Privacy Policy
Last updated: June 10, 2026
LumaLip Beauty ("we," "us," or "our") respects your privacy and is committed to protecting the personal data you share with us. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit lumalipbeauty.com (the "Site"), place an order, subscribe to our newsletter, or otherwise interact with us.
This policy applies to all visitors, users, and customers worldwide, including residents of the European Economic Area (EEA), the United Kingdom, and the State of California. We comply with the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), and all other applicable data protection laws.
1. Information We Collect
1.1 Information You Provide Directly
- Account & Order Information: name, email address, phone number, billing and shipping address, and order history when you create an account or place an order.
- Payment Information: payment card details are collected and processed exclusively by our PCI DSS Level 1 certified payment processor, Stripe. We never store, access, or transmit your full card number.
- Communications: any information you include in messages sent through our contact form, live chat, or email correspondence.
- Reviews & User Content: product reviews, ratings, and any other content you voluntarily submit.
- Newsletter & Marketing: your email address when you subscribe to our newsletter or opt in to marketing communications.
- Quiz Responses: answers provided through our AI Shade Guide Quiz, used solely to generate product recommendations.
1.2 Information Collected Automatically
- Device & Browser Data: IP address, browser type and version, operating system, device identifiers, screen resolution, and language preferences.
- Usage Data: pages viewed, links clicked, time spent on pages, referring/exit URLs, and timestamps.
- Cookies & Tracking Technologies: we use cookies, pixel tags, and similar technologies. See Section 7 below for full details.
1.3 Information From Third Parties
We may receive data from analytics providers (e.g., Google Analytics), advertising networks, and social media platforms when you interact with our ads or content on those platforms.
2. How We Use Your Information
We process your personal data for the following purposes:
- Fulfilling and managing orders, payments, shipping, and returns.
- Creating and maintaining your customer account.
- Providing customer support and responding to inquiries.
- Sending transactional emails (order confirmation, shipping updates).
- Sending marketing and promotional communications only with your explicit opt-in consent.
- Personalizing your shopping experience and product recommendations.
- Operating and improving the Site, including analytics and performance monitoring.
- Preventing fraud, detecting security incidents, and protecting against malicious activity.
- Complying with legal obligations and enforcing our terms.
3. Legal Bases for Processing (GDPR / UK GDPR)
If you are located in the EEA or the United Kingdom, we rely on the following legal bases under the GDPR:
- Performance of a Contract: processing necessary to fulfill your orders and provide requested services (Art. 6(1)(b)).
- Consent: when you opt in to marketing emails, non-essential cookies, or our shade-matching quiz (Art. 6(1)(a)). You may withdraw consent at any time.
- Legitimate Interests: improving our products and services, website analytics, and fraud prevention, where these interests are not overridden by your rights (Art. 6(1)(f)).
- Legal Obligation: complying with applicable tax, accounting, and regulatory requirements (Art. 6(1)(c)).
4. Data Sharing & Disclosure
We do not sell your personal information. We may share data with the following categories of recipients, strictly on a need-to-know basis and under binding contractual obligations:
- Payment Processors: Stripe, for secure transaction processing.
- Shipping & Logistics Providers: to deliver your orders.
- Email & SMS Service Providers: for transactional and marketing communications.
- Analytics & Advertising Partners: Google Analytics, Meta, and TikTok, for aggregated site analytics and advertising measurement.
- AI Service Providers: to power our customer support chatbot and shade quiz (no personally identifiable data is retained by these providers beyond the session).
- Legal Authorities: when required by law, regulation, or valid legal process.
All third-party service providers are required to protect your data in accordance with applicable law. Where data is transferred outside the EEA/UK, we ensure adequate safeguards are in place (e.g., Standard Contractual Clauses).
5. Data Retention
We retain your personal data only as long as necessary for the purposes described in this policy:
- Order & transaction records: 7 years, as required by tax and accounting regulations.
- Customer accounts: until you request deletion or the account has been inactive for 3 years.
- Marketing data: until you unsubscribe or withdraw consent.
- Contact form submissions: 2 years from the date of inquiry.
- Analytics & cookie data: up to 26 months (Google Analytics default).
