Lumina Analytics, LLC (“Lumina,” “we,” “us”), is committed to the protection of the individual privacy rights and personally identifiable information (“Personal Data”) of our clients, applicants, employees, contractors, and third-party users of our websites and applications (“you,” “your”).
The controlling and processing of your Personal Data may be subject to the General Data Protection Regulation (“GDPR”) if you are a resident of the European Union. As defined therein, a “Controller” is a person or entity that determines the purposes and means of the processing of Personal Data, while a “Processor” merely stores, maintains, and processes data on behalf of a Controller, but does not decide which items of Personal Data are stored or how Personal Data is used. Depending upon the services provided by Lumina, Lumina may be considered to be a Controller or Processor in various circumstances.
The GDPR identifies two types of Personal Data: regular and “special categories” of Personal Data. Regular Personal Data includes a person’s name, address, email address, photo, IP address, location data, online behavior (cookies), and profiling and analytics data. Special categories of Personal Data include race, religion, political opinions, trade union membership, sexual orientation, health information, biometric data, and genetic data.
The GDPR expressly prohibits the processing of the above special categories of Personal Data without the explicit consent of the subject of the Personal Data, or, absent such consent, where processing is necessary in certain limited circumstances, including without limitation:
Lumina collects Personal Data, whether as a Controller or Processor, for a number of legitimate business reasons. The use of Personal Data collected will be limited to its express purpose as reflected by the scope of your express consent, except and unless Lumina has a compelling and legitimate interest to use the information absent your consent or otherwise to protect against security threats, or where disclosure is legally compelled. Generally, most Personal Data is retained only for as long as necessary for its intended purpose. Certain information must be kept to comply with legal obligations under local employment and tax laws. Notwithstanding the foregoing, Lumina may otherwise maintain and retain Personal Data in accordance with the procedures
Generally, Lumina communicates Personal Data when necessary to provide services to its customers or results to our clients. When we provide services to a client, we may transmit Personal Data back to that client through our secure web platforms and occasionally by phone, email, fax, or mail. In exceptional circumstances we may be asked to communicate personal information to law enforcement agencies, national security agencies, courts, or other public bodies in any jurisdiction where we are subject to the law, regardless of where personal information is stored. If we receive a production order, warrant, subpoena, or other enforceable demand, we will comply as required by law. If we receive a request to provide Personal Data voluntarily, we will consider your interests, our business interests, the interests of our clients, public safety implications, and our legal obligations prior to deciding whether to communicate Personal Data. In any case where the Personal Data in question was collected from or on behalf of a client, we will consult with the client before proceeding unless prohibited by law. We may proactively communicate Personal Data to law enforcement or other third parties if necessary to investigate or report a violation of the law or a contractual agreement, or if otherwise appropriate and permitted by law.
Where and when applicable, Personal Data may be disclosed to third parties for limited purposes such as to conduct screening or security services. We may also need to provide information about you to outside parties, such as government agencies. We may also share your Personal Data with our business contacts and vendors including without limitation payroll providers, data storage and delivery providers, data centers, cloud providers, applicant tracking systems, recruiting systems, human resources information systems, IT support services, background screening and consumer reporting companies, court runners, drug testing labs, translation agencies, credit bureaus, benefits providers, healthcare providers, and financial institutions.
While most of our work is done by our employees or authorized personnel who access Personal Data directly from our systems and whose activities are under our direct control, we use third-party service providers for certain specialized tasks. These tasks include storage of data, information technology support, and certain marketing activities.
Lumina complies with the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Data transferred from the EU and Switzerland to the United States (and Canada). Lumina has certified (or such certification is pending) to the Department of Commerce that it adheres to the Privacy Shield Principles. Lumina remains responsible for Personal Data that is communicated to third parties for processing.
Much of the Personal Data we collect comes directly from you, in which case you are in control of its accuracy. Our processes for collecting and transcribing Personal Data are automated to the greatest extent possible and are subject to rigorous quality controls. Information that is found to be inaccurate, either through our own audits or following your request for correction, is updated as reasonably practicable.
