Lightli LTD Privacy Policy

Last updated: June 8, 2026

Data Controller

Lightli LTD is the data controller for personal data processed through Lightli services, unless this Privacy Policy says otherwise. You can contact us about privacy matters at hello@lightli.uk.

App-Specific Data Collection

Each Lightli app collects specific data necessary for its operation and to provide you with the service:

Quitly - Sobriety Tracker

• Quit timers (start dates, substance/habit names)
• Timer history and milestones
• Custom timer settings and preferences
• All data is operational and necessary for the app to function

Routino - Habit & Routine Manager

• Habit names, descriptions, and icons
• Routine structures and schedules
• Habit completion tracking and statistics
• Custom habit configurations (colors, time settings)
• All data is operational and necessary for the app to function

Journalmi - Modular Journal

• Journal entries (text content, timestamps)
• Uploaded images stored in Firebase Storage
• Custom module configurations
• Entry metadata (dates, tags, moods)
• Health data: May contain sensitive health information if you choose to journal about health topics
• All data is operational and necessary for the app to function

Cycle - Period & Pregnancy Tracker

• Menstrual cycle dates (period start/end)
• Pregnancy tracking dates and trimester information
• Symptom logs and health observations
• Fertility tracking data
• Health data: Contains sensitive health information processed for cycle prediction and tracking
• All data is operational and necessary for the app to function

Listly - Notes & Lists

• Note content and titles
• List items and task data
• Organization and categorization preferences
• All data is operational and necessary for the app to function

Gymly - Workout Tracker

• Exercise names, descriptions, and custom exercises
• Workout plans and templates
• Exercise completion tracking and statistics
• Body weight logs and measurements
• Custom workout configurations (sets, reps, rest times)
• All data is operational and necessary for the app to function

Special Category Data (Health Information)

Under UK GDPR Article 9, certain apps process "special category" personal data relating to health:

Cycle App - Menstrual Health Data

Cycle collects and processes health data including menstrual cycle information, pregnancy dates, and related symptoms. We process this data:

• Legal basis: To provide the service you request, and your explicit consent for special category health data where required by UK GDPR Article 9(2)(a)
• Purpose: To provide cycle tracking, predictions, and health insights
• Storage: Stored using Google Cloud/Firebase, primarily in the United States
• Retention: Until you delete your account or request deletion, subject to limited legal, security, and backup needs
• Your rights: You can withdraw consent and delete your data at any time, although withdrawing consent may limit or disable health-tracking features

Journalmi App - Potential Health Data

Journalmi may contain health information if you choose to journal about health-related topics. We process this data:

• Legal basis: To provide the service you request, and your explicit consent for special category health data where required by UK GDPR Article 9(2)(a)
• Purpose: To provide journaling functionality and store your personal reflections
• Storage: Stored using Google Cloud/Firebase, primarily in the United States; images stored in Firebase Storage
• Retention: Until you delete your account or request deletion, subject to limited legal, security, and backup needs
• Your rights: You can withdraw consent and delete your data at any time, although withdrawal may limit or disable features that store health-related entries

Medical Disclaimer: Our apps are not medical devices and should not be used for medical diagnosis or treatment. Always consult qualified healthcare professionals for medical advice.

Interpretation and Definitions

Interpretation

The words of which the initial letter is capitalized have meanings defined under the following conditions. The following definitions shall have the same meaning regardless of whether they appear in singular or in plural.

Definitions

For the purposes of this Privacy Policy:

• Account means a unique account created for You to access our Service or parts of our Service.

• Affiliate means an entity that controls, is controlled by or is under common control with a party, where "control" means ownership of 50% or more of the shares, equity interest or other securities entitled to vote for election of directors or other managing authority.

• Application refers to Lightli applications, including Quitly, Routino, Journalmi, Cycle, Listly and Gymly.

• Company (referred to as either "the Company", "We", "Us" or "Our" in this Agreement) refers to Lightli LTD.

• Country refers to the United Kingdom.

• Device means any device that can access the Service such as a computer, a cellphone or a digital tablet.

• Personal Data is any information that relates to an identified or identifiable individual.

• Service refers to the Applications, websites, subscriptions, support, and related services provided by Lightli.

• Service Provider means any natural or legal person who processes the data on behalf of the Company. It refers to third-party companies or individuals employed by the Company to facilitate the Service, to provide the Service on behalf of the Company, to perform services related to the Service or to assist the Company in analyzing how the Service is used.

