Privacy Policy
Last updated: May 2026
Lumme Skin ("we," "us," "our") is committed to protecting your personal data and being transparent about how we use it. This policy explains what we collect, why we collect it, and what your rights are.
Who We Are
Lumme Skin is a UK-based skincare brand. If you have any questions about this policy or how we handle your data, contact us at [your email].
What Data We Collect
When you interact with our website or place an order, we may collect:
- Your name, email address, phone number, and delivery address
- Payment information — processed securely through our payment provider; we never store your full card details
- Your order history and purchase behaviour
- Your IP address, browser type, and device information
- How you navigate and interact with our website (via cookies — see our Cookie Policy)
- Any information you voluntarily provide when contacting us
Why We Collect It
We use your data to:
- Process and fulfil your orders
- Send you order confirmations, shipping updates, and delivery notifications
- Respond to your enquiries and customer service requests
- Send you marketing emails if you've opted in — you can unsubscribe at any time
- Improve our website and understand how customers use it
- Comply with our legal obligations
We will never sell your personal data to third parties.
Our Legal Basis for Processing
Under UK GDPR, we process your data on the following grounds:
- Contract — to fulfil orders you've placed with us
- Legitimate interests — to improve our services and prevent fraud
- Consent — for marketing communications and non-essential cookies
- Legal obligation — where the law requires us to retain certain records
Who We Share Your Data With
We share your data only where necessary, with:
- Our payment processors (to handle transactions securely)
- Our shipping and fulfilment partners (to deliver your order)
- Our email marketing platform (if you've opted in to communications)
- Our website analytics provider
- Legal authorities, if required by law
All third parties we work with are required to handle your data securely and in accordance with UK data protection law.
How Long We Keep Your Data
We retain your personal data for as long as necessary to fulfil the purposes outlined in this policy. Order records are kept for 7 years in line with HMRC requirements. If you request deletion of your account or data, we will action this within 30 days unless we are legally required to retain certain records.
Your Rights
Under UK GDPR, you have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your data ("right to be forgotten")
- Object to or restrict how we process your data
- Withdraw consent for marketing at any time
- Lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk
To exercise any of these rights, email us at [your email]. We'll respond within 30 days.
Data Security
We take reasonable technical and organisational measures to protect your personal data against unauthorised access, loss, or misuse. Our website uses SSL encryption. However, no method of internet transmission is 100% secure — if you have concerns, contact us directly.
Third-Party Links
Our website may contain links to third-party sites. We are not responsible for the privacy practices of those sites and recommend you read their policies independently.
Changes to This Policy
We may update this policy from time to time. The "last updated" date at the top of this page will always reflect the most recent version. Continued use of our website after changes constitutes acceptance of the updated policy.