Last updated: 11th December 2020

Contents

Introduction
Who we are
Our approach to privacy
Our companies and websites
Where and why we collect your personal data
Our legal basis for processing your personal data
What personal data we process
Sharing information with third parties
Security
International transfers of personal data
Retention of your personal data
Children
Your rights
Contact Us
Complaints


1.  Introduction 

Your privacy and the protection of your personal data is important to us (Lumi). When we refer to ‘personal data’ in this policy, we mean any information which can be used to personally identify you. This public privacy policy (or privacy statement) explains what personal data we process, how we collect it and why. We take the security of your personal data very seriously and this policy tells you what we do to ensure its protection. In this policy we also outline the rights we think you have with your personal data, and how you can exercise them.


2.  Who we are 

Lumi is the leading global provider of fast, accurate and secure technologies to facilitate the smooth running of AGMs, shareholder or member meetings, legislative meetings and elections – whether that is a physical in-room meeting, a virtual meeting or a hybrid meeting. Our headquarters are in the United Kingdom, but we have offices in North America, Europe, the Middle East, Africa, Asia and Australia.

Geting Capital Ltd. is the parent company of our organisation, and we have provided a full list of our subsidiary companies in the Scope section below, where we include our registered address.

We are not legally required to appoint a Data Protection Officer (DPO). However, we have nominated members of our Information Security Management System (ISMS) Team to take overall responsibility for matters of data protection and privacy.  You can contact them with any questions or concerns about your personal data by emailing privacy@lumiglobal.com (for more contact details see below section).

 

3.  Our approach to privacy

We do not sell your personal data to third parties for marketing or promotional purposes.  We do not abuse or misuse your personal data, or let it fall into the wrong hands.  We only process your personal data for the reasons we say we do.

As a business, we supply mobile technology products and services which process personal data to help our customers (Clients) better understand a group of people. That personal data is as important to us as it is to you.

We only process your personal data in accordance with our Clients’ instructions. If these instructions are ethical, moral and legal, then we comply with our Clients’ directions as to how they want us to process the personal data.  We also try to ensure that any obligations our Clients have concerning your privacy are carried out, subject to applicable laws.

We share your personal data with our Clients, who are the data controllers in respect of the personal data and have provided it to us and/or asked us to collect personal data and process it by using our technology and services. They have their own privacy policies that apply to your personal data and must be able to provide you with a copy.

Technology, laws or even our way of doing business can change from time to time, as can your rights and expectations. To ensure we comply with data protection regulations, we will update this privacy policy. When we make changes, we will always publish it here on our website.

 

4.  Our companies and websites

The following companies are within scope for this policy;

  • Geting Capital Ltd. (our parent company)
  • Lumi Holdings Ltd.
  • Lumi AGM UK Ltd.
  • Lumi USA Inc.
  • Lumi Canada Inc.
  • Lumi Technologies SA (Pty) Ltd.
  • Lumi Technologies Pty Ltd.
  • Lumi Technologies BV (Belgium)
  • Lumi Technologies BV (The Netherlands)
  • Lumi France SAS
  • IML Asia Ltd.
  • Interactive Meetings Singapore Pte Ltd.
  • Lumi Technologies Middle East FZE

The following websites are within scope for this policy;

  • https://www.lumiglobal.com

This policy also covers any additional personal data collected in the following, which are our online web applications;

  • https://web.lumiagm.com
  • https://home.lumieventapp.eu
  • https://home.lumieventapp.com

 

5.  Where and why we collect your personal data

We collect your personal data from the following sources:

  1. when you visit our website(s);
  2. when you contact us for help or support; and/or
  3. when you use one of our products or services (e.g. joining or participating in a virtual meeting, completing a survey, downloading an application, sending a message, responding to an electronic poll, visiting a web application, liking a comment, etc.)

    Because our business revolves around helping our Clients to reach and better understand groups of people, we may also receive your personal data from those Clients, who have analysed the information they already have about you or you have provided directly to them.

    We process your personal data for one or more of the following purposes:

  4. you have come to us for our help (this could be enquiring about our technology or technical support if you already use it);
  5. you have consented to our Clients who are using our services;
  6. you are visiting our website;
  7. to provide you with information you have requested from us;
  8. to fulfil a contract that we have entered into with you or with an entity that you represent;
  9. to ensure the safe operation and security of our websites and underlying business infrastructure; or
  10. to manage any communication between us and you.

 

6.  Our legal basis for processing your personal data

We process your personal data for the purposes described in this policy, where it is necessary for our legitimate interests.

Legitimate Interest means the interest of our business in conducting and managing our business to enable us to provide our clients with the best products and services and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).

 

7.  What personal data we process

Our products and services require the processing of your personal data. Depending on the particular application, website or technology you are using, this may include:

  1. biographical information that you have supplied to us or to our Clients;
  2. location information, meaning information which reveals a geographical location of you and/or your mobile device (we only process this information where you have agreed to us or our Clients doing so or by agreeing to a notification on your mobile device);
  3. information about the type of mobile device you are using our products and services on (such as type of operating system, version of firmware, IP address, etc.);
  4. website and application metadata (where application metadata does not include any personal data), meaning information about the way in which our applications and websites are used and how they function on your mobile device (e.g. which application screens you use most, how long it takes to transmit information to us, the volume of information, etc.) which we process in order to improve the usability, security and performance of our website;
  5. survey, voting or any other type of information requested by our Clients and/or provided by you, meaning information contained in the responses you submit to surveys or electronic polls, how you vote in an electronic election or other information you provide or enter through our products and applications, an online dashboard or website (your participation is always voluntary and you do not have to provide any personal data); or
  6. personal data received from other sources including other websites we or our Clients operate or the other services we provide.

    If you are visiting our website or trying to contact us for information, assistance or technical support, then the personal data we process or may ask for could include:

  7. your first and last name;
  8. your contact details, such as a phone number and/or email address;
  9. your approximate location (depending on the settings on your device);
  10. technical data such as an Internet Protocol (IP) address, time zone, operating system and platform and information about your internet browser application;
  11. which of our products and/or services you use;
  12. which pages on our website you have visited, including where you have clicked your mouse and what buttons you have pressed (i.e. where you came to us from, where you went in our site, how you got there and where you went to after visiting);
  13. which Client of ours you represent and your role within that organisation (e.g. your job title);
  14. information about our hardware which you own or use and information about the mobile device accessing our online products and services; or
  15. any technical or diagnostic information we deem necessary to fix a problem or resolve an issue you are experiencing with our products or services.

 

8.  Sharing information with third parties

We do not disclose any personal data about you to any third party for marketing, advertising or promotional purposes, unless you have given us express consent to do so or unless otherwise described in this privacy policy.

The confidentiality, integrity and availability of your personal data remain of the utmost importance to us, especially if we need to transfer it to a third party (for international transfers please see Section 10 below). To demonstrate the measures we take to ensure the security of your personal data when being transferred to a third party, please see Section 9 below for more information, where we have considered any potential risks and taken necessary precautions.

We may share your personal data with:

  1. our Clients, who have asked us to process it on their behalf;
  2. our partners, sub-processors and/or suppliers/vendors working on our behalf, who provide us with IT and/or support services to help us process personal data, and who may require such personal data for the performance of any contract we enter into with them to conduct our business (e.g. Microsoft, Amazon Web Services, etc.);
  3. our group companies as listed in the Scope section above, who may provide related or ancillary services; or
  4. internationally recognised legal or regulatory bodies.

    We will only share your personal data in the following circumstances:

  5. if we believe that it is reasonably necessary to comply with a law, regulation or legal request (e.g. to assist in matters of public interest or safety);
  6. if we sell, transfer or otherwise share some or all of our assets in connection with a merger, acquisition, reorganisation or sale of assets, or in the event of bankruptcy (where we endeavour to provide you with notice prior to the transfer of your personal data to a successor entity);
  7. to complete any transaction or provide any product or service you have requested or authorised;
  8. to maintain the security of our products and services; or
  9. to protect ours, yours and our Clients’ rights and freedoms.

 

 

9.  Security

We have what we believe are robust, appropriate and sufficient security controls in place to protect your personal data. Risk assessment, including assessing risks to the rights and freedoms of data subjects, is at the heart of our Information Security Management System (ISMS), which is certified to the ISO/IEC 27001:2013 standard. Importantly, we also assess our suppliers and sub-processors, who maintain the same and/or additional accreditations, certifications and compliance programmes.

However, even with these measures in place we have no control over what happens between your mobile device and the perimeter of our information infrastructure. You should always be aware of the many cyber security risks that exist in the modern environment and take appropriate steps to safeguard your own personal data (keeping devices and applications up to date, good password practice, adoption of techniques such as two-factor authentication, being aware of modern threats such as phishing and malware, etc.)

We take the privacy and protection of your personal data very seriously and use a number of methods to try to keep your personal data secure from loss or unauthorised use, alteration or access when it is in our possession or control and that of any third parties. These methods include reasonable physical, technical and organisational measures to restrict access to your personal data. Your personal data is encrypted at rest (i.e. whilst it is being stored) but also whilst in transit by using the latest cryptography technologies. Access to your personal data (e.g. amongst our employees and Clients) is strictly controlled by a combination of policies, secure passwords, permissions-based user roles, best practice processes and procedures, multi factor authentication and more. Additionally, we ensure that your personal data is further protected through enforceable contractual agreements with any third parties (e.g. Data Protection Agreements, standard contractual clauses, confidentiality clauses, etc.)

Where you have chosen a password which enables you to access certain parts of our website and/or applications, you are responsible for keeping this password confidential. You should never share a password with anyone and you should ensure that passwords are strong, unique and that you do not reuse or recycle passwords.

Where you have chosen a password which enables you to access certain parts of our website and/or applications, you are responsible for keeping this password confidential. You should never share a password with anyone and you should ensure that passwords are strong, unique and that you do not reuse or recycle passwords.

Where required by applicable law, we will notify you or our Clients of any loss of or unauthorised access or alteration to your personal data, and we will cooperate with the appropriate authorities to investigate such incidents in a timely fashion.

 

10.  International transfers of information

We are a global company with service providers and Clients operating in many countries around the world, including outside of the European Economic Area (EEA). We use cloud-based storage solutions, meaning that your personal data may be transferred and processed in locations outside of your state, province or country, where the privacy laws may not be as protective as those in your jurisdiction. Our Clients may also operate in such locations and may require that we transfer your personal data to them in those locations.

We take steps to ensure that your personal data is kept secure regardless of its location and when being transferred internationally, in compliance with applicable laws. Please refer to Section 9 above for more information on where we have considered any potential risks and taken necessary precautions.

 

11.  Retention of your information

We keep your personal data for as long as is necessary to fulfil the purpose for which it was processed. In most cases, this will be the duration of a particular meeting, event, project or campaign for which our Client has asked us to process your personal data. However, we are subject to our Clients’ instructions and they may ask us to retain it for longer or to delete it sooner. We regularly audit the personal data we retain to ensure that it remains relevant to our current requirements and those of our Clients.

We may maintain a permanent record of anonymized location, demographic and survey information. This information is used to produce aggregated consumer insights and cannot be used to identify individuals.

 

12.  Children

We do not knowingly process personal data of minors or children. We have no control over who contacts us, or means of verifying their age, but it is not our policy to conduct business with anyone under 18 years of age. For our Clients (the data controller), if they are using our products and services to process personal data of children, then they must comply with the data protection laws applicable to them. In these very rare circumstances, our Clients are obliged to obtain express consent from the children’s parents or legal guardians prior to the use of our service.

