Lucio — Privacy Policy
This Privacy Policy describes how Aleksandr Iusupov PR Beograd ("Lucio," "we," "us," or "our") collects, uses, shares, and protects personal information when you use the Lucio meditation app and related services (the "Service"). It also describes your rights and how to exercise them.
This Policy applies globally. Depending on where you live, additional rights may apply to you under laws such as the EU/UK General Data Protection Regulation (GDPR/UK GDPR), the Serbian Law on Personal Data Protection (ZZPL), the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), the Brazilian LGPD, and the Russian Federal Law No. 152-FZ. Region-specific sections are marked below.
Data Controller:
Aleksandr Iusupov PR Beograd
Jurija Gagarina 231, local 329
11073 New Belgrade (Novi Beograd), Republic of Serbia
Company registration (matični broj): 67540565
Tax ID (PIB): 114393562
Contact: s.yousupov@gmail.com
1. Scope
This Policy applies to personal information we process when you:
- install, open, or use the Lucio mobile application;
- create, access, or manage a Lucio account;
- purchase or manage a Lucio subscription;
- communicate with us (e.g., by email).
The Service is intended for users aged 18 or older. We do not knowingly collect personal information from anyone under 18 (see Section 13).
2. Categories of Personal Information We Collect
We collect the following categories of information:
| Category | Examples | Source |
|---|---|---|
| Identifiers | Email address, user ID, device identifier, IP address, user-agent | Provided by you; collected automatically |
| Account Profile | Display name, language preference, time zone, optional profile details | Provided by you |
| Commercial Information | Subscription tier, subscription status, purchase history, transaction receipts | Apple App Store / Adapty |
| Content You Provide | Journal entries, reflections, survey responses, self-assessment answers, goals, quiz answers, feedback sent to support | Provided by you |
| Usage and Analytics Data | Session events (e.g., meditation started/completed, navigation, feature use), session duration, streak counts, distraction tags | Collected automatically via Amplitude |
| Diagnostic Data | Crash logs, error traces, performance metrics, device model, OS version | Collected automatically via Sentry |
| Inferences | AI-derived tags, mastery bands, technique signals, stage-advancement decisions, personalized content recommendations | Generated by our systems and by AI processors on your input data |
| Communications | Messages you send us via email or support channels | Provided by you |
We do not intentionally collect government identifiers, precise geolocation, biometric data, financial account numbers, or contact lists. Payments are processed by Apple; we never receive your credit card number.
2.1 Sensitive / Special-Category Data
Your journal entries, self-assessment answers, and survey inputs may reveal information about your mental or emotional state, religious or spiritual practices, or other sensitive topics. Under the GDPR this is special-category personal data (Article 9); under the CCPA/CPRA it is sensitive personal information. We process this data only to operate the Service you request, based on your explicit consent given at the point you choose to record such content. You can delete individual entries or your entire account at any time.
3. How We Collect Personal Information
- Directly from you — when you register, subscribe, answer the onboarding quiz, log a session, write a journal entry, or contact us.
- Automatically from your device — when you use the app (session events, crashes, device metadata).
- From third parties — from Apple (Sign in with Apple, subscription receipts), Google (Google Sign-In identity), Adapty (subscription state), and the AI processors that generate personalized content from your inputs.
4. How We Use Personal Information (Purposes and Legal Bases)
We use personal information for the following purposes. For users in the EU/UK/Serbia, the legal basis under the GDPR and ZZPL is indicated.
