Privacy Policy

Last updated: June 2, 2026

1. Who We Are

Luca Flow is a creative studio operated by Dr. Mohamed Khaled Eid, based in Egypt. This policy explains how we collect, use, and protect your personal data when you use our website (lucaflow.com) and services.

2. What Data We Collect

Information you provide

  • Name and email address (via contact forms, intake forms, or direct communication)
  • Project details and business information you share during engagement
  • WhatsApp number (if you contact us via WhatsApp)

Payment information

Card payments on this website are processed by PayPal. We do not collect or store card numbers - PayPal's hosted checkout overlay handles all card data on its own infrastructure. When you complete a purchase, PayPal shares your name and email address with us as part of the order record so we can deliver what you ordered and email your receipt.

For custom engagements that fall outside the website checkout (bank transfer, invoice, etc.), payment instructions are issued directly to the client and we do not collect card data through any other channel.

PayPal's handling of your payment data is governed by their own privacy policy at paypal.com/myaccount/privacy/privacyhub.

Automatically collected data

  • Page views, clicks, and navigation patterns (via PostHog analytics)
  • Device type, browser, and approximate location
  • Performance metrics (via Vercel Speed Insights)
  • Ad-measurement events and, when you submit a form, a securely hashed version of your email or phone number (via the Meta Pixel) so we can measure and improve our advertising

3. How We Use Your Data

  • To deliver the services you purchased or requested
  • To communicate about your project (updates, questions, deliveries)
  • To improve our website and services based on usage patterns
  • To send relevant updates about Luca Flow (only if you opted in)

We do not sell your data to third parties. Ever.

4. Third-Party Services

We use the following third-party services that may process your data:

  • PayPal - card payment processing for purchases made through the website checkout
  • PostHog - website analytics (privacy-focused, self-hostable)
  • Vercel - website hosting and performance monitoring
  • Meta (Facebook) Pixel - advertising measurement and retargeting. With Advanced Matching enabled, form data such as your email or phone number is hashed (SHA-256) in your browser before it is sent, so Meta receives only an irreversible token, never the raw value

Each service has its own privacy policy. We only share the minimum data necessary for each service to function.

5. Data Retention

We keep your project data and communication history for as long as our business relationship is active, plus a reasonable period afterward (typically 24 months) for reference and support purposes. Analytics data is retained according to PostHog's default retention settings.

You can request deletion of your data at any time (see Section 6).

6. Your Rights

You have the right to:

  • Access - request a copy of the personal data we hold about you
  • Correction - ask us to update or correct inaccurate data
  • Deletion - ask us to delete your personal data
  • Portability - receive your data in a structured, commonly used format

To exercise any of these rights, email us at info@lucaflow.com. We will respond within 30 days.

7. Cookies & Tracking

Our website uses cookies and similar technologies for analytics (PostHog), essential site functionality, and advertising measurement. We use the Meta (Facebook) Pixel to understand how our ads perform and to show relevant content to people who have visited the site. You can opt out of interest-based ads through your Meta ad preferences and your device or browser settings. We never sell your data.

8. Changes to This Policy

We may update this privacy policy from time to time. Changes take effect when posted on this page. We will not materially reduce your rights under this policy without giving you notice.

9. Echo OS - Connected Social Platforms

Echo OS is the internal application Luca Flow uses to schedule and publish content across the social platforms our clients and brand portfolio operate on. When a brand owner authorizes Echo OS to act on their account, Echo OS accesses the platform via the platform's official APIs (TikTok Content Posting API, Meta Graph API, X API, LinkedIn API, YouTube Data API).

What Echo OS accesses

For each authorized account, Echo OS may access:

  • Permission to upload and publish videos, images, and text posts
  • Basic profile information (display name, username, avatar) for verification
  • OAuth access and refresh tokens issued by the platform to authorize the above

What Echo OS does NOT access

  • Direct messages or private conversations
  • Follower lists or relationship graphs
  • Analytics beyond the published posts Echo OS itself created
  • Payment, billing, or financial information held by the platform

Storage and security

OAuth tokens are stored on Luca Flow's controlled infrastructure with restricted access. Tokens are used solely to fulfill scheduled posting tasks the brand owner has approved. Echo OS does not share any platform-derived data with third parties.

Revoking Echo OS access

You may revoke Echo OS's access at any time by:

  • Removing the connection in your TikTok / Meta / X / LinkedIn / YouTube app settings under "Connected apps" or "Authorized apps"
  • Emailing info@lucaflow.com - we will delete stored tokens and credentials within 7 days

TikTok-specific disclosure

Echo OS uses the TikTok Content Posting API to publish videos to authorized TikTok creator accounts. TikTok user data accessed via Echo OS is processed in accordance with TikTok's Terms of Service and TikTok API Platform Terms. Echo OS does not retain TikTok-derived content beyond what is required to complete the authorized publishing task.

10. Contact

For privacy-related questions or requests, contact us at info@lucaflow.com.