsor House, Troon Way Business Centre, Humberstone Lane, Leicester, England, LE4 9HA, operates the LumenLingo mobile application (the “App”) and the lumenlingo.com website (the “Website”). This Privacy Policy explains how we collect, use, store, and protect information when you use either platform.

We built LumenLingo with a privacy-first architecture. On the iOS app, your learning data is processed and stored on your device and in your personal iCloud account — not on our servers. On the website, we collect minimal data necessary to operate the service and improve your experience. We believe your data is yours, and it should stay that way.

This policy is organised into two sections — Website and iOS App — so you can quickly find the information relevant to you.

Website Data Collection

When you visit lumenlingo.com, we may collect the following data:

• Email address — if you sign up for our newsletter or join the waitlist. We collect your email solely to send you product updates and launch notifications. You can unsubscribe at any time.
• Language preference — if you join the waitlist, we record which language you’re interested in to tailor future communications.
• Campaign attribution (UTM parameters) — we capture UTM parameters (source, medium, campaign) from URLs in your browser’s sessionStorage to understand which marketing channels are effective. This data is not tied to your identity and is cleared when you close your browser tab.
• Anonymous page views — we use Vercel Analytics, a cookie-free, privacy-respecting analytics service, to count page visits. No personal data is collected, no cookies are set, and no individual users are identified.
• Anonymous performance metrics — we use Vercel Speed Insights to measure page load times and core web vitals. This data is fully anonymous and helps us keep the website fast.
• Error data and session replays — we use Sentry for error monitoring. With your consent, Sentry may record session replays to help us diagnose and fix bugs. See the ‘Sentry Session Replay’ section below for full details.
• IP addresses — your IP address is processed transiently by our API routes for rate limiting (to prevent abuse). IP addresses are not stored or logged by us.

Sentry Session Replay

We use Sentry (operated by Functional Software, Inc.) for error monitoring on our website. Sentry’s session replay feature records page interactions (clicks, scrolls, navigation) to help us reproduce and fix bugs.

Sampling rates: Session replays are captured for approximately 0.1% of normal browsing sessions. When an error occurs, the replay capture rate increases to 100% for that session only — this helps us understand exactly what led to the bug.

What is captured: Page navigation, clicks, scrolls, and screen content. All text inputs in forms (such as newsletter and waitlist fields) are masked to protect your privacy. Media content is blocked from capture.

What is sent: Replay data is transmitted to Sentry’s servers in the United States. It is retained according to Sentry’s data retention policy (typically 90 days).

Your control: Session replays are only active if you have given consent via our cookie consent banner. You can change your preference at any time.

Vercel Analytics & Speed Insights

We use Vercel Analytics and Vercel Speed Insights on our website. These services are privacy-focused by design:

• No cookies — Vercel Analytics does not set any cookies on your device.
• No personal data — no IP addresses, device fingerprints, or user identifiers are collected.
• Aggregate only — we see total page view counts and performance metrics, but we cannot identify individual visitors.

Both services are operated by Vercel Inc. Data is processed on Vercel’s infrastructure. See Vercel’s Privacy Policy for more details.

Custom Analytics Events

In addition to page views, we track the following anonymised events through Vercel Analytics to understand how visitors use our website. No personal data is attached to these events:

• app_store_click — when a visitor clicks an App Store download link (records link location on the page)
• pricing_view — when a visitor views the pricing page
• pricing_cta_click — when a visitor clicks a pricing call-to-action button (records which tier)
• blog_post_read — when a visitor reads most of a blog post (records the post slug and title)
• feature_section_view — when a visitor views a feature section on the homepage
• newsletter_signup — when a visitor signs up for the newsletter (records the page location, not the email)
• demo_started — when a visitor starts the interactive flashcard demo
• demo_completed — when a visitor completes the demo (records correct/total scores)
• demo_cta_click — when a visitor clicks a call-to-action after completing the demo
• page_not_found — when a visitor lands on a 404 page (records the path)
• error_page_view — when a visitor sees an error page (records the error message)

Offline Caching (Service Worker)

Our website uses a Service Worker to cache static assets (HTML pages, CSS stylesheets, JavaScript bundles, images, and fonts) on your device. This enables faster page loads on repeat visits and limited offline access.

The Service Worker cache is stored entirely on your device and contains no personal data. You can clear it at any time through your browser’s settings (Clear site data). No cached data is sent back to our servers.

iOS App Data Collection

The LumenLingo iOS app collects minimal data necessary to provide a great learning experience:

• Learning progress data — flashcard mastery levels, practice scores, streaks, XP, and session history. This data is stored locally on your device and synced via iCloud.
• App preferences — your selected language pairs, soundscape preferences, visual background choices, and tier selection. Stored on-device and synced via iCloud.
• Subscription status — your membership tier, managed entirely by Apple through the App Store. We receive a subscription status from Apple but do not process payment information.
• Anonymous analytics — we may collect aggregated, non-identifiable usage metrics (such as which features are most popular) to improve the app. No personal data is included.

