The NG8 Group LLC ("we," "us," "our") operates Lumafly (the "Service"), an AI-powered social media marketing platform. This Privacy Policy explains how we collect, use, disclose, store, and protect information about you when you use the Service available at lumafly.ai.
This policy applies to all users globally, including users in the United States (with specific rights for California residents under CCPA), the European Economic Area ("EEA"), and the United Kingdom. By using the Service, you acknowledge that you have read and understood this Privacy Policy.
If you have questions about this policy, contact us at legal@lumafly.ai.
2.1 Information you provide directly
Account registration:
- Full name
- Email address
- Password (stored in hashed, unreadable form — we cannot recover your password)
- OAuth provider data when registering via Google or Meta
Business profile:
- Business name and type
- Business description
- Phone number
- Full business address (street, city, state, zip code, country)
- Timezone
- Website URL
- Social media handles (Instagram, TikTok, Facebook)
- Business email address
- Business logo
- Business hours
Content and posts:
- Product photos and other images you upload
- Marketing captions and hashtags you write or approve
- Video content you upload or that is generated on your behalf
- Content scheduling preferences and publishing dates
POS integration (optional):
- Square POS product catalog data
- Square business location data
- Square POS connection credentials
2.2 Information we collect automatically
Social media account data (when you connect accounts):
- Platform user ID and username from Meta (Instagram/Facebook) and TikTok
- OAuth access tokens and refresh tokens (stored in encrypted form)
- Token expiration dates
- Page IDs and Instagram Business Account IDs
- Connected account metadata
Post analytics data (retrieved from social platforms):
- Impressions, reach, likes, comments, shares, saves
- Video views
- Engagement metrics per post
- Data retrieval timestamps
Technical and usage data:
- IP address (used for security and logging purposes)
- Browser type and version
- Device type and operating system
- Pages accessed and features used
- Timestamps of actions
- Error logs and diagnostic data
- Correlation/request IDs for audit logging
Generation and job data:
- AI generation job status and progress
- Source images used for generation
- Product names and templates selected
- AI provider used (recorded as a category, not shared back to you)
- Output video and image file locations
- Error messages when generation fails
2.3 Information stored in your browser
We store certain information in your browser's local storage (not cookies) to preserve your preferences between sessions:
- Onboarding completion status
- Business name and business type
- Selected social media platforms
- Business profile data
- Imported menu items (if applicable)
- POS connection details
- Profile setup method
- Self-reported social media experience level
This data is stored only on your device and is not transmitted to our servers independently of your normal use of the Service.
We use the information we collect for the following purposes:
| Purpose | Legal basis (where applicable) |
|---|---|
| Provide, operate, and maintain the Service | Performance of contract / Legitimate interests |
| Create and manage your account | Performance of contract |
| Generate AI marketing content using your product photos | Performance of contract / Consent |
| Schedule and publish content to Social Platforms on your behalf | Performance of contract |
| Retrieve analytics from Social Platforms to display in the Service | Performance of contract |
| Communicate with you about your account and the Service | Performance of contract / Legitimate interests |
| Respond to support inquiries | Legitimate interests |
| Detect, prevent, and investigate fraud, security, or abuse | Legitimate interests / Legal obligation |
| Comply with legal obligations | Legal obligation |
| Improve and develop the Service | Legitimate interests |
| Enforce our Terms and Conditions | Legitimate interests / Legal obligation |
We do not use your personal information for advertising profiling, sell your data to third parties, or use your information for purposes unrelated to providing the Service.
5.1 Storage locations
Your data is stored across the following systems:
- Primary database: Google Cloud SQL (PostgreSQL), hosted in the United States
- Media files and generated assets: Google Cloud Storage, hosted in the United States
- Rendered video files: AWS S3 (via Remotion Lambda), hosted in the United States
- Real-time caching: Redis (in-memory only, used for WebSocket session management)
5.2 Security measures
We implement reasonable technical and organizational measures to protect your information, including:
- Encrypted HTTPS connections for all data in transit
- HTTP-only, secure, and SameSite session cookies
- Hashed passwords (your password is never stored in readable form)
- Encrypted storage of social media access tokens
- CORS restrictions limiting API access to authorized origins
- Role-based access controls for internal systems
- Structured audit logging for security events
No method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.
5.3 Breach notification
In the event of a data breach that affects your personal information, we will notify affected users and relevant authorities as required by applicable law.
We retain your personal information for as long as your account is active or as needed to provide the Service.
