1
Preamble
Are you tired of not knowing how companies use your personal data that you provide through their websites or when you choose to fill out a contact form or subscribe to their newsletter?
Do you want to know exactly how our company will use your personal data, right?
Read this document to find out how our company will use your personal data, and you will get comprehensive information about how we will collect, use, and disseminate your personal data.
Dear user / future collaborator, a key benefit of reading this document is that you will be able to understand how your personal data will be used, feel more confident in sharing your personal data, decide on your own judgment whether to share your personal data with us, and have a higher level of trust regarding the transmission of your personal data because you know how it will be used.
Our role is to create a relationship based on transparency and mutual trust with you. We want you to understand every aspect of how we will use your personal data. We will provide simple, concise, and precise information using simple and easy-to-understand language about how your personal data will be collected, used and disseminated.
The one most important thing you need to know is that we are obligated to provide you with information about how we will collect, use, and disseminate your personal data. We have made every effort and analyzed to ensure the information we provide complies with transparency requirements as set forth in Articles 12-14 of the GDPR.§
We have put ourselves in your shoes and realized that you need to understand as clearly as possible how your personal data will be used so that you feel safe on our website and confident that your personal data will be properly protected.
STARTING TODAY, you know how our company will use your personal data and you can decide whether it is appropriate for you to share this information with us.
Through this document, we intend to give you information about the purposes and means of processing personal data. We also want to demonstrate that we are responsible and fulfill the obligations that fall on us under the GDPR as a personal data operator.
In addition to complying with the General Data Protection Regulation (GDPR), this policy also adheres to the provisions of Federal Law No. 45 of 2021 concering the Protection of Personal Data in the United Arab Emirates (PDPL), ensuring compliance with the local requirements of the UAE jurisdiction.
This privacy policy is designed to demonstrate our compliance with transparency requirements and to communicate as efficiently and transparently as possible with all our users. We have made a firm commitment to provide the most transparent information to all our users regarding how their personal data will be collected, used, and disseminated.
The most important thing to know is that through this document we will inform you about the most important aspects concerning how we will use your personal data. If you want to know how our website uses cookies, we invite you to access our cookie usage policy by clicking the floating Cookie Icon in the bottom right corner of the website.
2
Definition of Terms Used in the Policy
We know that sometimes in this policy we use technical or legal terms specific to personal data protection. We have put ourselves in your shoes and designed this document for you... Thus, through this chapter, we intend to provide explanations of each legal term specific to personal data protection used in this document.
According to guidelines adopted over time by the European Data Protection Board and the Article 29 Working Party, we have an obligation to ensure that information about personal data protection is understood by ordinary people. To help you understand the information we provide, we have created a glossary (table) explaining each legal term specific to personal data protection used here. Although we avoid as much as possible technical or legal jargon, it is inevitable in certain contexts.
Despite this, we have made every effort to ensure that the information is understood by a typical user of our website by using simple and easy-to-understand language. If you are a user of our website, you must know that according to Guidelines 3/2022 on dark patterns in social media platform interfaces: How to recognize and avoid them, we have the obligation to provide a glossary containing definitions of any unfamiliar terms.
The key idea to remember is that whenever we use technical terms or unfamiliar words related to personal data protection, we will provide a clear definition using simple language so that you, as a website user, understand the information we provide.
According to the European Data Protection Board guidelines, unknown terms may also be explained through a glossary (table).
Tired of not understanding personal data protection concepts? LOOK NOW, below are all the definition you will ever need to understand what GDPR is all about.
Personal Data Controller : Means the company, individual, or public authority that decides how your personal data will be used and has full autonomy to do so.
Personal Data Processor : Another company, individual, or public authority delegated by us to process users' personal data on our behalf, acting only on our instructions.
Competent Supervisory Authority : Public authority monitoring GDPR compliance in Each EU/EEA member state must appoint one or more independent authorities for this purpose. Also for users from the United Arab Emirates (UAE), the authority is the Data Protection Regulatory Authority (DPA), responsible for enforcing the provisions of the PDPL.
Recipient : Any individual, company, or public authority to whom personal data is disclosed, whether or not a third party.
Consent : Any free, specific, informed, and unambiguous indication of the data subject's will by declaration or clear affirmative action to allow processing.
Data Protection Officer : The legal person who provides consultancy to the personal data operator regarding GDPR compliance.
Legal Basis : The lawful basis we have used to legally process your personal data.
Personal Data : Any information relating to an identified or identifiable natural person (data subject), such as name, number, online identifier, physical, physiological, genetic, mental, economic, cultural, or social identity factors. Examples include eye color, height, gender, or income.
Processing : Any operation or set of operations performed on personal data, with or without automated means, e.g., collection, recording, structuring, usage, deletion, disclosure, etc.
Data Security Breach : A security breach leading to illegal access, modification, or unauthorized destruction of personal data.
Techincal and Organizational Measures : Security measures implemented to ensure appropriate security of personal data.
Personal Data Retention : The reasonable or appropriate period for which your personal data will be kept.
Refer to this definitions whenever you need to understand all the information provided here about how your personal data will be collected, used, and disseminated!
3
Identity and contact details of the personal Data Operator
You may have noticed that we use your personal data when you decide to schedule a 1:1 meeting with us or subscribe to our newsletter. It is natural that you share personal data with us in those cases. However, this is only possible if you, our user, consent to the processing of your personal data.
WARNING! It is important to know that we determine the purposes and means of processing your personal data. Essentially, we have full autonomy to decide how to use your personal data, which purposes we will use it for, the retention period, and the legal basis we will rely on.
The most important fact to know is that our company is the personal data operator concerning your personal data. In simple terms, we decide how your personal data will be collected, used, and disclosed.
We want you to receive information about all personal data protection aspects as simply as possible using clear, concise, precise, and easy-to-understand language.
The operator of your personal data is the LUNIS DESIGN LAB L.L.C-FZ, located in Meydan Grandstand, 6th floor, Meydan Road, Nad Al Sheba, Dubai U.A.E. Our company establishes the essential purposes and means concerning personal data processing performed via the website concerning your personal data.
The personal data controller complies with the provisions of the GDPR as well as the personal data protection legislation in the United Arab Emirates (PDPL), ensuring the protection and respect of the rights of data subject in both jurisdictions.
The personal data operator has established a friendly and appropriate communication channel through which you can contact us: hello@lunisdesignlab.com
4
CATEGORIES OF DATA SUBJECTS TARGETED BY OUR PROCESSING ACTIVITY
Dear website user, it's time to learn who the data subjects are whose personal data we use. The essential thing to know is that these persons are called data subjects.
Data subjects are the natural persons whose personal data we collect or who are the owners of such data or key data subjects (leads).
Simply put, these persons are the owners of the personal data, and the data can be attributed to them.
Our company LUNIS DESIGN LAB L.L.C-FZ collects personal data on the following data subjects:
Categories of personal data subjects affected by the processing activity performed through our website are: our users, persons who want to schedule a 1:1 meeting with one of our specialists, or persons who want to stay updated with all updates, news, or offers available over time (newsletter).
We, specifically LUNIS DESIGN LAB L.L.C-FZ will collect/pick personal data only from the data subjects mentioned above.
5
CATEGORIES OR SETS OF PERSONAL DATA TARGETED FOR PROCESSING
LUNIS DESIGN LAB L.L.C-FZ continuously evaluates which personal data it collects from data subjects. Dear user, you should know that we will not collect more data from you than necessary for the purposes for which we intend to use your personal data.
We continually evaluate the amount of personal data requested from data subjects and aim to minimize it. We will collect and ask you to provide only the strictly necessary personal data.
We have made all efforts to minimize the amount of personal data collected regarding you. We never ask for auxiliary personal data not required to fulfill our processing purposes.
We help you understand what personal data we collect about you. See below now:
Category of Data Subjects Processed on Our Website
Users: Natural persons;
➢ Personal Data Processed
Full Name: To identify and address you correctly during our 1:1 meetings.
Business Name (Optional): To provide professional context for the requested services.
Email Address: Used as the primary communication channel for scheduling and project updates.
Referral Source: Information on how you discovered our services (e.g., LinkedIn, Google Search, Recommendation) to help us analyze our marketing reach.
Project Details: Goals and requirements provided by you to help us prepare for the consultation.
Budget (Optional): Estimated project budget to assess the feasibility of the collaboration.When navigating our site, certain terminal equipement information might also be collected automatically:
Automatically Collected Information:
IP Address: For security and basic location analytics.
User Agent: To ensure the website is displayed correctly on your specific device.
Motion Tracking (Hotjar): To analyze how you navigate and interact with our site elements to improve user experience.