We will not reuse Personal Data for a new purpose other than the original one(s) for which it was collected, unless the new use is compatible with the original one, we have notified you of the new use and given you an opportunity to object to it, or the new use is permitted or required by law.
We do not use or maintain Personal Data for general research purposes, unless the Personal Data is anonymized and aggregated with the Personal Data of other data subjects.
In most cases, providing your information to us is voluntary. The list below explains how to make choices about the collection and use of your Personal Data for various purposes, and the consequences of your choice not to provide any Personal Data. Whenever our legitimate basis for collecting and using Personal Data is your consent, you can withdraw or modify your consent for future collection or use of your Personal Data at any time.
Figure 1: Choices about collection and use of Personal Data
| Purpose for collection | How to exercise choice | Consequences |
|---|---|---|
| Our own tracking on our web sites | Do not use our web sites. | You will not view our web content. |
| Third-party tracking on our web sites | Activate ad blocking functionality in your browser. | You will not receive advertising that is tailored to your interests and activities. |
| Screening | Do not fill out our form(s) or do not consent to our data collection. | You may be rejected for employment or other position for which our client was conducting the background check. |
| Sales and marketing | Ask us not to contact you or opt out of certain mailing lists. If you are unsure of how to do so, contact us. | You will not receive proactive sales and marketing communication from us, or those communications will be limited to those you have selected. |
| Employment with Lumina | Do not fill out our form(s) or do not consent to our data collection. | You may be ineligible for initial or continued employment by Lumina. |
In some cases, providing your Personal Data is mandatory. For example, this is the case when we are required by law to collect Personal Data from our workers (such as for tax or workers’ compensation purposes), when the collection is necessary to fulfill our contract with you (such as for payroll purposes), and when we have determined that the collection is in our legitimate interest and is done in accordance with your rights (such as for background screening).
To understand whether it is mandatory or optional to provide your Personal Data, and the consequences of choosing not to provide it, you may contact our Privacy Personnel at firstname.lastname@example.org.
Third-party cookies: the function of this type of cookie is to retain your interaction with a particular website for an entity that does not own that website. They are stored and sent between the third party’s server and your computer’s hard drive. These cookies are usually persistent cookies.
Our marketing websites use session cookies to track your use of the sites and persistent cookies to remember any preferences you select, such as your location. Our service platforms, which we use to collect information from you and our clients, do not use third-party cookies. They may use first-party session cookies to track your use of the sites and first-party persistent cookies to remember any preferences you select, such as your location.
The major browsers have attempted to implement the draft “Do Not Track” (“DNT”) standard of the World Wide Web Consortium in their latest releases. As this standard has not been finalized, our sites are not compatible with DNT and so do not recognize DNT settings.
Cookies may also be used to track usage and security of our secure platform. Information about your activity on our secure platforms is collected to ensure the integrity and security of our systems and data in our custody, and is used to audit system access and investigate suspicious activity. Collection of Personal Data for security purposes is done based on our legitimate interest and legal obligation to ensure Personal Data in our custody is protected. The following types of information, some of which may be Personal Data, are logged when you access our secure platforms:
Please consult your web browser’s ‘Help’ documentation or visit www.aboutcookies.org for more information about how to turn cookies on and off for your browser.
The following provisions apply to EU residents.
Purpose and effect
Your Personal Data
Personal Data will be processed lawfully, fairly, and transparently. Upon request, we will be clear and transparent about how your Personal Data is going to be processed, by whom, and why. Personal Data will be collected only for legitimate purposes, and it will be relevant and limited to that which is necessary. Provided that you communicate to us updated information, we will keep your Personal Data accurate and up to date. We will only store it for as long as is necessary, and we will ensure appropriate security, integrity, and confidentiality against unauthorized or accidental processing, loss, destruction, or damage.
In the event of any data breach, you will be notified without undue delay and in no event later than 72 hours after our discovery of the breach, including whether we believe there is any risk to your rights and freedoms, e.g., identity theft, personal safety. You may not be notified if the data breach is unlikely to result in any harm to you. In the event of a breach that we suspect may result in harm to you, you will be notified of: (1) a description of the data breach, including the numbers of data subjects affected and the categories of data affected; (2) the name and contact details of our privacy personnel; (3) the likely consequences of the data breach; and (4) any measures taken to remedy or mitigate the breach. We may be exempt from this enhanced notice requirement if the risk of harm is remote because the affected data are protected (e.g., through strong encryption), we have taken measures to protect against the harm (e.g., suspending affected accounts), or the notification requires disproportionate effort (in which case a public notice of the breach is required). We will keep records of all data breaches, including the facts and effect of the breach and remedial action taken. Credit card information is used solely for billing purposes, and is encrypted and transmitted securely for processing.
When we are operating as a Processor, we will have a written agreement with each Controller, in which we commit to: (1) only act on Personal Data in accordance with the instructions of the Controller or the requirements of EU law or the national laws of EU member states; (2) impose confidentiality obligations on all personnel who process Personal Data; (3) ensure the security of Personal Data; (4) not appoint a sub-processor without the prior written consent of the Controller; (5) implement measures to assist the Controller in complying with the rights of Personal Data subjects; (6) assist the Controller in obtaining approval from EU regulatory authorities; (7) at the Controller's election, either return or destroy the Personal Data at the end of the relationship; and (8) provide the Controller with information necessary to demonstrate compliance with the GDPR.
Your Personal Data remains your property at all times, subject to the permissive uses granted hereunder.
How we use your Personal Data
When we are operating as a Controller, any Personal Data submitted to us through our app, website, or by other means will be used for the purposes specified in this policy above, including without limitation the following:
If you submit Personal Data for publication on our website, we will publish and otherwise use that information in accordance with the license you grant to us.
We will not, without your express consent, supply your Personal Data to any third party (other than our Controller or Processor, as the case may be) for direct marketing.
Storage, Objection, Correction, Erasure, Information
Personal Data will be stored by us, our Processor or Controller. Personal Data will be stored in a manner that ensures appropriate security, integrity, and confidentiality against unauthorized or accidental processing, loss, destruction, or damage. We will take reasonable technical and organizational precautions to prevent the loss, misuse, or alteration of your Personal Data. We will store the Personal Data you provide on our secure (password and firewall-protected) servers. All electronic financial transactions entered into through our app or website will be protected by encryption. You acknowledge that the transmission of information over the internet is inherently insecure, and we cannot guarantee the security of data sent over the internet. You are responsible for keeping the password you use for accessing our app, services, or website confidential; we will not ask you for your password except when you log in to our website.
Personal Data will be stored in a format that allows for easy portability. Portability means your Personal Data will be stored in a manner that allows you to obtain and reuse your Personal Data for your own purpose by transferring it to a different environment. Upon your written request, you will be provided with the ability to access your Personal Data to verify its accuracy, download it in an easily-portable format, or obtain a copy of it. Personal Data that we process for any purpose shall not be kept for longer than is necessary for that purpose.
You have the right to object in writing to the processing of your Personal Data. If we receive your written objection, your Personal Data will not be processed, unless we demonstrate compelling and legitimate grounds for the processing that override your interests, rights, and freedoms, or we require the data to establish, exercise, or defend legal rights. You further have the right to object to the processing of your Personal Data for the purpose of direct marketing, including profiling. Where Personal Data are processed for scientific and historical research purposes or statistical purposes, you have the right to object, unless the processing is necessary for the performance of a task carried out for reasons of public interest. If you object to the processing of your Personal Data, you agree to the termination of the Services in the event that we determine, in our sole discretion, that we are unable to perform the Services due to your objection to the processing of your Personal Data. This objection right is given free of charge, although we may charge a reasonable fee for repetitive requests or manifestly unfounded or excessive requests for additional copies of information you request. You also have the right to object and prevent any decision that could have a legal or similarly significant effect on you from being made solely based on automated processes. This right is limited, however, if the decision is necessary for performance of any contract between you and us, is allowed by applicable EU law, or is based on your explicit consent.
Upon termination of the Services for any reason, and upon your written request, your Personal Data may be erased, or we may elect to have it anonymized. Additionally, you have the right at any time to demand that inaccurate or incomplete Personal Data are erased or rectified. You have the right of erasure if:
You have the right to obtain the following information:
Upon your request for any of the above-referenced information, we will, within one month of receiving your written request, provide such requested information. In the event we fail to meet this deadline, you may complain to the governing Data Protection Authority in the EU and may seek a judicial remedy. In the event we receive a large number of requests, or complex requests, the time limit may be extended by a maximum of two additional months. You also have the right to bring a claim directly against the Processor (if not Lumina), although the Processor is liable for the damage caused by its processing activities only where it has: (1) not complied with obligations under the GDPR that are specifically directed to Processors; or (2) acted outside or contrary to lawful instructions of the Controller.
We will not refuse to give effect to your rights unless we cannot identify you through the use of reasonable efforts to verify your identity. Where we have reasonable doubts as to your identity, we may request the provision of additional information to confirm your identity.
You may restrict processing of your Personal Data, meaning the Personal Data may only be held by us, and may only be used for limited purposes, if the accuracy of your Personal Data is contested (and only for as long as it takes to verify accuracy), the processing is unlawful and you request restriction (as opposed to exercising the right to erasure), we no longer need the Personal Data for their original purpose but the Personal Data are still required by us to defend legal rights, or verification of overriding grounds is pending in the context of an erasure request.
Disclosing your Personal Data
We may disclose your Personal Data to any of our employees, officers, insurers, professional advisers, agents, suppliers, subcontractors, and subsidiaries as reasonably necessary for the purposes set out in this Policy. We may disclose your Personal Data:
Except as provided in this Policy, we will not provide your Personal Data to third parties.
International data transfers
Personal Data that we collect may be stored, processed in, and transferred between any of the countries in which we operate in order to enable us to use the information in accordance with this policy. Personal Data that we collect may be transferred to countries, including the United States, which do not have data protection laws equivalent to those in force in the European Economic Area. Personal Data transferred to the United States will comply with the Privacy Shield. Personal Data that you publish on our website or submit for publication on our website may be available, via the internet, around the world. We cannot prevent the use or misuse of such information by others. You expressly agree to the transfers of Personal Data described in this Section.
This policy incorporates all of the above with respect to GDPR compliance, and further applies to personal data from the European Union and from Switzerland that is collected, used, and retained in the United States.
Lumina is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC) with regard to the Privacy Shield Frameworks.
Lumina has further committed to refer unresolved privacy complaints under the EU-US and Swiss-US Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD, operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://www.bbb.org/EU-privacy-shield/for-eu-consumers for more information and to file a complaint.
Please note that if your complaint is not resolved through these channels, under limited circumstances, a binding arbitration option may be available before a Privacy Shield Panel.
This Site is operated in the United States. If you are located in the European Union or elsewhere outside of the United States, please be aware that any information you provide to us will be transferred to the United States. By using our site or app, participating in any of our Services, or providing us with your information, you consent to this transfer.
IN ACCORDANCE WITH THE ABOVE STATEMENT, YOU HEREBY ACKNOWLEDGE, UNDERSTAND, AND AGREE THAT, BY CLICKING THE “I AGREE” BUTTON, WHEN PRESENTED, YOU EXPRESSLY CONSENT TO THE USE OF YOUR PERSONAL DATA IN THE MANNER SET FORTH HEREIN.
Consent may be withdrawn at any time by written notice to our privacy personnel at: email@example.com.