Data protection notice
How Luxgap collects and processes your personal data across its websites, portals and services. Last updated on May 8, 2026.
Last review: 08/05/2026
This Privacy Notice explains how Luxgap Sàrl (“Luxgap”, “we”, “us”) collects and processes personal data in connection with its websites, portals, online tools, quote processes, contact forms, AI assistants, Dark Web scanning and monitoring services, partner area, reports and related digital services.
This Privacy Notice is intended to apply as the canonical privacy notice available at: https://luxgap.com/privacy-notice
It is drafted in accordance with Regulation (EU) 2016/679 (“GDPR”) and applicable Luxembourg data protection laws.
1. Data controller
The data controller is:
Luxgap Sàrl
RCS Luxembourg B 281 826
2 rue de l’École
L-8376 Kahler
Luxembourg
Luxgap has designated a Data Protection Officer (DPO) in accordance with Article 37 GDPR. For any question relating to this Privacy Notice or the exercise of your rights, you may contact the DPO at: dpo@luxgap.com.
2. Scope of this Privacy Notice
This Privacy Notice applies to the processing of personal data carried out by Luxgap in connection with:
- the website luxgap.com;
- the portal devis.luxgap.com;
- the partner area available through dpo.luxgap.com;
- contact forms and commercial inquiries;
- quote generation, review and approval processes;
- AI assistants used on Luxgap websites or in connection with quotes;
- public Dark Web scanning tools;
- contracted monitoring services, including Luxgap Vigil;
- detailed monitoring reports, including reports generated with Gamma;
- editorial content published by Luxgap; and
- technical logs, security measures and strictly necessary cookies.
This Privacy Notice does not apply to LuxApps services, which are governed by separate privacy information and contractual documentation.
3. Processing activities
3.1. Contact form and commercial inquiries
When you contact Luxgap through a website form, email or similar channel, we process the personal data necessary to respond to your inquiry and, where relevant, prepare a commercial proposal.
Personal data processed may include:
- first name and last name;
- company name;
- professional email address;
- phone number;
- job title or function;
- topic of the request;
- free-text message;
- source page and preferred language;
- IP address and user-agent.
Purpose: to respond to your inquiry, manage pre-contractual exchanges and, where requested, send a proposal or quote.
Legal basis: legitimate interest under Article 6(1)(f) GDPR, namely managing commercial inquiries and maintaining business development activities, and pre-contractual measures under Article 6(1)(b) GDPR where the request relates to a quote, proposal or service.
Retention: 3 years after the last interaction, unless a contract is concluded, in which case relevant data may be retained for the duration of the contractual relationship and applicable legal retention periods.
Recipients: authorised Luxgap personnel and technical hosting or email providers used by Luxgap.
3.2. Quote review and approval
When Luxgap sends a quote through a unique link or online quote page, we process the data necessary to present, discuss, review and approve the quote.
Personal data processed may include:
- first name and last name;
- professional email address;
- company name;
- job title or function;
- preferred language;
- quote content and metadata;
- IP address;
- user-agent;
- opening timestamp;
- approval or refusal response;
- comments or messages submitted in connection with the quote.
Purpose: quote management, pre-contractual exchanges, commercial follow-up, proof of approval or refusal, and preparation of the contractual relationship.
Legal basis: pre-contractual measures under Article 6(1)(b) GDPR and legitimate interest under Article 6(1)(f) GDPR, namely commercial follow-up and proof of pre-contractual exchanges.
Retention: 3 years after the last interaction, then legal archiving where a contract is concluded or where retention is required for evidentiary, accounting, tax or legal purposes.
Recipients: authorised Luxgap personnel, hosting providers, email providers and, where relevant, AI assistant providers used to support quote-related interactions.
3.3. Self-service quote creation
When you generate a quote yourself through a Luxgap online quote generator, we process the data necessary to create the quote and manage follow-up.
Personal data processed may include:
- company name;
- professional email address;
- areas of interest or selected services;
- preferred language;
- IP address;
- user-agent;
- session metadata and anti-abuse data.
Luxgap may reject personal email addresses, such as consumer webmail addresses, where the relevant service is intended for professional or business use.
Purpose: self-service quote creation, commercial follow-up, abuse prevention, security and pre-contractual management.
Legal basis: pre-contractual measures under Article 6(1)(b) GDPR, legitimate interest under Article 6(1)(f) GDPR, namely abuse prevention and commercial follow-up, and, where applicable, consent under Article 6(1)(a) GDPR for specific follow-up communications. Where consent is the legal basis, you may withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
Retention: 3 years after the last interaction, unless a contract is concluded, in which case relevant data may be retained for the duration of the contractual relationship and applicable legal retention periods.
Recipients: authorised Luxgap personnel, hosting providers, email providers and technical service providers used for quote generation.
3.4. Partner area
Luxgap provides access to a partner area through dpo.luxgap.com.
When you access the partner area, we process data necessary to authenticate access, secure the platform and maintain session continuity.
