Effective Date: March 8, 2019
PRIVACY MISSION STATEMENT
Lumina Analytics, LLC (“Lumina,” “we,” “us”), is committed to the protection of the individual privacy rights and personally identifiable information (“Personal Data”) of our clients, applicants, employees, contractors, and third party users (“you,” “your”) of our products, websites, software, services and applications (“Services” or “Products”).
SCOPE OF POLICY
INFORMATION LUMINA COLLECTS AND HOW IT IS USED
Lumina aggregates publicly available information from the Internet, such as websites, social media, blogs, news sources and anything else available publicly on the Internet (“Public Information”). This Public Information may be made available to users and customers through Lumina’s products and services. Lumina does not verify and cannot guarantee the accuracy of this Public Information.
The Personal Data we collect from Public Information will depend on the scope of the services ordered by our client. The majority of our Products only collect and process the names of individuals and entities that clients provide us. Lumina does not verify the identity of individuals or the accuracy of the information provided through our Products. Sometimes, we may collect numerous elements of Personal Data, including without limitation photographs, addresses, and other information publicly available. We may be asked by our clients to verify your identity, or we may be required to do so to complete our services. If so, we may collect ID cards or other documents from you or our client. We may request your sex or gender to verify your identity. Some clients wish to review sex offender registry data or other criminal records as part of their security program, so we may locate you there if you are listed. We may need to verify your identity based on your educational history. Some clients wish to check for presence on government watch or sanctions lists. Some clients wish to review litigation history in civil court. Some services require a place of birth to complete. Some clients wish to search various other public record sources for information. We may occasionally seek your feedback about your interactions with us to improve the quality of our service.
Personal Data may be used by our clients for security and/or screening before and during employment, in furtherance of volunteer or contractual relationships, in furtherance of security policies and procedures, security clearances, and to conduct due diligence research for investments, acquisitions, directorships, and other business relationships.
To request that your Personal Data we obtained from Public Information be removed from Lumina’s databases and products, please email us at firstname.lastname@example.org. We cannot guarantee that such information will be removed.
Information You Provide.
We collect information that you voluntarily provide to us while using our Services, such as when you register an account, make a purchase of one of our products or services, respond to customer surveys, communicate with our customer service team, or apply for a job.
Lumina S4 (See Something Say Something).
HOW INFORMATION LUMINA COLLECTS IS SHARED OR COMMUNICATED
Generally, Lumina communicates Personal Data when necessary to provide Services to our customers, or for security and safety reasons. When we provide Services to a client, we may transmit Personal Data back to that client through our secure web platforms and occasionally by phone, email, fax, or mail. In some circumstances we may communicate Personal Data to law enforcement agencies, schools, national security agencies, courts, or other public bodies in any jurisdiction where we are subject to the law, regardless of where personal information is stored. If we receive a production order, warrant, subpoena, or other enforceable demand, we will comply as required by law. If we receive a request to provide Personal Data voluntarily, we will consider your interests, our business interests, the interests of our clients, public safety implications, and our legal obligations prior to deciding whether to communicate Personal Data. In any case where the Personal Data in question was collected from or on behalf of a client, we will consult with the client before proceeding unless prohibited by law. We may proactively communicate Personal Data to law enforcement or other third parties with jurisdiction if necessary to investigate or report a violation of the law or a contractual agreement, for safety reasons, or if otherwise appropriate and permitted by law.
Where and when applicable, Personal Data may be disclosed to third parties for limited purposes such as to conduct security services. We may also need to provide information about you to outside parties, such as government agencies. We may also share your Personal Data with our business contacts and vendors including without limitation payroll providers, data storage and delivery providers, data centers, cloud providers, applicant tracking systems, recruiting systems, human resources information systems, IT support services, background screening and consumer reporting companies, court runners, drug testing labs, translation agencies, credit bureaus, benefits providers, healthcare providers, and financial institutions.
While most of our work is done by our employees or authorized personnel who access Personal Data directly from our systems and whose activities are under our direct control, we use third-party service providers for certain specialized tasks. These tasks include storage of data, information technology support, and certain marketing activities.
Usage of IP Addresses
Some Lumina products and services collect and use IP addresses to help clients and users detect and prevent risks and threats that could potentially be life threatening. Lumina does not collect additional personally identifying information associated with the IP Addresses it collects.
