Help About Contact My recordings Get started

This is a working draft. Before publication, this policy must be reviewed and ratified by legal counsel qualified in your jurisdictions of operation. It does not constitute legal advice.

Effective date: [INSERT DATE ON RATIFICATION]

Lullavo (“Lullavo,” “we,” “us”) operates lullavo.com and app.lullavo.com. We take privacy seriously. This policy explains what data we collect, why, how long we keep it, and the rights you have.

What we collect

  • Account information: email address you use to sign in, your chosen display name.
  • Recording metadata: book title, listener name, occasion (all optional), timestamps.
  • Audio recordings: the voice recordings you save on a Lullavo sticker.
  • Order information (DTC customers): shipping address, order history, payment authorization IDs (we do not store full payment-card data; that is processed by our payment provider).
  • Technical information: IP address, user agent, session timestamps, rate-limit counters.
  • Transfer-request submissions: if you submit a transfer request on behalf of a deceased loved one, we collect your name, email, relationship, optional message, and the supporting document you upload.

How we use it

  • To deliver the Lullavo service.
  • To authenticate sign-ins (magic-link email delivery).
  • To send transactional emails.
  • To detect and prevent abuse.
  • To operate our business (accounting, tax, legal compliance).

We do not sell personal data. We do not serve advertising. We do not build profiles for third-party marketing purposes.

Legal bases (GDPR / UK GDPR)

  • Contract: to provide the services you asked for.
  • Legitimate interests: to prevent abuse, maintain security.
  • Consent: where required.
  • Legal obligation: to comply with tax, accounting, and law-enforcement requests.

Who we share with

  • Supabase: database, authentication, and audio storage.
  • Vercel: application hosting.
  • Resend: transactional email.
  • Klaviyo: event analytics.
  • Cloudflare: Turnstile CAPTCHA.
  • WooCommerce / payment processor: order processing.
  • Law enforcement: only where legally required.

International transfers

Some processors are located in the United States. Where personal data of EU / UK residents is transferred internationally, we rely on Standard Contractual Clauses or equivalent safeguards.

Retention

  • Recordings: retained indefinitely while your account is active.
  • Transferred accounts: preserved for 1 year after transfer.
  • Transfer-request supporting documents: deleted within 30 days of review.
  • Technical logs: 30–90 days.
  • Backups: rolling, typically 30 days.
  • After account deletion: all personal data removed within 14 days.
  • If Lullavo ceases operation: see our wind-down policy.

Your rights

Depending on your jurisdiction, you may have the right to access, correct, delete, port, or restrict processing of your data; to withdraw consent; and to object to certain processing. Email privacy@lullavo.com. You have the right to complain to your local data protection authority.

Children

Lullavo is not directed to children under 13. Adult account holders may record for their own children; those recordings are owned and controlled by the adult account holder. We do not knowingly collect personal information directly from children under 13.

Cookies

We use strictly necessary cookies to keep you signed in and to prevent abuse. We do not use third-party advertising cookies.

Security

Audio files are stored in a private bucket with encryption at rest. Access uses short-lived signed URLs. Authentication is passwordless.

Changes

We will post material changes here and notify active users by email at least 30 days before changes take effect.

Contact

Privacy questions: privacy@lullavo.com. General support: hello@lullavo.com.

Data controller: [COMPANY LEGAL NAME], [REGISTERED ADDRESS].