Privacy Policy
Last updated: 2026-06-06
Introduction
This Privacy Policy explains how Lumo.Dance handles personal data when dance studios use our software to manage their operations.
We take privacy seriously. Lumo.Dance is built to keep each studio's data isolated and to give you clear control over what's collected.
Who you are contracting with
Depending on where your studio is established, you contract with one of two entities. Both operate the Lumo.Dance platform under common ownership.
If your studio is established in the European Union, your contracting party is:
Onepads SRL
Romanian limited liability company
- CUI: 30948436
- EUID: ROONRC.J12/3174/2012
If your studio is established outside the European Union, your contracting party is:
Seacoders Ltd
UK limited company
- Company number: 14847630
Our Role
Under the EU General Data Protection Regulation (GDPR), each party has a distinct responsibility:
- The dance studio you attend (or your child attends) is the Data Controller — it decides what data to collect and why.
- Lumo.Dance is the Data Processor — we store and process data on the studio's behalf, following their instructions and this policy.
Who Processes Your Data
The data processor responsible for your studio's data depends on where your studio is established. Each entity is supervised by a different data protection authority:
- EU studios: Onepads SRL acts as the Data Processor. The supervisory authority is the Romanian Data Protection Authority (ANSPDCP) — https://www.dataprotection.ro.
- Non-EU studios: Seacoders Ltd acts as the Data Processor. The supervisory authority is the UK Information Commissioner's Office (ICO) — https://ico.org.uk.
You can always lodge a complaint with the supervisory authority in your own country in addition to ours.
What Data We Collect
The data stored depends on what your studio enters. Typically this includes:
- Name and surname
- Email address, phone number, and (if provided) messaging handles (Telegram, WhatsApp)
- For students: date of birth, level, medical notes or accessibility needs, emergency contact — all optional and entered by the studio
- Class enrollments, attendance records, scheduling information
- Invoices, payments, and membership details
- Technical logs required to operate the service (login times, IP address for security, device information for push notifications)
Why We Can Process This Data
GDPR requires a lawful basis for each processing activity. Your studio relies on one of the following:
- Contract: processing needed to deliver the classes and services you signed up for
- Legal obligation: invoice and payment records retained for accounting and tax law (typically 10 years in Romania)
- Consent: for processing minors' data, obtained from a parent or guardian before participation
- Legitimate interest: keeping the service secure and running reliably
Children's Data (Under 16)
Many students are minors. In line with GDPR Article 8, the studio obtains parental consent before recording any personal data about a child under 16. Consent is recorded with the parent's name, date, and the method by which it was given (written, WhatsApp, email, etc.).
A parent or guardian can withdraw consent at any time by contacting the studio. Withdrawal leads to erasure of the child's personal data, except records legally required to be retained (e.g., tax invoices).
Where Data Is Stored
Data is stored on EU-based infrastructure (Neon PostgreSQL, EU region) with encryption at rest and in transit. Backups are retained for up to 30 days. Application hosting runs on Vercel with EU-resident functions where possible.
How Long We Keep Data
Retention depends on the type of data:
- Student and contact records: kept while the student is active, plus a reasonable grace period set by the studio (typically up to 2 years after the last activity).
- Invoices, payments, and financial records: retained for 10 years as required by Romanian accounting law (Law 82/1991).
- Security and activity logs: up to 12 months.
Who We Share Data With
We only share data with service providers strictly required to operate the platform, and only to the minimum necessary extent:
- Vercel (hosting) and Neon (database) — both bound by their own GDPR-compliant data processing terms.
- Inngest for scheduled background jobs (e.g., class reminders, invoice generation).
- Web Push services (Apple, Google, Mozilla) to deliver push notifications — no personal data beyond the endpoint token is sent.
We do not sell or rent personal data. We do not use personal data for advertising.
Your Rights
Under GDPR, you have the following rights regarding your personal data:
- Right of access — request a copy of the data we hold about you.
- Right to rectification — ask the studio to correct inaccurate data.
- Right to erasure — request deletion of your personal data (subject to legal retention obligations).
- Right to restrict processing — ask us to pause processing in certain circumstances.
- Right to data portability — receive your data in a machine-readable format.
- Right to object — object to processing based on legitimate interest.
- Right to lodge a complaint — contact the supervisory authority in your country (in Romania: ANSPDCP, www.dataprotection.ro).
To exercise any of these rights, contact your studio first (the Data Controller) or email us directly using the contact details below.
Security
We protect data through multi-tenant isolation at the database layer, role-based access control, encrypted connections (HTTPS), password hashing, and short-lived authentication tokens. If a data breach occurs that is likely to result in a risk to your rights, we will notify the supervisory authority and affected users without undue delay, in line with GDPR Articles 33 and 34.
Changes to This Policy
We may update this policy from time to time. Material changes will be communicated to studios, who are responsible for informing their members. The "Last updated" date at the top of this page always reflects the most recent version.
Contact
For any questions about how Lumo handles personal data, you can reach us at:
legal@lumo.dance