Document: Privacy Policy

Version: 1.0

Effective: 2026-06-01

Last updated: 2026-05-14

Privacy Policy

Version: 1.0
Effective Date: [TO BE SET BEFORE PUBLISHING]

LULL Privacy Policy

1. INFORMATION WE COLLECT

1.1 Information You Provide Directly

Account registration information: name, email address, birthdate, and password
Profile information: age range, usage mode (Personal, Student, Veteran), and settings preferences
Journal entries, Question of the Day responses, Log It captures, and Audio Capture summaries
Guardian connection information: Connect Code usage and guardian account details
Communications with us: support requests and feedback

1.2 Information Collected Automatically

Device information: device type, operating system, and app version
Usage data: features used, session frequency, and interaction patterns
Technical logs: error reports and performance data

1.3 Information We Do NOT Collect

1.4 Audio Capture — Special Notice

Lull's Audio Capture feature processes audio entirely on your device using on-device speech recognition. Raw audio is never transmitted to Rhetoric Innovations LLC servers. Only a compressed text summary of the audio session is stored. Raw audio is deleted from your device immediately after the summary is generated. No audio recordings are retained by the Company.

1.5 Children Under 13 — COPPA-Specific Disclosures

For users under 13, we collect only the minimum information necessary to provide the Service: name (first name only), parent email address, and account activity data. We do not collect any information from children under 13 beyond what is strictly necessary to provide the journaling service and comply with safety obligations. Parents may review, modify, or request deletion of their child's information at any time by contacting hello@lulljournal.app.

2. HOW WE USE YOUR INFORMATION

2.1 Service Provision

To create and manage your account
To provide the journaling, reflection, and AI response features
To generate the Question of the Day based on your journaling history (if the context-aware setting is enabled)
To build memory summaries that allow Lull to recognize patterns across your journal entries over time
To operate the guardian dashboard and safety notification features

2.2 Safety Features

To analyze journal content for safety signals and surface crisis resources when appropriate
To notify connected guardians or trusted contacts at defined safety threshold levels
To maintain safety logs for legal compliance purposes

2.3 Service Improvement

To monitor and improve application performance and reliability
To diagnose and resolve technical issues

2.4 Communications

To send account-related notifications including subscription confirmations and account updates
To send safety-related communications as described in Section 2.2
To respond to your support requests

2.5 What We Do NOT Use Your Information For

3. HOW WE SHARE YOUR INFORMATION

3.1 We Do Not Sell Your Data

Rhetoric Innovations LLC does not sell, rent, or trade your personal information to any third party for any purpose. This applies to all users, including users under 18.

3.2 Service Providers

We share information with the following categories of service providers solely to operate the Service:

3.3 Legal Requirements

We may disclose your information if required to do so by law, court order, or governmental authority, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of the Company, our users, or the public.

3.4 Business Transfers

In the event of a merger, acquisition, or sale of all or substantially all of our assets, your information may be transferred to the acquiring entity. We will provide notice of such transfer and the opportunity to delete your account before the transfer takes effect.

4. DATA RETENTION

4.1 Active Accounts

We retain your account data and journal entries for as long as your account is active. You may delete individual journal entries at any time through the application.

4.2 Deleted Accounts

Upon account deletion, all journal entries, Log It captures, audio summaries, memory summaries, and profile data will be permanently deleted within 30 days. You will receive email confirmation when deletion is complete.

4.3 Safety Logs

Safety-related logs (records of safety detection events) are retained for up to 7 years after account deletion for legal compliance purposes. These logs contain only metadata about safety detection events, not journal entry content.

4.4 Sensitive Pattern Logs

Behavioral pattern detection logs used to adapt the AI journaling experience are automatically cleared when no relevant signals appear within the applicable detection window (7 days for urge patterns, 30 days for behavioral patterns). These logs are retained for no longer than 30 days after the last relevant signal.

4.5 Payment Records

Payment transaction records are retained for 7 years as required by applicable tax and financial regulations. Retained payment records do not include full payment card details.

5. DATA SECURITY

We implement industry-standard security measures to protect your information, including:

Encryption of data in transit using TLS 1.2 or higher
Encryption of data at rest
Row-level security policies limiting data access to authorized users only
Regular security monitoring and logging
Limited employee access to user data on a need-to-know basis

6. YOUR RIGHTS AND CHOICES

6.1 Access and Portability

You may request a copy of your personal information at any time by contacting privacy@lulljournal.app. We will provide your data in a commonly used electronic format within 30 days.

6.2 Correction

You may update your account information at any time through account settings. For information that cannot be updated through the application, contact privacy@lulljournal.app.

6.3 Deletion

You may delete your account and all associated data at any time through account settings. Upon deletion request, all data except safety logs and payment records will be permanently deleted within 30 days.

6.4 Opt-Out of Context-Aware Features

You may disable context-aware Question of the Day selection in account settings. When disabled, daily prompts are delivered independently of your journal history.

6.5 Guardian Dashboard Opt-Out

Users 18 and older may remove connected guardian accounts at any time through account settings. Users under 13 may request guardian access review through privacy@lulljournal.app.

