Luvo Privacy Policy
This policy explains what the Luvo mobile app (the “App”) collects, how we use it, and your choices. Luvo is operated by Elvar Systems Ltd (“we”, “us”), registered in the United Kingdom. For our company-wide privacy policy, see elvarsystems.co.uk/privacy.
1. What we collect
Account. When you sign in we receive your email address (and, if you use Apple or Google sign-in, the basic profile info those services share with us — typically a name and an opaque user ID).
Trips. The destinations, pitches, votes, costs and itinerary items you and your group enter into the App.
Trip chat and reactions. Text messages, emoji reactions, and activity events (e.g., “Alex voted on Bali”) you post within a trip. All of this content is visible to other members of that trip.
Photos. If you add a profile picture, a trip cover, or photos to an itinerary item, we store those images so they display in the App for you and your trip members. We only access your photo library when you pick an image for one of these features.
Push notification tokens. When you enable push notifications, we collect a device push token and deliver alerts about your trips through the Expo push service, which relays them to Apple Push Notification service (APNs) or Firebase Cloud Messaging.
Device data. Crash reports and basic analytics (screen viewed, app version, OS version) to keep the app reliable.
Advertising identifier & attribution. With your permission, we use your device’s advertising identifier (Apple’s IDFA or Google’s Advertising ID) together with our measurement partner AppsFlyer to understand which advert or campaign brought you to Luvo, so we can tell whether our marketing is working. On iOS this happens only if you allow it at the App Tracking Transparency prompt; if you decline, no advertising identifier is collected. We use this for measurement only — we don’t build advertising profiles about you or target ads to you across other apps.
Purchases. If you subscribe to Luvo Plus, we receive purchase data from the app stores: the product identifier, a transaction ID, the purchase date, and your subscription status and expiry. Billing is processed by Apple (App Store) or Google (Google Play) — we never see or store your card or payment-method details. We use this only to verify your subscription and prevent fraud.
2. What we don’t collect
We don’t access your contacts, photos library, microphone or precise location unless you explicitly grant permission for a feature that needs it. Apart from the opt-in advertising attribution described in section 1, we don’t track you across other apps or websites. We don’t sell personal data.
3. Sharing within your group
Anything you post into a trip (destinations, pitches, votes, costs, chat messages, reactions, and activity) is visible to other members of that trip. That’s the point. We do not share your trip content with anyone outside the trip.
If you post content that breaches our Acceptable Use Policy, other members can report it. We review reports and may remove content or suspend accounts.
4. Service providers
We use a small set of trusted providers to operate the App: Supabase (database and authentication), Sentry (crash reports), PostHog (privacy-preserving product analytics), the Expo push service (delivering notifications via Apple and Google), ZeptoMail (sending account emails such as sign-in codes), AppsFlyer (measuring, with your consent, which advert brought you to Luvo), Google (Sign in with Google), and Apple (Sign in with Apple and the Push Notification Service). They process your data on our behalf, under contract.
AI itinerary suggestions. When you ask Luvo to suggest activities or build an itinerary, we send the relevant trip context — such as the destination, dates, and the type of activity you’re after — to a large-language-model provider to generate the suggestion. We currently use Google (Gemini) and Alibaba Cloud (Qwen, hosted in Singapore) for this. The request is minimised: we do not send your name, email, account identifier, or your private trip chat. These providers process the prompt to return a suggestion and, under our agreements with them, do not use it to train their models. Where this routing sends data to providers in Singapore or the US, the transfer is covered by the Standard Contractual Clauses described in section 7.
Booking links. Some destinations show optional links to book flights or stays through our travel partners, currently Trip.com and Aviasales. When you tap one of these links, we pass the partner the search context for that link — typically the origin, destination, and dates — so the partner can show you relevant results. From that point the partner is an independent controller of any data you give them, governed by their own privacy policy and terms; we are not party to your booking. These are affiliate links, which means we may earn a commission if you book, at no extra cost to you. We do not receive your payment details.
5. Your rights
Under the UK GDPR you have the right to access, rectify, erase, restrict, port and object to processing of your personal data. You can delete your account inside the App. We immediately disable your account and revoke your sessions, then permanently erase your personal data after a 30-day grace period. During that period you can contact us to restore your account. Content you shared with a group may be retained or anonymised so the trip stays usable for its other members. To exercise any other right or to request a copy of your data, email contact@elvarsystems.co.uk.
6. Age requirements
Luvo is only available to users 13 years of age or older and is not directed at children under 13. We do not knowingly collect data from anyone under 13.
7. International transfers
Our service providers may store data in the EU, UK, or US. Where data leaves the UK, we rely on the UK Addendum to the EU’s Standard Contractual Clauses to protect it.
8. California privacy rights
If you are a California resident, the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA) gives you specific rights over your personal information. We extend these controls to you regardless of where you live.
Your rights. You have the right to know and access the personal information we have collected about you and how we use and share it (Cal. Civ. Code § 1798.100, § 1798.110, § 1798.115); to delete personal information we hold about you (§ 1798.105); to correct inaccurate personal information (§ 1798.106); to opt out of any “sale” or “sharing” of your personal information (§ 1798.120); and to not be discriminated against for exercising any of these rights (§ 1798.125). We do not use or disclose sensitive personal information for purposes that would trigger the right to limit its use under § 1798.121.
We do not sell or share your personal information. We do not sell your personal information for money, and we do not “share” it for cross-context behavioural advertising, as those terms are defined under the CPRA. Because we do not sell or share, there is nothing to opt out of — but if that ever changed, this page would carry a working “Do Not Sell or Share My Personal Information” control, and we would honour an opt-out before any such sale or sharing took place.
Do Not Sell or Share My Personal Information. This is our designated control. As stated above, we do not sell or share personal information, so this control is currently a no-op confirmation rather than a switch you need to set.
Global Privacy Control (GPC). This website uses only privacy-friendly, cookieless product analytics (PostHog, EU-hosted) to count page visits and app-store link clicks. It sets no cookies, writes no cross-site or cross-session identifier to your device, builds no personal profile, and runs no session recording, autocapture, or advertising trackers. Because we neither sell nor share personal information, there is nothing for a browser’s Global Privacy Control signal (sent as a Sec-GPC request header or exposed as navigator.globalPrivacyControl) to switch off; we additionally honour a browser Do-Not-Track signal as an opt-out of this analytics. Analytics in the Luvo mobile app are governed separately by the in-app analytics toggle in Settings, described in our Cookie Policy.
How to make a request. To exercise any California right, email contact@elvarsystems.co.uk with “California privacy request” in the subject line. We will verify your request against the information we hold and respond within the timeframes the CCPA requires (§ 1798.130). You may use an authorised agent to make a request on your behalf.
9. Changes
If we make material changes, we’ll let you know in the App before they take effect.
10. Contact
The data controller is Elvar Systems Ltd. Contact us at contact@elvarsystems.co.uk. You have the right to complain to the UK Information Commissioner’s Office at ico.org.uk.