Privacy Policy
1. About this Privacy Policy
This Privacy Policy explains how OneCodeToRuleAll DOO, doing business as Lumaris Studio ("Lumaris," "we," "us," or "our"), collects, uses, shares, and protects personal data through the website located at lumaris-studio.com (the "Website") and any related interactions, including form submissions, downloads, scheduled calls, and email correspondence initiated through the Website.
We are committed to processing personal data in accordance with the Serbian Personal Data Protection Act (Zakon o zaštiti podataka o ličnosti, the "ZZPL"), the General Data Protection Regulation (Regulation (EU) 2016/679, the "GDPR") where applicable, the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA") where applicable, and all other applicable data protection laws.
This Privacy Policy is intended to be read alongside our Terms of Use. Capitalized terms used here but not defined have the meanings given to them in the Terms of Use.
2. Who we are (data controller)
The data controller responsible for personal data processed through the Website is:
OneCodeToRuleAll DOO
Business activity: software development agency, operating as Lumaris Studio
Registered office: Sinđelićeva 6, 19000 Zaječar, Republic of Serbia
Company registration number (matični broj): 21564516
Tax identification number (PIB): 111898813
Telephone: +381 60 130 9939
Email: marko@lumaris-studio.com
For all questions, requests, or complaints relating to personal data, the responsible contact is Marko Živić, reachable at marko@lumaris-studio.com.
We have assessed our processing activities and concluded that we are not required to appoint a Data Protection Officer under Article 56 of the ZZPL or Article 37 of the GDPR. Our core activities do not consist of large-scale systematic monitoring of data subjects or large-scale processing of special categories of personal data. We will reassess this designation if our processing activities change materially.
3. Personal data we collect
We collect personal data in the following categories:
3.1 Data you provide directly through forms and communications. This includes data you submit through the Free Video Audit form (your business email address, company name, YouTube channel URL or other video presence link, and focus area), data you submit through the Video Performance Guide download form (your business email address and, where applicable, your name and company), data you submit through the Fit Call booking interface (your name, business email address, scheduling preferences, and any free-form notes you choose to add), and the content of any email or message you send to us.
3.2 Data collected automatically through your use of the Website. When you visit the Website, we may automatically collect certain technical data, including your IP address (which may be partially anonymized for analytics purposes), browser type and version, operating system, device type, screen resolution, referring URL, pages visited, navigation paths, time spent on pages, and timestamps. This data is collected through cookies and similar technologies, subject to your consent as described in Section 6 below.
3.3 Data from third-party sources. In limited cases, we may receive data about you from third parties, including from public business directories, professional networking platforms where you have made information publicly available, or referrals from our existing clients or partners. Where we obtain personal data from third-party sources, we do so only when we have a lawful basis for processing it.
We do not knowingly collect any special categories of personal data (such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation), nor do we collect data relating to criminal convictions or offenses. We ask that you do not submit any such data through the Website.
4. How we collect personal data
We collect personal data through:
- the forms and interactive elements on the Website (Free Video Audit form, Video Performance Guide download form, Fit Call booking interface, and any other forms we may publish from time to time);
- direct email or telephone communications you initiate;
- cookies and similar tracking technologies, as described in Section 6;
- limited and specifically identified third-party sources, as described in Section 3.3.
5. Why we process personal data (purposes and lawful bases)
We process personal data for the purposes set out below, on the lawful bases identified for each.
5.1 To respond to your inquiry and provide the requested deliverable (audit, guide, call, or response to your message).
Lawful basis: performance of a contract or steps taken at your request prior to entering into a contract (Article 6(1)(b) GDPR / corresponding ZZPL ground).
5.2 To communicate with you about your inquiry and to provide follow-up information reasonably related to it.
Lawful basis: performance of pre-contractual steps (Article 6(1)(b) GDPR) and our legitimate interest in evaluating and pursuing prospective commercial relationships (Article 6(1)(f) GDPR), balanced against your rights and reasonable expectations as a business contact.
5.3 To operate, secure, maintain, and improve the Website and our services.
Lawful basis: our legitimate interest in operating a secure and effective business (Article 6(1)(f) GDPR).
5.4 To measure Website performance and understand visitor behavior through analytics.
Lawful basis: your consent (Article 6(1)(a) GDPR), obtained via our cookie consent mechanism.
5.5 To deliver, measure, and optimize advertising campaigns on advertising networks (currently Google Ads).
Lawful basis: your consent (Article 6(1)(a) GDPR), obtained via our cookie consent mechanism.
5.6 To comply with our legal obligations, including tax, accounting, and record-keeping obligations under the law of the Republic of Serbia.
Lawful basis: compliance with a legal obligation (Article 6(1)(c) GDPR).
5.7 To establish, exercise, or defend legal claims.
Lawful basis: our legitimate interest in protecting our legal rights (Article 6(1)(f) GDPR).
At the date of this Privacy Policy, we do not use personal data submitted through the Website to send marketing newsletters or commercial broadcasts. Communication with you following a form submission is limited to the response or deliverable you requested and to follow-up directly related to that request. If we introduce a marketing communications program in the future, we will only enroll you on the basis of a separate, specific, informed, and freely given opt-in (Article 6(1)(a) GDPR), and you will be able to withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.
6. Cookies and similar technologies
The Website uses cookies and similar technologies to function correctly, to measure traffic and performance, and to support advertising campaigns.
6.1 Strictly necessary cookies. These cookies are required for the Website to function and to remember your cookie consent preference. They do not require your consent because they are strictly necessary for the service you have requested.
6.2 Analytics cookies. We use Google Analytics 4 (provided by Google Ireland Limited and Google LLC) to understand how visitors interact with the Website. These cookies set a Google Analytics identifier on your device and transmit data about your visit to Google. They are not strictly necessary, and we set them only after you give your consent through the cookie banner displayed when you first visit the Website.
6.3 Advertising cookies. We use Google Ads (provided by Google Ireland Limited and Google LLC) to measure the effectiveness of our advertising campaigns and to enable conversion tracking when visitors arrive from advertising placements. These cookies are not strictly necessary, and we set them only after you give your consent through the cookie banner.
6.4 Embedded content. The Website may embed third-party content from Vimeo (operated by Vimeo.com, Inc.). When you interact with embedded Vimeo content, Vimeo may set cookies and collect data about your interaction in accordance with its own privacy practices.
6.5 Managing your preferences. You can withdraw or change your consent for non-essential cookies at any time by clearing the consent banner cookie in your browser and refreshing the Website. Most browsers also allow you to control cookies through their settings. Disabling cookies may affect certain features of the Website.
7. Third-party services and sub-processors
We rely on a limited number of third-party service providers (each a "processor" or "sub-processor") to operate the Website. Each processor processes personal data on our behalf, under contractual data-protection commitments. The current list of processors is:
7.1 Vercel Inc. (United States). Provides hosting infrastructure for the Website. Processes IP addresses, request metadata, and any data submitted through the Website incidental to its delivery.
7.2 Google Ireland Limited and Google LLC (Ireland and United States). Provides Google Analytics 4, Google Ads conversion tracking, and Google Tag Manager. Processes IP addresses (typically truncated), device identifiers, browser metadata, and behavioral data, subject to your cookie consent.
7.3 Vimeo.com, Inc. (United States). Provides video hosting and embedded playback for portfolio and educational content. Processes IP addresses and playback interaction data when you interact with embedded video, in accordance with Vimeo's own privacy policy.
7.4 Calendly LLC (United States). Provides scheduling functionality for the Fit Call booking interface. Processes your name, business email address, scheduling selections, and any free-form information you provide to book a call.
7.5 Web3Forms (operated by Statichunt Technologies Private Limited). Provides form-processing infrastructure that routes Website form submissions to our email inbox. Processes the contents of your form submission in transit.
We review and update this list when our processor relationships change. If you would like the current version of our processor list at any time, please contact us at marko@lumaris-studio.com.
8. International data transfers
Some of our processors are established in, or process data in, jurisdictions outside the Republic of Serbia and outside the European Economic Area, including the United States.