What We Don’t Collect

Across both our app and website, we want to be clear about what we never collect or do:

• No location data or GPS coordinates
• No contacts, photos, or access to other apps on your device
• No payment or credit card information (Apple handles all app billing)
• No advertising identifiers or tracking pixels
• No data sold or shared with third-party advertisers — ever
• No personal data shared with AI model training services

Legal Basis for Processing

Under GDPR and UK GDPR, we process personal data only when we have a lawful basis. Here is the legal basis for each type of data we handle:

Consent (GDPR Art. 6(1)(a))

• Newsletter signup — you actively provide your email and opt in to receive updates
• Waitlist signup — you actively provide your email and language preference
• Sentry session replay — replays are only captured after you give explicit consent via our cookie banner

Legitimate Interest (GDPR Art. 6(1)(f))

• Vercel Analytics — anonymous, cookie-free page view counting to improve our website. Our interest in understanding site usage is balanced against minimal privacy impact (no PII collected)
• Sentry error monitoring — collecting error diagnostics to maintain service reliability. No user behaviour is captured without consent; only crash and error data is collected under this basis
• Rate limiting (IP address processing) — preventing abuse of our API endpoints. IP addresses are processed transiently and not stored

Contract Performance (GDPR Art. 6(1)(b))

• iOS app learning data — processing your learning progress is necessary to deliver the language-learning service you use
• iCloud sync — syncing your progress across devices is a core part of the service
• Subscription management — verifying your tier to provide the appropriate features

Whether Providing Data Is Obligatory

Under UK GDPR Article 13(2)(e), we must inform you whether the provision of personal data is a statutory or contractual requirement, and the possible consequences of failing to provide such data:

Contractual Requirements

• Account creation data (email address via Clerk authentication) — this is a contractual requirement. Without it, we cannot create your account or provide the Service.
• Subscription payment data (processed by Apple/RevenueCat) — this is a contractual requirement for premium features. Without it, we cannot process your payment or grant premium access.

Voluntary Provision

• Analytics consent (Vercel Analytics, Sentry Session Replay) — this is entirely voluntary. Declining has no impact on your ability to use the Service.
• Feedback and support emails — voluntary. If you do not provide contact details, we may be unable to respond to your query.

There is no statutory (legal) requirement to provide your personal data to us. All data provision is either contractual (necessary for the service) or voluntary.

UK Data Protection

Lumenshore Limited is a company incorporated in England and Wales (Company No. 09607326). As a UK-based data controller, we comply with the UK General Data Protection Regulation (UK GDPR) — retained from EU law via the European Union (Withdrawal) Act 2018 — and the Data Protection Act 2018 (DPA 2018). These laws govern how we collect, use, store, and protect your personal data.

Data Controller

The data controller responsible for your personal data is:

• Company: Lumenshore Limited
• Registered Address: Windsor House, Troon Way Business Centre, Humberstone Lane, Leicester, England, LE4 9HA
• Company Number: 09607326 (England and Wales)
• VAT Number: GB 270411929

Data Protection Lead

Although Lumenshore is not required to appoint a Data Protection Officer (DPO) under Article 37 UK GDPR (we are not a public authority, do not carry out large-scale monitoring, and do not process special category data at scale), we have designated a data protection lead to oversee compliance:

Data Protection Lead: The Director of Lumenshore Limited

You can contact our data protection lead at Almost ready for any questions about how we handle your personal data, to exercise your data rights, or to raise a data protection concern.

ICO Registration

As required by section 25 of the Data Protection Act 2018, Lumenshore Limited pays the annual data protection fee to the Information Commissioner’s Office (ICO), the UK’s independent supervisory authority for data protection.

The ICO maintains a public register of fee payers. You can verify our registration status on the ICO’s website.

Our ICO registration number is ZB718685. You can verify this on the ICO register.

International Data Transfer Adequacy

When personal data is transferred between the UK and the European Economic Area (EEA), it is protected by the UK–EU adequacy decision made under Article 45 UK GDPR. The European Commission granted adequacy to the UK in June 2021, recognising that UK data protection law provides an essentially equivalent level of protection to the EU GDPR.

For transfers to the United States, we rely on service providers certified under the EU–US Data Privacy Framework (DPF) and its UK Extension, which the UK government has recognised as providing adequate safeguards. Where a sub-processor is not DPF-certified, we ensure Standard Contractual Clauses (SCCs) approved by the ICO are in place.

For further details on international transfers and the specific safeguards we use, see the International Data Transfers section of this policy.

Special Category Data

LumenLingo does not collect or process any special category data as defined by Article 9 UK GDPR and section 10 of the DPA 2018. This includes: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, sex life or sexual orientation, and criminal conviction data.

If our data processing activities change in the future to include any special category data, we will update this policy, conduct a Data Protection Impact Assessment (DPIA), and obtain explicit consent where required.

