PRIVACY NOTICE — BOOKING CUSTOMERS
Information for people who book appointments through a salon using Lumera Studio Lab
Policy Version: 1.0
Last Updated: March 1, 2026
1. WHO PROCESSES YOUR DATA
When you book an appointment through a salon that uses Lumera Studio Lab (the booking platform), two parties are involved in the processing of your personal data:
- The salon (the business you are booking with) is the data controller. The salon decides why and how your personal data is collected and used. The salon is responsible for providing you with its own privacy information and for handling your requests regarding your data (access, correction, deletion, etc.).
- Lumera Studio Lab is the data processor. We provide the booking technology and related services (e.g. confirmations, reminders, optional payments, calendar sync) on behalf of the salon. We process your data only on the salon’s instructions and in accordance with our Data Processing Agreement (DPA) with the salon.
This notice explains what data is collected in the booking flow, for what purposes, and how you can exercise your rights. For the full processor obligations and sub-processor list, see our Data Processing Agreement.
2. WHAT DATA IS COLLECTED
In the context of making and managing your appointment, the following personal data may be collected and processed:
| Category | Data | Why |
|---|---|---|
| Identity and contact | Your name, email address, phone number | To create and manage your booking, send confirmations and reminders, and allow the salon to contact you |
| Booking details | Appointment date and time, service(s) selected, status (e.g. confirmed, cancelled), any notes or special requests you or the salon add | To run the salon’s schedule and provide the service you requested |
| Consent and preferences | Whether you have agreed to the processing of your data and, if offered, to marketing communications | To demonstrate lawful processing and respect your choices |
| Payment (if the salon uses online payment) | Payment status, transaction reference, amount; card data is processed by Stripe and not stored by us | To process deposits or payments at booking |
| Technical / audit | IP address at the time of booking | For security and audit purposes |
If the salon or its staff use Google Calendar, appointment details (including your name and appointment time) may be synchronised to their calendar via Google’s services.
3. WHY YOUR DATA IS PROCESSED
Your data is processed to:
- Create, confirm, modify, and manage your appointment.
- Send you booking confirmations, reminders, and cancellation notices (via our email provider).
- Process payments when the salon has enabled payment at booking (card processing is done by Stripe).
- Allow the salon to manage its schedule and provide you with the requested service.
- Comply with legal and contractual obligations (e.g. assisting the salon in responding to data subject requests, maintaining security and audit logs).
The lawful basis for this processing is determined by the salon (the controller). Typically it will be contract (Art. 6(1)(b) GDPR) for the booking itself, and consent where applicable (e.g. marketing).
4. HOW LONG YOUR DATA IS KEPT
The salon (controller) decides how long your data is retained. We (as processor) retain it for as long as the salon uses our platform and in line with our agreement with them. When the salon’s account ends or they ask us to delete your data, we delete or return it in accordance with our Data Processing Agreement, subject to any legal retention requirements.
You can ask the salon at any time how long they keep your data or request deletion.
5. YOUR RIGHTS
Under the GDPR you have the rights of access, rectification, erasure, restriction of processing, data portability, and objection, as well as the right to lodge a complaint with a supervisory authority.
Because the salon is the controller of your data, you should contact the salon to exercise these rights (e.g. request a copy of your data, ask for correction or deletion). The salon can use the tools we provide (such as client export, anonymisation, or deletion) to respond to your request.
If you contact Lumera Studio Lab directly about your booking data, we will forward your request to the relevant salon (controller) and will not respond to the substance of the request unless instructed by the salon or required by law. For technical or platform issues you can contact us at [email protected].
6. SUB-PROCESSORS AND INTERNATIONAL TRANSFERS
We use sub-processors (e.g. for hosting, email, payments, calendar sync) to provide the booking service. Some may be located outside the EEA. We ensure appropriate safeguards (e.g. Standard Contractual Clauses) are in place. The current list of sub-processors and transfer details is set out in our Data Processing Agreement (Schedule 3) and at https://lumerastudio.com/privacy-business#sub-processors.
7. SECURITY
We implement appropriate technical and organisational measures to protect your data (e.g. encryption, access controls, secure hosting). Details are described in our Data Processing Agreement and related documentation.
8. CONTACT
- For your personal data (access, correction, deletion, etc.): Contact the salon where you made your booking. They are the data controller.
- For technical or platform issues, or to send a data request to the controller via us:
WELT-ŠPED d.o.o. (trading as Lumera Studio Lab)
Email: [email protected]
Address: Selska cesta 123/2, Zagreb, 10000, Croatia
9. CHANGES TO THIS NOTICE
We may update this notice from time to time. The "Last Updated" date at the top indicates the latest version. Continued use of the booking service after changes constitutes acceptance where permitted by law.
Document History
| Version | Date | Summary of changes |
|---|---|---|
| 1.0 | March 1, 2026 | Initial Privacy Notice for booking customers (salon = controller, Lumera = processor). |
END OF DOCUMENT