Privacy Policy
In compliance with the Personal Data Protection Act 2022, The Gambia
1. Data Controller
LUMOO Gambia Ltd is the data controller responsible for your personal data.
2. What Data We Collect
- Name and email address (registration)
- Delivery address (orders)
- Order history and transaction records
- Payment proof images (uploaded by you)
- Product reviews and ratings
- Technical data: IP address, browser type, cookies
3. How We Use Your Data
- Process and fulfil your orders
- Verify payments and prevent fraud
- Send order status updates and notifications
- Improve our platform and services
- Comply with legal obligations under Gambian law
4. Legal Basis (PDPA 2022)
Under the Personal Data Protection Act 2022 of The Gambia, we process your data based on:
- Contract performance — processing necessary to fulfil your orders
- Consent — for cookies and marketing (you may withdraw at any time)
- Legitimate interest — fraud prevention and platform security
- Legal obligation — compliance with Gambian laws and regulations
5. Your Rights
Under the Gambia PDPA 2022, you have the right to:
- Access — request a copy of your personal data
- Rectification — correct inaccurate data
- Erasure — request deletion of your data ("right to be forgotten")
- Portability — receive your data in a structured format
- Restriction — limit how we process your data
- Objection — object to data processing for direct marketing
- Withdraw consent — at any time, without affecting past processing
To exercise any of these rights, contact us at privacy@lumoo.my. We will respond within 30 days.
6. Data Retention
We retain personal data for up to 365 days, after which it is securely deleted or anonymised.
7. Cookies
We use essential cookies for site functionality and session management. With your consent, we may use analytics cookies to improve our service. You can manage cookie preferences at any time via the consent banner.
8. Data Security
We implement appropriate technical and organisational measures to protect your data, including encrypted storage of payment proof images, hashed passwords, and HTTPS-only communication. In the event of a data breach, we will notify the Personal Data Protection Agency and affected users within 72 hours as required by the PDPA 2022.
9. Complaints
If you believe your data rights have been violated, you have the right to lodge a complaint with the Personal Data Protection Agency of The Gambia (PDPA). We encourage you to contact us first so we can resolve your concern directly.
Last updated: 2026 · LUMOO Gambia