Privacy Policy
Information We Collect
We collect personal information that you provide directly to us, information that is collected automatically when you use the Services, and information from third-party sources. The specific information depends on how you interact with lumamber.com.
Information you provide directly
Contact details — name, address, billing and shipping address, phone number, email address
Account information — username, password, preferences, settings (if you create an account)
Order & transaction details — items purchased, returned, or exchanged; transaction history
Communications — the content of emails, Messenger conversations, or contact form submissions you send us
Marketing preferences — consent choices for email marketing, advertising, and cookies
Information collected automatically
Device & browser data — IP address, browser type, operating system, screen resolution, device identifiers
Usage information — pages viewed, items added to cart, traffic source, time spent on pages, click patterns
Location (approximate) — derived from your IP address for shipping availability and tax purposes
Cookies & tracking pixels — see Section 03 for full disclosure of advertising and analytics pixels
Payment information — we never see your full card details
When you pay by card, BLIK, Apple Pay, or Google Pay, the payment is processed by Shopify Payments (PCI-DSS Level 1 certified). Lumamber receives confirmation that payment succeeded and a token reference — we never store or have access to your full card number, CVV, or expiry date. For BLIK transactions, your bank authenticates and authorises the payment within its app; we only see the result.
How We Use Your Information & Legal Basis
Under EU GDPR Article 6, every use of your personal data must rest on a defined lawful basis. The table below identifies each processing purpose and the corresponding legal basis we rely on.
Cookies & Tracking Pixels
lumamber.com uses cookies and tracking pixels to provide the site, measure performance, and run advertising. A cookie consent banner appears on your first visit, giving you granular control over which categories you accept. Cookie consent in Poland is governed by Article 173 of the Polish Telecommunications Law and the EU ePrivacy Directive 2002/58/EC. You can change your preferences at any time via the cookie settings link in the footer.
Essential cookies (always on)
Required for the cart, checkout, session management, and payment processing. Managed by Shopify Inc. Cannot be disabled. Legal basis: legitimate interests / contract necessity.
Non-essential (consent required)
Analytics and advertising cookies (including the two pixels disclosed below) only fire after you accept them in the cookie banner. Legal basis: consent (GDPR Art. 6(1)(a) + ePrivacy).
Tracking pixels we use
Advertising pixel
Meta Pixel
Operated by Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Used for Facebook and Instagram advertising.
What it tracks
Page views, products viewed, items added to cart, purchases (with order value), browser data, IP address, hashed email (where you provide one at checkout).
Why we use it
To measure the performance of Facebook and Instagram ads, build Custom Audiences of past visitors for retargeting, and create Lookalike Audiences to find similar potential customers.
Data destination
Meta servers globally, including the United States. Transfers based on EU Standard Contractual Clauses and the EU-US Data Privacy Framework (Meta is DPF-certified).
Joint controller
For certain processing, Lumamber and Meta are joint controllers under EDPB guidance. Joint controller terms apply.
How to opt out
Decline advertising cookies in our cookie banner, or visit Meta Ad Preferences.
Analytics & advertising
Google (GA4 + Ads)
Operated by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Used for site analytics (Google Analytics 4) and Google Ads conversion tracking.
What it tracks
Page views, traffic source, behaviour flow, conversion events, IP address (anonymised per GA4 default), browser and device data, time on site, click patterns.
Why we use it
To understand how visitors find and use lumamber.com (GA4), measure Google Ads campaign performance, and build remarketing lists for serving relevant ads on Google's Search, Display, and YouTube networks.
Data destination
Google servers globally, including the United States. Transfers based on EU Standard Contractual Clauses and the EU-US Data Privacy Framework (Google is DPF-certified).
Retention
GA4 data retained for 14 months by default; you can request earlier deletion via the contact below.
How to opt out
Decline analytics and advertising cookies in our cookie banner. You can also visit Google Ad Settings or install the GA4 opt-out extension.
