Effective Date: 23.03.2026
At Lumolino, the well-being and privacy of children who use our products and services are our top priority. The Lumolino App is designed for offline use. To the best of our current knowledge, in the context of the App's pure offline operation, no personal data is collected, processed, or transmitted by us. When you visit our website, we automatically collect certain technical data from your device and connection to ensure the functionality and security of our online services. This data is considered personal data under the General Data Protection Regulation (GDPR). We want to emphasize that we do not use this data for advertising, tracking, or profiling purposes. We generally do not collect directly identifiable personal data from children, unless you, as a parent or legal guardian, voluntarily decide to provide it to us.
We strive to provide you with comprehensive information about the processing of your data and to enable you to exercise your legal rights
The Controller responsible for data processing is:
Lumolino GbR
c/o IP-Management #5503
Ludwig-Erhard-Str. 18
20459 Hamburg, Germany
We process some of your personal data based on the following legal grounds:
Consent (Art. 6(1)(a) GDPR): If you have given us your explicit consent to process your personal data for one or more specific purposes.
Performance of a Contract and Pre-contractual Measures (Art. 6(1)(b) GDPR): If the processing is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into a contract.
Compliance with a Legal Obligation (Art. 6(1)(c) GDPR): If the processing is necessary for compliance with a legal obligation to which we are subject, for example, to comply with tax obligations.
Protection of Legitimate Interests (Art. 6(1)(f) GDPR): If the processing is necessary for the purposes of our legitimate interests or those of a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data.
As a general rule, we only store personal data for as long as is necessary to fulfill the respective processing purposes.
Data that must be retained due to legal retention obligations (e.g., from the German Commercial Code or Tax Code) will be stored for the prescribed periods. In such cases, the processing of the data will be restricted.
Data required to be retained due to legal obligations (e.g., commercial or tax law) will be stored for the legally mandated period. During this time, data processing is restricted.
Data whose storage is necessary for the preservation of evidence within the framework of statutory limitation periods will be stored for the prescribed periods.
The transfer of personal data to recipients in third countries (outside the European Union or the European Economic Area) or to international organizations is only permissible if the conditions set out in the GDPR are met, to ensure that the level of protection for natural persons guaranteed throughout the Union is not undermined.
This can be based on an adequacy decision by the European Commission (pursuant to Art. 45 GDPR), which confirms that the third country in question provides an adequate level of data protection. The EU-U.S. Data Privacy Framework (DPF) is one such agreement recognized by the EU Commission as a secure legal framework for data transfers to the USA.
In the absence of such an adequacy decision, the transfer is based on appropriate safeguards (pursuant to Art. 46 GDPR), such as Standard Contractual Clauses (SCCs) issued by the Commission or approved by a supervisory authority, or Binding Corporate Rules (BCRs). These provide an additional layer of protection.
In individual cases, data transfers to third countries may also be based on your explicit consent (pursuant to Art. 49(1)(a) GDPR), after you have been informed of the possible risks of such a transfer without an adequacy decision or appropriate safeguards.
As a data subject, you have comprehensive rights under the General Data Protection Regulation regarding the processing of your personal data. We facilitate the exercise of these rights. You have the following rights:
Right of Access (Art. 15 GDPR): You have the right to obtain confirmation from us as to whether or not personal data concerning you is being processed. If that is the case, you have a right to access this data and further information, such as the purposes of the processing, the categories of data concerned, the recipients (especially in third countries), the planned duration of storage or the criteria used to determine that period, the origin of the data (if not collected from you), and the existence of automated decision-making, including profiling.
Right to Rectification (Art. 16 GDPR): You have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you also have the right to have incomplete data completed.
Right to Erasure (Art. 17 GDPR): You have the right to request the immediate erasure of personal data concerning you, provided one of the grounds listed in Art. 17(1) GDPR applies (e.g., the data is no longer necessary for the purposes for which it was collected; you withdraw your consent; you object to the processing; the processing was unlawful). If we have made the data public and are obliged to erase it, we will take reasonable steps to inform other controllers of your erasure request.
Right to Restriction of Processing (Art. 18 GDPR): You have the right to request the restriction of the processing of your personal data if one of the conditions in Art. 18(1) GDPR is met (e.g., the accuracy of the data is contested; the processing is unlawful).
Right to Data Portability (Art. 20 GDPR): You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format and have the right to transmit those data to another controller without hindrance from us, where the processing is based on consent or a contract and is carried out by automated means. This right does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
Right to Object (Art. 21 GDPR): You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on Art. 6(1)(e) (public interest) or (f) (legitimate interest) of the GDPR. In the event of an objection, we will no longer process the data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or the processing serves the establishment, exercise, or defense of legal claims.
Right to Withdraw Consent (Art. 7(3) GDPR): You have the right to withdraw your data protection consent declaration at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
Right to Lodge a Complaint with a Supervisory Authority (Art. 77 GDPR): Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR.
To exercise your rights, please contact us at:
info [at] lumolino.com
The exercise of your rights is free of charge for you.
We are responsible for the services available through our app Lumolino (hereinafter: "App"). The App is designed for offline use. To the best of our current knowledge, in the context of the App's pure offline operation, no personal data is collected or processed by us. Below, we provide detailed information about the relevant circumstances.
