4️⃣ Privacy Policy

Privacy Policy

Last updated: 24 June 2026

Page title: Privacy Policy · Shopify slug: privacy-policy

LUMIXY ("we", "us", "our") takes the protection of your personal data seriously. This Privacy Policy explains in a transparent and accessible manner what personal data we collect, why we collect it, and how it is managed. The applicable frameworks include the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR) and the Data Protection Act 2018.

1. Data Controller

The data controller within the meaning of the UK GDPR is the operator of lumixy.com. For any queries regarding this policy or the processing of your data, please write to contact@lumixy.com. Full provider details are available on our Legal Notice page.

2. Types of Data We Process

When you place an order or send an enquiry, we handle the following categories of data:

  • First and last name, together with email address
  • Delivery and billing address
  • Phone number (optional — used only for delivery notifications)
  • Payment details (securely managed by our payment partners — card data is never stored by us)
  • Order and purchase history
  • Technical data concerning your device and browsing behaviour (IP address, browser type, pages visited)

3. Purposes of Processing and Legal Bases

  • Order fulfilment — name, address, email and payment details are needed to execute the purchase agreement with you (Art. 6(1)(b) UK GDPR).
  • Buyer communications — including order confirmations, despatch notifications and responses to service queries (Art. 6(1)(b) UK GDPR).
  • Improvement of our service — usage data helps us refine and develop our website on an ongoing basis (Art. 6(1)(f) UK GDPR — legitimate interest).
  • Compliance with legal obligations — commercial records are retained in line with applicable tax and company law (Art. 6(1)(c) UK GDPR).

4. Payment Processing

Transactions are handled by our payment partners (including Stripe, PayPal, Klarna and Viva Wallet), all of whom hold PCI DSS Level 1 certification. Card details are entered directly within their secure environments — the full card number, CVV and expiry date are never visible to or stored by LUMIXY.

5. Data Retention Period

Order-related data is retained for between 6 and 10 years in accordance with UK tax and accounting legislation (notably HMRC requirements and the Companies Act 2006). Marketing preferences are stored until you opt out. Data no longer required for its original purpose is deleted or anonymised promptly.

6. Recipients of the Data

Personal data is shared with third parties only to the extent necessary to fulfil your order:

  • Logistics providers (e.g. Royal Mail, DHL, DPD, Evri, UPS) for the delivery of goods
  • Payment partners for secure transaction processing
  • Email service providers for transactional communications
  • Hosting providers for the technical operation of the website
  • Accountants and legal advisers, where required by law

Data processing agreements compliant with Art. 28 UK GDPR have been concluded with all our processors.

7. Data Transfers to Third Countries

Transfers of personal data to countries outside the United Kingdom or the European Economic Area (EEA) are carried out only where an adequacy decision exists, or where appropriate safeguards — such as the Standard Contractual Clauses approved by the UK or EU Commission — are in place under Art. 45 ff. UK GDPR.

8. Cookies and Tracking

Our website uses cookies and comparable technologies. Further information is set out in our Cookie Policy. Non-essential cookies may be declined or adjusted at any time via the cookie banner or your browser settings.

9. Your Rights as a Data Subject

You hold the following rights with respect to your personal data:

  • Right of access (Art. 15 UK GDPR) — you may request a summary of the data we hold about you
  • Right to rectification (Art. 16 UK GDPR) — inaccurate data may be corrected
  • Right to erasure (Art. 17 UK GDPR) — subject to any applicable legal retention obligations
  • Right to restriction of processing (Art. 18 UK GDPR)
  • Right to data portability (Art. 20 UK GDPR)
  • Right to object (Art. 21 UK GDPR) — to processing based on legitimate interest
  • Right to withdraw consent at any time (Art. 7(3) UK GDPR)
  • Right to lodge a complaint with a supervisory authority (Art. 77 UK GDPR)

To exercise any of these rights, please send a brief message to contact@lumixy.com.

10. Security of Your Data

We have put in place appropriate technical and organisational measures to protect your data against unauthorised access, loss and misuse. These include SSL/TLS encryption, secured server environments, access restrictions and regular security reviews.

11. Automated Decision-Making

We do not engage in automated decision-making or profiling within the meaning of Art. 22 UK GDPR.

12. Right to Complain

If you believe that our handling of your data infringes the UK GDPR, you have the right to lodge a complaint with a supervisory authority — in particular the Information Commissioner's Office (ICO) in the United Kingdom (www.ico.org.uk), or any competent authority in the EU member state of your habitual residence, place of work or the location of the alleged infringement.

13. Updates to This Policy

We may update this Privacy Policy from time to time to reflect changes in legislation or our business operations. The version currently in force is always available on this page.