Your Right to Complain to the ICO

If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO). We would appreciate the opportunity to address your concerns first — please contact us at Almost ready and we will do our best to resolve the issue.

If you are not satisfied with our response, you can contact the ICO:

• Website: ico.org.uk/make-a-complaint
• Telephone: 0303 123 1113
• Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Electronic Communications (UK PECR)

The Privacy and Electronic Communications Regulations 2003 (PECR) set specific rules for electronic marketing and the use of cookies and similar technologies. As a UK company, Lumenshore Limited complies with PECR alongside the UK GDPR.

Cookies & Similar Technologies (Regulation 6)

PECR Regulation 6 requires your consent before we store or access information on your device, except where it is strictly necessary to provide a service you have requested. Our approach:

• Strictly necessary storage — consent preferences and language settings — is set without consent because it is essential for the website to function as you have requested.
• Non-essential storage — analytics tracking, error monitoring, and session replay — is only activated after you give explicit consent via our cookie banner.
• You can change your preferences at any time using the “Cookie Settings” link in the website footer.
• If your browser sends a Global Privacy Control (GPC) or Do Not Track (DNT) signal, all non-essential storage is automatically suppressed.

For full details of what we store and why, see our Cookie Policy.

Marketing Communications (Regulation 22)

We only send marketing emails to people who have given explicit, freely given consent by subscribing to our newsletter. We do not use pre-ticked boxes or bundle marketing consent with other agreements.

Every marketing email we send:

• Identifies the sender as Lumenshore Limited
• Includes a working unsubscribe link
• Describes the types of content you will receive (product updates, language learning tips, and occasional offers)

We record your consent (including the version of the consent text shown, a timestamp, and a hashed identifier) for our accountability records.

Soft Opt-In

PECR Regulation 22(3) allows businesses to send marketing to existing customers for similar products without explicit consent (“soft opt-in”), provided an opt-out was offered at point of collection and in every subsequent message. Lumenshore does not currently rely on the soft opt-in exception — all marketing requires explicit consent.

Where Your Data Goes

Here is a plain-English summary of where your data is stored and processed:

• Your device — all iOS app learning data, preferences, and progress are stored locally on your iPhone or iPad using Apple’s SwiftData framework
• Your iCloud account — learning data syncs across your Apple devices via your personal iCloud account, encrypted by Apple. We have no access to this data
• Vercel (website hosting) — our website is hosted on Vercel’s global edge network. Anonymous analytics data is processed by Vercel. Vercel’s servers are primarily located in the United States with edge nodes worldwide
• Sentry (error monitoring) — error logs and (with your consent) session replay data are sent to Sentry’s servers in the United States. Sentry processes this data under their DPA with Standard Contractual Clauses
• Apple (App Store & iCloud) — subscription management and iCloud sync are handled by Apple’s global infrastructure

Your data is not sent to any other third parties. We do not use Google Analytics, Facebook SDK, or any advertising networks.

How We Use Your Information

The limited data we handle is used solely to:

• Personalise your learning — spaced repetition scheduling, difficulty adaptation, and progress tracking depend on your learning history.
• Sync your progress — iCloud sync ensures your data follows you across all your Apple devices.
• Manage your subscription — we verify your membership tier to unlock the appropriate features.
• Improve the app and website — anonymous aggregate data helps us understand which features are valuable and where to focus development.
• Communicate with you — if you signed up for our newsletter or waitlist, we use your email to send product updates. You can unsubscribe at any time.
• Diagnose and fix bugs — Sentry error data (and session replays with your consent) help us identify and resolve issues quickly.

Data Storage & Security

LumenLingo uses a privacy-first, on-device architecture:

• On-device storage — all learning data is stored locally using Apple’s SwiftData framework, protected by your device’s built-in encryption.
• iCloud sync — data syncs between your devices via your personal iCloud account, encrypted end-to-end by Apple. We do not have access to your iCloud data.
• No external servers — LumenLingo does not maintain servers that store your personal data from the iOS app. There is no cloud database for us to secure (or breach).
• App Store security — subscription management is handled by Apple’s secure infrastructure.
• Website security — lumenlingo.com uses HTTPS encryption, strict Content Security Policy headers, and rate-limited API endpoints to protect your data.

Third-Party Services

LumenLingo integrates with a limited number of third-party services:

• Apple App Store & iCloud — for app distribution, subscription management, payment processing, and data synchronisation. Subject to Apple’s Privacy Policy.
• Vercel — for website hosting, anonymous analytics, and performance monitoring. Cookie-free, GDPR-compliant. Subject to Vercel’s Privacy Policy.
• Sentry — for website error monitoring and (with consent) session replay. Subject to Sentry’s Privacy Policy.
• Clerk — for user authentication and identity management. Subject to Clerk's Privacy Policy.
• RevenueCat — for subscription management and entitlement tracking. Apple remains the merchant of record for all payments. Subject to RevenueCat's Privacy Policy.