 

13.  Your rights

As a data subject whose personal data we process, you have certain rights. If you wish to exercise any of these rights, then please email privacy@lumiglobal.com or use the contact details supplied below. In order to process your requests, we may ask you to provide two valid forms of identification for verification purposes. Depending on the reasons we are processing your personal data, we may have to refer you to our Client you have provided consent to (i.e. as the data processor or in some cases sub-processor, we are obliged to to refer you to the data controller to make such requests).

Your rights are as follows:

  1. The right to be informed. You may request information about processing of your personal data and we will respond to your requests in accordance with law
  2. The right of access. You may request a copy of the personal data we hold about you. We will always provide this free of charge. Once we have verified your identity and, if relevant, the authority of any third-party requestor, we will provide access to the personal data we hold about you as well as the following;
    1. The categories of personal data concerned
    2. The purpose for processing the personal data
    3. If applicable, who we have disclosed the personal data to
    4. The proposed or planned retention period for that personal data
    5. The source of personal data, if collected from a third party
  3. The right to rectification. If you feel we hold inaccurate or incomplete personal data about you, you may exercise your right to correct or complete it. This may be used in conjunction with the right to restrict processing (see below) to make sure that incorrect or incomplete personal data is not processed until it has been rectified.
  4. The right to erasure. Often referred to as the ‘right to be forgotten’. Where no overriding legal basis or legitimate reason continues to exist for processing your personal data, you have the right to request that we delete that personal data. We will always take all reasonable steps to ensure the erasure or deletion of your personal data.
  5. The right to restrict processing. You have the right to ask us to stop processing your personal data. We will still store the personal data, but will not process it further. This right is an alternative to the right to erasure. If any of the following conditions apply, then you may exercise your right to restrict processing;
    1. You contest accuracy of your personal data and we are verifying it.
    2. Your personal data has been unlawfully processed.
    3. We no longer need the personal data for processing but the personal data is required for part of a legal process (e.g. establishing, exercising or defending a legal claim).
    4. You have exercised your right to object and processing is restricted pending a decision on the status of that processing.
  6. The right to data portability. You may request personal data which we hold, to be transferred to you, another controller, processor or third party. We must ensure we provide it in a commonly used and machine-readable format. This right only applies because our lawful basis for processing is either consent or for the performance of a contract.
  7. The right to object. You have the right to object to our processing of your personal data. This applies when processing is;
    1. Based on your legitimate interests (or those of a third party)
    2. For the purposes of direct marketing
    3. For research purposes (scientific, historic or statistical)
    4. Based upon public tasks or legitimate interests

 

15.  Contact Us

Should you have any questions, comments or concerns about this policy or how we handle and process your personal data then please email privacy@lumiglobal.com.

As an alternative, you can get in touch with us at our headquarters using the following postal address or phone number;

Lumi Holdings Ltd.

Armoury House

Ordnance Business Park

Midhurst Road

Liphook

Hampshire

GU30 7ZA

United Kingdom

Tel: +44 (0)3300 583 952

Our UK hours of operation are 09:00 – 17:30, Monday to Friday (except public holidays).

If English is not your first language, then please visit the Contact Us page on our website to find telephone numbers and addresses for our regional offices.

16.  Complaints

If you wish to complain or discuss any grievances with us, please don’t hesitate to contact us using the details provided above. All complaints are treated confidentially. Should you be unhappy with how we are handling or have handled your personal data, or about any former complaints you have made to us, then you are entitled to escalate your complaint to a supervisory authority within the region you are based. As detailed above, our company headquarters are based in the United Kingdom, where the Information Commissioner’s Office (ICO) is the supervisory authority for data protection (https://ico.org.uk/).

 

Cookies

Information about our use of cookies can be found here.