Skip to main content
Luqya

Privacy Policy

Last updated: April 13, 2026

1. Who We Are

Luqya (“we”, “us”, “our”) operates the website at luqya.app and the Luqya mobile application. This policy explains what data we collect, why, and how we handle it.

2. Data We Collect

Account information

When you sign up we collect your email address, name (optional), and a password. Your password is hashed before storage — we never store or have access to your plaintext password.

Scan photos

Photos you take through FastScan are uploaded to our servers for AI analysis. Scan photos are stored so you can review past scans in your history. You can request deletion of your scan data at any time.

Location data

With your permission, the mobile app collects GPS coordinates at the time of a scan. This data is used to provide location-relevant craft information and to build aggregate price and craft distribution maps. Location data is stored alongside your scan event and is never shared with third parties in individually identifiable form.

Payment information

Payments are processed by Stripe (web) and Apple App Store / Google Play via RevenueCat (mobile). We do not store your credit card number, bank account details, or other raw financial data. We store only a Stripe customer identifier and transaction references to track your scan credit balance.

Device and usage data

We collect anonymized usage analytics through PostHog, including pages visited, features used, and performance metrics. On mobile, we store an Expo push notification token if you opt in to notifications. We also log your IP address for rate limiting and abuse prevention.

Craft submissions

When you submit an unrecognized craft for review, we store the photos, optional notes, and AI scan context you provide. This data helps us expand our craft knowledge base.

User-reported prices

You may optionally report the price you paid for an item. This data is stored alongside your scan and is used in aggregate to improve our price range accuracy. It is never shared in individually identifiable form.

3. How We Use Your Data

  • To provide and operate the Service (scan analysis, history, encyclopedia)
  • To process payments and maintain your credit balance
  • To send transactional emails (verification, password reset, submission updates)
  • To improve AI model accuracy using aggregated, de-identified scan data
  • To detect abuse, enforce rate limits, and prevent fraud
  • To generate aggregate market insights (price trends, craft distribution) — never sold or shared as individual-level data

4. Data Storage and Security

Your data is stored on Supabase-managed PostgreSQL databases and Supabase Storage (for images), both hosted in secure cloud infrastructure. Sessions use httpOnly cookies (web) and encrypted tokens (mobile). Passwords are hashed with bcrypt. Admin access uses HMAC-derived tokens with constant-time comparison. We apply reasonable technical and organizational measures to protect your data, but no system is 100% secure.

5. Third-Party Services

We share data with the following third parties, only as needed to operate the Service:

  • OpenAI / Anthropic — scan photos are sent to AI providers for craft analysis. Photos are processed per their data usage policies and are not used to train their models when sent via API.
  • Stripe — processes web payments. See Stripe's Privacy Policy.
  • RevenueCat — manages mobile in-app purchases. See RevenueCat's Privacy Policy.
  • PostHog — anonymized product analytics. See PostHog's Privacy Policy.
  • Resend — sends transactional emails (verification, password reset, submission updates).
  • Supabase — database and file storage hosting.

6. Data Retention

  • Account data is kept for as long as your account is active.
  • Scan photos and results are retained so you can access your scan history. You may request deletion at any time.
  • IP addresses used for rate limiting are retained for up to 30 days.
  • Analytics datais anonymized and retained per PostHog's data retention settings.

7. Your Rights

You have the right to:

  • Access your personal data
  • Correct inaccurate data
  • Request deletion of your account and associated data
  • Export your scan history
  • Withdraw consent for optional data collection (location, push notifications)

To exercise any of these rights, email us at hello@luqya.app.

8. Children

Luqya is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, please contact us and we will delete it.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes by email. The “Last updated” date at the top reflects the most recent revision.

10. Contact

For privacy-related questions or requests, contact us at hello@luqya.app.

See also our Terms of Use.