The easiest way to know what personal data we use about you is: we will collect and use only personal data about you, not special categories of personal data. This applies only to our company’s website.
Personal data about our website users will be collected directly from them when they schedule a 1:1 meeting with our specialists or subscribe to the newsletter. The data we use is always adequate, relevant, and limited to what is necessary.
The data we use is always adequate, relevant, and limited.
Personal data collected from you via our company website will be stored electronically via our hosting service.
6
PURPOSES OF PROCESSING AND LEGAL BASIS FOR PROCESSING
You want us to have a clear purpose for using your personal data and to present it transparently. You also want your data to be used legally with a legal basis.
Probably you looked through this document for info about the purposes and legal bases, but did not find it.
Read this chapter because we will provide information about the purposes and legal bases used to process your personal data. We always have a purpose when using your data and select the legal basis before collecting any personal data.
We always use your data for determined, explicit, and legitimate purposes, never general purposes.
The key point is that we establish the legal basis for using your personal data before starting to use any data. We document the legal basis and choose it based on the processing circumstances, nature of our activity, and our relationship with you.
Also we think that is very imporntat for you to know that under the PDPL Law of the United Arab Emirates, the consent of the data subjects is mandatory, and the you may withdraw it at any time, without affecting the lawfulness of processing prior to the withdrawal.
We respect purpose limitation and legality principles when processing your personal data.
Here are the purposes we intend to use your data and the legal basis:
Purpose of processing your personal data:
✓ Scheduling 1:1 meetings with one of oure specialist (interacting with the website CTA’s)
✓ Subscribing to our newsletter
✓ Marketing and personalized advertising (to deliver relevant ads via Google Ads, LinkedIn, and social media platforms based on user interests).
Legal basis:
✓Article 6(1) (a) – The data subject has given consent for one or more specific purposes
✓ We will use your personal data until you decide to unsubscribe from our newsletter, after that we will delete all your personal data from our servers.
VI.I WITHDRAWAL OF CONSENT
Important: where we rely on your consent to use your personal data, you may withdraw consent anytime without affecting the legality of processing before withdrawal.
Did you know you have the right to withdraw consent anytime? Now you do.
Withdrawal must be as easy as giving consent and done in a similar way.
For example, to stop direct marketing or newsletter emails, you can click the "Unsubscribe" button. This makes withdrawing consent as easy as giving it.
Also we consider that is very important for you to know that as a citizen of the UAE you can also withdraw the consent whenever you want. We place great emphasis on the data subject, our client.
For cookies and other tracking technologies, consent can be managed at any time via the floating icon on our website.
Therefore, when you decide to withdraw your consent for the processing of your personal data, our company will delete all your personal data that have been processed in the past. However, it is important to keep in mind that if you do not withdraw your consent for the newsletter, those data will remain stored in our database and you will continue to receive such newsletter emails until you also withdraw consent regarding this matter.
7
RETENTION PERIOD FOR YOUR PERSONAL DATA
You may have noticed we collect some personal data when you use our website.You might think that without sharing your personal data, you can't contact our specialists via website CTAs or subscribe to our newsletter, so you can't stay updated.
You are right! Without certain personal data, we cannot fulfill your request or complete the process. Any attempt to schedule a 1:1 meeting requires you to provide personal data.
We have set retention periods, so data is not kept indefinitely. Your personal data will be kept only for a reasonable or defined period.
We have developed a Data Retention Policy establishing how long data is stored. We continuously review to avoid using data longer than necessary.The important thing is that we limit retention time per necessity and proportionality principles.
Internally, LUNIS DESIGN LAB L.L.C-FZ. has set retention periods to comply with storage limitation and keeps data only for the appropriate period.
GDPR requires personal data not to be stored indefinitely. Data retention periods are clearly defined.
See the rows below for data retention periods:
Personal data processed
➢ Personal data collected when a user schedules a 1:1 meeting - Retention starts when scheduling begins; data will be deleted after meeting completion.
➢ Personal data for newsletter subscription (email address) - Retention starts on subscription date; data kept while subscribed. Removed upon withdrawal/unsubscription.
P.S. We have a retention policy ensuring personal data is stored following legal requirements and for a reasonable period.
P.P.S. Any changes to retention periods will be communicated in advance as these are significant changes to processing purposes and means.
8
RECIPIENTS OR CATEGORIES OF RECIPIENTS OF YOUR PERSONAL DATA
We transfer your personal data only to recipients or categories of recipients with a lawful basis to process data legally. Both we and recipients must have a legal basis for processing.
