Last updated: 15th July 2022
Who we are
Our approach to privacy
Our companies and websites
Where and why we collect your personal data
Our legal basis for processing your personal data
What personal data we process
Sharing information with third parties
International transfers of personal data
Retention of your personal data
2. Who we are
Lumi is the leading global provider of fast, accurate and secure technologies to facilitate the smooth running of AGMs, shareholder or member meetings, legislative meetings and elections – whether that is a physical in-room meeting, a virtual meeting or a hybrid meeting. Our headquarters are in the United Kingdom, but we have offices in North America, Europe, the Middle East, Africa, Asia and Australia.
Lumi Global Ltd. is the parent company of our organisation, and we have provided a full list of our subsidiary companies in the Scope section below, where we include our registered address.
Lumi Holdings Ltd. operates the website that this policy appears on.
We are not legally required to appoint a Data Protection Officer (DPO). However, we have nominated members of our Information Security Management System (ISMS) Team to take overall responsibility for matters of data protection and privacy. You can contact them with any questions or concerns about your personal data by emailing email@example.com (for more contact details see below section).
3. Our approach to privacy
We do not sell, rent, or trade your personal data to third parties for marketing or promotional purposes. We do not abuse or misuse your personal data, or let it fall into the wrong hands. We only process your personal data for the reasons we say we do.
As a business, we supply mobile technology products and services which process personal data to help our customers (Clients) better understand a group of people. That personal data is as important to us as it is to you.
We only process your personal data in accordance with our Clients’ instructions. If these instructions are ethical, moral and legal, then we comply with our Clients’ directions as to how they want us to process the personal data. We also try to ensure that any obligations our Clients have concerning your privacy are carried out, subject to applicable laws.
We share your personal data with our Clients, who are the data controllers in respect of the personal data and have provided it to us and/or asked us to collect personal data and process it by using our technology and services. They have their own privacy policies that apply to your personal data. We are not responsible for those policies and we suggest you read them carefully.
4. Our companies and websites
The following companies are within scope for this policy;
- Lumi Global Ltd. (our parent company)
- Lumi Holdings Ltd.
- Lumi AGM UK Ltd.
- Lumi USA Inc.
- Lumi Canada Inc.
- Lumi Technologies SA (Pty) Ltd.
- Lumi Technologies Pty Ltd.
- Lumi Technologies BV (Belgium)
- Lumi Technologies B.V. (The Netherlands)
- Lumi France SAS
- Lumi Asia Ltd.
- Lumi Technologies Singapore PTE Limited
- Lumi Technologies Middle East FZE
The following websites are within scope for this policy;
This policy also covers any additional personal data collected in the following, which are our online web applications;
5. Where and why we collect your personal data
We collect your personal data from the following sources:
- when you visit our website(s);
- when you contact us for help or support (in person, by telephone, email, or webchat) including enquiring about our technology or technical support if you already use it;
- when you use one of our products or services (e.g. joining or participating in a virtual meeting, completing a survey, downloading an application, sending a message, responding to an electronic poll, visiting a web application, liking a comment, etc.)
- Registration pages within the Lumi platform (coming in the future);
- via our IT systems;
- from door entry systems and reception logs;
- through automated monitoring of our websites and other technical systems, such as our computer networks and connections, CCTV and access control systems, communications systems, email and instant messaging systems;
Because our business revolves around helping our Clients to reach and better understand groups of people, we may also receive your personal data from those Clients, who have analysed the information they already have about you or you have provided directly to them. We may also use publicly accessible information to verify information we have been provided and to manage and expand our business.
If you do not provide personal data we ask for it may delay or prevent us from providing products or services to you.
We process your personal data for one or more of the following purposes:
- you have come to us for our help (this could be enquiring about our technology or technical support if you already use it);
- you have provided consent to our Clients who are using our services for us to process your data;
- you are visiting our website;
- to provide you with information you have requested from us;
- to fulfil a contract that we have entered into with you or with an entity that you represent;
- to ensure the safe operation and security of our websites and underlying business infrastructure; or
- to manage any communication between us and you.
- conducting checks to identify meeting participants and verify their identity;
6. Our legal basis for processing your personal data
Under data protection law, we can only use your personal data if we have a proper reason, e.g:
- where you have given consent;
- to comply with our legal and regulatory obligations;
- for the performance of a contract with you or to take steps at your request before entering into a contract; or,
- for our legitimate interests or those of a third party.
A legitimate interest is when we have a business or commercial reason to use your information, so long as this is not overridden by your own rights and interests. We will carry out an assessment when relying on legitimate interests, to balance our interests against your own.
