Privacy Policy

Last updated: April 6, 2026

Luvset ("we", "us", or "our") operates the Luvset platform, including our website, mobile app, and all associated services (collectively, the "Service"). This policy explains what information we collect, how we use it, and your rights.

---

1. Who We Are

Luvset is a relationship growth platform. We help partners explore boundaries, agreements, goals, check-ins, and more in a safe, encrypted, ENM-first environment.

For all privacy enquiries, contact us at: privacy@luvset.com

---

2. Information We Collect

Account Information

When you create an account, we collect:

• Email address, used for authentication and communications
• Display name, chosen by you
• Password, stored as a secure hash. We never store it in plaintext

Profile Data

You may optionally provide:

• Pronouns and gender identity
• Sexual orientation
• Relationship structure (e.g. monogamous, ENM/CNM, solo poly)
• Bio and birthday
• Love languages
• Communication preferences
• ENM/CNM experience level

This information is used to personalise your experience. It is treated as sensitive information and encrypted with a key unique to your account (see Section 5).

Relationship Data

When you use the Service with partners, we store:

• Check-in responses and history
• Boundaries and boundary shares
• Agreements and agreement revisions
• Goals and goal progress
• Journal entries (visible only to you, never to partners)

Usage Data

We collect anonymised analytics data including:

• Pages and features visited
• Device type and operating system
• Session duration
• Feature interaction events

We use PostHog for analytics. We don't build individual behavioural profiles for advertising purposes.

Inferred Location

We derive your country and region from your IP address at the time of account creation and login. We don't collect or store your precise location.

---

3. How We Use Your Information

We use your information to:

• Provide the Service: store and retrieve your data, enable collaboration with your partners, and deliver features
• Personalise your experience: tailor prompts, suggestions, and defaults to your relationship structure and preferences
• Generate AI-powered insights: using Anthropic Claude on our servers. We only pass derived context (sentiment, themes, structure), never your raw check-in responses or personal details
• Send transactional emails: account verification, password reset, invitations, important service updates
• Send marketing communications: updates, new features, and tips (you can unsubscribe at any time)
• Monitor and improve the Service: error tracking, performance monitoring, and product analytics
• Enforce our Terms of Use: detect and prevent abuse, fraud, or policy violations

We don't use your information for automated decision-making that produces legal or similarly significant effects on you.

---

4. Legal Basis for Processing

Depending on your location, we rely on the following legal bases:

• Consent (EU/UK GDPR, Australian Privacy Act): for marketing communications and optional profile data you provide
• Contractual necessity: for account data and relationship data required to deliver the Service you signed up for
• Legitimate interests: for aggregate analytics, error tracking, security monitoring, and product improvement, where these interests don't override your rights

You can withdraw consent at any time. Withdrawing consent for essential processing means we can no longer provide the Service.

---

5. Sensitive Information

Luvset is built for people exploring diverse relationship structures and identities. We handle sensitive data with extra care.

• Application-level encryption: all user data is encrypted using AES-256-GCM before it reaches the database
• Per-relationship encryption keys: data shared within a relationship is encrypted with a key unique to that relationship. Data from one relationship can't be read by members of another
• Per-user encryption keys: your personal profile and journal data is encrypted with a key unique to your account
• App-level encryption keys: system metadata and category labels are encrypted with a shared application key
• Blind reveal: check-in responses are invisible to all members until every member has submitted. This is enforced at the database level, not just in the app
• Journal privacy: journal entries are never visible to partners. This is enforced at the database level
• AI safety: we never send your raw check-in responses or personal details to Anthropic. We only send derived context (sentiment, themes, structure)
• Account deletion: on deletion, all your data is encrypted with a key given only to you. After 7 days, the key is destroyed and the data becomes permanently unrecoverable. We retain the encrypted rows for audit purposes only

---

6. Email Communications

We use Resend to send transactional and marketing emails. Your email address is stored on Resend's infrastructure in accordance with their privacy policy.

All marketing emails include an unsubscribe link. You can also manage your email preferences in the app at any time. Unsubscribing from marketing doesn't affect transactional emails required to operate your account.

---

7. Data Sharing

We don't sell your personal information. We share data only with the following service providers, each bound by data processing agreements:

• Supabase: database, authentication, and real-time infrastructure
• Vercel: web hosting and edge functions
• Resend: transactional and marketing email delivery
• Qonversion: subscription management and billing
• PostHog: product analytics (anonymised events)
• Sentry: error tracking and performance monitoring
• Anthropic: AI-powered insights (server-side only, derived context only, never raw user content)

We will disclose data to law enforcement or regulators where required by law, or to protect the safety of our users or the public.

---

8. Data Retention

• Active account data is retained for as long as your account exists
• Deleted account data is encrypted on deletion and destroyed within 7 days
• Check-in history is retained per your in-app preferences
• Analytics data is retained in anonymised, aggregated form for up to 24 months

---

9. Your Rights

Depending on your location, you have the right to:

Australia (Privacy Act 1988)

• Access and correct your personal information
• Complain to the Office of the Australian Information Commissioner (OAIC)

EU/UK (GDPR / UK GDPR)

• Access, rectify, or erase your data
• Restrict or object to processing
• Data portability
• Lodge a complaint with your local supervisory authority

United States (CCPA/CPRA, California residents)

• Know what personal information is collected and how it is used
• Delete your personal information
• Opt out of sale (we don't sell data)
• Non-discrimination for exercising your rights

To exercise any of these rights, email us at privacy@luvset.com.

---

10. Cookies & Tracking

We use PostHog for product analytics. PostHog sets cookies and uses local storage to maintain session continuity and track feature usage.

We don't use advertising trackers, retargeting pixels, or third-party cookies for commercial profiling purposes.

---

11. International Data Transfers

Your data is processed in countries outside your own, including the United States, where our service providers operate. Where required by law (e.g. EU GDPR), we ensure appropriate safeguards are in place, including Standard Contractual Clauses.

---

12. Children

The Service is not directed at anyone under the age of 18. We don't knowingly collect data from minors. If you believe we have inadvertently collected data from a minor, please contact us at privacy@luvset.com.

---

13. Changes to This Policy

We'll update this policy when needed. We'll update the "Last updated" date at the top of this page. For material changes, we'll notify you by email or via an in-app notice.

---

14. Contact

For any privacy-related questions or requests:

Email: privacy@luvset.com