Privacy Policy

Introduction

At Lumbus, we are committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, and protect your information when you use our eSIM services.

This policy complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Information We Collect

1.1 Information You Provide

• Account Information: Name, email address, password (encrypted)
• Payment Information: Billing address, payment card details (processed securely by Stripe)
• Communication Data: Support inquiries, feedback, referral information
• Affiliate Applications: Business details if you apply for our affiliate program

1.2 Information Collected Automatically

• Device Information: Device type, operating system, browser type, device identifiers
• Usage Data: Pages visited, features used, time spent on site, click patterns
• Location Data: IP address, general location (country/city level)
• eSIM Usage Data: Data consumption, connection times, network usage statistics
• Cookies and Tracking: Session cookies, analytics cookies, preference cookies

1.3 Information from Third Parties

• Payment Providers: Transaction confirmation from Stripe
• Network Operators: eSIM activation status, data usage from our eSIM provider
• Analytics Services: Aggregated usage statistics from Google Analytics

2. How We Use Your Information

We use your personal data for the following purposes:

2.1 Service Delivery

• Processing and fulfilling your eSIM orders
• Activating and provisioning eSIMs
• Monitoring data usage and validity periods
• Providing customer support
• Sending service-related notifications (order confirmations, activation instructions)

2.2 Account Management

• Creating and maintaining your account
• Authenticating your identity
• Managing your referral rewards and data wallet
• Processing password resets and security updates

2.3 Payment Processing

• Processing payments securely via Stripe
• Detecting and preventing fraud
• Issuing refunds when applicable

2.4 Marketing and Communications

• Sending promotional emails about new plans and offers (with your consent)
• Managing referral programs and affiliate partnerships
• Conducting customer surveys and feedback requests

2.5 Analytics and Improvement

• Analyzing website and app usage to improve user experience
• Identifying technical issues and bugs
• Developing new features and services
• Understanding customer preferences and behavior

2.6 Legal and Security

• Complying with legal obligations and regulations
• Preventing fraud, abuse, and illegal activities
• Protecting our rights and property
• Enforcing our Terms and Conditions

3. Legal Basis for Processing

Under UK GDPR, we process your personal data based on the following legal grounds:

• Contractual Necessity: To fulfill our contract with you (providing eSIM services)
• Legitimate Interests: To improve our services, prevent fraud, and conduct analytics
• Legal Obligation: To comply with tax, accounting, and regulatory requirements
• Consent: For marketing communications (you can withdraw consent at any time)

4. Data Sharing and Disclosure

We may share your personal data with the following third parties:

4.1 Service Providers

• Stripe: Payment processing (PCI-DSS compliant)
• Network Providers: eSIM provisioning and network connectivity
• Supabase: Database hosting and authentication services
• Vercel: Website and application hosting
• Resend: Transactional email delivery

4.2 Analytics and Marketing

• Google Analytics: Website usage analytics (anonymized data)

4.3 Legal Requirements

We may disclose your information if required by law, court order, or government request, or to:

• Comply with legal processes and law enforcement requests
• Protect the rights, property, and safety of Lumbus, our users, or the public
• Detect, prevent, or investigate fraud, security issues, or illegal activities

4.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity. We will notify you of any such change and your rights regarding your data.

5. International Data Transfers

Some of our service providers are located outside the UK and European Economic Area (EEA). When we transfer your data internationally, we ensure appropriate safeguards are in place:

• Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office (ICO)
• Adequacy decisions recognizing equivalent data protection standards
• Service providers certified under recognized data protection frameworks

6. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes outlined in this policy:

• Account Data: Retained while your account is active, plus 3 years after closure
• Transaction Records: Retained for 7 years for tax and accounting purposes (UK law requirement)
• Support Communications: Retained for 2 years after resolution
• Marketing Data: Retained until you withdraw consent or unsubscribe
• Analytics Data: Anonymized and retained indefinitely for statistical purposes

After the retention period, we securely delete or anonymize your data.

7. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

• Right of Access: Request a copy of the personal data we hold about you
• Right to Rectification: Correct inaccurate or incomplete data
• Right to Erasure: Request deletion of your data (subject to legal obligations)
• Right to Restriction: Limit how we use your data in certain circumstances
• Right to Data Portability: Receive your data in a structured, machine-readable format
• Right to Object: Object to processing based on legitimate interests or for marketing purposes
• Right to Withdraw Consent: Withdraw consent for marketing communications at any time
• Right to Complain: Lodge a complaint with the Information Commissioner's Office (ICO)

To exercise any of these rights, contact us at privacy@lumbus.com. We will respond within 30 days.

8. Cookies and Tracking Technologies

We use cookies and similar technologies to enhance your experience:

8.1 Essential Cookies

• Session management and authentication
• Security and fraud prevention
• Load balancing and performance

8.2 Analytics Cookies

• Google Analytics: Track website usage and performance
• User behavior analysis for service improvement

8.3 Marketing Cookies

• Referral tracking (affiliate and user referral programs)
• Campaign performance measurement

You can control cookies through your browser settings. Note that disabling essential cookies may affect website functionality.

9. Data Security

We implement industry-standard security measures to protect your data:

• Encryption in transit (HTTPS/TLS) and at rest
• Secure authentication with password hashing (bcrypt)
• Regular security audits and vulnerability assessments
• Access controls and role-based permissions
• Secure payment processing via PCI-DSS compliant Stripe
• Database backups and disaster recovery procedures

While we take all reasonable precautions, no system is completely secure. You are responsible for maintaining the confidentiality of your account credentials.

10. Children's Privacy

Our Services are not intended for children under 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately at privacy@lumbus.com, and we will delete it promptly.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify you of significant changes via email or a prominent notice on our website. Your continued use of our Services after changes are posted constitutes acceptance of the updated policy.

12. Contact Information

For questions about this Privacy Policy or to exercise your data rights, contact us:

Supervisory Authority

You have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):