TRANSFER OF PERSONAL DATA BETWEEN COUNTRIES
THE EU-US & SWISS-US PRIVACY SHIELD FRAMEWORK
Lumina complies with the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Data transferred from the EU and Switzerland to the United States (and Canada). Lumina has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. Lumina remains responsible for Personal Data that is communicated to third parties for processing.
ACCURACY OF PERSONAL DATA
Much of the Personal Data we collect comes directly from you, in which case you are in control of its accuracy. Information that is found to be inaccurate, either through our own audits or following your request for correction, is updated as reasonably practicable.
REUSE OF PERSONAL DATA
We will not reuse Personal Data for a new purpose other than the original one(s) for which it was collected, unless the new use is compatible with the original one, we have notified you of the new use and given you an opportunity to object to it, or the new use is permitted or required by law.
CHOOSING HOW AND WHETHER WE CAN USE YOUR PERSONAL DATA
In most cases, providing your information to us is voluntary. The list below explains how to make choices about the collection and use of your Personal Data for various purposes, and the consequences of your choice not to provide any Personal Data. Whenever our legitimate basis for collecting and using Personal Data is your consent, you can withdraw or modify your consent for future collection or use of your Personal Data at any time.
Figure 1: Choices about collection and use of Personal Data you or our clients provide
|Purpose for collection|How to exercise choice|Consequences|
|---|---|---|
|Our own tracking on our web sites|Do not use our web sites.|You will not view our web content.|
|Third-party tracking on our web sites|Activate ad blocking functionality in your browser.|You will not receive advertising that is tailored to your interests and activities.|
|Security and safety reasons|Do not fill out our client’s form(s), our forms, and/or do not use our services or applications.|You may not be able to use our services, or you may not be eligible for certain transactions with our clients.|
|Sales and marketing|Ask us not to contact you or opt out of certain mailing lists. If you are unsure of how to do so, contact us.|You will not receive proactive sales and marketing communication from us, or those communications will be limited to those you have selected.|
|Employment with Lumina|Do not fill out our form(s) or do not consent to our data collection.|You may be ineligible for initial or continued employment by Lumina.|
In some cases, providing your Personal Data is mandatory. For example, this is the case when we are required by law to collect Personal Data from our workers (such as for tax or workers’ compensation purposes), when the collection is necessary to fulfill our contract with you (such as for payroll purposes), and when we have determined that the collection is in our or our legitimate interest, and is done in accordance with your rights.
In other cases, we collect and process your Personal Data from Public Information and we provide that to clients or third parties for legitimate, vital and public safety reasons. If you believe that information we have from Public Information is inaccurate, please contact us at email@example.com.
As discussed previously, Lumina may share information we have about you in our databases with our customers and third parties (including but not limited to Personal Data and IP geolocation data). If you want to opt-out of Lumina sharing your database information with our customers and third parties, please send your request to firstname.lastname@example.org or to the address set forth in the Notice section herein. This opt-out has several important qualifications:
(a) You will only be able to opt-out to the extent that we can identify information we have about you. It is possible that even after you opt-out our databases will contain some residual information about you.
(b) Lumina will cease sharing your information in any databases created after your opt-out date. Our customers may continue to have access to legacy database information.
(c) Even if you do opt-out of having us share the information we have about you in our databases, Lumina must continue to gather, retain, use, and share such information for security and public safety purposes or contractual purposes with clients.
Data subjects in Europe have additional rights as set forth in the section entitled "GDPR" below.
Third-party cookies: the function of this type of cookie is to retain your interaction with a particular website for an entity that does not own that website. They are stored and sent between the third party’s server and your computer’s hard drive. These cookies are usually persistent cookies.
Our marketing websites use session cookies to track your use of the sites and persistent cookies to remember any preferences you select, such as your location. Our service platforms, which we use to collect information from you and our clients, do not use third-party cookies. They may use first-party session cookies to track your use of the sites and first-party persistent cookies to remember any preferences you select, such as your location.
The major browsers have attempted to implement the draft “Do Not Track” (“DNT”) standard of the World Wide Web Consortium in their latest releases. As this standard has not been finalized, our sites are not compatible with DNT and so do not recognize DNT settings.
