GDPR

GDPR Information Obligation

The following information constitutes a concise, clear, and transparent summary of the details included in the Privacy Policy regarding the Data Controller, the purpose and method of personal data processing, and your rights related to such processing, in the form required to fulfill the GDPR information obligation. Detailed information concerning the processing methods and entities involved in this process is available in the indicated policy.

Who is the data controller?

The Personal Data Controller (hereinafter referred to as the Controller) is "Lumenux / Vasylyna Nawrocka", providing electronic services via the Service.

How can you contact the data controller?

You may contact the Controller in one of the following ways:

  • Email address - contact@lumenux.pl

  • Contact form - available at: https://lumenux.pl/en/contact-us

Has the Controller appointed a Data Protection Officer?

Pursuant to Article 37 of the GDPR, the Controller has not appointed a Data Protection Officer.

For matters concerning data processing, including personal data, please contact the Controller directly.

Where do we obtain personal data from and what are its sources?

Data is obtained from the following sources:

  • from the data subjects
  • in the case of registration via social media platforms, from those platforms with the explicit and informed consent of the data subjects

What is the scope of the personal data we process?

The Service processes standard personal data voluntarily provided by data subjects (e.g., first name, last name, username, email address, phone number, IP address, etc.).

The detailed scope of processed data is available in the Privacy Policy.

What are the purposes of processing your data?

Personal data voluntarily provided by Users is processed for one of the following purposes:

  • Provision of user account registration and maintenance services
  • Newsletter services (including sending marketing content with consent)
  • Commenting / liking posts
  • Communication between the Controller and Users regarding matters related to the Service
  • Pursuing the Controller’s legitimate interests

What are the legal grounds for data processing?

The Service collects and processes User data based on:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation)
    • Article 6(1)(a) – the data subject has given consent to the processing of their personal data for one or more specific purposes
    • Article 6(1)(b) – processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract
    • processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party
  • Polish Personal Data Protection Act of 10 May 2018
  • Polish Telecommunications Law of 16 July 2004
  • Polish Copyright and Related Rights Act of 4 February 1994

What legitimate interests are pursued by the Controller?

  • To establish, pursue, or defend against claims – the legal basis for processing is our legitimate interest (Article 6(1)(f) GDPR) consisting of protecting our rights, including but not limited to
  • Assessing potential client risk
  • Evaluating planned marketing campaigns
  • Conducting direct marketing activities

How long do we process personal data?

As a rule, the indicated personal data is stored only for the duration of the service provided within the Service by the Controller. It is deleted or anonymized within 30 days from the termination of service provision (e.g., deletion of a registered user account, unsubscribing from the Newsletter, etc.).

In exceptional cases, in order to protect the legitimate interests pursued by the Controller, this period may be extended. In such a case, the Controller will store the indicated data from the time of the User’s request for deletion, no longer than 3 years in the event of a violation or suspected violation of the Service Terms and Conditions by the data subject.

Who are the recipients of the data, including personal data?

As a rule, the sole recipient of the data is the Controller.

However, data processing may be entrusted to other entities providing services to the Controller in order to maintain the operation of the Service.

  • Hosting companies providing hosting or related services to the Controller
  • Companies through which the Newsletter service is provided
  • IT service and support companies responsible for maintenance or IT infrastructure
  • Companies intermediating online payments for goods or services offered within the Service (in the case of purchase transactions)
  • Companies intermediating mobile payments for goods or services offered within the Service (in the case of purchase transactions)
  • Companies responsible for the Controller’s accounting (in the case of purchase transactions)
  • Companies responsible for delivering physical products to the User (postal / courier services in the case of purchase transactions)

Will your personal data be transferred outside the European Union?

Personal data is not transferred outside the European Union.

Will personal data be used for automated decision-making?

Personal data is used for automated decision-making (profiling).
Profiling does not produce legal effects or similarly significantly affect the data subject.

What rights do you have regarding the processing of personal data?

  • Right of access to personal data
    Users have the right to obtain access to their personal data upon request submitted to the Controller.

  • Right to rectification of personal data
    Users have the right to request the Controller to promptly rectify inaccurate personal data and/or complete incomplete personal data, upon request submitted to the Controller.

  • Right to erasure of personal data
    Users have the right to request the Controller to promptly delete their personal data, upon request submitted to the Controller.


    In the case of user accounts, deletion of data consists of anonymizing data enabling User identification.
    In the case of the Newsletter service, the User may independently delete their personal data using the unsubscribe link included in every email message.

  • Right to restriction of processing
    Users have the right to restrict processing in the cases specified in Article 18 GDPR, including contesting the accuracy of personal data, upon request submitted to the Controller.

  • Right to data portability
    Users have the right to receive from the Controller their personal data in a structured, commonly used, machine-readable format, upon request submitted to the Controller.

  • Right to object to processing
    Users have the right to object to the processing of their personal data in the cases specified in Article 21 GDPR, upon request submitted to the Controller.

  • Right to lodge a complaint
    Users have the right to lodge a complaint with the supervisory authority responsible for personal data protection.