Privacy Policy
This Privacy Policy is issued in compliance with Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (UAE PDPL) and its Executive Regulations. It describes how Luxorae collects, uses, discloses, retains, and protects the personal data of its customers and users.
1. Who We Are
Luxorae ("Luxorae", "we", "our", or "us") is a technology company incorporated and operating in Dubai, United Arab Emirates. We provide an AI-powered social media management platform ("the Platform") that helps UAE businesses — including retail stores, salons, gyms, and automobile dealerships — create, schedule, and publish content across Instagram and Facebook.
Luxorae acts as the Data Controller for personal data collected through our Platform and website located at luxorae.ae.
Data Controller contact:
Luxorae
Dubai, United Arab Emirates
Email: support@luxorae.ae
2. Scope of This Policy
This Privacy Policy applies to:
- Business owners and authorized users who register for a Luxorae account ("Users");
- Visitors to our website at luxorae.ae;
- Any person whose personal data is processed in connection with our services.
This Policy does not apply to third-party websites or services linked from our Platform. We encourage you to review the privacy policies of those services independently.
3. Personal Data We Collect
We collect the following categories of personal data:
3.1 Account and Identity Data
- Full name
- Business email address
- Password (stored as a cryptographic hash; we never store plaintext passwords)
- Business name, industry type, and location
- Phone number (if voluntarily provided)
- Profile photograph (if uploaded)
3.2 Social Media Integration Data
When you connect your Instagram and/or Facebook accounts to the Platform, we collect and store:
- Meta / Facebook OAuth access tokens and refresh tokens
- Instagram Business Account ID and username
- Facebook Page ID and Page name
- Instagram follower count, post counts, and engagement metrics (retrieved via the Instagram Graph API)
- Records of posts, reels, and stories published through our Platform on your behalf
3.3 Subscription and Payment Data
- Subscription plan details and billing cycle
- Payment confirmation references (we do not store full card numbers; payment processing is handled by our payment provider)
- Invoice history
3.4 Content Data
- Captions, images, videos, and other content you upload or that our AI generates on your behalf
- Content prompts and preferences you configure
- Scheduled and published post history
3.5 Technical and Usage Data
- IP address
- Browser type, version, and language
- Operating system and device type
- Pages visited within the Platform, timestamps, and session duration
- API request logs
- Error and crash reports
3.6 Communications Data
- Messages sent to our support team via email or in-app channels
- Feedback and survey responses
3.7 Data We Do Not Collect
We do not collect sensitive personal data as defined under UAE PDPL (such as health, biometric, racial, or religious data) unless you voluntarily include such information in content you upload. We do not purchase or obtain personal data from data brokers.
4. How We Use Your Personal Data
| Purpose | Data Categories Used |
|---|---|
| Create and manage your account | Account & Identity Data |
| Authenticate your identity and maintain session security | Account Data, Technical Data |
| Connect to your Instagram and Facebook accounts and publish content on your behalf | Social Media Integration Data, Content Data |
| Generate AI-powered captions, posts, and reels using your business context | Account Data, Content Data |
| Deliver analytics and insights on your social media performance | Social Media Integration Data, Usage Data |
| Process subscription payments and manage billing | Account Data, Payment Data |
| Send transactional emails (account confirmations, billing receipts, service alerts) | Account Data |
| Provide customer support | Account Data, Communications Data |
| Improve and develop the Platform (aggregated, anonymised analysis) | Technical & Usage Data |
| Ensure platform security, detect fraud, and prevent abuse | All categories |
| Comply with legal obligations under UAE law | All categories as required |
We do not sell your personal data to third parties. We do not use your data for cross-context behavioural advertising by third parties.
5. Legal Basis for Processing
Under the UAE PDPL, we process your personal data on the following bases:
- Performance of a contract: Processing necessary to provide the services you subscribe to (account management, social media publishing, AI content generation, billing).
- Legitimate interests: Platform security, fraud prevention, aggregated product analytics, and improvement of our services — provided these interests are not overridden by your privacy rights.
