Privacy Policy

Last updated: 18 April 2026

This Privacy Policy explains how MYTRACKHOLDING LLC ("we", "us", or "our") collects, uses, shares, and protects your personal data when you use Lunyb across the web app, mobile apps, and supporting services. It is written to satisfy our duties under the EU/UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), and equivalent regional laws.

1. Data we collect

We only collect data that we need to deliver Lunyb's security features. Concretely:

• Account data: email address, name, hashed password, country, language, and the marketing or product communications you opt into.
• Subscription and billing data: plan, renewal dates, transaction identifiers, and the last four digits of the payment method. Full card numbers are handled by RevenueCat (mobile in-app purchases) or Stripe / Adyen (web) and never reach our servers.
• Device and technical data: device model, operating system version, app version, IP address (truncated within 24 hours), language, time zone, and crash diagnostics.
• Threat Blocker DNS data: the DNS Shield runs locally on your device. We never see, log, or store your DNS queries on our servers. Queries that are not blocked by the local blocklist are forwarded to Cloudflare 1.1.1.2 (malware-blocking resolver). Only UDP port 53 (DNS) transits the local VPN profile — no other network traffic, no full URLs, no page contents, no unencrypted traffic.
• Reported scam numbers and call metadata: phone numbers and call duration you submit through the in-app reporting flow or the iOS Share Extension. We never record or store call audio. On iOS we ship a refreshed Call Directory blocklist to the system every 6 hours and Apple never tells us who is calling you; on Android an optional post-call prompt asks whether the number was a scam, and we never read your full call history.
• Wi-Fi safety scans: SSID, BSSID, encryption type, and a derived risk score for the network you ask Lunyb to evaluate.
• Password and breach checks: SHA-256 prefixes of the credentials you choose to verify against public breach corpora; we never see, store, or transmit the plaintext password.
• Photo Vault content: the photos you import are AES-256 encrypted on-device with a key derived from your biometric/PIN that we cannot recover. We can hold the encrypted blobs on your behalf but cannot read them. The optional "Intruder Selfie" feature (off by default, must be enabled explicitly) takes a front-camera photo after 3 wrong unlock attempts and stores it ONLY on your device.
• Security scan and protection history: timestamps, scores, and outcomes of the protection checks you run in the app.
• Customer support content: the messages, screenshots, and contact details you send when you reach out to us.
• Photo Guard reverse image search: photos you submit to Photo Guard are temporarily uploaded to our image-search edge function, matched against exposure databases via a SHA-256 hash computed locally, and discarded from our servers within 24 hours.

2. How we use your data

• Provide the service: run scans, return Threat Blocker results, sync your protection state across devices, and back up your encrypted Photo Vault.
• Improve our detection: train and tune our own scam-detection and fraud-prevention heuristics and machine-learning models on pseudonymised internal data so that the next user is better protected.
• Send transactional notifications: scan results, billing receipts, security alerts, and deletion confirmations.
• Prevent abuse: rate-limiting, anti-fraud, and integrity checks on the API and the Threat Blocker pipeline.
• Comply with legal obligations and respond to lawful requests from regulators and law-enforcement when we are required to.

3. Legal basis (EU/UK GDPR Art. 6)

• Performance of a contract (Art. 6(1)(b)) — to deliver the features you signed up for.
• Legitimate interest (Art. 6(1)(f)) — operating, securing, and improving a fraud-prevention service. We document a balancing test for every new use.
• Consent (Art. 6(1)(a)) — for App Tracking Transparency on iOS, push notifications, marketing email, and any optional feature that requires explicit opt-in.
• Legal obligation (Art. 6(1)(c)) — when we must retain or disclose data to satisfy a legal duty.

4. Third-party processors

We share the minimum amount of data needed with the following processors. Each is bound by a Data Processing Agreement and acts only on our instructions.

