GDPR Compliance

Last updated: 22 April 2026

Lumeo Learning Ltd is committed to compliance with the EU General Data Protection Regulation (GDPR) and the UK GDPR. This page summarises how we meet our obligations and how you can exercise your rights.

1. Roles

When you sign up for a Lumeo account, Lumeo Learning Ltd is the data controller of your account information.

When your organisation uses Lumeo to deliver courses to learners, your organisation is the data controller of any learner data, and Lumeo Learning Ltd acts as a data processor on your behalf.

2. Your rights under GDPR

  • Right of access — request a copy of the personal data we hold about you.
  • Right to rectification — ask us to correct inaccurate data.
  • Right to erasure ("right to be forgotten") — ask us to delete your data.
  • Right to restrict processing — ask us to pause the use of your data.
  • Right to data portability — receive your data in a portable format.
  • Right to object — object to processing based on legitimate interests.
  • Right to withdraw consent — where processing relies on consent.
  • Right to lodge a complaint with a supervisory authority (ICO in the UK).

3. International transfers

Where personal data is transferred outside the UK or EEA, we rely on the European Commission's Standard Contractual Clauses and the UK International Data Transfer Addendum to ensure an equivalent level of protection.

4. Data Processing Agreement (DPA)

Customers acting as controllers can request a signed Data Processing Agreement covering the obligations set out in Article 28 GDPR. Email support@learnlumeo.com to request a copy.

5. Security measures

  • TLS encryption for all data in transit.
  • Encryption at rest for all stored data.
  • Row-level security policies on all customer data tables.
  • Principle of least privilege for internal access.
  • Regular dependency and vulnerability scanning.

6. Breach notification

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and inform affected users without undue delay.

7. Contact

For any GDPR-related request or question, contact us at support@learnlumeo.com. We will respond within one month, as required by the regulation.