
Privacy Policy

This policy describes how Lumatix Biotech GmbH processes personal data in connection with this website. Last updated: 4 May 2026.

German version available at /legal/datenschutz.

1. Controller

The controller responsible for the processing of personal data on this website within the meaning of the EU General Data Protection Regulation (GDPR) is:

Lumatix Biotech GmbH
Lichtenbergstraße 8
85748 Garching bei München
Germany

Phone: +49 (0) 89 21 23 10 600
Email: info@lumatix.bio
Managing Director: Andreas Reichert

We have not appointed a data protection officer. Lumatix Biotech GmbH does not meet the criteria of Art. 37 GDPR for mandatory appointment of a DPO. For all data-protection enquiries please contact the address above.

2. Categories of personal data we process

When you use this website, the following categories of personal data may be processed:

  • Form submissions — name, business email, company / institution, job function, country, phone (where provided), product or modality interest, and any free-text project context you choose to share. Collected via our quote form, contact form, and resource-request forms.
  • Server access logs — IP address, user-agent, referrer, requested URL, response status, and timestamp. Generated automatically by our hosting provider for security and operations.
  • Aggregate site analytics — page-view counts, referrer categories, country (derived without IP storage), device class, and conversion events. Collected via Plausible Analytics in a privacy-first, cookieless configuration. No personal identifiers are stored.
  • Email communication — content of any email you send to us, including header metadata.

3. Purposes and legal bases of processing

| Purpose | Data | Legal basis (GDPR) |
|---|---|---|
| Responding to quote, contact, or resource requests | Form submissions | Art. 6(1)(b) — pre-contractual measures at your request; Art. 6(1)(f) — our legitimate interest in answering enquiries |
| Sending transactional confirmation emails | Email address and name from form submission | Art. 6(1)(b) — performance of pre-contractual measures |
| Operating, securing, and stabilising the website | Server access logs | Art. 6(1)(f) — legitimate interest in technical security and integrity |
| Measuring aggregate audience reach and content performance | Pseudonymous analytics events (no IP storage, no cookies) | Art. 6(1)(f) — legitimate interest in reach measurement and content improvement |
| Storing your enquiry for follow-up and internal CRM use | Form submissions, prior email correspondence | Art. 6(1)(f) — legitimate interest in maintaining a record of business enquiries |

Providing personal data via our forms is voluntary; without it we cannot respond to your specific request. Browsing the site without submitting a form does not require you to provide any personal data beyond the technical minimum logged automatically by our hosting provider.

4. Service providers and recipients

We use carefully selected service providers (processors within the meaning of Art. 28 GDPR) to operate this website. We have concluded data processing agreements with each of them.

  • Vercel Inc. (USA) — hosting, content delivery, serverless function execution. Server logs and form submissions transit Vercel infrastructure. Privacy: vercel.com/legal/privacy-policy
  • Sanity Aps (Denmark, EU; with global CDN edges) — content management system. Stores the public marketing content displayed on this site; does not directly process visitor personal data. Privacy: sanity.io/legal/privacy
  • Resend Inc. (USA) — transactional email delivery. Used to send notification emails to our team and confirmation emails to you after a form submission. Privacy: resend.com/legal/privacy-policy
  • Plausible Insights OÜ (Estonia, EU) — privacy-friendly analytics provider. Cookieless, does not store IP addresses, and does not generate cross-site identifiers. Privacy: plausible.io/data-policy
  • sc synergy GmbH (Germany) — operator of our Microsoft Exchange email infrastructure. Receives the email you send to addresses ending in @lumatix.bio.

5. Transfers to third countries

Vercel Inc. and Resend Inc. are based in the United States. To the extent that personal data is transferred to or accessed from the United States, the transfer is safeguarded by the European Commission’s Standard Contractual Clauses (SCC) as adopted in Decision (EU) 2021/914, supplemented where appropriate by technical and organisational measures (encryption in transit and at rest, access controls, contractual data minimisation). For providers participating in the EU-U.S. Data Privacy Framework, we additionally rely on the European Commission’s adequacy decision of 10 July 2023.

6. Retention periods

  • Form submissions and email correspondence are retained for as long as needed to address your enquiry and pursue any resulting business relationship. Where no business relationship develops, we delete or anonymise the personal data within 24 months of the last interaction, unless longer retention is required by statutory tax, commercial, or product-liability law (typically 6–10 years under German §§ 147 AO, 257 HGB).
  • Server access logs are retained by our hosting provider for a maximum of 30 days for security and abuse detection, then deleted automatically.
  • Aggregate analytics data contains no personal identifiers and is retained indefinitely in anonymised form.

7. Cookies and similar technologies

This website does not use third-party tracking cookies and does not require a cookie banner under Art. 25 TTDSG / Art. 5(3) ePrivacy Directive. Strictly necessary technical cookies may be set by our hosting provider to keep the site secure and functional; these cookies are not used for analytics or behavioural tracking. Aggregate analytics is provided by Plausible Analytics in a cookieless configuration.

For a detailed description of which cookies are used in which context, see our Cookies page.

8. Your rights as a data subject

Under the GDPR, you have the following rights with respect to the personal data we process about you:

  • Right of access (Art. 15 GDPR) — to obtain confirmation as to whether or not we process personal data concerning you, and a copy of that data.
  • Right to rectification (Art. 16 GDPR) — to have inaccurate personal data corrected.
  • Right to erasure (Art. 17 GDPR) — to have personal data deleted under the conditions described in the GDPR.
  • Right to restriction of processing (Art. 18 GDPR) — to have processing restricted under the conditions described in the GDPR.
  • Right to data portability (Art. 20 GDPR) — to receive personal data you provided to us in a structured, commonly used, machine-readable format and to transmit it to another controller.
  • Right to object (Art. 21 GDPR) — to object, on grounds relating to your particular situation, to processing of personal data based on Art. 6(1)(f) GDPR. Where we cannot demonstrate compelling legitimate grounds that override your interests, we will stop the processing.
  • Right to withdraw consent (Art. 7(3) GDPR) — where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of processing prior to withdrawal.

To exercise any of these rights, please contact us at info@lumatix.bio. We will respond within one month, as required by Art. 12(3) GDPR.

9. Right to lodge a complaint

You have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your residence, place of work, or place of the alleged infringement. The competent authority for Lumatix Biotech GmbH is:

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18
91522 Ansbach, Germany
www.lda.bayern.de

10. Automated decision-making

We do not use automated decision-making, including profiling, within the meaning of Art. 22 GDPR.

11. Changes to this policy

We may update this privacy policy to reflect changes in our processing or in applicable law. The version in force at any given time is the one published on this page. Material changes will be highlighted at the top of this page. The date at the top of this policy reflects the last revision.