Privacy Policy & Data Protection Notice

This Privacy Policy explains how Storytime Online Inc., doing business as Luma Library, collects, uses, discloses, stores, and otherwise processes personal data through the Luma Library website and related digital services. Privacy notices should clearly explain the controller’s identity and contact details, purposes, legal bases, recipients, retention, and rights, and they should be concise, transparent, intelligible, and easy to access.

Who is responsible for your data

The data controller for Luma Library is Storytime Online Inc., doing business as Luma Library. Under GDPR-style transparency rules, individuals should be told the identity and contact details of the controller and, where applicable, the controller’s representative.


Controller: Storytime Online Inc. d/b/a Luma Library
Location:
Wilmington, Delaware, United States
Privacy contact:
privacy@lumalibrary.com


Luma Library uses the privacy email above as its main public contact channel for privacy questions and rights requests. A privacy notice should tell people how to contact the organization and how to exercise their rights.

Scope

This Privacy Policy applies to personal data collected through the Luma Library website, account registration flows, subscription and purchase flows, customer support communications, newsletters, analytics tools, and related online services. Organizations must make privacy information accurate, complete, and easily accessible to the people whose information they collect.

Personal data collected

Depending on how the service is used, Luma Library may collect the following categories of personal data:

  • Name, display name, username, and account identifier.
  • Email address and other contact details provided by the user.
  • Account details, subscription status, login activity, saved preferences, and content selections.
  • Transaction details, billing records, refunds, and payment status.
  • Limited payment-related information supplied by payment providers, such as tokenized payment references, card type, and billing country or postcode; full card numbers should generally be handled by payment processors rather than stored directly by the website.
  • Reading, browsing, search, and usage information, such as titles viewed, time spent, downloads, bookmarks, and other engagement data needed to operate and improve the service.
  • Device, browser, IP address, language, cookie identifiers, and similar technical information collected automatically when the website is used.
  • Messages sent to customer support or privacy@lumalibrary.com, including attachments and follow-up correspondence.
  • Marketing preferences, newsletter sign-up status, campaign interactions, and unsubscribe status.
  • Security and anti-fraud information, such as access logs, abuse indicators, and activity associated with account protection.

Luma Library does not intend to collect more personal data than is reasonably necessary for the purposes described in this notice. GDPR transparency guidance focuses on explaining what is collected and why it is used.

How personal data is collected

Luma Library may collect personal data directly from users when they create an account, sign up for emails, make a purchase, contact support, submit information through forms, or otherwise interact with the service. Privacy notices should explain whether information comes directly from the individual or from other sources.

Luma Library may also collect information automatically through cookies, similar technologies, server logs, and analytics tools when users browse or interact with the website. In some cases, information may also come from service providers such as payment processors, fraud-prevention vendors, login providers, or analytics partners.

Why personal data is used

Luma Library uses personal data for the following purposes:

  • To create and manage user accounts.
  • To provide access to content, subscriptions, purchases, and website features.
  • To process payments, refunds, bookkeeping, and tax-related records.
  • To respond to support requests, complaints, and privacy inquiries.
  • To send service messages, such as account, security, billing, and transactional communications.
  • To send newsletters or marketing messages where permitted by law and, where required, with consent.
  • To analyze website use, improve performance, troubleshoot issues, and develop features.
  • To protect the service, users, and the business against fraud, abuse, unauthorized access, and other harmful activity.
  • To comply with legal obligations and enforce terms, policies, and legal rights.

Legal bases for processing

Where GDPR or UK GDPR applies, Luma Library relies on one or more of the following legal bases, depending on the context:

  • Contract: processing needed to create accounts, provide subscriptions, deliver paid or requested services, process payments, and respond to service-related requests.
  • Legitimate interests: processing needed to operate, secure, improve, and administer the website and services, prevent fraud, understand how the service is used, and manage ordinary business operations, provided these interests are not overridden by users’ rights and freedoms.
  • Consent: processing based on consent where required, including certain email marketing and certain non-essential cookies or similar technologies.
  • Legal obligation: processing needed to comply with tax, accounting, regulatory, law-enforcement, and other legal requirements.

Where consent is used, it can be withdrawn at any time, but withdrawal does not affect processing already carried out before that withdrawal. Privacy notices should tell individuals the legal basis for processing and their right to withdraw consent where consent is used.

Cookies and similar technologies

Luma Library uses cookies and similar technologies to operate the website, remember settings, keep users signed in where relevant, understand traffic and usage, improve performance, and support security and analytics. UK GDPR guidance requires privacy information to explain the purposes for processing, and cookie-related processing often also requires a separate, clear notice.

Where required by applicable law, non-essential cookies and similar technologies should only be used after valid consent is obtained. Users can also control certain cookie settings through their browser or consent tools made available on the site.

Marketing

Luma Library may send newsletters, updates, recommendations, or promotional messages to users who sign up or where such communication is otherwise permitted by law. Users can unsubscribe from marketing emails at any time by using the unsubscribe link in the email or by contacting privacy@lumalibrary.com. Even where a user opts out of marketing, Luma Library may still send non-marketing communications relating to accounts, subscriptions, payments, security, or service changes. ICO-style privacy notices commonly distinguish between service communications and marketing communications.