- Legal obligation: Compliance with applicable UAE laws, court orders, or regulatory requirements.
- Consent: Where we rely on consent (e.g., optional marketing communications), you may withdraw it at any time without affecting the lawfulness of prior processing.
6. Third-Party Services and Data Sharing
We engage carefully selected third-party service providers ("processors") to operate our Platform. Each processor handles personal data only on our documented instructions and is bound by data processing agreements. The key processors are:
| Service Provider | Purpose | Data Shared |
|---|---|---|
| Meta Platforms, Inc. (Instagram Graph API, Facebook API) | Publishing posts, reels, and stories to Instagram/Facebook on your behalf; retrieving account analytics | OAuth tokens, content, scheduling instructions |
| OpenAI, LLC | AI-powered caption and content generation | Business context, content prompts (no names or contact details sent unless included in your prompt) |
| Anthropic, PBC | AI-powered content generation (Claude models) | Business context, content prompts |
| Amazon Web Services (AWS) | Cloud infrastructure hosting, file storage (S3), database hosting | All data stored on the Platform is hosted on AWS infrastructure in the AWS Middle East (UAE) or EU regions |
| Payment processor | Subscription billing and payment collection | Name, email, billing amount; card data handled directly by the processor under PCI-DSS compliance |
| Transactional email provider | Delivery of system and notification emails | Email address, email content |
6.1 Other Disclosures
We may disclose personal data:
- With your consent — when you explicitly authorise a specific disclosure;
- To comply with law — in response to a valid legal process from UAE authorities or courts;
- To protect rights — to enforce our Terms of Service or protect the safety of users or the public;
- In a business transfer — if Luxorae is involved in a merger, acquisition, or asset sale, you will be notified before your data is transferred or becomes subject to a different privacy policy.
We do not share personal data with advertisers, data brokers, or analytics companies for their own purposes.
7. International Data Transfers
Luxorae is based in Dubai, UAE. Some of our service providers — including OpenAI, Anthropic, and AWS — process data in jurisdictions outside the UAE (primarily the United States and the European Union). When we transfer personal data internationally, we ensure appropriate safeguards are in place, which may include:
- Standard contractual clauses or data processing agreements approved under applicable law;
- Transfers to jurisdictions recognised by the UAE as providing an adequate level of data protection;
- Other legally recognised transfer mechanisms under UAE PDPL and its Executive Regulations.
You may request information about the specific safeguards applied to cross-border transfers by contacting us at support@luxorae.ae.
8. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes described in this Policy, or as required by UAE law.
| Data Category | Retention Period |
|---|---|
| Account and identity data | Duration of the subscription + 90 days after account closure, then deleted |
| Social media tokens (Instagram/Facebook) | Active while the connection is maintained; deleted within 30 days of disconnection or account closure |
| Published content records | Duration of the subscription + 90 days, then deleted |
| Payment and billing records | 5 years from the date of the transaction, as required by UAE commercial law |
| Technical and usage logs | 90 days (security logs may be retained for up to 12 months) |
| Support communications | 3 years from last interaction |
| Data subject requests and records | 3 years from the date of the request |
Upon expiry of the applicable retention period, data is securely deleted or irreversibly anonymised.
9. Your Rights Under UAE PDPL
Subject to the conditions and exceptions set out in the UAE PDPL, you have the following rights in respect of your personal data:
9.1 Right of Access
You may request confirmation of whether we process your personal data and, if so, obtain a copy of that data along with information about how it is used.
9.2 Right to Correction
You may request that inaccurate or incomplete personal data be corrected or completed without undue delay.
9.3 Right to Erasure (Right to be Forgotten)
You may request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, where you withdraw consent (where consent was the legal basis), or where processing is unlawful. Erasure may be limited where retention is required by UAE law.
9.4 Right to Restriction of Processing
You may request that we restrict the processing of your personal data in certain circumstances, for example while a correction request is being assessed.
9.5 Right to Object
You may object to the processing of your personal data where we rely on legitimate interests as our legal basis, including profiling based on those interests.
