We have written this policy to be clear and direct because privacy is fundamental to how Lucid works. If anything is unclear, please write to privacy@lucidhealth.app.
LAST UPDATED · MAY 19, 2026
In plain language:
When you create an account, we collect your email address, a display name (optional), birth year (optional, used to contextualize age-related cognitive patterns), and your account preferences.
When you use the Service, you may choose to provide voice recordings, written journal entries, drawings (including from handwriting and clock drawing activities), photo and video content, responses to cognitive activities, self-reported information about mood, life events, and medical history, and family member contact information when you invite family members. All raw content is stored on your device by default.
With your permission, the Service can access your microphone (for voice journaling), camera (for video journaling), Apple HealthKit data (read-only), notifications, and Face ID or Touch ID (optional, to protect access to the app).
We do not collect: your location, your contacts, your browsing or search history, your photo library beyond items you choose to share, or any data you have not granted permission to access.
The Service processes the data above on your device to extract patterns and features. These derived patterns include linguistic features from your voice and writing (vocabulary diversity, speech rate, sentence complexity), facial features from videos (expression patterns, eye movement, head pose), performance metrics from cognitive activities, behavioral features (typing rhythm, app usage patterns), and health context (sleep architecture, activity patterns).
These derived patterns are what sync to your account, not the underlying raw data.
If you choose to connect third-party services, we receive data from those services according to your permissions: Oura Ring (sleep, recovery, HRV, body temperature), Whoop (recovery, strain, sleep), continuous glucose monitors (Levels, NutriSense, Stelo, Lingo), and 23andMe or AncestryDNA (genetic data files you upload).
Genetic data is processed entirely on your device. We do not transmit, store on our servers, or share genetic information.
If you invite family members to provide observations, we collect their email address to send check-in prompts, and the observations they provide. Family members have their own privacy rights and can request deletion of observations they have shared.
When you use the Service, we automatically collect app usage information (which features you use, when, for how long), device information (device model, OS version, app version), crash and performance data, and IP address (used only to provide the Service, never for tracking).
We use your information solely to provide the Service, improve the Service through aggregate pattern analysis and bug fixes, communicate with you about service-related matters, and comply with legal obligations.
We do not use your information to: sell or rent to third parties, train artificial intelligence models without your explicit opt-in consent, show you advertising, track you across other apps or websites, or make any inferences about your identity beyond what is necessary for the Service.
We share your information only in these limited circumstances:
We use trusted service providers to operate the Service: Supabase (database hosting), Hetzner (cloud infrastructure), RevenueCat (subscription management), Anthropic (AI for personalized insights, anonymized text only, never raw recordings), PostHog (analytics, app usage events only), and Apple (App Store, push notifications). These providers are contractually bound to protect your information.
When you invite a family member and grant them permission, they can see the specific information you authorize. You control exactly what they see and can revoke access at any time.
If you opt into research participation, we may share deidentified data with research partners such as academic institutions. This requires separate, explicit consent and can be revoked at any time.
We may disclose your information if required by law, subpoena, or court order. We will notify you of such disclosure unless legally prohibited.
If Lucid is acquired or merges with another company, your information may transfer to the new entity, subject to this Privacy Policy or a successor policy that respects your rights equivalently.
Raw cognitive content (voice, video, journal entries, drawings) is stored on your device, optionally backed up via your iCloud (we do not have access to those backups).
Derived patterns and account data are stored on encrypted servers operated by Supabase and Hetzner.
Genetic data is processed on your device only and is never transmitted to our servers.
Data in transit uses TLS 1.3. Data at rest uses AES-256. Authentication uses industry-standard token-based authentication. Sensitive data fields receive additional encryption with user-derived keys.
We retain your account data and derived patterns as long as your account is active. When you delete your account, we delete all associated data within 30 days, except where required for legal compliance (financial records related to subscriptions are retained for 7 years per applicable regulations). You can export all your data at any time.
We follow industry best practices, including SOC 2 Type II compliance (in progress), HIPAA-aligned security practices (though Lucid is not a HIPAA covered entity), regular security audits, limited internal access on a need-to-know basis, and logging and monitoring of all data access.
If we become aware of a security breach affecting your information, we will notify you within 72 hours of discovery for significant breaches and take appropriate remediation steps.
View all data we hold about you within the app. Export a complete copy in standard formats (JSON, CSV) from Settings > Privacy > Export My Data.
Correct any inaccurate information through the app or by writing to privacy@lucidhealth.app.
Delete specific items at any time. Delete your entire account from Settings > Account > Delete Account.
Withdraw consent for specific uses (research participation, family sharing, third-party integrations) at any time without losing access to the Service.
Grant or revoke iOS permissions at any time in iOS Settings > Lucid. The app handles revoked permissions gracefully.
We send only essential service communications. We do not send marketing emails by default.
California residents have the right to know what personal information we collect, the right to delete personal information, the right to correct inaccurate information, the right to opt out of sale or sharing of personal information (we do not sell or share for cross-context behavioral advertising), the right to limit use of sensitive personal information, and the right to non-discrimination for exercising these rights.
To exercise these rights, write to privacy@lucidhealth.app or use the in-app controls. We will respond within 45 days.
EEA, UK, and Swiss residents have rights under GDPR, UK GDPR, and related laws, including the rights of access, rectification, erasure, restriction of processing, data portability, and objection to processing.
Legal bases for processing: Contract (providing the Service), Consent (specific features), Legitimate Interest (improving the Service, preventing fraud).
International transfers: Data may be transferred to the United States. We use Standard Contractual Clauses approved by the European Commission for these transfers.
Data Protection Officer: dpo@lucidhealth.app
If you reside in a jurisdiction with specific privacy rights (Canada's PIPEDA, Brazil's LGPD, Australia's Privacy Act), we comply with applicable local laws. Write to privacy@lucidhealth.app for jurisdiction-specific inquiries.
Lucid is intended for adults aged 18 and older. We do not knowingly collect personal information from anyone under 13. If you believe a child has provided us information, please write to privacy@lucidhealth.app and we will delete it promptly. For users between 13 and 18, certain features may require parental consent depending on jurisdiction.
Lucid is a wellness app, not a medical device. We do not provide medical advice, diagnosis, or treatment. The information provided by the Service is for general informational and educational purposes only.
If you have specific health concerns, please consult a qualified healthcare provider. Do not rely on Lucid for medical decisions.
We are not a HIPAA-covered entity. The health data we collect is treated with HIPAA-aligned security practices but is governed by this Privacy Policy, not HIPAA.
We may update this Privacy Policy occasionally. Material changes will be communicated through the app and via email at least 30 days before they take effect. Continued use of the Service after changes constitutes acceptance. Previous versions are archived and available upon request.
Privacy questions and data requests: privacy@lucidhealth.app
General support: hello@lucidhealth.app
Legal: legal@lucidhealth.app
Security: security@lucidhealth.app
We aim to respond to all privacy inquiries within five business days.