Lumen
Privacy Policy

Your trust matters to us. This policy explains how we handle your personal information.

Effective Date: 1 March 2025
Last Updated: 15 January 2026

Welcome to Lumen Cards

Your trust matters to us. This policy explains how we handle your personal information—what we collect, why we collect it, and how we keep it safe. We follow UK GDPR and the Data Protection Act 2018 to protect your privacy.

Who We Are

Lumen Cards ("we", "us", "our") is the data controller for your personal data.

Contact us anytime:

Email: privacy@lumen.cards

Mail: 3rd Floor, 86-90 Paul Street, London EC2A 4NE

We are registered with the Information Commissioner's Office and our ICO registration number is ZB905149.

Please note that our partner, Transact Payments Limited (“TPL”), is the issuer of your payment card and is an independent data controller for the personal data which you provide to us in relation to processing undertaken to enable you to use the card. TPL is an e-money institution, authorised and regulated by the Gibraltar Financial Services Commission. When you apply for a Lumen Credit Card, you agree to TPL’s Cardholder Terms and Conditions and Privacy Policy, which are provided to you when you sign up for a card. They are also available within the Lumen mobile application. We encourage you to read the TPL Privacy Policy.

What This Policy Covers

  • The types of personal data we collect
  • How we use and share your data
  • Your rights and choices
  • How to get in touch with us

What We Collect

Depending on how you interact with us, we may collect the following information about you:

Contact or identity data, such as your name, home address, email address, phone number, date of birth, government-issued identifier (e.g. passport, driving licence, or other government ID), nationality, username and password, and other information that directly identifies you.

Account data, such as account number, account history, account balances, loan details, and property information.

Transaction data, such as credit/debit card purchases, payment or transaction history, or statements.

Credit report information, such as your credit score, credit history, and other information that we receive from credit reporting agencies.

Demographic data, such as gender, marital status, age, household size/composition, income, occupation and employment status.

Vulnerability data, based on the above data and further information provided by you, such as health condition, financial difficulty, and additional assistance required.

When you use or interact with our Online Services, including, for example, when you browse our website or use our mobile app, we may also collect:

Device data, such as your device type, web browser type and version, operating system type and version, display/screen settings, language preferences, internet protocol address, mobile network information, general location (e.g. city or country), cookie IDs, device IDs, mobile advertising IDs (e.g., Apple’s IDFA or Google’s Advertising ID), and likely connections among different browsers and devices that you use (collectively, “Device Data”).

Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.

Behavioural data, which includes information about your usage of our services, such as interaction with our website or app, and movement patterns.

Survey and research data, such as your responses to questionnaires, surveys, requests for feedback, and research activities.

Our Services are not intended for children; we do not lend to anyone under the age of 18. Thus, we do not knowingly collect data relating to children.

What if you don't provide the information we request?

We require certain personal data to fulfil our contractual obligations and comply with legal and regulatory requirements. For example, we need your contact details to manage your account and your credit history to assess your eligibility for our products and ensure responsible lending.

If you choose not to provide the information we request, we may be unable to proceed with offering you a credit card or product, or to perform essential functions related to your account. In some cases, this may result in us having to cancel or decline a product or service. We will inform you if this becomes necessary.

However, where permitted, we may continue to process any personal data we already hold for other purposes outlined in our privacy notice.

How We Collect It

We get personal data about you from a number of sources as set out below:

  • Personal data you provide when you request a quote directly from us or via a price comparison, aggregator or similar website or if you apply to us for a card and/or one of our products.
  • Personal data you give to us in emails, letters, via online servicing (including via chat and chatbots), during phone calls (including any phone numbers that you use to contact us on).
  • Personal data we obtain about the IP address, operating system, devices and browser that you use, including the location of any devices used by you.
  • Personal data we obtain about you from the software we use to prevent fraud when transactions are made using your account.
  • Personal data you give when you participate in surveys, promotions or competitions.
  • Personal data we receive when making a decision about your quote, application or account, including personal data we receive from enquiries and searches made at CRAs or from publicly available sources, for example the electoral roll.
  • Personal data we continue to exchange about you with CRAs on an ongoing basis. For more information about the information that we share with CRAs and how CRAs use your personal data in this manner please see the relevant section below.
  • Personal data we have about any account you have with us including details of transactions and payments.
  • Personal data we collect using analytics tools to track website page content and click/touch, movement, scroll, and keystroke activity.
  • Personal data from card issuers or other organisations that you use to search for credit products, including price comparison, aggregator or similar websites that you visited before clicking through to any of our websites.
  • Personal data we get through open banking services. This involves us accessing account information that is held by other financial institutions, such as your bank account statements. We get open banking information through third party service providers. We refer to this information as “open banking data”.

How We Use Your Data

As described in more detail in the table below, we will use the information we collect or information you provide to our trusted third parties:

  • to provide our credit card services to you.
  • to help us improve our products and services to ensure they better suit our customers’ needs.
  • to carry out security checks, which helps us protect your account and our systems.
  • to confirm your identity before we provide credit cards to you, so we can prevent identity fraud, money laundering, and other forms of financial crime.
  • to complete an affordability assessment to determine whether you are eligible for a credit card or whether you are eligible for a credit limit increase.
  • for our staff training.
  • to communicate with you.
  • to meet our legal obligations and to comply with relevant regulations.
  • where we have a legitimate interest in using your information, for example to protect our business interests; and,
  • to inform you about our products and services that relate to you.

Basis for Processing

Data Protection Law protects you and your personal information by requiring organisations to justify its use in a Privacy Notice like this. The General Data Protection Regulation as incorporated in the UK (GDPR) specifies six lawful bases for organisations to process personal data.

We’ve summarised the ones relevant to the way we use information at Lumen below.

Necessary to fulfil our service/contract – We need to collect, store and process some of your data in order for us to be able to provide our service to you. This basis covers things like us storing your contact details so we can respond to your queries or remind you that your payment due date is coming up.

Consent - Where you agree you have given clear consent for us to process your data for a particular purpose, like opting-in to receiving marketing from us. You can withdraw consent at any time, although this might impact your service.

Legal or Regulatory requirement - Where we are required by law, or by our regulators, to maintain certain records, such as our financial accounts for UK tax authorities.

Legitimate business interest - This is when we do the things that you would expect us to do in the normal course of running a business. This could include monitoring use of the website, online servicing or mobile app to prevent cyberattack or fraud, to keep our customers safe, to improve our products and services, and to prevent financial loss.

The table below shows the key processes we perform and the related lawful basis:

We process your data: Justified by this Legal Basis
To provide and manage your accounts and our relationship with you.
  • Necessary to fulfil our service/contract
  • Legal or Regulatory requirement
  • Legitimate business interest – to ensure that Lumen provides a high standard of service
To give you statements, balances, alerts, and other important information about your service.
  • Necessary to fulfil our service/contract
  • Legal or Regulatory requirement.
To handle enquiries and complaints.
  • Necessary to fulfil our service/contract
  • Legal or Regulatory requirement
  • Legitimate business interest – to ensure your queries are investigated and resolved to a high standard of service.
To provide our services to you
  • Necessary to fulfil our service/contract
  • Legal or Regulatory requirement.
To assess your credit needs and to determine your eligibility for our service.
  • Necessary to fulfil our service/contract
  • Legal or Regulatory requirement
  • Legitimate business interest.
To evaluate, develop and improve our services to you.
  • Legitimate business interest – to evaluate, develop or improve our products and user experience.
To protect our business interests and to develop our business strategies.
  • Legitimate business interest – to protect our people, and business strategies
  • Necessary to fulfil our service/contract
  • Legal or Regulatory requirement
  • Consent.
To contact you, by post, phone, text, email and other digital methods in order to provide you with servicing, selected product information and marketing communication from us
  • Legal or Regulatory requirement
  • Consent
  • Necessary to fulfil our service/contract.
To make or receive any type of payment or transaction
  • Legitimate business interest
  • Necessary to fulfil our service/contract
  • Legal or Regulatory requirement.
To prevent, detect, investigate, and prosecute fraud and alleged fraud, money laundering and other crimes, and to check your identity.
  • Legal or Regulatory requirement
  • Legitimate business interest – to prevent and investigate fraud, money laundering and other crimes.
To monitor, record and analyse any communications between you and us, including phone calls.
  • Legal or Regulatory requirement
  • Legitimate business interest – to prevent and investigate fraud and to improve our service to you.
To transfer your information to or share it with any organisation following a restructure, sale or takeover.
  • Necessary to fulfil our service/contract
  • Legitimate business interest – restructuring or selling part of our business.
To share your information with relevant tax authorities, credit reference agencies, fraud prevention agencies.
  • Legal or Regulatory requirement
  • Legitimate business interest.
To share your information with our partners and service providers.
  • Necessary to fulfil our service/contract
  • Legitimate business interest.
To make our online advertising content relevant to you and remove adverts that we know aren’t suitable or relevant to our customers.
  • Consent.

Your Rights

Under certain circumstances, you have rights under data protection laws in relation to your personal data. You have the right to:

"Request access" to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.

"Request correction" of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.

"Request erasure" of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.

"Object to processing" of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.

"Request restriction of processing" of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:

  1. if you want us to establish the data's accuracy;
  2. where our use of the data is unlawful, but you do not want us to erase it;
  3. where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or
  4. you have objected to our use of your data, but we need to verify whether we have overriding legitimate grounds to use it;

"Request the transfer" of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to information which you initially provided consent for us to use or where we used the information to perform a contract with you; and

"Withdraw consent at any time" where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

If you wish to exercise any of the rights set out above, please contact us as above.

Sharing Your Data

From time to time we may need to share your information with third parties, to ensure we're able to meet our obligations as a responsible lender and to protect our customers and ourselves against fraud. Lumen Cards will make every effort to protect your personal data, share only with trusted organisations and will not sell on any personal information it holds.

Sharing your Information with CRAs

In order to process your quote or application, we will perform credit and identity checks on you with one or more CRAs. Where you take financial services from us, we may also make periodic searches at CRAs to manage your account with us. Where you have been declined for a credit product and have decided to appeal the decision, we will perform another search with certain CRAs. A "soft search" allows us to make a check on your credit file and will leave a footprint so that you can see that we made the check, but the search will not show up to other lenders and will not affect your credit rating. We use soft searches when we carry out eligibility checks, in order to provide quotes and where you have appealed a decline decision. If you make an application for one of our products, we perform a "hard search" with certain CRAs. These searches are visible to other lenders and may affect your credit rating.

To do this, we will supply your personal data to CRAs and they will give us information about you. This will include information from your credit application and about your financial situation and financial history. CRAs will supply to us both public (including the electoral register) and shared credit, financial situation and financial history information and fraud prevention information.

We will use this personal data to:

  • Assess your creditworthiness and whether you can afford to take the product.
  • Verify the accuracy of the data you have provided to us.
  • Where you are applying for a balance transfer, to check whether the account from which the balance is transferring is registered to the same address as the address that you have provided to us.
  • Prevent criminal activity, fraud and money laundering.
  • Manage your account(s).
  • Trace and recover debts; and
  • Ensure any offers provided to you are appropriate to your circumstances.

We will continue to exchange personal data about you with CRAs while you have a relationship with us.

We will also inform some CRAs about your settled accounts. If you borrow and do not repay in full and on time, then CRAs will record the outstanding debt. This information may be supplied to other organisations by CRAs.

When CRAs receive a search from us they will place a search footprint on your credit file that may be seen by other lenders.

Equifax, Experian and TransUnion, the ICO and the major financial services trade associations have developed a common statement, the Credit Reference Agency Information Notice (CRAIN). This defines the standards that all three Credit Reference Agencies will apply across all products and services in relation to processing consumer data. These can be found at experian.co.uk/crain, transunion.co.uk/crain, and equifax.co.uk/crain.

If you have any further questions about our use of CRAs (or would like to receive details of these agencies) please email us using the contact details provided above in this Privacy Policy.

Sharing your information with Fraud Prevention Agencies

We will share your information with fraud prevention agencies (including CIFAS, the UK’s largest fraud database) who will use it to prevent fraud and money laundering. They may share information back with us to confirm your identity.

Fraud prevention agencies may also allow law enforcement agencies to access and use your personal information to detect, investigate and prevent crime. If fraud is detected, you could be refused certain services or finance. Fraud prevention agencies can hold your personal information for different periods of time. If you are considered to present a fraud or money-laundering risk, they can hold your information for up to six years.

For more information, please refer to CIFAS https://www.cifas.org.uk/fpn.

Identity Verification

As part of our credit card application, we may ask you to provide personal data directly to our partner, Yoti. They may collect personal information extracted from consensually submitted identification documents. They use facial biometric data extracted from your submitted photos, videos and contact details to verify your identity and protect you and our financial interests.

