Data Deletion

Last updated: 22 May 2026

You can delete your Lumiqa account and all associated personal data at any time. This page explains exactly how, what gets deleted, what's kept (and why), and how the Meta-specific deletion callback works for users who connected a Facebook or Instagram account via OAuth.

How to delete your account

Self-service via Settings

Sign in at lumiqa.io/login, go to Settings → Account → Delete account, confirm with your password (or re-authenticate via your OAuth provider), and submit. The deletion request is acknowledged on screen and recorded with a timestamp. You will receive a confirmation email within a few minutes.

By email — for any reason

If you cannot access the dashboard, email [email protected] or [email protected] from the address registered with your account. Subject line: Account deletion request. We verify your identity by checking the sender address, then process the request within 30 days (usually within 72 hours).

Export first (optional but recommended)

Before deleting, you can export your workspace data from Settings → Export (JSON metadata + original media files in a downloadable archive). Once your account is deleted you cannot recover the export.

What gets deleted

When your account is deleted, we permanently remove the following data within 30 days:

Data	Where it lives	Deleted within
Account record (email, name, Clerk identity)	Clerk	30 days
Workspace metadata (projects, comments, tasks, annotations)	Cloudflare D1	30 days
Uploaded media (videos, audio, thumbnails, exports)	Cloudflare R2	30 days
API keys (`lk_live_*`)	Cloudflare KV	Immediately revoked, then purged
OAuth tokens (Meta, Google, LinkedIn, TikTok)	Cloudflare D1 / KV	7 days (revoked immediately, purged within 7 days)
Team invitations, pending shares	Cloudflare D1	30 days
Backup snapshots containing your data	Cloudflare snapshots	Rolling 30-day window, then purged
Telemetry / API request logs	Cloudflare logs	14 days rolling window (auto)
Email logs in Resend	Resend	30 days

What we keep (and why)

Legal and tax retention. Italian tax law (DPR 633/1972 Art. 39 and Civil Code Art. 2220) requires us to keep accounting and invoice records for 10 years. EU VAT rules and OSS reporting impose similar obligations. This applies only to paid customers.

Data	Why retained	Duration
Stripe invoices, billing customer ID, transaction history	Italian tax law, EU VAT, OSS	10 years
Anonymous aggregate usage statistics (no PII)	Service capacity planning	Up to 24 months
Records of the deletion event itself (deletion log)	To prove compliance with GDPR erasure requests	3 years
Support correspondence (if you opened a ticket)	Defending legal claims	3 years after last contact

We do not retain Your Content (videos, projects, comments) beyond the 30-day backup window. Retained records are minimized to what the law strictly requires and are not used for any commercial purpose.

OAuth disconnections

If you only want to disconnect a third-party platform (not delete your whole Lumiqa account):

Go to Settings → Integrations, find the platform, click "Disconnect".
The OAuth token is revoked immediately and purged within 7 days.
You can also revoke access directly on the platform side (Meta Settings → Business Integrations, Google Account → Security, LinkedIn → Permitted services, TikTok → Manage apps).
Disconnecting an integration does not delete content already published or imported.

Autoposting data — what gets removed

If you used autoposting, deleting your account or disconnecting a platform removes, in addition to the items above:

The encrypted OAuth tokens for that platform (revoked immediately, purged within 7 days).
The cached account identifiers (channel ID, page ID, IG account ID, TikTok open ID) used to route your posts.
Any queued or scheduled posts that have not yet been published — these are canceled and deleted.

Already-published posts stay on the platform. Videos already published to YouTube, Instagram, TikTok, Facebook or LinkedIn live under your own account on that platform. Deleting your Lumiqa data does not retract them — remove them directly on the platform if needed.

Meta-specific deletion callback

Lumiqa supports the Meta Data Deletion Callback as required by the Meta Platform Terms and Developer Policies. If you connected your Facebook or Instagram account and you remove the Lumiqa app from your Meta settings, Meta will send a signed request to our deletion endpoint. We will:

Validate the signed_request using our Meta App Secret (HMAC-SHA256).
Identify the Meta user_id contained in the payload.
Locate the corresponding Lumiqa OAuth record(s), revoke the token(s), and purge them within 7 days.
Return a JSON response to Meta with a deletion confirmation URL and a unique confirmation code, as required by the Meta spec.

Endpoint URL

POST https://lumiqa.io/api/oauth/meta/data-deletion

Expected response shape (per Meta spec)

{
  "url": "https://lumiqa.io/data-deletion.html?code=<confirmation_code>",
  "confirmation_code": "<unique_code>"
}

How a Meta user can check the status

Open the URL returned by Meta (it includes a ?code= parameter). If our system recognizes the code, the page will display a deletion status (received / processed / completed). If you have lost the URL, email [email protected] from the email tied to your Lumiqa account, mention "Meta deletion status", and we will look it up.

Important — Removing the Lumiqa app from your Meta settings only deletes the Meta-linked OAuth token and any Meta-derived data (profile ID, pages list cached for publishing). It does not delete your Lumiqa account or workspace content. To delete the entire account, follow the steps at the top of this page.

Other platforms (Google, LinkedIn, TikTok)

Google, LinkedIn, and TikTok do not send automatic deletion callbacks the same way Meta does. You can still:

Disconnect via Lumiqa Settings → Integrations;
Revoke access on the platform side (see links above);
Email us at [email protected] to request immediate purge of any data linked to that integration.

Timeline summary

Action	Effect	Maximum time
Request deletion via Settings or email	Account flagged, login disabled, request acknowledged by email	72 hours
Active workspace content erased (D1, R2)	Permanently deleted from primary storage	30 days
OAuth tokens revoked and purged	Removed from KV / D1	7 days
Backups purged	Rolling backup window expires	30 days
Billing records retained	Anonymized where possible, kept for tax	10 years (legal obligation)

Right to complain

If you believe we have not handled your deletion request properly, you have the right to lodge a complaint with a data protection supervisory authority. In Italy, this is the Garante per la Protezione dei Dati Personali (garanteprivacy.it). EU residents can also contact their national supervisory authority.

Contact

Account deletion: [email protected]
Privacy / GDPR: [email protected]
Postal mail: AB Tools — Via M. Bertini 32, 55100 Lucca, Italy

For full details on what data we hold, see our Privacy Policy and Terms of Service.