Privacy Policy
Last Updated: January 25, 2026
Effective Date: January 25, 2026
Lumenya (“we,” “us,” “our,” or “Company”) respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website https://www.lumenya.com (the “Site”), purchase our products or services (including online courses, physical products, and in-person sessions), or interact with us in any other way.
By using the Site or providing your information to us, you consent to the data practices described in this policy. If you do not agree, please do not use our Site or services.
1. Information We Collect
We collect several types of information to provide and improve our services to you.
A. Information You Provide Directly:
- Identity & Contact Data: Name, email address, billing and shipping address, phone number, country.
- Transaction & Financial Data: Details of products/services purchased, payment method information (processed securely by our third-party payment processors; we do not store full card numbers).
- Profile & Communications Data: Account password, purchases, workshop/course progress, preferences, feedback, survey responses, and the content of your communications with us (e.g., support requests, emails).
- Health & Wellness Data (Special Category Data): For in-person treatments or services, you may voluntarily provide information about your health, well-being, or intentions. We process this sensitive data only with your explicit, informed consent, which will be obtained separately at the point of collection, and use it strictly for the purpose of providing the requested service.
B. Information Collected Automatically:
- Technical & Usage Data: Internet protocol (IP) address, browser type and version, time zone setting, browser plug-in types, operating system, device information, and other technology on the devices you use to access this Site.
- Website Interaction Data: Information about how you use our Site, including the full clickstream to, through, and from our Site (including date and time), pages viewed, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page.
C. Information from Third Parties:
We may receive limited information about you from:
- Payment Processors (e.g., Stripe, PayPal) to confirm your transaction.
- Social Media Platforms (if you interact with our profiles or use social login features).
- Analytics Providers (e.g., Google Analytics, anonymized data).
2. How We Use Your Information
We use your personal data only for lawful and specified purposes. Our primary legal bases under GDPR are: Performance of a Contract, Legitimate Interests, Your Consent, and Legal Obligation.
| Purpose / Activity | Type of Data Used | Lawful Basis for Processing |
|---|---|---|
| To register you as a new customer and manage your account. | Identity, Contact, Profile. | Performance of a contract with you. |
| To process and deliver your order, manage payments, fees, and charges, and collect/recover money owed to us. | Identity, Contact, Transaction, Financial. | Performance of a contract, Legitimate interest (to recover debts). |
| To provide you with access to online courses/workshops and track your progress. | Identity, Contact, Profile, Usage. | Performance of a contract. |
| To schedule and perform in-person services, treatments, or consultations. | Identity, Contact, Health & Wellness Data (with explicit consent). | Performance of a contract, Explicit Consent (for sensitive data). |
| To manage our relationship, notify you about changes to terms or policies, and ask you to leave a review. | Identity, Contact, Profile, Marketing. | Performance of a contract, Legal obligation, Legitimate interests (to keep records updated). |
| To send you marketing communications about our products, services, and offers (where you have not opted out). | Identity, Contact, Profile, Marketing. | Consent (for email marketing) or Legitimate interests (for existing customers regarding similar products/services – “soft opt-in”). |
| To administer and protect our business and this Site (including troubleshooting, data analysis, security). | Identity, Contact, Technical, Usage. | Legitimate interests (for running our business, network security, fraud prevention). |
| To deliver relevant website content and advertisements to you and measure/understand the effectiveness of our ads. | Identity, Contact, Profile, Usage, Marketing, Technical. | Consent (for non-essential cookies and analytics), Legitimate interests (to study how customers use our services, grow our business). |
| To use data analytics to improve our Site, products/services, marketing, and user experiences. | Technical, Usage. | Consent (where required), Legitimate interests (to define types of customers, keep Site updated, develop strategy). |
| To comply with legal or regulatory requirements (e.g., tax, accounting). | Identity, Contact, Transaction, Financial. | Legal obligation. |
3. How We Share Your Information
We do not sell your personal data. We only share it in the following limited circumstances:
- Service Providers: Trusted third parties who perform services on our behalf (“Processors”), such as hosting, payment processing, email delivery, customer support, analytics, and marketing services. They are contractually bound to use your data only as instructed and to protect it.