• Supabase (PostgreSQL hosting, authentication, edge functions) — primary backend, EU and US regions.
• Cloudflare — CDN, WAF, and 1.1.1.2 malware-blocking DNS upstream used by the Threat Blocker for queries that are not on our local blocklist. Cloudflare receives the domain name and the originating IP, governed by its own privacy policy.
• IPQualityScore — domain reputation lookups for Threat Blocker and the URL-safety checker.
• RevenueCat — mobile in-app purchase orchestration; receives anonymous purchaser identifiers and product metadata.
• Stripe and Adyen — web payment processing; PCI-DSS Level 1 providers.
• OneSignal (layered over Apple APNs / Google FCM) — push notification delivery; only the device push token is shared, never notification content.
• Branch — deep linking and attribution for invitation flows.
• SendGrid (Twilio) — transactional and security email delivery.
• Sentry — crash and error diagnostics, with IP truncation enabled.

5. We do not sell your personal data

We do not sell, rent, or trade personal information that identifies you. We may publish anonymised, aggregated statistics derived from reported scam numbers and malicious domains (for example, "%X new phishing domains seen this week") so the wider community is better protected. Those statistics never contain identifiers, IP addresses, or any field that could re-identify a user. Lunyb also complies with Apple's App Tracking Transparency framework: we never track you across other apps or websites, and we respect your "Ask App Not to Track" choice at the operating-system level.

6. Data retention

• Account data: kept while your account is active.
• Threat Blocker DNS history: kept until you tap "Clear my DNS history" in the app or until your account is deleted.
• Reported scam numbers and Wi-Fi scans: retained as part of the community threat database; the link to your account is removed when you delete your account.
• Account deletion: triggered immediately from the in-app Data & Privacy screen, with a 30-day undo window. After 30 days, all rows tied to your user_id are purged across protection tables.
• Backups: encrypted backups are rotated within 35 days.

7. Your GDPR rights

If you live in the EU, the UK, Switzerland, or another GDPR-aligned jurisdiction you can exercise the following rights at any time, free of charge:

• Right of access (Art. 15) — request a copy of the personal data we hold about you.
• Right to rectification (Art. 16) — correct inaccurate or incomplete data.
• Right to erasure (Art. 17) — delete your account and associated personal data.
• Right to restriction (Art. 18) and to object (Art. 21) — limit how we process your data, including objecting to processing based on legitimate interest.
• Right to portability (Art. 20) — receive your data in a structured, machine-readable format.
• Right to lodge a complaint with your local supervisory authority.

Exercise these rights in seconds via Settings → Data & Privacy in the app, or by emailing privacy@lunyb.com. We answer within 30 days.

8. California / CCPA & CPRA rights

California residents have the following rights under the CCPA/CPRA:

• Right to know what personal information we have collected, used, disclosed, and (if applicable) sold or shared.
• Right to delete your personal information.
• Right to correct inaccurate personal information.
• Right to limit the use and disclosure of sensitive personal information.
• Right to opt out of sale or sharing — Lunyb does not sell or share personal information for cross-context behavioural advertising. We honour Global Privacy Control (GPC) signals on the website.
• Right to non-discrimination for exercising any of these rights.

Submit any CCPA request through Settings → Data & Privacy in the app, or by emailing privacy@lunyb.com.

9. Security

• All traffic between your device and our servers is encrypted with TLS 1.2+.
• Data at rest is encrypted at the storage layer; Photo Vault content is additionally encrypted on-device with a key derived from your biometric/PIN that we cannot recover.
• Database access is gated by row-level security so a user can only ever see their own rows.
• API keys for partners (IPQualityScore, RevenueCat, Stripe, Adyen, etc.) live in server-side secrets and never leave our edge functions.
• Administrative access is scoped, reviewed, and audit-logged.

10. Contact

Questions, requests, or complaints? Email privacy@lunyb.com or write to us at the address below. We respond within 30 days.

MYTRACKHOLDING LLC, 75 Omega Dr, Suite 300, Newark, DE 19713, United States.