Privacy Policy

Last updated: March 2026

1. Who We Are

Lunar ("we", "us", "our") is a personal wealth tracking application based in the UK.

For the purposes of UK data protection law, we are the data controller - meaning we decide how and why your personal data is processed.

If you have any questions about this policy or how we handle your data, contact us at: support@lunarportfolio.com

2. What Data We Collect

We collect the following categories of personal data:

Account information

  • Name and email address (when you create an account or join our waitlist)
  • Authentication credentials

Financial data via Open Banking

  • Bank account balances and transaction history

Financial data via third-party APIs

  • Investment holdings, valuations and performance data

Financial data via manual entries

  • Pension, savings and other asset data you choose to add

Photos and documents

  • Photos of financial documents (such as Premium Bonds statements) that you voluntarily upload or capture using your device camera for data extraction

Technical and usage data

  • Device type, operating system, and browser
  • IP address (anonymised where possible)
  • Pages visited, features used, and session duration
  • Crash reports and performance data

3. How We Use Your Data

We process your personal data for the following purposes:

Purpose Legal basis (UK GDPR)
Providing the Lunar app and its features Performance of contract (Art. 6(1)(b))
Connecting your financial accounts via Open Banking Performance of contract (Art. 6(1)(b))
Processing uploaded photos to extract financial data Performance of contract (Art. 6(1)(b))
Managing your account and responding to support requests Performance of contract (Art. 6(1)(b))
Sending service-related communications (e.g. security alerts) Legitimate interest (Art. 6(1)(f))
Analysing usage to improve the app Legitimate interest (Art. 6(1)(f))
Website analytics (Google Analytics, Microsoft Clarity) Consent (Art. 6(1)(a))
Preventing fraud and ensuring security Legitimate interest (Art. 6(1)(f))

We will never sell your personal data. We do not use your financial data for advertising, profiling, or credit scoring.

4. Open Banking and Financial Data

Lunar connects to your financial institutions through authorised Open Banking providers regulated by the Financial Conduct Authority (FCA). When you connect an account:

  • You authenticate directly with your bank - we never see or store your banking login credentials
  • We receive read-only access to the account data you authorise
  • You can revoke access at any time through the Lunar app or directly with your bank
  • Your data is encrypted in transit and at rest

5. Camera Permission and Photo Handling

The Lunar app requests camera access so you can photograph financial documents (such as Premium Bonds statements) for automatic data extraction. Camera access is optional and only used when you choose to scan a document.

How we handle photos you upload or capture:

  • Photos are uploaded to our secure servers over an encrypted connection
  • Photos are processed solely to extract financial data for your portfolio
  • Photos are cached for up to 1 hour to prevent duplicate processing, then automatically deleted
  • We do not use your photos for any other purpose, including training machine learning models

6. Who We Share Your Data With

We share personal data only where necessary to provide our services or where required by law. We use the following categories of third-party processors:

Provider Purpose Data shared
Open Banking provider(s) Financial account connections Account authorisation tokens
Cloud hosting provider Secure data storage and processing All app data (encrypted)
Google Analytics Website usage analytics Anonymised usage data (with consent)
Microsoft Clarity Website behaviour analytics Session recordings, heatmaps (with consent)
Cloudflare Security (Turnstile bot protection) IP address, browser fingerprint

All third-party processors are bound by data processing agreements and are required to handle your data in accordance with UK data protection law.

7. International Data Transfers

Some of our third-party processors (such as Google and Microsoft) may process data outside the UK. Where this occurs, we ensure appropriate safeguards are in place, such as:

  • UK International Data Transfer Agreements (IDTAs)
  • Standard Contractual Clauses approved by the ICO
  • Transfers to countries with an adequacy decision from the UK government

8. How Long We Keep Your Data

Data type Retention period
Account information Until you delete your account, plus up to 30 days for backup removal
Financial data Until you disconnect the account or delete your Lunar account
Uploaded photos Automatically deleted after processing (typically within 1 hour)
Usage and analytics data Up to 26 months (Google Analytics default)
Support correspondence Up to 2 years after last contact
Waitlist sign-ups Until the product launches or you request removal

When data is no longer needed, it is securely deleted or anonymised so that it can no longer be linked to you.

9. Data Security

We take the security of your data seriously. Our measures include:

  • Encryption of data in transit (TLS) and at rest (AES-256)
  • Read-only access to financial accounts - we can never move your money
  • Secure authentication and access controls
  • Regular security reviews and monitoring
  • Principle of least privilege for internal access to systems

No system is completely secure. If we become aware of a data breach that is likely to affect your rights, we will notify you and the ICO within 72 hours as required by law.

10. Your Rights

Under UK data protection law, you have the following rights:

  • Right of access - request a copy of the personal data we hold about you
  • Right to rectification - ask us to correct inaccurate or incomplete data
  • Right to erasure - ask us to delete your data (also known as the "right to be forgotten")
  • Right to restrict processing - ask us to limit how we use your data
  • Right to data portability - receive your data in a structured, machine-readable format
  • Right to object - object to processing based on legitimate interest
  • Right to withdraw consent - where processing is based on consent, you can withdraw it at any time

To exercise any of these rights, email us at support@lunarportfolio.com. We will respond within one month.

You also have the right to delete your Lunar account and all associated data at any time through the app or via our account deletion page.

11. Cookies

We use cookies on our website to analyse traffic and improve your experience. We only set analytics cookies after you give consent via our cookie banner.

Provider Cookie Purpose Duration
Google Analytics _ga Distinguishes unique users 2 years
Google Analytics _gid Stores a unique value for each page visited 24 hours
Microsoft Clarity _clck Persists the Clarity User ID 1 year
Microsoft Clarity _clsk Connects page views into a session 1 day
Microsoft Clarity CLID Identifies first-time Clarity user 1 year

You can manage your cookie preferences at any time using the Cookie Preferences link in the footer.

12. Children's Privacy

Lunar is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us and we will delete it promptly.

13. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices or legal requirements. When we make significant changes, we will notify you through the app or by email. The "last updated" date at the top of this page indicates when this policy was last revised.

14. Complaints

If you are unhappy with how we have handled your data, we encourage you to contact us first at support@lunarportfolio.com so we can try to resolve your concern.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's data protection authority:

15. Contact Us

For any questions about this privacy policy or your personal data, contact us at: