
Privacy Policy

Effective Date: April 22, 2026
Last Updated: June 23, 2026

LUUA LLC ("LUUA," "we," "us," or "our") respects your privacy and is committed to protecting personal information. This Privacy Policy describes how we collect, use, disclose, store, and otherwise process personal information in connection with the LUUA website (luuaplay.com), mobile applications, journals, digital tools, educational content, programs, and related services (collectively, the "Services"). LUUA LLC is a limited liability company organized under the laws of the State of Connecticut, United States, with its principal place of business at 463 Danbury Road, Wilton, CT 06897.

Please read this Privacy Policy carefully. By using the Services, you acknowledge and consent to the practices described in this Policy. For privacy-related questions or requests, contact us at privacy@luuaplay.com.

1 Important Children's Privacy Notice

LUUA's Services are designed for and used by children, families, schools, and adults. LUUA is structured as an adult-mediated educational and general wellness service — children's access to our Services is mediated through a parent, guardian, school, teacher, camp, or other authorized adult or institution.

We do not knowingly collect personal information from children under 13 in the United States without verifiable parental consent. Equivalent rules apply to children under the digital age of consent in other jurisdictions (e.g., 13–16 across EU member states under GDPR, 14 in Colombia under Habeas Data Law 1581, 18 for full capacity in Venezuela under LOPDP, with parental authorization required for minors).

Children under 13 in the United States may not independently create a LUUA account. Where children use the Services, the account is held by an adult (parent, guardian, or institutional user), and the child's information is collected and processed only as necessary to deliver the Service.

If you are a parent or legal guardian and believe your child has provided personal information contrary to applicable law or this Privacy Policy, contact us immediately at privacy@luuaplay.com. We will investigate and, where required, delete the information.

A separate Children's Privacy Notice (available at luuaplay.com/legal/childrens-privacy) describes our children's-data practices in plain language for parents and guardians.

2 Information We Collect

2.1 Information You Provide Directly

Depending on how you use the Services, we may collect:

  • Identification: name, email, phone (if provided), postal/shipping address;
  • Account credentials: username, password (encrypted, never stored in plaintext);
  • Profile information: language preference, currency, family role, region;
  • Billing and transaction: payment card details (processed by Stripe/Shopify — we do not store full card numbers), order history, billing address, tax/VAT information where applicable;
  • Customer support communications: the content of your inquiries, complaints, and our responses;
  • Survey responses and quiz answers (e.g., from the "Which LUUA journal" recommendation quiz);
  • Institutional information: for schools, organizations, and partners — school name, professional contact, role (teacher, admin, principal, camp director), country, signed agreement details;
  • User-submitted content: journal entries, reflections, photos, testimonials, community posts, and any other content you choose to upload (where features are enabled);
  • Marketing preferences: newsletter and SMS/WhatsApp opt-ins.

2.2 Child-Related Information

Where child-facing functionality is available and properly authorized by a parent, guardian, or institution, we may collect limited child-related information, including: child profile nickname, initials, avatar, or non-identifying profile label; age band or developmental stage (e.g., 6–9); language preference (English / Spanish / bilingual); content progress and feature usage within the LUUA app or program; parent- or educator-linked preferences (e.g., daily ritual reminders, completed practices); and limited content inputs where enabled (drawings, quiz responses, journal entries inside the app).

We collect only what is reasonably necessary to provide the Service to that child, and we limit retention as described in Section 9. We do not use children's information for behavioral advertising, third-party advertising profiles, or commercial profiling.

2.3 Information Collected Automatically

When you use the Services, we automatically collect: device type, browser type, operating system, app version; IP address (anonymized where feasible) and approximate location derived from IP (country/region); usage logs, session activity, pages viewed, actions taken; crash and performance diagnostic data; general analytics data (which features are used and for how long); and cookie and similar-technology data (see Section 7).

2.4 Information from Third Parties

We may receive information from third parties, including: payment processors (Stripe, Shopify, Apple Pay, Google Pay) — order and payment confirmation, fraud-prevention signals; app stores (Apple App Store, Google Play) — app installation data, subscription status; authentication providers (if you sign in via Google, Apple, etc.) — basic profile data per the provider's terms; analytics providers (Plausible — privacy-friendly, Meta Pixel — where you have consented to marketing cookies); email service provider (Klaviyo) — email engagement data; school or institutional administrators — student rosters and program enrollment data, governed by the Institutional Agreement; and business partners (e.g., Anima2 for the summer camp partnership) — limited program participation data per signed partnership agreements.

3 How We Use Information

We use personal information for the following purposes:

  • to provide, maintain, operate, secure, and improve the Services;
  • to create and manage your account;
  • to process payments, fulfill orders, manage subscriptions, and process refunds;
  • to deliver institutional programs (LUUA en el Aula) to schools and partners;
  • to provide customer support;
  • to personalize your experience (recommendations, language, region, age-appropriate content);
  • to provide educational and wellness features (app practices, journal prompts, family rituals);
  • to communicate with you about your account, orders, support requests, and Service-related matters (these communications are not optional);
  • to send marketing communications (newsletter, promotions, product launches), only with your consent — you can unsubscribe at any time;
  • to monitor performance, fix bugs, prevent fraud, and maintain security;
  • to comply with legal obligations (tax, accounting, regulatory requests, court orders);
  • to investigate fraud, abuse, safety incidents, policy violations, or unlawful activity;
  • to protect the rights, property, safety, and security of LUUA, our users, children, schools, institutions, and others;
  • to enforce these Terms, our Privacy Policy, our Master Disclaimer, and other policies;
  • for product development, analytics, research, and internal business purposes, consistent with applicable law.

We do not:

  • Sell personal information.
  • Use children's information for behavioral advertising or third-party advertising profiles.
  • Train external AI models on children's content or personally identifiable user content.
  • Use journal entries, reflections, or sensitive emotional content for marketing without explicit opt-in consent (and parental consent for minors).

4 Children's Privacy; Parental Rights

4.1 Child-Directed Context

Because child-directed services trigger heightened privacy obligations under multiple legal regimes (COPPA in the United States, GDPR in the European Union, LOPDP in Venezuela, Habeas Data in Colombia, LFPDPPP in Mexico, LGPD in Brazil, and others), parents, legal guardians, educators, and institutions should use the Services only in compliance with applicable law.

4.2 Parental or Guardian Involvement

Before collecting personal information from a child where required, we seek verifiable parental or guardian consent through one or more of the following methods (depending on jurisdiction and the nature of the data): email-plus confirmation; credit-card verification (where the parent makes a purchase); signed parental consent form; or institutional authorization (where the school or camp has obtained parental consent on our behalf under an Institutional Agreement).

4.3 Parent Rights

Subject to applicable law and reasonable identity verification, a parent or legal guardian may: review personal information collected from their child; request correction of inaccurate information; request deletion of their child's personal information; revoke previously granted consent at any time; refuse further collection or use of the child's personal information, subject to the limitations of Service functionality; and receive a description of what types of information we collect, why we collect them, and with whom we share them.

To exercise any of these rights, contact privacy@luuaplay.com. We respond within 30 days, or sooner if required by applicable law.

4.4 Data Minimization for Children

We limit the collection of children's personal information to what is reasonably necessary to support the relevant activity or feature. We do not require children to provide more information than is necessary to use a feature.

4.5 Schools, Educators, and Institutional Users

When LUUA is delivered through a school, camp, or institution under an Institutional Agreement, the institution is the data controller for student or participant information. LUUA acts as a service provider/sub-processor under that agreement. Student data is used only to deliver the program; it is not used to market to students or families directly, and it is not retained beyond the program's needs.

For United States schools, we honor education-record protections consistent with FERPA principles, including: limited access to student data on a need-to-know basis; inspection rights for parents and eligible students; support for institutional data-handling requirements; and deletion of student records upon termination of the Institutional Agreement, unless retention is required by law.

5 Legal Bases for Processing

Where applicable law requires us to identify a legal basis for processing personal information, we rely on one or more of the following:

  • Consent — for marketing, optional cookies, certain children's-data uses, and where law requires explicit consent;
  • Performance of a contract — to fulfill orders, deliver subscriptions, and provide Services you've requested;
  • Compliance with legal obligations — including tax, accounting, regulatory, and law enforcement requirements;
  • Legitimate interests — to improve our products, secure our Services, and grow our business, balanced against your privacy rights;
  • Protection of vital interests — in rare cases involving the safety of a person.

