PRIVACY POLICY — BUSINESS CUSTOMERS
How WELT-ŠPED d.o.o. (Lumera Studio Lab) processes personal data of salon owners and account users
Policy Version: 1.0
Last Updated: March 1, 2026
1. INTRODUCTION
Lumera Studio Lab ("we", "us", "our") is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and protect the personal data of business customers—salon owners, staff, and other users of our booking and salon management platform—when we act as data controller under the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable national law.
This policy does not cover the processing of your end customers' (booking clients') personal data. That processing is governed by our Data Processing Agreement (DPA) and by the separate Privacy Policy for Booking Customers, where the salon is the controller and we act as processor.
2. DATA CONTROLLER
The data controller for your business account data is:
WELT-ŠPED d.o.o. (trading as Lumera Studio Lab)
Registered Address: Selska cesta 123/2, Zagreb, 10000, Croatia
Company Registration Number (OIB): 63453057610
Data protection contact: [email protected]
3. WHAT DATA WE COLLECT
We collect and process the following categories of personal data in connection with your business account and use of the Platform:
| Category | Data elements | Purpose |
|---|---|---|
| Account and identity | Name, email address, phone number (as provided at registration or in your profile) | Account creation, authentication, communication, support |
| Business / salon information | Salon name, address, phone, email, URL slug, services, working hours, branding (e.g. logo, brand colour) | Provision of the Platform, public booking page, billing and subscription management |
| Subscription and billing | Subscription tier, trial end date, Stripe customer ID, payment status; we do not store payment card numbers (these are processed by Stripe) | Billing, plan limits, access control |
| Usage and product | Login activity, feature usage, language preference | Service improvement, security, legitimate interest–based analytics (aggregated where possible) |
| Consent and compliance | GDPR consent timestamp, privacy policy version, marketing opt-in (if applicable), DPA acceptance (per salon) | Demonstration of lawful processing, compliance |
| Support and communications | Messages and subject matter of support requests you send to us | Handling enquiries and support |
| API and operations | API usage logs (endpoint, salon ID, timestamp) where applicable; retention limited (e.g. 90 days) | Security, abuse prevention, operations |
4. LEGAL BASIS FOR PROCESSING
We process your personal data on the following bases:
- Contract performance (Art. 6(1)(b) GDPR): Data necessary to create and manage your account, provide the Platform, manage subscriptions, and communicate with you in relation to the service.
- Legitimate interests (Art. 6(1)(f) GDPR): Aggregated analytics, security and fraud prevention, improvement of the Platform, and defence of legal claims, where our interests are not overridden by your rights.
- Legal obligation (Art. 6(1)(c) GDPR): Where we must retain or disclose data to comply with tax, accounting, or other legal obligations.
- Consent (Art. 6(1)(a) GDPR): Where we rely on your consent (e.g. marketing communications, optional cookies), you may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
5. DATA RETENTION
- Active accounts: We retain your data for the duration of your use of the Platform and, where required by law (e.g. tax, accounting), for up to 7 years after the end of the contractual relationship.
- Account deletion: If you request account deletion, we schedule permanent deletion after a 30-day grace period (during which you may cancel the request). After that, your account and associated personal data are erased from our systems, except where we must retain data under legal obligation.
- Operational logs: API usage and similar operational logs are retained for a limited period (e.g. 90 days) unless a longer retention is required for security or legal purposes.
6. YOUR RIGHTS
Under the GDPR you have the right to:
- Access — Obtain confirmation as to whether we process your personal data and, where that is the case, access to that data. You can download a copy of your data from the Privacy settings page in the admin dashboard.
- Rectification — Have inaccurate personal data corrected; you can update much of your information directly in the dashboard.
- Erasure — Request deletion of your personal data, subject to legal retention requirements. Account deletion (with 30-day grace period) is available from the Privacy settings page.
- Restriction of processing — In certain circumstances, request that we restrict how we use your data.
- Data portability — Receive your data in a structured, commonly used, machine-readable format (e.g. JSON export).
- Object — Object to processing based on legitimate interests; you may also cancel your subscription and stop using the Platform at any time.
- Withdraw consent — Where processing is based on consent, withdraw that consent at any time.
- Lodge a complaint — Lodge a complaint with a supervisory authority (e.g. in Croatia: AZOP – Agencija za zaštitu osobnih podataka).
To exercise your rights, contact us at [email protected] or use the tools provided in the Platform (e.g. Privacy settings for export and deletion).
7. SUB-PROCESSORS AND INTERNATIONAL TRANSFERS
We use the following sub-processors to operate the Platform and process your data. Where they are located outside the EEA, we ensure appropriate safeguards (e.g. Standard Contractual Clauses) are in place.
| Sub-processor | Purpose | Location / transfer | Safeguards |
|---|---|---|---|
| Supabase Inc. | Database hosting, authentication, storage | EEA (e.g. Ireland, Frankfurt) | DPA; ISO 27001, SOC 2; data in EEA |
| Stripe, Inc. | Payment processing, subscription billing | EEA / may involve US or other regions | DPA with SCCs; PCI DSS Level 1 |
| Resend, Inc. | Transactional email (e.g. account, billing, support) | US / global | DPA with SCCs |
| Google LLC | Calendar synchronisation (where you connect Google Calendar) | EEA / may involve US | DPA with SCCs; ISO 27001, SOC 2 |
A current sub-processor list is also maintained at: https://lumerastudio.com/privacy-business#sub-processors
We may add or change sub-processors; we will notify you of material changes in accordance with our Data Processing Agreement and Terms of Service.
8. SECURITY
We implement appropriate technical and organisational measures to protect your personal data, including encryption in transit and at rest, access controls, and secure development practices. Our infrastructure is hosted in the EEA where possible. Details are set out in our Data Processing Agreement (Schedule 2) and security documentation available on request, subject to confidentiality.
9. CONTACT
For questions about this Privacy Policy or to exercise your data protection rights:
Data protection contact:
Email: [email protected]
Address: WELT-ŠPED d.o.o., Selska cesta 123/2, Zagreb, 10000, Croatia
10. CHANGES TO THIS POLICY
We may update this Privacy Policy from time to time to reflect legal, technical, or operational changes. We will notify you of material changes via the Platform and/or by email. The "Last Updated" date at the top indicates the latest revision. Continued use of the Platform after the effective date of changes constitutes acceptance of the updated policy where permitted by law.
Document History
| Version | Date | Summary of changes |
|---|---|---|
| 1.0 | March 1, 2026 | Initial full Privacy Policy for business customers (Lumera as controller). |
END OF DOCUMENT