Luminara Trust & Legal

Safety & Security

Protection should feel quiet, not mysterious.

Updated: July 2, 2026

A shared responsibility

Luminara provides family access controls and uses managed cloud infrastructure. Grown-ups still need to secure their Google account and devices, choose appropriate sites, and supervise children.

1. Access architecture

  • Grown-up controls use Google authentication.
  • Children use family-created profiles and hashed PINs on devices intentionally connected by a grown-up.
  • Pairing codes are randomly generated, short-lived bearer secrets and are removed after redemption when possible.
  • Family data is organized by family identifier and application access is designed around family membership.
  • Guardian holds no Firebase password or grown-up Google credential.

Child PINs are a lightweight profile separator. They should not be treated as a strong authentication factor.

2. Data safeguards

  • HTTPS protects data in transit.
  • Google states that Firebase Authentication and Realtime Database encrypt data at rest.
  • Proof photos are resized and compressed in the browser, and database rules limit image payload size.
  • Messages and images have application and database size limits.
  • Family content is not used for third-party advertising.
  • Deletion controls and capacity limits reduce some retained family content.

No security program eliminates all risk. Do not store passwords, financial information, health records, government identifiers, precise location, or emergency information in Luminara messages or photos.

3. What families should do

  1. Protect the grown-up Google account with a unique password and multi-factor authentication.
  2. Use unique child PINs and do not reuse sensitive device passcodes.
  3. Connect only trusted devices and disconnect devices that are lost, sold, shared, or no longer needed.
  4. Review approved sites and Guardian status regularly.
  5. Keep the browser, operating system, and Guardian extension updated.
  6. Report unexpected family data, sign-ins, or device behavior promptly.

4. Responsible vulnerability reporting

Send suspected security vulnerabilities to ava.moonaro@gmail.com. Include the affected URL or feature, clear reproduction steps, impact, and a safe proof of concept. Do not access another family’s data, disrupt service, use automated high-volume testing, disclose a vulnerability publicly before remediation, or include real child data in a report.

We will acknowledge a credible report when practical, investigate in good faith, and work toward a proportionate fix. This is not a bug-bounty offer or authorization to violate law or third-party terms.

5. Incident response

When we confirm a security incident, we aim to contain it, preserve necessary evidence, assess affected data and users, remediate the cause, and provide legally required notifications. Notification timing and content depend on the nature of the incident, affected jurisdiction, risk of harm, and law-enforcement restrictions.

© 2026 Luminara