GDPR Policy
Last updated: July 2026
This policy sets out how CareerLumi complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. It explains our responsibilities as a data controller, the principles we uphold when processing personal data, and the rights available to you as a data subject.
For a full description of what personal data we collect, why we collect it, and who we share it with, please refer to our Privacy Policy.
Table of Contents
- Purpose
- Scope
- Data Controller
- The Six Data Protection Principles
- Legal Bases for Processing
- Special Category Data
- Your Rights as a Data Subject
- Subject Access Requests
- International Data Transfers
- Data Security
- Data Breach Notification
- Privacy by Design
- Third-Party Processors
- Updates to This Policy
- Contact and Complaints
1. Purpose
CareerLumi is committed to processing personal data in a lawful, fair, and transparent manner. This policy documents our approach to data protection compliance and forms part of our layered framework of privacy documentation, which also includes our Privacy Policy and Terms of Service. It is intended to provide clarity to data subjects, regulators, and third-party processors about how we meet our obligations under UK GDPR.
2. Scope
This policy applies to all personal data processed by CareerLumi in connection with the operation of our platform and website, including data relating to:
- Members (career explorers) who register and use our coaching services
- Coaches (independent contractors) who join and operate on our platform
- Website visitors and prospective users
- Anyone who contacts us directly
It applies regardless of where in the world the processing takes place. Third-party processors engaged by CareerLumi are required to comply with applicable data protection legislation and provide adequate assurances of their compliance before being granted access to personal data.
3. Data Controller
CareerLumi (trading name) is the data controller in respect of all personal data processed through our platform and website. As data controller, we determine the purposes and means by which personal data is collected and used.
We are accountable for demonstrating compliance with UK GDPR and can be contacted at:
- Email: [email protected]
- Address: CareerLumi, England, UK
4. The Six Data Protection Principles
All personal data processed by CareerLumi must comply with the six principles set out in UK GDPR. We are accountable for demonstrating compliance with each of these principles at all times.
- Lawfulness, fairness, and transparency - Personal data must be processed on a valid legal basis, in a manner that is fair to the data subject, and in a way that is transparent. We achieve this through our privacy notices and this policy.
- Purpose limitation - Personal data must be collected for specified, explicit, and legitimate purposes and must not be processed in a manner that is incompatible with those purposes. Where the purpose changes, data subjects will be informed.
- Data minimisation - Personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed. We do not collect data beyond what is needed to provide our services.
- Accuracy - Personal data must be accurate and, where necessary, kept up to date. We take reasonable steps to ensure inaccurate data is rectified or erased without delay, and we encourage users to keep their profile information current.
- Storage limitation - Personal data must not be kept in a form that permits identification of data subjects for longer than is necessary for the purposes for which it is processed. Our retention periods are set out in our Privacy Policy, Section 12.
- Integrity and confidentiality - Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical and organisational measures.
5. Legal Bases for Processing
Processing personal data is prohibited under UK GDPR unless at least one of the following legal bases applies. CareerLumi relies on the following bases when processing personal data:
- Consent - the data subject has given clear, explicit consent for one or more specific purposes and may withdraw consent at any time without detriment
- Contract - processing is necessary to enter into or perform a contract with the data subject (e.g. to facilitate a coaching session booking or deliver a digital product)
- Legal obligation - processing is necessary to comply with a legal obligation we are subject to under UK law (e.g. financial record-keeping)
- Vital interests - processing is necessary to protect the vital interests of the data subject or another person in circumstances where consent cannot be obtained
- Legitimate interests - processing is necessary for our legitimate business interests (or those of a third party), provided those interests are not overridden by the rights and freedoms of the data subject. Examples include platform security, fraud prevention, and coach identity verification.
For the specific legal bases we rely on in practice, please refer to our Privacy Policy, Section 5.
6. Special Category Data
Special category data (including data relating to racial or ethnic origin, health, religion, political opinion, sexual orientation, or biometric data) is afforded stricter protections under UK GDPR. CareerLumi does not intentionally collect special category data through our platform.
If special category data is processed, it will only be done so where at least one of the following additional conditions is satisfied:
- Explicit consent has been given by the data subject for one or more specified purposes
- Processing is necessary to carry out obligations or exercise rights under employment or social protection law, with appropriate safeguards in place
- Processing is necessary to protect the vital interests of the data subject or another person where the subject is physically or legally incapable of giving consent
- The data subject has manifestly made the data public
- Processing is necessary for the establishment, exercise, or defence of legal claims
- Processing is necessary for reasons of substantial public interest in accordance with data protection legislation
If you believe you have disclosed special category data to us, please contact us at [email protected] so we can ensure it is handled appropriately.
