GDPR Compliance

Introduction

This GDPR Compliance page explains how LUMA DAILY, Inc. ("we," "us," or "our") complies with the European Union General Data Protection Regulation (GDPR) for customers and website visitors located in the European Economic Area (EEA), the United Kingdom, and other regions with equivalent data protection laws. This page should be read alongside our Privacy Policy, which provides a comprehensive overview of our data practices.

Our Legal Basis for Processing Data

Under GDPR, we must have a valid legal basis for processing your personal data. We rely on the following:

  • Contract performance: Processing your orders, payments, and deliveries.
  • Legitimate interest: Improving our website, preventing fraud, and communicating with you about your orders.
  • Consent: Marketing emails and non-essential cookies (you can withdraw consent at any time).
  • Legal obligation: Complying with tax, accounting, and consumer protection laws.

Data We Collect from EEA/UK Visitors

  • Name, email, shipping address, and phone number (at checkout).
  • Payment information (processed by Shopify Payments — we do not store card details).
  • Order history and preferences.
  • Website browsing data via cookies (see our Privacy Policy for cookie details).
  • Information submitted through our contact form or live chat.

Your Rights Under GDPR

As an EEA/UK resident, you have the following rights regarding your personal data:

  • Right of Access (Article 15): You can request a copy of all personal data we hold about you.
  • Right to Rectification (Article 16): You can request correction of any inaccurate or incomplete data.
  • Right to Erasure (Article 17): You can request deletion of your personal data ("right to be forgotten"), subject to legal retention requirements.
  • Right to Restriction (Article 18): You can request that we limit how we process your data in certain circumstances.
  • Right to Data Portability (Article 20): You can request your data in a structured, machine-readable format (e.g., JSON or CSV).
  • Right to Object (Article 21): You can object to processing based on legitimate interests, including direct marketing.
  • Rights Related to Automated Decision-Making (Article 22): You have the right not to be subject to decisions based solely on automated processing.

How to Exercise Your Rights

To exercise any of these rights, please contact us through our contact page with a clear description of your request and proof of identity. We will respond to your request within 30 days as required by GDPR. There is no charge for exercising your rights, although we may charge a reasonable fee for manifestly excessive or repetitive requests.

Data Transfer Outside the EEA

Our website and services are operated from the United States. If you are located in the EEA or UK, your personal data will be transferred to and processed in the US. We ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission for data transfers.
  • Shopify's Data Processing Agreement (DPA), which provides GDPR-compliant data handling.
  • Encryption and security measures to protect your data in transit and at rest.

Data Retention

We retain your personal data only for as long as necessary:

  • Order records: Retained for 6 years for tax and legal compliance.
  • Account data: Retained for the duration of your account plus 2 years of inactivity.
  • Marketing data: Retained until you unsubscribe or withdraw consent.
  • Support inquiries: Retained for 2 years after resolution.

You can request earlier deletion by contacting us, subject to legal retention requirements.

Cookies and Tracking Technologies

For EEA/UK visitors, we implement cookie consent mechanisms in accordance with the ePrivacy Directive. You will be presented with a cookie consent banner on your first visit. You can:

  • Accept all cookies.
  • Reject non-essential cookies.
  • Manage your preferences at any time through your browser settings or our cookie consent tool.

Essential cookies (required for the website to function) do not require consent under GDPR. For details on specific cookies, please refer to the Cookies section of our Privacy Policy.

Data Protection Officer

Given the nature and scale of our data processing, we have not appointed a formal Data Protection Officer (DPO). However, we take data protection seriously and ensure compliance through regular reviews and appropriate technical and organizational measures. If you have data protection concerns, please contact us through our contact page.

Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach. If the breach is likely to result in a high risk to your rights, we will also notify you directly.

Supervisory Authority

If you believe that our processing of your personal data infringes on your rights under GDPR, you have the right to lodge a complaint with your local data protection supervisory authority.

Changes to This Page

We may update this GDPR compliance page to reflect changes in our practices or applicable regulations. Any changes will be posted on this page.

Contact

For GDPR-related inquiries or to exercise your data rights, please visit our contact page. We typically respond within 24 hours.