Personal data processed may include:
- login or session credentials;
- session cookie;
- IP address;
- user-agent;
- access timestamp;
- security logs.
Purpose: authentication, access control, platform security and prevention of unauthorised access.
Legal basis: legitimate interest under Article 6(1)(f) GDPR, namely platform security and prevention of unauthorised access, and, where access is linked to a contractual relationship, contract performance under Article 6(1)(b) GDPR.
Retention: authenticated sessions are retained for a maximum of 8 hours. Security logs are retained for up to 12 months.
Recipients: authorised Luxgap personnel and hosting or security providers used by Luxgap.
3.5. Public Dark Web scan
When you use a public Dark Web scan, breach-check or exposure-check tool made available by Luxgap, we process the data necessary to perform the scan and provide the result.
Personal data processed may include:
- the business email address or domain submitted by you;
- IP address;
- user-agent;
- request timestamp;
- scan result;
- request status;
- domain metadata;
- exposure indicators;
- lookalike domain results, where applicable.
The scan is performed through Luxgap infrastructure. Submitted inputs are not forwarded directly by the visitor to external threat intelligence sources. Luxgap infrastructure may query relevant sources and APIs to generate the result.
Where exposed credentials are detected, Luxgap does not ask you to provide a password and does not display passwords in clear text. Passwords or credential indicators may be masked, truncated, hashed or otherwise limited to avoid reusability.
Purpose: to provide the scan requested by the user, detect public exposure, assess cybersecurity risks, prevent abuse and, where the user has consented, allow Luxgap to contact the user regarding the result or relevant protection services.
Legal basis: legitimate interest in cybersecurity under Article 6(1)(f) GDPR for the scan itself, and consent under Article 6(1)(a) GDPR for commercial contact following the scan where such contact is not strictly necessary to provide the result. Where consent is the legal basis, you may withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
Retention: 24 months from the last request, unless earlier deletion is requested and no overriding legal, security or evidentiary reason requires retention.
Recipients: authorised Luxgap personnel, hosting providers, email providers and relevant technical sources queried through Luxgap infrastructure.
3.6. Contracted monitoring services
Where a client subscribes to a contracted monitoring service, including Luxgap Vigil or similar services, Luxgap processes data required to configure, run and maintain the monitoring. In this context, Luxgap acts as a processor within the meaning of Article 28 GDPR, on behalf of the client as data controller. A data processing agreement governs the relationship between Luxgap and the client.
Personal data processed may include:
- domains to be monitored;
- business keywords;
- executive names or professional identifiers where provided by the client;
- sensitive project names or internal keywords where provided by the client;
- notification email addresses;
- detected compromised credentials;
- partially masked passwords or hashes;
- scan metadata;
- alerts and alert history;
- technical logs relating to monitoring operations.
Purpose: continuous cybersecurity monitoring, leak detection, alert generation, risk identification and provision of contracted services.
Legal basis: contract performance under Article 6(1)(b) GDPR and legitimate interest under Article 6(1)(f) GDPR, namely network security, leak detection and protection of the client's information systems.
Retention: for the duration of the contract and 12 months after the end of the relevant monitoring service, unless longer retention is required by law, contract, security incident handling or evidentiary purposes.
Recipients: authorised Luxgap personnel, hosting providers, email providers, relevant threat intelligence sources and technical providers used by Luxgap for monitoring.
3.7. Detailed monitoring reports and Gamma-generated reports
As part of a signed engagement, Luxgap may produce detailed monitoring reports, including spreadsheet reports, presentation reports or reports generated with Gamma.
Reports may include:
- scan statistics;
- detected exposure indicators;
- affected domains;
- technical findings;
- partially masked samples;
- professional email addresses or identifiers where relevant;
- credential indicators, excluding full passwords;
- recommendations and remediation information.
Gamma may be used to generate presentation-style reports. Where Gamma is used, Luxgap seeks to limit the data transmitted to what is necessary for report generation. Full passwords are not sent to Gamma.
Purpose: reporting, presentation of monitoring results, cybersecurity analysis, contractual deliverables and client follow-up.
Legal basis: contract performance under Article 6(1)(b) GDPR and legitimate interest under Article 6(1)(f) GDPR, namely cybersecurity analysis and delivery of actionable security insights to the client.
Retention: 12 months after delivery, unless deletion is requested earlier and no overriding legal, security or evidentiary reason requires retention.
Recipients: authorised Luxgap personnel, Gamma where used, hosting providers and communication providers used to transmit the reports.
Security: reports are transmitted through restricted or appropriate channels and are not published or shared with unauthorised third parties.
3.8. AI assistant on luxgap.com
Luxgap may provide an AI assistant on its public website to answer questions about its services and help qualify inquiries.
Personal data processed may include:
- messages submitted by the user;
- optional name and email address;
- session ID;
- language;
- page or source context;
- IP address;
- user-agent.
Purpose: responding to questions, improving pre-contractual assistance, qualifying inquiries and facilitating contact with Luxgap.