You can object to processing on the basis of legitimate interests at any time and, if you do so, we will stop processing the personal data unless we can show compelling legitimate grounds which override your rights and interests, or we need the data to establish, exercise or defend legal claims – see “Your rights” below.
Where we process special category (i.e. sensitive) personal data, we will also ensure we are permitted to do so under data protection laws, e.g.:
- we have your explicit consent;
- the processing is necessary to protect your (or someone else’s) vital interests where you are physically or legally incapable of giving consent; or,
- the processing is necessary to establish, exercise or defend legal claims.
7. What personal data we process
Our products and services require the processing of your personal data. Depending on the particular application, website or technology you are using, this may include:
- your meeting registration including first name and surname, gender, date of birth, address, and any form of identification you have used to access a meeting on the Lumi platform
- biographical information that you have supplied to us or to our Clients;
- location information, meaning information which reveals a geographical location of you and/or your mobile or communications device (we only process this information where you have agreed to us or our Clients doing so or by agreeing to a notification on your mobile or communications device);
- information about the type of mobile or communications device you are using our products and services on (such as type of operating system, version of firmware, IP address, etc.);
- website and application metadata, meaning information about the way in which our applications and websites are used and how they function on your mobile or communications device (e.g. which application screens you use most, how long it takes to transmit information to us, the volume of information, etc.) which we process in order to improve the usability, security and performance of our website;
- survey, voting or any other type of information requested by our Clients and/or provided by you, meaning information contained in the responses you submit to surveys or electronic polls, how you vote in an electronic election or other information you provide or enter through our products and applications, an online dashboard or website (your participation is always voluntary and you do not have to provide any personal data); or
- personal data received from other sources including other websites we or our Clients operate or the other services we provide.
If you are visiting our website or trying to contact us for information, assistance or technical support, then the personal data we process or may ask for could include:
- your first and last name;
- Your gender if you choose to give us this;
- your contact details, such as a phone number and/or email address;
- Information from accounts you link us to
- your approximate location (depending on the settings on your device);
- technical data such as an Internet Protocol (IP) address, time zone, operating system and platform and information about your internet browser application;
- which of our products and/or services you use;
- which pages on our website you have visited, including where you have clicked your mouse and what buttons you have pressed (i.e. where you came to us from, where you went in our site, how you got there and serve you relevant content once you have left);
- which Client of ours you represent and your role within that organisation (e.g. your job title);
- information about our hardware which you own or use and information about the mobile or communications device accessing our online products and services; or
- any technical or diagnostic information we deem necessary to fix a problem or resolve an issue you are experiencing with our products or services.
8. Sharing information with third parties
The confidentiality, integrity and availability of your personal data remain of the utmost importance to us, especially if we need to transfer it to a third party (for international transfers please see Section 10 below). To demonstrate the measures we take to ensure the security of your personal data when being transferred to a third party, please see Section 9 below for more information, where we have considered any potential risks and taken necessary precautions.
We may share your personal data with:
- our Clients, including share registrars, who have asked us to process it on their behalf;
- our cloud hosting partners Amazon Web Services (https://aws.amazon.com/privacy/) and Microsoft Azure (https://privacy.microsoft.com/en-ca/privacystatement);
- our software development and support partner Auga Technologies.
- our meeting pre-registration processing partner, Centium Software (trading as EventsAir) (https://eventsair.com/privacy-policy/)
- our Middle East meeting pre-registration processing partner, JotForm (https://www.jotform.com/privacy/)
- our client portal host, Hubspot (https://legal.hubspot.com/privacy-policy)
- our sub-processors and/or suppliers/vendors working on our behalf, who provide us with IT and/or support services to help us process personal data, and who may require such personal data for the performance of any contract we enter into with them to conduct our business, and other third parties we use to help us run our business;
- our external professional advisors, consultants and auditors;
- our group companies as listed in the Scope section above, who may provide related or ancillary services; or
- internationally recognised legal or regulatory bodies.
We will only share your personal data in the following circumstances:
- if we reasonably believe that it is necessary to comply with a law, regulation, public policy or legal request (e.g. to assist in matters of public interest or safety or in connection with actual or proposed litigation);
- if we sell, transfer or otherwise share some or all of our assets in connection with a merger, acquisition, reorganisation or sale of assets, or in the event of liquidation or bankruptcy – potential purchasers and their advisors may have limited access to data as part of the process – (where we would endeavour to provide you with notice prior to the transfer of your personal data to a successor entity); However, use of your personal data will remain subject to this policy;
- to complete any transaction or provide any product or service you have requested or authorised;
- in relation to receiving professional advice or the audit of our accounts;
- to maintain the security of our products and services; or
- to protect ours, yours and our Clients’ rights and freedoms and to protect our property.