Where such transfers occur, we ensure that an appropriate transfer mechanism is in place. For transfers from the EEA to the United States, we rely on the European Commission's adequacy decision for the EU-U.S. Data Privacy Framework where the receiving processor is certified under it, or on Standard Contractual Clauses approved by the European Commission, supplemented by additional technical and organizational safeguards where appropriate. For transfers from the Republic of Serbia, we rely on the corresponding mechanisms available under the ZZPL, including the Standard Contractual Clauses adopted by the Commissioner for Information of Public Importance and Personal Data Protection.
You may request a copy of the safeguards in place for any specific transfer by contacting us at marko@lumaris-studio.com.
9. Data retention
We retain personal data only for as long as is necessary for the purposes for which it was collected, or for the duration required to comply with our legal obligations, resolve disputes, and enforce our agreements. Our default retention periods are:
9.1 Audit request submissions and pre-engagement correspondence: 24 months from the date of last meaningful contact, after which records are deleted or anonymized.
9.2 Fit Call booking records: 24 months from the date of the call (or the cancelled appointment), after which records are deleted or anonymized.
9.3 Video Performance Guide download records: 24 months from the date of download, after which records are deleted or anonymized.
9.4 Marketing email subscribers (where future newsletter subscription is introduced): until you unsubscribe, and in any event no longer than 24 months from the date of last engagement (open, click, or reply), after which the record is deleted unless you re-confirm subscription.
9.5 Google Analytics 4 user and event data: 14 months from the date of collection (the GA4 retention period configured for our property), after which user-level data is automatically deleted from Google's systems. Aggregate and anonymized data may be retained.
9.6 Google Ads conversion data: subject to Google's own retention periods, with the click-through attribution window configured at 90 days.
9.7 Financial and tax records: retained for the period required by Serbian tax and accounting law, regardless of the periods above.
After the applicable retention period expires, we delete personal data or anonymize it so that it can no longer be associated with you.
10. Sharing and disclosure
We do not sell your personal data. We do not share your personal data with third parties for their independent marketing purposes.
We may share personal data in the following limited circumstances:
10.1 With our processors, as described in Section 7, strictly to deliver the services they provide to us and under appropriate contractual safeguards.
10.2 With our professional advisors (such as accountants, auditors, and external legal counsel) acting under duties of confidentiality, where reasonably necessary for the operation, protection, or compliance of our business.
10.3 With public authorities or courts, where we are legally required to do so by a valid order, request, or process under applicable law.
10.4 In connection with a corporate transaction, such as a merger, acquisition, restructuring, or sale of assets, in which case we will require the recipient to honor the commitments made in this Privacy Policy.
We do not disclose any personal data submitted in connection with a confidential pre-engagement discussion to any third party except as set out above or as separately agreed in writing.
11. Your rights
Subject to and in accordance with the ZZPL, the GDPR (where applicable), the CCPA/CPRA (where applicable), and other applicable data protection laws, you have the following rights in relation to your personal data.
11.1 Right of access. You may request confirmation as to whether we process personal data about you and, where we do, a copy of that data and information about the processing.
11.2 Right to rectification. You may request correction of any inaccurate personal data we hold about you, or completion of incomplete data.
11.3 Right to erasure. You may request deletion of your personal data where one of the legal grounds for erasure applies (for example, where the data is no longer necessary, where you withdraw consent and we have no other lawful basis, or where the data has been unlawfully processed).
11.4 Right to restriction of processing. You may request that we restrict the processing of your personal data in certain circumstances (for example, while we verify the accuracy of disputed data).
11.5 Right to data portability. You may request that we provide you with the personal data you have provided to us in a structured, commonly used, machine-readable format, or transmit it to another controller, where the processing is based on consent or contract and is carried out by automated means.
11.6 Right to object. You may object to the processing of your personal data where we rely on legitimate interests as the lawful basis. Where you object to processing for direct marketing purposes, we will stop the marketing processing.
11.7 Right to withdraw consent. Where we process personal data on the basis of your consent, you may withdraw that consent at any time, without affecting the lawfulness of processing carried out before withdrawal.
