Written policy
Data Retention & Deletion
We do not retain children’s personal information indefinitely. We keep it only while there is a documented purpose and business need, then delete or de-identify it using reasonable measures.
1. Retention principles
- Purpose limitation: retain information only for the purpose disclosed when it was collected.
- Data minimization: avoid collecting information that is not needed for a family feature.
- Parent control: honor verified parent requests to review, correct, stop collection, or delete a child’s information.
- Deletion by design: remove photo data from rejected work, use capacity limits for family content, and preserve only limited deletion markers when synchronization requires them.
- Service-provider follow-through: delete or cause deletion from active systems and allow protected backup copies to expire on their normal cycle.
2. Public retention schedule
| Category | Purpose and business need | Deletion timeframe or trigger |
|---|---|---|
| Grown-up account and family membership | Authenticate the grown-up and authorize family management. | While the family is active; delete within 30 days after a verified account/family deletion request, subject to exceptions below. |
| Child profile, PIN hash, schedules, settings, progress, and rewards | Provide the child’s family experience and synchronize it across connected devices. | While the profile is active; remove when the grown-up deletes the child or family, resets applicable progress, or submits a verified request. |
| Proof submissions and photos | Let a grown-up review completed work and optionally keep a limited family gallery. | Pending until reviewed or deleted. Rejected photo data is removed during review. Local storage keeps at most 48 recent approved gallery photos and 240 submissions; a grown-up may request earlier cloud deletion. |
| Messages and image attachments | Provide supervised family communication and synchronization. | Until sender deletion, child/family deletion, or verified request. Clients retain at most 300 recent messages; a limited tombstone may remain to synchronize deletion. |
| Announcements and reactions | Support family updates and encouragement. | Until deleted, family deletion, or verified request. Clients retain at most 50 announcements and 500 reactions. |
| Guardian daily activity summaries and blocked domains | Show time on approved apps and whether family browsing controls are working. | On-device until extension data is cleared or Guardian is uninstalled; cloud copies remain while the family is active or until verified deletion. |
| Pairing codes | Connect a child device to the correct family. | Designed to expire after 5 minutes and removed after successful use when possible; expired records may remain briefly for operational cleanup. |
| Local and session storage | Keep a device connected, preserve settings, and remember the current child session. | Session data ends when the browser session ends. Local data remains until unpaired, reset, removed through the product, browser storage is cleared, or the app removes it. |
| Support and privacy correspondence | Respond to requests, document completion, and resolve disputes. | Up to 24 months after the request closes, unless a longer period is legally required. |
| Security and abuse records | Protect users, investigate incidents, and meet legal obligations. | Normally up to 24 months; longer only when reasonably necessary for an active investigation, claim, or legal hold. |
Capacity limits describe current client behavior and may remove information sooner; they are not a promise that cloud deletion occurs solely because a local limit is reached.
3. Children’s personal information
Children’s personal information may not be retained for a secondary, undisclosed purpose or beyond the period reasonably necessary for the specific purpose described in this policy. The operative trigger is the earliest of: the information is no longer needed, the grown-up deletes it, the child/family profile is deleted, consent is withdrawn and no other lawful basis applies, or a verified deletion request is completed.
4. Deletion process
- The requester emails ava.moonaro@gmail.com or uses an available grown-up control.
- Luminara verifies identity and parental authority using proportionate information.
- Relevant active data is identified and deleted or de-identified. The target completion time is 30 days after verification.
- Protected backups expire within 90 additional days unless an exception applies.
- A minimal request log may be retained for up to 24 months to document completion.
Uninstalling Guardian, clearing a browser, or disconnecting one device does not by itself delete cloud information. A grown-up should also submit a deletion request when cloud deletion is desired.
5. Limited exceptions
Information may be retained beyond the ordinary period only when reasonably necessary to comply with law, preserve evidence during an active security investigation or legal dispute, prevent fraud or abuse, complete a transaction requested by the user, or protect a child or another person. Access is restricted and the information is deleted when the exception ends.
6. Policy review and responsibility
Luminara Privacy owns this policy. The schedule is reviewed at least annually and whenever a material feature or service provider changes. Product behavior, database configuration, backups, and support procedures should be tested against this schedule. Material changes affecting children’s information require updated notice and consent when applicable.