Privacy Policy

Last updated: April 2026

1. Who we are

Lumina Risk Advisory ("we," "our," or "us") is the data controller responsible for your personal data. We operate this website at luminarisk.io and provide IT audit and compliance advisory services globally.

Lumina Risk Advisory

[Registered address — to be completed before publishing]

India

Email: hello@luminarisk.io

For all data privacy matters — including rights requests, complaints, and the Grievance Officer function under the Digital Personal Data Protection Act, 2023 — you may write to us at the address or email above.

2. Personal data we collect

The only way we collect personal data through this website is when you voluntarily submit the contact form or send us a direct email. We do not track visitors, run analytics, or collect data passively. If you browse the site without submitting the form or sending an email, we collect nothing about you.

When you submit the contact form or email us, the information you provide may include:

  • Your name and job title
  • Work email address
  • Company name
  • Any details you choose to include — such as compliance framework of interest, project timeline, or context about your current state

Contact form submissions are processed and delivered to us via Web3Forms (see Section 5). The data is forwarded to our email inbox. We do not store form submissions in any database we control.

We do not collect special category data (health, biometric, financial account, or similar sensitive data) through this website. We do not knowingly collect personal data from individuals under 18 years of age. If you believe we have inadvertently collected such data, please contact us and we will delete it promptly.

3. Why we process your data and our lawful basis

We process personal data for specific, explicit purposes only. The table below sets out each purpose and its lawful basis under the GDPR (for EEA/UK individuals) and the DPDP Act 2023 (for individuals in India).

Responding to your enquiry or consultation request

We use the information you submit to reply to you and, where relevant, provide a proposal.

GDPR basis: Legitimate interests (Art. 6(1)(f)) — responding to a business enquiry is in both parties' interest and does not override your rights.
DPDP basis: Consent given when you voluntarily submit the form.

Sending compliance insights and updates

If you explicitly opt in, we may send you relevant compliance insights and firm updates. You may unsubscribe at any time.

GDPR basis: Consent (Art. 6(1)(a)).
DPDP basis: Consent. Withdrawal of consent will result in cessation of communications and erasure of data held solely for this purpose.

Security and spam prevention

We process minimal technical metadata from form submissions to detect and prevent spam and abuse.

GDPR basis: Legitimate interests (Art. 6(1)(f)).
DPDP basis: Legitimate use for the purpose of preventing fraud or maintaining security.

Legal and regulatory compliance

Where required, we may process personal data to comply with a legal obligation, respond to a court order, or cooperate with a regulatory or law enforcement authority.

GDPR basis: Legal obligation (Art. 6(1)(c)) or legitimate interests (Art. 6(1)(f)).
DPDP basis: Compliance with any law or order of any court, tribunal or authority in India or applicable jurisdiction.

Where we rely on legitimate interests, we have assessed that those interests are not overridden by your privacy rights. You may object to processing based on legitimate interests — see Section 8.

We do not sell, rent, share, or trade your personal data with any third party for their own commercial purposes.

4. Cookies

We do not use analytics, advertising, tracking, or profiling cookies. This website does not run any analytics tools and does not set any cookies of its own.

The only cookies that may be present on this site are strictly necessary security cookies set automatically by our hosting and CDN provider, Cloudflare. These are infrastructure-level cookies that we do not control; they do not identify you personally and do not require consent under GDPR or the DPDP Act.

Cookie         Set by       Purpose                                                                           Duration
__cf_bm        Cloudflare   Bot management — distinguishes legitimate visitors from automated traffic         30 minutes
cf_clearance   Cloudflare   Set only if a security challenge is triggered; confirms the challenge was passed   1 day

If we ever introduce analytics or other non-essential cookies in future, we will update this policy, add a cookie consent mechanism, and obtain your explicit opt-in before any such cookies are set.

5. Third-party processors

We use a minimal set of third-party services that may process personal data on our behalf. Each is engaged as a data processor under appropriate data processing agreements and is not permitted to use your data for their own purposes.

Processor    Purpose                                              Country
Cloudflare   Website hosting, CDN, and DDoS protection            United States
Web3Forms    Contact form submission processing and delivery      United States

A complete and current sub-processor list is available on request at hello@luminarisk.io. We will notify you of material changes where required by applicable law.

6. International data transfers

We are based in India. When you interact with our website, your data may be transferred to and processed in other countries. For example, contact form submissions are processed by Web3Forms, which operates in the United States.

For EEA and UK individuals (GDPR):

Transfers of personal data outside the EEA or UK are conducted under appropriate safeguards, including Standard Contractual Clauses (SCCs) approved by the European Commission (or their UK equivalent), or we rely on an applicable adequacy decision. You may request details of the specific transfer mechanism by contacting us.

For individuals in India (DPDP Act):

We transfer personal data outside India only to countries or territories as may be permitted under the Digital Personal Data Protection Act, 2023, and any rules or notifications issued thereunder. Where required, we ensure appropriate contractual protections are in place before any cross-border transfer.

