Privacy Policy

Last Updated: January 2, 2025

LunoFlow ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our accounting software service.

1. Information We Collect

Account Information

When you create an account, we collect:

  • Name and email address
  • Password (stored in encrypted form using bcrypt)
  • Account preferences and settings
  • Account type (business owner or accountant)

Business Information

To provide our accounting services, we collect:

  • Business name, address, and contact information
  • Tax identification numbers (EIN, SSN for sole proprietors)
  • Business logo and branding preferences
  • Invoice and estimate data
  • Expense and income records
  • Client and vendor contact information
  • Bank transaction data (we store only the last 4 digits of account numbers)

Usage Information

We automatically collect:

  • IP address and approximate location
  • Browser type and device information
  • Pages visited and features used
  • Date and time of visits

2. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve our accounting services
  • Process transactions and send related notifications
  • Generate financial reports, including Schedule C reports
  • Send service-related communications and updates
  • Respond to your inquiries and support requests
  • Analyze usage patterns to improve our service
  • Detect and prevent fraud or abuse
  • Comply with legal obligations

3. Information Sharing

We share your information only in the following circumstances:

Service Providers

  • Stripe: Payment processing. Stripe receives your name, email, and payment information to process subscriptions.
  • Hetzner (Germany): Cloud infrastructure hosting in EU-compliant data centers.
  • Brevo: Transactional email delivery.

Accountant Access

If you are a business owner: When you grant access to an accountant through our platform, they will be able to view and manage your business financial data. You control this access and can revoke it at any time from your Settings.

If you are an accountant: When clients grant you access, you become a data processor for their financial information. You agree to handle client data in accordance with applicable privacy laws and this Privacy Policy.

Legal Requirements

We may disclose your information if required by law, court order, or government request, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

We do not sell, rent, or trade your personal information to third parties for marketing purposes.

4. Data Security

We implement security measures to protect your information:

  • Encryption in Transit: All data transmitted via HTTPS/TLS
  • Password Security: Passwords hashed using bcrypt
  • Access Controls: Role-based access and multi-tenant data isolation
  • Infrastructure: Hosted on Hetzner with automated backups

For more details about our security practices, visit our Security page.

5. Data Retention

We retain your information according to the following schedule:

Data Type Retention Period
Account data Duration of account + 30 days
Financial records (invoices, expenses) Duration of account + 7 years (IRS requirement)
Usage logs 90 days
Support communications 3 years
Deleted account data Permanently deleted within 30 days

6. Cookies and Tracking

We use cookies and similar technologies for:

  • Essential: Authentication, security, and session management
  • Analytics: Understanding how you use our service (via Ahoy)
  • Preferences: Remembering your settings

You can control cookies through your browser settings. Disabling essential cookies may affect service functionality.

7. Your Rights

Regardless of your location, you have the right to:

  • Access: Request a copy of the personal information we hold about you
  • Correction: Update or correct inaccurate information
  • Deletion: Request deletion of your account and associated data
  • Export: Export your financial data in CSV or PDF format
  • Revoke Access: Remove accountant access to your data at any time

To exercise these rights, contact us at privacy@lunoflow.app.

8. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  • Right to Know: Request details about the personal information we collect and how we use it
  • Right to Delete: Request deletion of your personal information
  • Right to Opt-Out: Opt-out of the sale of personal information (we do not sell personal information)
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights

To submit a CCPA request, email privacy@lunoflow.app with "CCPA Request" in the subject line.

9. European Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):

  • Legal Basis: We process your data based on contract performance (providing the service), legitimate interests (improving the service), and consent (marketing communications)
  • Right to Portability: Receive your data in a structured, machine-readable format
  • Right to Restrict Processing: Request that we limit how we use your data
  • Right to Object: Object to processing based on legitimate interests
  • Right to Withdraw Consent: Withdraw consent for any processing based on consent
  • Right to Lodge a Complaint: File a complaint with your local data protection authority

International Data Transfers: Your data is primarily stored on Hetzner servers in Germany (EU). Some data may be processed in the United States through our service providers (Stripe for payments, Brevo for email delivery).

10. Accountant-Specific Provisions

If you use LunoFlow as an accountant managing client accounts:

  • Data Controller vs Processor: Your clients remain the data controllers of their financial data. You act as a data processor when accessing their accounts through LunoFlow.
  • Client Consent: You must ensure your clients understand and consent to your access to their data.
  • Professional Obligations: You must handle client data in accordance with your professional licensing requirements and applicable privacy laws.
  • Access Logs: All access to client accounts is logged for audit purposes.
  • Revocation: Clients can revoke your access at any time, immediately terminating your ability to view their data.

11. Children's Privacy

LunoFlow is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children under 18. If you believe we have collected information from a minor, please contact us immediately.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Posting the new policy on this page
  • Updating the "Last Updated" date
  • Sending an email notification for significant changes

Your continued use of the service after changes constitutes acceptance of the updated policy.

13. Contact Us

If you have questions about this Privacy Policy or our data practices:

Privacy Inquiries: privacy@lunoflow.app
General Support: support@lunoflow.app
Contact Form: lunoflow.app/contact