Lumo Push Auth — Privacy Policy

Effective: April 20, 2026

Lumo Push Auth (“the app“) is a passwordless authenticator published by LumoAuth. This policy describes exactly what the app does and does not do with your data. It mirrors the in-app policy shipped inside the app itself, so you can read the same text before installing.

For the broader LumoAuth identity service (web dashboards, APIs, SDKs), see our main Privacy Policy.

Why this app uses the camera

Lumo Push Auth uses the camera only to scan enrollment QR codes on-device. No photos or camera frames are stored, uploaded, or shared.

1. Who this policy applies to

Lumo Push Auth is a passwordless authenticator published by LumoAuth. This policy explains what information the app handles on your device, what leaves your device, and what does not. It applies worldwide, including to users in the United States, the European Economic Area, the United Kingdom, and other regions.

2. The short version

  • The app does not sell your personal data. Ever.
  • The app does not run advertising SDKs or third-party analytics.
  • The camera is used only to scan enrollment QR codes. Images are never stored, uploaded, or shared.
  • Your authenticator secrets stay in your device’s secure storage (Android Keystore / iOS Keychain) and are never transmitted.
  • The only data sent off the device is what is strictly required to deliver push-based sign-in approvals to the organization that issued your account.

3. Camera permission (android.permission.CAMERA)

The app requests the camera permission for one reason only: to scan the QR code that your identity provider or IT administrator displays during account enrollment, or when you add a TOTP code.

What the camera is used for

  • Decoding the QR code in real time on-device using the bundled barcode scanner.
  • Extracting the enrollment token or TOTP secret embedded in that QR code so it can be stored securely on your device.

What the camera is never used for

  • Taking, saving, or exporting photos or videos.
  • Recording audio — the app does not request microphone access.
  • Uploading images or camera frames to any server, including ours.
  • Recognizing faces, people, objects, locations, or text other than the QR payload.
  • Background capture — the camera preview runs only while the scanner screen is on screen, and stops the moment you leave it.

You can deny or revoke this permission at any time in your device settings. If you do, you can still enroll accounts by pasting the activation code manually.

4. Information stored on your device

The app stores the following locally, in encrypted secure storage provided by the operating system:

  • Account metadata you enrolled (issuer name, account label, tenant, icon color).
  • Cryptographic key material used to sign authentication responses.
  • TOTP secrets for any time-based one-time-password accounts you added.
  • A device identifier and push-notification token used to deliver sign-in prompts.
  • An optional local history of approvals and denials you have made on this device.
  • App preferences such as biometric-unlock on/off.

This data is bound to your device. Uninstalling the app removes it. It is never synchronized to a Lumo-operated account, because the app does not have user accounts of its own.

5. Information sent off your device

The app communicates only with the authentication server of the organization that issued your account (for example, your employer’s identity provider). The transmitted payload is limited to:

  • A cryptographic signature proving that a sign-in request was approved on this device.
  • Your push-notification token, so sign-in prompts can reach you.
  • The approval or denial decision you made, and the timestamp.
  • Minimal technical context about the request (for example, the request ID and, where the issuer provides it, risk signals supplied by the issuer itself).

No camera imagery, contacts, location, photos, files, SMS, call logs, microphone audio, or browsing data are transmitted.

6. Push notifications

Push notifications are delivered through Apple Push Notification service (APNs) on iOS and Firebase Cloud Messaging (FCM) on Android. The notification payload contains only the minimum needed to present a sign-in prompt (for example: the issuer name and a request identifier). Secrets and biometric data are never included.

7. Biometric authentication

If you enable “Biometric App Lock,” biometric matching is performed entirely by the operating system (Face ID, Touch ID, or Android BiometricPrompt). The app only receives a yes/no signal from the OS. Your fingerprint, face geometry, or other biometric templates are never read, stored, or transmitted by the app.

8. Analytics, advertising, and tracking

The app contains no advertising SDKs, no behavioral analytics, no cross-app tracking, and no third-party tags. Crash diagnostics, if ever enabled in a future release, will be disclosed here and will be opt-in.

9. Children

The app is intended for use by employees, contractors, and end users of organizations that have deployed LumoAuth. It is not directed to children under 13 (or under the relevant age of digital consent in your jurisdiction), and we do not knowingly collect personal information from them.

10. Your rights (GDPR / UK GDPR / CCPA and similar)

Because the app does not collect identifiable information on our servers, most rights (access, rectification, erasure, portability, objection, non-discrimination for exercising CCPA rights) are exercised directly on your device: uninstalling the app, or removing an enrolled account from within the app, removes the associated data.

If you need to exercise rights against data held by the organization that issued your account (your employer or identity provider), please contact them directly — they are the data controller for that information.

For rights against LumoAuth itself as the provider of the broader identity service, see our main Privacy Policy.

11. International use

The app is available to users in the United States, the European Economic Area, the United Kingdom, Canada, Australia, and other regions. Because authentication traffic is routed to the server operated by the organization that issued your account, any cross-border transfer is governed by that organization’s agreements and safeguards, not by us.

12. Security

Secrets are stored using the platform secure enclave (Android Keystore, iOS Keychain with Secure Enclave where available). Network traffic uses TLS. No security control is perfect, but the app is designed so that a compromise of our servers cannot expose your authenticator secrets, because we do not hold them.

13. Changes to this policy

If this policy changes materially, the updated version will be shipped in a new release of the app and published at the same URL referenced by the Google Play and Apple App Store listings. The “Effective” date at the top reflects the most recent update.

14. Contact

Questions about this policy can be sent to privacy@lumoauth.dev.

LumoAuth LLC
600 California Street, 11th Floor
San Francisco, CA 94108