Lumya Student Living Ltd, Lumya Student Living GmbH and Lumya Living DE GmbH
("Lumya Living")
Last updated: 19 June 2026
This Privacy Policy governs the handling of personal data processed when visiting the website of Lumya Living. In the following, we will inform you about what data is being processed, how it will be processed and what rights you have in this regard.
The controller with regard to the processing of personal data when visiting the website and in the UK is:
Lumya Student Living Ltd 6 Chesterfield Gardens 5th Floor London England, W1J 5BQ
The controller with regard to the processing of personal data in Austria is:
Lumya Student Living GmbH Mariahilfer Straße 84/31 1070 Wien Austria
and in Germany is:
Lumya Living DE GmbH c/o Dentons GmbH Wirtschaftsprüfungsgesellschaft Steuerberatungsgesellschaft Markgrafenstraße 33 10117 Berlin Germany
For data protection related concerns and to exercise your rights under Art. 15 ff. GDPR, please contact: info@lumyaliving.com
The appointed Data Protection Officer, registered with the ICO, is Dilyana Walker. She can be contacted on: dpo@lumyaliving.com
Whenever you visit the website, even if you only use the website for information purposes, we process personal data from you that your browser transmits.
The following personal data of yours will be processed:
IP address
Date and time of the query
Contents of the query (concrete page)
Access status/HTTP status code
Amount of data transmitted in each case
Website where the query originated
Browser, language, and version of the browser software
Operating system and its interface
for the placement of rental apartments, the data entered by you in each case, such as your name, contact address (including e-mail and telephone numbers), etc
The legal basis for processing this data is either Art. 6 (1) b) GDPR for entering into or pursuing a rental agreement or Art. 6 (1) 1 lit. f) GDPR, as we have a legitimate interest in properly displaying the website to you.
The data regarding the website is deleted after 30 days.
We use the following cookies on our websites (for more information, see our cookie banner):
Borlabs Cookie
: The purpose of this processing is the administration of the website (cookie consent management), in which there is a legitimate interest (Art. 6 (1) (f) GDPR).
Google Analytics
: This processing is used for an anonymous, statistical analysis of website usage.
Marketing cookies are only used by consent (Art. 6 (1) (a) GDPR) to display personalised advertising. These are
Google Tag Manager
and
Google Ads
.
Also only by consent (Art. 6 (1) (a) GDPR),
content from third-party providers
is displayed via further cookies. These include: Facebook, Google Maps, NID (Instagram), pigeon_state (OpenStreetMap), _osm_location, _osm_session, - _osm_totp_token, _osm_welcome, _pk_id., _pk_ref., _pk_ses., qos_token (all X resp. Twitter), __widgetsettings, local_storage_support_test (all VIMEO) and YouTube.
For more information, please refer to the information and further links of the respective cookie banner used.
If you submit an application to us via the application form on the website, we store your first and last name, your telephone number, your e-mail address and the application documents you provide (application letter, CV, certificates, etc.).
We process and use the personal data provided only for the purpose of filling positions within our company.
The legal basis for processing the data is Section 26 (1) Sentence 1 of the German Federal Data Protection Act (BDSG).
Your data will be deleted three months after completion of the application process, unless otherwise required by law.
If you rent a room through the website, we store your first and last name, your address, your telephone number, your e-mail address and the documents you provide for the purpose of renting the room.
We process and use the personal data provided only for the purpose of renting the room.
The legal basis for processing the data is Art. 6 (1) 1 lit. b) GDPR. As soon as the tenancy has ended and and all claims are time-barred, the personal data will be deleted.
To help us assess applications, prevent fraud, and meet our legal and regulatory obligations, we may obtain information about you from credit reference agencies (CRAs).
We obtain this information via Creditsafe, which uses its data partner TransUnion to supply consumer credit and identity data.
Creditsafe Business Solutions Limited is authorised and regulated by the Financial Conduct Authority. FCA Firm Reference Number: 742313
TransUnion International UK Limited is authorised and regulated by the Financial Conduct Authority. FCA Firm Reference Number: 737740
The information we receive may include data relating to your identity, credit commitments, payment history, and public record information. This data is used solely for legitimate business purposes, including creditworthiness assessment, identity verification, and fraud prevention, in accordance with applicable data protection laws.