We do not use Google Analytics, Facebook SDK, or any advertising networks.

Sub-Processors

The following third-party services process data on our behalf. Each sub-processor has been assessed for data protection compliance:

Data Processing Agreements

We maintain Data Processing Agreements (DPAs) or equivalent contractual protections with all sub-processors that handle personal data:

• Apple — covered by Apple's standard DPA for developers, incorporating Standard Contractual Clauses for international transfers.
• Vercel — covered by Vercel's DPA, available at vercel.com/legal/dpa. Vercel Analytics is cookie-free and processes no personal data.
• Sentry — covered by Sentry's DPA with Standard Contractual Clauses (SCCs) for EU-US data transfers.
• Clerk — covered by Clerk's Data Processing Agreement, incorporating Standard Contractual Clauses and EU-US Data Privacy Framework certification for international transfers.
• RevenueCat — covered by RevenueCat's Data Processing Addendum with Standard Contractual Clauses. RevenueCat does not receive raw payment card data; Apple is the merchant of record.

Sub-Processor Changes

If we add or change a sub-processor that handles personal data, we will update this page and note the change in the Version History section of this Privacy Policy. For material changes, we will provide at least 30 days' notice before the new sub-processor begins processing data.

International Data Transfers

Lumenshore Limited is based in the United Kingdom. Some of your data may be transferred to and processed in countries outside the UK and the European Economic Area (EEA). Here is where each service processes data and the legal mechanism that protects the transfer:

• Apple (United States & global) — iCloud data and App Store subscription data may be processed in Apple’s global data centres, including in the United States. Apple participates in transfers under Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework.
• Vercel (United States & global edge) — our website is served from Vercel’s edge network, with primary servers in the United States. Vercel Analytics processes no personal data. Website hosting data is protected under Vercel’s GDPR DPA with Standard Contractual Clauses.
• Sentry (United States) — error logs and session replay data (with your consent) are transmitted to Sentry’s servers in the United States. These transfers are protected by Sentry’s DPA incorporating Standard Contractual Clauses (SCCs).
• Clerk (United States) — authentication data (email address, user identifiers, auth tokens) is processed on Clerk's servers in the United States. These transfers are protected by Clerk's DPA incorporating Standard Contractual Clauses and Clerk's EU-US Data Privacy Framework certification.
• RevenueCat (United States) — subscription management data (app user ID, subscription status, Apple purchase receipts) is processed on RevenueCat's servers in the United States. These transfers are protected by RevenueCat's Data Processing Addendum with Standard Contractual Clauses.

Transfer Safeguards

For all international data transfers, we ensure at least one of the following safeguards is in place:

• Standard Contractual Clauses (SCCs) — EU Commission-approved contractual clauses that bind the data importer to protect your data to GDPR standards.
• EU-US Data Privacy Framework — where the recipient is certified under the framework, providing an adequacy basis for transfers to the US.
• UK International Data Transfer Agreement (IDTA) — the UK equivalent of SCCs, approved by the ICO for transfers from the UK.
• Adequacy decisions — where the European Commission or UK Government has determined that the destination country provides adequate data protection.

You may request a copy of the relevant transfer safeguards by contacting us at Almost ready.

Aggregated and De-identified Data

We may collect, aggregate, and de-identify personal data so that it can no longer reasonably identify any individual. Once de-identified, such data is no longer personal data under GDPR, UK GDPR, CCPA, or any applicable data protection law.

We may use, disclose, and publish de-identified and aggregated data for any purpose, including but not limited to:

• Product improvement and feature development
• Research and analytics
• Marketing materials and case studies
• Benchmarking and public reports
• Investor and stakeholder reporting

De-identification Standards

Our de-identification process meets the following legal standards:

• GDPR Recital 26 — data cannot be singled out, linked, or inferred to identify any individual, taking into account all means reasonably likely to be used.
• CCPA § 1798.140(m) — information that cannot reasonably be used to infer information about, or otherwise be linked to, a particular consumer or household. We maintain a commitment not to attempt to re-identify de-identified data.

Examples of Aggregate Data

Examples of the types of aggregate data we may derive and publish include:

• Total number of users per language pair
• Average learning session duration
• Most commonly studied vocabulary
• Error rates per difficulty level
• Feature usage statistics across membership tiers

No individual user can be identified from any published aggregate data.

Our right to retain and use Aggregate Data survives account deletion and service termination. After you delete your account, we may retain Aggregate Data that was derived from your use of the Service.

Children’s Privacy

Parents and guardians can manage or delete the app and its data at any time through standard iOS device management. If you believe a child has provided personal data to us, please contact us at Almost ready and we will delete it promptly.

Parents and guardians can manage or delete the app and its data at any time through standard iOS device management. If you believe a child has provided personal data to us, please contact us at Almost ready and we will delete it promptly.

Parents and guardians can manage or delete the app and its data at any time through standard iOS device management. If you believe a child has provided personal data to us, please contact us at Almost ready and we will delete it promptly.

COPPA Compliance

LumenLingo complies with the Children’s Online Privacy Protection Act (COPPA). We do not knowingly collect, use, or disclose personal information from children under 13 without verifiable parental consent. Our service is not directed at children under 13, and we do not target advertising to children.

All website forms that collect personal information (such as email addresses) include an age-confirmation step requiring users to confirm they are at least 13 years old, or that they have parental or guardian consent if under 18.

Parental Rights

Under COPPA and similar laws, parents and guardians have the right to:

• Review any personal information we may have inadvertently collected from their child
• Request deletion of their child’s personal information from our systems
• Refuse further collection or use of their child’s information
• Manage or remove the app and its locally stored data through standard iOS device management

To exercise any of these rights, please contact us at Almost ready. If we discover that we have collected personal information from a child under 13 without proper parental consent, we will delete that information within 72 hours of discovery.

Educational Use & FERPA

LumenLingo is not administered by or on behalf of educational institutions. If a school or educational organisation chooses to recommend LumenLingo to students, it does so independently. The institution is responsible for ensuring compliance with the Family Educational Rights and Privacy Act (FERPA) and for obtaining any required parental consent before directing students under 13 to use the service.

Age of Digital Consent — Multi-Jurisdiction

The age at which a person can give valid consent for data processing varies by jurisdiction. As a language-learning service likely used by younger learners, we apply locale-aware age requirements.

Age of Consent by Jurisdiction

The following table summarises the minimum digital consent age in each jurisdiction where we operate:

• United Kingdom: 13 (UK GDPR / ICO guidance)
• United States: 13 (COPPA)
• Spain: 14 (LOPDGDD)
• Italy: 14 (D.Lgs 101/2018)
• China: 14 (PIPL Art. 31 — under-14 classified as sensitive personal information)
• South Korea: 14 (PIPA — parental consent for under-14)
• France: 15 (Loi Informatique et Libertés)
• Germany: 16 (BDSG)
• Netherlands: 16 (UAVG)
• Poland: 16 (GDPR national implementation)
• Ireland: 16 (Data Protection Act 2018)
• Japan: 16 (APPI — case-by-case for minors; we apply 16 as a conservative default)
• UAE: 18 (UAE PDPL — minors require guardian consent)
• Saudi Arabia: 18 (PDPL — minors require guardian consent)
• India: 18 (DPDPA 2023 — children defined as under 18; verifiable parental consent required)
• Brazil: 12/18 (LGPD Art. 14 — children under 12 require parental consent; 12–17 processed in their best interest)
• Canada: 13 (PIPEDA; Quebec: 14 under provincial law)
• Australia: capacity-based (Privacy Act 1988 — no fixed age; assessed by individual capacity)

Our Approach

We apply locale-aware age verification. When you interact with our website forms (newsletter, waitlist), the minimum age displayed and enforced matches your detected locale. For locales not explicitly mapped, we default to 16 — the highest common EU digital consent age — ensuring compliance across all jurisdictions.

Our iOS app does not require account registration and stores data locally on the device. No personal information is transmitted to us from app users, so age verification is not required for app use.

Parental Consent for Underage Users

If you are between 13 and your jurisdiction’s consent age, you cannot submit personal information through our website without parental consent. Our forms require a self-declaration confirming you meet the age threshold for your jurisdiction.

For users under the applicable age: we display an age-appropriate notice explaining our data collection practices. Essential service functionality (such as browsing the website) remains available without consent-based data collection.

China PIPL — Special Protections for Under-14

Under China’s Personal Information Protection Law (PIPL Art. 31), personal information of individuals under 14 is classified as “sensitive personal information.” Processing requires separate consent from a parent or guardian, and we must conduct a Personal Information Protection Impact Assessment for any such processing.

We do not knowingly collect personal information from Chinese users under 14. If we discover such data has been collected, we will delete it promptly and notify the parent or guardian.

Children’s Enhanced Privacy Protections

As a language-learning service likely used by younger learners, we apply enhanced privacy protections for users under 18. These protections exceed baseline regulatory requirements and reflect our commitment to child safety.

Data Minimisation for Minors

We collect only data strictly necessary for service delivery from all users, with additional restrictions for verified minors:

• No marketing communications are sent to verified minor users.
• No session-replay or behavioural-analytics tracking is applied to minor users.
• Analytics is limited to essential error monitoring to maintain service quality.
• No third-party advertising trackers are loaded for minor users.

Parental Controls

Where parental or guardian consent has been provided:

• Parents or guardians may review the data we hold about their child by emailing Almost ready.
• Parents or guardians may revoke consent at any time, and we will cease processing the child’s personal data within 30 days.
• Upon parental request, we will delete all of the minor’s personal data, subject to any legal retention obligations.

