Privacy

Luau privacy policy.

Last updated: May 2, 2026

Luau Digital, Ltd. ("Luau," "we," "our," or "us") respects your privacy. This policy explains what data we collect, why we collect it, how we share it, and the choices you have.

If you have any questions about this policy or our practices, email us at privacy@luau.co.


1. Who we are

Luau Digital, Ltd.
1975 Hickory Road
Vestavia Hills, AL 35216
United States
privacy@luau.co

We operate the Luau iOS app and the Luau website at luau.co. This policy covers both unless we say otherwise.


2. Information we collect

We collect only what we need to run Luau and the features you use.

Account & contact

  • Phone number — required. We use SMS one-time codes to sign you in, and for opt-in event reminders.
  • Name — required. Shown to people you host or invite.
  • Email address — optional. Used for account recovery and important service emails (e.g., changes to this policy).
  • Profile photo — optional. You upload it; we host it on Cloudinary (see "Service providers" below).

Event content (User Content)

  • Event titles, descriptions, dates, times, locations, cover images, RSVPs, and any details you add to events you host or attend.
  • AI conversations with Kai (our event-planning assistant). Your messages are sent to OpenAI to generate responses and event drafts (see "Third-party AI" below).

Device & technical

  • Device type, OS version, and app version (for troubleshooting and crash reports).
  • Network metadata (IP address, request timestamps) used to deliver the service and detect abuse.
  • Universally unique account identifier (your Luau user ID). We do not use Apple's Identifier for Advertisers (IDFA).

PartyPass (NFC chips)

  • The chip's unique identifier (UID) and a cryptographic message authentication code (CMAC) when you tap a PartyPass. We use these solely to verify access to a specific event. We do not link the chip to a persistent device fingerprint.

Google Calendar (optional integration)

  • If you choose to connect Google Calendar, we receive read access to your calendar's free/busy times and the ability to create, update, and delete events you make through Luau. We never read the content of calendar events you didn't create through Luau.
  • Use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not use Google Calendar data to train AI, build user profiles, or sell to third parties.

Things we don't collect

  • We do not collect precise location.
  • We do not access your contacts.
  • We do not access your microphone.
  • We do not use third-party advertising networks. There are no ad SDKs in the Luau iOS app.
  • We do not use cross-site or cross-app tracking. Apple's App Tracking Transparency prompt is not shown because we do not track.

3. How we use your information

Purpose | What we use
Operate the app and your account | Phone, name, email, account ID
Deliver event reminders and updates | Phone (SMS), event content
Power AI-assisted event planning ("Kai") | Your prompts and event drafts
Verify PartyPass access | Chip UID + CMAC
Sync with your Google Calendar (if connected) | Calendar free/busy + Luau events you create
Detect abuse, fraud, and policy violations | Network metadata, content reports
Comply with legal obligations | Whatever the law requires
Improve the product | Aggregated, de-identified usage

We do not sell your personal data. We do not share your data for cross-app or cross-site behavioral advertising.


4. Service providers (third parties who process data on our behalf)

We share the minimum necessary data with the following service providers. Each is contractually required to keep your data confidential and use it only to perform the service we hired them for.

Provider | What they do | Data shared
Clerk | Authentication (phone OTP) | Phone, name, email
Cloudinary | Image hosting (profile photos, event covers, AI-generated images) | Image files + image metadata
OpenAI | Powers Kai's event drafting and image generation | Your Kai messages, event drafts, image prompts. Per OpenAI's API terms, OpenAI does not use Luau API data to train its models.
AWS End User Messaging (formerly Amazon Pinpoint SMS) | Sends SMS event reminders | Phone, message body
AWS Rekognition | Automated content moderation on uploaded and AI-generated images | Image files
Google Calendar API | Calendar sync (only if you opt in) | Calendar free/busy + Luau events you create
Vercel | Hosting infrastructure | All app traffic
Neon (PostgreSQL) | Database hosting | All persisted application data

5. Third-party AI (Kai)

Luau uses OpenAI as its AI provider. Several features in the app send data to OpenAI on your behalf:

  • Event drafting and editing: when you ask Kai to create or revise an event, your typed prompt and the event's title, description, date, and location are sent to OpenAI.
  • Cover-art generation: when you tap Generate Image — on a new event, or when changing the image on an existing one — your prompt and any reference image are sent to OpenAI's image API.
  • Potluck suggestions: when you ask Kai what to bring to a potluck, the event's details and the names of guests who have already claimed items are sent to OpenAI.

Consent. The first time you reach any of the surfaces above, Luau shows you a consent sheet that lists exactly what is sent and to whom. Nothing leaves Luau until you tap Use Kai. If you decline, the manual flows (manual event form, manual potluck list, upload your own image) remain available. You can change your choice any time under Profile → AI Assistant in the iOS app, or under Profile → AI Assistant on app.luau.co.

Retention and training. OpenAI's API terms prohibit OpenAI from using Luau-submitted data to train its models. OpenAI may retain prompts and outputs for up to 30 days for abuse monitoring, after which they are deleted. See OpenAI's API data usage policies for details.

What we do not send to OpenAI: your phone number, email address, password or sign-in credentials, calendar contents, full guest lists for events you didn't ask Kai about, or your aggregated social-graph data.