11.8 Rights under the CCPA/CPRA (California residents). If you are a California resident, you have the additional rights to know what categories of personal information we collect and disclose, to request deletion of your personal information, to correct inaccurate personal information, to opt out of any sale or sharing of personal information for cross-context behavioral advertising (we do not sell personal data, but our use of advertising cookies may constitute "sharing" under the CCPA/CPRA, and you may opt out via our cookie banner), and to non-discrimination for exercising your rights.
11.9 Right to lodge a complaint. You have the right to lodge a complaint with a competent data protection supervisory authority. In Serbia, the supervisory authority is the Commissioner for Information of Public Importance and Personal Data Protection (Poverenik za informacije od javnog značaja i zaštitu podataka o ličnosti), Bulevar kralja Aleksandra 15, 11000 Belgrade, Serbia, www.poverenik.rs. If you are located in the European Economic Area, you may also lodge a complaint with the supervisory authority of the EU member state of your habitual residence, place of work, or place of the alleged infringement.
12. How to exercise your rights
To exercise any of the rights set out in Section 11, please contact us at marko@lumaris-studio.com with a clear description of your request. We may need to verify your identity before we can act on a request, and we may ask you for additional information for that purpose.
We will respond to your request within thirty (30) days of receipt. Where a request is particularly complex or where we receive a high volume of requests, we may extend this period by up to a further sixty (60) days, in which case we will inform you of the extension and the reasons for it within the initial thirty-day period.
There is no fee for exercising your rights. However, we may charge a reasonable administrative fee, or refuse to act on a request, where the request is manifestly unfounded or excessive, in accordance with applicable law.
13. Marketing communications
At the date of this Privacy Policy, we do not send marketing communications, newsletters, or commercial broadcasts to individuals whose personal data we have collected through the Website. Communication with you following a form submission is limited to the response or deliverable you requested and to follow-up directly related to that request.
If we introduce a marketing communications program in the future, we will only enroll you on the basis of a separate, explicit, informed, and freely given opt-in. You will be able to unsubscribe at any time, free of charge, using the unsubscribe link in any marketing message or by contacting us at marko@lumaris-studio.com.
14. Children's data
The Website is intended for business representatives over the age of 18 acting in a professional capacity. The Website is not directed to children. We do not knowingly collect personal data from individuals under the age of 18. If you believe a minor has provided personal data through the Website, please contact us at marko@lumaris-studio.com and we will take prompt steps to delete it.
15. Security
We implement appropriate technical and organizational measures designed to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure. These measures include encryption of data in transit, restricted access controls, secure infrastructure provided by reputable cloud providers, and ongoing review of our security practices.
No security measure can guarantee absolute security. You acknowledge that any transmission of data over the internet involves residual risks that cannot be entirely eliminated.
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the competent supervisory authority within seventy-two (72) hours of becoming aware of the breach, where required by applicable law. Where the breach is likely to result in a high risk, we will also notify affected individuals without undue delay.
16. Automated decision-making and profiling
We do not make decisions based solely on automated processing that produce legal effects concerning you or similarly significantly affect you. Our use of analytics and advertising tools may involve limited automated grouping of visitors for measurement and ad optimization purposes, but no such grouping results in a decision that affects your legal status, rights, or obligations.
17. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, our processors, the legal landscape, or the services we offer. The "Effective date" and "Last updated" fields at the top of this Privacy Policy reflect the date of the most recent revision.
Where a revision materially changes how we process your personal data, we will use commercially reasonable efforts to notify affected individuals through email or prominent notice on the Website. Your continued use of the Website after a revised version is posted constitutes your acknowledgement of the revised Privacy Policy. Where consent is required, we will request your fresh consent in respect of any new processing activity.
18. Contact and complaints
For any question, request, or complaint relating to this Privacy Policy or the processing of your personal data, please contact:
OneCodeToRuleAll DOO (Lumaris Studio)
Attn: Marko Živić, Privacy Contact
Sinđelićeva 6, 19000 Zaječar, Republic of Serbia
Email: marko@lumaris-studio.com
Telephone: +381 60 130 9939
If you are not satisfied with our response, you have the right to lodge a complaint with the Commissioner for Information of Public Importance and Personal Data Protection in Serbia (www.poverenik.rs) or, if you are located in the European Economic Area, with the supervisory authority of your country of habitual residence, place of work, or place of the alleged infringement.