Privacy Policy

Last updated: 2026-05-05

Lusis ("we", "our", "the app") is a private location-sharing app operated by STODR LLC, a Washington State (USA) limited liability company ("STODR", "the operator"). This policy explains what data Lusis collects, how it's used, who it's shared with, and the choices you have.

Plain-English summary

The short version, in plain language, is:

We do not sell your data. Ever. To anyone. This is not a "we won't for now" — this is the business model.
We do not look at your data. No human at STODR reads your locations, your check-ins, or your saved places. The only exception is if you contact us for support and explicitly ask us to look at something specific in your account — and even then, we touch only what we need to help you.
We do not show you ads. No third-party advertising SDKs are in Lusis.
We do not run third-party analytics or tracking SDKs. No Google Analytics, no Firebase Analytics, no Segment, no Amplitude, no Mixpanel. We do log a small set of first-party diagnostic events to our own backend (e.g., "background service started", "fix gated") to debug bugs and tune battery use — see "Diagnostic and product telemetry" below for the full list.
This app is built for us too. We use Lusis with our own loved ones. We're not looking to sell the company, and if we ever did, we would only do so in a way that preserves these privacy commitments for existing users. No creepy pivots, no data fire sales.
You own your data. You can view, update, or delete it at any time. Most of it is editable directly from the app's settings.
Your location is only shared with the people you explicitly add to your shared circle. When you remove someone from your circle, they immediately lose access to your live location and any new check-ins.
You can delete your account and everything in it at any time. Use Delete account in the app's Settings, or see our deletion page for details. If you can't sign in, email [email protected] from your account's email address with the subject "Delete my Lusis account" and we'll wipe everything within 7 days.
You must be at least 13 years old to use Lusis. If you are under 18, you should have a parent or guardian's permission.

The rest of this document is the full legal version of the above.

Data we collect

Account data

When you sign up, we collect:

Email address — for authentication and password recovery
Display name — shown to other members of your shared circle
Profile photo (optional) — shown to other members of your shared circle
Phone number (optional) — for direct-call shortcuts from the people tray

Location data

When you enable location sharing, Lusis collects:

Latitude / longitude — your current position
Altitude, speed, heading — derived from GPS
Accuracy — how precise the GPS fix is
Battery level and charging state — so your circle can see if your phone is about to die
Timestamp — when the fix was recorded

Location is reported at an adaptive interval that balances accuracy against battery life — faster updates while you're moving, slower updates while you're stationary, and longer gaps when your battery is low. The exact tuning changes over time as we learn more from real usage; specific intervals aren't part of this policy.

Usage data

Check-in messages — short one-tap messages (kisses, hugs, ETAs, "on my way") you send to people in your circle
Saved places — named locations (home, school, gym) and their radii
Geofence events — when you arrive at or leave a saved place, if you've enabled notifications for that place

Technical data

Device type (iOS or Android) and OS version — for compatibility
App version — for bug triage
Push notification token — so we can deliver check-in notifications

Activity and motion data

To save battery, Lusis adapts how often it reports your location based on whether you're moving. To do this, the app reads short-term signals from your phone:

Activity recognition (Apple/Google APIs that classify whether you're stationary, walking, cycling, or driving)
Pedometer / step counter — used as a wake-up signal; never persisted

Raw activity history is not retained. The classification is used to set the next location update interval and is then discarded.

Crash and diagnostic reports

When the app crashes or hits an unexpected error, we collect a diagnostic report containing:

Stack trace — the code path that led to the error
Device model and OS version
App version and build number
Breadcrumbs — anonymized recent in-app events (e.g., "navigated to map", "fetched circle members")
Your user ID (a random UUID — not your email or name) — so we can tell whether the same user is hitting an error repeatedly

We do not deliberately include personal information in crash reports. Crash reports are sent to Sentry (sentry.io); see "Service providers" below.

In-app feedback

When you submit feedback through the in-app form, we store the text you typed, your user ID, and a timestamp. We read it manually to triage bugs and improve the app. You can request deletion of any feedback you've submitted by emailing [email protected].

Diagnostic and product telemetry

Lusis logs a small set of named events to its own backend (Supabase) to diagnose bugs and tune the location and battery algorithms. These are first-party events — none of them are sent to any third-party analytics service.

Examples of events we log:

App lifecycle: app started, background service started/stopped, service unhealthy and restarted
Location pipeline: activity changed (e.g., walking → still), fix gated (location update skipped because not enough movement), reverse-geocoding called
Permission state: notifications denied, activity recognition unavailable
Errors: geocoder failed, auth refresh failed

Each event is stored with your user ID, the event name, a timestamp, and a small structured payload (typically: device state, an error message, or a coarse-rounded location). We do not include the contents of check-in messages, the names of saved places, your phone number, or your email in these events.

Permissions we request

Location (foreground and background) — to share your location with your circle. Without it the app's core feature does not work. You can revoke this at any time in your phone's settings.
Activity recognition — to detect movement and adapt the location update interval (saves battery).
Photo library — only when you choose to set or change your profile picture. The app reads the photo you pick; it does not browse your library.
Camera — only when you choose to take a new profile picture from inside the photo picker. The app does not record video and does not capture frames in the background.
Notifications — to deliver check-ins and circle alerts.
Foreground service (Android) — to keep location reporting alive while the app is in the background.