Cookies may also be used to track usage and security of our secure platform. Information about your activity on our secure platforms is collected to ensure the integrity and security of our systems and data in our custody, and is used to audit system access and investigate suspicious activity. Collection of Personal Data for security purposes is done based on our legitimate interest and legal obligation to ensure Personal Data in our custody is protected. The following types of information, some of which may be Personal Data, are logged when you access our secure platforms:
Please consult your web browser’s ‘Help’ documentation or visit www.aboutcookies.org for more information about how to turn cookies on and off for your browser.
Lumina is directed to people who are at least 13 years old, and Lumina does not knowingly collect Personal Information from anyone under the age of 13. If you are aware that Lumina has collected Personal Information from someone under the age of 13, please alert Lumina at Privacy@luminaanalytics.com and the information will be removed from our system as soon as is reasonably possible.
Lumina does not knowingly aggregate or provide Public Information about people under the age of 13. Some of Lumina’s technology and services may collect, process, and communicate to third parties Public Information about children between the ages of 13 and 18 because this Public Information originates from third-party social networking sites and websites that permit children who are 13 years and older to create public profiles. To remove any Lumina results, including a result that contains information about a person under the age of 13, contact us at Privacy@luminaanalytics.com.
PRIVACY SHIELD COMPLIANCE
International data transfers
Personal Data that we collect may be stored, processed in, and transferred between any of the countries in which we operate in order to enable us to use the information in accordance with this policy. Personal Data that we collect may be transferred to countries, including the United States, which do not have data protection laws equivalent to those in force in the European Economic Area. Personal Data transferred to the United States will comply with the Privacy Shield. Personal Data that you publish on our website or submit for publication on our website may be available, via the internet, around the world. We cannot prevent the use or misuse of such information by others. You expressly agree to the transfers of Personal Data described in this Section.
EU-US and Swiss-US Privacy Shield Framework
This policy applies to personal data from the European Union and from Switzerland that is collected, used, and retained in the United States.
Lumina is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC) with regard to the Privacy Shield Frameworks.
Lumina Analytics, LLC
501 E. Kennedy Blvd, Ste 801
Tampa, FL, 33611
Lumina has further committed to refer unresolved privacy complaints under the EU-US and Swiss-US Privacy Shield Principles to an independent dispute resolution mechanism, the European Union (EU) Data Protection Authorities, operated by the United States Council for International Business (USCIB). The USCIB is the American affiliate of the International Chamber of Commerce, the Business and Industry Advisory Committee to the OECD, and the International Organization of Employers, and has agreed to act as a trusted third party on behalf of the EU Data Protection Authorities. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://www.uscib.org/privacy-shield/ for more information and to file a complaint. The services of USCIB are provided at no cost to you.
Please note that if your complaint is not resolved through these channels, under limited circumstances, a binding arbitration option may be available before a Privacy Shield Panel.
This Site is operated in the United States. If you are located in the European Union or elsewhere outside of the United States, please be aware that any information you provide to us will be transferred to the United States. By using our site or app, participating in any of our Services, or providing us with your information, you consent to this transfer.
Lumina’s wholly owned Subsidiaries, Lumina Employment Corp. and Lumina WE ApS, also adhere to the Privacy Shield Principles.
Lumina may disclose Personal Data without offering an opportunity to opt out (1) to service providers Lumina has retained to perform services on its behalf; (2) if it is required to do so by law or legal process; (3) to law enforcement or other government authorities; (4) when Lumina believes disclosure is necessary to prevent physical harm or financial loss; or (5) in connection with an investigation of suspected or actual illegal activity. Lumina also reserves the right to transfer Personal Data in the event it sells or transfers all or a portion of its business or assets (including in the event of a reorganization, dissolution, or liquidation). Should such a sale or transfer occur, Lumina will use reasonable efforts to direct the transferee to use the Personal Data in a manner that is consistent with Lumina privacy policies.
Onward Transfer Accountability
The following provisions apply to European Union (EU) residents. We are based in the U.S. and the information we collect is governed by U.S. law. We do not knowingly collect or process Personal Data of EU residents.
Purpose and effect
CONTROLLING AND PROCESSING DATA
The controlling and processing of your Personal Data may be subject to the General Data Protection Regulation (“GDPR”) if you are a resident of the European Union. As defined therein, a “Controller” is a person or entity that determines the purposes and means of the processing of Personal Data, while a “Processor” merely stores, maintains, and processes data on behalf of a Controller, but does not decide which items of Personal Data are stored or how Personal Data is used. Depending upon the services provided by Lumina, Lumina may be considered to be a Controller or Processor in various circumstances.
TYPES OF PERSONAL DATA
The GDPR identifies two types of Personal Data: regular and “special categories” of Personal Data. Regular Personal Data includes a person’s name, address, email address, photo, IP address, location data, online behavior (cookies), and profiling and analytics data. Special categories of Personal Data include race, religion, political opinions, trade union membership, sexual orientation, health information, biometric data, and genetic data.
The GDPR expressly prohibits the processing of the above special categories of Personal Data without the explicit consent of the subject of the Personal Data, or, absent such consent, where processing is necessary in certain limited circumstances, including without limitation:
COLLECTION OF PERSONAL DATA
Lumina collects Personal Data, whether as a Controller or Processor, for a number of legitimate business reasons. When we collect Personal Data for our safety and security Services, our client is the Controller under the GDPR and is responsible for determining which Personal Data we collect and how we use it, establishing a legitimate basis to collect and process Personal Data, ensuring that the collection and processing complies with applicable law, ensuring that you are notified of the collection and processing of your Personal Data, and that you have consented thereto, in accordance with applicable law, and complying with any legal obligations it may have as the Controller.
Lumina has a compelling and legitimate interest to use the information absent your consent or otherwise to protect against security threats, other exemptions, or where disclosure is legally compelled. Generally, most Personal Data is retained only for as long as necessary for its intended purpose. Certain information must be kept to comply with legal obligations under local employment and tax laws. Notwithstanding the foregoing, Lumina may otherwise maintain and retain Personal Data in accordance with the procedures outlined below.
Lumina relies upon the following lawful grounds to collect and use your Personal Data:
Your Personal Data
Personal Data will be processed lawfully, fairly, and transparently. Upon request, we will be clear and transparent about how your Personal Data is going to be processed, by whom, and why. Personal Data will be collected only for legitimate purposes, and it will be relevant and limited to that which is necessary. Provided that you communicate to us updated information, we will keep your Personal Data accurate and up to date. We will only store it for as long as is necessary, and we will ensure appropriate security, integrity, and confidentiality against unauthorized or accidental processing, loss, destruction, or damage.
In the event of any data breach, you will be notified without undue delay and, in no event, later than 72 hours of our discovery of the breach, including whether we believe there is any risk to your rights and freedoms, e.g., identity theft, personal safety. You may not be notified if the data breach is unlikely to result in any harm to you. In the event of a breach that we suspect may result in harm to you, you will be notified of: (1) a description of the data breach, including the numbers of data subjects affected and the categories of data affected; (2) the name and contact details of our privacy personnel; (3) the likely consequences of the data breach; and (4) any measures taken to remedy or mitigate the breach. We may be exempt from this enhanced notice requirement if the risk of harm is remote because the affected data are protected (e.g., through strong encryption), we have taken measures to protect against the harm (e.g., suspending affected accounts), or the notification requires disproportionate effort (in which case a public notice of the breach is required). We will keep records of all data breaches, including the facts and effect of the breach and remedial action taken. Credit card information is used solely for billing purposes, and is encrypted and transmitted securely for processing.
When we are operating as a Processor, we will have a written agreement with each Controller, in which we commit to: (1) only act on Personal Data in accordance with the instructions of the Controller or the requirements of EU law or the national laws of EU member states; (2) impose confidentiality obligations on all personnel who process Personal Data; (3) ensure the security of Personal Data; (4) not appoint a sub-processor without the prior written consent of the Controller; (5) implement measures to assist the Controller in complying with the rights of Personal Data subjects; (6) assist the Controller in obtaining approval from EU regulatory authorities; (7) at the Controller's election, either return or destroy the Personal Data at the end of the relationship; and (8) provide the Controller with information necessary to demonstrate compliance with the GDPR.
Your Personal Data remains your property at all times, subject to the permissive uses granted hereunder.
How we use your Personal Data
When we are operating as a Controller, any Personal Data submitted to us through our app, website, or by other means will be used for the purposes specified in this policy above, including without limitation the following:
If you submit Personal Data for publication on our website, we will publish and otherwise use that information in accordance with the license you grant to us.
We will not, without your express consent, supply your Personal Data to any third party (other than our Controller or Processor, as the case may be) for direct marketing.