This section is for users who want to know to whom and where their personal data is transferred.
If data is transferred to law enforcement, courts, or competent administrative bodies, they become recipients with full autonomy over data use, collection, and dissemination. This happens only upon lawful request or court order.
Data transferred to our delegates who process data on our behalf will act as authorized persons and use data only per our documented instructions, without using data for own purposes.
The quickest way to see recipients we disclose your data to is to look below this sentence:
Collaborators of LUNIS DESIGN LAB L.L.C-FZ (Recipients of Personal Data)
➢ FRAMER - Hosting service, acting as authorized person by the operator
9
TRANSFER OF PERSONAL DATA OUTSIDE THE EU OR EEA TO THIRD COUNTRIES OR INTERNATIONAL ORGANIZATIONS
Your personal data entered on our website is NOT transferred outside the EU or the European Economic Area.
You might wonder if your personal data is transferred outside the EU/EEA.
We do NOT transfer your personal data collected via our website outside the EU/EEA. Data is stored by FRAMER hosting service headquartered in the Netherlands.
Hence, your personal data is not transferred outside the EU or EEA.
Accordingly, your data is stored securely, and you enjoy your data protection rights.
Regardless of any EU Commission adequacy decisions, we do not transfer personal data collected online to any third countries or international organizations outside the EU/EEA.
IMPORTANT! Transfers outside the United Arab Emirates shall be carried out only under the legal conditions imposed by the PDPL, with adequate guarantees regarding data protection.
Thus, because we care about our clients, we want you to be aware of the measures we have in place when your personal data will be transferred outside the UAE, which are as follows:
The destination country having an adequacy decision by the UAE data protection authority, confirming similar levels of data protection.
The use of legally binding instruments such as standard contractual clauses between the data exporter and importer, ensuring enforceable data subject rights.
Binding corporate rules applied within multinational organizations.
Approved codes of conduct or certification mechanisms with binding commitments to maintain adequate protections.
Explicit consent of the data subject after being informed about the risks related to the transfer.
10
PERSONAL DATA SECURITY
The secret you must know is that we have implemented appropriate technical and organizational security measures to ensure an adequate level of security for personal data.
As a data controller, we are obligated to ensure your personal data is adequately protected.
We have taken all measures to protect your personal data adequately.
Your personal data will be stored via the hosting service (Framer), which acts as our authorized processor.
This means Framer can access your data only to store it and fulfill contractual obligations per our hosting agreement.
Your data will not be transferred outside the EU or EEA to third countries or international organizations.
We have a Data Processing Agreement with Framer to ensure they do not use your data for own purposes beyond the hosting contract.
Our website uses a secure SSL connection to encrypt data transferred between your browser and our web server.
This prevents cyber attackers or unauthorized persons from intercepting or modifying your data.
Data security requirements are key in GDPR, so we implement appropriate technical and organizational measures to ensure data security.
We also have implemented appropriate technical and organizational measures to ensure an adequate level of security for personal data, in accordance with the requirements of the GDPR, as well as the standards and provisions of the PDPL Law in the United Arab Emirates.
X. THE ROLE OF OUR COMPANY REGARDING YOUR PERSONAL DATA
You noticed at the beginning that we are your data controller.
This means we decide how your personal data is processed, collected, and disclosed.
We have full autonomy to decide how your personal data is used, set purposes and means, and can delegate data processing to others.
We decide the purposes, legal basis, storage, and data transfer recipients for your personal data.
Because of this, we are the data controller regarding your personal data.
11
CHANGES TO THE DATA PROCESSING NOTICE
Want to know when we change how we use your personal data and stay updated?
Forget about companies that don't inform you about your data use.
We aim for transparency and mutual trust because you are the most important person for our company.
See below how we will notify you about changes in data use.
Our company will inform users beforehand about any changes to this Data Protection Notice.
All substantial or significant changes will be documented chronologically under chapter XI.
GDPR requires us to inform data subjects about any changes using proper communication means.
We will notify you through announcements on our website.
You will be informed well in advance of significant changes, allowing you to understand and exercise rights to object or withdraw consent if you disagree.
Minor corrections, like typos or grammar fixes, are not considered substantial changes.
12
PREVIOUS VERSIONS OF THE PRIVACY POLICY
Currently, there are no substantial changes made to the Data Protection Notice.