Privacy Policy
1. Who we are
Cordint Ltd (company number 09579776) is the provider of the Lumiuz software-as-a-service platform. In this Privacy Policy, “Cordint”, “we”, “us” and “our” refer to Cordint Ltd.
Lumiuz is a platform used to manage employee and workforce background screening, identity verification workflows, candidate communications, document collection, check ordering, reporting, and related compliance processes.
Registered office:21 Great Bounds Drive, TN4 0TR, United Kingdom. If you have questions about this Privacy Policy or how we use personal data, please contact us using those details. Privacy contact / DPO: dpo@lumiuz.co.uk.
2. How this policy applies
This Privacy Policy covers personal data processed by Cordint when: (a) organisations subscribe to and use Lumiuz; (b) candidates or screened individuals interact with Lumiuz workflows, portals, forms, or communications; (c) users interact with our website, demos, sales process, onboarding, or support channels; and (d) we administer our contracts, security, compliance, and corporate operations.
In many cases, the employer, recruiter, or other customer using Lumiuz decides why screening is carried out and what checks are requested. In those cases, that customer is the controller of candidate information and Cordint usually acts as its processor. The customer’s own privacy notice will therefore also apply.
Cordint acts as controller for personal data about our own business contacts, billing contacts, website users, marketing recipients, support contacts, and certain operational and compliance records relating to the Service.
3. Categories of personal data we process
Depending on the context, we may process: identity and contact details; login and account information; employment and role information; application and screening workflow data; communications; technical and device data; usage and audit logs; billing and payment details; training and support records; and correspondence with us.
For screening workflows configured by our customers, the data entered into Lumiuz may include references, employment history, education history, right-to-work documentation, identity documents, sanctions or watchlist matches, criminal offence data, and in limited cases special category data, where the customer has determined that such processing is lawful and necessary.
We do not intentionally require customers to upload more personal data than is reasonably necessary for the relevant screening package or lawful purpose.
4. Sources of personal data
We collect personal data directly from customers, authorised users, candidates, referees, and other individuals who interact with Lumiuz or communicate with us.
We also receive personal data from our customers, integrations, identity/document verification tools, third-party screening providers, public sources, government registers, sanctions databases, and service providers, where configured by the customer or necessary for our business operations.
5. Roles under data protection law
When Cordint hosts and processes candidate or workforce screening data for a customer’s purposes, Cordint generally acts as a processor and the customer acts as controller.
When Cordint handles personal data for our own purposes, such as account administration, billing, fraud prevention, service security, internal analytics, supplier management, or direct business-to-business marketing, Cordint acts as controller.
In limited circumstances, Cordint and a customer may each act as independent controllers for different parts of the same workflow. The precise allocation depends on who decides the purposes and essential means of the processing.
6. Our purposes and lawful bases
| Purpose | Examples of personal data | Lawful basis |
|---|---|---|
| Provide and administer Lumiuz accounts and contracts | User names, business contact details, roles, contract and subscription data, billing contacts | Performance of a contract; legitimate interests |
| Onboarding, support, training, and service communications | Support tickets, emails, call notes, account metadata, usage information | Performance of a contract; legitimate interests |
| Service security, fraud prevention, logging, and resilience | IP addresses, login records, device/browser data, audit logs, incident records | Legitimate interests; legal obligation where applicable |
| Billing, finance, tax, and record keeping | Billing contacts, invoices, payment metadata, transaction history | Performance of a contract; legal obligation |
| Business development and B2B marketing | Business contact details, meeting notes, preferences, communications history | Legitimate interests; consent where required by law |
| Corporate governance, legal claims, and compliance | Correspondence, records relevant to complaints, disputes, audits, or regulator enquiries | Legal obligation; legitimate interests |
7. Candidate data and screening data handled for customers
Where a customer uses Lumiuz to carry out employee or contractor screening, Cordint usually processes candidate and screening data only on that customer’s documented instructions and for the purposes of providing the Service.
The relevant customer is typically responsible for identifying the lawful basis for the screening activity and, where required, any additional conditions for criminal offence data or special category data, for providing privacy information to candidates, and for handling decisions about hiring, engagement, adverse findings, or adjudication.
If you are a candidate or screened individual and want to exercise rights relating to a screening process run by one of our customers, you should usually contact that customer first. We will assist our customers in responding where required under applicable law.
8. Criminal offence data and special category data
Background screening can involve criminal offence data and, in some cases, special category data. We expect our customers to configure and use Lumiuz only where they have identified an appropriate lawful basis and any required additional conditions under applicable law.
Cordint applies heightened confidentiality, access control, and security measures to this type of data and seeks to limit access to personnel who need it to provide and support the Service.
We do not use criminal offence data or special category data uploaded by customers for our own independent marketing or product promotion purposes.
9. How we share personal data
We share personal data with identity or verification service providers, analytics and security tools, professional advisers, auditors, payment processors, and other vendors who support our business or the Service.
For customer-controlled screening workflows, we may also process or transmit data to the customer’s configured integrations and screening providers, acting on the customer’s instructions.
We may disclose personal data where required by law, regulation, court order, or competent authority, or where necessary to establish, exercise, or defend legal claims.
10. International transfers
Where personal data is transferred outside the UK, EEA, or another territory with data transfer restrictions, we will use an appropriate safeguard recognised by applicable law, such as adequacy regulations, standard contractual clauses, the UK International Data Transfer Agreement or Addendum, or another permitted mechanism.
You may contact us for more information about the safeguards relevant to a particular transfer.
11. Data retention
We retain personal data only for as long as necessary for the purposes for which it was collected, including to provide the Service, comply with legal and regulatory obligations, resolve disputes, enforce agreements, and maintain appropriate business records.
For customer-controlled screening data, retention periods are typically set by the customer’s instructions, contract terms, and applicable law. After the end of services, we will delete or return such data in accordance with our contractual commitments, subject to legally required retention and routine backup cycles.
For our own controller data, retention periods vary by record type, for example account records, support history, security logs, and finance records.
12. Security
We maintain technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include role-based access controls, logging, monitoring, supplier management, secure development and change controls, encryption or equivalent safeguards where appropriate, and incident response procedures.
No system can be guaranteed to be completely secure, but we work to maintain security measures proportionate to the risks presented by our processing activities.
13. Your rights
Depending on the applicable law and whether Cordint acts as controller or processor, individuals may have rights to request access, rectification, erasure, restriction, objection, portability, and review of certain automated decisions, and to withdraw consent where processing is based on consent.
When Cordint acts as controller, you may contact us directly to exercise your rights. When Cordint acts only as processor for a customer’s screening workflow, we will normally direct your request to the relevant customer, but may assist them in responding.
You also have the right to complain to the Information Commissioner’s Office in the UK, or to another competent supervisory authority where applicable.
14. Cookies and similar technologies
Our website or Service interfaces may use cookies or similar technologies for authentication, security, preferences, analytics, and service performance. Any website or cookie notice should be read together with this Privacy Policy.
Where required by law, we will seek consent for non-essential cookies or similar technologies.
15. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in law, guidance, our practices, or the Service. We will publish the updated version with a revised effective date and, where appropriate, provide additional notice.
16. Contact us
Cordint Ltd (Company No. 09579776)
Product: Lumiuz
Privacy contact: dpo@lumiuz.co.uk
Registered office: 21 Great Bounds Drive, Tunbridge Wells, TN4 0TR, United Kingdom
If you contact us about a rights request, complaint, or privacy question, we may need to verify your identity before responding.