| Purpose | Data Used | Legal Basis (GDPR / ZZPL) |
|---|---|---|
| Provide the Service, including accounts, sessions, journaling, subscriptions, and support | Identifiers, Account, Commercial, Content, Usage | Performance of a contract (Art. 6(1)(b)) |
| Personalize content via AI (Dive-Ins, Today's Focus, survey insights, self-assessment questions) | Content, Usage, Inferences | Performance of a contract (Art. 6(1)(b)) and, for sensitive content, your explicit consent (Art. 9(2)(a)) |
| Measure and improve product performance and reliability | Usage, Diagnostic | Legitimate interests (Art. 6(1)(f)) — providing a reliable service |
| Prevent fraud, abuse, and unauthorized access | Identifiers, Diagnostic, Usage | Legitimate interests (Art. 6(1)(f)) — security |
| Send transactional communications (account, subscription, service updates) | Identifiers, Account, Commercial | Performance of a contract (Art. 6(1)(b)) and legal obligations (Art. 6(1)(c)) |
| Send optional marketing or product-update emails (where enabled) | Identifiers, Account | Consent (Art. 6(1)(a)), withdrawable at any time |
| Comply with legal obligations (tax, accounting, lawful requests) | As required | Legal obligations (Art. 6(1)(c)) |
| Defend legal claims | As required | Legitimate interests (Art. 6(1)(f)) |
We will not use your personal information for purposes materially different from those described above without notifying you and obtaining your consent where required.
5. Automated Processing and Artificial Intelligence
Lucio uses artificial intelligence to personalize parts of the Service. This section explains how.
Features that use AI:
- Personalized Dive-Ins — short guided reflections tailored to your practice history.
- Today's Focus — daily wisdom text generated from your recent sessions and selected archetype.
- Survey analysis — AI reviews your post-session survey to extract themes, technique signals, and suggested next steps.
- Self-Assessment — optional AI-generated questions during readiness checks.
- Text-to-speech — voice generation for guided audio.
AI processors we use:
- OpenAI (United States) — large language model processing for text features (journals, wisdom, Dive-In scripts, survey analysis).
- ElevenLabs (United States / EU via AWS) — text-to-speech audio generation.
Important facts:
- Your inputs are sent to these processors solely to generate outputs for you. They act as our processors (under contractual data-processing terms), not as independent controllers.
- By default, OpenAI retains API inputs for up to 30 days for abuse monitoring and then deletes them. OpenAI does not use our API inputs to train its general-purpose models (per OpenAI API terms, March 2023 onwards).
- We do not sell your inputs, and we do not allow any AI processor to use your content to train their models.
- AI outputs are probabilistic. They may be inaccurate, incomplete, or unsuitable for any particular purpose. AI outputs are not medical, psychological, or clinical advice. Always apply your own judgment and consult a qualified professional when appropriate.
- User controls: you can delete any individual journal entry or your entire account at any time. Deletion removes the entry from our database; it does not retroactively remove copies that a processor may have in short-term abuse-monitoring logs, which expire per the processor's retention policy.
Automated decision-making under GDPR Art. 22: AI-driven recommendations in Lucio do not produce legal or similarly significant effects on you, and therefore do not constitute "solely automated decision-making with legal effect" under GDPR Article 22. You can always disregard AI outputs and are never required to follow them.
6. How We Share Personal Information
We share personal information only as described below.
Service providers (processors). We share personal information with vendors who provide infrastructure, AI, analytics, payments, or customer support on our behalf. These providers may access only the information they need to perform their services, and they are bound by contractual data-processing obligations.
Affiliates and business transfers. We may share information with affiliated entities or in connection with a merger, acquisition, reorganization, or sale of assets. In any such transaction, we will ensure the recipient is bound by commitments consistent with this Policy.
Legal and safety. We may disclose information where we reasonably believe disclosure is required by law, to respond to lawful requests from authorities, to protect our rights or property, or to protect the safety of users or the public.
With your consent or at your direction. We share information with other parties only when you ask us to or consent.
Aggregated or de-identified data. We may share aggregated or de-identified information that cannot reasonably identify you.
We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising as defined under the CCPA/CPRA. We have not sold or shared the personal information of California consumers in the preceding 12 months.
