Privacy Policy

1. Introduction

This Privacy Policy explains how personal data is collected, used, shared, stored, and protected when you visit or interact with www.lumiors.com (the “Website”) and when you engage with services provided through the Website. These services may include investment onboarding, impact reporting, regulatory compliance processes, and related operational activities.

This Policy applies to individuals whose personal data is processed in connection with the Website and associated services (“you” or “data subjects”). It describes the purposes for which personal data is processed, the legal bases relied upon, and the safeguards implemented to ensure that personal data is handled in accordance with applicable data protection laws.

This Privacy Policy explains:

What personal data we collect;
How and why we process it;
With whom we share it;
Your rights as a data subject;
The technical and organisational measures we take to protect your data;
How you can contact us with questions or concerns.

This Policy applies to all visitors of the Website and all individuals whose personal data we collect and process, including (but not limited to) potential and current investors, newsletter subscribers, platform users, and business contacts.

2. Identity of the Controller

The controller responsible for the processing of your personal data is:
CJC Research B.V.
Chamber of Commerce registration number: 97400777
Email: compliance@lumiors.com
Data Protection Officer
As the controller, CJC determines the purposes and means of processing personal data
within the meaning of Article 4(7) of the GDPR.

2.1 Processing

In the context of investor onboarding, investment administration and regulatory reporting, certain personal data is also processed by Elite Fund Management B.V. as AIFM, and by its fund administrator, depositary and custodian.

Depending on the specific processing activity, CJC and Elite Fund Management B.V. may act as independent controllers or joint controllers.

The allocation of responsibilities is laid down contractually and ensures that data subjects may exercise their GDPR rights with regard to either party.

3. Categories of Personal Data Collected

We may collect and process the following categories of personal data depending on your interaction with our Website and services.

3.1. Information You Provide to Us Directly

This includes personal data you actively submit via:

Contact forms
Newsletter sign-ups
Investment interest forms
Email communications
Document uploads for onboarding or due diligence.

Examples of such data may include:

First and last name
Email address
Telephone number
Company affiliation and job title
Professional biography or LinkedIn profile
Residential or mailing address
Country of residence and nationality
Identity documents (passport, ID card, driver’s license)
Proof of address (utility bill, bank statement)
Financial data (e.g., bank account number, investment preferences)
Personal investment experience or objectives.

3.2. Information Collected Automatically

When you use the Website, we automatically collect certain technical data using cookies or similar technologies.

This may include:

IP address
Device type and browser version
Operating system
Referrer URL
Time and date of access
Clickstream data
Cookie identifiers and preferences.

Non-essential cookies (including analytical and marketing cookies) are only used with your explicit consent.
You may withdraw this consent at any time using the cookie settings on our Website. For details, including cookie categories, storage periods and providers, see our Cookie Policy.

3.3. Data Received from Third Parties

We may also receive personal data about you from third parties such as:

KYC/AML service providers;
Identity verification tools;
Analytics or advertising platforms (e.g., Google, LinkedIn);
Publicly accessible sources (e.g., trade registers, sanctions lists);
Our business partners and fund administrators.

3.4. Required vs. Optional Data

Providing certain information (such as identity documents and KYC information) is a legal and contractual requirement under the Wwft and our fund documentation.

If you do not provide this information, we cannot enter into or continue an investment relationship with you. Other information, such as newsletter subscription data, is optional.

3.5. Children

Our services are intended exclusively for individuals aged 18 years and over.

We do not knowingly collect or process personal data relating to minors.
If we become aware that we have received data relating to a minor, we will delete such data without undue delay.

3.6. Special Categories and Criminal Data

CJC does not intend to process special categories of personal data (such as health, ethnicity, political beliefs or biometric identifiers) except where required under anti-money-laundering and sanctions legislation.

In such cases, processing is limited to what is legally necessary and subject to additional safeguards.

4. Purposes and Legal Bases for Processing

We process personal data for specific, explicit, and legitimate purposes.

The legal bases for such processing are provided under Article 6 of the GDPR. The purposes and their associated legal grounds are as follows:

Purpose	Legal Basis
To provide access to our Website and enable its core functionalities	Article 6(1)(f) GDPR – legitimate interest
To respond to contact requests and communications	Article 6(1)(f) GDPR – legitimate interest
To process subscription to newsletters and marketing communications	Article 6(1)(a) GDPR – consent
To onboard and verify investors, including identity verification and due diligence	Article 6(1)(b) GDPR – performance of contract Article 6(1)(c) GDPR – legal obligation (e.g., Wwft)
To maintain investor records and execute investment transactions	Article 6(1)(b) GDPR – performance of contract
To comply with applicable financial laws and regulations, including AML/KYC requirements	Article 6(1)(c) GDPR – legal obligation
To protect the platform against fraud, misuse, or security threats	Article 6(1)(f) GDPR – legitimate interest
To generate statistical reports and improve the Website’s functionality and content	Article 6(1)(f) GDPR – legitimate interest

Where processing is based on Article 6(1)(f) GDPR (legitimate interest), CJC performs a documented balancing test to ensure that our interests (such as fraud prevention, platform security, Website improvement and client communication) do not override your fundamental rights. These assessments are reviewed periodically in line with EDPB Guidelines on Article 6(1)(f).

5. Newsletter and Marketing Communications

If you subscribe to our newsletter, we will use your name and email address to send you periodic updates about lumiors products, events, and market insights. You may withdraw your consent and unsubscribe at any time by clicking the unsubscribe link in any of our emails or by contacting us at compliance@lumiors.com. We do not send unsolicited commercial communications without your prior consent, in accordance with Article 11.7 of the Dutch Telecommunicatiewet.

6. Data Sharing and Categories of Recipients

CJC only shares your personal data with trusted third parties where necessary and under strict data processing agreements.

Categories of third-party recipients may include:

Cloud service providers and data processors (e.g., AWS, Google Workspace);
CRM and investor management platforms;
Fund administrators and AIFMD-compliant managers;
KYC/AML and sanctions screening providers;
Auditors, legal advisors, and compliance officers;
Financial regulators, tax authorities, or law enforcement agencies, where required by law.

Each third party is carefully vetted, and processing is governed by legally binding data
processing agreements pursuant to Article 28 GDPR.
We do not sell or rent personal data to third parties under any circumstance.

7. International Data Transfers

CJC may transfer your personal data to countries outside the European Economic Area
(EEA) only if:

The European Commission has issued an adequacy decision for the country in question;
Standard Contractual Clauses (SCCs) as approved by the European Commission are in place;
Supplementary measures (e.g., encryption, access limitations) are adopted where appropriate.

For example, Google Analytics or LinkedIn may transfer certain data to the United States. We ensure that such transfers are structured in full compliance with Chapter V of the GDPR.

Where personal data is transferred to service providers in the United States that participate in the EU–US Data Privacy Framework, such transfers rely on the European Commission adequacy decision of 10 July 2023. For all other transfers to third countries, CJC relies on Standard Contractual Clauses and implements additional safeguards where required.

8. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it
was collected or to comply with applicable laws.

The following retention periods generally apply:

Contact requests and general correspondence: 2 years after last interaction;
Investor data, KYC files, and transaction records: 7 years (as required by Wwft and tax laws);
Newsletter subscription data: until withdrawal of consent;
Cookies and tracking data: see Cookie Policy.

Data may be retained longer if required for legal claims or regulatory investigations.

9. Your Rights as a Data Subject

Under the GDPR, you have the following rights regarding your personal data:

Right of access: to obtain a copy of the data we hold about you;
Right to rectification: to correct inaccurate or incomplete data;
Right to erasure: to request deletion of your data under certain conditions;
Right to restriction of processing: to limit the way your data is used;
Right to object: to processing on grounds of legitimate interest or direct marketing;
Right to data portability: to receive your data in a machine-readable format;
Right to withdraw consent: where processing is based on your prior consent.

You can exercise these rights by emailing us at compliance@lumiors.com. We may ask for identity verification to protect your data.
If you believe we have not adequately responded to your request, you may file a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at www.autoriteitpersoonsgegevens.nl.

10. Data Security Measures

CJC implements robust technical and organisational measures to protect personal data from unauthorised access, loss, misuse, or alteration. These measures include, but are not limited
to:

TLS/HTTPS encryption for all web traffic;
Encrypted data storage at rest and in transit;
Role-based access controls with multi-factor authentication;
Physical and network security protocols for hosted infrastructure;
Staff training on data protection obligations;
Periodic security assessments and vulnerability scans;
A documented data breach response and notification protocol in accordance with Articles 33 and 34 of the GDPR.

11. Automated Decision-Making and Profiling

CJC does not conduct automated decision-making that produces legal or similarly significant effects within the meaning of Article 22 GDPR.

We may use automated tools to assist with identity verification and risk screening (e.g., PEP
or sanctions list checks), but any onboarding approval or refusal is reviewed and decided by
a human.

12. Changes to This Privacy Policy

CJC reserves the right to amend this Privacy Policy at any time, particularly in response to legal developments, changes in our processing activities, or improvements in our services. The most recent version will always be available on our Website. In the event of material changes, we will notify you via the Website or through other appropriate channels.

We encourage you to review this Privacy Policy periodically.

13. Contact Us

If you have any questions, concerns, or wish to exercise your rights, please contact us via:
CJC Research B.V.
Attn: Data Protection Officer
Email: compliance@lumiors.com
KvK Number: 97400777