No user registration or provision of a personal identifier is required to use the App. The App is designed for offline use and, to the best of our current knowledge, does not establish any connection to externally operated servers or technical infrastructure operated by us. Content is stored locally on your device. To the best of our current knowledge, in the context of the App's pure offline operation, no personal data — including technical data such as IP addresses, device information, or connection metadata — is collected, processed, or transmitted by us.
If you actively open external links within the App (e.g., to Privacy Policy, Legal Notice, Terms of Use, or email contact), the respective content is loaded via the browser or corresponding app on your device. Where this involves our own websites, the information on website-related data processing in section 3 of this privacy policy applies. Where third-party services are used (e.g., app stores or email/browser services), data processing is carried out under the data protection responsibility of the respective providers.
To the extent that no personal data is processed within this offline operation, Art. 6 GDPR is not applicable in this respect.
To the best of our current knowledge, no personal data is transmitted to external servers or infrastructure in the context of the App's pure offline operation. Accordingly, we do not engage any data processors for the App's offline operation in this respect.
To the best of our current knowledge, in the context of the App's pure offline operation, no personal data is collected or transmitted by us. Accordingly, in this respect, there are no recipients — whether third parties or contracted data processors — of personal data in connection with the App's operation.
The content of the App is suitable for children. The App is primarily designed for use by parents and legal guardians. To the best of our current knowledge, in the context of the App's pure offline operation, no personal data — including technical data such as IP addresses or device information — is collected from users by us, regardless of age. We therefore do not engage in profiling of children or directed advertising through the App. Should we become aware that personal data of children has been collected without corresponding parental consent, we will delete this data immediately.
When downloading the App via the Apple App Store or the Google Play Store, the respective providers may process technical and personal data (e.g., account data, payment information, device characteristics). We have no influence on this data processing. The respective privacy policies of the store operators apply.
We are responsible for our website www.lumolino.com and its subpages (hereinafter: "Website"). By using our Website, personal data is processed. Below, we provide detailed information about the data processing that takes place.
This website is hosted externally. The personal data collected on this website is stored on the servers of the host(s). This may include, in particular, IP addresses, contact requests, meta and communication data, contract data, contact details, names, website access, and other data generated via a website. When you visit our website, we automatically collect data and information from your end device (so-called log files).
The website is hosted on Cloudflare Pages and uses the Cloudflare Content Delivery Network (CDN) from Cloudflare, Inc., 101 Townsend St., San Francisco, CA 94107, USA (hereinafter "Cloudflare"). Cloudflare offers a globally distributed Content Delivery Network (CDN) that directs the transfer of information between your browser and our website and analyzes traffic to fend off potentially malicious traffic. Cloudflare may use cookies or similar technologies for the recognition of internet users, which are, however, used solely for this purpose.
The use of Cloudflare is based on our legitimate interest in providing our web services as flawlessly and securely as possible. The data transfer is based on the Standard Contractual Clauses of the EU Commission, and the company is certified under the EU-US Data Privacy Framework (DPF). We have concluded a Data Processing Agreement (DPA) with Cloudflare, which ensures that personal data of our website visitors is processed only according to our instructions and in compliance with the GDPR.
This website does not collect directly identifying profile data such as account registration data. In addition, we currently do not use external analytics software. However, each time the website is accessed, a series of general technical data and information is collected and stored in the server's log files. This can include:
Your IP address.
Name and URL of the retrieved file.
Date and time of the request.
Amount of data transferred.
Notification of successful retrieval (HTTP response code).
Browser type and browser version.
Operating system.
Referrer URL (i.e., the previously visited page).
Websites that are accessed by the user's system via our website.
The user's internet service provider.
The respective time zone.
This log data is usually stored in the server log files and then deleted or anonymized. Data whose further retention is required for evidentiary purposes in the event of attacks on the server infrastructure or other legal violations is excluded from deletion until the respective incident has been finally clarified.
The collection of this data serves to correctly deliver the content of our website, to ensure the long-term functionality of our information technology systems and the technology of our website, as well as to increase security and optimize our website. This includes the analysis of user behavior and the prevention of abusive automated spying and SPAM.
The legal basis for the processing of this data is our legitimate interest according to Art. 6(1)(f) GDPR. Our legitimate interest lies in the secure, stable, functional, and efficient provision of our online services.
You can contact us via email. We would like to point out that data transmission over the Internet (e.g., when communicating by email) can have security vulnerabilities. A complete protection of data from access by third parties is not possible.
In addition to your email address, we process the personal data that you provide to us within the email communication (e.g., your name and the content of your message).
The personal data is processed exclusively for the purpose of handling the request and in case of follow-up questions.
If the communication aims at concluding a contract, the legal basis for the processing is Art. 6(1)(b) GDPR.
In all other cases, Art. 6(1)(f) GDPR is the legal basis. Your interest does not override our interest in answering your inquiry; since you are writing to us, a response is also in your interest, and you are aware that we must process your personal data to answer your inquiry.
The data you send us in contact requests will remain with us until the purpose for data storage no longer applies (e.g., after your request has been fully processed) or you request us to delete it. Mandatory legal provisions, especially commercial or tax retention periods, remain unaffected.
This privacy policy will be adapted if technical or legal changes occur. The current version will be published on our website.