For children's personal information, where consent is the legal basis and parental consent is required by law, we rely on the consent of the parent or legal guardian.

6 How We Disclose Information

We share information only as described below. We do not sell personal information.

6.1 Service Providers (Data Processors)

We share information with vendors that help us operate the Services, including:

  • Exentur LLC (Glasgow, KY, USA) — tech and operations support, under a signed Data Processing Agreement;
  • Shopify — e-commerce platform and order management;
  • Stripe — payment processing;
  • Klaviyo — email delivery and marketing;
  • Sanity — content management;
  • Bunny.net — video and asset delivery via CDN;
  • Vercel — website hosting;
  • monday.com — internal CRM and operations;
  • Higgsfield, Kling AI — AI-powered asset generation (no end-user personal data shared — only LUUA-owned brand assets are processed);
  • Plausible — privacy-friendly analytics;
  • Meta (Pixel for advertising attribution) — only with your consent;
  • Vanta — SOC 2 compliance and security audit.

Each processor operates under a contract requiring them to protect your information, use it only for the purposes we specify, and comply with applicable data-protection laws.

6.2 Schools, Educators, and Institutional Users

Where you participate through a school, camp, or partner organization, we share information with that institution and its authorized personnel as necessary to deliver the program, under the Institutional Agreement.

6.3 Parents and Guardians

Where applicable, we share children's information with the child's parent or legal guardian (e.g., progress reports, account history).

6.4 Professional Advisors

We share information with auditors, legal counsel, insurers, accountants, and other professional advisors as needed for our business operations.

6.5 Legal Requirements

We may disclose information if required by law, subpoena, court order, government request, or to: comply with legal obligations; protect our rights, property, or safety; protect the rights, property, or safety of our users, children, or the public; and detect, prevent, or address fraud, abuse, security, or technical issues.

6.6 Business Transfers

If LUUA is involved in a merger, acquisition, financing, restructuring, sale of assets, or bankruptcy, your information may be transferred to the successor entity. We will notify you of any such change and any material changes to how your information is used.

6.7 Aggregated and Anonymized Data

We may share aggregated, de-identified statistics that cannot reasonably be used to identify you (e.g., "X% of teachers using LUUA report increased class engagement"). This data does not constitute personal information.

6.8 We Do Not Sell Children's Personal Information

We do not sell children's personal information under any circumstances. We also do not sell adult personal information for monetary consideration. Where state laws (like California's CCPA/CPRA) define "sale" or "sharing" more broadly to include certain advertising arrangements, we respect opt-out rights — see Section 12.

7 Cookies and Similar Technologies

We use cookies, SDKs, pixels, local storage, and similar technologies for the following purposes:

  • Essential cookies: authentication, cart functionality, security, fraud prevention (cannot be disabled);
  • Functional cookies: language preference, currency, accessibility settings;
  • Analytics cookies: Plausible (privacy-friendly, no personal tracking, no cross-site profiling);
  • Marketing cookies: Meta Pixel for advertising attribution — only with your consent.

You can manage cookie preferences via our cookie banner, your browser settings, or by visiting luuaplay.com/legal/cookies for full details. Where required by law (EU, UK, California, and others), we obtain consent before using non-essential cookies. We honor "Do Not Track" signals and Global Privacy Control (GPC) where technically feasible.

8 Analytics, Advertising, and Third-Party Tracking

We use Plausible (privacy-friendly analytics) by default — it does not use cookies for cross-site tracking and does not collect personal information. For users who consent to marketing cookies, we use Meta Pixel to measure advertising effectiveness. You can opt out at any time through our cookie banner or your account settings.

For child-directed experiences and the children's section of our Services:

  • We disable third-party advertising trackers;
  • We disable cross-app tracking;
  • We do not allow behavioral profiling of children;
  • We comply with platform requirements for kid-focused categories on Apple App Store and Google Play.