Your control over tracking
You can decline all advertising and analytics cookies in our cookie banner on first visit, or change your preferences at any time via the cookie settings link in our footer. Declining cookies does not affect your ability to browse and purchase from lumamber.com.
Who We Share Your Information With
We share your personal information with the following categories of third parties, each of which acts either as a processor on our behalf or, in some cases, as an independent or joint controller. We never sell your personal information to data brokers.
Service providers (processors acting on our behalf)
Shopify Inc. (Ottawa, Canada) and Shopify International Ltd. (Dublin, Ireland) — the platform that hosts lumamber.com, manages checkout, and processes payments via Shopify Payments.
Shipping carriers — DHL Express, DPD, InPost, and other partners handling delivery from Hong Kong to your address. Carriers receive your shipping address, name, and phone number only.
Customer service tools — email infrastructure providers and Facebook Messenger (Meta) for customer support.
Fulfilment partner — our Hong Kong-based fulfilment partner who picks, packs, and dispatches your orders.
Advertising & analytics partners
Meta Platforms Ireland Limited — for Facebook and Instagram advertising via the Meta Pixel (Section 03).
Google Ireland Limited — for Google Analytics 4 and Google Ads via the Google Pixel (Section 03).
These transfers only occur if you have accepted advertising cookies in our cookie banner.
Corporate group & legal
BULKECOM LLC-FZ (Dubai, UAE) — our parent and brand-owner entity, on a need-to-know basis for brand operations and strategic reporting.
Tax authorities, regulators & law enforcement — when required by Hong Kong, Polish, or EU law (e.g., tax filings, lawful requests, fraud investigations).
Professional advisors — accountants, lawyers, and auditors bound by professional confidentiality.
We don't sell your data
Lumamber does not sell your personal information to data brokers, list rental companies, or any third party for commercial profit. Where data is shared with advertising partners (Meta, Google), it is for the specific purposes disclosed in Section 03 and only with your cookie consent.
International Data Transfers
Because BULKECOM LIMITED is incorporated in Hong Kong (outside the European Economic Area), your personal information will be transferred outside the EU/EEA when you place an order, contact us, or interact with our site. We use legally recognised transfer mechanisms to ensure your data receives equivalent protection.
Transfer mechanisms we rely on
Standard Contractual Clauses (SCCs) — for transfers from the EU/EEA to Hong Kong (BULKECOM LIMITED) and to other non-adequate jurisdictions. Approved by European Commission Decision 2021/914.
EU-US Data Privacy Framework (DPF) — for transfers to US-based processors. Meta and Google are both DPF-certified. Decision 2023/1795.
Adequacy decisions — where transfers go to countries the European Commission has determined provide adequate protection (e.g., Canada for Shopify Inc.).
Hong Kong's data protection framework
Hong Kong is not currently the subject of an adequacy decision by the European Commission, but operates its own data protection regime under the Personal Data (Privacy) Ordinance (PDPO) supervised by the Privacy Commissioner for Personal Data (PCPD). Standard Contractual Clauses bridge the protection gap by contractually binding us to GDPR-equivalent standards.
Request a copy of our SCCs
You have the right to request a copy of the Standard Contractual Clauses we use for transferring your data outside the EU/EEA. Email info@lumamber.com with the subject “SCC Request” and we will provide the relevant documentation within 30 days.
Your Rights & Choices
Under EU GDPR, the Polish Act on the Protection of Personal Data, and equivalent national laws, you have the following rights regarding your personal information. We will respond to any verified request within 30 days as required by GDPR Article 12.
Your GDPR rights
Right of access (Art. 15) — request a copy of the personal information we hold about you.
Right to rectification (Art. 16) — ask us to correct inaccurate or incomplete information.
Right to erasure / “right to be forgotten” (Art. 17) — ask us to delete your data, subject to legal retention obligations.
Right to restriction (Art. 18) — ask us to limit how we process your information.
Right to data portability (Art. 20) — receive your data in a structured, machine-readable format and request its transfer to another controller.
