Privacy Policy

Account information

When you create an account, we collect your name, email address, and authentication credentials. This is handled through Clerk, our authentication provider. If you sign in with a third-party provider (such as Google), we receive basic profile information from that provider.

Business and campaign data

To generate marketing campaigns, you provide us with business information including your company name, industry, target audience, brand tone, platforms, and campaign goals. This data is stored in our database and used solely to generate and improve your campaign outputs.

Connected analytics and social accounts

If you connect external platforms (such as Google Analytics), we store OAuth tokens to access your analytics data on your behalf. These tokens are encrypted at rest and are never exposed to third parties. You can revoke access at any time from your Settings page.

Payment information

Subscription payments are processed by Stripe. We do not store your card number, CVV, or full billing details on our servers. We retain only a Stripe customer ID and the status of your subscription for billing and access control purposes.

Usage data

We collect standard usage information such as pages visited, features used, and session duration via Google Analytics. This data is aggregated and anonymized where possible.

We use the information we collect to:

• ✦Provide, operate, and improve the Lumaco platform
• ✦Generate AI-powered marketing campaigns and strategies tailored to your business
• ✦Process payments and manage your subscription
• ✦Send transactional emails such as receipts, account alerts, and campaign notifications
• ✦Respond to support requests and inquiries
• ✦Analyze usage patterns to improve features and performance
• ✦Comply with legal obligations

We do not use your business data or campaign outputs to train AI models without explicit consent.

Lumaco integrates with the following third-party services to deliver our platform. Each service has its own privacy policy and data practices:

• ✦Clerk — User authentication, session management, and identity verification
• ✦Supabase — Secure database storage and file storage with row-level security
• ✦Stripe — Payment processing and subscription management
• ✦Anthropic Claude API — AI-powered campaign and content generation
• ✦Google Analytics — Aggregated usage analytics (anonymized)
• ✦Cloudinary — Media asset storage and transformation for Reel Editor
• ✦Shotstack — Programmatic video rendering for Reel Editor outputs

We share only the minimum data required for each service to function. We do not sell your data to any third party, ever.

We take the security of your data seriously:

• ✦All data is encrypted in transit using TLS/HTTPS
• ✦Data at rest is encrypted using AES-256 via Supabase
• ✦Database access is governed by Row-Level Security (RLS) policies — users can only access their own data
• ✦OAuth tokens for connected accounts are stored encrypted and are never exposed in plain text or logs
• ✦Access to production systems is restricted to authorized team members only

No system is 100% secure. If you discover a security vulnerability, please report it to privacy@lumaco.ai immediately.

We retain your account data and campaign outputs for as long as your account is active. If you delete your account, we will delete your personal data and campaign history within 30 days, except where we are required by law to retain it.

Anonymized, aggregated usage analytics may be retained indefinitely as they cannot identify you.

Depending on your location, you may have the following rights regarding your data:

• ✦Access — Request a copy of the personal data we hold about you
• ✦Correction — Request corrections to inaccurate or incomplete data
• ✦Deletion — Request deletion of your account and associated data
• ✦Portability — Request your campaign outputs and business data in a machine-readable format
• ✦Objection — Object to certain uses of your data, such as analytics

To exercise any of these rights, email us at privacy@lumaco.ai. We will respond within 30 days.

Lumaco uses cookies and similar technologies to maintain your session, remember preferences, and collect anonymized usage analytics via Google Analytics. You can disable cookies in your browser settings, though this may affect functionality.

Lumaco is not directed to children under the age of 16. We do not knowingly collect personal information from children. If you believe a child has provided us with their information, please contact us at privacy@lumaco.ai and we will delete it promptly.

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice on the platform at least 14 days before the changes take effect. Continued use of Lumaco after changes take effect constitutes acceptance of the updated policy.

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: privacy@lumaco.ai