CitizenReady AI Privacy Policy

Last updated: April 18, 2026 · Effective: April 18, 2026

1. Introduction

This Privacy Policy explains how LUQ LABS ("LUQ LABS," "we," "our," or "us") collects, uses, discloses, processes, and protects personal information in connection with the CitizenReady AI mobile application and related services (the "App"). It applies to all users globally and incorporates disclosures required by the EU and UK General Data Protection Regulation (GDPR/UK GDPR), the California Consumer Privacy Act as amended by the CPRA (collectively, "CCPA"), the India Digital Personal Data Protection Act, 2023 ("DPDP Act"), and the children's privacy laws of the U.S. (COPPA) and other jurisdictions.

Please read this Policy together with our Terms of Service and our AI Disclosure. Our App is distributed through the Apple App Store and Google Play; billing and store-related data are handled under Apple's and Google's respective privacy policies.

2. Who We Are (Data Controller)

For the purposes of GDPR, UK GDPR, and similar laws, LUQ LABS is the "data controller" of personal information processed through the App. You may contact us at:

• Email (privacy requests & general): customersupportbot@luqlabs.com
• Postal: Please contact us by email to request our current mailing address.

We are a small independent developer and have not appointed a Data Protection Officer. If you are located in the EEA or UK and require a representative under Article 27 GDPR, please contact us and we will provide updated details when applicable.

3. Information We Collect

3.1 Information You Provide Directly

• Account Information: Email address, hashed password, and account preferences.
• N-400 Practice Data: Information you voluntarily enter for naturalization interview practice, which may include name, date and place of birth, employment history, travel history, marital and family information, residence history, and other data mapped to the USCIS Form N-400. You choose what to enter; you may substitute sample or fictitious data at any time.
• Interview Responses: Text and, if you choose to enable voice input, audio of your responses during AI-powered mock interview sessions. Audio is transcribed and then processed as text; see §5 below.
• Subscription Information: Subscription status and transaction identifiers. Full payment card data is not received by us — all payments are processed by Apple (App Store) or Google (Google Play) under their own privacy terms.
• Communications: Messages, attachments, and metadata you send to our support team.

3.2 Information Collected Automatically

• Device Information: Device model, operating system and version, app version, language, and time zone.
• Usage Information: Features accessed, buttons tapped, session duration, and error/crash events.
• Approximate Location: Coarse, city-/country-level location derived from your IP address. We do not collect precise GPS location.
• Diagnostics: Crash reports, latency metrics, and stack traces used to diagnose defects.

3.3 Information We Do Not Collect

• We do not collect your Social Security number, A-Number, biometric templates, government-issued ID images, health, financial, sexual orientation, religious, or political data. Do not enter such data into the App; if you do, it is processed only as free-text N-400 practice data and will be deleted when you delete your session data.
• We do not access your Contacts, Photos, Microphone (except when you actively start voice input), Camera, or HealthKit.
• We do not use the Apple IDFA or engage in cross-app tracking, and we do not display the App Tracking Transparency (ATT) prompt because we do not track you as defined by Apple.

4. How We Use Your Information and Legal Bases (GDPR Art. 6)

For users in the EEA, UK, and Switzerland, we rely on the following legal bases. For users elsewhere, the same purposes apply under applicable local law.

• Provide and operate the App (account creation, authentication, saving progress): performance of a contract (Art. 6(1)(b)).
• AI-powered interview simulation and feedback: performance of a contract (Art. 6(1)(b)); where you enter sensitive free-text data, your explicit consent (Art. 9(2)(a)) by your voluntary choice to submit it.
• Customer support and service communications: performance of a contract (Art. 6(1)(b)) and legitimate interests in responding to users (Art. 6(1)(f)).
• Analytics, bug-fixing, and product improvement: legitimate interests in securing, improving, and measuring the App (Art. 6(1)(f)). You can object; see §12.
• Fraud prevention, abuse detection, and security: legitimate interests (Art. 6(1)(f)) and legal obligation (Art. 6(1)(c)).
• Compliance with law, legal process, and enforcement of our Terms: legal obligation (Art. 6(1)(c)) and legitimate interests (Art. 6(1)(f)).
• Marketing emails (only if you opt in): consent (Art. 6(1)(a)), revocable at any time.