9 Data Retention

We retain personal information only as long as necessary for the purposes described in this Privacy Policy:

| Type of Information | Retention Period |
|---|---|
| Account information | Duration of your account, plus 90 days after closure |
| Order and transaction records | 7 years (US tax/accounting requirement) |
| Payment information | Not stored beyond transaction (processed by Stripe/Shopify) |
| Marketing data | Until you unsubscribe, plus 30 days |
| Children's data | Deleted upon parental request, when the child ages out of the program, or upon school/camp program termination |
| Institutional/school data | Per Institutional Agreement; default deletion upon agreement termination, unless retention is required by law |
| Customer support communications | 3 years |
| Analytics and usage data | 24 months in identifiable form; anonymized after |
| Legal hold or dispute-related data | Until the matter is resolved, plus the applicable statute of limitations |

When information is no longer needed, we delete or anonymize it. Some data may persist in backups for a limited period before secure deletion.

10 Data Security

We implement reasonable administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, disclosure, alteration, and destruction. Specific measures include:

  • TLS/HTTPS encryption for data in transit;
  • Encryption at rest for sensitive databases;
  • Access controls and authentication (including multi-factor authentication for staff);
  • Password management via NordPass for all staff;
  • Regular security reviews and penetration testing;
  • SOC 2 Type II compliance (in progress with Vanta) — see luuaplay.com/legal/security for current status;
  • Vendor risk management and signed Data Processing Agreements with all major processors.

No system is 100% secure. If we become aware of a breach affecting your personal information, we will notify you and applicable regulators as required by law (typically within 72 hours for serious breaches under GDPR, with comparable requirements in other jurisdictions). You are responsible for maintaining the confidentiality of your account credentials and for using appropriate precautions when using the Services.

11 International Data Transfers

LUUA operates from the United States but serves users across Latin America, the European Union, and elsewhere. Your personal information may be transferred to and processed in the United States or other countries where our processors operate.

For transfers from the European Union and United Kingdom, we rely on: Standard Contractual Clauses (SCCs) approved by the European Commission; the UK International Data Transfer Addendum; and other appropriate safeguards as required by GDPR Chapter V.

For transfers from Latin America, we comply with local cross-border transfer requirements, including those under: Habeas Data Law 1581 (Colombia); LOPDP (Venezuela); LFPDPPP (Mexico); and LGPD (Brazil).

By using the Services, you understand that your information may be transferred to and processed in jurisdictions with different data protection standards than your country of residence.

12 Your Rights and Choices

Depending on your location and applicable law, you may have the right to:

  • Access — request a copy of the personal information we hold about you;
  • Correct — update inaccurate or incomplete information;
  • Delete — request that we delete your information (subject to legal retention requirements);
  • Restrict or object — ask us to limit or stop certain types of processing;
  • Portability — receive your data in a portable, machine-readable format;
  • Withdraw consent — for processing based on consent (e.g., marketing);
  • Lodge a complaint — with your local data protection authority;
  • Opt out of "sale" or "sharing" — under California and similar state laws.

Region-Specific Rights

European Union / United Kingdom (GDPR / UK GDPR): Full rights as listed above. You may lodge complaints with your national Data Protection Authority. For EU residents, our representative for GDPR purposes will be appointed before marketing or substantial operations begin in the EU.

California, US (CCPA / CPRA): Right to know what we collect, use, and disclose; right to delete personal information; right to correct inaccurate information; right to opt out of "sale" or "sharing" (we don't sell, but you can opt out of cookie-based sharing); right to limit use of sensitive personal information; right to non-discrimination for exercising rights. For minors under 16, opt-in is required before any "sale" or "sharing" (we do not engage in these activities for minors regardless).

Other US states (Colorado, Virginia, Connecticut, Utah, Texas, Oregon, and others): rights vary by state — we honor applicable state laws.

Colombia (Habeas Data, Law 1581/2012): right to know, update, rectify; right to revoke authorization; right to request deletion; right to file complaints with the Superintendencia de Industria y Comercio (SIC).

Venezuela (LOPDP): right to access, correction, deletion, and consent withdrawal; right to file complaints with the competent national authority.

Mexico (LFPDPPP): ARCO rights — Access, Rectification, Cancellation, Opposition; right to file complaints with the Instituto Nacional de Transparencia (INAI).

Brazil (LGPD): equivalent to GDPR rights; right to file complaints with the ANPD (Autoridade Nacional de Proteção de Dados).

To exercise any right, email privacy@luuaplay.com. We will respond within the timeframe required by applicable law (typically 30–45 days). We may need to verify your identity before fulfilling certain requests, particularly for sensitive data or deletion.

13 School, Educator, and Institutional Privacy Context

Where the Services are used through a school, educational program, summer camp, organization, or other institution:

  • The institution is the data controller for participant information;
  • LUUA acts as a service provider/sub-processor under the Institutional Agreement;
  • Schools, camps, and institutions are responsible for determining their own legal obligations regarding parental notices, permissions, consent collection, and implementation;
  • For US schools, we support FERPA-aligned data handling;
  • For LATAM schools, we comply with local children's-data rules under LOPDP, Habeas Data, and equivalent laws;
  • For EU schools, we comply with GDPR's strict requirements for minors.

Institutional Agreements govern: what student data is collected; how it is used; retention and deletion; sub-processor relationships; breach notification; and termination and data return. Schools and institutions: contact privacy@luuaplay.com to request our Data Processing Addendum (DPA) for institutional partnerships.

14 Third-Party Links and Services

The Services may contain links to or integrations with third-party websites, apps, or services — including payment processors, app stores, social media platforms, partner organizations (e.g., Anima2), and school systems. We are not responsible for the privacy, content, or practices of third parties. Your use of third-party services is subject to their own terms and policies. We recommend reviewing the privacy policies of any third-party services you access through LUUA.

15 Sensitive Information; Not a Crisis Service

The Services are not intended for therapy, medical diagnosis, psychological treatment, or crisis response. Users should avoid submitting highly sensitive medical, psychiatric, diagnostic, or crisis-related information through journal entries, support communications, or community posts unless specifically required for a feature and clearly authorized by applicable law and our policies.

If you or someone in your care is in crisis or requires urgent professional care, do not rely on the Services. Contact emergency services or a crisis hotline:

  • United States: 988 (Suicide & Crisis Lifeline) or 911
  • Colombia: Línea 106 (Bogotá) or local emergency
  • Venezuela: Sociedad Venezolana de Psiquiatría or local emergency
  • Mexico: SAPTEL 55 5259-8121, or 911
  • European Union: 112
  • Other countries: your local emergency number

LUUA's Master Disclaimer (incorporated by reference) provides further detail.

16 Marketing Communications

You may opt in to receive marketing communications from LUUA via email, SMS, WhatsApp, or other channels. We will only send marketing communications if you have provided consent, and only as permitted by applicable law (including CAN-SPAM, TCPA, GDPR ePrivacy, Colombia's marketing rules, and equivalents).

To opt out:

  • Email: click "unsubscribe" in any marketing email, or email privacy@luuaplay.com;
  • SMS: reply "STOP" to any SMS message;
  • WhatsApp: reply "STOP" or contact us at privacy@luuaplay.com;
  • Account settings: update your preferences in your LUUA account.

Transactional communications (order confirmations, security alerts, account notifications, legal notices) are not optional and will continue regardless of your marketing preferences.

17 Automated Decision-Making

We do not engage in fully automated decision-making that produces legal or similarly significant effects on you. Some features may use automated logic (e.g., the journal recommendation quiz, content personalization), but these do not produce legally binding decisions about you.

If we begin using automated decision-making in a way that would affect you legally, we will provide additional notice and respect your right under GDPR Article 22 (and equivalents) to request human review.

18 Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by:

  • Posting the updated Policy at luuaplay.com/legal/privacy with a revised "Last Updated" date;
  • Where required by law, sending email or in-app notice;
  • Where required, obtaining renewed consent.

Continued use of the Services after the updated Policy becomes effective constitutes acceptance, to the extent permitted by law.

19 Contact Us

For questions, concerns, or requests about your privacy:

LUUA LLC
Attn: Privacy Team
463 Danbury Road
Wilton, CT 06897
United States
General Privacy: privacy@luuaplay.com
Security Incidents: security@luuaplay.com
Legal Matters: legal@luuaplay.com

For EU/UK residents: you also have the right to contact your local Data Protection Authority directly. For LATAM residents: you may also contact your country's national data protection authority (SIC in Colombia, INAI in Mexico, etc.).


© 2026 Luua LLC. All Rights Reserved