We have implemented what we consider to be robust and appropriate technical and organizational security measures designed to protect the security of any personal data we process to guard against unauthorised or unlawful processing of your personal data and against accidental loss or destruction of, or damage to, your personal data. Risk assessment, including assessing risks to the rights and freedoms of data subjects, is at the heart of our Information Security Management System (ISMS), which is certified to the ISO/IEC 27001:2013 standard. Importantly, we also assess our suppliers and sub-processors, who maintain the same and/or additional accreditations, certifications and compliance programmes. We have security measures in place to protect our user database and access to this database is restricted internally.
However, even with these measures in place we have no control over what happens between your mobile or communications device and the perimeter of our information infrastructure. You should always be aware of the many cyber security risks that exist in the modern environment and take appropriate steps to safeguard your own personal data (keeping devices and applications up to date, good password practice, adoption of techniques such as two-factor authentication, being aware of modern threats such as phishing and malware, etc.) Despite the measures taken by us and the third parties we engage, the internet is not secure. As a result others may nevertheless unlawfully intercept or access private transmissions or data. Our website(s) may contain links to third parties’ websites. We are not responsible for the privacy practices or the content of those websites. Therefore, please read carefully any privacy policies on those links or websites before either agreeing to their terms or using those websites. Note also that if you have asked us to share data with third party sites (such as social media sites), their servers may not be secure.
We take the privacy and protection of your personal data very seriously and use a number of methods to try to keep your personal data secure from loss or unauthorised use, alteration or access when it is in our possession or control and that of any third parties. These methods include reasonable physical, technical and organisational measures to restrict access to your personal data. Your personal data is encrypted at rest (i.e. whilst it is being stored) but also whilst in transit by using the latest cryptography technologies. Access to your personal data (e.g. amongst our employees and Clients) is strictly controlled by a combination of policies, secure passwords, permissions-based user roles, best practice processes and procedures, multi factor authentication and more. Additionally, we ensure that your personal data is further protected through enforceable contractual agreements with any third parties (e.g. Data Protection Agreements, standard contractual clauses, confidentiality clauses, etc.)
Where you have chosen a password which enables you to access certain parts of our website and/or applications, you are responsible for keeping this password confidential. You should never share a password with anyone nor should it be used to provide shared access for example over a network and you should ensure that passwords are strong, unique and that you do not reuse or recycle passwords. You should also ensure no-one else uses the website while your device is logged on to the website (including by logging on to your device through a mobile, Wi-Fi or shared access connection you are using).
Where required by applicable law, we will notify you or our Clients of any loss of or unauthorised access or alteration to your personal data, and we will cooperate with the appropriate authorities to investigate such incidents in a timely fashion.
10. International transfers of personal data
We are a global company with service providers and Clients operating in many countries around the world, including outside of the European Economic Area (EEA). We use cloud-based storage solutions, meaning that your personal data may be transferred and processed in locations outside of your state, province or country, where the privacy laws may not be as protective as those in your jurisdiction. Our Clients may also operate in such locations and may require that we transfer your personal data to them in those locations. Under data protection law, we can only transfer your personal data to a country outside the UK and EEA under certain legally prescribed circumstances such as where a so-called Adequacy Decision has been granted to a country or applying legally-approved standard data protection contract clauses. We will ensure that protections required by applicable UK and EEA laws are met concerning such international transfers your personal data.
We take steps to ensure that your personal data is kept secure regardless of its location and when being transferred internationally, in compliance with applicable laws. Please refer to Section 9 above for more information on where we have considered any potential risks and taken necessary precautions.
11. Retention of your personal data
We keep your personal data for as long as is necessary to fulfil the purpose for which it was processed. In most cases, this will be the duration of a particular meeting, event, project or campaign for which our Client has asked us to process your personal data. However, we are subject to our Clients’ instructions and they may ask us to retain it for longer or to delete it sooner. We regularly audit the personal data we retain to ensure that it remains relevant to our current requirements and those of our Clients. In some circumstances we may also need to keep your personal data for as long as necessary in order to:
- respond to any questions, complaints or claims made by you or on your behalf;
- to show that we treated you fairly;
- to keep records required by law.
We may maintain a permanent record of anonymized location, demographic and survey information. This information is used to produce aggregated consumer insights and cannot be used to identify individuals.
