GDPR Compliance

1. Overview

This GDPR Compliance Policy explains how INNERLUXES collects, uses, stores, and protects personal data of individuals within the European Economic Area (EEA) and the United Kingdom. We are deeply committed to data privacy and transparency.

This policy applies to all personal data processed through our website, services, client engagements, recruitment processes, and any other interactions with INNERLUXES.

2. Data Controller

INNERLUXES acts as the Data Controller for personal data collected through our website and direct interactions. For client projects where we process data on behalf of clients, we act as a Data Processor under appropriate Data Processing Agreements (DPAs).

For any data-related inquiries, you may contact our designated Data Protection representative at innerluxes@gmail.com.

3. Data We Collect

Personal Identification Data

• Full name, email address, phone number
• Company name and job title
• Mailing address and country of residence

Technical Data

• IP address, browser type and version
• Device information and operating system
• Pages visited, time spent, and referral source

Recruitment Data

• CV/resume, cover letter, portfolio links
• Employment history and skills
• Expected salary and availability

Communication Data

• Messages sent through contact forms
• Email correspondence with our team
• Feedback and survey responses

4. Lawful Basis for Processing

We process personal data under the following lawful bases as defined by Article 6 of the GDPR:

• Consent: Where you have given clear, informed consent for us to process your data for a specific purpose (e.g., newsletter subscription).
• Contractual Necessity: Where processing is necessary to fulfil a contract with you or to take steps at your request before entering into a contract.
• Legitimate Interest: Where processing is necessary for our legitimate business interests, provided those interests do not override your fundamental rights.
• Legal Obligation: Where processing is necessary to comply with a legal obligation to which we are subject.

5. How We Use Your Data

We use personal data exclusively for the following purposes:

• To provide, maintain, and improve our services
• To respond to enquiries and support requests
• To process and evaluate job applications
• To send project updates and relevant communications
• To comply with legal obligations and enforce our terms
• To analyse website performance and user experience
• To protect against fraud, abuse, and security threats

6. Data Sharing & Third Parties

We do not sell, rent, or trade your personal data. We may share data with:

• Service Providers: Trusted third-party providers who assist in delivering our services (hosting, analytics, email), bound by strict confidentiality agreements.
• Legal Requirements: When required by law, court order, or governmental authority.
• Business Transfers: In the event of a merger, acquisition, or sale of assets, with prior notice to affected individuals.

7. International Data Transfers

As an international agency, we may transfer personal data outside the EEA. When we do, we ensure adequate safeguards are in place:

• Transfers to countries with an EU adequacy decision
• Standard Contractual Clauses (SCCs) approved by the European Commission
• Binding Corporate Rules where applicable
• Explicit consent for specific transfers when required

8. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected:

• Client data: Duration of the business relationship plus 6 years for legal and accounting requirements.
• Recruitment data: Up to 12 months after the last interaction, unless consent is given for longer retention.
• Website analytics: Aggregated and anonymised data may be retained indefinitely.
• Contact enquiries: Up to 24 months from last correspondence.

9. Your Rights Under GDPR

As a data subject, you have the following rights:

• Right of Access: Request a copy of all personal data we hold about you.
• Right to Rectification: Request correction of inaccurate or incomplete data.
• Right to Erasure: Request deletion of your personal data ("right to be forgotten").
• Right to Restrict Processing: Request limitation of how we use your data.
• Right to Data Portability: Receive your data in a structured, machine-readable format.
• Right to Object: Object to processing based on legitimate interests or direct marketing.
• Right to Withdraw Consent: Withdraw previously given consent at any time.
• Right to Lodge a Complaint: File a complaint with your local supervisory authority (e.g., the ICO in the UK).

10. Security Measures

We implement robust technical and organisational measures to protect your personal data:

• SSL/TLS encryption for all data in transit
• Encrypted storage for sensitive personal data at rest
• Role-based access controls and multi-factor authentication
• Regular security audits and vulnerability testing
• Employee training on data protection and privacy best practices
• Incident response procedures for data breaches

In the event of a data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay.

11. Cookies

Our website uses cookies to enhance your browsing experience. We use:

• Strictly Necessary Cookies: Essential for the website to function (e.g., session management, theme preference).
• Analytics Cookies: Help us understand how visitors use our site (anonymised, no personally identifiable data).
• Functional Cookies: Remember your preferences and settings.

We do not use advertising or tracking cookies. You can manage cookie preferences through your browser settings at any time.

12. Changes to This Policy

We may update this GDPR Compliance Policy periodically. When we make material changes, we will update the "Effective" date at the top of this page and, where appropriate, notify you via email or a prominent notice on our website. Continued use of our services after changes constitutes acceptance of the updated policy.