Right to object (Art. 21) — object to processing based on legitimate interests, including for direct marketing.
Right to withdraw consent (Art. 7) — where processing is based on consent, you can withdraw at any time without affecting previously lawful processing.
Right not to be subject to automated decisions (Art. 22) — we do not make significant automated decisions about you; if we ever did, you would have the right to human review.
How to exercise your rights
Email info@lumamber.com with the subject line “Privacy Request — [Right name]” (e.g., “Privacy Request — Access” or “Privacy Request — Erasure”). We will respond within 30 days.
To protect your data, we may need to verify your identity before fulfilling a request. We do not discriminate against customers who exercise their rights, and exercising your rights is free of charge except in cases of manifestly unfounded or excessive requests.
Right to lodge a complaint with UODO
If you believe we have not handled your personal information lawfully, you have the right to lodge a complaint with the Polish data protection authority:
Urząd Ochrony Danych Osobowych (UODO)
ul. Stawki 2, 00-193 Warsaw, Poland
Web: uodo.gov.pl
EU residents in other member states may contact their national data protection authority.
How Long We Keep Your Information
We retain your personal information only as long as necessary to fulfil the purposes for which it was collected, and to comply with legal obligations. Specific retention periods are listed below.
Retention periods
Order & transaction data — 7 years from the date of order, in compliance with the Polish Accounting Act (Article 74) and Hong Kong Inland Revenue Ordinance record-keeping requirements.
Account data — for as long as your account remains active, plus a reasonable period after closure for legal and dispute-resolution purposes.
Marketing consent & preferences — until you withdraw consent or unsubscribe, plus a record of the withdrawal itself for compliance evidence.
Customer service correspondence — 2 years from last contact, unless retained longer for warranty or dispute purposes.
Google Analytics 4 data — 14 months by default; configurable per GA4 settings.
Cookie consent records — 12 months from acceptance, after which the banner reappears for renewed consent.
Fraud prevention logs — up to 5 years for security and dispute purposes.
Security of Your Information
We implement appropriate technical and organisational measures to protect your personal information from unauthorised access, alteration, disclosure, or destruction, as required by GDPR Article 32.
Security measures in place
TLS encryption — all traffic to and from lumamber.com is encrypted in transit (TLS 1.2 or higher).
PCI-DSS Level 1 — payment processing is handled by Shopify Payments at the highest level of payment security certification.
Access controls — access to personal information is restricted to authorised personnel on a need-to-know basis, with strong authentication.
No card storage — Lumamber never stores full card numbers, CVV codes, or expiry dates. All card data is tokenised by Shopify.
Regular review — security practices are reviewed periodically and updated to reflect new threats and regulatory requirements.
No system is perfect
While we take security seriously, no internet transmission or electronic storage system is 100% secure. We cannot guarantee absolute security. In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and the relevant supervisory authority (UODO) without undue delay, as required by GDPR Articles 33 and 34.
Children's Privacy
lumamber.com is not directed at children. We do not knowingly collect personal information from anyone under 16 years of age, which is the age of consent for data processing in Poland and in many EU member states. If you are under 16, please do not provide any personal information through our site, and ask a parent or guardian to make any purchase on your behalf.
If we have collected a child's data
If you are a parent or guardian and believe that we have collected personal information from a child without your consent, please contact us at info@lumamber.com. We will promptly delete the information and any associated account.
Changes to This Policy & Contact
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other operational reasons. The revised version will be posted on this page with an updated “Last updated” date. For material changes, we will notify you by email (if you have given us your email address) or via a prominent notice on lumamber.com before the changes take effect.
This Privacy Policy is subject to change. The version currently in force is the one published on this page. For consumers resident in the European Union, the EU General Data Protection Regulation (2016/679) and the Polish Act on the Protection of Personal Data of 10 May 2018 apply in addition to and prevail over the terms of this policy wherever they offer more favourable protection. Effective 20 August 2025. Last updated 17 May 2026.