Age-Appropriate Privacy Notices

For users aged 13–17, we aim to provide privacy information that is:

• Written in clear, plain language appropriate for a younger audience.
• Concise and focused on what matters most: what data we collect, why, and how to control it.
• Presented in a visual, accessible format rather than dense legal text wherever possible.

UK Children’s Code Compliance

The UK Information Commissioner's Office (ICO) Age Appropriate Design Code applies to online services likely to be accessed by children under 18. As a language-learning service, LumenLingo falls within scope. We have assessed our service against all 15 standards of the Code:

• Best interests of the child: data practices prioritise children's wellbeing over commercial interests.
• Data protection impact assessments: we conduct DPIAs for features likely to be accessed by children.
• Age-appropriate application: we apply age-appropriate protections by default; where precise age is unknown, we treat all users as potentially under 18 for privacy purposes.
• Transparency: privacy information is provided in clear, age-appropriate language.
• Detrimental use of data: we do not use children's data in ways that have been shown to be detrimental to their wellbeing.
• Policies and community standards: our published terms uphold the Code's standards.
• Default settings: high-privacy defaults are applied for all users, ensuring children receive maximum protection without needing to adjust settings.
• Data minimisation: only data essential for the learning service is processed.
• Data sharing: we do not share children's personal data with third parties for marketing or advertising purposes.
• Geolocation: we do not collect or use precise geolocation data.
• Parental controls: not applicable — LumenLingo does not currently provide parental control features. If introduced, they will be designed to provide an appropriate level of monitoring without excessive surveillance.
• Profiling: children are not profiled for marketing or behavioural targeting. Our spaced-repetition algorithm is purely pedagogical and does not constitute profiling under the Code.
• Nudge techniques: we do not use design techniques that encourage children to provide unnecessary personal data or weaken their privacy protections.
• Connected toys and devices: not applicable — LumenLingo is a software application and does not interact with connected toys or IoT devices.
• Online tools: we provide accessible tools for users to exercise their data rights, including account deletion and data export.

App Store Age Rating

LumenLingo is rated 4+ (educational content) on the Apple App Store. This rating reflects the app’s educational nature and absence of objectionable content. The app does not require account registration and stores all learning data locally on the device.

For website services that collect personal data (newsletter, waitlist), the minimum age is enforced according to the user’s jurisdiction as described in our Age of Digital Consent section above.

Data Retention & Deletion

We only keep your data for as long as necessary:

Website Data

• Newsletter/waitlist emails — retained until you unsubscribe, plus up to 30 days to process your removal.
• Sentry error logs — retained by Sentry for 90 days, then automatically deleted.
• Sentry session replays — retained by Sentry for 90 days, then automatically deleted.
• Vercel Analytics — aggregated, cookie-free analytics data is retained for 30 days from collection, then automatically purged. No personally identifiable information is stored.
• Consent records — retained for 3 years after your last interaction, as required for GDPR accountability.
• Data request logs — retained for 3 years after completion, as required for GDPR accountability.

iOS App Data

• Delete account — use the in-app Settings → Sign Out → Delete Account to permanently erase all learning data, progress, preferences, and iCloud sync data. This action cannot be undone.
• Delete the app — uninstalling LumenLingo removes all locally stored data.
• iCloud data — you can manage iCloud storage through your device’s Settings → Apple ID → iCloud → Manage Storage.
• Subscription — cancel your subscription through Settings → Apple ID → Subscriptions. No data is retained by us after cancellation.

Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in accordance with UK GDPR Article 33. Where notification to the ICO is not made within 72 hours, it shall be accompanied by reasons for the delay.

If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, in accordance with UK GDPR Article 34. We will communicate to you in clear and plain language:

• The nature of the personal data breach, including where possible the categories and approximate number of data subjects and records concerned
• The name and contact details of our data protection lead from whom you can obtain more information
• The likely consequences of the breach
• The measures taken or proposed to address the breach, including, where appropriate, measures to mitigate its possible adverse effects

We maintain internal breach response procedures, including a breach register, to ensure we can detect, report, and investigate personal data breaches effectively. For questions about our breach notification procedures, contact us at Almost ready.

Law Enforcement and Government Requests

Lumenshore will only disclose personal data to law enforcement authorities or government bodies when legally compelled to do so — for example, pursuant to a court order, warrant, or statutory obligation under the Data Protection Act 2018, section 7.

Where we receive a valid legal demand for personal data, we will notify the affected user unless we are legally prohibited from doing so (for example, by a non-disclosure order attached to the demand).

We will resist any request that we consider to be overbroad, disproportionate, or lacking a proper legal basis. We do not voluntarily provide personal data to any government body, and we do not participate in mass surveillance programmes.

If you have questions about our approach to law enforcement requests, please contact us at Almost ready.

Automated Decision-Making and Profiling

We do not use your personal data for automated decision-making that produces legal effects or similarly significant effects on you, as defined by UK GDPR Article 22.