7. Your Rights as a Data Subject
Under UK GDPR, you have the following rights in relation to your personal data:
- Right to be informed - to receive clear, concise information about how your personal data is collected and used, provided through our Privacy Policy and this policy
- Right of access - to request a copy of the personal data we hold about you (see Subject Access Requests below)
- Right to rectification - to request correction of inaccurate or incomplete personal data we hold about you
- Right to erasure - to request deletion of your personal data where there is no longer a legitimate reason for us to continue processing it ("right to be forgotten"), subject to any legal retention obligations
- Right to restriction of processing - to request that we limit how we process your data in certain circumstances, for example while a dispute about accuracy is resolved
- Right to data portability - to receive personal data you have provided to us in a structured, commonly used, machine-readable format, and to have it transferred to another controller where technically feasible
- Right to object - to object to processing carried out on the basis of legitimate interests or for direct marketing purposes; in the case of direct marketing, we will cease processing immediately upon receipt of an objection
- Rights related to automated decision-making - to not be subject to a decision based solely on automated processing (including profiling) that produces legal or similarly significant effects, without the opportunity for human review
To exercise any of these rights, please contact us at [email protected]. We will respond within one calendar month. Where a request is particularly complex or numerous, we may extend this by a further two months and will notify you within the first month of the reason for the extension.
We may take reasonable steps to verify your identity before processing any request.
8. Subject Access Requests
You have the right to request a copy of the personal data we hold about you. To submit a Subject Access Request (SAR), please email [email protected] with the following:
- Your full name and email address associated with your account
- A description of the information you are seeking
We will acknowledge your request on receipt and aim to comply within one calendar month. We will not charge a fee for a SAR unless the request is manifestly unfounded or excessive, in which case a reasonable administrative fee may apply or we may refuse to comply, providing our reasons in writing.
Upon providing the requested information, we will also remind you of your rights to rectification, erasure, and restriction of processing where applicable.
9. International Data Transfers
Some of our third-party service providers operate outside the UK or European Economic Area (EEA). Where personal data is transferred internationally, we ensure appropriate safeguards are in place, which may include:
- Transfers to countries with an adequacy decision issued by the UK Secretary of State or the EU Commission
- Standard Contractual Clauses (SCCs) or the UK International Data Transfer Agreement (IDTA), as appropriate
- Explicit consent of the data subject, where the data subject has been clearly informed of the potential risks of the transfer in the absence of an adequacy decision or appropriate safeguards
We will always ensure that an equivalent level of protection is maintained for any data transferred internationally. Where required, we will inform data subjects of the reason for the transfer and their associated rights.
10. Data Security
CareerLumi implements appropriate technical and organisational measures to ensure the security of personal data, protecting it against:
- Unauthorised or unlawful access or processing
- Accidental loss, destruction, or damage
- Disclosure to unauthorised parties
Security measures include, but are not limited to:
- Encrypted data transmission (HTTPS/TLS)
- Access controls and authentication requirements
- Regular review of security practices and third-party processor compliance
- Stripe-managed payment security and identity verification (PCI-DSS compliant)
All third-party processors engaged by CareerLumi are required to implement equivalent security standards and to notify us immediately of any incident that may affect the personal data they hold on our behalf.
Despite our best efforts, no method of electronic transmission is entirely secure. You are responsible for keeping your account credentials confidential and for notifying us immediately of any suspected unauthorised access.
11. Data Breach Notification
In the event of a personal data breach, CareerLumi will act promptly in accordance with our obligations under UK GDPR:
- Where a breach is likely to result in a risk to the rights and freedoms of data subjects, we will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach
- Where a breach is likely to result in a high risk to the rights and freedoms of data subjects, we will notify the affected individuals without undue delay
- All breaches, including those not meeting the threshold for mandatory notification, will be recorded internally
If you become aware of or suspect a data breach involving CareerLumi data, please report it immediately to [email protected].
12. Privacy by Design
CareerLumi embeds data protection into the design of our platform, processes, and third-party integrations from the outset. Our privacy by design approach means we:
- Collect only data that is strictly necessary for specified purposes (data minimisation)
- Apply security measures at the point of building any new feature or integration, not as an afterthought
- Design systems that allow data subjects to exercise their rights efficiently
- Use pseudonymisation or anonymisation where appropriate to reduce privacy risks
- Review our data practices regularly to reflect changes in legislation, guidance from the ICO, and developments in technology
13. Third-Party Processors
Where CareerLumi engages third-party processors to handle personal data on our behalf, we ensure that:
- A data processing agreement (DPA) is in place that obligates the processor to comply with UK GDPR
- The processor implements appropriate technical and organisational security measures
- The processor does not engage further sub-processors without our prior written consent
- The processor notifies us immediately of any personal data breach or incident affecting the data they hold on our behalf
Our key third-party processors include Stripe (payments, escrow, and coach identity verification via Stripe Identity), Shopify (digital products), Google (Analytics and Forms), and providers of email marketing, video calling, and AI tools. Please refer to our Privacy Policy, Section 6, for a complete overview.
14. Updates to This Policy
This policy is reviewed and updated periodically to reflect changes in our data practices, applicable legislation, or ICO guidance. The "last updated" date at the top of this page reflects the most recent revision. Where changes are material, we will make reasonable efforts to notify affected data subjects.
15. Contact and Complaints
If you have any questions about this policy, or concerns about how we handle your personal data, please contact us:
- Email: [email protected]
- Address: CareerLumi, England, UK
We will always try to address your concern directly and promptly. However, if you remain dissatisfied, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Helpline: 0303 123 1113
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF