Lumera Insights is committed to protecting the privacy of prospects, customers, and partners. This Privacy Policy applies to the personal data we collect and process in the course of our business activities.

​

§ 1 Data Controller, Scope

(1) The controller within the meaning of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data (“General Data Protection Regulation”, “GDPR”) as well as the Slovak Data Protection Act (Act No. 18/2018 Coll., “Zákon č. 18/2018 Z. z.”) is:

Lumera Insights s.r.o.
Duhova 11, 917 01 Trnava
Data Protection Email: privacy@lumerainsights.com

​

(2) This Privacy Policy applies to all processing of personal data in the context of Lumera Insights’ business activities (hereinafter “Lumera Insights” or “we”), as well as to the use of our website operated under www.lumerainsights.com, including all subdomains.

​

(3) Personal data is processed exclusively on the basis of the GDPR, the Slovak Data Protection Act, and other applicable regulations of the European Union and the Slovak Republic.

​

§ 2 Categories of Data Processed

(1) As part of the web scraping and data analytics services offered by Lumera Insights, information from freely and lawfully publicly accessible sources is collected and processed in an automated manner. The focus is on product, price, assortment, availability, and aggregated review data, which—based on the design of our service—do not constitute personal data within the meaning of Art. 4(1) GDPR.

​

(2) In individual cases where publicly available content nevertheless contains personal data (e.g. publicly visible usernames or profile names, publicly accessible review or comment content), Lumera Insights processes such data only to the extent necessary to provide the contractually agreed services and insofar as this is legally permissible under data protection law. Otherwise, personal data elements are, where technically feasible, pseudonymised, anonymised, or deleted as early as possible.

​

(3) In the context of prospect, customer, and supplier relationships, Lumera Insights processes in particular the following categories of personal data:

• Master data: name, academic degree, professional position, employer, business address, and where applicable date of birth

• Communication and contact data: email address, telephone number, and other contact details provided by the data subject

• Contract, offer, and billing data: contract content, service descriptions, order and payment information, bank details, invoice data, and correspondence related to the contractual relationship

• Technical communication data: data generated in connection with communication via website forms, email, or similar electronic channels (e.g. timestamps, metadata, log files)

​

(4) When using our website, the following log data (“log files”) are technically processed in particular:

• IP address of the accessing device (possibly in shortened or pseudonymised form)

• Date and time of access

• Pages/files accessed and volume of data transferred

• Browser type and version used

• Operating system used

• Referrer URL (the page from which the access originated)

​

(5) Lumera Insights does not process any special categories of personal data within the meaning of Art. 9 GDPR (in particular no data concerning health, religious or political beliefs, trade union membership, or sexual orientation) and does not carry out automated decision-making, including profiling within the meaning of Art. 22 GDPR.

​

§ 3 Purposes of Data Processing

(1) Personal data is processed exclusively for the following purposes:

• Initiation, conclusion, administration, and execution of contractual relationships with (prospective) customers, service providers, suppliers, and other business partners.

• Provision and billing of Lumera Insights’ web scraping, data analytics, SaaS, and API services.

• Accounting and fulfilment of statutory retention, documentation, and disclosure obligations under Slovak commercial law.

• Communication with clients, prospects, and other contacts (in particular responding to inquiries via email, telephone, or contact forms).

• Operation, security, and improvement of the website and our services, including technical administration, error analysis, and detection and defence against attacks.

• Sending informational and marketing communications (e.g. newsletters) to recipients who have given consent or where legally permitted.

• Performance of internal administrative and organisational tasks, as well as assertion, exercise, or defence of legal claims.

​

(2) Processing for purposes other than those listed in paragraph 1 will only take place where legally permitted or where the data subject has given explicit consent in advance. In the event of an intended change of purpose, the data subjects will be informed separately in advance.