Further information about how Creditsafe and TransUnion process your personal data can be found in their respective privacy notices:
Creditsafe Privacy / Transparency Notice: Transparency Notice | Customers & Suppliers
TransUnion CRAIN (Credit Reference Agency Information Notice): https://www.transunion.co.uk/legal/privacy-centre/pc-credit-reference
TransUnion Bureau Privacy Notice: https://www.transunion.co.uk/legal/privacy-centre/pc-bureau
If you contact us by email or using the contact form on this Website, we will store your email address and, if you provide this information, your name and telephone number in order to be able to process your request and contact you.
In any case, we will collect, process and use the personal data provided in this way only for the purpose of responding to your query and/or giving you access to the information you requested.
The legal basis is Art. 6 (1) 1 lit. b) GDPR. Once the relevant purpose(s) is/are achieved, the personal data will be deleted.
The provision of certain personal data is primarily contractual and, in some circumstances, required to meet legal and regulatory obligations.
Personal data is required to:
enter into and perform contracts with customers, suppliers, or business partners.
process orders, manage accounts, and deliver goods and services.
verify identity and prevent fraud; and
comply with applicable legal, regulatory, accounting, and tax obligations.
What are the consequences of not providing personal data?
If you choose not to provide the personal data, we request:
we may be unable to enter into a contract with you.
we may be unable to fulfil orders, supply goods, or provide services.
we may be unable to conduct necessary verification, compliance, or fraud prevention checks; and
as a result, our services may be delayed, restricted, or declined.
Where personal data is requested for optional purposes, such as marketing communications, providing this data is not mandatory, and you may withdraw your consent at any time without affecting your ability to receive goods or services from us.
Non-Automated Decision Making and Profiling
We may use automated systems and tools to support certain business processes, such as risk assessment, fraud prevention, affordability checks, identity verification, or record management.
These tools may analyse personal data using predefined criteria or rules to generate indicators, scores, or recommendations. However, we do not make decisions that have a legal or similarly significant effect on individuals based solely on automated processing. Any such decisions are subject to meaningful human review.
The use of these tools may influence the speed or level of review applied to an application or request, but individuals will not be subject to automatic rejection or adverse decisions without human involvement.
For the technical infrastructure required for the operation of the website, the IT service providers commissioned by us receive your data as part of the technical support. All processors are contractually obligated to treat your data confidentially and to process it only within the scope of the commissioning by us.
Details of any international data transfers outside the UK/EU and the safeguards in place.
We may transfer personal data to recipients or service providers.
Where such transfers take place, we ensure appropriate safeguards are in place to protect personal data in accordance with applicable data protection laws. These safeguards may include the use of approved standard contractual clauses, international data transfer agreements, or transfers to countries that have been recognised as providing an adequate level of data protection.
You have the right at any time to receive from us free of charge information about the data stored about you, its origin, recipients or categories of recipients to whom this data is disclosed, and the purpose of storage.
You have the right to request that we correct any inaccurate personal data concerning you.
After termination of the relationship, your personal data will be deleted, if applicable, after expiration of the tax and commercial law as well as other statutory retention and limitation periods, unless you have expressly consented to the further use of your data.
Provided that legal retention periods are not affected by this and your data is no longer required for the processing of the contract or your inquiry, you can request the deletion of your data at any time.
You have the right to request the restriction of the processing of your data if the relevant requirements under the GDPR are met.
If the data processing is based on consent or on the performance of a contract and if it is also carried out using automated processing, you have the right to receive your data in a structured, common and machine-readable format and to transfer it to another data processor.
If the processing is based on an overriding legitimate interest, you have the right to object to the processing of your data. We will then no longer process your data unless we have a legitimate interest in processing your data that outweighs your interests, rights and freedoms.
If the processing of data is based on consent, you have the right to revoke your consent to the use of your data at any time with effect for the future. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.
You have the right to complain to a supervisory authority about the processing of your data.
WeChat