To obtain details of the transfer safeguards we rely on, contact us at hello@luminarisk.io.

7. Data retention

We retain personal data only for as long as necessary for the purpose for which it was collected, or as required by applicable law. Our retention periods are:

  • Enquiry and contact records: Up to 2 years from the date of last meaningful contact, or until you request deletion — whichever is earlier.
  • Marketing communications (opt-in): Until you withdraw consent or unsubscribe, at which point data held solely for this purpose is erased.
  • Client engagement records: 5 years from engagement close, in line with applicable professional standards, then securely destroyed.

We may retain data for longer than the periods above where required to comply with a legal obligation, resolve a dispute, enforce an agreement, or defend against a legal claim. In such cases, data will be retained only for as long as necessary for that specific purpose and then securely deleted.

At the end of each retention period, data is securely deleted or irreversibly anonymised. You may request earlier deletion at any time — see Section 8.

8. Your rights

Rights under GDPR — EEA and UK residents

  • Right of access: Request a copy of the personal data we hold about you and information on how we use it.
  • Right to rectification: Request correction of inaccurate or incomplete data without undue delay.
  • Right to erasure ("right to be forgotten"): Request deletion of your personal data where it is no longer necessary, consent has been withdrawn, or processing is unlawful — subject to overriding legal obligations.
  • Right to restriction: Request that we temporarily restrict processing of your data while a dispute or objection is resolved.
  • Right to data portability: Where processing is based on consent or contract and carried out by automated means, receive your data in a structured, commonly used, machine-readable format and transmit it to another controller.
  • Right to object: Object at any time to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
  • Right to withdraw consent: Where processing is based on your consent, withdraw it at any time by emailing hello@luminarisk.io. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
  • Right to lodge a complaint with a supervisory authority: You have the right to lodge a complaint with the data protection authority in your country of residence or place of work. For example: the Data Protection Commission (Ireland) at dataprotection.ie, or the Information Commissioner's Office (UK) at ico.org.uk. We would, however, welcome the opportunity to address your concern directly before you approach a supervisory authority.

Rights under the DPDP Act, 2023 — India residents

  • Right to information: Request a summary of the personal data we process about you, the purposes of processing, and the identities of any data fiduciaries or processors with whom it has been shared.
  • Right to correction and erasure: Request correction of inaccurate or misleading personal data, and erasure of data that is no longer necessary for the purpose for which it was collected, or where consent has been withdrawn.
  • Right to withdraw consent: Withdraw consent at any time. Withdrawal must be as easy as giving consent — email hello@luminarisk.io with the subject line "Withdraw Consent." Upon withdrawal, we will cease processing and erase your personal data, unless we have another lawful basis to retain it. Withdrawal does not affect the lawfulness of prior processing.
  • Right to grievance redressal: Raise a complaint with our Grievance Officer (see Section 11). If the complaint is not resolved to your satisfaction within the timeframe stated, you may escalate to the Data Protection Board of India.
  • Right to nominate: Nominate another individual to exercise your data protection rights on your behalf in the event of your death or incapacity. To register a nomination, write to us at hello@luminarisk.io with supporting details.

We will acknowledge all rights requests within 48 hours and respond substantively within 30 days. We may need to verify your identity before processing your request. If we are unable to fulfil a request, we will explain why.

9. Data breach notification

In the event of a personal data breach, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where required under GDPR and applicable law.
  • Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
  • Notify the Data Protection Board of India and affected data principals in accordance with the requirements of the DPDP Act, 2023, and any rules notified thereunder.

10. Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, destruction, or disclosure. Our security practices — including access controls, encryption, device security, and incident response — are detailed on our Trust & Security page.

No method of transmission over the internet is completely secure. While we take reasonable and proportionate steps to protect your information, we cannot guarantee absolute security of data transmitted to us electronically.

11. Grievance Officer (DPDP Act, 2023)

In accordance with the Digital Personal Data Protection Act, 2023, we have designated a Grievance Officer to handle data protection complaints and requests:

Grievance Officer

[Name — to be completed before publishing]

Lumina Risk Advisory

Email: hello@luminarisk.io

We will acknowledge your grievance within 48 hours of receipt and resolve it within 30 days, unless the nature of the complaint requires additional time, in which case we will keep you informed. If you are not satisfied with our resolution, you may escalate your complaint to the Data Protection Board of India.

12. Changes to this policy

We may update this policy from time to time to reflect changes in law, regulatory guidance, or our practices. Material changes will be noted on this page with an updated date. Where required by applicable law, we will notify affected individuals of significant changes directly. Continued use of this website following a minor update constitutes acknowledgement of the revised policy.

We recommend reviewing this page periodically. Previous versions are available on request.

13. Contact us

For any questions, requests, or complaints about this policy or how we handle personal data, please contact us at hello@luminarisk.io.

This policy applies to personal data collected through this website. It does not govern data processed under separate client engagement agreements, which are subject to the terms of those agreements and our Trust & Security commitments.

© 2026 Lumina Risk Advisory