Privacy Policy

The controller of your personal data is Lumos Coffee and Brunch, located at Strada Mitropoliei 1, Sibiu 550179, România.

Contact: lumoscoffeeandbrunch@gmail.com, +40 711 916 258.

Through the reservation form we collect: full name, email address, phone number, party size, desired date and time, and (optionally) the message attached to the request.

Through cookies and analytics tools (with your consent) we may collect: IP address, browser type, pages visited, duration of visit, traffic source.

We do not intentionally collect sensitive data (health data, ethnic origin, political opinions, etc.).

Processing reservations and follow-up phone contact for confirmation or rescheduling.

Communicating with you regarding your request (responding to questions, clarifications).

Improving the website and services based on aggregated analytics data.

Complying with legal obligations (for example, record-keeping in case of authority inspections).

Contract performance (or pre-contractual steps): for reservation processing — Art. 6 (1) (b) GDPR.

Your consent: for optional cookies, marketing and promotional communications — Art. 6 (1) (a) GDPR.

Legitimate interest: for website security and abuse prevention (e.g., IP-based rate-limiting) — Art. 6 (1) (f) GDPR.

Legal obligation: for accounting records and responses to authority requests — Art. 6 (1) (c) GDPR.

Your data is accessible only to authorized Lumos personnel.

It may be transmitted to trusted service providers acting on our behalf (e.g., web hosting — Vercel Inc., database — Neon Inc.), based on data processing agreements.

Data may be transmitted to competent authorities when required by law.

We do not sell or rent your data to third parties for marketing purposes.

Some of our technical services (e.g., hosting) may process data outside the European Economic Area. In these cases, we ensure that the transfer complies with the standard contractual clauses approved by the European Commission or other equivalent protection mechanisms.

Reservation data: maximum 24 months from the date of the reservation, after which it is anonymised or deleted.

Analytics data: maximum 26 months (per Google Analytics defaults, if enabled).

Accounting data: 10 years, in accordance with Romanian legislation.

Requests or complaints submitted by email: maximum 36 months from the date of the last interaction.

Under GDPR, you have the following rights:

Right of access to your data.

Right to rectification of inaccurate data.

Right to erasure ("right to be forgotten").

Right to restriction of processing.

Right to data portability.

Right to object to processing.

Right to withdraw consent at any time, without affecting the lawfulness of previous processing.

Right to lodge a complaint with the National Supervisory Authority for Personal Data Processing (ANSPDCP, www.dataprotection.ro).

To exercise these rights, please contact us at lumoscoffeeandbrunch@gmail.com. We will respond within at most 30 days.

We use reasonable technical and organisational measures to protect data: TLS encryption, access control, audit logs, passwords hashed with modern algorithms.

However, no method of internet transmission is 100% secure; we encourage you to use strong passwords and to be cautious of suspicious messages claiming to be from us.

We use cookies necessary for the operation of the website and (with your consent) cookies for analytics. Full details in the Cookies Policy.

We reserve the right to update this policy periodically. The updated version will be published on this page with the date noted.

For any questions regarding the processing of your personal data, please write to us at lumoscoffeeandbrunch@gmail.com.