Privacy Policy
Last updated: March 24, 2026
Protecting your personal data is important to us.
Lumeva S.R.L. (hereinafter "Lumeva," "we," or the "Controller") operates the lumeva.ro platform. This Privacy Policy describes how we collect, use, store, and protect your personal data in accordance with the General Data Protection Regulation (GDPR — EU Regulation 2016/679) and applicable Romanian legislation. Please read this document carefully.
1. Data controller
The personal data controller is:
- Company name: Lumeva S.R.L.
- Data protection contact email: contact@lumeva.ro
2. Data we collect
We collect the following categories of personal data:
2.1. Data provided directly by you:
- Identification and account data: name, email address, phone number (optional), city, county, preferred language.
- Authentication data: password (stored encrypted), Google OAuth data (provider, unique Google identifier — if registering with Google).
- Designer profile data: display name, biography, profile photo, introduction video, years of experience, professional classification, education (institution, graduation year), services offered, languages spoken, design styles, areas of interest, social media URLs (website, Instagram, Facebook, LinkedIn), rates, availability.
- Studio profile data: studio name, team size, specializations.
- Project data (client): property type, area, budget, city, preferred style, project description, uploaded plans and photographs, inspiration images.
- Communication data: messages sent through the platform, attachments (files, images).
- Review data: ratings (quality, communication, value), review text, attached images.
- Guarantee claim data: dispute description, supporting documents.
2.2. Data collected automatically:
- Usage data: platform actions (page views, logins, requests created, offers submitted, messages sent, reviews published).
- Technical data: IP address (for rate limiting and security), browser user agent, device type.
- Session cookies: a technical session cookie (_lumeva_session) essential for platform operation.
2.3. Data from third parties:
- Google OAuth: when registering with Google, we receive the name and email address associated with your Google account.
- Stripe: we receive payment confirmations, Connect account status, and verification requirements (we do not store card data).
- Public sources (unclaimed profiles): for creating unclaimed profiles, we may collect publicly available information (name, professional description, portfolio photographs) from personal websites, professional social networks, and design directories.
3. Purposes and legal basis for processing
We process your personal data for the following purposes, based on the indicated legal bases:
| Purpose | Legal basis (GDPR) |
|---|---|
| Account creation and management | Contract performance (Art. 6(1)(b)) |
| Facilitating communication between Clients and Designers | Contract performance (Art. 6(1)(b)) |
| Processing payments and transfers | Contract performance (Art. 6(1)(b)) |
| Displaying designer profiles in search results | Contract performance (Art. 6(1)(b)) |
| Automatic Client — Designer matching | Legitimate interest (Art. 6(1)(f)) — service improvement |
| Sending transactional notifications (payments, projects, messages) | Contract performance (Art. 6(1)(b)) |
| Sending onboarding and re-engagement emails | Legitimate interest (Art. 6(1)(f)) — user retention |
| Review and rating system | Legitimate interest (Art. 6(1)(f)) — market transparency |
| Fraud prevention and platform security | Legitimate interest (Art. 6(1)(f)) |
| Rate limiting | Legitimate interest (Art. 6(1)(f)) — security |
| Creating unclaimed profiles (Ghost Profiles) | Legitimate interest (Art. 6(1)(f)) — see Section 12 |
| Financial and tax records | Legal obligation (Art. 6(1)(c)) — Tax Code |
| Browser push notifications | Consent (Art. 6(1)(a)) |
| Internal statistics and platform improvement | Legitimate interest (Art. 6(1)(f)) |
When relying on legitimate interest, we have conducted a proportionality assessment to ensure that your rights are not disproportionately affected. You can request details about these assessments by contacting us at contact@lumeva.ro.
4. Data recipients
Your data may be shared with the following categories of recipients:
- Other platform users: designer profiles are publicly visible; messages are visible to conversation participants; reviews are publicly visible after publication.
- Stripe, Inc. (payment processor) — for processing payments, managing Connect accounts, and KYC/AML compliance. Stripe Privacy Policy.
- Amazon Web Services (AWS) — file storage (photos, documents, videos) on S3 servers, EU region (eu-central-1, Frankfurt). AWS Privacy Policy.
- Resend — transactional email delivery service. Resend Privacy Policy.
- Google — exclusively for OAuth authentication (if you use Google sign-up). Google Privacy Policy.
- CDN (Content Delivery Network) — for fast delivery of images and static content.
- Public authorities — where we have a legal obligation or based on a court order.
We have concluded data processing agreements (DPA) pursuant to Art. 28 GDPR with all data processors mentioned above, or they provide adequate data protection safeguards.
We do not sell your personal data to third parties.
5. International data transfers
Some of the services we use may involve transferring data outside the European Economic Area (EEA), particularly to the United States of America (Stripe, Resend).
These transfers are carried out on the basis of the following safeguards:
- EU-U.S. Data Privacy Framework, where applicable;
- Standard Contractual Clauses (SCCs) approved by the European Commission;
- Additional technical measures (encryption in transit and at rest).
Files (photos, documents) are stored on AWS servers in the eu-central-1 (Frankfurt, Germany) region, within the European Economic Area.
6. Data retention
We retain your personal data only for as long as necessary for the purposes for which it was collected:
| Data category | Retention period |
|---|---|
| Account and profile data | Duration of account existence + 3 years after deactivation |
| Messages and conversations | Duration of account existence + 1 year after deactivation |
| Financial data (payments, invoices) | 10 years per Romanian tax legislation |
| Stripe Connect records (designers) | 10 years per AML/KYC requirements |
| Published reviews | Duration of account existence (may be anonymized upon account deletion) |
| Portfolio and images | Duration of account existence; deleted upon deactivation (except images from active projects) |
| Activity logs | 12 months |
| Admin logs | 5 years (internal audit) |
| Unclaimed profile data | Until claimed, removed upon request, or 2 years from creation without claim |
| Push notification data (technical) | Until consent withdrawal or account deactivation |
Upon expiration of the retention period, data is deleted or irreversibly anonymized.
