Privacy Policy
Luméro values your privacy and handles personal data with care. This statement explains which data Luméro processes, for what purpose and on what legal basis, how long it is retained, and what rights you have.
1. Who is responsible
Luméro is the data controller for the processing of personal data described in this statement.
Luméro (Menno Verheij)
CoC: 99056011
Email: privacy@lumero.nl
Luméro is not legally required to appoint a Data Protection Officer (DPO) and has not done so. For all privacy questions you can use the email address above.
2. What data does Luméro process?
Luméro processes exclusively business contact details of (potential) clients and individuals who make contact via the form or email. This includes:
- Name and (if applicable) company name and position
- Business email address and potentially phone number
- Invoice and payment details (for assignments)
- The content of your message or assignment description
Luméro does not process special personal data such as date of birth, SSN, or medical data.
3. Purposes, legal grounds and retention periods
Luméro uses your data only for clear, necessary purposes. Where processing is based on a legitimate interest (GDPR art. 6(1)(f)), that interest is named below.
| Processing activity | Category of data subject | Purpose | Legal basis (GDPR art. 6) | Personal data | Retention period |
|---|---|---|---|---|---|
| Quote and assignment handling | Client, private client, contact person of a business client | Quotes, assignments, project administration | 6(1)(f) legitimate interest: contacting business contacts to carry out assignments. 6(1)(b) where the data subject is the contracting party. 6(1)(c) tax administration | Name and address, contact details, job title, project data, invoice data | Invoice data 7 years. Project data for as long as needed for performance, warranty, liability and disputes |
| Supplier administration | Supplier, subcontractor, contact person | Procurement, payment, invoicing | 6(1)(f) legitimate interest: business operations and procurement. 6(1)(b) where the data subject is the supplier. 6(1)(c) tax administration | Name and address, contact details, job title, bank account, Chamber of Commerce number, VAT number | 7 years for tax administration |
| Client and project communication | Client, supplier, prospect, contact person | Communication, record-keeping, project delivery | 6(1)(f) legitimate interest: business operations and project communication. 6(1)(b) where the data subject is the contracting party | Name, contact details, message content, channel, project reference | Duration of the project plus up to 7 years, or longer in case of a dispute |
| Correspondence and contact requests | Prospect, website visitor who makes contact, business relation | Answering questions via the form or email, follow-up and relationship management without an active assignment | 6(1)(f) legitimate interest: communication and relationship management | Name, contact details, message content, channel | Up to 24 months after last contact, unless an ongoing relationship arises or you request deletion earlier |
| Newsletter | Subscriber | Sending the newsletter and measuring effectiveness | 6(1)(a) consent | Name, email address, preferences, click behaviour if permitted | Until unsubscribe. Limited evidence data kept longer if necessary |
| Complaint handling | Client, supplier, third party | Handling and recording complaints | 6(1)(f) legitimate interest: complaint handling and legal position | Name, contact details, complaint content, correspondence | 2 years after resolution, longer in case of a dispute |
| Job applications | Applicant | Recruitment and selection | 6(1)(b) pre-contractual steps. 6(1)(a) for longer retention | CV, cover letter, contact details, correspondence | 4 weeks after the procedure. Up to 1 year with consent |
| Security reports (CVD) | Reporter of a vulnerability (security researcher) | Assessing and remediating reported vulnerabilities and coordinating disclosure | 6(1)(f) legitimate interest: securing our systems | Name (if provided), contact details, content of the report | 12 months after closure, longer in case of a dispute |
| Client references on the website | Client, contact person | Publishing a reference or testimonial | 6(1)(a) consent | Name, job title, company name, photo, quote | Until consent is withdrawn |
4. Cookies and tracking (privacy by design)
This website is designed with privacy as a starting point. Luméro does not use cookies, tracking pixels, or software to track your individual behaviour, and does not apply profiling.
Luméro does use cookieless, aggregated visitor statistics hosted in the EU. These statistics cannot be traced to individuals and store nothing on your device. Because nothing is technically stored on your device, you will not see a cookie banner here. Your visit remains anonymous.
5. Automated decision-making
Luméro does not use automated decision-making or profiling with legal or similarly significant effects for data subjects (GDPR art. 22).
6. Security
Luméro takes appropriate technical and organizational measures to secure personal data. Access is limited to Luméro and, where strictly necessary, to processors who support Luméro (such as accounting or hosting/email).
7. Sharing with third parties
Luméro does not sell personal data. Data is only shared with third parties if necessary for Luméro's services or administration (e.g., accounting, hosting, email). Luméro concludes data processing agreements with these parties where necessary.
8. Processing and transfers outside the EEA
Luméro aims to process personal data within the European Economic Area (EEA). However, for hosting this website and for email, Luméro uses providers that are part of US companies. This may involve transfer to, or access from, the United States:
- Web hosting: Netlify (United States). The website is static; no contact details or form content are structurally stored via the hosting.
- Email: Microsoft 365, with storage (tenant) in the European Union. Administration or support may, in some cases, take place from the United States.
For these transfers Luméro relies on the EU-US Data Privacy Framework (DPF), under which both Netlify and Microsoft are certified, supplemented by the European Commission's Standard Contractual Clauses as a safeguard. This ensures an adequate level of protection.
9. Your rights
You have the right to access, rectification, deletion, restriction of processing, data portability, and objection.
Where processing is based on your consent (such as the newsletter, client references, or longer retention of a job application), you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing prior to the withdrawal.
Do you want to exercise one of these rights or do you have questions? Contact us at privacy@lumero.nl.
You also have the right to lodge a complaint with the Dutch supervisory authority, the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).
10. Contact
Luméro
Menno Verheij
CoC: 99056011
Email: privacy@lumero.nl
11. Changes
This privacy statement may be changed when necessary. The most recent version can always be found on this page. For significant changes, Luméro states the date of the last update at the top of this statement.
Last updated: June 2026