Our app uses a spaced-repetition algorithm to optimise your learning schedule. This is pedagogical optimisation only — it determines when to show you a flashcard, not any decision with legal or similarly significant effects on you.

If we ever introduce automated decision-making with legal or significant effects in the future, we will update this policy and ensure you have the right to: (a) obtain human intervention, (b) express your point of view, and (c) contest the decision, as required by UK GDPR Article 22(3).

California Notice at Collection (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) require that we disclose the categories of personal information we collect, the purposes for collection, and whether such information is sold or shared. This notice is provided at or before the point of collection.

Do Not Sell or Share My Personal Information

Lumenshore does not sell your personal information to third parties. We do not share your personal information for cross-context behavioural advertising. Because we do not engage in these practices, there is no need to opt out — but we provide this disclosure as required by the CCPA/CPRA.

If our practices ever change, we will update this policy and provide a mechanism for you to opt out before any sale or sharing begins.

California residents may also use the Global Privacy Control (GPC) browser signal to communicate their opt-out preference. We honour GPC as a valid opt-out request under the CPRA.

Your Rights

Depending on your location, you may have additional rights regarding your data:

Under GDPR (European Economic Area & UK)

• Right to access your data — app data is on your device and iCloud; for website data, contact us.
• Right to rectification — edit app preferences directly; for website data, contact us.
• Right to erasure — use the in-app Delete Account feature, delete the app, or contact us to remove your email from our lists.
• Right to data portability — export all your personal data as a free JSON download from Settings → Export My Data in the iOS app. Your data is always stored in standard formats. Contact us for website data export.
• Right to object — contact us to opt out of anonymous analytics or to object to processing based on legitimate interest.
• Right to restrict processing — contact us to request that we limit how we process your data.
• Right to lodge a complaint — you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113, or with your local supervisory authority if you are outside the UK.
• Right to withdraw consent — where we rely on consent as a legal basis (e.g., analytics), you may withdraw your consent at any time by adjusting your cookie preferences or contacting us at Almost ready. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

Under CCPA/CPRA (California)

• Right to know — you may request that we disclose the categories and specific pieces of personal information we have collected about you. See the Notice at Collection section above.
• Right to delete — you may request deletion of your personal information. Use the in-app Delete Account feature, delete the app, or contact us to remove website data.
• Right to correct — you may request correction of inaccurate personal information. App data can be edited directly; for website data, contact us.
• Right to opt out of sale or sharing — we do not sell or share personal information for cross-context behavioural advertising. No opt-out action is required.
• Right to limit use of sensitive personal information — we do not collect sensitive personal information as defined by the CCPA/CPRA.
• Non-discrimination — we will not deny you services, charge different prices, or provide a different quality of service because you exercised your privacy rights.

For California residents, we will acknowledge your request within 10 business days and respond substantively within 45 calendar days. If more time is needed, we may extend by an additional 45 days with notice. We may verify your identity by matching information you provide with data we have on file.

Under US State Privacy Laws (Virginia, Colorado, Connecticut & Others)

If you reside in Virginia, Colorado, Connecticut, Utah, or other US states with comprehensive privacy laws, you hold similar rights to those described under CCPA/CPRA above. These laws include the Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), and Connecticut Data Privacy Act (CTDPA).

• Right to access — you may confirm whether we process your personal data and request a copy.
• Right to correct — you may request correction of inaccurate personal data.
• Right to delete — you may request deletion of your personal data.
• Right to data portability — you may obtain your data in a portable, readily usable format.
• Right to opt out — you may opt out of targeted advertising, the sale of personal data, and profiling. Lumenshore does not engage in any of these practices.

If we decline your request, you may appeal by contacting us at Almost ready. We will respond to appeals within 60 days. If you are unsatisfied with the outcome, you may contact your state attorney general's office.

Colorado and Connecticut require us to honour universal opt-out signals such as Global Privacy Control (GPC). We honour GPC across all jurisdictions.

Verification & Response Process

To protect your data, we will verify your identity before processing a rights request. We may ask you to confirm the email address associated with your account or subscription, or to provide other identifying details that match our records.

You may designate an authorised agent to make a request on your behalf. We will require proof of the agent's authority (such as a signed authorisation or power of attorney) and may still verify your identity directly.

Response Timeframes

• CCPA/CPRA (California) — acknowledgement within 10 business days; substantive response within 45 calendar days (extendable by an additional 45 days with notice).
• VCDPA (Virginia) — response within 45 days (extendable by an additional 45 days with notice).
• CPA (Colorado) — response within 45 days (extendable by an additional 45 days when reasonably necessary).
• CTDPA (Connecticut) — response within 45 days (extendable by an additional 45 days with notice).
• GDPR (EEA & UK) — response within one calendar month (extendable by two further months for complex requests).

To exercise any of these rights, email us at Almost ready or submit a request through our Data Request page. We will respond within the applicable timeframe for your jurisdiction. We may need to verify your identity before processing certain requests.

Your California Privacy Rights

Under California Civil Code § 1798.83 ("Shine the Light"), California residents may request information about the disclosure of personal information to third parties for direct marketing purposes. Lumenshore does not disclose personal information to third parties for their direct marketing purposes.

To exercise any California privacy right — including rights under the CCPA/CPRA — email us at Almost ready with the subject line "California Privacy Rights" or submit a request through our Data Request page.

Global Privacy Control & Do Not Track

We honour the Global Privacy Control (GPC) signal. When your browser sends a GPC signal (via the Sec-GPC HTTP header or the navigator.globalPrivacyControl JavaScript API), we treat it as a valid opt-out request for non-essential data processing.

Under the California Privacy Rights Act (CPRA), GPC constitutes a valid opt-out of the sale or sharing of personal information. Under the Colorado Privacy Act and Connecticut Data Privacy Act, we are required to honour universal opt-out mechanisms including GPC.

When a GPC signal is detected, we automatically suppress all non-essential tracking on our website — including analytics events and session replay — regardless of any prior cookie consent preferences.

We also honour the Do Not Track (DNT) browser signal. Although DNT has been deprecated by the W3C, we treat it identically to GPC for consistency and as a demonstration of our commitment to privacy.

Policy Updates

We may update this Privacy Policy from time to time, typically to reflect changes in our services or legal requirements. When we make significant changes, we’ll update the “Last updated” date and version number at the top of this page.

We encourage you to review this page periodically. Continued use of LumenLingo after changes constitutes acceptance of the updated policy.

Version History

• v2.3 (27 March 2026) — Phase 3 legal fortification: added limitation of liability cross-reference to Terms, added dispute resolution section referencing Terms for non-GDPR disputes with GDPR Art. 79 carve-out, standardised all contact email addresses to Almost ready.
• v2.2 (26 March 2026) — Phase 2 legal hardening: standardised company name to Lumenshore Limited throughout; added GDPR Art. 77 ICO complaint right and contact details; added processor sub-processor register; enhanced international transfer safeguards; added regional privacy frameworks (Japan APPI, China PIPL, Brazil LGPD, Germany BDSG, Australia Privacy Act, India DPDP, Canada PIPEDA, South Korea PIPA, Switzerland FADP); improved electronic communications and PECR compliance disclosures.
• v2.1 (26 March 2026) — Reorganised sections: moved commercial/regulatory compliance disclosures (VAT treatment, EU VAT, international tax, pricing compliance, sanctions, encryption export controls) to Terms of Service. Added cross-reference to Terms. Consolidated trademark attribution to shared Legal namespace. No content was removed.
• v2.0 (23 March 2026) — Extended policy to cover lumenlingo.com website data collection, added Sentry session replay disclosure, Vercel Analytics disclosure, legal basis for processing, data flow section, and service worker caching details.
• v1.0 (22 March 2026) — Initial privacy policy covering the LumenLingo iOS app.

Limitation of Liability

For details on our liability limitations, please refer to the Limitation of Liability section in our Terms of Service.

Dispute Resolution

For disputes not relating to data protection, the dispute resolution provisions of our Terms of Service apply, including informal resolution, mediation, and court proceedings governed by the laws of England and Wales.

For data protection disputes, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) or to seek a judicial remedy under GDPR Article 79 and the Data Protection Act 2018 section 167, without prejudice to any other administrative or non-judicial remedy available to you.

EU Representative (GDPR Art. 27)

Lumenshore Limited is incorporated in England and Wales and is therefore established outside the European Economic Area (EEA). Where Lumenshore offers its Service to individuals in the EEA or monitors their behaviour within the EEA, it may be subject to the obligation under GDPR Art. 27 to designate a representative in the EU.

LumenLingo processes minimal personal data and does not systematically monitor the behaviour of EU-based individuals. The app's learning algorithms operate locally on users' devices and do not involve server-side profiling or tracking.

Lumenshore Limited, Almost ready

Lumenshore will review this assessment periodically and will formally appoint an EU representative under GDPR Art. 27 if required by changes in processing activities, applicable guidance, or regulatory requirements.

EU-based individuals have the right to lodge a complaint with their local data protection supervisory authority. A list of EEA supervisory authorities is available on the European Data Protection Board website.

If Lumenshore formally appoints an EU representative in the future, the representative's details will be published in this Privacy Policy and communicated to the relevant supervisory authority in accordance with GDPR Art. 27(4).

Contact Us

If you have questions about this Privacy Policy, your data, or want to exercise your rights, please reach out:

• Email: Almost ready
• Company: Lumenshore Limited, Windsor House, Troon Way Business Centre, Humberstone Lane, Leicester, England, LE4 9HA
• Company Number: 09607326 (England and Wales)
• VAT Number: GB 270411929

We typically respond within 48 hours and within 30 days for formal data rights requests.