Privacy Policy

Last updated: May 2026

1. Introduction

Welcome to Runlock (“we,” “our,” or “us”), developed and operated by Lumio Studio. We are committed to protecting your privacy and being transparent about the data we handle. This Privacy Policy explains what information we collect, why we collect it, and how it is used when you download and use the Runlock mobile application on iOS.

By using Runlock, you agree to the practices described in this policy.

2. Information We Collect

2.1 On-Device Data Only

The following data is processed entirely on your device and is never transmitted to our servers or any third party:

  • Step count data — read from Apple HealthKit solely to determine whether your daily step goal has been met. No health data leaves your device.
  • App lock selections — represented by opaque, privacy-preserving tokens issued by Apple’s Screen Time API (Family Controls / Managed Settings). We cannot see which specific apps you select.
  • Step goal, streak history, and app settings — stored in local device storage.

2.2 Account Data (Optional — Challenges Feature Only)

The Challenges tab allows you to compete with friends. This feature is entirely optional and requires Sign in with Apple. If you choose to use it, we collect via Firebase Authentication:

  • Your Apple-assigned display name (if you choose to share it)
  • Your Apple relay email address (a private, Apple-generated address — we never see your real email)
  • A Firebase User ID (UID) used to identify your Challenges profile

2.3 Cloud-Stored Content (Challenges Only)

If you use the Challenges feature, the following data is stored in Firebase Firestore under your Firebase UID:

  • Friends list (Firebase UIDs of accepted connections)
  • Challenge entries (challenge name, step goal, start/end dates, participants)
  • Leaderboard scores (daily step counts contributed to active challenges)

2.4 Analytics and Diagnostics

We use the following services to understand app usage and maintain stability. None of these receive your health data, app lock selections, or Challenges content:

  • PostHog — product analytics events (e.g., screen views, feature interactions). Each user is identified by an anonymous UUID or, if signed in, their Firebase UID. PostHog is GDPR-compliant and processes data in the EU.
  • Firebase Analytics — app usage events (screen views, key user actions). Data is processed by Google.
  • Firebase Crashlytics — crash reports and error breadcrumbs. No personal health or Challenges data is included.

2.5 Subscription Data

Runlock uses Adapty for subscription management on top of Apple’s StoreKit 2. Adapty receives:

  • An Adapty Profile ID (generated internally, not tied to your Apple ID)
  • Your subscription tier and entitlement status (free or Premium)
  • Purchase events from Apple — Adapty never sees your payment card details

2.6 Attribution and Advertising Identifiers

We use AppsFlyer and the Meta (Facebook) SDK for advertising attribution — to understand which marketing campaigns lead to app installs and key in-app events. These SDKs may collect:

  • If you grant permission via the iOS App Tracking Transparency (ATT) prompt: your device’s IDFA (Identifier for Advertisers), which enables cross-app attribution.
  • If you deny ATT: only aggregated, non-identifiable attribution signals are used (SKAdNetwork). No IDFA is accessed.

3. App Tracking Transparency (ATT)

iOS requires us to ask your permission before accessing your device’s advertising identifier (IDFA). When you first open Runlock, you will see an ATT prompt from Apple.

If you tap Allow: your IDFA is shared with AppsFlyer and Meta to measure ad performance and install attribution across apps.

If you tap Ask App Not to Track: no IDFA is accessed. Attribution relies only on privacy-preserving, aggregated signals (Apple’s SKAdNetwork). The core app — step tracking, app blocking, and all premium features — works identically regardless of your ATT choice.

You can change your ATT decision at any time under Settings > Privacy & Security > Tracking on your iPhone.

4. How We Use the Information

We use the information described above only for the following purposes:

  • Providing the step-gating service — locking and unlocking apps based on your daily step progress
  • Operating the optional Challenges feature — storing leaderboard data and friend connections in Firestore
  • Improving the app — understanding feature usage via PostHog and Firebase Analytics
  • Maintaining stability — detecting and fixing crashes via Firebase Crashlytics
  • Managing your subscription — verifying entitlements and purchase events via Adapty and StoreKit 2
  • Measuring ad effectiveness — attributing installs and events to marketing campaigns via AppsFlyer and Meta SDK (with ATT consent)

5. Third-Party Services

The following third-party services process data on our behalf. We encourage you to review their respective privacy policies:

  • Apple HealthKit — https://www.apple.com/legal/privacy/
  • Apple Screen Time API (Family Controls) — https://www.apple.com/legal/privacy/
  • Firebase (Auth, Firestore, Analytics, Crashlytics, Remote Config) by Google — https://firebase.google.com/support/privacy
  • PostHog — https://posthog.com/privacy
  • Adapty — https://adapty.io/privacy-policy/
  • AppsFlyer — https://www.appsflyer.com/legal/services-privacy-policy/
  • Meta (Facebook SDK) — https://www.facebook.com/privacy/policy/

We do not sell your personal information to any third party.

6. International Data Transfers

Runlock is developed by Lumio Studio, based in Turkey. Some of our third-party processors operate servers in the United States and the European Union:

  • Firebase (Google) — primarily US-based, with EU data-residency options. Google is GDPR-compliant under Standard Contractual Clauses.
  • AppsFlyer — EU/US servers; GDPR and CCPA compliant.
  • Meta (Facebook SDK) — US-based; GDPR-compliant under Standard Contractual Clauses.
  • PostHog — EU-based cloud; GDPR-compliant.

If you are located in Turkey, processing of your personal data by these third-party services constitutes an international transfer under KVKK (Kişisel Verilerin Korunması Kanunu) Article 9. We rely on the data processors’ standard contractual mechanisms and KVKK-permitted transfer bases.

7. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you
  • Correction — ask us to correct inaccurate data
  • Deletion — request deletion of your account and associated Challenges data (email us at contact@lumiostudio.co with subject line “Delete My Data”)
  • Portability — request an export of your data in a portable format
  • Objection / Restriction — object to or restrict certain processing activities
  • Revoke ATT — go to Settings > Privacy & Security > Tracking and disable tracking for Runlock
  • Revoke HealthKit — go to Settings > Privacy & Security > Health > Runlock
  • Revoke Screen Time — go to Settings > Screen Time on your iPhone
  • Manage or cancel subscription — go to Settings > [Your Name] > Subscriptions

For KVKK (Turkey) requests, contact us at contact@lumiostudio.co. We will respond within 30 days.

8. Data Retention

  • On-device data (steps, goals, streak) — retained until you uninstall the app
  • Firebase Challenges data — retained until you request deletion or your account is inactive for 12 months
  • Analytics events (PostHog, Firebase Analytics) — retained per each provider’s default retention settings
  • Crash reports (Crashlytics) — retained for 90 days
  • Adapty subscription records — retained per Adapty’s data retention policy (typically tied to subscription lifecycle)

9. Children’s Privacy

Runlock is not intended for children under 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has created a Challenges account, please contact us at contact@lumiostudio.co and we will delete the account promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Any changes will be posted on this page with a revised “Last updated” date. For material changes, we will notify you within the app. We encourage you to review this policy periodically.

11. Contact

If you have any questions, requests, or concerns about this Privacy Policy, please reach out:

Runlock

Operated by: Lumio Studio

Email: contact@lumiostudio.co