Privacy Policy
Last updated: May 2026
LuxLeads AI operates LuxLeads AI, an AI-powered lead capture chatbot service for businesses. This policy explains what data we collect, how we use it, and your rights.
1. Who we are
LuxLeads AI provides AI-powered chatbot and lead capture services to businesses via Facebook Messenger, Instagram Direct, WhatsApp notifications, and website chat widgets.
We are the data controller for our own account, billing, website, support, and business outreach data. For messages and leads captured on behalf of a client business, the client business is usually the data controller and LuxLeads AI acts as its data processor.
For data enquiries, contact us at [email protected].
2. Data we collect
From businesses using LuxLeads AI:
- Business name, email address, and account credentials
- Facebook Page ID, Instagram account ID, and associated access tokens granted via Meta OAuth
- Business configuration (working hours, pricing, niche, booking links)
- WhatsApp notification numbers and Calendly links if provided
From end-users (visitors chatting with a business via Facebook, Instagram, or website widget):
- Facebook Page-Scoped User ID (PSID) — assigned by Meta, not your real Facebook ID
- Messages sent to and from the business page during a conversation
- Name, phone number, email address, and enquiry details if shared voluntarily during the chat
- Website session identifier (for widget users)
3. How we use Facebook and Instagram data
LuxLeads AI connects to Facebook Pages and Instagram accounts via the Meta Platform. We use this connection solely to:
- Receive incoming Messenger and Instagram Direct messages on behalf of the business
- Send automated replies from the business page to the person who messaged
- Capture lead information (name, contact details, enquiry) shared during conversations
- Notify the business owner of new leads via WhatsApp (if enabled)
We do not use Facebook or Instagram data for advertising, profiling, or any purpose beyond providing the chatbot service to the business.
We do not share Facebook or Instagram message data with third parties except where required by law or to operate the service (e.g. OpenAI for AI response generation, subject to data processing agreements).
4. Lawful bases for processing
Depending on the context, we rely on the following lawful bases under UK GDPR:
- Contract — to create accounts, provide the dashboard, process subscriptions, and deliver the LuxLeads AI service
- Legitimate interests — to improve the service, prevent misuse, secure the platform, respond to support requests, and carry out proportionate B2B outreach
- Consent — where required for optional marketing, optional integrations, or non-essential cookies if introduced later
- Legal obligation — for accounting, tax, compliance, and lawful requests from authorities
For client customer chat data, the client business is responsible for confirming its own lawful basis and providing any required privacy information to its customers.
5. AI processing and transparency
LuxLeads AI uses automated systems to generate draft replies, classify enquiry type or urgency, extract lead details voluntarily shared in chat, and route enquiries to the connected business.
The system is designed for lead capture and routing only. It does not make legal, medical, financial, employment, credit, or similarly significant decisions about individuals. Businesses using LuxLeads AI should monitor conversations and step in where human review is needed.
6. Meta Platform compliance
LuxLeads AI complies with the Meta Platform Policy and Meta Terms of Service.
Permissions we request and why:
- pages_messaging — to send and receive Messenger messages on behalf of the business page
- pages_manage_metadata — to read page details and set up the webhook subscription
- pages_read_engagement — to verify the page is active and accessible
- instagram_manage_messages — to send and receive Instagram Direct messages on behalf of the connected account
We do not request permissions beyond those listed above.
7. Data retention
- Conversation state is retained for up to 90 days of inactivity, then automatically purged
- Lead records are retained for as long as the business account is active
- Facebook and Instagram access tokens are stored securely and invalidated when a business disconnects their account
- Deletion requests from Meta are processed within 30 days
8. Data security
All data is transmitted over HTTPS. Access tokens are stored securely with restricted access. Access to production data is restricted to authorised personnel only. We do not store Facebook user passwords or payment card details.
9. Your rights
Under UK GDPR and applicable data protection law, you have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your data (see our Data Deletion page)
- Object to or restrict processing in certain circumstances
- Lodge a complaint with the ICO (Information Commissioner's Office) at ico.org.uk
To exercise any of these rights, email [email protected]. We will respond within 30 days.
10. Third-party services and subprocessors
We use the following third-party services to operate LuxLeads AI:
- OpenAI — AI response generation. Messages may be sent to OpenAI's API for processing. OpenAI's privacy policy applies.
- Meta (Facebook/Instagram) — Messaging platform. Governed by Meta's Platform Policy.
- Stripe — Payment processing. We do not store card details. Stripe's privacy policy applies.
- Resend / email providers — Transactional email delivery.
- Railway or hosting providers — Application hosting and infrastructure.
11. B2B outreach, email tracking, and opt-out
We may contact businesses using publicly available or business contact details where we believe LuxLeads AI may be relevant. We do not hide our identity in outreach messages and every outreach email includes a way to opt out.
Some outreach emails may include basic open or reply tracking so we can understand whether campaigns are working and avoid repeatedly contacting people who are not interested. This is used for service improvement and campaign management, not for selling personal data.
If you ask us to stop contacting you, we will add your details to a suppression list so we do not contact you again for marketing.
12. Cookies, local storage, and similar technologies
LuxLeads AI does not currently use advertising cookies, analytics cookies, or third-party tracking cookies on the website.
The service may use essential browser storage such as localStorage or sessionStorage to remember demo sessions, website chat sessions, dashboard access details, admin session convenience, and setup progress. This storage is used to make the service work properly and is not used for advertising.
If we introduce non-essential analytics, advertising pixels, or marketing cookies in the future, we will update this policy and request consent where required.
13. Professional advice and urgent matters
LuxLeads AI is not a substitute for medical, legal, financial, emergency, or other regulated professional advice. Where an enquiry appears urgent or specialist, the business should review it and respond appropriately. Users should contact emergency services or the relevant professional directly where needed.
14. Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top of this page will reflect any changes. Continued use of LuxLeads AI after changes constitutes acceptance of the updated policy.
15. Contact
For any privacy-related questions or requests:
- Email: [email protected]
- Company: LuxLeads AI