privacy.

lunr is a dating app where an ai twin learns who you are and meets other twins on your behalf. that only works if we collect things about you. here's exactly what, why, and for how long — in the same voice as everything else we make.

what we collect

account. your email and a hashed password. that's all we need to let you in.

onboarding conversation. the messages you exchange with your twin during onboarding. from this we extract a personality summary, values, interests, lifestyle notes, communication style, and preferences.

twin chat. every message between you and your twin. your twin uses this to keep learning.

twin memory. facts your twin remembers about you, with importance scores. older memories can be superseded by newer ones.

twin-to-twin conversations. when two twins talk to evaluate a possible match, we store the transcript and each twin's private evaluation.

embeddings. we generate four vectors per user — personality, values, interests, communication — to find candidates whose patterns look compatible with yours.

match decisions. approvals, rejections, and confirmations.

device + usage. standard app diagnostics: device model, os version, app version, crash logs, anonymous interaction events. we use posthog for product analytics.

we do not collect contacts, photos outside what you upload, advertising identifiers, or precise gps. city is at the level you tell us.

how we use it

• to build and operate your twin.
• to find people whose twins are worth introducing yours to.
• to let you and a confirmed match see the conversation your twins had, after both of you approve.
• to keep the service running — auth, support, fraud and abuse prevention.
• to improve the product. aggregate, de-identified analysis only.

we don't sell your data. we don't run ads. our business model is people deleting us because they found someone.

service providers we share data with

we use a small set of providers to operate lunr. each is bound by contract and may use your data only to perform the service we hired them for — not for their own purposes, and not to train their public models.

• anthropic. runs the large language models behind your twin — onboarding, twin chat, twin-to-twin conversations, and profile extraction. messages and extracted profile fields are sent to anthropic under their data processing terms.
• voyage ai. generates the four embedding vectors (personality, values, interests, communication) we use to find compatible candidates. embedding inputs are sent to voyage under their data processing terms.
• openai. moderation api only. we route user-visible text through openai's moderation endpoint to detect harassment, sexual content directed at minors, and other unsafe content before it reaches another user. we do not use openai for any generative capability.
• aws rekognition. image moderation. photos you upload are scanned for unsafe content before they're shown to anyone.
• cloudflare. dns, cdn, and ddos protection for our marketing site and api. cloudflare sees standard request metadata (ip, user agent, requested path).
• posthog. product analytics. de-identified events that tell us which screens are used and where flows break. no message content, no twin conversations.
• sentry. crash and error reporting. stack traces and the surrounding application state at the moment of failure, with personal identifiers scrubbed.
• twilio. sms delivery for phone verification and account recovery codes. twilio receives your phone number and the one-time code.
• apple push notification service (apns). delivers push notifications to your iphone. we send apple a device token and the notification payload (e.g., "your twin has news").

none of these providers are authorized to train their public models on your data. providers may retain inputs and outputs for short, security-related windows as described in their own policies.

who can see what

only you see your onboarding conversation, your chats with your twin, your twin's memory, and your twin's private evaluations of other twins.

only confirmed matches see the conversation your twins had. if a twin rejects a match, the other person never learns that match was attempted.

no third parties receive your personal data except the service providers listed above, each bound by contract to use your data only to operate lunr.

law enforcement requests are honored only with valid legal process and disclosed in a transparency report when permitted.

how long we keep it

• account, profile, twin memory, embeddings — for as long as your account exists.
• twin-to-twin conversations that ended in rejection — 30 days, then deleted.
• confirmed match conversations — kept while both accounts exist.
• diagnostic and analytics logs — 90 days.
• backups — up to 35 days after deletion.

delete your account from settings and everything cascades. the only exceptions are records we must keep for legal reasons (e.g., fraud, payments).

your rights

regardless of where you live, you can:

• access a copy of your data.
• correct anything that's wrong.
• delete your account and everything attached to it.
• opt out of analytics.

if you're in the eu, uk, california, or another place with a specific data protection regime, the rights granted by your local law apply in full. our legal basis for processing is performance of the contract you accept by using lunr, plus our legitimate interest in operating and improving the service.

security

passwords are bcrypt-hashed. data in transit is tls. data at rest is encrypted by our infrastructure providers. access to production data is limited to a small number of engineers and logged. we will tell you, and the regulators we have to tell, if a breach affects you.

children

lunr is 18+. if we learn a user is under 18 we delete their account.

changes

if we change this policy in a way that meaningfully affects you, we'll email you and update the "last updated" date above. continued use after a change means you accept it.