Effective Date: 10.07.2025
At Lumolino, the well-being and privacy of children who use our products and services are our top priority. To ensure the functionality and security of our services, we automatically collect certain technical data from your device and connection. This data is considered personal data under the General Data Protection Regulation (GDPR). We want to emphasize that we do not use this data for advertising, tracking, or profiling purposes. We generally do not collect directly identifiable personal data from children, unless you, as a parent or legal guardian, voluntarily decide to provide it to us.
We strive to provide you with comprehensive information about the processing of your data and to enable you to exercise your legal rights
The Controller responsible for data processing is:
Lumolino GbR
c/o IP-Management #5503
Ludwig-Erhard-Str. 18
20459 Hamburg, Germany
We process some of your personal data based on the following legal grounds:
Consent (Art. 6(1)(a) GDPR): If you have given us your explicit consent to process your personal data for one or more specific purposes.
Performance of a Contract and Pre-contractual Measures (Art. 6(1)(b) GDPR): If the processing is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into a contract.
Compliance with a Legal Obligation (Art. 6(1)(c) GDPR): If the processing is necessary for compliance with a legal obligation to which we are subject, for example, to comply with tax obligations.
Protection of Legitimate Interests (Art. 6(1)(f) GDPR): If the processing is necessary for the purposes of our legitimate interests or those of a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data.
As a general rule, we only store personal data for as long as is necessary to fulfill the respective processing purposes.
Data that must be retained due to legal retention obligations (e.g., from the German Commercial Code or Tax Code) will be stored for the prescribed periods. In such cases, the processing of the data will be restricted.
Data required to be retained due to legal obligations (e.g., commercial or tax law) will be stored for the legally mandated period. During this time, data processing is restricted.
Data whose storage is necessary for the preservation of evidence within the framework of statutory limitation periods will be stored for the prescribed periods.
The transfer of personal data to recipients in third countries (outside the European Union or the European Economic Area) or to international organizations is only permissible if the conditions set out in the GDPR are met, to ensure that the level of protection for natural persons guaranteed throughout the Union is not undermined.
This can be based on an adequacy decision by the European Commission (pursuant to Art. 45 GDPR), which confirms that the third country in question provides an adequate level of data protection. The EU-U.S. Data Privacy Framework (DPF) is one such agreement recognized by the EU Commission as a secure legal framework for data transfers to the USA.
In the absence of such an adequacy decision, the transfer is based on appropriate safeguards (pursuant to Art. 46 GDPR), such as Standard Contractual Clauses (SCCs) issued by the Commission or approved by a supervisory authority, or Binding Corporate Rules (BCRs). These provide an additional layer of protection.
In individual cases, data transfers to third countries may also be based on your explicit consent (pursuant to Art. 49(1)(a) GDPR), after you have been informed of the possible risks of such a transfer without an adequacy decision or appropriate safeguards.
As a data subject, you have comprehensive rights under the General Data Protection Regulation regarding the processing of your personal data. We facilitate the exercise of these rights. You have the following rights:
Right of Access (Art. 15 GDPR): You have the right to obtain confirmation from us as to whether or not personal data concerning you is being processed. If that is the case, you have a right to access this data and further information, such as the purposes of the processing, the categories of data concerned, the recipients (especially in third countries), the planned duration of storage or the criteria used to determine that period, the origin of the data (if not collected from you), and the existence of automated decision-making, including profiling.
Right to Rectification (Art. 16 GDPR): You have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you also have the right to have incomplete data completed.
Right to Erasure (Art. 17 GDPR): You have the right to request the immediate erasure of personal data concerning you, provided one of the grounds listed in Art. 17(1) GDPR applies (e.g., the data is no longer necessary for the purposes for which it was collected; you withdraw your consent; you object to the processing; the processing was unlawful). If we have made the data public and are obliged to erase it, we will take reasonable steps to inform other controllers of your erasure request.
Right to Restriction of Processing (Art. 18 GDPR): You have the right to request the restriction of the processing of your personal data if one of the conditions in Art. 18(1) GDPR is met (e.g., the accuracy of the data is contested; the processing is unlawful).
Right to Data Portability (Art. 20 GDPR): You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format and have the right to transmit those data to another controller without hindrance from us, where the processing is based on consent or a contract and is carried out by automated means. This right does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
Right to Object (Art. 21 GDPR): You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on Art. 6(1)(e) (public interest) or (f) (legitimate interest) of the GDPR. In the event of an objection, we will no longer process the data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or the processing serves the establishment, exercise, or defense of legal claims.
Right to Withdraw Consent (Art. 7(3) GDPR): You have the right to withdraw your data protection consent declaration at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
Right to Lodge a Complaint with a Supervisory Authority (Art. 77 GDPR): Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR.
To exercise your rights, please contact us at:
info [at] lumolino.com
The exercise of your rights is free of charge for you.
We are responsible for the services available through our app Lumolino (hereinafter: "App"). By using these services, personal data is processed. Below, we provide detailed information about the data processing that takes place.
No user registration or provision of a personal identifier is required to use the App. To always load current content and ensure the functionality of the App, the App connects to the technical infrastructure of our service provider, Supabase Inc.
When the connection necessary for the App's function is established, technical data is automatically transmitted from your device via the network to our service providers and processed there. According to Art. 4(1) GDPR, this data is considered personal data, as it can identify an identifiable natural person, particularly by assigning an online identifier such as an IP address. This includes the following data, which may be collected with each access:
Your IP address, which is essential for the delivery of the data.
Your Internet Service Provider, which can be derived from the IP address.
Location and regional information, such as the country, region, city, and the set time zone.
Device and software information, such as the device type, operating system and its version, the set language, and technical details of the network protocol used. This data is transmitted in the so-called "User-Agent".
Connection metadata, such as the time of the request, the accessed resource or URL, the amount of data transferred, and the access status (HTTP status code).
The processing of this data is based on our legitimate interest according to Art. 6(1)(f) GDPR. Our legitimate interest lies in ensuring a secure, stable, and functional provision of our App, as well as optimizing its content and technical processes.
To provide our services, we use the services of our data processor, Supabase, Inc., a Delaware corporation, 970 Toa Payoh North #07-04, Singapore 318992, Singapore, with whom we have concluded a Data Processing Agreement (DPA). The DPA concluded with Supabase incorporates the EU Standard Contractual Clauses (SCC) and thus offers sufficient guarantees within the meaning of Art. 46 et seq. GDPR. The DPA can be found here: https://supabase.com/legal/dpa
We generally do not transmit your personal data to third parties who are not directly involved in the provision and function of the App. Our contracted service provider, Supabase Inc., acts as a recipient of your technical data in its capacity as a data processor. Data is transmitted to them exclusively within the framework of the existing data processing agreements.
The content of the App is suitable for children. The App is primarily designed for use by parents and legal guardians. We generally do not collect personal data from children that allows for direct identification unless it is voluntarily provided to us by the legal guardians. The technical data mentioned under section 2.1 is automatically collected from every device, regardless of the user's age. However, we want to emphasize that this technical data is not used by us for profiling children or for advertising purposes directed at children. Should we become aware that personal data of children has been collected without corresponding parental consent, we will delete this data immediately.
When downloading the App via the Apple App Store or the Google Play Store, the respective providers may process technical and personal data (e.g., account data, payment information, device characteristics). We have no influence on this data processing. The respective privacy policies of the store operators apply.
We are responsible for our website www.lumolino.com and its subpages (hereinafter: "Website"). By using our Website, personal data is processed. Below, we provide detailed information about the data processing that takes place.
This website is hosted externally. The personal data collected on this website is stored on the servers of the host(s). This may include, in particular, IP addresses, contact requests, meta and communication data, contract data, contact details, names, website access, and other data generated via a website. When you visit our website, we automatically collect data and information from your end device (so-called log files).
The website is hosted on Cloudflare Pages and uses the Cloudflare Content Delivery Network (CDN) from Cloudflare, Inc., 101 Townsend St., San Francisco, CA 94107, USA (hereinafter "Cloudflare"). Cloudflare offers a globally distributed Content Delivery Network (CDN) that directs the transfer of information between your browser and our website and analyzes traffic to fend off potentially malicious traffic. Cloudflare may use cookies or similar technologies for the recognition of internet users, which are, however, used solely for this purpose.
The use of Cloudflare is based on our legitimate interest in providing our web services as flawlessly and securely as possible. The data transfer is based on the Standard Contractual Clauses of the EU Commission, and the company is certified under the EU-US Data Privacy Framework (DPF). We have concluded a Data Processing Agreement (DPA) with Cloudflare, which ensures that personal data of our website visitors is processed only according to our instructions and in compliance with the GDPR.
This website does not collect any directly identifiable personal data. We also completely refrain from using external analytics software. Each time the website is accessed, a series of general data and information is collected and stored in the server's log files. This can include:
Your IP address.
Name and URL of the retrieved file.
Date and time of the request.
Amount of data transferred.
Notification of successful retrieval (HTTP response code).
Browser type and browser version.
Operating system.
Referrer URL (i.e., the previously visited page).
Websites that are accessed by the user's system via our website.
The user's internet service provider.
The respective time zone.
This log data is usually stored in the server log files and then deleted or anonymized. Data whose further retention is required for evidentiary purposes in the event of attacks on the server infrastructure or other legal violations is excluded from deletion until the respective incident has been finally clarified.
The collection of this data serves to correctly deliver the content of our website, to ensure the long-term functionality of our information technology systems and the technology of our website, as well as to increase security and optimize our website. This includes the analysis of user behavior and the prevention of abusive automated spying and SPAM.
The legal basis for the processing of this data is our legitimate interest according to Art. 6(1)(f) GDPR. Our legitimate interest lies in the secure, stable, functional, and efficient provision of our online services.
You can contact us via email. We would like to point out that data transmission over the Internet (e.g., when communicating by email) can have security vulnerabilities. A complete protection of data from access by third parties is not possible.
In addition to your email address, we process the personal data that you provide to us within the email communication (e.g., your name and the content of your message).
The personal data is processed exclusively for the purpose of handling the request and in case of follow-up questions.
If the communication aims at concluding a contract, the legal basis for the processing is Art. 6(1)(b) GDPR.
In all other cases, Art. 6(1)(f) GDPR is the legal basis. Your interest does not override our interest in answering your inquiry; since you are writing to us, a response is also in your interest, and you are aware that we must process your personal data to answer your inquiry.
The data you send us in contact requests will remain with us until the purpose for data storage no longer applies (e.g., after your request has been fully processed) or you request us to delete it. Mandatory legal provisions, especially commercial or tax retention periods, remain unaffected.
This privacy policy will be adapted if technical or legal changes occur. The current version will be published on our website.