How we use your data

We use the data above only to:

Show your location to members of your shared circle you've explicitly invited and who have accepted the invitation.
Deliver check-in messages from one circle member to another.
Trigger geofence notifications when you arrive at or leave a saved place.
Operate the app — authentication, data sync, crash diagnostics, and minimal server-side logs required for service operation. We use a third-party crash reporter (Sentry) to be told when the app fails, but we do not use any analytics SDK, advertising SDK, attribution SDK, or behavioral tracker.

We do not use your data for:

Advertising
Profiling
Sale to third parties
Sharing with data brokers
Training machine learning models

Where your data is stored

Account data, location history, check-ins, saved places, profile photos, push tokens, user-submitted feedback, and diagnostic event logs are stored on Supabase infrastructure (supabase.com), which uses data centers in the European Union (Frankfurt, Germany). Data is encrypted at rest and in transit. Supabase is our data processor; they process data only on our instructions and do not use it for their own purposes.

Crash and diagnostic reports are stored separately by Sentry (see Service providers below).

Service providers

Lusis relies on a small set of third-party services to operate. Below we describe what each category of service receives. The currently-named providers in each category are listed at the end of this section; we update that list whenever a provider changes, but the descriptions of what each category sees do not change.

Backend storage and authentication. Stores everything described in "Data we collect" above (account data, location history, check-ins, saved places, profile photos, push tokens, user feedback, and diagnostic event logs). Hosted in the European Union, encrypted at rest and in transit.
Crash and error reporting. Receives the diagnostic information described in "Crash and diagnostic reports" above (stack trace, device model, OS version, app version, breadcrumbs, and your user UUID). Does not receive your email, name, IP address, location data, or any check-in or feedback content.
Push notification delivery. Receives your device's push token and the notification payload (the title and body text you would see on the lock screen). Routes through Apple's Push Notification service on iOS and Google's Firebase Cloud Messaging on Android.
Over-the-air update delivery. When the app checks for JavaScript updates, the update server sees your device's IP address, OS, app version, and the update channel name. No account information is sent.
Map tile rendering. Serves the map tiles displayed inside the app, using OpenStreetMap data. The tile server sees your IP address and the tile coordinates corresponding to the part of the map currently in view. No account information is sent.
Reverse geocoding (turning a latitude/longitude into a place name shown in the app). When the app needs a place name, the coordinates are sent to the geocoder and the result is cached on your device. No account information is sent.
Route snapping (matching a recorded movement track to the nearest roads, e.g. during a bike or drive replay). When you view such a route, the route's coordinates are sent. No account information is sent.

We do not use any analytics, advertising, attribution, fingerprinting, or A/B-testing services.

Currently-named providers

This list reflects the providers in each category as of the "Last updated" date at the top of this page. When a provider changes, we update this list and the date.

Backend storage and authentication — Supabase (supabase.com), EU (Frankfurt, Germany)
Crash and error reporting — Sentry (sentry.io), EU region
Push notification delivery — Expo Push (expo.dev), routing through Apple Push Notification service (iOS) and Firebase Cloud Messaging (Google, Android)
Over-the-air update delivery — Expo Updates (expo.dev)
Map tile rendering — CARTO (carto.com)
Reverse geocoding — Photon (photon.komoot.io, operated by Komoot)
Route snapping — OSRM (project-osrm.org)

Who can see your location

Your location is visible only to:

Members of the shared circle you created or joined, and only while you have location sharing enabled.
The operator, when investigating account-specific issues you've reported to us, and only with your explicit consent.

Your location stream is never sent to:

Other users who are not in your circle
Advertisers
Data brokers
Any third-party service other than the ones listed in "Service providers" above (and only for the limited purposes described there).

Location history retention

Location points are retained while your account is active. You can delete your entire account and all associated data at any time using Settings → Delete account in the app (see "Account deletion" below). A configurable auto-delete window for older location history is on our roadmap and will be announced in-app when available.

Push notifications

Push notifications are delivered via Expo Push (a thin layer over Apple Push Notification service and Firebase Cloud Messaging) for circle check-in alerts. Push tokens are cleared when you sign out or lose access to the app.

Your rights

You have the right to:

Access — all data we hold about you
Export — your data in a machine-readable format (JSON)
Correct — most of your data (display name, phone number, profile photo, custom places) can be edited directly in the app's settings. For anything else, email [email protected].
Delete — your account and all associated data
Withdraw consent — for location sharing at any time, by toggling sharing off in the app's settings

To exercise any right that isn't already self-service in the app, email [email protected]. We respond within 30 days.

If you are in the European Economic Area, United Kingdom, or Switzerland, you also have the right to lodge a complaint with your local data protection authority.

California residents (CCPA / CPRA)

If you are a California resident, you have the additional right to know what personal information we collect and how we use it (covered above), the right to delete it, the right to correct it, and the right to opt out of sale. We do not sell personal information to any third party. There is nothing to opt out of, but if this ever changes we will provide a clear opt-out mechanism.

Account deletion

You can delete your account and all associated data directly in the app via Settings → Delete account. Deletion is immediate and permanent. If you can no longer sign in, email [email protected] with the subject line "Delete my Lusis account" from the email address associated with your account, and we will complete the deletion within 7 days.

Upon deletion, we will remove:

Your profile (display name, photo, phone number)
All your location history
All your check-ins (sent and received)
Your saved places and geofences
Your push notification token
Your authentication record

Changes to this policy

We will post any changes to this page and update the "Last updated" date above. If the changes are material, we will notify active users in-app before the changes take effect.

Contact

Questions or requests: [email protected]

Operator: STODR LLC, Washington State, USA