6. Payment Security
All payment information is processed by Stripe, a PCI DSS Level 1 certified payment processor. We do not store, process, or have access to your full credit card number, expiration date, or CVV. Stripe's privacy policy is available at stripe.com/privacy.
7. Cookies & Tracking Technologies
We use the following categories of cookies:
| Category | Purpose | Consent Required |
|---|---|---|
| Strictly Necessary | Session management, shopping cart, security, authentication | No |
| Functional | Remembering preferences, language, and region | Yes |
| Analytics | Google Analytics (GA4) — aggregated usage data and site performance | Yes |
| Advertising | Meta Pixel, TikTok Pixel — ad measurement and retargeting | Yes |
You can manage your cookie preferences at any time through your browser settings. Disabling non-essential cookies will not affect core Site functionality.
8. Your Rights Under the GDPR / UK GDPR
If you are in the EEA or the United Kingdom, you have the following rights:
- Right of Access (Art. 15): request a copy of the personal data we hold about you.
- Right to Rectification (Art. 16): request correction of inaccurate or incomplete data.
- Right to Erasure (Art. 17): request deletion of your personal data ("right to be forgotten").
- Right to Restriction (Art. 18): request that we limit how we process your data.
- Right to Data Portability (Art. 20): receive your data in a structured, machine-readable format.
- Right to Object (Art. 21): object to processing based on legitimate interests or direct marketing.
- Right to Withdraw Consent: withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing.
- Right to Lodge a Complaint: file a complaint with your local Data Protection Authority (e.g., the ICO in the UK, the CNIL in France).
To exercise any of these rights, please contact us using the details in Section 12 below. We will respond within 30 days (or one calendar month under GDPR).
9. Your Rights Under the CCPA / CPRA (California Residents)
If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, "CCPA"), provides you with the following specific rights:
- Right to Know: you may request, up to twice in a 12-month period, that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share it.
- Right to Delete: you may request deletion of your personal information, subject to certain exceptions (e.g., completing a transaction, legal compliance).
- Right to Correct: you may request that we correct inaccurate personal information.
- Right to Opt-Out of Sale/Sharing: we do not sell or share (as defined under the CCPA) your personal information for cross-context behavioral advertising. Therefore, there is no need to opt out; however, if this practice changes, we will provide a "Do Not Sell or Share My Personal Information" link on our Site.
- Right to Limit Use of Sensitive Personal Information: we do not use or disclose sensitive personal information for purposes beyond what is necessary to provide our services.
- Right to Non-Discrimination: we will not discriminate against you for exercising any of your CCPA rights. You will not receive different pricing, quality, or service levels.
Categories of Personal Information Collected (Last 12 Months)
| Category | Examples | Sold/Shared |
|---|---|---|
| Identifiers | Name, email, shipping address, IP address | No |
| Commercial Information | Purchase history, products viewed, shopping cart contents | No |
| Internet / Network Activity | Browsing history on our Site, search queries, interaction data | No |
| Geolocation Data | Approximate location derived from IP address | No |
| Inferences | Product preferences, shade preferences from quiz | No |
To submit a verifiable consumer request, please contact us using the details in Section 12. We may need to verify your identity before processing your request. You may also designate an authorized agent to make a request on your behalf.
10. International Data Transfers
Your personal data may be transferred to and processed in countries outside your country of residence, including the United States. Where such transfers occur, we ensure adequate protection through:
- EU-US Data Privacy Framework (where applicable).
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Binding corporate rules or other approved transfer mechanisms.
11. Children's Privacy
Our Site is not intended for individuals under the age of 16 (or 13 in the United States, per COPPA). We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us immediately, and we will promptly delete it.
12. Contact Us
If you have questions about this Privacy Policy or wish to exercise any of your data rights, please contact us:
- 📧 Email: [email protected]
- 📬 Contact Form: lumalipbeauty.com/contact
For GDPR-related inquiries, you may also contact our Data Protection contact at the email above. We aim to respond to all legitimate requests within 30 days.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify you by posting the updated policy on this page with a revised "Last updated" date and, where required by law, by email. We encourage you to review this page periodically.