GDPR

Version: 1.0 
Effective Date: [DD MMM YYYY] 
Next Review: [DD MMM YYYY] 
 
This policy sets out how Illumos Ltd. (“we”, “us”, “our”) protects personal data in line with the EU GDPR and UK GDPR. It applies to all processing of personal data relating to our B2B contacts (customers, suppliers, and prospects), website users, and employees/contractors. 
1) Scope & Definitions 
This policy covers all business units and systems (ecommerce store(s), CRM/ERP, email marketing, payment processing, logistics/shipping, warranty/returns, customer support, HR). It applies to data collected via website forms, phone calls, emails, and third-party integrations. We are typically the controller for customer and employee data; vendors such as payment gateways and cloud platforms act as processors. 
We collect and process personal data to: 
- Manufacture and deliver LED lighting products 
- Manage B2B relationships with clients and suppliers 
- Operate our e-commerce platform 
- Provide customer service and technical support 
- Send product updates and promotional offers 
 
Categories of personal data: 
- Identity and contact data (name, company, email, phone) 
- Transaction data (orders, invoices, payment details) 
- Technical data (IP address, browser type, device info) 
- Communication data (emails, support tickets) 
 
2) Roles & Responsibilities 
Board: Ensures resources and promotes a culture of privacy by design and default.  
Data Protection Lead / DPO (if appointed): Advises on obligations, monitors compliance, and is the contact point for regulators and data subjects.  
Department Heads: Maintain accurate Records of Processing Activities (RoPA) and ensure staff training.  
All staff: Handle personal data only as instructed, use company-approved tools for communication and data sharing, complete mandatory training, and report incidents immediately. 
 
3) Lawful Bases for Processing 
We process personal data only when a lawful basis applies. 
Under UK GDPR, we rely on:  
- Contract (order placement, payment, shipping, warranty, support) 
- Consent (for marketing) 
- Legitimate interest (for site analytics and improvement) 
 
4) Data We Process (by category) 
Customers (B2B): Business information & contact details; order, delivery, and returns data; payment tokens (via payment processor); communications; preferences/consents; website analytics & device/usage data (with consent where required). 

B2B Contacts: Names, role, business email/phone, interaction history; opt‑out preferences. 

Employees/Contractors: HR/payroll data, performance, access logs (handled under separate HR policy). 

Vendors/Partners: Business information & contact details, transactional data and due‑diligence records. 
 
5) Data Protection Principles 
 
We embed GDPR’s principles into our operations: 
 
Lawfulness, fairness, transparency — clear notices; no hidden uses. 
Purpose limitation — use data only for explicit purposes. 
Data minimisation — collect what we need, nothing more. 
Accuracy — keep data current; rectify promptly. 
Storage limitation - retain only as long as necessary. 
Integrity & confidentiality — protect against unauthorised processing, loss, or damage. 
Accountability — we maintain documentation proving compliance. 
 
6) Privacy by Design & Default 
We build privacy into our systems and processes by minimising data fields on forms and disabling non‑essential tracking until consent is given. 
We apply role‑based access, secure defaults and periodic configuration reviews, and we keep data only as long as required. 
 
7) Transparency: Privacy Notices 
We provide layered, plain‑language notices at or before collection, including: purposes, lawful bases, recipients, international transfers, retention, rights, and contact details. Website cookie banners explain non‑essential cookies and obtain consent where required. 
 
8) Consent & Preference Management 
Consent is freely given, specific, informed, and unambiguous (no pre‑ticked boxes). 
We log consent, allow easy withdrawal, and respect “do not market” preferences across systems. 
B2B outreach respects legitimate‑interest balancing. 
 
9) Records of Processing Activities (RoPA) – Appendix A 
We maintain detailed records of all personal data processing activities to comply with GDPR. These records demonstrate accountability, transparency, and lawful processing, and must be available to supervisory authorities upon request. 

10) Data Retention & Deletion – Appendix B 
Retention is defined per purpose (e.g., orders, warranties/returns, customer service records, financial/tax records, marketing consent logs). 
We anonymise or securely delete data when no longer needed and maintain deletion evidence logs. 
Retention periods reflect legal/tax obligations in relevant jurisdictions; marketing data is retained until consent withdrawal or defined inactivity thresholds. 
 
11) Security Measures 
We implement robust measures to protect personal data. 
Technical: TLS/SSL encryption on our website; firewalls and anti-malware systems; strong authentication; role‑based access controls; logging and monitoring; personal data stored in a cloud-based CRM system (e.g., HubSpot) with role-based access controls; secure development and patching; encrypted backups on secure cloud-based storage systems. 
 
Organizational: Access reviews; vendor due diligence; vendor access to data limited to the minimum necessary for service delivery; staff training; clean desk; incident drills. 
 
Payment data: Secure payment gateways; we do not store raw card details. 
 
Physical: Secure facilities, CCTV, and controlled access for any on‑prem systems. 
 
12) Processors & International Transfers 
We only use processors that meet GDPR requirements. When personal data is transferred outside the EEA or UK, we follow GDPR transfer rules and ensure adequate safeguards are in place to protect the personal data. 
 
13) Data Subject Rights (DSRs) – Appendix C 
We recognise and operate processes for the following rights: 
Access, rectification, deletion, restriction, portability, objection, and withdrawal of consent. We verify identity, respond without undue delay (normally within one month), and maintain a DSR log. 
Marketing objections are honored promptly across all systems. 
 
14) Direct Marketing & Cookies 
Email/SMS/phone marketing: Respect consent or legitimate interest as applicable; include clear unsubscribe options; screen against applicable preference services by jurisdiction. 
Cookies & tracking: Prior consent for non‑essential cookies; easy reject options; granular controls; a public cookie list that stays current. 
 
15) Data Breach Response 
Any suspected breach must be reported immediately to the Data Protection Lead. 
We follow an incident plan: contain, assess risk, document, and notify the regulator within 72 hours when required; inform affected individuals where high risk exists; keep an incident register. 
 
16) Training & Awareness  
All staff complete induction and annual refresher training; key roles receive role‑specific modules (customer support, marketing, engineering, warehouse/logistics). Managers ensure completion and corrective actions where needed. 
 
17) Audits & Continuous Improvement 
Quarterly checks on consent logs, suppression lists, cookie banner behavior, and access rights. 
Annual RoPA review, retention schedule review, and vendor re‑assessments. 
Findings feed into our risk register and improvement plan. 
 
18) Children’s Data 
Our products and services are not directed at children. We do not knowingly collect children’s data. If we discover such data, we will delete it promptly unless legally required to keep it. 
 
19) Document Control 
 Version history: [[v1.0 – Initial release, DD Mon YYYY]] 
Approval: [[Executive/Board name & role]] 
Next review date: [[DD Mon YYYY + 12 months]]. 
 
Appendix A — RoPA 
Insert path 
 
Appendix B — Standard Retention Schedule 
Orders & invoices: keep for the legal/tax retention period (6 years from the last financial year they relate to), then securely delete or anonymise. 
Customer service (emails, tickets, returns): 6 years after last interaction (including the 3-year warranty/claims window). 
Marketing contact data & consent logs: until withdrawal or a defined inactivity period of 24 months, then delete/suppress. 
Website analytics (non-essential; with consent): Squarespace Analytics 25 months; Google Analytics (GA4) 14 months or shorter. 
B2B contact records: as long as relevant to the relationship or until objection; review at least annually. 
HR/payroll: per statutory schedules; see HR policy. 
 
Appendix C — Data Subject Request (DSR) log 
Insert path