5. AI Processing via Google Gemini API

5.1 How Data is Processed

• Transmission: When you run a mock interview, the text of your prompt and your response is transmitted over HTTPS/TLS to Google's Gemini API on the paid ("billing-enabled") tier.
• Processing: Google processes your input to generate AI-generated interview questions, feedback, and scoring.
• No training: Per Google's Gemini API Additional Terms of Service for paid usage, Google does not use your API inputs or outputs to train or improve Google's general AI models.
• Abuse logging: Google may retain API inputs and outputs for up to 55 days in a logically separated, access-restricted environment for policy-abuse detection and debugging. After that period, Google deletes those logs.
• Voice input (optional): If you enable voice input, audio is transcribed on your device or through a speech-to-text service and the resulting text is sent to Gemini. We do not use your voice to identify you and do not create a biometric voiceprint.

5.2 Automated Decision-Making (GDPR Art. 22)

AI-generated scores, feedback, and readiness assessments are practice aids only. They are not legally or similarly significant decisions about you, they do not affect your immigration status, and they are not used to decide eligibility for the App. AI output can be incorrect. If you nonetheless want a human review of any specific AI output, email customersupportbot@luqlabs.com and we will re-review the output manually.

5.3 Your Controls

• Use sample or fictitious data instead of your real information.
• Use Offline Study Mode to skip the AI interview and avoid any data going to Gemini.
• Delete your session data at any time from within the App.

6. Data Sharing and Third-Party Processors

6.1 Processors (we share, they act on our instructions)

• Google LLC — Gemini API: AI interview generation and feedback. See Google's Gemini API Terms and Privacy Policy.
• Supabase, Inc. (or equivalent cloud backend): Authentication, encrypted database, and file storage for your account and session data.
• Crash/Diagnostics Provider (e.g., Sentry): Crash reporting and error telemetry; personal identifiers are scrubbed where reasonably feasible.
• Apple Inc. / Google LLC: App distribution, subscription billing, and receipt validation under their own privacy terms.

6.2 We Do Not Sell or Share for Cross-Context Behavioral Advertising

We do not sell your personal information for money or other valuable consideration, and we do not "share" it for cross-context behavioral advertising as those terms are defined under the CCPA. We have not sold or shared personal information in the preceding twelve (12) months and we do not sell the personal information of minors under sixteen (16).

6.3 Legal, Safety, and Corporate Transfers

We may disclose personal information when we reasonably believe it is required to (a) comply with applicable law, court order, subpoena, or governmental request; (b) enforce our Terms of Service; (c) detect, prevent, or address fraud, security, or technical issues; or (d) protect the rights, property, or safety of LUQ LABS, our users, or the public. In the event of a merger, acquisition, reorganization, financing, or sale of assets, personal information may be transferred as part of that transaction; we will notify you as required by law.

7. International Data Transfers

We are based in the United States, and our processors operate in the United States and other countries. If you access the App from the EEA, the UK, Switzerland, India, or another jurisdiction with data-export restrictions, your personal information will be transferred to and processed in the United States and other countries whose data-protection laws may differ from those of your home jurisdiction.

For transfers from the EEA, UK, or Switzerland to the United States, we rely on one or more of the following safeguards:

• The EU–U.S. Data Privacy Framework, UK Extension, and Swiss–U.S. Data Privacy Framework, where a processor is certified;
• Standard Contractual Clauses approved by the European Commission (and the UK International Data Transfer Addendum) with processors that are not DPF-certified; and
• Supplementary technical and organizational measures, including encryption in transit and at rest.

A copy of the applicable safeguards is available on request by email.

8. Data Retention

Category	Retention
Account information	Until you delete your account, then purged within 30 days.
N-400 practice data & session history	Up to 30 days of session history; deletable anytime from within the App.
Real-time interview prompts/responses	Only during the active session, then discarded on our servers.
Google Gemini abuse logs	Up to 55 days, controlled by Google.
Crash reports & diagnostics	Up to 90 days.
Support correspondence	Up to 24 months after the matter is closed.
Billing & tax records	As required by applicable tax / accounting law (typically 7 years).

After the applicable period, we delete or irreversibly anonymize the data.

9. Data Security

We implement reasonable and appropriate technical and organizational measures to protect personal information, including:

• Encryption in transit: HTTPS/TLS for all network communication between the App and our backend and third-party APIs.
• Encryption at rest: Provider-managed encryption (e.g., AES-256) on our cloud backend databases and backups.
• Access controls: Role-based access, principle of least privilege, and logging of administrative access.
• Secure authentication: Hashed passwords and support for sign-in with Apple and Google where applicable.
• Periodic review: Regular review of dependencies, configurations, and access rights.

No system is 100% secure. We cannot guarantee absolute security and you use the App at your own risk.

10. Data Breach Notification

If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, as required by GDPR Article 33. Where the breach is likely to result in a high risk to affected individuals, we will also notify you without undue delay. For U.S. users, we will comply with applicable state breach-notification laws.

