Published: April 12, 2026
Your health data never leaves your phone. There is no server. We cannot see your data. The apps are architecturally built so that transmitting your biometric information to us is not just unlikely — it is impossible.
If that is all you needed to know, you can stop here. The rest of this page explains exactly how and why, for people who want the technical details.
LuminaEco makes two apps: Atmos (body weather) and Kindred (private circle). Here is exactly what each one accesses:
| Data Type | Atmos | Kindred |
|---|---|---|
| Heart rate | Read-only from Apple Health / Health Connect | Not accessed |
| Heart rate variability | Read-only from Apple Health / Health Connect | Not accessed |
| Sleep data | Read-only from Apple Health / Health Connect | Not accessed |
| Anonymous user ID | Not used | From Sign in with Apple / Google |
| Contact hashes | Not used | SHA-256 hashes of Inner Circle contacts |
| Email address | Not collected | Not collected |
| Location | Not collected | Not collected |
| Analytics / telemetry | None | None |
That is the complete list. There is nothing else. No browsing history, no location data, no device fingerprinting, no third-party SDKs. The apps do not contain analytics frameworks like Firebase, Mixpanel, or Amplitude.
Everything is stored locally on your device. On iOS, health data is stored using SwiftData with Apple's FileProtection.complete encryption — the same level of encryption that protects banking apps. Your data can only be accessed when your phone is unlocked.
On Android, health data is stored in the app's private storage area, protected by Android's file-based encryption. Health Connect enforces its own additional encryption and access controls on top of that.
There is no database in the cloud. There is no backup server. If you delete the app, the data is gone.
This also means your data does not survive a device reset unless you have an encrypted device backup (via iCloud or iTunes on iOS, or device backup on Android). We consider this a feature, not a bug — your health data should not persist in places you do not control.
No. And this is not just a policy decision — it is an architectural one. There is no LuminaEco server to upload data to. The apps make zero network connections to any LuminaEco-owned endpoint. The only network calls in either app are to Apple's StoreKit or Google Play Billing for subscription verification, and to Sign in with Apple or Google for Kindred's anonymous authentication.
Your heart rate, HRV, and sleep data are processed in a self-contained pipeline that runs entirely on your phone's processor. The output — your body weather state — is a simple string like "sunny" or "stormy." Even that output stays on your device unless you choose to share it with a partner through Kindred.
This is one of the questions we get most often, and the answer is deliberately minimal.
When you use both Atmos and Kindred, Atmos sends Kindred exactly two things: your weather state (a word like "sunny") and your readiness score (a number from 0 to 100). That is it.
Your actual heart rate, HRV values, and sleep data are never shared between the apps. The shared data structure does not have fields for biometric values. This is by design. A developer cannot accidentally share your health data because the data types do not allow it. We verify this with 15+ automated tests that run on every code change — if someone adds a biometric field to the shared type, the build fails.
Atmos retains your biometric data for 90 days to calculate trends and baselines. On every app launch, data older than 90 days is automatically pruned. This happens locally — there is no server-side retention because there is no server.
Kindred retains your anonymous ID and contact hashes for as long as you have an account. Weather state history is kept for 30 days.
We chose 90 days because it is long enough to build meaningful personal baselines and short enough that you are not carrying around months of sensitive biometric history. The auto-prune is not optional — it runs every time the app opens, with no way to disable it.
Yes, immediately and completely:
Because there is no server, deletion is instant and total. There is no 30-day grace period, no backup to purge, and no "we'll delete it from our systems within 90 days" caveat. When you tap delete, it is gone.
You can also simply uninstall the app. When the app is removed, its private storage area is deleted by the operating system. No orphaned data remains.
Most health and wellness apps — including popular ones like Whoop and Oura — upload your biometric data to their cloud servers for processing. Your heart rate, sleep patterns, and HRV history live on their infrastructure. Their privacy policies typically allow them to use aggregated or de-identified data for research, product improvement, or partnerships.
LuminaEco takes a fundamentally different approach. All processing happens on your device. There is no cloud infrastructure to secure, no database to breach, and no aggregated dataset to sell or share. The architecture makes data exfiltration impossible — not just against policy, but structurally impossible.
This is not a marketing claim. It is a verifiable technical fact. The apps do not contain the code to transmit health data to an external server.
If you are interested in how this compares to cloud-based wellness apps like Whoop and Oura, read our honest comparison of Atmos vs Whoop vs Oura. For more about the body weather concept and how HRV works, see our other guides.
Words are easy. Code is harder to fake. LuminaEco maintains a suite of 15+ automated privacy tests that run on every single code change. These tests do the following:
heartRate or sleepHours to a shared type, the test fails and the code cannot be merged.
These tests are not optional. They run in our continuous integration pipeline, and a failure blocks the release. This means privacy is enforced by code, not just by policy.
Most companies promise privacy in their terms of service. We enforce it in our build system. A promise can be broken. A failing test cannot be shipped.
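The guard described above for the shared Atmos-to-Kindred type and for the build-blocking privacy tests can be illustrated in Python. This is an added example, not LuminaEco's code: the class, field and function names are assumptions, and only the two shared values (weather state, readiness 0 to 100) and the heartRate / sleepHours field names come from this page.

```python
from dataclasses import asdict, dataclass, fields
import json

# Assumed names: the page only says the shared type carries a weather state
# and a 0-100 readiness score, and that heartRate / sleepHours must not appear.
ALLOWED_FIELDS = {"weather_state": str, "readiness": int}
BIOMETRIC_MARKERS = ("heart", "hrv", "sleep", "bpm")
WEATHER_STATES = {"sunny", "stormy"}  # constructed from the two words quoted


@dataclass(frozen=True)
class SharedWeather:
    weather_state: str
    readiness: int

    def __post_init__(self):
        if self.weather_state not in WEATHER_STATES:
            raise ValueError(f"unknown weather state: {self.weather_state!r}")
        if type(self.readiness) is not int or not 0 <= self.readiness <= 100:
            raise ValueError("readiness must be an integer from 0 to 100")


def schema_violations(shared_type):
    """Return reasons a shared type breaks the allowlist (empty list = pass)."""
    declared = {f.name: f.type for f in fields(shared_type)}
    problems = [f"missing field: {n}" for n in ALLOWED_FIELDS.keys() - declared.keys()]
    for name, typ in declared.items():
        if any(m in name.lower() for m in BIOMETRIC_MARKERS):
            problems.append(f"biometric field: {name}")
        elif name not in ALLOWED_FIELDS:
            problems.append(f"unlisted field: {name}")
        elif typ is not ALLOWED_FIELDS[name]:
            problems.append(f"wrong type for {name}")
    return sorted(problems)


def encode(payload):
    """Serialize for the other app and re-check the keys that actually go out."""
    wire = json.dumps(asdict(payload), sort_keys=True)
    if set(json.loads(wire)) != set(ALLOWED_FIELDS):
        raise RuntimeError("serialized payload has unexpected keys")
    return wire


@dataclass(frozen=True)
class LeakyWeather:  # constructed regression that a CI run should reject
    weather_state: str
    readiness: int
    heartRate: float
```

A CI test would assert that `schema_violations(SharedWeather)` is empty, so a change that turns the shared type into something like `LeakyWeather` fails before it can be merged.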
For the full legal privacy policy, see our Privacy Policy page.