- Professional Advisors: Accountants, lawyers, insurers, and auditors where necessary.
- Legal & Regulatory Authorities: If required to do so by law or in response to valid requests by public authorities (e.g., a court or government agency).
- Business Transfers: In connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business by another company.
- With Your Consent: For any other purpose disclosed to you with your prior consent.
4. International Data Transfers
Our operations are based in Spain. However, some of our service providers may be located outside the European Economic Area (EEA). We ensure any transfer of your data outside the EEA is protected by appropriate safeguards, such as the European Commission’s Standard Contractual Clauses, or occurs to countries deemed to provide an adequate level of data protection.
5. Data Security
We implement state-of-the-art technical and organizational measures designed to protect your personal data from unauthorized access, alteration, disclosure, or destruction. These include encryption (SSL/TLS), regular security assessments, access controls, and secure data storage. However, no method of transmission over the Internet or electronic storage is 100% secure, and we cannot guarantee absolute security.
6. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which we collected it, including to satisfy any legal, accounting, or reporting requirements. Our retention periods are based on the nature of the data and the purpose for its collection. For example:
- Customer Purchase Records: Retained for 6 years from the end of the financial year of the transaction (to comply with tax law).
- Marketing Consent: Retained for as long as you remain subscribed; we regularly review and refresh consents.
- Website Analytics Data: Typically anonymized or deleted after 26 months.
- Health & Wellness Data: Retained only for the duration necessary to provide the service and for a short follow-up period, unless you provide consent for longer retention.
7. Your Rights Under Data Protection Laws
Depending on your location (e.g., EU, UK, California), you may have the following rights regarding your personal data:
- Right to Access: Request a copy of the personal data we hold about you.
- Right to Rectification: Request correction of inaccurate or incomplete data.
- Right to Erasure (“Right to be Forgotten”): Request deletion of your data under certain conditions.
- Right to Restrict Processing: Request a temporary halt to processing your data.
- Right to Data Portability: Receive your data in a structured, machine-readable format.
- Right to Object: Object to processing based on our legitimate interests or for direct marketing.
- Right to Withdraw Consent: Where we rely on consent, you can withdraw it at any time.
- Right to Non-Discrimination & Opt-Out of Sale/Sharing (for CA residents): We do not sell your data. You have the right to opt-out of any future “sharing” for cross-context behavioral advertising.
To exercise any of these rights, please contact us at [email protected] or use the contact details below. We may need to verify your identity before processing your request. We will respond within one month.
8. Cookies and Tracking Technologies
Our Site uses cookies and similar technologies to distinguish you from other users, analyze trends, and administer the Site. You can control cookies through your browser settings. For a detailed explanation of the cookies we use and their purposes, please see our Cookie Policy.
9. Children’s Privacy
Our Site and services are not intended for individuals under the age of 16 (“Children”). We do not knowingly collect personal data from Children. If you are a parent or guardian and believe your child has provided us with data, please contact us. If we learn we have collected such data, we will delete it promptly.
10. Third-Party Links
Our Site may contain links to third-party websites or applications. This Privacy Policy does not apply to those third parties. We encourage you to review the privacy policies of every site you visit.
11. Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices or for legal reasons. We will post the updated policy on this page with a revised “Last Updated” date. We will notify you of any material changes via email or a prominent notice on our Site.
12. Contact Us & Data Controller
If you have any questions about this Privacy Policy or our privacy practices, or if you wish to exercise your rights, please contact our Data Protection Officer (DPO) at:
Lumenya
Attn: Data Protection Officer / Privacy Team
Marqués de Campo 66
03700 Denia, Spain
Email: [email protected]
You have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, place of work, or place of the alleged infringement. For Spain, this is the Agencia Española de Protección de Datos (AEPD).