11. Your Privacy Rights

11.1 Rights Available to All Users

• Access & portability: Settings > Privacy > Download My Data, or email us.
• Correction: Settings > Account, or email us.
• Deletion: Settings > Privacy > Delete All Data, or email us. We honor Apple's App Store Guideline 5.1.1(v) right to account deletion.
• Opt-out of AI features: Use Offline Study Mode.

11.2 GDPR / UK GDPR Rights (EEA, UK, Switzerland)

• Right of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20), and objection (Art. 21).
• Right to withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing.
• Right not to be subject to solely automated decisions with legal or similarly significant effects (Art. 22). As noted in §5.2, we do not make such decisions.
• Right to lodge a complaint with your local supervisory authority (e.g., your national data-protection authority or the UK ICO).

11.3 California Rights (CCPA / CPRA)

California residents have the following rights:

• Right to know the categories and specific pieces of personal information collected, sources, purposes, and third parties with whom it is shared;
• Right to delete personal information;
• Right to correct inaccurate personal information;
• Right to opt out of sale or sharing (we do not sell or share, so there is nothing to opt out of);
• Right to limit use and disclosure of sensitive personal information (we do not use sensitive PI beyond what is necessary to provide the service);
• Right to non-discrimination for exercising privacy rights.

Categories of personal information collected in the last 12 months (per Cal. Civ. Code §1798.140): identifiers (email, device ID); customer records (account info); internet or other electronic network activity (usage data); geolocation data (coarse, from IP); audio information (if you choose voice input); inferences from usage; and limited commercial information (subscription status).

Purposes: to operate, secure, and improve the App; provide customer support; process subscriptions; and comply with law.

Sources: directly from you; automatically from your device; and from our service providers (e.g., Apple/Google).

We honor opt-out preference signals such as the Global Privacy Control (GPC) where technically applicable. You may also use an authorized agent to submit requests on your behalf; we will verify identity and authorization before responding. To exercise California rights, email customersupportbot@luqlabs.com.

11.4 India Rights (DPDP Act, 2023)

If you are a "Data Principal" in India, you have the right to access a summary of your personal data and of processing; to correct, complete, update, and erase your data; to grievance redressal; and to nominate another individual to exercise your rights in the event of death or incapacity. For the DPDP Act, LUQ LABS acts as the Data Fiduciary. Our Grievance Officer can be reached at customersupportbot@luqlabs.com with the subject line "DPDP Grievance." We will acknowledge within 72 hours and respond within the statutory period.

11.5 How to Exercise Your Rights

Email customersupportbot@luqlabs.com, use the in-app controls, or submit a request via our website. We will respond within the time required by applicable law (generally 30 days under GDPR; 45 days, extendable once, under CCPA). We may need to verify your identity before acting on your request. Exercising your rights is free of charge; we may decline or charge a reasonable fee for manifestly unfounded or excessive requests.

12. Opt-Out of Analytics / Direct Marketing

You may disable in-app analytics from Settings > Privacy > Analytics. Where we send marketing emails, you may opt out through the unsubscribe link in the email or by contacting us.

13. Children's Privacy

The App is intended for adult applicants preparing for the U.S. naturalization interview. It is not directed to children under 13 (or under 16 in the EEA/UK). We do not knowingly collect personal information from children. If you believe a child has provided personal information to us, contact us at customersupportbot@luqlabs.com and we will delete it promptly. Parents and legal guardians may request review, deletion, or cessation of further collection of a child's data under COPPA and similar laws.

14. Tracking, Cookies, and Do Not Track

The App itself does not use browser cookies. Our marketing website (luqlabs.com) uses only essential, first-party cookies/localStorage for basic functionality and does not use advertising or cross-site tracking technologies. Because we do not engage in tracking as defined by Apple's App Tracking Transparency framework, we do not display the ATT prompt. We do not currently respond to "Do Not Track" browser signals beyond honoring Global Privacy Control where required by law.

15. Legal Disclaimer

The App is an educational study tool and is not a substitute for legal advice. We are not a law firm, and use of the App does not create an attorney-client relationship. For legal advice about your immigration matter, please consult a licensed attorney or a DOJ-accredited representative.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you through the App and/or by email and update the "Last updated" date above. We will not reduce your rights under this Policy without your explicit consent.

17. Contact Us

For privacy questions, requests, or complaints:

• Email: customersupportbot@luqlabs.com
• DPDP Grievance Officer (India): customersupportbot@luqlabs.com (subject: "DPDP Grievance")