Privacy Policy
Last updated: 2026-04-16
1. Who we are
This Privacy Policy explains how LUMGEX collects, uses, and protects personal data in connection with the LUMGEX website and the current public Intelligence Report ("IR") service.
LUMGEX is operated by Dianna Abad Veloz as a Dutch eenmanszaak.
For the purposes of the General Data Protection Regulation (GDPR), LUMGEX acts as the data controller for personal data collected through the website and the public IR ordering flow.
2. What this policy covers
This policy covers personal data collected from:
- visitors to the LUMGEX website,
- clients who place an Intelligence Report order,
- clients who submit project inputs through the post-purchase form,
- individuals who contact LUMGEX for support or business enquiries.
Any separate agency, partner, white-label, or enterprise arrangement that creates a distinct controller-processor relationship is governed by separate written terms.
3. What data we collect
In the normal public IR flow, LUMGEX may collect:
Order and project data:
- work email address
- order number or reference
- ASIN or SKU
- product name
- Amazon product URL
- brief product description
- marketplace, category, tier, and delivery speed linked to the order
- optional classification-help answers provided in the intake form
Billing and payment data:
- billing name and address
- VAT number (if provided)
- payment confirmation and transaction reference (via Stripe — LUMGEX does not receive or store full payment card numbers)
Service and technical data:
- delivery records and service metadata (timestamps, status, report identifiers)
- technical data collected automatically when you visit the website (IP address, browser type, pages visited)
- integrity and audit records, including content hashes where used
Business enquiry data:
- if you contact LUMGEX about an agency, partner, or enterprise enquiry, we may collect your name, company, email, and the content of your message
4. What we do not collect in the standard IR flow
The standard public IR ordering and project-input flow does not intentionally collect:
- payment card numbers (these are handled entirely by Stripe and never reach LUMGEX systems),
- Amazon Seller Central login credentials or passwords,
- intake call recordings or transcripts (the standard IR flow does not include an intake call),
- compliance-document uploads as part of the normal checkout or project-input form,
- sensitive personal data (racial or ethnic origin, political opinions, health data, etc.) unless explicitly required for a specific support case and only with your consent.
5. Why we process your data
We process personal data for the following purposes:
| Purpose | Legal basis (GDPR) |
|---|---|
| Fulfil your IR order and deliver the report | Performance of a contract (Art. 6(1)(b)) |
| Process payment and issue invoices | Performance of a contract / legal obligation |
| Communicate about your order, inputs, or delivery | Performance of a contract |
| Respond to support or business enquiries | Legitimate interest (Art. 6(1)(f)) |
| Maintain service integrity and audit records | Legitimate interest |
| Comply with Dutch tax, accounting, and legal obligations | Legal obligation (Art. 6(1)(c)) |
| Improve the service and fix technical issues | Legitimate interest |
6. Subprocessors
LUMGEX uses the following third-party service providers to operate the current IR website and ordering flow:
| Provider | Purpose | Location |
|---|---|---|
| Hetzner | Server hosting (n8n workflow engine) | Germany (EU) |
| Hostinger | Website hosting and DNS | Lithuania (EU) |
| Tally | Post-purchase project-input forms | Belgium (EU) |
| Stripe | Payment processing | US (EU SCCs) |
| Airtable | Order and delivery records | US (EU SCCs) |
| Make (Integromat) | Workflow orchestration | EU |
| Google Workspace | Email and file delivery (Google Drive) | US (EU SCCs) |
| OpenAI | AI-assisted report generation | US (EU SCCs / DPA) |
Where a subprocessor is located outside the EEA, transfers are made under Standard Contractual Clauses (SCCs) or equivalent mechanisms as required by GDPR Chapter V.
A Data Processing Agreement covering these subprocessors is available at /dpa.html.
7. Cookies and tracking
The LUMGEX website currently uses only functional and session cookies necessary for the website to operate (e.g., form state, navigation).
LUMGEX does not use third-party advertising cookies or cross-site tracking pixels.
If this changes in the future, this policy and any required consent mechanism will be updated accordingly.
8. Data retention
| Data type | Retention period |
|---|---|
| Prospects with no purchase | 90 days, then deleted |
| Suppression list (unsubscribe records) | Indefinite (minimal data: email only) |
| Order, delivery, and service records | Up to 18 months, unless longer retention is needed for legal claims or ongoing support |
| Billing, invoicing, and tax records | 7 years (Dutch tax obligation) |
| Integrity and audit records, including hashes | Up to 7 years |
| Security and execution logs | Up to 30 days, unless retained for an active incident investigation |
After the applicable retention period, data is deleted or anonymised unless a legal hold applies.
9. Your rights under GDPR
If you are in the EEA, you have the right to:
- access your personal data,
- rectify inaccurate data,
- erase your data (subject to legal retention requirements),
- restrict processing in certain circumstances,
- data portability (receive your data in a structured, machine-readable format),
- object to processing based on legitimate interest,
- not be subject to solely automated decision-making with legal or similarly significant effects, where applicable.
To exercise any of these rights, contact privacy@lumgex.com. LUMGEX aims to respond without undue delay and in principle within one calendar month.
You also have the right to lodge a complaint with the Dutch Data Protection Authority:
https://autoriteitpersoonsgegevens.nl
10. International transfers
Where personal data is transferred outside the EEA (e.g., to US-based subprocessors), LUMGEX relies on Standard Contractual Clauses, adequacy decisions, or other mechanisms recognised under GDPR Chapter V.
11. Security
LUMGEX implements reasonable technical and organisational measures to protect personal data, including encrypted connections (HTTPS), access controls, and subprocessor due diligence.
No system is perfectly secure. If LUMGEX becomes aware of a data breach likely to result in a risk to your rights, LUMGEX will notify the relevant supervisory authority and, where required, affected individuals in accordance with GDPR Articles 33 and 34.
12. Children
LUMGEX services are intended for businesses and professionals. LUMGEX does not knowingly collect personal data from individuals under 16 years of age.
13. Changes to this policy
LUMGEX may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the latest published version.
Material changes will be communicated through the website or by email where appropriate.
14. Contact
For any privacy-related questions or requests: