Privacy Policy
Last Updated: March 12, 2026
1. Introduction & Controller Identity
This Privacy Policy explains how lumionyx ("we", "us", "our") collects, uses, and protects personal data when you visit our website and when you contact us about online courses, webinars, masterclasses, intensives, or other educational programs.
For the purposes of the General Data Protection Regulation (GDPR) and applicable German data protection law, the data controller is:
- Lumionyx Learning GmbH
- Leopoldstraße 256, 80807 Munich, Germany
- Email: [email protected]
- Phone: +49 89 2154 6278
We do not currently designate a Data Protection Officer (DPO) because we do not conduct large-scale processing of special-category data as a core activity. If this changes, we will update this policy and provide DPO contact details.
2. Personal Data We Collect
We collect personal data in a few clear situations: when you browse our pages, when you use our contact forms, and when you set cookie preferences. The categories below describe what we may process.
- Identity and contact data: name, email address, phone number (if provided), and similar identifiers you submit.
- Form content: messages, program interest, preferred dates, and any details you include when requesting course or webinar information.
- Technical data: IP address, browser type and version, device type, operating system, language settings, and approximate location derived from IP (country/city level).
- Usage data: pages viewed, time on pages, referral source, click paths, and interactions with site elements (for example, cookie preference actions).
- Cookies and identifiers: cookie IDs and similar identifiers described in Section 4 and our Cookie Policy.
- Conversion events: events such as form submissions, which help us measure whether the site is working and (where enabled) whether advertising campaigns are effective.
We do not intentionally collect special-category data (such as health data, biometric data, religious or political beliefs) through our website. We also do not request financial account details or government identification numbers through our standard contact flow. Please avoid sharing sensitive information in open text fields.
3. Why We Process Personal Data & Legal Basis
We process personal data only for specific, limited purposes. If you are located in the European Economic Area (EEA) or the United Kingdom, we rely on the legal bases under Article 6 of the GDPR (and the UK GDPR, where applicable).
- Handling inquiries and requests (contact forms and email): We process your identity, contact details, and message to reply with schedules, program details, and next steps. Legal basis: Art. 6(1)(b) (steps prior to entering a contract) and Art. 6(1)(a) (consent, where applicable for optional fields).
- Analytics and site improvement: If you consent, we use analytics to understand which pages help users find the information they need and where improvements are required. Legal basis: Art. 6(1)(a) (consent).
- Marketing measurement and audience building: If you consent, we may use marketing cookies and pixels to measure ads, understand conversions, and build audiences (including custom and lookalike audiences) for future campaigns. Legal basis: Art. 6(1)(a) (consent).
- Security, abuse prevention, and reliability: We process technical data (including IP addresses) to protect the site, limit fraud, and ensure stable delivery. Legal basis: Art. 6(1)(f) (legitimate interests), balanced against user rights.
- Legal and compliance obligations: If required by law, we may retain certain correspondence or records. Legal basis: Art. 6(1)(c) (legal obligation).
Automated decision-making: We do not engage in automated decision-making or profiling that produces legal or similarly significant effects as described in Article 22 GDPR.
4. Cookies & Tracking
Cookies are small text files stored on your device. We also use similar technologies (pixel tags and server-side signals) that can operate alongside cookies. We categorize technologies into three groups: Essential, Analytics, and Marketing. These categories match our Cookie Policy.
Essential (always active)
Essential cookies and similar storage are required for core site functionality and security. They include:
- _site_session: maintains basic site session continuity.
- cookie_consent: stores your cookie consent choice so we can respect it.
- CSRF and security controls: may be used to protect forms and the site from abuse.
Retention: from the browser session up to 12 months, depending on the cookie; the consent record is typically kept for 12 months in the browser.
Analytics (requires consent)
If you consent, analytics cookies help us understand how people use our pages so we can improve clarity, navigation, and performance. We may use Google Analytics 4 (GA4) with IP anonymization features where available and configured.
- _ga (typical retention: 2 years)
- _ga_XXXXXXXXXX (typical retention: 2 years; GA4 property-specific identifier)
Data retention for analytics events is typically configured for 14 months.
Marketing (requires consent)
If you consent, marketing cookies and pixels help measure advertising performance and show relevant messages to people who have previously visited our site. Typical examples include:
- _gcl_au (Google Ads conversion linker; typical retention: 90 days)
- _fbp (Meta Pixel browser identifier; typical retention: 90 days)
- _fbc (Meta click identifier; typical retention: 90 days when click IDs are set)
In addition to browser cookies, marketing measurement can include pixel tags (such as gtag.js or Meta Pixel) and, in some configurations, server-side tracking (for example, via Meta Conversion API or server-side tag management). Where server-side signals are used, identifiers may be hashed before transmission, depending on the integration.
5. Consent and How to Withdraw It
Users in the EEA and UK receive a consent notice under GDPR/UK GDPR. Analytics and marketing cookies activate only after explicit, informed, freely given consent (Art. 6(1)(a)). Your choice is recorded in the cookie_consent browser cookie (typically for 12 months).
You can withdraw consent at any time by using the "Manage cookie preferences" link in the site footer or by clearing cookies in your browser. Withdrawal does not affect the lawfulness of processing based on consent before it was withdrawn.
6. Sharing With Advertising & Service Partners
We share personal data only where necessary to operate the site, respond to inquiries, and (where you consent) measure and improve marketing. We do not sell personal data.
- Google LLC (Google Analytics 4, Google Ads, tag management, remarketing): may receive cookie identifiers, usage data, and conversion events depending on your consent choices. Privacy policy: https://policies.google.com/privacy
- Meta Platforms, Inc. (Meta Pixel, Custom/Lookalike Audiences, Conversion API): may receive page views, conversions, audience membership signals, and limited identifiers depending on your consent choices. Privacy policy: https://www.facebook.com/privacy/policy
- Cloudflare, Inc. (content delivery network and security): may process technical data such as IP addresses for security and performance. Privacy policy: https://www.cloudflare.com/privacypolicy/
These providers may act as processors or independent controllers depending on the specific service. We configure settings where available to limit unnecessary data collection and to respect consent choices. We do not permit these providers to use site data for their own independent commercial purposes beyond providing services to us, subject to their platform terms and technical operations.
7. International Transfers
Some service providers are located outside the EEA/UK, including in the United States. Where personal data is transferred internationally, we rely on appropriate safeguards, which may include:
- EU-US Data Privacy Framework (DPF) (primary mechanism since July 2023 where applicable)
- UK Extension to the EU-US DPF
- Swiss-US DPF (where applicable)
- Standard Contractual Clauses (EU 2021/914) as a fallback
- UK International Data Transfer Agreement (IDTA) as a fallback
We also apply reasonable technical and organizational measures to reduce transfer risk, such as limiting data fields and using encryption in transit.
8. Data Retention
We keep personal data only as long as needed for the purposes described in this policy. Typical retention periods include:
- Contact submissions: up to 2 years from the last meaningful interaction, unless a longer period is required for legal reasons.
- Analytics data: typically 14 months (configuration may vary depending on the analytics tool).
- Marketing cookies: retained according to cookie lifetimes (commonly 90 days for _gcl_au, _fbp, and _fbc).
- Email correspondence: duration of the relationship plus up to 1 year for continuity and audit needs.
- Server/security logs: typically up to 90 days, unless required longer for incident investigation.
- Cookie consent record: up to 3 years for audit purposes, and/or per cookie lifetime in the browser.
- Legal/tax records: retained as required by applicable law (commonly 6–10 years for invoice-related records).
9. Your Rights (GDPR & UK GDPR)
If you are in the EEA or the UK, you may have the following rights under data protection law:
- Right of access (Art. 15)
- Right to rectification (Art. 16)
- Right to erasure (Art. 17)
- Right to restriction of processing (Art. 18)
- Right to data portability (Art. 20)
- Right to object (Art. 21)
- Right to withdraw consent at any time (Art. 7(3))
- Right to lodge a complaint with a supervisory authority (Art. 77)
To exercise your rights, contact us at [email protected]. We typically respond within 30 days. This may be extended by up to 60 additional days for complex requests, in which case we will notify you.
Supervisory authority references:
- EEA overview: https://edpb.europa.eu/
- United Kingdom (ICO): https://ico.org.uk/
- Germany (BfDI): https://www.bfdi.bund.de/
- France (CNIL): https://www.cnil.fr/
- Poland (UODO): https://uodo.gov.pl/
- Spain (AEPD): https://www.aepd.es/
10. Children
This site is not directed at individuals under 16. We do not knowingly collect personal data from minors. If we learn that we have received personal data from a child under 16 without verifiable parental consent, we will delete it promptly.
11. Do Not Track Signals
This website does not respond to "Do Not Track" (DNT) browser signals. Third-party providers may have their own mechanisms for preference handling.
12. Data Deletion Requests
To request deletion, email [email protected] with the subject line "Data Deletion Request". We may ask for reasonable information to verify identity. Requests are typically completed within 30 days, unless retention is required by law or needed to establish, exercise, or defend legal claims.
13. Business Transfers
If we are involved in a merger, acquisition, asset sale, financing, reorganization, bankruptcy, or similar event, personal data may be transferred to a successor or affiliate as part of that transaction. If such a transfer materially changes how personal data is used, we will provide notice via the website.
14. California (CCPA / CPRA)
This section applies to California residents where the California Consumer Privacy Act (CCPA), as amended by the CPRA, applies.
Categories of personal information disclosed in the past 12 months may include:
- Identifiers (name, email, IP address, cookie IDs): disclosed to service providers and, if you consent, advertising partners.
- Internet or other electronic network activity (pages viewed, interactions): disclosed to analytics and, if you consent, advertising providers.
- Inferences (interests or preferences inferred from site usage): shared with advertising partners only if you consent to marketing cookies.
We do not sell personal information as defined by CCPA. We do share information for cross-context behavioral advertising when marketing cookies are enabled. California residents may opt out via our cookie preferences panel.
Your rights may include the right to know, delete, correct, and opt out of sale/sharing, and the right to non-discrimination. To submit a request, email [email protected] with the subject line "California Privacy Request". We may need to verify your identity. Authorized agents must provide documentation showing authority to act on your behalf.
15. Virginia (VCDPA)
If the Virginia Consumer Data Protection Act (VCDPA) applies, Virginia residents may have rights to access, correct, delete, obtain a copy of personal data, and opt out of targeted advertising. We do not sell personal data and we do not engage in profiling that produces legal or similarly significant effects.
To submit a request, email [email protected] with the subject line "Virginia Privacy Request". If we decline your request, you may appeal by emailing with subject "Appeal of Refusal — Privacy Request". We will respond to an appeal within 60 days. If unresolved, you may contact the Virginia Attorney General.
16. Nevada
Nevada residents may submit a verified opt-out request by emailing [email protected] with the subject line "Nevada Do Not Sell Request". We do not currently sell personal information under Nevada Revised Statutes Chapter 603A.
17. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Material changes will be announced via a prominent notice on the website at least 14 days before the changes take effect. The "Last Updated" date at the top will be revised with every update.
18. Contact
For privacy questions or requests, contact:
- Lumionyx Learning GmbH
- Leopoldstraße 256, 80807 Munich, Germany
- Email: [email protected]
- Phone: +49 89 2154 6278
Cookie controls
You can manage cookie categories at any time using the "Manage cookie preferences" link in the footer. For more detail on cookie categories and typical cookie names, see our Cookie Policy.