• Third-party Social Media Service refers to any website or any social network website through which a User can log in or create an account to use the Service.

• Usage Data refers to data collected automatically, either generated by the use of the Service or from the Service infrastructure itself (for example, the duration of a page visit).

• You means the individual accessing or using the Service, or the company, or other legal entity on behalf of which such individual is accessing or using the Service, as applicable.

Collecting and Using Your Personal Data

Types of Data Collected

Personal Data

While using Our Service, We may ask You to provide Us with certain personally identifiable information that can be used to contact or identify You. Personally identifiable information may include, but is not limited to:

• Email address

• Name, display name, or account identifier from Google Sign-In or Apple Sign-In, where provided

• Usage Data

• App-specific content and settings you choose to create, save, upload, or sync

Usage Data

Usage Data is collected automatically when using the Service.

Usage Data may include information such as Your Device's Internet Protocol address (e.g. IP address), browser type, browser version, the pages of our Service that You visit, the time and date of Your visit, the time spent on those pages, unique device identifiers and other diagnostic data.

When You access the Service by or through a mobile device, We may collect certain information automatically, including, but not limited to, the type of mobile device You use, Your mobile device unique ID, the IP address of Your mobile device, Your mobile operating system, the type of mobile Internet browser You use, unique device identifiers and other diagnostic data.

We may also collect information that Your browser sends whenever You visit our Service or when You access the Service by or through a mobile device.

Information from Third-Party Social Media Services

The Company allows You to create an account and log in to use the Service through the following Third-party Social Media Services:

• Google
• Apple

If you create an account or sign in through Google or Apple, we receive the account information needed for authentication, such as your email address, account identifier, and name or display name if provided by that service. We do not request your social media activity or contact list for account sign-in.

Google and Apple may process your data under their own terms and privacy notices when you use their sign-in services.

Use of Your Personal Data

The Company may use Personal Data for the following purposes:

• To provide and maintain our Service: including account authentication, syncing, storing your app content, backing up data, and making app features work.

• To manage your account: including registration, login, account deletion, subscriptions, and access to premium features.

• To process purchases and subscriptions: including verifying entitlement status through the App Store or Google Play.

• To contact you about the Service: including security notices, service updates, support replies, and important account or subscription information.

• To improve and secure our Service: including crash reporting, diagnostics, analytics, fraud prevention, abuse prevention, troubleshooting, and product improvement.

• To manage your requests: including responding to support, privacy, deletion, export, or correction requests.

• For optional marketing: only where we have a lawful basis to do so, such as your consent where required. You can opt out of marketing communications at any time.

• For legal and business purposes: including complying with law, enforcing our terms, protecting rights and safety, and evaluating or completing a business transfer.

We may share Your personal information in the following situations:

• With Service Providers: We may share personal information with providers that help us operate the Service, including hosting, authentication, analytics, crash reporting, support, app distribution, subscriptions, and security.
• For business transfers: We may share or transfer Your personal information in connection with, or during negotiations of, any merger, sale of Company assets, financing, or acquisition of all or a portion of Our business to another company.
• With Affiliates: We may share information with affiliates that support Lightli services, and we require them to handle it consistently with this Privacy Policy.
• For legal, safety, and security reasons: We may disclose information where necessary to comply with law, respond to lawful requests, protect rights and safety, prevent fraud or abuse, or enforce our terms.
• With your consent: We may disclose personal information for other purposes where you have given consent.

Retention of Your Personal Data

We retain personal data only for as long as reasonably necessary for the purposes described in this Privacy Policy, including to provide the Service, comply with legal obligations, resolve disputes, maintain security, and enforce our terms.

Account data and app content are kept until you delete your account or request deletion, unless a longer retention period is required or permitted by law. Usage, diagnostic, and analytics data is generally retained for a shorter period and may be aggregated or anonymized for product improvement and security.

Transfer of Your Personal Data

Your information, including Personal Data, may be processed in the United Kingdom, the United States, and other locations where Lightli or our service providers operate. Data protection laws in those locations may differ from the laws where you live.

Where UK GDPR requires safeguards for international transfers, we rely on appropriate mechanisms such as adequacy decisions, the UK International Data Transfer Agreement, the UK Addendum to Standard Contractual Clauses, Standard Contractual Clauses, and technical and organisational safeguards.

We take reasonable steps to ensure that your data is treated securely and consistently with this Privacy Policy.