We do not knowingly process personal data of minors or children. We have no control over who contacts us, or means of verifying their age, but it is not our policy to conduct business with anyone under 18 years of age. For our Clients (the data controller), if they are using our products and services to process personal data of children, then they must comply with the data protection laws applicable to them. In these very rare circumstances, our Clients are obliged to obtain express consent from the children’s parents or legal guardians prior to the use of our service.
13. Your rights
As a data subject whose personal data we process, you have certain rights, subject to some conditions and exceptions. If you wish to exercise any of these rights, then please email firstname.lastname@example.org or use the contact details supplied below. In order to process your requests, we may need to ask you to provide up to two valid forms of identification for verification purposes. Depending on the reasons we are processing your personal data, we may have to refer you to our Client you have provided consent to (i.e. as the data processor or in some cases sub-processor, we are obliged to refer you to the data controller to make such requests).
If you have given permission, we may contact you by mail, telephone, SMS, text/picture/video message, email about products, services, promotions, special offers, events, webcasts, conferences and charitable causes that may be of interest to you. If you prefer not to receive any direct marketing communications from us, you can opt out at any time. You have the right to object to the processing of your personal data for direct marketing purposes. If your objection is not to direct marketing in general, but to direct marketing by a particular channel e.g. email or telephone, please specify the channel you are objecting to.
Your rights are as follows:
- The right to be informed. Further, you also have the right to access, correct, delete, restrict, be forgotten, or object to processing of, or request data portability of the personal data collected about you, subject to some conditions and exceptions. You can find out more about these rights in the UK and EU respectively by reading the UK Data Protection Act 2018 here https://www.legislation.gov.uk/ukpga/2018/12/contents/enacted and the EU General Data Protection Regulation here https://eur-lex.europa.eu/eli/reg/2016/679/oj.
- The right of access. You may request a copy of the personal data we hold about We may need to verify your identity. In such instances, once we have verified your identity and, if relevant, the authority of any third-party requestor, we will provide access to the personal data we hold about you as well as the following;
- The categories of personal data concerned
- The purpose for processing the personal data
- If applicable, who we have disclosed the personal data to
- The proposed or planned retention period for that personal data
- The source of personal data, if collected from a third party
- The right to rectification. If you feel we hold inaccurate or incomplete personal data about you, you may exercise your right to correct or complete it. This may be used in conjunction with the right to restrict processing (see below) to make sure that incorrect or incomplete personal data is not processed until it has been rectified.
- The right to erasure. Often referred to as the ‘right to be forgotten’. For example, where no overriding legal basis or legitimate reason continues to exist for processing your personal data, you have the right to request that we delete that personal data. We will always take all reasonable steps to ensure the erasure or deletion of your personal data.
- The right to restrict processing. You have the right to ask us to stop processing your personal data. We will still store the personal data, but will not process it further. This right is an alternative to the right to erasure. If any of the following conditions apply, then you may exercise your right to restrict processing;
- You contest accuracy of your personal data and we are verifying it.
- Your personal data has been unlawfully processed and you oppose its erasure.
- We no longer need the personal data for processing but the personal data is required by you to establish, exercise or defend a legal claim).
- You have exercised your right to object and processing is restricted pending verification as to whether the legitimate grounds of a data controller override yours (in particular situations)
- The right to data portability. You may request personal data which we hold, to be transferred to you, another controller, processor or third party. We must ensure we provide it in a structured, commonly used and machine-readable format. This right only applies where the lawful basis for processing is either consent or for the performance of a contract and the processing is carried out by automated means.
- The right to object. You have the right to object to our processing of your personal data including in circumstances concerning your legitimate interests and direct marketing respectively.
14. Contact Us
Should you have any questions, comments or concerns about this policy or how we handle and process your personal data then please email email@example.com.
As an alternative, you can get in touch with us at our headquarters using the following postal address or phone number;
Lumi Holdings Ltd.
Ordnance Business Park
Tel: +44 (0)3300 583 952
Our UK hours of operation are 09:00 – 17:30, Monday to Friday (except public holidays).
If English is not your first language, then please visit the Contact Us page on our website to find telephone numbers and addresses for our regional offices. If you would like this notice in another format (for example audio, large print, braille) please contact us.
If you wish to complain or discuss any grievances with us, please don’t hesitate to contact us using the details provided above. All complaints are treated confidentially. Should you be unhappy with how we are handling or have handled your personal data, or about any former complaints you have made to us, then you are entitled to escalate your complaint to a supervisory authority within the region you are based. As detailed above, our company headquarters are based in the United Kingdom, where the Information Commissioner’s Office (ICO) is the data protection regulator (https://ico.org.uk/).