Once processed, an identity decision is provided back to us.

Open Banking

As part of our credit card application process, we may also ask you to use Open Banking to connect with our partner, D-One. They may access your account information from other financial institutions following your consent for them to do so. If you give consent for D-One to access this account information, they will share this with us. This data can include information about your account details, transactions and account balances.

Where available, we may use Open Banking information to assess whether we are able to offer you a credit limit increase. If you have not given consent to D-One to access your account information from other financial institutions and provide this to us, we may contact you to ask for permission.

Who else we may share your information with

We may share your information under certain circumstances with:

  • Other finance companies to process payments (such as Visa and Mastercard).
  • Other companies to process transactions (such as Apple Pay and Google Pay).
  • Other financial institutions and third parties when you make payments towards your account (such as GoCardless). This enables us to process payments quickly and directly through your bank account.
  • Other third parties where we outsource our Collections activity, as appropriate.
  • The companies that make our physical credit cards.
  • Central Government, Regulators and Tax Authorities; or,
  • Law enforcement.

Transferring Data Overseas

We and third parties with whom we share personal data may transfer your personal data overseas so that we can manage your account and provide other services from countries within the European Economic Area (EEA) (where similar data protection standards apply as in the UK) and countries outside the EEA. When personal data is transferred to countries outside of the UK and the EEA, those countries may not offer an equivalent level of protection for personal information to the laws in the UK. Where this is the case, we and those third parties will ensure that appropriate safeguards are put in place to protect your personal information. We make sure your data is protected by:

  • UK adequacy decisions
  • Standard Contractual Clauses (SCCs)
  • Extra safeguards like encryption and strict access controls

Automated Decision-Making

We sometimes use tools (algorithms) to make decisions on our behalf. This is referred to as automated decision-making. We have provided further detail regarding the means and purposes of automated decision-making below.

How the automated processes make decisions

We use automated decision-making for the following purposes, which are necessary for the performance of the contract between us, and to comply with our legal and regulatory requirements:

  • To verify you and assess your application for an account. Our algorithms verify your identity and assess your suitability for an account with us based on information such as your age, residency, nationality, financial position and other circumstances, such as the results of anti-money laundering and sanctions checks. This means that we may automatically decide that you present a fraud or money-laundering risk or pose a risk to us in terms of breaking financial sanctions, in which case we will reject your application for an account.
  • To determine creditworthiness and affordability. This is based on the information we collect regarding your income, spending and credit history. We may also use open banking data, collected and provided to us by third parties. We use this to decide how easily you will be able to manage repaying credit and the interest rate we may charge you. We may compare you with other people in a set (for example, people who are in a certain age bracket may be more likely to be able to manage credit).
  • To decide whether we need to help you. If our algorithms detect that you may have become financially vulnerable, we may have a regulatory obligation to help you. Such decisions may be based on your repayment history and adverse changes to your credit score, together with additional information you have provided to us.
  • To detect and prevent fraud. Our algorithms may freeze a transaction or account if we suspect fraud or money-laundering against Lumen or our customers. Such decisions are based on patterns in our data, such as a Lumen service being used in a way that fraudsters work.

Personal data derived from the above will be used to obtain information about you from, and carry out checks with, credit reference agencies (for further details, please see the section below regarding credit reference and fraud prevention agencies).

If you do not pass all of our checks then your credit card application will either be refused or will be referred for further checks and additional consideration by us.

Your rights relating to automated decision-making

You have the right to request that we review or reconsider any decision that we make about your application which is based solely on automated processes. If you wish to exercise this right, please contact us as above.

How Long We Keep Your Data

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements. By law we have to keep information about our customers for six years after they cease being customers for regulatory and tax purposes.

In some circumstances you can ask us to delete your data: see your legal rights above for further information.

In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

Cookies

We use cookies to make our website work better and to improve your experience. See our [Cookie Policy link] for details.

Complaints

You have the right to make a complaint at any time to the Information Commissioner’s Office, the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concern before you approach the ICO, so please contact us in the first instance.

Contact Us

Have questions or want to exercise your rights?

Email: privacy@lumen.cards

Mail: 3rd Floor, 86-90 Paul Street, London EC2A 4NE

You can also contact the Information Commissioner’s Office (ICO) at ico.org.uk.

Updates

We may update this policy from time to time. The latest version will always be on our website.