Privacy Policy

Last updated: April 10, 2026

1. Introduction

LutaFlow ("we," "us," or "our") operates the LutaFlow platform at lutaflow.app and its subdomains. This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and your rights regarding that data.

By using LutaFlow, you agree to the collection and use of information as described in this policy. If you do not agree, please do not use the service.

2. Data We Collect

2.1 Account & Profile Data

  • Full name
  • Email address (used as your login identifier)
  • Phone number (optional)
  • Date of birth (optional)
  • Profile photo (optional)

2.2 Training & Activity Data

  • Current belt rank and stripe count (IBJJF belt system)
  • Promotion history (dates, notes, class counts at time of promotion)
  • Class attendance records (date, time, check-in method)
  • Membership status (active, frozen, or cancelled)
  • Milestone achievements (class counts, streaks)

2.3 Academy & Class Data

  • Academy name and location addresses
  • Class details (title, type, schedule, techniques, notes)
  • Instructor assignments
  • Tags and class images

2.4 Technical & Usage Data

  • IP address and user agent (logged in our audit trail for security)
  • Last login timestamp
  • Browser type and device information
  • Notification preferences

3. How We Use Your Data

We use your personal data to:

  • Provide, operate, and maintain the LutaFlow platform
  • Authenticate your identity via PIN-based passwordless login
  • Track class attendance, belt promotions, and training milestones
  • Generate attendance reports and analytics for your academy
  • Send transactional emails (login PINs, invitations, notifications)
  • Deliver Slack notifications when configured by your academy
  • Process subscription payments through Stripe
  • Maintain an audit log of sensitive actions for security and accountability
  • Provide offline functionality through locally cached data
  • Improve the service based on aggregate usage patterns

4. Cookies & Local Storage

Session Cookies

We use a secure, HTTP-only session cookie (lutaflow.session) to keep you logged in. This cookie is essential for the service to function and cannot be disabled. It contains your session identifier and is encrypted.

Verification Tokens

When you log in, we generate a temporary 6-digit PIN that is stored server-side for 15 minutes and deleted after use. This is used for passwordless authentication only.

IndexedDB (Offline Storage)

LutaFlow is a Progressive Web App (PWA). We store data locally on your device using IndexedDB to enable offline access. This includes cached class schedules, attendance records, and pending check-ins. This data remains on your device and syncs with our servers when you reconnect.

No Tracking Cookies

We do not use third-party advertising or analytics cookies. We do not track you across other websites.

5. Third-Party Services

We share limited personal data with the following third-party service providers, solely to operate the LutaFlow platform:

5.1 Stripe (Payment Processing)

We use Stripe to process subscription payments. When you sign up for a paid plan, you are redirected to Stripe's secure checkout page where you enter your payment details (credit/debit card number, expiration date, CVC).

LutaFlow never receives, stores, or has access to your full payment card details. Stripe handles all payment information directly. We only receive and store a Stripe Customer ID and subscription status (active, past due, cancelled) to manage your billing state. Stripe maintains your payment method on their PCI-DSS Level 1 compliant infrastructure and processes charges on your behalf.

You can manage your payment methods, view invoices, and cancel your subscription at any time through the Stripe Customer Portal, accessible from your academy billing settings. Stripe's handling of your payment data is governed by the Stripe Privacy Policy.

5.2 Brevo (Email Delivery)

We use Brevo (formerly Sendinblue) to send transactional emails such as login PINs, account invitations, and notifications. Brevo receives your email address and name to deliver these messages. We do not use Brevo for marketing emails.

5.3 Slack (Optional Notifications)

If your academy configures Slack integration, class creation events are posted to your designated Slack channel via webhook. This includes class details (title, time, location, coach) but does not include member personal data.

5.4 DigitalOcean (Hosting & Storage)

Our application and database are hosted on DigitalOcean infrastructure. Profile photos and class images are stored in DigitalOcean Spaces (S3-compatible object storage). All data is stored in accordance with DigitalOcean's Privacy Policy.

6. Data Security

  • All data in transit is encrypted via HTTPS/TLS
  • Database connections use SSL encryption
  • Authentication uses secure, HTTP-only cookies — no passwords are stored
  • API keys are hashed with bcrypt before storage
  • Sensitive actions (promotions, role changes, deletions) are recorded in a tamper-evident audit log with IP address and timestamp
  • File uploads are validated for type and size before storage
  • All database queries are parameterized to prevent SQL injection

7. Data Retention

  • Active accounts: Your data is retained for as long as your academy subscription is active.
  • Cancelled accounts: After cancellation, your data is retained for 90 days to allow for reactivation, after which it is permanently deleted.
  • Verification tokens: PINs expire after 15 minutes. Invitation tokens expire after 30 days.
  • Webhook logs: Event logs are purged after 30 days.
  • Audit logs: Retained for the lifetime of the academy for security and compliance purposes.

8. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate or incomplete data
  • Delete your personal data ("right to be forgotten")
  • Export your data in a portable format (CSV export is available for members)
  • Restrict or object to certain processing of your data

To exercise any of these rights, contact your academy administrator or email us at [email protected].

9. Invitation-Only Access

LutaFlow operates on an invitation-only model. There is no public self-registration. Members are invited by their academy administrator, who provides the member's email address and initial belt rank. By accepting an invitation, you consent to the collection and use of your data as described in this policy.

10. Children's Privacy

LutaFlow may be used by academies with youth programs. If a member is under the age of 16, their parent or legal guardian must provide consent. Academy administrators are responsible for obtaining appropriate parental consent before inviting minor members. If we learn that we have collected data from a child without parental consent, we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify academy administrators by email. Continued use of the service after changes constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at:

[email protected]