Privacy Policy
Last updated: 2026-05-04. This is a v1 draft pending review by counsel before launch.
This policy describes the personal data Loni collects, why we collect it, who we share it with, how long we keep it, and the rights you have. Loni SAS (Côte d'Ivoire) is the data controller. You can reach us at privacy@helloloni.com.
1. What we collect
We collect only what we need to operate the service.
1.1 Account and identity
- Name (display name, first/last where provided), email, phone number, profile photo, bio, preferred language (fr / en / es).
- Verification status: whether your email and phone are confirmed.
- Account status: pending verification, active, suspended, or pending deletion.
- Two-step authentication state and the SHA-256 hashes of your six recovery codes (we never store the recovery codes themselves).
- For password sign-up, an Argon2id hash of your password (the password itself is never stored).
- For OAuth sign-up (Google, Apple), the provider name and the provider-issued user identifier.
- Referral code generated for your account.
1.2 Sessions and devices
- Device records: the client-generated device identifier, label (e.g., "iPhone 15 Pro"), platform, app version, and the push-notification token (FCM for Android, APNS for iOS) so we can deliver push messages.
- Session records: IP address, user agent, expiration timestamp, revocation timestamp.
- Refresh tokens (rotated on every use, with a 10-second grace window for double-fire tolerance).
- Access tokens are short-lived (15 minutes) and not stored.
- Two-step authentication secret: encrypted at rest with AES-256-GCM using a server-side key (MFA_ENCRYPTION_KEY). Only the encrypted form is stored; it is decrypted in memory only when you authenticate.
1.3 Order, ledger, and invoice data
- Items purchased, quantities, format (digital / paperback / hardcover).
- Delivery address for printed books: recipient name, street, city, region, postal code, country code, and phone number.
- Payment-method last four digits (for cards via Stripe) or a masked Mobile Money number (for PawaPay), plus the provider's transaction reference. We do not store full card numbers or full Mobile Money credentials.
- Wallet balance and per-transaction history (refunds to wallet, gift-card redemptions).
- Ledger entries with amounts in BigInt-precise XOF, in a tamper-evident hash chain.
- HTML invoices stored in private storage and signed with HMAC-SHA256.
1.4 Reading and library data
- Your library entries (denormalized: which books, which formats, source = purchase / subscription / gift / manual grant, last access time).
- Active reading sessions (one per book, per format, per user) with 120-second heartbeats while reading.
- Bookmarks, highlights, notes, and reading-progress positions, synced across your devices so you can resume on another device.
- Offline reading bundles you have downloaded.
- Annotation exports you have requested (CSV / JSON / Markdown).
1.5 Communications and reviews
- Messages you send to support (these create a support ticket).
- Reviews and ratings you publish (1–5 stars + text), with helpfulness votes.
- Notification preferences per channel (email, SMS, WhatsApp, push) and quiet-hours window.
- Reports you file on reviews or other content.
1.6 Technical telemetry
- Server-side request logs and structured event logs through pino, shipped to Grafana Loki for short-term debugging and security analysis. Logs do not persist third-party cookies in your browser.
- An audit log of state-changing actions (your own and platform-wide) — see retention below.
- A forensic watermark bound to each license: HMAC-SHA256 over (userId : bookId : format : issuedAt), stored in license metadata only. It is never embedded in the content and is consulted only by administrators investigating a leak; each such access is recorded in the audit log.
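As an added illustration (not Loni's own code), the snippet below shows how a license watermark of this shape can be issued, verified in constant time, and matched against license records during a leak investigation, with the lookup appended to an audit log. The key value, hex encoding, epoch-second issuedAt, and record field names are assumptions made for the example.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample key; a real deployment would load it from a secrets manager.
WATERMARK_KEY = b"constructed-example-key-not-a-real-secret"
SEP = ":"


def watermark(user_id: str, book_id: str, fmt: str, issued_at: str,
              key: bytes = WATERMARK_KEY) -> str:
    """HMAC-SHA256 over userId:bookId:format:issuedAt, hex-encoded.

    Field order and the ':' separator follow the policy text; hex encoding is
    an assumption. issuedAt is given as Unix seconds so it never contains ':'.
    """
    fields = (user_id, book_id, fmt, issued_at)
    # Reject the separator inside fields: otherwise two different licenses
    # could serialise to the same message and share a watermark.
    if any(SEP in f for f in fields):
        raise ValueError("license fields must not contain ':'")
    message = SEP.join(fields).encode("utf-8")
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_watermark(tag: str, user_id: str, book_id: str, fmt: str,
                     issued_at: str, key: bytes = WATERMARK_KEY) -> bool:
    """Constant-time comparison so the check does not leak tag bytes via timing."""
    expected = watermark(user_id, book_id, fmt, issued_at, key)
    return hmac.compare_digest(expected, tag)


def attribute_leak(leaked_tag: str, licenses: list, admin_id: str,
                   audit_log: list, key: bytes = WATERMARK_KEY) -> Optional[dict]:
    """Find the license a recovered watermark was issued to; log the lookup either way."""
    match = None
    for lic in licenses:
        if verify_watermark(leaked_tag, lic["userId"], lic["bookId"],
                            lic["format"], lic["issuedAt"], key):
            match = lic
            break
    audit_log.append({"action": "watermark.lookup", "actor": admin_id,
                      "tag": leaked_tag,
                      "matched_user": match["userId"] if match else None})
    return match


# Constructed sample license records (not real identifiers).
SAMPLE_LICENSES = [
    {"userId": "u-1001", "bookId": "b-42", "format": "digital", "issuedAt": "1775037600"},
    {"userId": "u-1002", "bookId": "b-42", "format": "digital", "issuedAt": "1775037900"},
]
for lic in SAMPLE_LICENSES:
    lic["watermark"] = watermark(lic["userId"], lic["bookId"], lic["format"], lic["issuedAt"])
```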
1.7 What we do not collect
- We do not collect biometric data.
- We do not track precise geolocation; only the country derived from your IP address may be used for routing.
- We do not collect health, religious, political, or other sensitive special-category data.
- We do not run third-party advertising trackers or social-media pixels.
2. Why we collect it
2.1 Provide the service
- Register your account, sign you in, and keep your credentials safe.
- Sync your library and reading state across devices so you can pick up where you left off.
- Process your purchases and refunds, and deliver printed books to the address you provide.
- Issue, deliver, and revoke the digital licenses that allow you to read in the Loni mobile app.
2.2 Secure the platform
- Detect and limit abuse (sign-in throttling, fraud flags such as orders above 150,000 XOF, five or more paid orders per hour, refund rates above 30%, or five or more 5-star reviews in seven days). These flags trigger human review; they do not automatically block your account.
- Protect content via the digital rights management system, including the forensic watermark in license metadata.
- Comply with legal obligations and respond to lawful requests.
2.3 Communicate with you
- Transactional messages (always sent): order updates, refund decisions, account-security alerts, password resets, two-step codes, account-deletion confirmations. These are essential to the service and you cannot opt out while using your account.
- Marketing messages (opt-in only): announcements, promotions, recommendations. You can withdraw consent at any time from your notification preferences.
- We deliver messages through email (SendGrid), SMS (Twilio), WhatsApp (Twilio Business), and push (FCM and APNS).
- A bounce or complaint webhook from SendGrid moves your address into a 30-day suppression list, so we stop sending email until the issue is resolved. Critical templates (one-time codes, password reset, two-step authentication, account deletion) bypass the suppression list because they are needed to keep your account safe.
2.4 Improve the product
- Aggregate analytics to understand which features are used and where errors occur. We use server-side logs only — no third-party analytics in v1.
3. Who we share it with
We never sell your personal data. We share with these categories of providers, only to the extent required:
| Recipient | What they receive | Purpose |
| --- | --- | --- |
| PawaPay | Mobile Money number (E.164 format) | Process Mobile Money transactions; webhooks signed per RFC-9421 |
| Stripe | Tokenized card data, customer reference | Process card payments and Stripe-side subscriptions |
| SendGrid | Email address | Deliver email; receive bounce / complaint events |
| Twilio | Phone number | Deliver SMS and WhatsApp messages |
| FCM (Google) / APNS (Apple) | Per-device push token | Deliver push notifications to your phone |
| Print partners | Recipient name and shipping address | Print and ship physical books to you |
| Hosting and managed databases | Encrypted server-side storage | Run the platform; subject to written processing agreements |
| Legal authorities | Limited disclosures | Comply with court orders or applicable law |
Print partners receive only name and shipping address. They never receive your payment information.
4. Where your data is stored
Loni runs from a managed cloud infrastructure (DigitalOcean droplet plus managed Postgres and Redis). Files (book content, covers, samples, invoices, exports, proofs of delivery) are stored in a single private S3-compatible bucket on MinIO, replicated continuously to a managed S3 endpoint with daily snapshots. All public access goes through short-lived signed URLs; nothing in our storage is publicly browsable.
5. How long we keep it
| Category | Retention |
| --- | --- |
| Account profile and settings | While your account is active |
| Refresh tokens, sessions | Up to 14 days rolling, 90-day absolute maximum, or until revoked |
| Reading state (library, bookmarks, highlights, notes, sessions) | Until you remove the book or delete your account |
| Order, ledger, and invoice records | Up to ten years (accounting and tax obligations), even after account deletion |
| Audit log entries | Indefinite; append-only and tamper-evident; required for security and compliance |
| Server-side telemetry logs | Short-term (typically 30–90 days) |
| Email / SMS suppression entries | 30 days from the last bounce / complaint |
| GDPR data exports | 7 days from the moment your signed download URL is issued |
| Marketing consent state | Until you withdraw consent |
When you delete your account, we anonymize or delete your personal data within 30 days. Some records (orders, ledger, audit log, your published book metadata if you are a creator, your reviews under "Deleted User") are retained as required for accounting, tax, security, and the rights of other users.
6. Your rights
You have the right to:
- Access — request a copy of the personal data we hold about you. You can trigger a self-service export from your account; we deliver a JSON archive via a signed download link with a 7-day TTL. Limit: one export request per 24 hours.
- Correct — update inaccurate or outdated data directly in your account settings.
- Delete — request deletion of your account. From inside the app: account settings → Delete account. If you can no longer sign in: use the public Delete my account page; we email you a confirmation link. After confirmation, deletion is scheduled in 30 days; during that grace period you can cancel by signing in.
- Object or restrict — for processing based on our legitimate interest (for example, marketing).
- Withdraw consent — for any processing that relies on your consent, including marketing emails.
- Lodge a complaint — with a competent data-protection authority.
We respond within one month. If we refuse a request we tell you why and how to challenge that decision.
7. Cookies and similar storage
Our Cookie Policy lists the cookies we set, what they do, and how to refuse the non-essential ones.
8. Children
You must be at least 13 years old to create an account. Some books carry an age rating (ALL_AGES, TEEN, MATURE, ADULT) — please respect them. We do not knowingly collect data from users under 13. If you believe we have, contact us and we will delete the account.
9. Changes to this policy
We may update this policy. Material changes are announced by email and on the site at least 14 days before they take effect.
10. Contact
For privacy questions or to exercise a right: privacy@helloloni.com, or via the Contact page.