Back to home

GDPR Policy

Last updated: July 2026

This policy sets out how CareerLumi complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. It explains our responsibilities as a data controller, the principles we uphold when processing personal data, and the rights available to you as a data subject.

For a full description of what personal data we collect, why we collect it, and who we share it with, please refer to our Privacy Policy.

Table of Contents

  1. Purpose
  2. Scope
  3. Data Controller
  4. The Six Data Protection Principles
  5. Legal Bases for Processing
  6. Special Category Data
  7. Your Rights as a Data Subject
  8. Subject Access Requests
  9. International Data Transfers
  10. Data Security
  11. Data Breach Notification
  12. Privacy by Design
  13. Third-Party Processors
  14. Updates to This Policy
  15. Contact and Complaints

1. Purpose

CareerLumi is committed to processing personal data in a lawful, fair, and transparent manner. This policy documents our approach to data protection compliance and forms part of our layered framework of privacy documentation, which also includes our Privacy Policy and Terms of Service. It is intended to provide clarity to data subjects, regulators, and third-party processors about how we meet our obligations under UK GDPR.

2. Scope

This policy applies to all personal data processed by CareerLumi in connection with the operation of our platform and website, including data relating to:

It applies regardless of where in the world the processing takes place. Third-party processors engaged by CareerLumi are required to comply with applicable data protection legislation and provide adequate assurances of their compliance before being granted access to personal data.

3. Data Controller

CareerLumi (trading name) is the data controller in respect of all personal data processed through our platform and website. As data controller, we determine the purposes and means by which personal data is collected and used.

We are accountable for demonstrating compliance with UK GDPR and can be contacted at:

4. The Six Data Protection Principles

All personal data processed by CareerLumi must comply with the six principles set out in UK GDPR. We are accountable for demonstrating compliance with each of these principles at all times.

  1. Lawfulness, fairness, and transparency - Personal data must be processed on a valid legal basis, in a manner that is fair to the data subject, and in a way that is transparent. We achieve this through our privacy notices and this policy.
  2. Purpose limitation - Personal data must be collected for specified, explicit, and legitimate purposes and must not be processed in a manner that is incompatible with those purposes. Where the purpose changes, data subjects will be informed.
  3. Data minimisation - Personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed. We do not collect data beyond what is needed to provide our services.
  4. Accuracy - Personal data must be accurate and, where necessary, kept up to date. We take reasonable steps to ensure inaccurate data is rectified or erased without delay, and we encourage users to keep their profile information current.
  5. Storage limitation - Personal data must not be kept in a form that permits identification of data subjects for longer than is necessary for the purposes for which it is processed. Our retention periods are set out in our Privacy Policy, Section 12.
  6. Integrity and confidentiality - Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical and organisational measures.

Processing personal data is prohibited under UK GDPR unless at least one of the following legal bases applies. CareerLumi relies on the following bases when processing personal data:

For the specific legal bases we rely on in practice, please refer to our Privacy Policy, Section 5.

6. Special Category Data

Special category data (including data relating to racial or ethnic origin, health, religion, political opinion, sexual orientation, or biometric data) is afforded stricter protections under UK GDPR. CareerLumi does not intentionally collect special category data through our platform.

If special category data is processed, it will only be done so where at least one of the following additional conditions is satisfied:

If you believe you have disclosed special category data to us, please contact us at [email protected] so we can ensure it is handled appropriately.

7. Your Rights as a Data Subject

Under UK GDPR, you have the following rights in relation to your personal data:

To exercise any of these rights, please contact us at [email protected]. We will respond within one calendar month. Where a request is particularly complex or numerous, we may extend this by a further two months and will notify you within the first month of the reason for the extension.

We may take reasonable steps to verify your identity before processing any request.

8. Subject Access Requests

You have the right to request a copy of the personal data we hold about you. To submit a Subject Access Request (SAR), please email [email protected] with the following:

We will acknowledge your request on receipt and aim to comply within one calendar month. We will not charge a fee for a SAR unless the request is manifestly unfounded or excessive, in which case a reasonable administrative fee may apply or we may refuse to comply, providing our reasons in writing.

Upon providing the requested information, we will also remind you of your rights to rectification, erasure, and restriction of processing where applicable.

9. International Data Transfers

Some of our third-party service providers operate outside the UK or European Economic Area (EEA). Where personal data is transferred internationally, we ensure appropriate safeguards are in place, which may include:

We will always ensure that an equivalent level of protection is maintained for any data transferred internationally. Where required, we will inform data subjects of the reason for the transfer and their associated rights.

10. Data Security

CareerLumi implements appropriate technical and organisational measures to ensure the security of personal data, protecting it against:

Security measures include, but are not limited to:

All third-party processors engaged by CareerLumi are required to implement equivalent security standards and to notify us immediately of any incident that may affect the personal data they hold on our behalf.

Despite our best efforts, no method of electronic transmission is entirely secure. You are responsible for keeping your account credentials confidential and for notifying us immediately of any suspected unauthorised access.

11. Data Breach Notification

In the event of a personal data breach, CareerLumi will act promptly in accordance with our obligations under UK GDPR:

If you become aware of or suspect a data breach involving CareerLumi data, please report it immediately to [email protected].

12. Privacy by Design

CareerLumi embeds data protection into the design of our platform, processes, and third-party integrations from the outset. Our privacy by design approach means we:

13. Third-Party Processors

Where CareerLumi engages third-party processors to handle personal data on our behalf, we ensure that:

Our key third-party processors include Stripe (payments, escrow, and coach identity verification via Stripe Identity), Shopify (digital products), Google (Analytics and Forms), and providers of email marketing, video calling, and AI tools. Please refer to our Privacy Policy, Section 6, for a complete overview.

14. Updates to This Policy

This policy is reviewed and updated periodically to reflect changes in our data practices, applicable legislation, or ICO guidance. The "last updated" date at the top of this page reflects the most recent revision. Where changes are material, we will make reasonable efforts to notify affected data subjects.

15. Contact and Complaints

If you have any questions about this policy, or concerns about how we handle your personal data, please contact us:

We will always try to address your concern directly and promptly. However, if you remain dissatisfied, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):