LostAura

Privacy Policy

Last updated: March 27, 2026

Your privacy matters to us. This Privacy Policy explains how LostAura ("Company," "we," "us," or "our") collects, uses, stores, shares, and protects your personal information when you use our mobile application ("App") and related services.

By using LostAura, you consent to the data practices described in this Privacy Policy. If you do not agree to this Privacy Policy, please do not use the App.

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

  • Apple ID identifier (for Sign in with Apple) — a unique, anonymized identifier
  • Email address (if shared through Sign in with Apple or provided directly)
  • Account creation date and time
  • Device information (device type, operating system version, app version)

1.2 Commitment and Challenge Data

When you create commitments and complete challenges, we collect:

  • Goal descriptions — the text you enter describing your commitment
  • Challenge types and settings (body, mind, social; difficulty; frequency)
  • Deadline dates and times
  • Frequency settings (one-time, daily, weekly, etc.)
  • Commitment status (active, completed, failed, cancelled)
  • Challenge completion history (streaks, points, levels)
  • Exercise performance data (rep counts from AI pose detection)

1.3 Screen Time Data

When you use app-locking features, we process:

  • App selection tokens — opaque tokens from Apple's FamilyControls framework that represent your selected apps. These tokens are meaningless outside of Apple's system. We cannot see which apps you selected; only Apple knows.
  • Screen Time authorization status — whether you have granted Screen Time permissions
  • Lock/unlock events — timestamps of when apps were shielded and unshielded

Important: We have zero visibility into which specific apps you lock. App tokens are opaque by design — this is an Apple privacy protection that we fully support.

1.4 Photos and Images

LostAura collects and processes two types of images:

  • Proof Photos: Photos you submit to verify challenge completion (e.g., gym visit, book reading, coffee date)
  • Signature Images: Your digital signature captured during commitment confirmation

Proof photos are used solely for AI verification and are not viewed by LostAura staff unless required by law or for abuse investigation.

1.5 Camera Data (Pose Detection)

For exercise challenges (pushups, squats, sit-ups):

  • Your device camera is used for real-time AI pose detection to count reps
  • Video is processed entirely on-device — no video or camera feed is uploaded to our servers
  • Only the final rep count and completion status are transmitted

1.6 Usage Data

We automatically collect:

  • App usage patterns and feature interactions
  • Error logs and crash reports
  • Push notification delivery status
  • Subscription status and history

1.7 Payment Information

We do not directly collect or store payment card information. All payments are processed through the Apple App Store. We receive only:

  • Subscription status (active, expired, cancelled)
  • Transaction identifiers
  • Subscription start and expiration dates

2. How We Use Your Information

2.1 Core App Functionality

  • Account management: Creating and maintaining your account
  • Commitment tracking: Storing and managing your goals, challenges, and progress
  • App locking: Managing Screen Time API shields based on your commitment status
  • AI verification: Analyzing proof photos to verify challenge completion
  • Pose detection: Processing camera input on-device to count exercise reps
  • Gamification: Tracking streaks, points, levels, and achievements
  • Notifications: Sending reminders about challenges, deadlines, and verification results

2.2 Service Improvement

  • Analyzing usage patterns to improve app features
  • Debugging errors and improving app stability
  • Developing new challenge types based on user behavior

2.3 Communication

  • Sending service-related emails (account verification, security alerts)
  • Responding to support inquiries
  • Notifying you of significant changes to Terms or Privacy Policy

2.4 Legal Compliance

  • Complying with legal obligations
  • Responding to lawful requests from law enforcement
  • Protecting our rights and preventing fraud

3. Photo Handling: Processing and Deletion

3.1 Proof Photos

  • Proof photos are transmitted securely (TLS 1.3) to our servers for AI verification
  • Photos are stored temporarily and deleted within 30 days of verification
  • Photos are not used for marketing, training, or any purpose beyond verification

3.2 AI Processing of Proof Photos

When you submit proof of challenge completion:

  • Your proof photo is transmitted to OpenAI's GPT-4.1 Mini Vision API for analysis
  • OpenAI processes the image to compare it against your challenge description
  • OpenAI's processing is governed by their API Data Usage Policy
  • According to OpenAI's policy, API data is not used to train their models

3.3 On-Device Camera Processing

For exercise challenges using pose detection:

  • All camera processing happens locally on your device using on-device ML models
  • No video, images, or camera frames are uploaded to any server
  • Only the result (rep count, completion status) leaves your device

3.4 Photo Deletion Schedule

Event | Deletion Timing
Proof photos | 30 days after verification
Signature images | 1 year after commitment resolution
Account deleted | Within 24 hours — all data purged
Commitment cancelled | Immediate — associated data deleted, locks removed

4. Third-Party Services

We use the following third-party services to operate LostAura:

4.1 Supabase

  • Purpose: Database, user authentication, and file storage
  • Data shared: Account information, commitment data, proof photos
  • Privacy Policy: supabase.com/privacy

4.2 RevenueCat

  • Purpose: Subscription management and payment processing
  • Data shared: User identifier, subscription status, transaction data
  • Privacy Policy: revenuecat.com/privacy

4.3 OpenAI

  • Purpose: AI-powered proof verification using GPT-4.1 Mini Vision
  • Data shared: Proof photos, challenge descriptions
  • Privacy Policy: openai.com/privacy
  • API Data Policy: openai.com/policies/api-data-usage-policies
  • Note: OpenAI's API data is not used to train their models. Data may be retained for up to 30 days for abuse monitoring.

4.4 Apple (Sign in with Apple & Screen Time API)

  • Purpose: User authentication and app-locking functionality
  • Data shared: Authentication tokens; Screen Time data stays within Apple's system
  • Privacy Policy: apple.com/legal/privacy
  • Note: App selection tokens are opaque — we cannot determine which apps a user has selected. All Screen Time enforcement is handled by Apple's frameworks on-device.

