Our Commitment to Data Protection
Lumora Energy is committed to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We take the protection of personal data seriously, particularly given that our services involve children and families.
Data Controller Information
Lumora Energy acts as the data controller for personal information collected through our website and services.
Registered Address:
Lumora Energy Ltd
Unit 14, The Custard Factory
Gibb Street, Digbeth
Birmingham B9 4AA
ICO Registration Number: ZA987654
Data Protection Contact: [email protected]
Lawful Bases for Processing
We process personal data under the following lawful bases as defined by Article 6 of UK GDPR:
Consent (Article 6(1)(a))
- Processing children's personal data for educational programmes
- Sending marketing communications
- Using non-essential cookies
Contractual Necessity (Article 6(1)(b))
- Processing bookings and enrolments
- Delivering educational services
- Processing payments
- Communicating about scheduled sessions
Legitimate Interests (Article 6(1)(f))
- Improving our services based on feedback
- Website analytics for service improvement
- Maintaining business records
- Fraud prevention and security
Legal Obligation (Article 6(1)(c))
- Tax and accounting records
- Safeguarding obligations
- Responding to legal requests
Your Rights Under UK GDPR
You have the following rights regarding your personal data:
Right of Access (Article 15)
You can request a copy of the personal data we hold about you. We will respond within one month of receiving your request.
Right to Rectification (Article 16)
You can request correction of inaccurate or incomplete personal data.
Right to Erasure (Article 17)
You can request deletion of your personal data in certain circumstances, such as when the data is no longer necessary for the purposes it was collected.
Right to Restrict Processing (Article 18)
You can request that we limit how we use your data while we address concerns you have raised.
Right to Data Portability (Article 20)
You can request your data in a structured, commonly used format to transfer to another provider.
Right to Object (Article 21)
You can object to processing based on legitimate interests or for direct marketing purposes.
Rights Related to Automated Decision-Making (Article 22)
We do not make automated decisions that significantly affect you. All decisions involving our services are made by humans.
Children's Data
Given the nature of our services, we process personal data relating to children. We apply enhanced protections:
- We always obtain parental or guardian consent before collecting children's data
- We collect only the minimum data necessary for our educational services
- We do not use children's data for marketing purposes
- Parents have full access to and control over their child's data
- We apply strict access controls to children's data
- We conduct enhanced DBS checks on all staff who access children's data
Data Processors
We use carefully selected third-party processors who comply with UK GDPR:
- Payment processing: Secure, PCI-DSS compliant payment providers
- Email services: GDPR-compliant email delivery platforms
- Website hosting: UK-based servers with appropriate security measures
- Booking systems: GDPR-compliant scheduling software
All processors are bound by data processing agreements that ensure they protect your data appropriately.
International Transfers
We primarily store and process data within the United Kingdom. Where international transfers are necessary (for example, through certain cloud services), we ensure appropriate safeguards are in place, such as:
- Standard Contractual Clauses approved by the ICO
- UK Adequacy Decisions where applicable
- Binding Corporate Rules for relevant service providers
Data Security
We implement technical and organisational measures to protect personal data:
- Encryption of data in transit (TLS/SSL) and at rest
- Regular security assessments and updates
- Staff training on data protection and security
- Access controls based on role and necessity
- Secure disposal of data when no longer needed
- Incident response procedures
Data Breach Procedures
In the event of a personal data breach, we will:
- Assess the breach and contain it as quickly as possible
- Notify the ICO within 72 hours if required
- Notify affected individuals without undue delay if there is a high risk to their rights and freedoms
- Document the breach and our response
- Review and improve our security measures as needed
How to Exercise Your Rights
To exercise any of your GDPR rights, please contact us:
Email: [email protected]
Post: Data Protection, Lumora Energy, Unit 14, The Custard Factory, Gibb Street, Digbeth, Birmingham B9 4AA
We will respond to your request within one month. In complex cases, we may extend this by up to two additional months, but we will inform you of any extension.
We may need to verify your identity before fulfilling certain requests.
Complaints
If you are not satisfied with how we handle your personal data or your rights request, you have the right to lodge a complaint with the Information Commissioner's Office:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Website: lumora-energy.com
Updates to This Notice
We may update this GDPR compliance information periodically. Significant changes will be communicated through our website and, where appropriate, directly to individuals whose data we process.