Privacy policy
Lumessa operates this store and website, including all related information, content, features, tools, products and services, in order to provide you, the customer, with a curated shopping experience (the “Services”). Lumessa is powered by Shopify, which enables us to provide the Services to you. This Privacy Policy describes how we collect, use, and disclose your personal information when you visit, use, or make a purchase or other transaction using the Services or otherwise communicate with us.
If there is a conflict between our Terms of Service and this Privacy Policy, this Privacy Policy controls with respect to the collection, processing, and disclosure of your personal information.
This Privacy Policy is governed by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. For the purpose of applicable data protection laws, Lumessa is the data controller of your personal information.
Please read this Privacy Policy carefully. By using and accessing any of the Services, you acknowledge that you have read this Privacy Policy and understand the collection, use, and disclosure of your information as described in this Privacy Policy.
Personal Information We Collect or Process
When we use the term “personal information,” we are referring to information that identifies or can reasonably be linked to you or another person. Personal information does not include information that is collected anonymously or that has been de-identified, so that it cannot identify or be reasonably linked to you. We may collect or process the following categories of personal information, including inferences drawn from this personal information, depending on how you interact with the Services, where you live, and as permitted or required by applicable law:
• Contact details including your name, address, billing address, shipping address, phone number, and email address.
• Financial information including credit card, debit card, and financial account numbers, payment card information, transaction details, form of payment, payment confirmation and other payment details.
• Account information including your username, password, security questions, preferences and settings.
• Transaction information including the items you view, put in your cart, add to your wishlist, or purchase, return, exchange or cancel and your past transactions.
• Communications with us including the information you include in communications with us, for example, when sending a customer support inquiry.
• Device information including information about your device, browser, or network connection, your IP address, and other unique identifiers.
• Usage information including information regarding your interaction with the Services, including how and when you interact with or navigate the Services.
Personal Information Sources
We may collect personal information from the following sources:
• Directly from you including when you create an account, visit or use the Services, communicate with us, or otherwise provide us with your personal information;
• Automatically through the Services including from your device when you use our products or services or visit our websites, and through the use of cookies and similar technologies;
• From our service providers including when we engage them to enable certain technology and when they collect or process your personal information on our behalf;
• From our partners or other third parties.
How We Use Your Personal Information
Under UK GDPR, we must have a lawful basis for processing your personal information. Depending on how you interact with us or which of the Services you use, we may use personal information for the following purposes:
• Provide, Tailor, and Improve the Services. We use your personal information to provide you with the Services, including to perform our contract with you, to process your payments, to fulfil your orders, to remember your preferences and items you are interested in, to send notifications to you related to your account, to process purchases, returns, exchanges or other transactions, to create, maintain and otherwise manage your account, to arrange for shipping, to facilitate any returns and exchanges, to enable you to post reviews, and to create a customised shopping experience for you, such as recommending products related to your purchases. This may include using your personal information to better tailor and improve the Services. Lawful basis: performance of a contract and legitimate interests.
• Marketing and Advertising. We use your personal information for marketing and promotional purposes, such as to send marketing, advertising and promotional communications by email or text message, and to show you online advertisements for products or services on the Services or other websites, including based on items you previously have purchased or added to your cart and other activity on the Services. We will only send you direct marketing communications where you have given your explicit consent, in accordance with UK GDPR and the Privacy and Electronic Communications Regulations 2003 (PECR). You can opt out at any time by clicking the “unsubscribe” link in our emails, replying STOP to text messages, or contacting us at support@lumessa.com. Lawful basis: consent.
• Security and Fraud Prevention. We use your personal information to authenticate your account, to provide a secure payment and shopping experience, detect, investigate or take action regarding possible fraudulent, illegal, unsafe, or malicious activity, protect public safety, and to secure our services. If you choose to use the Services and register an account, you are responsible for keeping your account credentials safe. We highly recommend that you do not share your username, password or other access details with anyone else. Lawful basis: legitimate interests.
• Communicating with You. We use your personal information to provide you with customer support, to be responsive to you, to provide effective services to you and to maintain our business relationship with you. Lawful basis: performance of a contract and legitimate interests.
• Legal Reasons. We use your personal information to comply with applicable law or respond to valid legal process, including requests from law enforcement or government agencies, to investigate or participate in civil discovery, potential or actual litigation, or other adversarial legal proceedings, and to enforce or investigate potential violations of our terms or policies. Lawful basis: legal obligation and legitimate interests.
