Data controller identity
The controller responsible for the processing described here is Movewywashing.world, with its principal establishment at Sarphatistraat 72, 1018 EX Amsterdam, Netherlands.
You may contact talk@movewywashing.world for privacy requests. We respond within one month unless complexity legitimately extends the deadline, in which case we notify you beforehand.
Material scope
This Policy applies to personal data obtained through the website, mobile experiences mirroring it, email, telephony, trade-show capture, and retailer support portals that reference these disclosures.
Employment candidate data follows dedicated notices issued during recruitment. Purely anonymous analytics fall outside GDPR personal data definitions when irreversible aggregation is achieved.
Categories of personal data
Identity and contact
Name, billing and shipping addresses, phone numbers, birth year when needed for age gating, and company identifiers.
Account and commercial
Order history, SKU preferences, customer service tickets, loyalty identifiers, and marketing subscription flags.
Technical
IP address, device fingerprint components, browser language, approximate geolocation at city precision, and telemetry about page performance.
Financial
Payment tokens from PCI-DSS service providers—not full card numbers on our servers—and bank transfer references.
Sensitive information
We do not aim to collect health data. If you voluntarily disclose medical context in support emails, we minimise retention and steer you toward qualified professionals.
Purposes of processing
- Performing purchase contracts and pre-contractual steps you request.
- Maintaining website integrity, fraud analytics, and dispute resolution.
- Complying with tax, customs, product traceability, and court orders.
- Sending optional newsletters or Lumora education when you opt in.
- Improving accessibility, navigation design, and consent-rate metrics.
Digital advertising and measurement
When you consent to marketing or analytics cookies, tags or pixels may help us measure visits from Google Ads and similar networks in aggregated form, subject to each platform’s terms and regional requirements (including EU Digital Services Act transparency expectations where applicable).
We do not use ad platforms to promote products to children or to collect special categories of data for targeting. Remarketing lists, if used, are built only from consented site behaviour and exclude health inference categories prohibited by platform rules.
Lawful bases mapped
Contract performance (Article 6(1)(b) GDPR) covers checkout, delivery, and contractual warranties. Legal obligation (Article 6(1)(c)) covers invoicing archives. Legitimate interests (Article 6(1)(f)) cover network defence, corporate reorganisations, and aggregated reporting balanced against your rights. Consent (Article 6(1)(a)) gates optional marketing and non-essential cookies documented in the Cookie Policy.
When consent is withdrawn, we cease processing that depends on it unless another basis independently authorises continuation.
Recipients and processor roles
Processors sign Article 28 agreements: hosting within the EU, transactional email, payment gateways, warehouse management, label printing, analytics when consented, and customer chat tooling.
We never sell personal data in the sense of unrelated data brokers receiving your file for money. Sponsored content partners receive only aggregate readership statistics.
International transfers
Where remote support engineers access data from the United Kingdom or United States, we implement Standard Contractual Clauses, encryption in transit, and need-to-know access reviews. Transfer impact assessments are available to regulators upon request.
Retention schedule highlights
- Accounting documents: seven years after fiscal year close.
- Marketing consents and unsubscribe proofs: life of brand relationship plus three years.
- Abandoned carts without purchase: ninety days unless you re-engage.
- Security logs: rolling ninety days unless incident investigations require longer holds.
Security measures
TLS 1.2+, segregated production credentials, quarterly access reviews, phishing-resistant MFA for administrators, vendor SOC reports, and pseudonymised test data environments. Breach notification procedures align with Articles 33–34 GDPR.
Data subject rights
You may request access, rectification, erasure, restriction, data portability where technically feasible, and human oversight for solely automated decisions producing legal effects—we currently avoid such automation.
Objection rights apply to legitimate-interest processing; we will assess override grounds and explain outcomes. You may complain to regulators without prejudice to judicial remedies.
Profiling and automated decisions
Fraud tools may score risk levels but manual analysts verify outcomes affecting contract refusal. Nutritional questionnaires on the site do not auto-determine eligibility for regulated products.
Children
Lumora marketing targets adults. We do not knowingly collect data from individuals under sixteen without verifiable parental authority. Parental notices trigger deletion protocols.
Policy updates
Material revisions appear on this page with refreshed narrative context. The dynamic date stamp reflects the day you loaded the document for quick orientation; substantive edits also appear in internal change logs.
Direct contacts