6.6 California Residents

California residents have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including the right to know what personal information is collected, the right to delete personal information, the right to opt out of sale (we do not sell data), and the right to non-discrimination for exercising privacy rights. To exercise these rights, contact privacy@lulljournal.app.

6.7 Nevada Residents

Nevada residents may opt out of the sale of covered information. We do not sell covered information as defined under Nevada law. For questions, contact privacy@lulljournal.app.

6.8 European Users

7. CHILDREN'S PRIVACY — COPPA COMPLIANCE

7.1 Information Collected from Children Under 13

For users under 13, we collect only:

First name (for personalized greetings only)
Parent or guardian email address (for consent verification)
Account activity data (journaling frequency and general themes for guardian dashboard)
Journal entry content (stored securely, never shared with third parties except as described in Section 3.2)

7.2 Verifiable Parental Consent

Before collecting any personal information from a child under 13, we obtain verifiable parental consent through our email verification and identity confirmation process. Accounts for users under 13 are not activated until this consent is received.

7.3 Parental Rights

Parents or legal guardians of children under 13 have the right to:

Review the personal information we have collected from their child
Request deletion of their child's personal information
Refuse to permit further collection or use of their child's information
Revoke previously granted consent To exercise these rights, contact privacy@lulljournal.app or hello@lulljournal.app. We will respond within 10 business days.

7.4 No Behavioral Advertising to Children

We do not use the personal information of children under 13 for behavioral advertising. We do not serve any advertising within the Lull application to any user.

7.5 California Age-Appropriate Design Code Compliance

For all users under 18, regardless of state of residence, we apply the standards of the California Age-Appropriate Design Code (AB 2273), including:

Privacy settings are configured to the highest level of protection by default
We do not profile users under 18 for advertising or commercial purposes
We do not use dark patterns to encourage users under 18 to provide more personal information than necessary
We have conducted a Data Protection Impact Assessment as required by applicable law

8. SCHOOL AND INSTITUTIONAL USE — FERPA AND SOPIPA

8.1 School Deployments

When Lull is deployed by a school or educational institution under a licensing agreement, additional privacy protections apply. Schools deploying Lull must execute a Data Processing Agreement with Rhetoric Innovations LLC.

8.2 FERPA Compliance

When deployed by a school that receives federal funding, Lull may be subject to the Family Educational Rights and Privacy Act (FERPA). In FERPA-covered deployments, Lull acts as a school official with a legitimate educational interest in accordance with 34 C.F.R. § 99.31(a)(1). Student education records within Lull are used only for educational purposes and are not disclosed to third parties except as permitted by FERPA.

8.3 SOPIPA and State Student Privacy Laws

Lull complies with the Student Online Personal Information Protection Act (SOPIPA) and equivalent state student privacy laws. We do not use student data to build a personal profile for purposes other than the educational purpose for which the data was collected, sell student data, or disclose student data for advertising purposes.

9. THIRD-PARTY LINKS AND SERVICES

The Service may contain links to third-party websites or services, including crisis resource websites. We are not responsible for the privacy practices of third parties. We encourage you to review the privacy policies of any third-party services you access through Lull.

We may update this Privacy Policy periodically. We will provide notice of material changes by email to your registered address and by posting updated policy on our website with an updated effective date. For changes that materially reduce your privacy protections, we will seek your affirmative consent before the changes take effect for your account.

11. CONTACT INFORMATION

For privacy-related questions, requests, or concerns:

Privacy Inquiries: privacy@lulljournal.app General Contact: hello@lulljournal.app Company: Rhetoric Innovations LLC Website: lulljournal.app

For urgent privacy concerns related to children's data, we will respond within 2 business days.

Rhetoric Innovations LLC | lulljournal.app | hello@lulljournal.app

This Privacy Policy describes how Rhetoric Innovations LLC ("Company," "we," "us," or "our") collects, uses, stores, and shares information about you when you use the Lull journaling application and related services.

The following categories of information are NOT collected by Lull: precise geolocation data, contact list or address book data, advertising identifiers or tracking identifiers for advertising purposes, biometric data, financial information beyond what is necessary for subscription processing, audio recordings (Audio Capture is processed entirely on-device; raw audio is never transmitted to our servers).

We do not use your journal content or personal information for: advertising targeting or behavioral advertising, sale to data brokers or third parties, training AI models, profiling for purposes unrelated to providing the Service, or any commercial purpose not described in this Privacy Policy.

Provider	Purpose	Data Shared
Anthropic, PBC	AI response generation for journal conversations	Journal entry text for individual session processing only. Not retained by Anthropic beyond individual requests.
Supabase, Inc.	Database and authentication infrastructure	Account data, journal entries, and usage data stored securely
Stripe, Inc.	Subscription payment processing	Payment information only. We do not store full payment card details.
Resend, Inc.	Transactional email delivery	Email address and email content for account and safety notifications

No method of electronic transmission or storage is 100% secure. While we implement strong security measures, we cannot guarantee absolute security of your information. In the event of a data breach affecting your personal information, we will notify you as required by applicable law.

This section applies specifically to users under 13 years of age and their parents or legal guardians. We comply with the Children's Online Privacy Protection Act (COPPA), 15 U.S.C. § 6501 et seq.