5. Data Retention

Data Type | Retention Period
Account data | Until account deletion + 30 days
Proof photos | 30 days after verification
Signature images | 1 year after commitment resolution
Commitment history | 1 year after resolution
Challenge performance data | Duration of account + 30 days
Payment records | 7 years (legal requirement)

6. Data Security

6.1 Security Measures

We implement industry-standard security measures including:

  • TLS 1.3 encryption for all data in transit
  • Encryption at rest for stored data
  • Secure authentication via Sign in with Apple
  • On-device processing for camera-based pose detection (no video leaves your device)
  • Access controls and audit logging
  • Secure cloud infrastructure (Supabase/AWS)

6.2 Data Breach Notification

In the event of a data breach that affects your personal information:

  • We will notify affected users within 72 hours of discovering the breach
  • Notification will be sent via email and/or in-app notification
  • We will describe the nature of the breach, types of data affected, and steps we're taking
  • We will notify relevant regulatory authorities as required by law

6.3 Your Responsibility

You are responsible for:

  • Maintaining the security of your Apple ID credentials
  • Keeping your device secure
  • Notifying us immediately if you suspect unauthorized account access

7. Your Rights

7.1 Access and Portability

You have the right to:

  • Request a copy of the personal data we hold about you
  • Receive your data in a portable, machine-readable format
  • Access this information within 30 days of your request

7.2 Correction

You have the right to request correction of inaccurate personal data. Goal descriptions and commitment details can be modified directly in the App before a commitment is finalized.

7.3 Deletion

You have the right to request deletion of your account and associated data. You can:

  • Delete your account through Settings, then Account, then Delete Account
  • Request deletion by emailing privacy@lostaura.app

Upon deletion request:

  • Active commitments will be cancelled and all app locks removed
  • All photos will be permanently deleted
  • Account data will be purged within 24 hours
  • Some data may be retained as required by law (payment records)

7.4 Withdrawal of Consent

You may withdraw consent for specific processing activities:

  • Cancel active commitments via Emergency Cancellation (removes app locks)
  • Revoke Screen Time permissions through iOS Settings
  • Disable push notifications through device settings
  • Delete your account to stop all processing

7.5 Opt-Out

You may opt out of:

  • Marketing emails (click unsubscribe or contact us)
  • Push notifications (through device settings)
  • Analytics (contact us to opt out)

8. Children's Privacy

LostAura is not intended for users under 18 years of age. We do not knowingly collect personal information from children under 18.

If you believe a child under 18 has provided us with personal information, please contact us immediately at privacy@lostaura.app. We will promptly delete such information.

If we discover we have collected information from a child under 18, we will delete the account and all associated data immediately.

9. International Data Transfers

LostAura is operated from the United States. If you are located outside the United States:

  • Your data will be transferred to and processed in the United States
  • By using the App, you consent to this transfer
  • We implement appropriate safeguards for international transfers
  • US data protection laws may differ from those in your country

10. GDPR Compliance (European Users)

If you are located in the European Economic Area (EEA), you have additional rights under the General Data Protection Regulation (GDPR):

10.1 Legal Basis for Processing

  • Consent: For Screen Time management and challenge features (Article 6(1)(a))
  • Contract: For providing the App services (Article 6(1)(b))
  • Legitimate interests: For security, fraud prevention, and service improvement (Article 6(1)(f))

10.2 Your GDPR Rights

  • Right of access (Article 15)
  • Right to rectification (Article 16)
  • Right to erasure / "right to be forgotten" (Article 17)
  • Right to restriction of processing (Article 18)
  • Right to data portability (Article 20)
  • Right to object to processing (Article 21)
  • Right to withdraw consent at any time

10.3 Data Protection Authority

You have the right to lodge a complaint with your local data protection authority if you believe we have violated your privacy rights.

10.4 Data Protection Officer

For GDPR-related inquiries, contact our Data Protection Officer at: dpo@lostaura.app

11. CCPA Compliance (California Users)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

11.1 Right to Know

You have the right to request information about:

  • Categories of personal information we collect
  • Purposes for collecting personal information
  • Categories of third parties with whom we share information
  • Specific pieces of personal information we have collected about you

11.2 Right to Delete

You have the right to request deletion of your personal information, subject to certain exceptions (such as legal requirements).

11.3 Right to Non-Discrimination

We will not discriminate against you for exercising your CCPA rights.

11.4 Sale of Personal Information

We do not sell your personal information. We have not sold personal information in the preceding 12 months and have no plans to do so.

11.5 Authorized Agent

You may designate an authorized agent to make requests on your behalf. The agent must provide proof of authorization.

11.6 How to Submit Requests

To exercise your CCPA rights, contact us at privacy@lostaura.app with the subject line "CCPA Request."

12. Do Not Track

Some browsers include a "Do Not Track" (DNT) feature. We currently do not respond to DNT signals because there is no industry-wide standard for handling them. We will update this policy if a standard is established.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make changes:

  • We will update the "Last updated" date at the top of this page
  • For material changes, we will notify you via email or in-app notification
  • We may provide a summary of key changes
  • Continued use of the App after changes constitutes acceptance

We encourage you to review this Privacy Policy periodically.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

General Privacy Inquiries:
privacy@lostaura.app

Data Protection Officer (GDPR):
dpo@lostaura.app

Mailing Address:
LostAura (a product of Vocaloco LLC)
5830 E 2nd St, Ste 7000 #25447
Casper, Wyoming 82609
United States

We aim to respond to all privacy-related inquiries within 30 days.


© 2026 LostAura. All rights reserved.