7. Third-Party Processors (Named List)
| Processor | Purpose | Region | Privacy Policy |
|---|---|---|---|
| Apple Inc. | Sign in with Apple, in-app purchases, App Store subscription management | United States / global | apple.com/legal/privacy |
| Google LLC | Google Sign-In (OAuth identity) | United States | policies.google.com/privacy |
| Supabase Inc. | Database, authentication, file storage (hosted on AWS) | United States (AWS regions) | supabase.com/privacy |
| OpenAI, L.L.C. | AI language model processing for personalized content | United States | openai.com/policies/privacy-policy |
| ElevenLabs, Inc. | Text-to-speech audio generation | United States | elevenlabs.io/privacy |
| Adapty Inc. | Subscription receipts, entitlement, paywall configuration | United States | adapty.io/privacy |
| Amplitude Inc. | Product analytics (aggregated user behavior) | United States | amplitude.com/privacy |
| Functional Software, Inc. d/b/a Sentry | Error and crash telemetry | United States (EU region available) | sentry.io/privacy |
We may update this list from time to time; the current list is always available in the most recent version of this Policy.
8. Cookies, SDKs, and Similar Technologies
Lucio is a native mobile application and does not use web cookies in the traditional sense. The Service incorporates software development kits (SDKs) from the processors listed in Section 7. These SDKs may collect device identifiers, IP addresses, and usage events to perform their function (analytics, error reporting, subscription management, authentication). We do not use any SDK to link your activity to third-party data for cross-context behavioral advertising.
9. International Data Transfers
Personal information is processed in the United States (by our primary processors) and in the Republic of Serbia (by us as the controller). If you are located in the European Economic Area, the United Kingdom, or Switzerland, your personal information is transferred outside those regions.
We rely on the following safeguards for international transfers:
- Standard Contractual Clauses (SCCs) approved by the European Commission for transfers to processors in the United States and elsewhere.
- UK Addendum / International Data Transfer Agreement (IDTA) for transfers from the United Kingdom.
- Swiss-equivalent SCCs for transfers from Switzerland.
- EU-U.S. Data Privacy Framework where a processor is self-certified.
If you are located in the Russian Federation, by using the Service you provide your explicit consent to the cross-border transfer and processing of your personal information outside the Russian Federation (including the Republic of Serbia and the United States). We do not maintain servers in the Russian Federation; if you do not consent to such transfer, you must not use the Service.
You may request a copy of the safeguards applicable to your data by emailing s.yousupov@gmail.com.
10. How Long We Keep Personal Information
We keep personal information only as long as necessary for the purposes described in this Policy, subject to the following general retention periods:
| Category | Retention |
|---|---|
| Account profile and credentials | For the life of your account. Upon account deletion, removed within 30 days (a short safety window for accidental deletion and legal/fraud review). |
| Content you provide (journal, surveys, self-assessments) | For the life of your account. You can delete individual entries at any time. Upon account deletion, removed within 30 days. |
| Commercial / subscription records | For the life of your account, plus up to 10 years after account closure to comply with tax, accounting, and consumer-law record-keeping obligations. |
| Usage analytics (Amplitude) | Raw events retained up to 24 months, then aggregated or deleted. |
| Diagnostic / crash logs (Sentry) | Up to 90 days. |
| AI processor logs (OpenAI, ElevenLabs) | Up to 30 days per processor's default retention policy. |
| Customer support correspondence | Up to 3 years after the last communication. |
| Backups | Up to 35 days from creation, after which automatically overwritten. |
We may retain information longer where required by law, to resolve disputes, or to enforce our agreements.
11. Your Rights
11.1 Rights Under GDPR / UK GDPR / Serbian ZZPL
If you are in the European Union, the European Economic Area, the United Kingdom, Switzerland, or the Republic of Serbia, you have the right to:
- Access the personal information we hold about you and receive a copy;
- Rectify inaccurate or incomplete information;
- Erase your personal information ("right to be forgotten") in certain circumstances;
- Restrict processing in certain circumstances;
- Object to processing based on our legitimate interests or for direct marketing;
- Data portability — receive your personal information in a structured, commonly used, machine-readable format;
- Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of processing before withdrawal;
- Lodge a complaint with a supervisory authority. In Serbia this is the Commissioner for Information of Public Importance and Personal Data Protection (poverenik.rs); in the EU, your national Data Protection Authority; in the UK, the Information Commissioner's Office (ico.org.uk).
11.2 Rights Under CCPA / CPRA (California Residents)
If you are a California resident, you have the right to:
- Know the categories and specific pieces of personal information we have collected about you in the past 12 months, the sources, purposes, and third parties with whom we share it;
- Delete personal information we have collected from you, subject to certain exceptions;
- Correct inaccurate personal information we maintain about you;
- Opt out of the "sale" or "sharing" of personal information. Lucio does not sell or share personal information as those terms are defined under the CCPA/CPRA;
- Limit the use or disclosure of sensitive personal information to those uses necessary to provide the Service;
- Non-discrimination — we will not discriminate against you for exercising any of these rights (e.g., by denying Service, charging different prices, or providing a different level of quality).
You may designate an authorized agent to submit requests on your behalf; we may require verification of the agent's authority.
11.3 Rights Under Brazilian LGPD
If you are in Brazil, you have rights analogous to those under the GDPR, including access, correction, deletion, portability, and information about sharing. The data protection authority is the ANPD (gov.br/anpd).
11.4 How to Exercise Your Rights
To exercise any of these rights, email us at s.yousupov@gmail.com with a clear description of your request. For verification, we may ask you to confirm the email associated with your account and respond from that address. We will respond within 30 days (GDPR/UK/Serbia/Brazil) or 45 days (California), extendable once where allowed by law with notice to you.
In-app account deletion. You can delete your account at any time within the app by going to Settings → Account → Delete Account. Deletion is irreversible and will remove your profile, session history, journal entries, and other User Content in accordance with the retention schedule in Section 10.
12. Security
We implement administrative, technical, and organizational measures designed to protect personal information, including:
- TLS encryption for data in transit;
- Encryption at rest for databases and file storage (via Supabase / AWS);
- Access controls and the principle of least privilege for staff and contractors;
- Secure credential storage (JWT tokens stored in the iOS Keychain via secure storage);
- Logging and monitoring of unusual access;
- Regular review of processor security practices.
No security measure is perfect. If we become aware of a data breach affecting your personal information, we will notify you and relevant authorities as required by applicable law.
13. Children's Privacy
The Service is intended for users aged 18 or older. We do not knowingly collect personal information from individuals under 18. If you are a parent or guardian and believe that your child under 18 has provided personal information to us, please contact s.yousupov@gmail.com and we will delete it.
14. Changes to This Policy
We may update this Policy from time to time. If we make material changes, we will notify you by email or through an in-app notice before the changes take effect. The "Effective Date" at the top of this page shows when the current version took effect. Your continued use of the Service after the effective date constitutes acceptance of the updated Policy.
15. Regional Disclosures
15.1 European Union — Article 27 Representative
At this time the Service is offered to a relatively small, non-commercial-advertising audience and we rely on the derogation in Article 27(2)(a) of the GDPR. If and when our EU user base grows to the point that an Article 27 representative is required, we will appoint one and update this Policy. EU users may contact us directly at s.yousupov@gmail.com regarding any GDPR matter.
15.2 California — "Shine the Light"
California residents may request a list of categories of personal information we have disclosed to third parties for their direct marketing purposes in the preceding calendar year. Lucio does not disclose personal information to third parties for their own direct marketing purposes.
15.3 Russian Federation
The Service is made available in the Russian Federation for personal use; however, we do not actively market the Service within Russia. By using the Service in Russia, you provide your explicit consent to the collection, processing, and cross-border transfer of your personal data as described in this Policy (Federal Law No. 152-FZ). If you do not consent, you must not use the Service.
16. Contact Us
Questions or complaints about this Policy or our privacy practices can be sent to:
Aleksandr Iusupov PR Beograd
Jurija Gagarina 231, local 329
11073 New Belgrade, Republic of Serbia
Email: s.yousupov@gmail.com
If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority (see Section 11 for details).