This Privacy Policy explains how LumiWeb collects, uses, stores, shares, and protects personal data in line with UK GDPR, EU GDPR transparency principles, and related data protection obligations.

1. Controller and Contact Details

• Controller: LumiWeb, London, United Kingdom.
• Privacy contact: privacy@lumiweb.co.uk.
• Data protection officer channel: dpo@lumiweb.co.uk.
• General support: support@lumiweb.co.uk.

2. Scope of This Policy

• Website visits, forms, account registration, subscriptions, billing, and support.
• Use of LumiWeb product modules and operational platform services.
• Security and audit logging needed to protect users, systems, and transactions.

3. Personal Data We Process

• Identity and account data: name, business email, company details, role data.
• Billing data: billing identifiers, transaction references, subscription status, tax fields.
• Technical data: IP logs, device/browser metadata, access timestamps, session data.
• Support and communication data: tickets, requests, replies, and service records.
• Security data: authentication, fraud signals, risk flags, and incident-response records.

4. Sources of Data

• Directly from you (forms, contracts, settings, support requests).
• From your authorized users and administrators.
• From payment and fraud-prevention providers for transaction verification.
• From analytics, security, and infrastructure systems used to run the Service.

5. Purposes and Lawful Bases

• Service delivery and account administration: contract performance.
• Billing, invoicing, subscription lifecycle, and payment reconciliation: contract and legal obligations.
• Fraud prevention, cybersecurity, abuse handling, and service integrity: legitimate interests and legal obligations.
• Compliance with tax, accounting, sanctions, and legal recordkeeping: legal obligations.
• Optional product updates/marketing where applicable: consent or legitimate interests, with opt-out controls.

6. Recipients and Processors

We share data only where necessary with vendors and partners operating under contractual and legal controls.

• Payment and billing providers (including Paddle and Stripe where applicable).
• Wallet payment rails and associated ecosystem participants (for example Apple Pay and Google Pay flows via processors).
• Hosting, infrastructure, backup, monitoring, email delivery, and support tooling providers.
• Professional advisers, auditors, and authorities where disclosure is legally required.

7. Apple Platform and App Store Data Context

• Where distribution or billing is handled through Apple channels, Apple may process account, billing, and device-related data under its own policies.
• For Apple-handled app transactions, Apple may operate as platform operator and may also act through Apple billing entities depending on region.
• We receive only the data required for service provisioning, entitlement validation, fraud control, and support.
• For Apple account-level privacy rights or Apple-billed purchase records, users may need to contact Apple directly.

8. International Data Transfers

• Where data moves outside the UK or EEA, we use lawful transfer mechanisms.
• These may include adequacy regulations/decisions, Standard Contractual Clauses, UK Addendum/IDTA, or other lawful safeguards.
• Transfer mechanisms and safeguards can be requested via privacy@lumiweb.co.uk.

9. Retention Periods

• Account and contract records: retained during active service and for legally required post-termination periods.
• Billing, invoice, and tax records: retained according to statutory accounting and tax obligations.
• Security and audit logs: retained for operational security, fraud detection, and incident response needs.
• Support records: retained as needed for continuity, dispute handling, and compliance evidence.

10. Security Measures

• Access controls, least-privilege principles, authentication checks, and audit trails.
• Encryption in transit, secure configuration baselines, and monitoring controls.
• Risk-based fraud detection and payment-abuse mitigation.
• Incident handling procedures and evidence preservation for legal/regulatory response.
• For Apple-distributed app contexts, technical data used for updates/support may also be processed under Apple platform terms.

11. Your Rights

Subject to applicable law, you may request access, correction, deletion, restriction, objection, portability, and withdrawal of consent where processing relies on consent.

• Requests should be sent to privacy@lumiweb.co.uk.
• Identity verification may be required before fulfillment.
• We respond within legal timeframes, normally within one month unless law allows extension.

12. Complaints and Supervisory Authorities

• If unresolved, you can lodge a complaint with the UK ICO or your local EU/EEA supervisory authority.
• We encourage first contact through privacy@lumiweb.co.uk so issues can be resolved quickly.

13. Cookies and Similar Technologies

• We use necessary technical storage and may use analytics or preference technologies where configured.
• Where consent is required, controls are provided through applicable consent mechanisms.
• You can adjust browser settings, but some functions may not operate correctly if essential storage is blocked.

14. Children

The Service is intended for business and professional use and is not directed to children. If you believe child data was submitted in error, contact privacy@lumiweb.co.uk for review.

15. Policy Changes

• We may update this Policy to reflect legal, technical, or operational changes.
• The revision date shown on this page is the official effective-date marker.
• Material changes may be additionally communicated through in-product or email notice.

16. Privacy and Legal Contact Directory

• Privacy: privacy@lumiweb.co.uk
• DPO channel: dpo@lumiweb.co.uk
• Legal: legal@lumiweb.co.uk
• Billing: billing@lumiweb.co.uk
• Security: security@lumiweb.co.uk
• Support: support@lumiweb.co.uk

Related documents: Terms of Service and Refund Policy.