Storage, Objection, Correction, Erasure, Information
Personal Data will be stored by us, our Processor or Controller. Personal Data will be stored in a manner that ensures appropriate security, integrity, and confidentiality against unauthorized or accidental processing, loss, destruction, or damage. We will take reasonable technical and organizational precautions to prevent the loss, misuse, or alteration of your Personal Data. We will store the Personal Data you provide on our secure (password and firewall-protected) servers. All electronic financial transactions entered into through our app or website will be protected by encryption. You acknowledge that the transmission of information over the internet is inherently insecure, and we cannot guarantee the security of data sent over the internet. You are responsible for keeping the password you use for accessing our app, services, or website confidential; we will not ask you for your password except when you log in to our website.
Personal Data will be stored in a format that allows for easy portability. Portability means your Personal Data will be stored in a manner that allows you to obtain and reuse your Personal Data for your own purpose by transferring it to a different environment. Upon your written request, you will be provided with the ability to access your Personal Data to verify its accuracy, download it in an easily-portable format, or obtain a copy of it. Personal Data that we process for any purpose shall not be kept for longer than is necessary for that purpose.
You have the right to object in writing to the processing of your Personal Data. If we receive your written objection, your Personal Data will not be processed, unless we demonstrate compelling and legitimate grounds for the processing that override your interests, rights, and freedoms, or we require the data to establish, exercise, or defend legal rights. You further have the right to object to the processing of your Personal Data for the purpose of direct marketing, including profiling. Where Personal Data are processed for scientific and historical research purposes or statistical purposes, you have the right to object, unless the processing is necessary for the performance of a task carried out for reasons of public interest. If you object to the processing of your Personal Data, you agree to the termination of the Services in the event that we determine, in our sole discretion, that we are unable to perform the Services due to your objection to the processing of your Personal Data. This objection right is given free of charge, although we may charge a reasonable fee for repetitive requests or manifestly unfounded or excessive requests for additional copies of information you request. You also have the right to object and prevent any decision that could have a legal or similarly significant effect on you from being made solely based on automated processes. This right is limited, however, if the decision is necessary for performance of any contract between you and us, is allowed by applicable EU law, or is based on your explicit consent.
Upon termination of the Services for any reason, and upon your written request, your Personal Data may be erased. Or we may elect to have it anonymized. Additionally, you have the right at any time to demand that inaccurate or incomplete Personal Data are erased or rectified. You have the right of erasure if:
You have the right to obtain the following information:
Upon your request for any of the above-referenced information, we will, within one month of receiving your written request, provide such requested information. In the event we fail to meet this deadline, you may complain to the governing Data Protection Authority in the EU and may seek a judicial remedy. In the event we receive a large number of requests, or complex requests, the time limit may be extended by a maximum of two additional months. You also have the right to bring a claim directly against the Processor (if not Lumina), although the Processor is liable for the damage caused by its processing activities only where it has: (1) not complied with obligations under the GDPR that are specifically directed to Processors; or (2) acted outside or contrary to lawful instructions of the Controller.
We will not refuse to give effect to your rights unless we cannot identify you through the use of reasonable efforts to verify your identity. Where we have reasonable doubts as to your identity, we may request the provision of additional information to confirm your identity.
You may restrict processing of your Personal Data, meaning the Personal Data may only be held by us, and may only be used for limited purposes, if the accuracy of your Personal Data is contested (and only for as long as it takes to verify accuracy), the processing is unlawful and you request restriction (as opposed to exercising the right to erasure), we no longer need the Personal Data for their original purpose but the Personal Data are still required by us to defend legal rights, or verification of overriding grounds is pending in the context of an erasure request.
Disclosing your Personal Data
We may disclose your Personal Data to any of our employees, officers, insurers, professional advisers, agents, suppliers, subcontractors, clients and subsidiaries as reasonably necessary for the purposes set out in this Policy. We may disclose your Personal Data:
Except as provided in this Policy, we will not provide your Personal Data to third parties.
IN ACCORDANCE WITH THE ABOVE STATEMENT, YOU HEREBY ACKNOWLEDGE, UNDERSTAND, AND AGREE THAT, BY CLICKING THE “I AGREE” BUTTON, WHEN PRESENTED, YOU EXPRESSLY CONSENT TO THE USE OF YOUR PERSONAL DATA IN THE MANNER SET FORTH HEREIN.
Consent may be withdrawn at any time by written notice to our privacy personnel at: email@example.com.