1. Data Controller
The controller responsible for processing personal data on this website within the meaning of the GDPR is listed in the Imprint.
The purpose of this website is to sell and promote homemade products and to publish posts related to those products.
2. Principles of Data Processing
We process personal data only to the extent necessary to provide our website and services. Processing is carried out in accordance with the GDPR and the Austrian Data Protection Act (DSG). We collect only those data that are necessary for the respective purpose (data minimisation pursuant to Art. 5(1)(c) GDPR).
3. Categories of Data Collected and Legal Bases
3.1 Order Data / Customer Account
When you place an order or create a customer account, we process the following data:
- Name and address (delivery and invoicing)
- E-mail address (order confirmation, communication)
- Phone number (optional, only if provided, for order enquiries)
- Payment data (processed exclusively via our payment service provider; not stored by us)
Legal basis: Art. 6(1)(b) GDPR (performance of a contract). Name, address, and e-mail are required to process your order; without these data the contract cannot be fulfilled.
Note on gender: We do not collect gender as a required field. If such a field appears in a form, it is entirely optional and used solely for personal salutation.
3.2 Contact Requests
When you contact us by e-mail or via the contact form, the data you provide (name, e-mail, message) will be used to process your enquiry.
Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures) or Art. 6(1)(f) GDPR (legitimate interest in responding to customer enquiries).
3.3 Comments
When you leave a comment, we collect the data in the comment form together with your IP address and browser user-agent string for spam detection. An anonymised hash of your e-mail address may be sent to the Gravatar service (privacy policy: https://automattic.com/privacy/). Comments and associated metadata are retained for 24 months.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in maintaining a constructive comment section).
3.4 Newsletter
If you subscribe to our newsletter, we store your e-mail address together with the time of subscription and confirmation (double opt-in). You may unsubscribe at any time via the unsubscribe link in the newsletter or by writing to admin@lumoret.com.
Legal basis: Art. 6(1)(a) GDPR (consent).
3.5 Server Log Files
When you visit our website, the hosting provider automatically records server log files: IP address (anonymised after 7 days), URL accessed, date/time, data volume, referrer URL, browser, and operating system. These data are not merged with other data sources.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the technical provision and security of the website).
4. Cookies
Our website uses cookies. We distinguish between technically necessary cookies (which may be set without consent) and optional cookies (which require your consent).
4.1 Technically Necessary Cookies
- Session cookie for spam detection (no personal content, deleted when browser is closed)
- Login cookie (2 days; if ‘Remember Me’ is selected: 14 days)
- Display preferences cookie (1 year)
- Comment cookie (name, e-mail for future comments; 1 year)
4.2 Optional Cookies (Consent Required)
- Google Analytics (behavioural analysis – see Section 6.1 for details)
You may revoke or adjust your consent settings at any time via our cookie banner (CookieYes).
Legal basis: Technically necessary cookies: Art. 6(1)(f) GDPR; analytics cookies: Art. 6(1)(a) GDPR (consent).
5. Embedded Third-Party Content
Posts on this website may include embedded content from other websites (e.g. videos, images). Embedded content behaves as if you had visited those websites directly. These websites may collect data, set cookies, and track your interactions. We only embed third-party content where necessary.
6. Third-Party Services
6.1 Google Analytics
We use Google Analytics (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) to analyse user behaviour. Google Analytics transfers data to Google servers in the United States (third-country transfer). Google Ireland Limited and Google LLC (USA) have joined the EU-US Data Privacy Framework, recognised by the European Commission as adequate; Standard Contractual Clauses (SCCs) are additionally used. IP anonymisation is enabled. Google Analytics is activated only upon your explicit consent.
- Google Analytics privacy policy: https://support.google.com/analytics/answer/6004245
- Google Ads opt-out: https://adssettings.google.com
Legal basis: Art. 6(1)(a) GDPR (consent); third-country transfer: Art. 45 and/or Art. 46 GDPR.
6.2 Wordfence
To protect our website, we use Wordfence (Defiant Inc., 800 5th Ave Ste 101, PMB 581, Seattle, WA 98104, USA). Wordfence processes IP addresses for threat detection.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in IT security).
6.3 CookieYes
We use CookieYes (CookieYes Ltd., 3 Warren Yard, Milton Keynes, MK12 5NW, United Kingdom) to manage your cookie consents.
Legal basis: Art. 6(1)(c) GDPR (legal obligation to document consent).
6.4 Jetpack (Automattic)
We use Jetpack (Automattic Inc., 60 29th Street #343, San Francisco, CA 94110, USA) for security and performance features. Automattic has joined the EU-US Data Privacy Framework. Privacy policy: https://automattic.com/privacy/.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest).
6.5 Payment Processing
Payments are processed via external payment service providers (not yet implemented). We do not store complete payment data ourselves. Processing is governed by the provider’s own privacy policy.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
7. Retention Periods
We retain your data only for as long as necessary for the respective purpose:
- Order data / customer account: 7 years (statutory retention under Section 132 BAO, Austrian Federal Fiscal Code)
- Contact enquiries: 6 months after completion
- Newsletter subscription: until consent is withdrawn
- Server log files: 7 days (IP anonymisation), thereafter 30 days aggregated
- Comments: 24 months
- Cookie consents (CookieYes): 1 year
After the relevant period, your data will be routinely deleted unless a statutory retention obligation applies.
8. Your Rights
As a data subject you have the following rights under the GDPR:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure / ‘right to be forgotten’ (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object to processing based on legitimate interests (Art. 21 GDPR)
- Right to withdraw consent at any time without giving reasons (Art. 7(3) GDPR)
To exercise your rights, please contact: admin@lumoret.com. We will respond within 30 days.
You also have the right to lodge a complaint with the Austrian Data Protection Authority:
Datenschutzbehoerde (DSB) | Barichgasse 40-42 | 1030 Vienna, Austria | E-mail: dsb@dsb.gv.at | Web: https://www.dsb.gv.at
9. Media Files
If you are a registered user uploading photos, please avoid images with embedded GPS location data (EXIF data). Visitors could download uploaded images and extract location information.
10. Changes to This Privacy Policy
We reserve the right to update this Privacy Policy to reflect changes in law or our services. For material changes affecting your rights, we will notify you by e-mail or a prominent notice on the website before changes take effect.
11. Contact
If you have any questions about this Privacy Policy or the processing of your personal data:
E-mail: admin@lumoret.com | Web: https://lumoret.com/contact/