9.6 Right to Data Portability
Where technically feasible and where processing is carried out by automated means, you may request to receive your personal data in a structured, commonly used, machine-readable format.
9.7 Right to Withdraw Consent
Where we process your data based on consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
9.8 Exercising Your Rights
To exercise any of these rights, please submit a written request to support@luxorae.ae with the subject line "Data Subject Rights Request". We will respond within 30 days of receiving a complete request. Where requests are complex or numerous, we may extend this period by a further 30 days, notifying you accordingly.
We may need to verify your identity before processing your request. We will not charge a fee for a first request unless it is manifestly unfounded or excessive.
9.9 Right to Lodge a Complaint
If you believe we have not handled your personal data in accordance with UAE PDPL, you have the right to lodge a complaint with the UAE Data Office (the competent supervisory authority under the UAE PDPL). We would, however, appreciate the opportunity to address your concern directly first — please contact us at support@luxorae.ae.
10. Security Measures
We implement technical and organisational security measures proportionate to the risks presented by the processing of your personal data. These measures include:
- Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
- Encryption at rest: Personal data stored on our servers and cloud infrastructure is encrypted at rest using AES-256 or equivalent standards.
- Access controls: Strict role-based access controls ensure that only authorised Luxorae personnel can access personal data on a need-to-know basis.
- Token security: Social media access tokens are stored encrypted and are never logged in plaintext.
- Password hashing: User passwords are hashed using a strong adaptive algorithm (bcrypt or equivalent); we never store or transmit plaintext passwords.
- Infrastructure security: Our cloud infrastructure is hosted on AWS, which maintains ISO 27001, SOC 2, and other industry certifications.
- Vulnerability management: We conduct periodic security assessments and apply software patches promptly.
- Incident response: We maintain a data breach response procedure. In the event of a breach that is likely to result in risk to your rights, we will notify the UAE Data Office and, where required, affected individuals in accordance with UAE PDPL timelines.
No security measure is absolute. If you discover a potential vulnerability, please report it responsibly to support@luxorae.ae.
11. Cookies and Tracking Technologies
Our Platform uses cookies and similar technologies to operate core functionality and improve your experience.
11.1 Essential Cookies
These are strictly necessary to provide the service — for example, maintaining your logged-in session. You cannot opt out of these cookies while using the Platform.
11.2 Analytics Cookies
We may use internal analytics tools to understand aggregate usage patterns (e.g., which features are most used). Where we use third-party analytics tools, we configure them to anonymise IP addresses and disable cross-site tracking. We do not use Google Analytics or similar third-party tracking scripts that share your data with advertising networks.
11.3 Managing Cookies
You can control cookies through your browser settings. Note that disabling essential cookies will impair your ability to use the Platform.
12. Children's Privacy
The Luxorae Platform is designed for businesses and their authorised representatives. We do not knowingly collect personal data from individuals under the age of 18. If you believe a minor has provided us with personal data without appropriate authorisation, please contact us at support@luxorae.ae and we will delete such data promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our services, legal requirements, or data practices. When we make material changes, we will:
- Update the "Last updated" date at the top of this page;
- Notify registered users via email or a prominent in-Platform notification at least 14 days before the changes take effect.
Your continued use of the Platform after the effective date of the updated Policy constitutes your acknowledgement of the changes. If you do not agree with the revised Policy, you may close your account before the effective date.
Previous versions of this Policy are available upon request by emailing support@luxorae.ae.
14. Governing Law and Jurisdiction
This Privacy Policy is governed by and construed in accordance with the laws of the United Arab Emirates, including Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data and its Executive Regulations. Any dispute arising out of or in connection with this Policy shall be subject to the exclusive jurisdiction of the competent courts of Dubai, UAE.
15. Contact Us
If you have any questions, concerns, or requests relating to this Privacy Policy or the handling of your personal data, please contact us:
Luxorae — Privacy Enquiries
Dubai, United Arab Emirates
Email: support@luxorae.ae
Subject line: "Privacy Enquiry" or "Data Subject Rights Request"
We aim to acknowledge all privacy enquiries within 5 business days and resolve them within 30 days.