7. Your rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access (Art. 15) — you may request a copy of the personal data we process about you.
- Right to rectification (Art. 16) — you may request correction of inaccurate data or completion of incomplete data. Many data points can be updated directly from your account settings.
- Right to erasure ("right to be forgotten," Art. 17) — you may request deletion of personal data, subject to legal retention obligations (e.g., tax records).
- Right to restriction of processing (Art. 18) — you may request limitation of data processing in certain circumstances.
- Right to data portability (Art. 20) — you may request to receive your data in a structured, commonly used, and machine-readable format.
- Right to object (Art. 21) — you may object to processing based on legitimate interest, including profiling for automatic matching purposes.
- Right not to be subject to automated decisions (Art. 22) — you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects.
- Right to withdraw consent — at any time, for processing based on consent (e.g., push notifications), without affecting the lawfulness of processing prior to withdrawal.
How to exercise your rights: Submit a request to contact@lumeva.ro. We will respond within 30 days of receiving the request. This period may be extended by a maximum of 60 days for complex or numerous requests, with prior notification.
Exercising these rights is free of charge. We reserve the right to charge a reasonable fee for manifestly unfounded or excessive requests.
8. Data security
We implement appropriate technical and organizational measures for the protection of your personal data, including:
- Encryption: communications are protected via TLS/SSL (mandatory HTTPS). Passwords are stored with bcrypt hashing.
- Access control: role-based restricted access for administrative staff, with logging of all actions.
- Attack protection: rate limiting for authentication and sensitive actions, CSRF protection, webhook signature verification, HTTP security headers.
- Account lockout: accounts are automatically locked after 10 failed authentication attempts.
- File verification: uploaded file content type validation through binary signature (magic bytes) verification.
- Secure cookies: HttpOnly, Secure (HTTPS-only in production), SameSite cookies.
- System isolation: the administrative system is completely isolated from the public application.
No security measure is perfect. In the unlikely event of a data security breach, we will notify the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) within 72 hours and affected data subjects without undue delay, in accordance with Articles 33 and 34 of the GDPR.
9. Cookies
The Platform uses a minimal number of cookies necessary for operation:
| Cookie | Purpose | Type | Duration |
|---|---|---|---|
| _lumeva_session | User session, authentication, CSRF protection | Strictly necessary | Browser session |
| remember_user_token | Remember authentication (optional, if you choose "Remember me") | Functional | 14 days |
We do not use marketing, advertising, or third-party tracking cookies. We do not use Google Analytics or other external analytics platforms.
Strictly necessary cookies do not require consent under Art. 5(3) of the ePrivacy Directive (transposed by Romanian Law No. 506/2004, as amended). They are essential for Platform operation and cannot be disabled.
10. Automated decisions and profiling
10.1. Automatic matching. The Platform uses a matching algorithm to suggest relevant Designers for Client design requests. The algorithm considers: location (40%), design style (30%), availability (15%), verification (5%), classification (5%), and rating (5%).
These suggestions are indicative and do not produce legal or similarly significant effects. The Client decides freely based on their own evaluation. Automatic matching can be ignored — the Client can contact any available Designer on the Platform.
10.2. Classification and search ranking. Designer profiles are classified and ordered in search results based on objective criteria (availability, ratings, profile completeness, subscription). These criteria are applied uniformly to all designers.
10.3. We do not make decisions with significant legal effects based solely on automated processing. Decisions regarding accounts (approval, suspension, guarantee claims) are made by Lumeva team members.
11. Children
The Platform is not intended for persons under 18 years of age. We do not knowingly collect personal data from minors. If you discover that a minor has provided personal data on the Platform, please contact us immediately at contact@lumeva.ro, and we will delete that data without delay.
12. Unclaimed profiles (Ghost Profiles)
12.1. Lumeva may create designer profiles based on publicly available information on the internet (professional websites, social networks, design directories). The legal basis is Lumeva's legitimate interest (Art. 6(1)(f) GDPR) to provide a comprehensive view of Romania's interior design market.
12.2. Proportionality assessment:
- Data collected is limited to information already publicly available (name, professional description, public portfolio photographs);
- Unclaimed profiles have limited functionality and are marked as unclaimed;
- Designers are informed by email and can claim or remove the profile at any time;
- The unsubscribe option from invitation emails is respected.
12.3. Your rights regarding unclaimed profiles:
- Claim: take full control through the unique claim link;
- Remove: request profile deletion by emailing contact@lumeva.ro or via the unsubscribe link in the email;
- Rectify: request correction of inaccurate information.
12.4. In accordance with Art. 14 of the GDPR, designers whose data is processed indirectly are informed by email within a reasonable period from profile creation.
13. Changes to this policy
We reserve the right to update this Privacy Policy. Changes will be published on this page with an updated date at the beginning of the document.
For substantial changes, we will send a notification via email or through the Platform at least 30 days before they take effect.
We recommend periodically reviewing this page to stay informed about our data processing practices.
14. Contact and complaints
For any questions regarding personal data processing or to exercise your rights, you can contact us at:
- Email: contact@lumeva.ro
If you believe that the processing of your personal data violates the GDPR, you have the right to lodge a complaint with the supervisory authority:
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
- B-dul G-ral. Gheorghe Magheru nr. 28-30, Sector 1, postal code 010336, Bucharest, Romania
- Email: anspdcp@dataprotection.ro
- Website: www.dataprotection.ro
© Lumeva S.R.L. — All rights reserved. Last updated: March 24, 2026.