[BEFORE LAUNCH ALERT] Define specific retention periods before launch. Suggested defaults:
- Account data: Retained for the duration of your account + [X] days after deletion
- Generated content and media files: Retained for the duration of your account + [X] days after deletion
- Post analytics data: Retained for [X] months
- Logs and diagnostic data: Retained for [X] months
- Backup copies: Purged within [X] days
Upon account deletion, we will delete or anonymize your personal information within a commercially reasonable time frame, except where retention is required by law or legitimate business need (e.g., fraud prevention, legal disputes).
8.1 Rights for all users
Regardless of your location, you have the right to:
- Access the personal information we hold about you
- Correct inaccurate or incomplete information through your account settings
- Delete your account and personal information by contacting legal@lumafly.ai
- Withdraw consent for any processing based on your consent (note: withdrawal may affect your ability to use certain features)
- Object to certain uses of your information
8.2 Rights for EEA and UK users (GDPR/UK GDPR)
If you are located in the European Economic Area or the United Kingdom, you have additional rights under the GDPR or UK GDPR:
- Right of Access (Article 15): Request a copy of the personal data we hold about you
- Right to Rectification (Article 16): Request correction of inaccurate data
- Right to Erasure ("Right to Be Forgotten") (Article 17): Request deletion of your personal data
- Right to Restriction of Processing (Article 18): Request that we limit how we process your data
- Right to Data Portability (Article 20): Receive your personal data in a structured, machine-readable format
- Right to Object (Article 21): Object to processing based on legitimate interests
- Rights Related to Automated Decision-Making (Article 22): Rights regarding decisions made solely by automated means
Legal basis for processing: Where required, we process your data on the following legal bases: performance of contract (providing the Service), legitimate interests (security, fraud prevention, service improvement), compliance with legal obligations, and consent (where specifically requested).
International transfers: [BEFORE LAUNCH ALERT] If you serve EEA/UK users, you must establish a lawful transfer mechanism (e.g., Standard Contractual Clauses) for transferring data outside the EEA/UK (to your US-based infrastructure). Consult a GDPR-qualified attorney before going live with European users.
EU/UK representative: [BEFORE LAUNCH ALERT] If you have no establishment in the EEA, you may need to appoint an EU representative under GDPR Article 27. Consult legal counsel.
To exercise your GDPR/UK GDPR rights, contact us at legal@lumafly.ai. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.
8.3 Rights for California residents (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you the following rights:
- Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the purposes for collection, and the categories of third parties with whom we share it.
- Right to Delete: Request deletion of personal information we have collected about you, subject to certain exceptions.
- Right to Correct: Request correction of inaccurate personal information.
- Right to Opt-Out of Sale/Sharing: We do not sell or share your personal information for cross-context behavioral advertising.
- Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information beyond what is necessary to provide the Service.
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.
Categories of personal information collected (CCPA):
| Category | Collected | Purpose |
|---|---|---|
| Identifiers (name, email, IP) | Yes | Account management, security |
| Commercial information | Yes (subscription status) | Service provision |
| Internet activity | Yes (usage logs) | Security, debugging |
| Geolocation (business address) | Yes | Business profile |
| Professional information | Yes (business profile) | Content generation |
| Audio/visual (product photos) | Yes | AI content generation |
| Inferences | No | — |
To exercise your CCPA/CPRA rights, contact us at legal@lumafly.ai with the subject line "California Privacy Rights Request."
The Service is not directed to children under 13 years of age. We do not knowingly collect personal information from children under 13. If we learn that we have inadvertently collected information from a child under 13, we will promptly delete it. Users between 13 and 18 years of age must use the Service with parental or guardian consent.
If you are a parent or guardian and believe your child has provided personal information to us, please contact us at legal@lumafly.ai.
The Service may link to or integrate with third-party services (Social Platforms, Square, OAuth providers). This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party services you connect.
We may update this Privacy Policy from time to time. We will notify you of material changes by updating the "Last Updated" date at the top of this page and, where reasonably practicable, by sending notice to your registered email address. Your continued use of the Service after the effective date of changes constitutes acceptance of the revised policy.
For privacy-related questions, data access requests, or to exercise any of your rights:
The NG8 Group LLC (Lumafly)
Attn: Privacy
2108 N ST, STE N
Sacramento, CA 95816
Email: legal@lumafly.ai
Website: lumafly.ai
We will respond to all verified requests within 30 days, or within the timeframe required by applicable law.
Questions?
Drop us a line at hello@lumafly.com and a real human will get back to you.