Privacy policy.

Introduction

 

Lunyra Group, Inc. and its other global subsidiaries and affiliates (hereafter collectively referred to as the “Company”, “us”, “our” or “we”) may act as data controller or as data processor depending its relationship to you, the data subject.

 

This Privacy Policy (hereafter, “Policy”) describes our collection and processing of Personal Data about test candidates, clients, contractors and partners (hereafter, “Data Subjects”, “you” or “your”). 

 

The Company endeavors to comply with all applicable data protection laws and regulations wherever it operates.

 

Unless otherwise noted, the following definitions apply to this Policy:

 

“Applicable Law” refers to the relevant country, state or territory data protection law or applicable regulation relating to data protection.

 

“Personal Data” means any information relating to an identified or identifiable natural person.

 

“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

 

“Supervisory Authority” or “Supervisory Authorities” means an independent public authority which is established by a government body and is responsible for monitoring and/or enforcing the application of data protection laws and regulations in a given jurisdiction.

 

1. What types of Personal Data do we collect?

 

The Company may collect the following Personal Data depending on your relationship to the Company, nature of the exam, services provided, and as subject to Applicable Law:

Contact details, including name, address, telephone numbers, and email address.

The Company will not use special categories of Personal Data for a purpose other than the purpose for which it was originally collected or subsequently authorized by the Data Subject unless we have received your affirmative and explicit consent (opt-in).

 

2. Personal Data of Minors

 

The Company does not knowingly collect Personal Data from or relating to minors without the consent of either the minor’s parent(s) or legal guardian.

 

3. How do we collect your Personal Data?

 

In most cases, the Company collects such Personal Data directly from the Data Subject.

 

When using our website, and subject to how you configure your cookie settings, we may automatically collect certain information regarding your use of the website, such as the dates and times you access the website, the browsers, operating systems and devices you use to access the website, the website pages you access, and the referring and exit website pages.

 

Certain users of the Company’s website choose to interact with us in ways that require the Company to gather Personal Data so that we may provide you with the services you request. The amount and type of information that we gather depends on the nature of that interaction.

 

It is important to note that Company’s website may contain links to other websites or online services. When you use those links, you are contacting another website or service. The Company has no responsibility or liability for, or control over, those other websites or service or their collection, use, disclosure, retention and deletion of your personal information. Please refer to the privacy policies and terms of use that apply to those other websites or online services.

 

4. Why do we collect your Personal Data?

 

On behalf of our test sponsors, the Company collects your Personal Data for the purposes of:

Consulting Services

For suppliers and other third parties, we collect your Personal Data for the following purposes:

Supplier management and administration

Invoice processing

Know-your-supplier due diligence and other legal requirements

We only disclose Personal Data to the Company’s employees, contractors and subcontractors that: (i) must access that information in order to process it on our behalf or to provide services available on the Company’s website and through our mobile applications; and (ii) agree not to disclose that information to others. The Company does not rent, sell or exchange Personal Data to any third party.

 

5. What are the legal bases of processing your Personal Data?

 

Personal Data is generally collected and processed according to the following legal bases:

 

The performance of a contract.

Your consent for the collection and processing of special categories of Personal Data.

Your consent if required by Applicable Law for cross-border data transfers.

For legitimate business purposes such as invoice processing and financial account management, website administration, fulfillment, analytics, security and fraud prevention, corporate governance, disaster recovery planning, auditing, reporting, and training and improving our artificial intelligence technology as permitted by Applicable Law.

Compliance with any legal or regulatory obligations.

 

6. Disclosure of Personal Data

 

Third parties who may process your Personal Data include other Company affiliates.

 

Government agencies may access Personal Data as the result of lawful requests, including to meet national security or law enforcement requirements.

 

Where permitted by Applicable Law, the Company uses website analytical and advertising platforms to understand user behavior on our website and deliver relevant advertisements. These platforms may use cookies, pixels, or similar technologies to collect data about your interactions with our websites. This information is used to help us measure the effectiveness of our campaigns, personalize advertising content, and enhance overall user experience. The extent of the use of such tools will depend on how you decide to configure the cookie settings on your browser, and you may opt out of personalized advertising at any time by managing your cookie preferences.

 

7. For how long do we store your Personal Data?

 

The Company has adopted a comprehensive Records Management Program and related retention schedule that it adheres to for the purposes of retention, storage and destruction of all records created in the course of its business including those containing Personal Data. 

Subject to client specific contract requirements and Applicable Law, our Company will keep your Personal Data for the duration of the processing, for the lesser period of five (5) years from the service; or the expiration of the purpose for which the Personal Data was collected; or the laws of the applicable jurisdiction where the Personal Data was collected. 

The Company will not keep Personal Data longer than necessary for the above-mentioned purposes. However, we may retain Personal Data longer if necessary to comply with client specific contract requirements and Applicable Law or if necessary to protect or exercise its rights.

 

8. Cross-border Transfers of Personal Data

 

Our business processes often require the transfer of Personal Data between the Company and its affiliated entities internationally.  Depending on the nature of your relationship with the Company and as per Applicable Law, your Personal Data is stored on secure servers located in the United States.

 

If Personal Data is disclosed to third parties or to a country not considered as providing a sufficient level of protection according to Applicable Law then the Company will ensure:

 

The implementation of standard contractual clauses as approved by the relevant Supervisory Authority;

The adoption of appropriate organizational, technical and legal safeguards to govern the cross-border data transfer and to ensure the necessary and adequate level of protection under Applicable Law.

If necessary, will evaluate the circumstances of the transfer and the legislation of the third country, and if required, complete a data transfer impact assessment to determine if supplemental measures are required to be implemented.

In regards to cross-border data transfers to the United States, the Company complies with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF as set forth by the U.S. Department of Commerce.

 

The Company has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of Personal Data received from the EU and the UK in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.  The Company has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of Personal Data received from Switzerland in reliance on the Swiss-U.S. DPF.

 

If there is any conflict between the terms in this Privacy Policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

 

9. What are your rights?

 

Depending on your location and Applicable Law, you may have the following rights related to your Personal Data:

 

Right to access

Right of rectification

Right to erasure

Right to restrict processing

Right to object to processing

Right to data portability

Right to decide how your Personal Data is used posthumously

The exercise of such rights is subject to limitations provided by Applicable Law and relevant guidance from Supervisory Authorities.

 

To exercise your rights, the data subject may contact the Company as described in the section “contact us.” Please keep in mind that deleting records may require us to terminate the account in question. Before we can complete your request, the Company may ask additional questions or take other steps to verify the identity of the requester. If we can’t satisfy your request (refusal or limitation) then we will justify our decision in writing.

 

In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, the Company commits to resolve DPF Principles-related complaints about our collection and use of your Personal Data.

 

EU, UK, and Swiss Data Subjects with inquiries or complaints regarding our handling of Personal Data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF should first contact the Company.

 

California Privacy Rights

 

California Civil Code Section 1798 allows California residents to ask companies with whom they have an established business relationship to provide certain information about the companies’ sharing of Personal Data with third parties for direct marketing purposes.  The Company does not share any California consumer Personal Data with third parties for marketing purposes without consent.  If you are a test candidate, we will provide your Personal Data to your test sponsor, who may use the information in accordance with its own privacy policies.

 

10. How do we protect your Personal Data?

 

The Company implements a variety of security measures, such as technical, physical and administrative safeguards in order to protect all Personal Data from security incidents or unauthorized disclosure, and more generally from a Personal Data Breach. These security measures are recognized as appropriate security standards in the industry and include, inter alia, access controls, password, encryption, strict time limits for erasure, logging mechanisms and regular security assessments.

 

In the event of a Personal Data Breach potentially impacting your Personal Data, the Company follows its Incident Response Plan and will promptly take appropriate action to mitigate the risks to Data Subjects.  Such measures may include notifying the appropriate Supervisory Authority and the impacted Data Subjects, while providing the relevant details of the incident and mitigation measures as may be mandated under Applicable Law.

 

11. Changes to Privacy Policy

 

The Company may update this Policy to comply with new or amended privacy practices and changes to Applicable Law. An updated version of this Policy will be made available through an appropriate channel and will apply to data collected after its effective date.

 

13. How to Contact Us and Complaint Handling

 

For any inquiries, comments, or concerns about this Policy, or in order to exercise the privacy rights permitted by Applicable Law, please submit a request via our dedicated portal at Personal Data Requests.

 

Additionally, you may contact our Data Protection Officer at the following email address: privacy@lunyragroup.com

 

You may also reach us via postal mail at:

 

Two Oliver Street

Partial 8th Floor

Financial District, Boston, MA 02109

 

 

In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, the Company commits to cooperate and comply respectively with the advice of the panel established by the EU Supervisory Authorities, the UK Information Commissioner’s Office (ICO), and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of Personal Data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF.

 

If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms.

 

You also have the right to file a complaint directly with the competent Supervisory Authority in your relevant jurisdiction.