​

§ 4 Legal Bases for Processing

(1) Depending on the type of processing activity, Lumera Insights relies on the following legal bases under Art. 6 GDPR:

• Art. 6(1)(b) GDPR: processing necessary for the performance of a contract or for the implementation of pre-contractual measures (in particular initiation, conclusion, and execution of business relationships, provision of our web scraping, data analytics, SaaS, and API services)

• Art. 6(1)(c) GDPR: processing necessary for compliance with legal obligations (in particular under company, tax, and retention law)

• Art. 6(1)(f) GDPR: processing necessary for the purposes of legitimate interests pursued by Lumera Insights or a third party (in particular economic operation and development of our services, ensuring IT security, efficient communication, direct marketing within the legally permitted scope, and the establishment, exercise, or defence of legal claims)

• Art. 6(1)(a) GDPR: processing based on the consent of the data subject (in particular for newsletter distribution and the use of non-essential cookies or tracking technologies)

​

(2) The legitimate interests within the meaning of Art. 6(1)(f) GDPR include, in particular, the economic operation and further development of the service offering, ensuring IT security, prevention of fraud and misuse, direct marketing to existing customers within the permitted scope, and the defence against legal claims.

​

(3) Where processing is based on consent, such consent may be withdrawn at any time with effect for the future, without affecting the lawfulness of processing carried out prior to the withdrawal.

​

§ 5 Processing in the Context of Web Scraping and Data Analytics Services

(1) Lumera Insights provides B2B services in the areas of web scraping, data analytics, SaaS services, and API interfaces. In this context, freely and lawfully publicly available information from the internet is collected in an automated manner and analysed for technical and statistical purposes. The focus is on product, price, assortment, availability, and review data, which—based on the design of the service—do not contain personal data.

​

(2) Lumera Insights has implemented technical and organisational measures to avoid or minimise the processing of personal data within scraping processes wherever possible. These include, in particular, filtering, pseudonymisation, and anonymisation mechanisms, as well as configurations that prevent the collection of non-publicly available content.

​

(3) To the extent that, in individual cases, personal data is nevertheless collected from freely and lawfully publicly available sources (in particular publicly visible usernames or profile names, publicly accessible review or comment content), such data is processed only insofar as this is necessary for the performance of the contractually agreed services and can be based on a legal basis, in particular Art. 6(1)(b) GDPR (performance of a contract) or Art. 6(1)(f) GDPR (legitimate interests of our customers or Lumera Insights in market and competitive analysis), provided that the interests or fundamental rights and freedoms of the data subjects do not override in individual cases. In all other cases, personal data elements are immediately anonymised or deleted.

​

(4) Lumera Insights does not extract content from areas that are not freely accessible or that require special access conditions (e.g. login requirements, CAPTCHA circumvention, or bypassing of technical protection measures).

​

(5) In the typical scenarios, Lumera Insights acts as a data processor within the meaning of Art. 4(8) and Art. 28 GDPR with respect to the respective customer. The data protection responsibility for the purposes and means of processing lies in such cases with the respective customer as controller. The specific allocation of roles under data protection law, as well as the subject matter, duration, nature, and purpose of the processing, the type of personal data, and categories of data subjects, are governed on a case-by-case basis within the contractual relationship and a separate data processing agreement pursuant to Art. 28 GDPR.

​

(6) In certain scenarios (e.g. operation of the website, own marketing and sales activities, administration of customer and prospect data), Lumera Insights acts as the controller within the meaning of Art. 4(7) GDPR. In such cases, the information obligations and data subject rights described in this Privacy Policy apply directly.

 

§ 6 Website Use, Contact Forms and Newsletter

(1) When using our website for purely informational purposes, the log file data referred to in § 2(4) is processed in order to ensure the technical provision, stability, and security of the website, as well as to detect and defend against attacks or misuse. The legal basis for this is Art. 6(1)(f) GDPR (legitimate interest in the secure and stable operation of the website).

​

(2) If you contact us via a contact form or by email, we process the personal data you provide (in particular name, email address, telephone number if applicable, and the content of your enquiry) in order to handle your request and clarify any follow-up questions. The legal bases are Art. 6(1)(b) GDPR (pre-contractual measures or performance of a contract) and Art. 6(1)(f) GDPR (legitimate interest in processing enquiries).

​

(3) The sending of newsletters or comparable electronic information and marketing communications is carried out only with your prior explicit consent or—where legally permitted—within an existing customer relationship. Each communication includes an option to withdraw consent or object at any time (e.g. via an unsubscribe link or a reference to the above contact address).