How We Disclose Personal Information
In certain circumstances, we may disclose your personal information to third parties for legitimate purposes subject to this Privacy Policy. Such circumstances may include:
• With Shopify, vendors and other third parties who perform services on our behalf (e.g. IT management, payment processing, data analytics, customer support, cloud storage, fulfilment and shipping).
• With business and marketing partners to provide marketing services and advertise to you, where you have consented to this. Our business and marketing partners will use your information in accordance with their own privacy notices. You have the right to object to the processing of your data for direct marketing purposes at any time.
• When you direct, request us or otherwise consent to our disclosure of certain information to third parties, such as to ship you products or through your use of social media widgets or login integrations.
• With our affiliates or otherwise within our corporate group.
• In connection with a business transaction such as a merger or bankruptcy, to comply with any applicable legal obligations (including to respond to subpoenas, search warrants and similar requests), to enforce any applicable terms of service or policies, and to protect or defend the Services, our rights, and the rights of our users or others.
We do not sell your personal information. We do not share your personal information with third parties for their own direct marketing purposes without your explicit consent.
Relationship with Shopify
The Services are hosted by Shopify, which collects and processes personal information about your access to and use of the Services in order to provide and improve the Services for you. Information you submit to the Services will be transmitted to and shared with Shopify as well as third parties that may be located in countries other than where you reside, in order to provide and improve the Services for you.
To learn more about how Shopify uses your personal information and any rights you may have, you can visit the Shopify Consumer Privacy Policy (https://www.shopify.com/ph/legal/privacy/consumers). You may exercise certain rights with respect to your personal information here: https://privacy.shopify.com/en.
International Data Transfers
Some of our third-party service providers, including Shopify, may be located outside the United Kingdom. Where your personal data is transferred outside the UK, we ensure that appropriate safeguards are in place to protect your data in compliance with UK GDPR. These safeguards may include:
• Transfers to countries that the UK Government has determined provide an adequate level of data protection.
• Standard Contractual Clauses (SCCs) approved by the Information Commissioner’s Office (ICO).
• Other legally recognised transfer mechanisms that ensure your data receives equivalent protection.
If you would like more information about the specific safeguards we have in place, please contact us at support@lumessa.com.
Third Party Websites and Links
The Services may provide links to websites or other online platforms operated by third parties. If you follow links to sites not affiliated or controlled by us, you should review their privacy and security policies and other terms and conditions. We do not guarantee and are not responsible for the privacy or security of such sites, including the accuracy, completeness, or reliability of information found on these sites.
Information you provide on public or semi-public venues, including information you share on third-party social networking platforms may also be viewable by other users of the Services and/or users of those third-party platforms without limitation as to its use by us or by a third party. Our inclusion of such links does not, by itself, imply any endorsement of the content on such platforms or of their owners or operators, except as disclosed on the Services.
Children’s Data
The Services are not intended to be used by children, and we do not knowingly collect any personal information about children under 16 years of age. If you are the parent or guardian of a child who has provided us with their personal information, you may contact us using the contact details set out below to request that it be deleted.
As of the effective date of this Privacy Policy, we do not have actual knowledge that we “share” or “sell” (as those terms are defined in applicable law) personal information of individuals under 16 years of age.
Cookies and Similar Technologies
Our website uses cookies and similar tracking technologies. Cookies are small text files placed on your device that help us provide and improve our services. In accordance with UK law and PECR, we will ask for your consent before placing non-essential cookies on your device.
Strictly necessary cookies:
These cookies are essential for the website to function and cannot be switched off. They include cookies that manage your shopping cart, session, and secure checkout. These do not require your consent.
Analytics and performance cookies:
These cookies help us understand how visitors interact with our website by collecting information such as pages visited, time on site, and referring URLs. This data is collected in anonymised or aggregated form. These cookies are only placed with your consent.
Marketing and advertising cookies:
These cookies are used to deliver relevant advertisements to you and to measure the effectiveness of our advertising campaigns. They may be set by us or by third-party advertising partners. These cookies are only placed with your consent.
Shopify cookies used on our site:
• _session_id — unique token, sessional. Allows Shopify to store information about your session (referrer, landing page, etc.).
• _shopify_visit — no data held, persistent for 30 minutes from the last visit. Used by our website provider’s internal stats tracker to record the number of visits.
• _shopify_uniq — no data held, expires midnight of the next day. Counts the number of visits to a store by a single customer.
• cart — unique token, persistent for 2 weeks. Stores information about the contents of your cart.
• _secure_session_id — unique token, sessional.
• storefront_digest — unique token, indefinite. Used to determine if the current visitor has access if the shop has a password.
When you first visit our website, you will be shown a cookie consent banner that allows you to accept or reject non-essential cookies. You can change your cookie preferences at any time by clicking the “Cookie Settings” link in the footer of our website. You can also control cookies through your browser settings. Please note that disabling certain cookies may affect the functionality of our website.
Security and Retention of Your Information
Please be aware that no security measures are perfect or impenetrable, and we cannot guarantee “perfect security.” In addition, any information you send to us may not be secure while in transit. We recommend that you do not use unsecure channels to communicate sensitive or confidential information to us.
How long we retain your personal information depends on different factors, such as whether we need the information to maintain your account, to provide you with Services, comply with legal obligations (such as HMRC tax and accounting requirements, which require us to retain transaction records for 6 years), resolve disputes or enforce other applicable contracts and policies.
Your Rights and Choices
As you reside in the United Kingdom, you have the following rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, subject to exceptions and limitations provided by law:
• Right to Access / Know. You have the right to request access to personal information that we hold about you (known as a “subject access request”).
• Right to Delete. You have the right to request that we delete personal information we maintain about you, in certain circumstances.
• Right to Correct. You have the right to request that we correct inaccurate personal information we maintain about you.
• Right of Portability. You have the right to receive a copy of the personal information we hold about you in a structured, commonly used, machine-readable format, and to request that we transfer it to a third party, in certain circumstances and with certain exceptions.
• Right to Object to Processing and Restriction of Processing. You have the right to ask us to stop or restrict our processing of personal information for certain purposes. You have an absolute right to object to direct marketing at any time.
• Withdrawal of Consent. Where we rely on consent to process your personal information, you have the right to withdraw this consent at any time. If you withdraw your consent, this will not affect the lawfulness of any processing based on your consent before its withdrawal.
• Managing Communication Preferences. We may send you promotional emails, and you may opt out of receiving these at any time by using the unsubscribe option displayed in our emails to you. If you opt out, we may still send you non-promotional emails, such as those about your account or orders that you have made.
You may exercise any of these rights where indicated on the Services or by contacting us at support@lumessa.com. To learn more about how Shopify uses your personal information and any rights you may have, including rights related to data processed by Shopify, you can visit https://privacy.shopify.com/en.
We will not discriminate against you for exercising any of these rights. We may need to verify your identity before we can process your requests, as permitted or required under applicable law. In accordance with applicable laws, you may designate an authorised agent to make requests on your behalf to exercise your rights. Before accepting such a request from an agent, we will require that the agent provide proof you have authorised them to act on your behalf, and we may need you to verify your identity directly with us. We will respond to your request within one month, as required by law.
Text and Email Marketing
Text marketing and notifications (if applicable): By entering your phone number at checkout and explicitly opting in, you agree that we may send you text notifications (for your order, including abandoned cart reminders) and, if separately opted in, text marketing offers. We will only send marketing texts where you have given explicit consent, in compliance with PECR and UK GDPR. Text marketing messages will not exceed 4 per month. You can unsubscribe from further text messages by replying STOP. Message and data rates may apply.
Email marketing: We will only send you marketing emails where you have given explicit opt-in consent. Every marketing email contains an “unsubscribe” link. You can opt out at any time.
Complaints
If you have complaints about how we process your personal information, please contact us using the contact details provided below. We take all complaints seriously and will investigate your concerns promptly.
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK’s supervisory authority for data protection.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time, including to reflect changes to our practices or for other operational, legal, or regulatory reasons. We will post the revised Privacy Policy on this website, update the “Last updated” date and provide notice as required by applicable law.
Contact
Should you have any questions about our privacy practices or this Privacy Policy, or if you would like to exercise any of the rights available to you, please email us at support@lumessa.com.
For the purpose of applicable data protection laws, we are the data controller of your personal information.
Last updated: 1 March 2026
