GDPR Compliance

Last Updated: January 21, 2026

1. Our Commitment to GDPR

LuxSign is committed to complying with the General Data Protection Regulation (GDPR) and Luxembourg data protection laws. This page outlines how we handle your personal data in accordance with these regulations.

Important: LuxSign operates under GDPR principles but does not hold specific GDPR certifications. We implement technical and organizational measures to protect your data as required by applicable law.

2. Legal Basis for Processing

We process your personal data based on the following legal grounds:

  • Contract Performance: To provide the Service you have subscribed to
  • Legitimate Interests: To improve our Service, prevent fraud, and ensure security
  • Consent: Where you have given explicit consent for specific processing activities
  • Legal Obligations: To comply with applicable laws and regulations

3. Data Subject Rights

Under GDPR, you have the following rights regarding your personal data:

3.1 Right of Access

You have the right to request access to your personal data and obtain information about how we process it.

3.2 Right to Rectification

You can request correction of inaccurate or incomplete personal data.

3.3 Right to Erasure ("Right to be Forgotten")

You can request deletion of your personal data, subject to certain exceptions (e.g., legal obligations, legitimate business interests, pending disputes).

3.4 Right to Restriction of Processing

You can request that we limit how we use your data in certain circumstances.

3.5 Right to Data Portability

You can request a copy of your data in a structured, commonly used, machine-readable format.

3.6 Right to Object

You can object to certain types of processing, including processing based on legitimate interests.

3.7 Right to Withdraw Consent

Where processing is based on consent, you can withdraw your consent at any time.

To exercise any of these rights, contact us at support@luxsign.lu. We will respond to your request within one month, as required by GDPR. This period may be extended by two further months where necessary, taking into account the complexity and number of requests. We will inform you of any such extension within one month of receipt of the request. We may require verification of your identity before processing your request.

4. Data Protection Measures

We implement appropriate technical and organizational measures to protect your data, including:

  • Industry-standard encryption for data at rest and in transit
  • Data storage in secure EU data centers
  • Regular security assessments and updates
  • Access controls and authentication mechanisms
  • Incident response procedures
  • Regular backups and disaster recovery plans

5. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify affected individuals without undue delay and, where required, notify the Luxembourg National Commission for Data Protection (CNPD) within 72 hours of becoming aware of the breach, in accordance with GDPR requirements.

6. Data Processing Agreements

When we engage third-party processors to handle personal data on our behalf, we ensure they are contractually bound to GDPR-compliant data processing terms. We only work with processors that provide sufficient guarantees of appropriate technical and organizational security measures.

7. International Data Transfers

Your personal data is stored and processed in Luxembourg, within the European Economic Area (EEA). We do not transfer personal data outside the EEA unless the transfer is necessary and appropriate safeguards are in place (e.g., Standard Contractual Clauses, adequacy decisions).

8. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including legal, accounting, or reporting requirements. Retention periods vary based on data type and purpose:

  • Account Data: Retained while your account is active and for a reasonable period after deletion
  • Documents: Retained as long as you maintain them in your account
  • Audit Logs: Retained for compliance and security purposes as required by law
  • Backup Data: Deleted according to our backup retention schedule (typically within 90 days)

9. Automated Decision-Making and Profiling

LuxSign does not use automated decision-making or profiling that would have legal or similarly significant effects on you.

10. Children's Data

Our Service is not directed to individuals under 18 years of age. We do not knowingly collect or process personal data from children. If we become aware that we have collected data from a child without appropriate parental consent, we will take steps to delete such information.

11. Supervisory Authority

If you have concerns about how we handle your personal data, you have the right to lodge a complaint with the Luxembourg National Commission for Data Protection (CNPD):

Commission nationale pour la protection des données (CNPD)
15, Boulevard du Jazz
L-4370 Belvaux
Luxembourg
Website: cnpd.public.lu

You also have the right to lodge a complaint with a supervisory authority in the EU member state of your habitual residence, place of work, or place of alleged infringement.

12. Updates to This Page

We may update this GDPR Compliance page from time to time to reflect changes in our practices or legal requirements. We encourage you to review this page periodically.

13. Contact Us

For questions about GDPR compliance or to exercise your data subject rights, contact us at:

Email: support@luxsign.lu
General Inquiries: contact@luxsign.lu