Privacy Policy

1. Introduction & Controller Identity

This Privacy Policy explains how Royal Mile Silver (“we”, “us”, “our”) collects, uses, and protects your personal data when you visit lumithra.cyou (the “Website”), sign up for an account, request information, or communicate with us about our educational courses on ethical jewelry design, production, and responsible retail.

For the purposes of the UK GDPR and EU GDPR, the data controller is Royal Mile Silver Ltd, registered at 11 Jeffrey Street, Edinburgh, EH1 1DR, Scotland, United Kingdom. You can contact us at [email protected].

We do not appoint a Data Protection Officer (DPO) because we do not process personal data on a scale or in a way that requires a DPO under applicable law. If you have privacy questions, please email us and we will route your message to the appropriate person.

Effective Date: March 14, 2026.

2. Personal Data We Collect

The personal data we collect depends on how you use the Website. We aim to collect only what is necessary for registration, course access communications, customer support, and website operation.

• Identity and contact details: name, email address, and any other details you provide when communicating with us.
• Account registration data: information you provide in the registration form, including your name, email address, and password (stored in secure form by the platform; we do not display your password in plain text).
• Form content and messages: the content of messages you send to us, course questions, and any details you share about your learning goals or project context.
• Technical information: IP address, browser type, device and operating system information, language settings, and approximate location inferred from IP (country or region-level).
• Usage information: pages viewed, time spent on pages, referring pages, click paths, and interactions with site features.
• Cookies and identifiers: information stored via cookies and similar technologies (explained in Section 4 and in our Cookie Policy).
• Conversion events: signals that indicate a form submission, registration completion, or other engagement with our Website.

We do not intentionally collect special-category data (such as health information, biometric identifiers, political opinions, religious beliefs), financial account details, or government identification numbers through our standard course registration and support processes. Please do not include sensitive information in free-text fields.

3. Why We Process Personal Data & Legal Bases

Where UK GDPR/EU GDPR applies, we process personal data only when we have a lawful basis. Depending on the context, our lawful bases include:

• Account creation and course access (Article 6(1)(b)): processing is necessary to take steps at your request and to provide access to course materials and related communications.
• Contact and support requests (Articles 6(1)(b) and 6(1)(f)): to respond to your questions, provide troubleshooting, and maintain a record of communications. Our legitimate interest is to operate and improve our educational service.
• Consent-based processing (Article 6(1)(a)): analytics and marketing cookies and related tracking technologies are used only with your consent where required.
• Security and fraud prevention (Article 6(1)(f)): to protect the Website, prevent abuse, investigate suspicious activity, and maintain availability.
• Legal compliance (Article 6(1)(c)): to comply with applicable laws, lawful requests, and to exercise or defend legal claims.

Automated decision-making (Article 22): we do not engage in automated decision-making or profiling that produces legal or similarly significant effects for you.

4. Cookies & Tracking Technologies

Our Website uses cookies and similar technologies (including pixel tags and server-side events) to provide core functionality, understand site usage, and measure advertising performance. Categories used on this Website align with the cookie controls shown in our cookie banner and preferences panel.

Essential cookies (always active)

Essential cookies are required for the Website to function. They support basic session continuity, security features, and storing your cookie preferences. These cookies do not require consent.

• _site_session: helps keep a consistent browsing session.
• cookie_consent: stores your cookie category choices for up to 12 months.
• CSRF and security cookies (where applicable): used to protect forms and reduce abusive traffic.

Retention for essential cookies varies: session cookies expire when you close your browser; preference cookies typically persist up to 12 months.

Analytics cookies (consent required)

With your consent, we may use Google Analytics 4 (GA4) to understand how visitors use the Website. Analytics data helps us improve course pages, remove friction from registration, and fix navigation issues. Where possible, IP addresses are anonymized or truncated before storage by the analytics provider.

Example analytics cookies include _ga and _ga_XXXXXXXXXX. GA4 data retention is typically configured to 14 months.

Marketing cookies (consent required)

With your consent, we may use marketing cookies and conversion tracking to measure the effectiveness of advertising and to show more relevant content. Examples include Google Ads cookies such as _gcl_au and Meta cookies such as _fbp and _fbc. These are commonly used for remarketing, conversion attribution, and building aggregated audiences (such as lookalike audiences).

Beyond cookies, some advertising measurement may use server-side signals derived from events (for example, a completed registration) and technical identifiers such as IP address and User-Agent. Where server-side advertising integrations are used, any identifiers may be hashed before transmission, depending on the provider integration.

You can read more about cookies and manage your preferences at any time using “Manage cookie preferences” in the footer, or by visiting our Cookie Policy.

5. Consent (EEA and UK)

Users in the EEA and the UK receive a consent notice under GDPR and UK GDPR. Analytics and marketing cookies are activated only after explicit, informed, freely given consent (Article 6(1)(a)). Your consent status is recorded in the cookie_consent cookie and retained for up to 12 months.

You can withdraw consent at any time by using “Manage cookie preferences” in the footer or by clearing cookies in your browser settings. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

6. Sharing With Advertising & Service Partners

We use carefully selected service providers to run the Website and to understand and improve performance. Depending on your cookie choices and how you use the Website, we may share limited personal data with:

• Google LLC (Google Analytics 4, Google Ads, Google Tag Manager, remarketing): cookie identifiers, usage data, and conversion events. Learn more: https://policies.google.com/privacy
• Meta Platforms, Inc. (Meta Pixel, custom/lookalike audiences, conversion API where configured): page views, conversions, and audience membership signals. Learn more: https://www.facebook.com/privacy/policy
• Cloudflare (CDN and security): IP-based threat detection and performance optimization. Learn more: https://www.cloudflare.com/privacypolicy/

We do not sell personal data. When we share data with these providers, it is to operate our Website, measure performance, and support advertising measurement based on your consent choices. We do not permit these providers to use site data for their own independent commercial purposes.

7. International Transfers

Some of our service providers may process data outside the UK or EEA, including in the United States. Where relevant, transfers are protected using appropriate safeguards, which may include:

• EU–US Data Privacy Framework (including the UK Extension and Swiss–US DPF where applicable).
• Standard Contractual Clauses (EU 2021/914) as a fallback mechanism.
• UK International Data Transfer Agreement (IDTA) as a fallback mechanism.

We take reasonable steps to ensure that international transfers comply with applicable privacy laws and that transferred data remains protected.

8. Data Retention

We keep personal data only as long as necessary for the purposes described in this Policy, unless a longer retention period is required or permitted by law. Typical retention periods include:

• Contact and registration submissions: up to 2 years from the last interaction, unless you become an active learner requiring ongoing course communications.
• Analytics data: typically 14 months (provider configuration and reporting windows may vary).
• Marketing cookies: retained according to cookie lifetimes (often 90 days) and your consent settings.
• Email correspondence: for the duration of the relationship, plus up to 1 year for continuity and record-keeping.
• Security logs: typically up to 90 days, unless needed longer to investigate incidents or comply with legal obligations.
• Cookie consent record: up to 3 years for compliance auditing, where applicable.

When retention periods expire, we delete or anonymize personal data, unless we must keep it for legal claims, compliance, or legitimate security purposes.

9. Your Rights (GDPR and UK GDPR)

If GDPR or UK GDPR applies, you may have the following rights, subject to legal limitations:

• Right of access (Article 15)
• Right to rectification (Article 16)
• Right to erasure (Article 17)
• Right to restriction of processing (Article 18)
• Right to data portability (Article 20)
• Right to object (Article 21)
• Right to withdraw consent at any time (Article 7(3))
• Right to lodge a complaint with a supervisory authority (Article 77)

To exercise your rights, email [email protected]. We respond within 30 days, although this may be extended by up to 60 additional days for complex requests as permitted by law. We may request information to verify your identity before acting on a request.

Supervisory authority information:

• EU: European Data Protection Board directory: https://edpb.europa.eu
• UK: Information Commissioner’s Office (ICO): https://ico.org.uk

10. Children

This Website is not directed at individuals under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided personal data to us without verifiable parental consent, please contact [email protected] and we will take steps to delete the information promptly.

11. Do Not Track

Some browsers offer a “Do Not Track” (DNT) signal. This Website does not respond to DNT signals. Third-party providers may have their own policies regarding DNT and similar mechanisms.

12. Account & Data Deletion Requests

To request deletion of personal data, please email [email protected] with the subject line “Data Deletion Request”. We may ask you to verify your identity before processing the request. We aim to complete deletion within 30 days, subject to legal requirements and legitimate business purposes such as security and fraud prevention.

In some circumstances, we may retain limited information where required by law or where necessary to establish, exercise, or defend legal claims.

13. Business Transfers

If we are involved in a merger, acquisition, restructuring, asset sale, financing, or insolvency event, personal data may be transferred as part of that transaction. If such a transfer materially changes how personal data is used, we will provide notice on the Website.

14. California (CCPA / CPRA)

This section provides additional information for California residents. Over the last 12 months, we may have collected the following categories of personal information, depending on how you use the Website and your cookie preferences:

• Identifiers: name, email address, IP address, and cookie identifiers.
• Internet or network activity information: browsing interactions with the Website.
• Inferences: interests or preferences derived from site interactions for advertising measurement (where marketing consent is enabled).

We do not sell personal information as defined by the CCPA. We may share information for cross-context behavioral advertising depending on your cookie preferences. California residents may opt out of sharing for cross-context behavioral advertising via our cookie preferences panel (“Manage cookie preferences” in the footer).

California residents may have the right to know, delete, correct, and opt out of sale/sharing, and to not be discriminated against for exercising these rights. To submit a request, email [email protected] with the subject line “California Privacy Request”. We may need to verify your identity before completing the request. Authorized agents may submit requests with proof of authorization.

15. Virginia (VCDPA)

Virginia residents may have rights to access, correct, delete, and obtain a copy of personal data, and to opt out of targeted advertising. We do not sell personal data and we do not engage in profiling that produces legal or similarly significant effects.

To submit a request, email [email protected] with the subject line “Virginia Privacy Request”. If we decline your request, you may appeal by emailing with the subject line “Appeal of Refusal — Privacy Request”. We will respond to appeals within 60 days as required by law.

16. Nevada

Nevada residents may submit a verified request to opt out of the sale of personal information by emailing [email protected] with the subject line “Nevada Do Not Sell Request”. We do not currently sell personal information as defined by Nevada Revised Statutes Chapter 603A.

17. Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in our practices, technologies, legal requirements, or the Website. If we make material changes, we will post an updated version on this page and, where appropriate, provide a notice on the homepage at least 14 days before the changes take effect.

The “Last Updated” date at the top of this page indicates when the Policy was last revised.

18. Contact

If you have questions about this Privacy Policy or our data practices, contact:

• Legal entity: Royal Mile Silver Ltd
• Address: 11 Jeffrey Street, Edinburgh, EH1 1DR, Scotland, United Kingdom
• Email: [email protected]
• Phone: +44 131 202 4728