Legal

Privacy Policy

Effective date: June 1, 2026

Proapptiva S.R.L.S — proapptivasrls@gmail.com

🇮🇹 Italiano 🇬🇧 English 🇪🇸 Español

1. Who We Are and Scope

This Privacy Policy describes how Proapptiva S.R.L.S ("we", "us", "our"), an Italian limited liability company, collects, uses, and protects your personal data when you use the Lumideo mobile application ("the Service"). Effective date: June 1, 2026. We act as the data controller under the EU General Data Protection Regulation (GDPR) and other applicable privacy laws. We may update this policy at any time; material changes will be notified via email or in-app notification.

2. Data We Collect

We collect the following categories of personal data: Account data: your name, email address, username, and profile photo (if uploaded). Video capsule data: the video files and optional text messages you record and submit through the Service. Video files are stored encrypted in Google Cloud Storage (Firebase). Capsule metadata (creation date, unlock date, recipient, duration) is stored in Google Firestore. Authentication data: hashed password credentials, or social authentication tokens (Apple or Google), managed by Firebase Authentication. Device and technical data: device type, operating system version, app version, and push notification token, collected automatically. Website data: when you visit lumideo.app, we may collect technical data such as browser language, device type, page viewed, referrer, download button interactions, scroll depth, and page performance metrics. Usage analytics: anonymized, aggregated data about which app features are used and how often, via Firebase Analytics and PostHog EU. This data cannot be used to identify you individually. Website analytics: with your consent, we use Google Analytics 4 to measure visits, page views, clicks to the App Store and Google Play, language selection, device category, and website traffic sources. Error reports: in the event of a crash, technical diagnostic data is sent to Sentry for debugging. Error reports do not include the content of your video capsules.

3. How We Use Your Data

We use your data exclusively for the following purposes: • To create and manage your account and authenticate your identity. • To store your video capsules and deliver them to you or your designated recipients on the specified unlock date. • To send push notifications informing you when a capsule has been unlocked or when someone sends you a capsule. • To detect and prevent fraud, abuse, and security threats. • To diagnose and fix technical errors via Sentry. • To understand aggregated usage patterns via Firebase Analytics and PostHog EU to improve the Service. • To measure website performance and download CTA effectiveness via Google Analytics 4, only after your consent. • To comply with our legal obligations. We will never sell your personal data to third parties, and we will never use it for advertising or marketing purposes.

4. Legal Basis for Processing (GDPR)

If you are in the European Economic Area (EEA), we process your personal data on the following legal bases: • Contract performance (Art. 6(1)(b) GDPR): processing your account data and video content is necessary to provide the Service. • Legitimate interests (Art. 6(1)(f) GDPR): error monitoring (Sentry), anonymized app analytics (Firebase Analytics and PostHog EU), and web font delivery are necessary for maintaining a safe, functional, and consistent service. • Consent (Art. 6(1)(a) GDPR): website analytics through Google Analytics 4 are activated only if you accept them through the consent banner. • Legal obligation (Art. 6(1)(c) GDPR): where we are required to retain or disclose data by applicable law.

5. Third-Party Data Processors

We use the following sub-processors, each bound by a Data Processing Agreement: Google Firebase / Google Cloud Platform (Google LLC, USA): provides database (Firestore), file storage (Cloud Storage), authentication, and cloud infrastructure. Certified under the EU-US Data Privacy Framework. Google privacy policy Google Analytics 4 / Google Fonts (Google LLC, USA): used to measure website usage after consent and to serve the web fonts loaded by the site. Google may receive technical data such as truncated or pseudonymized IP address, user agent, browser language, referrer, and page interactions. Google privacy policy PostHog EU (PostHog, Inc. / EU infrastructure): used for product analytics and in-app event measurement. It may receive usage events, technical device properties, and functional metadata needed to analyze user experience and improve the Service. PostHog privacy policy Sentry (Functional Software, Inc., USA): receives anonymized crash and error reports. Does not receive video content. Certified under the EU-US Data Privacy Framework. Sentry privacy policy Apple Inc. (USA): push notification delivery via Apple Push Notification Service (APNS) for iOS. Expo (Expo Technology, Inc., USA): push notification infrastructure.

6. Video Capsule Privacy

Your video capsules are stored encrypted at rest in Google Cloud Storage. Access to video files is controlled via Firebase Storage Security Rules, which restrict read access to the capsule sender and designated recipient(s). We do not view, analyze, or process the content of your capsules except as technically required to store and deliver them. The recipient cannot access the video content before the designated unlock date. Please note that, as with any digital content, we cannot technically prevent a recipient from recording their screen or otherwise capturing the video once it has been unlocked and is being played. We encourage users to share capsules only with people they trust.

7. Data Retention

We retain your personal data for as long as your account is active. If you delete your account: • Your account data and capsule metadata in Firestore are deleted within 30 days. • Your video files in Google Cloud Storage are deleted within 30 days. • Anonymized, aggregated analytics data may be retained longer for statistical purposes. • Certain data may be retained longer if required by law. Error logs in Sentry are retained for 90 days and then automatically deleted.

8. Your Rights

Depending on your location, you may have the following rights regarding your personal data: • Right of access: request a copy of the personal data we hold about you. • Right to rectification: request correction of inaccurate or incomplete data. • Right to erasure ("right to be forgotten"): request deletion of your account and all associated data. You can do this directly from the app settings, or by contacting us. • Right to restriction: request that we limit processing of your data in certain circumstances. • Right to data portability: request your data in a machine-readable format. • Right to object: object to processing based on legitimate interests. For EU/EEA users, you also have the right to lodge a complaint with your national data protection authority. In Italy, this is the Garante per la Protezione dei Dati Personali. To exercise any of these rights, contact us at proapptivasrls@gmail.com. We will respond within 30 days.

9. International Data Transfers

Some of our third-party service providers (including Google LLC and Functional Software, Inc.) are based in the United States. We ensure that international data transfers comply with GDPR by relying on providers certified under the EU-US Data Privacy Framework or that have executed EU Standard Contractual Clauses (SCCs) with us.

10. Security

We implement industry-standard security measures including: • Encryption of video files at rest and in transit (TLS). • Firebase Security Rules restricting database and storage access to authorized users only. • Regular security reviews of our Firebase configuration. In the event of a data breach likely to result in a risk to your rights and freedoms, we will notify the appropriate supervisory authority within 72 hours.

11. Children's Privacy

The Service is not directed to children under 13 years of age. We do not knowingly collect personal data from children under 13. If you believe we may have such data, please contact us at proapptivasrls@gmail.com.

12. Analytics and Tracking

We do not use advertising trackers or sell data to advertisers. Firebase Analytics and PostHog EU collect anonymized or pseudonymized app usage data to help us improve the Service. On the website, we use Google Analytics 4 only after your consent. Events we may measure include visits, page views, clicks on App Store or Google Play buttons, language selection, scroll depth, device category, and referrer/UTM campaign data. We do not enable advertising features, remarketing, or ad personalization. Your consent choice is stored in your browser through localStorage. The website also uses Google Fonts for typography rendering and may use strictly necessary technical cookies or storage for site functionality.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or via an in-app notification at least 14 days before the change takes effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

14. Contact and Data Protection

For any privacy-related questions, requests to exercise your rights, or concerns about how we handle your data: Email: proapptivasrls@gmail.com Proapptiva S.R.L.S, Italy We aim to respond to all privacy requests within 30 days.