Privacy policy.

Last updated: 08/07/2025

1.1 Lumin Solutions Ltd (we, us, our) respects your privacy and is committed to protecting

your personal data. This privacy notice sets out how we collect and process your

personal data when we provide goods and / or services to you, when you communicate

with us or when you visit our website or any other associated websites under our control

(websites) and tells you about your privacy rights and how the law protects you.

1.2 It is important that you read this privacy notice together with any other privacy notice or

fair processing notice we may provide on specific occasions when we are collecting or

processing personal data about you so that you are fully aware of how and why we are

using your data. This privacy policy supplements the other notices and is not intended

to override them.

1.3 We have appointed a data protection officer (DPO) who is responsible for overseeing

questions in relation to this privacy notice. If you have any such questions, including any

requests to exercise your legal rights, please contact the DPO by emailing

bmiller@luminsolutions.co.uk or by writing to Data Protection Officer at 5 Aelfrith Court,

Kingston Bagpuize, Oxford, OX13 5PW.

1.4 You have the right to make a complaint at any time to the Information Commissioner’s

Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk).

We would, however, appreciate the chance to deal with your concerns before you

approach the ICO so please contact us in the first instance.

2 CHANGES TO THE PRIVACY NOTICE AND YOUR DUTY TO INFORM US OF

CHANGES

2.1 We reserve the right to update and change this privacy notice from time to time in order

to reflect any changes to the way in which we process your personal data or changing

legal requirements. In case of any changes, we will publish the changed privacy notice

on our websites and may publish or bring it to your attention by other means. The

changes will take effect as soon as they are posted on our website.

2.2 It is important that the personal data we hold about you is accurate and current. Please

keep us informed if your personal data changes during your relationship with us.

3 PERSONAL DATA ABOUT OTHER PEOPLE WHICH YOU PROVIDE TO US

3.1 If you provide personal data to us about someone else (directors or employees, or

someone with whom you have business dealings) you must ensure you are entitled to

disclose that personal data to us and that, without our taking any further steps, we may

collect, use and disclose that personal data as described in this privacy notice. You

must ensure that the individual concerned is aware of the various matters detailed in

this privacy notice.

3.2 Our websites may include links to third-party websites, plug-ins and applications.

Clicking on those links or enabling those connections may allow third parties to collect

or share data about you. We do not control these third-party websites and are not

responsible for their privacy statements. When you leave our websites, we recommend

and encourage you to read the privacy notice of any other website you visit.

4 DATA WE COLLECT ABOUT YOU

4.1 Personal data, or personal information, means any information which is related to an

identified or identifiable natural person (i.e. you as an individual). It excludes any data

which does not relate to an identified or identifiable individual or personal data rendered

anonymous in such a manner that you (as the data subject) are not identified or no

longer identifiable (anonymous data).

4.2 We may collect, use, store and transfer different kinds of personal data about you which

we have grouped together as follows:

Identity Data includes first name, maiden name, last name, job title, username or similar

identifier used by you on any of our platforms or portals, marital status, title, date of birth

and gender.

Contact Data includes postal address (including home, delivery and billing addresses),

email address and telephone numbers.

Financial Data includes bank account, payment card details and other data necessary

for fraud prevention and other related billing information.

Instruction Data includes business information necessarily processed in a project or

customer contractual relationship with us or voluntarily provided by you, such as

instructions given, payments made and requests.

Technical Data includes internet protocol (IP) address, your login data, browser type

and version, time zone setting and location, browser plug-in types and versions,

operating system and platform and other technology on the devices you use to access

our websites.

Usage Data includes information about how you use our websites, products and

services.

Marketing and Communications Data includes your preferences in receiving marketing

from us and our third parties and your communication preferences.

4.3 "Special Category Data" means personal data revealing racial or ethnic origin, political

opinions, religious or philosophical beliefs, trade union membership, data concerning

health, data concerning sex life or sexual orientation. We do not collect any Special

Category Data about you. Nor do we collect any information about criminal convictions

and offences.

4.4 We also collect, use and share Aggregated Data such as statistical or demographic

data for any purpose. Aggregated Data may be derived from your personal data but is

not considered personal data in law as this data does not directly or indirectly reveal

your identity. However, if we combine or connect Aggregated Data with your personal

data so that it can directly or indirectly identify you, we treat the combined data as

personal data which will be used in accordance with this privacy notice.

5 IF YOU FAIL TO PROVIDE PERSONAL DATA

Where we need to collect personal data by law, or under the terms of a contract we

have with you and you fail to provide that data when requested, we may not be able to

perform the contract we have or are trying to enter into with you. In this case, we may

have to cancel a product or service you have with us but we will notify you if this is the

case at the time.

6 HOW IS YOUR PERSONAL DATA COLLECTED?

6.1 We use different methods to collect data from and about you including through:

6.1.1 Direct interactions. You may give us your personal data by filling in forms or

by corresponding with us by post, phone, email or otherwise. This includes

personal data you provide when you or your organisation seek our products or

services, create an account or use any service on our websites, subscribe to

our services or publications, make an enquiry or otherwise interact on our

websites (including by using any chat function on any of our websites), offer to

provide or actually provide services to us, request marketing to be sent to you,

enter a competition, promotion or survey or give us feedback.

6.1.2 Automated technologies or interactions. As you interact with our websites,

we may automatically collect Technical Data about your equipment, browsing

actions and patterns. We collect this personal data by using cookies, server

logs and other similar technologies. We may also receive Technical Data about

you if you visit other websites employing our cookies or if you receive emails

from us via our third party provider’s marketing tool.

6.1.3 Third parties or publicly available sources. We may receive personal data

about you from various third parties and public sources including analytics

providers such as Google based outside the UK; advertising networks; search

information providers, data brokers or aggregators who may be based inside

and/or outside the UK.

7 HOW WE USE YOUR PERSONAL DATA

7.1 We will only use your personal data when the law allows us to. Most commonly, we will

use your personal data in the following circumstances:

7.1.1 Where we need to perform the contract we are about to enter into or have

entered into with you. This includes:

Processing and delivering products and services to you including managing

payments, fees and charges and collecting and recovering money owed to us

– our legitimate interest is being able to recover debts owed to us.

Managing our relationship with you including notifying you about changes to

our terms or privacy notice and asking you to provide a reference or take a

survey.

Enabling you to partake in a prize draw, competition or complete a survey or to

attend an event that we are organising alone or jointly with others.

7.1.2 Where it is necessary for our legitimate interests (or those of a third party) and

your interests and fundamental rights do not override those interests. This

includes:

Registering you as a new customer and processing and delivering products

and services to you – our legitimate interest is being able to provide services

or products to you and/or being able to recover debts owed to us.

Managing our relationship with you including notifying you about changes to

our terms or privacy notice and asking you to provide a reference or take a

survey – our legitimate interest is keeping our records updated and studying

how customers use our products/services.

Enabling you to partake in a prize draw, competition or complete a survey or to

attend an event that we are organising alone or jointly with others – our

legitimate interest is studying how customers use our products/services,

developing them and growing our business.

Administering and protecting our business and our websites – our legitimate

interest is running our business, providing administration and IT services,

network security, preventing fraud and in the context of a business

reorganisation or group restructuring exercise.

Delivering relevant website content and marketing to you and measuring or

understanding the effectiveness of the marketing we serve to you – our

legitimate interest is studying how customers use our products/services,

developing them, growing our business and informing our marketing strategy.

Using data analytics to improve our websites, products/services, marketing,

customer relationships and experiences – our legitimate interest is defining

types of customers for our products and services, keeping our websites

updated and relevant, developing our business and informing our marketing

strategy.

Making suggestions and recommendations to you about goods or services that

may be of interest to you – our legitimate interest is developing our

products/services and growing our business.

7.1.3 Where we need to comply with a legal or regulatory obligation or where the

processing is necessary for the establishment, exercise or defence of legal

claims. This includes:

Registering you as a new customer and processing and delivering products

and services including collecting and recovering money owed to us.

Managing our relationship with you including notifying you about changes to

our terms or privacy notice and asking you to provide a reference or take a

survey.

Administering and protecting our business and our websites.

Complying with legal or regulatory obligations (such as record keeping),

compliance screening or recording (such as anti-money laundering and fraud

and crime prevention) and court orders.

7.1.4 Where we need to carry out a task in the public interest (for example the

prevention of fraud). This includes:

Registering you as a new customer and processing and delivering products

and services to you.

Complying with legal or regulatory obligations (such as record keeping),

compliance screening or recording (such as anti-money laundering and fraud

and crime prevention) and court orders.

7.1.5 Where you have provided your consent, including:

Where you request or subscribe to any of our publications or newsletters.

Where you make an enquiry or otherwise interact on our websites (including

by any chat function on any of our websites).

Where you attend a seminar or other event or complete a survey.

Where you request marketing to be sent to you.

8 MARKETING

8.1 You may receive marketing communications from us if you have requested information

from us or purchased products or services from us or if you provided us with details

when you registered to take part in an event that we are organising either alone or in

conjunction with others and, in each case, you have not opted out of receiving that

marketing.

8.2 We will get your express opt-in consent before we share your personal data with any

company outside our group for marketing purposes.

8.3 You can ask us to stop sending you marketing messages at any time by following the

opt-out links on any marketing message sent to you or by contacting us at any time.

8.4 Where you opt out of receiving these marketing messages, this will not apply to

personal data provided to us as a result of a product/service purchase or other

transactions. Opting out will not apply to any personal data that we are required to keep

for regulatory, compliance or legal reasons.

9 CHANGE OF PURPOSE

9.1 We will only use your personal data for the purposes for which we collected it, unless

we reasonably consider that we need to use it for another reason and that reason is

compatible with the original purpose. If you wish to get an explanation as to how the

processing for the new purpose is compatible with the original purpose, please contact

us.

9.2 If we need to use your personal data for an unrelated purpose, we will notify you and we

will explain the legal basis which allows us to do so.

9.3 Please note that we may process your personal data without your knowledge or

consent, in compliance with the above rules, where this is required or permitted by law.

10 COOKIES

You can set your browser to refuse all or some browser cookies, or to alert you when

websites set or access cookies. If you disable or refuse cookies, please note that some

parts of our websites may become inaccessible or not function properly.

11 DISCLOSURES OF YOUR PERSONAL DATA

11.1 We may have to share your personal data with third parties for the purposes set out in

paragraph 4 above. The third parties we may share personal data with are:

11.1.1 Other companies in our group who are based in the United Kingdom and

undertake or provide complementary or similar legal and commercial support

products and services.

11.1.2 Service providers acting as processors who provide IT and system

administration services.

11.1.3 Organisations who provide services for money laundering checks, credit risk

reduction and other fraud and crime prevention purposes and organisations

providing similar services, including financial institutions, credit reference

agencies and regulatory bodies with whom such personal data is shared.

11.1.4 Professional advisers including bankers, auditors and insurers based in the

EEA or outside the EEA who provide consultancy, banking, insurance and

accounting services.

11.1.5 HM Revenue & Customs, regulators and other authorities who require

reporting of processing activities in certain circumstances.

11.1.6 Courts, law enforcement authorities, regulators or attorneys or other parties

based inside and outside the EEA as appropriate for the purpose (where it is

reasonably necessary) of the establishment, exercise or defence of a legal or

equitable claim, or for the purposes of dispute resolution.

11.1.7 Third parties to whom we may choose to sell, transfer, or merge parts of our

business or our assets. Alternatively, we may seek to acquire other businesses

or merge with them. If a change happens to our business, then the new

owners may use your personal data in the same way as set out in this privacy

notice.

11.2 We require all third parties to respect the security of your personal data and to treat it in

accordance with the law. We only permit our third party service providers to process

your personal data for specified purposes and in accordance with our instructions.

12 INTERNATIONAL TRANSFERS

12.1 Some of our third party service providers (including any sub-processors appointed by

them) are based outside the UK so their processing of your personal data will involve a

transfer of data outside the UK.

12.2 Whenever we (and/or our third party service providers) transfer your personal data out

of the UK, we will ensure a similar degree of protection is afforded to it by ensuring at

least one of the following safeguards is implemented:

12.2.1 Your personal data is only transferred to countries that have been deemed to

provide an adequate level of protection for personal data.

12.2.2 Where we (and/or our third party service providers) use certain service

providers, specific contracts approved for use in the UK which give personal

data the same protection it has in the UK are used, or any alternative transfer

mechanisms as recognised by applicable data protection law are

implemented.

12.3 Please contact us if you want further information on the specific mechanism used by us

when transferring your personal data out of the UK.

13 DATA SECURITY

13.1 We have put in place appropriate security measures to prevent your personal data from

being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.

In addition, we limit access to your personal data to those employees, agents,

contractors and other third parties who have a business need to know. They will only

process your personal data on our instructions and they are subject to a duty of

confidentiality.

13.2 We have put in place procedures to deal with any suspected personal data breach and

will notify you and any applicable regulator of a breach where we are legally required to

do so.

14 DATA RETENTION

14.1 We will only retain your personal data for as long as necessary to fulfil the purposes we

collected it for, including for the purposes of satisfying any legal, accounting, or

reporting requirements.

14.1.1 To determine the appropriate retention period for personal data, we consider

the amount, nature, and sensitivity of the personal data, the potential risk of

harm from unauthorised use or disclosure of your personal data, the purposes

for which we process your personal data and whether we can achieve those

purposes through other means, and the applicable legal requirements.

14.1.2 In some circumstances we may anonymise your personal data (so that it can

no longer be associated with or identify you) for research or statistical

purposes in which case we may use this information indefinitely without further

notice to you.

15 YOUR LEGAL RIGHTS

15.1 Under certain circumstances, you have rights under data protection laws in relation to

your personal data. These rights are to:

15.1.1 Request access to your personal data (commonly known as a “data subject

access request”).

15.1.2 Request correction of your personal data.

15.1.3 Request erasure of your personal data.

15.1.4 Object to processing of your personal data.

15.1.5 Request restriction of processing your personal data.

15.1.6 Request transfer of your personal data to you or to a third party in a structured,

commonly used, machine-readable format.

15.1.7 Withdraw consent at any time where we are relying on consent to process

your personal data.

15.2 If you wish to exercise any of the rights set out above, please contact our DPO.