Delete Your Personal Data

You have the right to delete or request that We assist in deleting the Personal Data that We have collected about You.

Our Service may give You the ability to delete certain information about You from within the Service.

You may update, amend, or delete your information by signing in to your account, if you have one, and visiting the account settings section that allows you to manage personal information. For data export, signed-in users can request a JSON copy from in-app Settings. You may also contact us to request access to, correction, export, or deletion of personal information that you have provided to us.

Our self-service export is designed to provide your account profile, app-created content, app settings, and user-readable file metadata where applicable. It is not necessarily a complete response to every formal access request, which you can make by contacting us. To protect account security, other users, and our service infrastructure, self-service exports do not include authentication secrets, payment provider secrets, internal support notes, raw diagnostics, analytics or product telemetry, security logs, raw database paths, backend storage bucket names, or backend storage object paths. We may also withhold or limit information where permitted by law, for example where disclosure would affect another person, compromise security, or reveal information we are not legally required to provide.

Please note that we may need to retain limited information where we have a legal obligation or lawful basis to do so, including security, fraud prevention, accounting, dispute, or compliance reasons.

Disclosure of Your Personal Data

Business Transactions

If the Company is involved in a merger, acquisition or asset sale, Your Personal Data may be transferred. We will provide notice before Your Personal Data is transferred and becomes subject to a different Privacy Policy.

Law enforcement

Under certain circumstances, the Company may be required to disclose Your Personal Data if required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency).

Other legal requirements

The Company may disclose Your Personal Data in the good faith belief that such action is necessary to:

• Comply with a legal obligation
• Protect and defend the rights or property of the Company
• Prevent or investigate possible wrongdoing in connection with the Service
• Protect the personal safety of Users of the Service or the public
• Protect against legal liability

Security of Your Personal Data

The security of Your Personal Data is important to Us, but remember that no method of transmission over the Internet, or method of electronic storage is 100% secure. While We strive to use commercially acceptable means to protect Your Personal Data, We cannot guarantee its absolute security.

Data Storage and Location

Your data is stored using secure services provided by Google Cloud Platform and Firebase, with primary storage currently in the United States.

• Primary storage location: USA data centers
• Backup and replication: Managed by Google Cloud/Firebase according to their infrastructure and resilience controls
• Service providers: Google Cloud Platform, Firebase (Google LLC)
• Images: User-uploaded images (such as journal photos in Journalmi) are stored in Firebase Storage buckets

Encryption and Data Protection

We use technical and organisational measures designed to protect your data:

• Data in transit: Data transmitted between your device and our services is encrypted using HTTPS/TLS
• Data at rest: Stored data is protected by Google-managed encryption at rest
• Authentication: Secure authentication via Google Sign-In and Apple Sign-In with OAuth 2.0
• Access controls: Access to internal systems is restricted to authorized personnel with a need to know
• Database security: Firebase Firestore with security rules and authentication requirements

Can Lightli Staff See Your Data?

Yes, authorized Lightli staff members can access your data, but only under specific circumstances:

• To provide customer support when you contact us
• To troubleshoot technical issues
• To detect and prevent fraud or abuse
• To comply with legal obligations

We maintain internal access restrictions designed to limit data access to people who need it to perform their role. Staff and contractors with access to personal data are subject to confidentiality obligations and receive appropriate data protection guidance.

Data Backup and Recovery

We and our service providers use backup, replication, and recovery measures designed to reduce data loss:

• Recovery: In case of system failure, data may be restored from backups or replicated systems
• Account deletion: When you delete your account, active account data is deleted or anonymized. Residual copies may remain in backups for a limited period until overwritten or deleted according to backup cycles, unless retention is required by law

Data Breach Notification

In the event of a personal data breach, we will assess the risk and take action required by data protection law. Where legally required, we will:

• Notify the UK Information Commissioner's Office (ICO) within 72 hours after becoming aware of a notifiable breach
• Notify affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms
• Provide clear information about the nature of the breach and steps taken to address it
• Offer guidance on protective measures you can take

Cookies and Tracking Technologies

We use cookies and similar technologies to operate our website and apps, understand performance, and analyze how our services are used. Where required by law, we rely on consent for non-essential cookies and analytics technologies.

Types of Cookies We Use

• Essential Cookies: Required for basic functionality, security, and account access
• Analytics Cookies: Google Analytics and Google Tag Manager to understand user behavior and improve our services
• Authentication Cookies: To keep you logged in across sessions

Third-Party Analytics

We use the following third-party services that may collect data:

• Google Analytics: To analyze website and app usage patterns
• Google Tag Manager: To manage marketing and analytics tags
• Firebase Analytics: To understand app performance and user engagement

You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.