​

(4) Newsletter distribution is generally carried out using a double opt-in procedure: after registration, you will receive an email asking you to confirm your subscription. Only after this confirmation will your email address be activated for distribution. The registration and confirmation are logged for verification purposes (time, IP address, and relevant content used). The legal basis is your consent (Art. 6(1)(a) GDPR) or, in the case of existing customers, our legitimate interest in direct marketing within the legally permitted scope (Art. 6(1)(f) GDPR). You may object to receiving newsletters or withdraw your consent at any time with effect for the future.

 

§ 7 Cookies and Similar Technologies

(1) Cookies and similar technologies are used on the website. Some of these technologies are technically necessary to provide basic website functionality (e.g. language selection, session management, security features). These technically necessary cookies are used on the basis of Art. 6(1)(f) GDPR (legitimate interest in providing a functional and secure website).

​

(2) In addition, and subject to your consent, analytics, statistical, or marketing cookies and similar technologies may be used to evaluate website usage, perform reach measurements, and tailor our services to user needs. The legal basis for this is Art. 6(1)(a) GDPR.

​

(3) Upon your first visit to the website, a cookie banner is displayed in which you can consent to or reject the use of specific categories of cookies. You may change or withdraw your consent at any time with effect for the future via the cookie settings on the website.

​

(4) Detailed information about the cookies and tools used (providers, functionality, data categories, storage duration, and any data transfers to third countries) is available in the cookie banner or in the cookie overview provided on the website.

​

(5) Analytical and statistical tools (e.g. web analytics services, tag management systems) are used exclusively on the basis of your consent and serve to evaluate website usage, measure reach, and optimise our services. Where such tools involve the transfer of personal data to third countries, you will be informed separately in the cookie banner or cookie overview.

​

(6) Marketing technologies (e.g. tracking pixels, remarketing tools), if used at all, are deployed only with your separate consent and are presented in the cookie overview with details on the provider, functionality, storage duration, and any third-country transfers.

 

§ 8 Recipients and Categories of Recipients

(1) Within Lumera Insights, only those employees have access to personal data who require it for the fulfilment of the stated purposes and who are appropriately bound to confidentiality obligations.

​

(2) External recipients of personal data include in particular:

• IT, hosting, and cloud service providers (e.g. data centres, email service providers, CRM and collaboration platforms, support tools, etc.),

• tax advisors, auditors, and legal representatives,

• banks and payment service providers in the context of payment processing,

• public authorities, courts, and other public bodies, insofar as there is a legal obligation or this is necessary for the establishment, exercise, or defence of legal claims.

​

(3) Where such recipients act as processors within the meaning of Art. 28 GDPR, processing is carried out exclusively on the basis of corresponding data processing agreements which, in particular, ensure confidentiality, data security, and processing in accordance with instructions.

​

(4) A transfer of personal data to countries outside the European Union or the European Economic Area (“third countries”) takes place only if:

• it is necessary for the fulfilment of our contractual or legal obligations,

• you have given your explicit consent, or

• an adequacy decision of the European Commission exists for the relevant third country or appropriate safeguards within the meaning of Art. 44 et seq. GDPR (in particular standard contractual clauses) are in place.

​

(5) For hosting our systems and providing our services, we primarily use service providers with server locations within the European Union or the European Economic Area. Where individual service providers are based in a third country (e.g. the USA) or may access personal data from there, we ensure that either an adequacy decision of the European Commission (e.g. the EU–US Data Privacy Framework) is in place or that EU standard contractual clauses have been concluded with the service provider and, where necessary, additional protective measures are implemented.

​

(6) In cases where a transfer is based on Art. 49 GDPR (e.g. explicit consent or necessity for contract performance), data subjects are informed separately in advance about the associated risks.

​

§ 9 Storage Locations and Retention Periods

(1) Personal data is generally stored on servers within the European Union, in particular in data centres located in Austria or Germany. Where processing in third countries occurs in individual cases, the provisions of § 8(4) to (6) apply additionally.

​

(2) Lumera Insights stores personal data only for as long as is necessary to achieve the purposes set out in this Privacy Policy, and insofar as no statutory retention obligations or overriding legitimate interests require further storage.

​

(3) The retention period is determined in particular by the following criteria:

• Contract and billing data are stored for the duration of the contractual relationship and, as a general rule, for 7 years after the end of the financial year in order to comply with statutory retention obligations (in particular under Slovak commercial law).

• General correspondence and enquiries are stored until they have been fully processed and thereafter for as long as necessary for documentation and evidentiary purposes (e.g. for the defence against liability claims), typically up to 3 years after the last contact.

• Log file data and security-related logs are generally stored for a period of up to [e.g. 6 months], unless security incidents require longer retention.

• Data related to newsletters is stored until consent is withdrawn or the subscription is cancelled; records of consent and withdrawal are retained for evidentiary purposes for up to [e.g. 3 years] after the last mailing.

• ​

(4) Once the respective storage purpose ceases to apply or statutory retention periods expire, personal data is deleted or anonymised.

​

§ 10 Rights of Data Subjects

(1) Data subjects have the following rights in accordance with applicable legal provisions, in particular Articles 15 to 22 GDPR:

• Right of access to whether and which personal data concerning them are being processed, as well as the right to receive a copy of such data (Art. 15 GDPR)

• Right to rectification of inaccurate personal data and completion of incomplete personal data (Art. 16 GDPR)

• Right to erasure of personal data (“right to be forgotten”), provided that no statutory retention obligation or overriding legitimate interest applies (Art. 17 GDPR)

• Right to restriction of processing under the conditions set out in Art. 18 GDPR

• Right to data portability in a structured, commonly used, and machine-readable format, where processing is based on consent or contract and carried out by automated means (Art. 20 GDPR)

• Right to object to the processing of personal data based on Art. 6(1)(e) or (f) GDPR, on grounds relating to the data subject’s particular situation (Art. 21 GDPR)

• Right to withdraw consent at any time with effect for the future (Art. 7(3) GDPR)

​

(2) To exercise these rights, data subjects may contact Lumera Insights using the contact details provided in § 1. Lumera Insights is entitled to request proof of identity to the extent necessary in order to prevent unauthorised disclosure.

​

(3) Furthermore, data subjects have the right to lodge a complaint with a supervisory authority. In Slovakia, this is:

Úrad na ochranu osobných údajov
Námestie 1. mája 18
811 06 Bratislava
Website: https://dataprotection.gov.sk/sk/

​

(4) Data subjects have the right to object at any time, on grounds relating to their particular situation, to the processing of their personal data which is based on Art. 6(1)(f) GDPR (legitimate interests). Where personal data are processed for direct marketing purposes, data subjects have the right to object at any time to such processing; this also applies to profiling insofar as it is related to such direct marketing. In the event of an objection, personal data will no longer be processed for these purposes.

​

§ 11 Security of Processing

(1) In accordance with Art. 32 GDPR, Lumera Insights implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk associated with personal and business-critical data. In doing so, the state of the art, implementation costs, the nature, scope, context and purposes of processing, as well as the likelihood and severity of risks are taken into account.

​

(2) The measures implemented include in particular:

• Access control: Role- and permission-based access concept, authentication procedures, and regular review of access rights.

• Disclosure control: Use of encryption during data transmission, logging of data flows, and defined procedures for data transfers.

• Input control: Documentation of input, modification, and deletion of personal data, with traceable logging.

• Availability control: Data backup and recovery concepts, as well as emergency and disaster recovery plans.

• Procedures for the regular review, assessment, and evaluation of the effectiveness of technical and organisational measures.

​

§ 12 Changes to this Privacy Policy

(1) Lumera Insights reserves the right to amend this Privacy Policy at any time with effect for the future in the event of changes in legal requirements, services offered, data processing activities, or technical conditions.

​

(2) The currently valid version of the Privacy Policy is available on the website at www.lumerainsights.com and replaces previous versions. Material changes affecting the processing of personal data within existing contractual relationships will be communicated to the relevant contractual partners in an appropriate form (e.g. by email) in text form.