6. SMS messages

When you opt in (typically by RSVPing or accepting an event invite), Luau sends event-related SMS messages such as confirmations, guest updates, and reminders.

  • Frequency: up to 10 messages per event.
  • Cost: standard message and data rates may apply.
  • Opt out: text STOP to any Luau SMS at any time. You'll receive one final confirmation message.
  • Help: text HELP or email support@luau.co.
  • Eligibility: U.S. mobile numbers only. You must be 18 or older (or have parental consent) to receive SMS.
  • Carriers: messages are sent via AWS End User Messaging. Supported carriers include AT&T, Verizon, T-Mobile, and others. Carriers are not liable for delayed or undelivered messages.

We do not share or sell your phone number or SMS opt-in status to any third party for marketing.


7. How long we keep your data

Data | Retention
Account profile (name, phone, email, photo) | While your account is active, plus a 90-day grace window after deletion (see §9)
Event content (titles, descriptions, RSVPs) | While the host's account is active; deleted with the host's account
Kai conversation history | Until you delete the conversation in-app, or up to 18 months, whichever comes first
AI-generated images | While linked to an event you control, plus a 90-day grace window after event deletion
SMS delivery logs | 12 months for compliance and troubleshooting
Server logs (IP, request timestamps) | 90 days
Aggregated, de-identified analytics | Indefinitely

8. Sharing and disclosure

We disclose personal information only:

  • To service providers described in §4 to deliver the service.
  • To other Luau users when you choose to share — for example, your name and profile photo are visible to people you host or invite, and your RSVPs are visible to event hosts and other invitees.
  • To authorities when required by law (subpoena, court order, valid legal process), to protect the safety of our users, or to enforce our Terms of Service.
  • In a corporate transaction (merger, acquisition, asset sale). If this happens, we'll post a notice on luau.co before any change.

We never sell your personal data, and we never share it for cross-context behavioral advertising.


9. Account deletion

You can delete your account inside the Luau iOS app: Profile → Settings → Delete Account. You can also request deletion by emailing privacy@luau.co.

When you delete your account:

  1. Within minutes, your name, profile photo, and email are anonymized. You're signed out of every device and your account is no longer visible to other users.
  2. Your phone number is retained as a hashed identifier for 90 days so you can sign back in with the same number to restore the account if you change your mind. During this window your data is restorable but otherwise inaccessible.
  3. After 90 days, deletion is permanent. We purge your account profile, Kai history, AI images linked only to your account, and all data not required for legal retention.

Some data is retained beyond 90 days where required:

  • Aggregate, de-identified analytics that can no longer be tied back to you.
  • Event content you created that other users still depend on (e.g., shared event descriptions). The host attribution is anonymized.
  • Records required for tax, legal, or fraud-prevention purposes (typically 7 years).

If you'd prefer to skip the 90-day grace window and delete immediately, email privacy@luau.co with the subject line "Immediate deletion."


10. Your privacy rights

Depending on where you live, you have one or more of the following rights:

  • Access — request a copy of the personal data we hold about you.
  • Correction — fix inaccurate or incomplete data.
  • Deletion — delete your account and associated data (see §9).
  • Portability — receive your data in a portable format.
  • Opt-out of sale or sharing — we don't sell or share your data for cross-context behavioral advertising in the first place; this right is built into how we operate.
  • Non-discrimination — we won't penalize you for exercising any of these rights.

To exercise any right, email privacy@luau.co. We respond within 30 days (or 45 if extended; we'll tell you).

California residents (CCPA/CPRA)

You have the rights listed above plus the right to know what categories of personal information we've collected, the categories of sources, business purposes, and categories of third parties we share with — all detailed in §2 and §4.

We do not sell or "share" personal information as those terms are defined under the CCPA/CPRA.

European Economic Area, United Kingdom, and Switzerland (GDPR / UK GDPR)

The legal bases on which we process your personal data are:

  • Performance of a contract — to provide the service you signed up for.
  • Legitimate interests — to keep the service secure, prevent abuse, and improve the product.
  • Consent — where required (e.g., the optional Google Calendar integration, AI assistant).
  • Legal obligation — where required by law.

You also have the right to lodge a complaint with your local data protection authority. We do not require you to provide unnecessary data in order to use our service.


11. International data transfers

Luau operates from the United States. If you use Luau from outside the United States, your data is transferred to and processed in the United States, where data protection laws may differ from your jurisdiction.

For users in the European Economic Area, United Kingdom, and Switzerland, transfers are made under the European Commission's Standard Contractual Clauses (SCCs) and applicable adequacy decisions.


12. Children's privacy

Luau is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided personal information to us, email privacy@luau.co and we'll delete it.

If you are between 13 and 18, you must have a parent or guardian's permission to use Luau.


13. Security

We use TLS 1.2+ in transit, encryption at rest, scoped access controls, and routine audits to safeguard your data. No system is 100% secure; if you suspect unauthorized activity on your account, email security@luau.co immediately.


14. Changes to this policy

We may update this policy from time to time. If we make material changes, we'll notify you by SMS or in-app message, and update the "Last updated" date at the top. Continued use of Luau after a change means you accept the updated policy.


15. Contact

Privacy questions, data requests, or anything else:

Luau Digital, Ltd.
1975 Hickory Road
Vestavia Hills, AL 35216
United States
privacy@luau.co