Who personal data is shared with

Luma Library may share personal data with the following categories of recipients when reasonably necessary:

  • Hosting, cloud storage, infrastructure, and content delivery providers.
  • Payment processors, billing providers, and financial service providers.
  • Analytics, performance monitoring, and error-tracking providers.
  • Email delivery, customer support, and communication service providers.
  • Security, fraud-prevention, and account-protection vendors.
  • Professional advisers such as auditors, lawyers, insurers, and accountants where necessary.
  • Courts, regulators, law enforcement, or public authorities when disclosure is legally required or lawfully requested.
  • Buyers, investors, affiliates, or successor entities as part of a merger, acquisition, financing, reorganization, or sale of assets, subject to appropriate safeguards.

Privacy notices should identify recipients or categories of recipients so individuals understand who may receive their personal data.

International transfers

Luma Library is based in the United States and may process or store personal data in the United States and other countries where its service providers operate. GDPR-style privacy notices should explain transfers to third countries and the safeguards used where applicable. Where personal data protected by the GDPR or UK GDPR is transferred internationally, Luma Library intends to rely on an appropriate lawful transfer mechanism where required, such as an adequacy decision, Standard Contractual Clauses, the UK addendum, or another recognized safeguard. Information about relevant safeguards may be requested by emailing privacy@lumalibrary.com.

Data retention

Luma Library keeps personal data only for as long as reasonably necessary for the purposes described in this Privacy Policy, including to provide the service, maintain business and financial records, resolve disputes, enforce agreements, and comply with legal obligations. Privacy notices should state retention periods or the criteria used to determine them.

As a general retention approach:

  • Account information is kept while the account remains active and for a reasonable period afterward in case of reactivation, disputes, fraud prevention, or compliance needs.
  • Transaction and billing records may be kept for up to seven years where needed for accounting, tax, audit, chargeback, and legal compliance purposes.
  • Support communications may be kept for up to three years after resolution for quality, training, security, and dispute-handling purposes.
  • Marketing suppression records may be kept as long as necessary to honor opt-out requests and prevent unwanted future messages.
  • Technical logs, analytics data, and security records may be kept for shorter periods, typically from a few days up to twenty-four months, depending on operational need, security risk, and legal requirements.

When data is no longer needed, Luma Library will delete it, de-identify it, or retain it only in a form permitted by law. Clear retention explanations help individuals understand how long their information remains in use.

Data protection rights

Depending on the user’s location and applicable law, users may have the right to:

  • Ask for access to their personal data.
  • Ask for correction of inaccurate or incomplete personal data.
  • Ask for deletion of personal data in some circumstances.
  • Ask for restriction of processing in some circumstances.
  • Object to processing based on legitimate interests, including direct marketing.
  • Ask for portability of certain personal data.
  • Withdraw consent where processing is based on consent.
  • Lodge a complaint with a competent supervisory authority or regulator.

To exercise these rights, users may contact privacy@lumalibrary.com. Luma Library may request information needed to verify identity before responding to a request.

Complaints

If a user has concerns about how Luma Library uses personal data, the user should first contact privacy@lumalibrary.com. UK regulatory guidance also notes that individuals may complain to the ICO if they remain unhappy after raising the issue with the organization.

For UK users, complaints may be made to the Information Commissioner’s Office using the ICO complaint page at ico.org.uk/make-a-complaint. Users in the EEA may also have the right to complain to the data protection authority in their country of habitual residence, place of work, or place of the alleged infringement.

Children’s privacy

Luma Library does not knowingly collect personal data from children in violation of applicable law. Regulatory guidance says privacy information for services used by children should be especially clear, accessible, and age-appropriate. If a parent or guardian believes a child has provided personal data unlawfully, they should contact privacy@lumalibrary.com.

Automated decision-making

Luma Library does not currently describe any decision-making based solely on automated processing that produces legal or similarly significant effects. Privacy guidance requires such processing to be disclosed in meaningful terms if it exists. If that changes, this Privacy Policy will be updated to explain the logic involved, the significance of the processing, and the likely consequences for affected individuals.

Security

Luma Library uses reasonable technical and organizational measures designed to protect personal data against unauthorized access, loss, misuse, alteration, or disclosure. Privacy notices should explain processing clearly, but they should not overpromise absolute protection. These measures may include access controls, encryption in transit, monitoring, backups, vendor diligence, and incident-management procedures. No website or internet transmission can be guaranteed to be completely secure.

Third-party services and links

The Luma Library website may include links to third-party websites, content, plug-ins, or services. Those third parties have their own terms and privacy practices, and this Privacy Policy does not cover them. Users should review the privacy notices of third-party services they use. Clear notices help individuals understand when another organization is responsible for their information.

Changes to this Privacy Policy

Luma Library may update this Privacy Policy from time to time to reflect changes in legal requirements, technology, vendors, or business practices. Privacy information should stay accurate and complete as processing changes over time. When changes are material, Luma Library may provide additional notice on the website, by email, or through the service where required by law. The “Last updated” date at the top of this page shows when this version took effect.

Contact

For privacy questions, complaints, or data rights requests, contact:

Storytime Online Inc. d/b/a Luma Library
Wilmington, Delaware, United States

privacy@lumalibrary.com