This section provides additional details about the personal information we process subject to the General Data Protection Regulation (GDPR) and UK GDPR.
Controller of Your Information: Unless otherwise stated in a supplemental notice, Lucenia, Inc. is the data controller of your personal information.
Your Rights
Subject to applicable law, you have the following rights with respect to your personal information:
- Right to access: You have the right to access your personal information that we hold and receive it in a portable way.
- Right to update: You have the right to request that we update your personal information.
- Right to delete: You have the right to have your personal information deleted.
- Right to restrict processing: You have the right to request us to restrict or suppress the processing of your personal information where our processing is inappropriate.
- Right to object: You have the right to object to the processing of your personal information.
- Right to withdraw consent: You have the right to withdraw your consent at any time where we are processing your personal information based on your prior consent.
To exercise your rights, please complete our Data Subject Rights intake form or contact us as outlined in the “Contact Us” section below. Please note that we may ask you to provide us with additional information to confirm your identity.
Legal Bases for Processing Personal Information
We process your personal information on one or more of the following legal bases:
- Where necessary to enter into or perform under a contract with you, including to provide the Lucenia Products;
- Where necessary for us to comply with a legal obligation;
- For our legitimate interests, as outlined in this Privacy Policy; or
- With your consent.
International Data Transfers
Your personal information may be collected in, transferred to, accessed from, or stored in a country other than the one you are in, including the United States, which may have data protection rules that are different from those of your country. Your personal information is only transferred out of your country in accordance with applicable data protection law, including, for example, to third countries that adequately safeguard personal data, or under the European Commission-approved Standard Contractual Clauses. Your rights with respect to your personal information are outlined above in the “Your Rights” section above.
We comply with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce (together, the “DPF”), and we have certified to the U.S. Department of Commerce that we adhere to the EU-U.S. Data Privacy Framework Principles with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework Principles with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF (together, the “DPF Principles”). A full list of all participating organizations is available on the U.S. Department of Commerce’s dedicated DPF website.
If you have any questions, concerns, or complaints about our compliance with the DPF, we encourage you to contact us as outlined in the “Contact Us” section below, where you can also find information regarding our EU representative that can respond to your questions or complaints. If you have an unresolved complaint regarding our handling of personal data received in reliance on the DPF, you may contact TRUSTe, our U.S.-based third-party dispute resolution provider, here free of charge. Finally, if you have a complaint that we have violated the DPF Principles that has not been resolved by other means, you may have the ability to invoke binding arbitration as outlined more fully on the DPF website. Please note that we are subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).
In some cases, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. More information about the safeguards we’ve implemented to protect transfers of personal data is available in our Lucenia Transfer Impact Assessment.
If we transfer your personal data onward to a third party, we will continue to remain liable under the DPF Principles if the information is processed in a manner inconsistent with the DPF Principles.
Complaints
You may lodge a complaint with a data protection authority for your country or region where you have your habitual residence, where you work, or where an alleged infringement of applicable data protection law occurs. A list of EEA data protection authorities is available here, and the contact details for the UK Information Commissioner’s Office is available here.