Your Rights Under UK GDPR

Under UK GDPR and the Data Protection Act 2018, you have the following rights:

• Right of access: Request a copy of all personal data we hold about you
• Right to rectification: Request correction of inaccurate or incomplete data
• Right to erasure ("right to be forgotten"): Request deletion of your personal data
• Right to restriction of processing: Request that we limit how we use your data
• Right to data portability: Receive your data in a structured, commonly used format
• Right to object: Object to processing of your data for specific purposes
• Right to withdraw consent: Withdraw consent at any time where we rely on consent
• Right to lodge a complaint: File a complaint with the ICO if you believe we've violated your rights

How to Exercise Your Rights

To exercise any of these rights:

• Email us at: hello@lightli.uk
• Use the in-app account settings to delete your account
• Data export: Signed-in users can request a JSON copy in-app from Settings. If you cannot access your account, contact hello@lightli.uk and we can help with a rights request after verification. For security and abuse prevention, repeated export requests may be rate limited, and very large exports may require manual support follow-up. Data export should be requested before account deletion because deletion removes active account data. Export files are intended to contain your personal data and app-created content, not backend infrastructure details or security-sensitive internal records.
• We will respond to your request within one month, unless UK GDPR allows more time for complex or multiple requests

Legal Basis for Processing

We process your personal data under the following legal bases:

• Contract performance: To provide the services, accounts, subscriptions, syncing, support, and app features you request
• Consent: For optional choices, certain analytics or marketing where required, and explicit consent for special category health data where UK GDPR Article 9 requires it
• Legitimate interests: To improve and secure our services, prevent fraud and abuse, diagnose crashes, understand aggregated usage, and respond to support requests, where those interests are not overridden by your rights
• Legal obligation: To comply with applicable laws, regulatory requirements, accounting obligations, lawful requests, and data protection duties

International Data Transfers

Lightli is based in the United Kingdom, and our service providers, including Google Cloud/Firebase, may process personal data in the United States and other countries. When personal data is transferred internationally:

• We use appropriate safeguards where required, such as adequacy decisions, the UK International Data Transfer Agreement, the UK Addendum to Standard Contractual Clauses, or Standard Contractual Clauses
• We work with providers that offer contractual, technical, and organisational protections for personal data
• We assess transfer risks and provider security practices where required by law

Automated Decision-Making

We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you.

Data Retention Periods

We retain your personal data for the following periods:

• Account data: Until you delete your account or request deletion, then deleted or anonymized subject to limited legal, security, and backup needs
• Anonymous accounts: Automatically deleted 30 days from creation
• Analytics data: Retained according to Google Analytics settings (typically 14-26 months)
• Support communications: 3 years from last contact
• Legal/compliance records: As required by applicable law (typically 6 years)

Children's Privacy

Our services are not directed at children under 13. If you are under 13, you should use Lightli only with consent and supervision from a parent or guardian. If you are under the age of majority where you live, your parent or guardian should review this Privacy Policy and our Terms with you.

We do not knowingly collect personal data from children under 13 without appropriate consent. If you are a parent or guardian and believe your child has provided personal data without appropriate consent, please contact us at hello@lightli.uk so we can take appropriate action.

Links to Other Websites

Our Service may contain links to other websites that are not operated by Us. If You click on a third party link, You will be directed to that third party's site. We strongly advise You to review the Privacy Policy of every site You visit.

We have no control over and assume no responsibility for the content, privacy policies or practices of any third party sites or services.

Changes to this Privacy Policy

We may update Our Privacy Policy from time to time. We will notify You of any changes by posting the new Privacy Policy on this page.

We will let You know via email and/or a prominent notice on Our Service, prior to the change becoming effective and update the "Last updated" date at the top of this Privacy Policy.

You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.

Contact Us

If you have any questions about this Privacy Policy, want to exercise your rights, or have concerns about your data, please contact us:

• Email: hello@lightli.uk
• Company: Lightli LTD
• Country: United Kingdom

Supervisory Authority

If you have concerns about how we handle your data and wish to lodge a complaint, you can contact the UK Information Commissioner's Office (ICO).

• UK Information Commissioner's Office (ICO)
• Website: https://ico.org.uk
• Helpline: 0303 123 1113