Legal basis: legitimate interest under Article 6(1)(f) GDPR, namely improving pre-contractual assistance and qualifying inquiries efficiently, and, where the exchange concerns a specific request for services, pre-contractual measures under Article 6(1)(b) GDPR.
Retention: 13 months from the last interaction.
Recipients: authorised Luxgap personnel and Anthropic PBC as provider of the Claude AI model, acting as processor under Article 28 GDPR.
Important: the AI assistant is not a secure channel for sensitive or confidential personal data. Users should not submit sensitive, confidential, privileged, security-critical or highly personal information through the public AI assistant.
3.9. AI assistant on quotes
Luxgap may provide a separate AI assistant in connection with online quotes.
When you ask a question in relation to a quote, your message and relevant quote context may be transmitted to Anthropic PBC through the Claude model to generate an answer. A copy of the conversation may also be made available to the relevant Luxgap representative for follow-up quality, commercial accountability and continuity.
Personal data processed may include:
- messages submitted by the user;
- quote context;
- company name;
- professional contact details;
- selected services;
- language;
- IP address;
- user-agent;
- conversation metadata.
Purpose: answering quote-related questions, supporting pre-contractual exchanges, improving quote comprehension and ensuring follow-up by Luxgap.
Legal basis: pre-contractual measures under Article 6(1)(b) GDPR and legitimate interest under Article 6(1)(f) GDPR, namely supporting quote comprehension and ensuring follow-up quality.
Retention: 13 months.
Recipients: authorised Luxgap personnel, Anthropic PBC and technical providers involved in the quote process.
Important: the AI assistant should not be used to submit sensitive, confidential, privileged, security-critical or highly personal information unless expressly instructed by Luxgap through a secure process.
3.10. Editorial articles and authors
Where Luxgap publishes editorial articles, insights or similar content authored by Luxgap staff or contributors, Luxgap may process limited author information.
Personal data processed may include:
- author name;
- role or professional title;
- publication date;
- article content;
- professional biography or photograph where applicable.
Purpose: publication of editorial content, attribution of authorship and communication about Luxgap expertise.
Legal basis: contract performance, employment-related necessity or legitimate interest under Article 6(1)(f) GDPR, depending on the author’s relationship with Luxgap.
Retention: for as long as the article remains published, unless removal is requested and no overriding legitimate reason justifies continued publication.
Recipients: website visitors, authorised Luxgap personnel, hosting providers and website service providers.
3.11. Server logs and security logs
When you use Luxgap websites, portals or online services, Luxgap processes technical logs required for security, troubleshooting and service operation.
Personal data processed may include:
- IP address;
- URL requested;
- timestamp;
- user-agent;
- HTTP status code;
- session or security identifiers;
- authentication events;
- admin or partner access logs where applicable.
Purpose: security, fraud and abuse prevention, troubleshooting, audit trails, incident investigation and protection of Luxgap infrastructure.
Legal basis: legitimate interest under Article 6(1)(f) GDPR, namely security of information systems, fraud prevention and incident investigation, and, where applicable, legal obligation under Article 6(1)(c) GDPR, in particular obligations arising from applicable cybersecurity and electronic communications legislation.
Retention: 12 months.
Recipients: authorised Luxgap personnel, hosting providers and security providers.
3.12. Cookies and similar technologies
Luxgap websites use a limited number of cookies and similar technologies. As of the date of this Privacy Notice, Luxgap uses only first-party cookies that are strictly necessary for service operation, security, session management or language preferences. No third-party cookies, analytics cookies or advertising cookies are used.
The following cookies and similar technologies are used on luxgap.com:
- lxg_csrf — first-party cookie, duration: 1 week, purpose: cross-site request forgery (CSRF) protection, category: strictly necessary;
- lxg_lang — first-party cookie, duration: 1 year, purpose: storing the user’s language preference, category: functionality.
The following cookies and similar technologies are used on devis.luxgap.com:
- PHPSESSID — first-party cookie, duration: session (deleted when the browser is closed), purpose: maintaining the user session between pages, category: strictly necessary;
- lang — first-party cookie, duration: 1 year, purpose: storing the user’s language preference, category: functionality;
- wpEmojiSettingsSupports — session storage (not a cookie), purpose: technical rendering support, category: strictly necessary.
Legal basis: legitimate interest under Article 6(1)(f) GDPR for strictly necessary cookies and similar technologies, namely ensuring the security and proper functioning of the websites. For functionality cookies (lxg_lang, lang), the legal basis is legitimate interest under Article 6(1)(f) GDPR, namely providing the website in the user’s preferred language. These cookies do not require prior consent under applicable ePrivacy legislation as transposed in Luxembourg, as they are either strictly necessary for the provision of the service requested by the user or serve a legitimate functionality purpose.
Retention: as indicated per cookie above (session, 1 week or 1 year as applicable).
Recipients: the cookies listed above are first-party only and are not shared with third parties.
Should Luxgap introduce non-essential cookies or similar technologies in the future, such as analytics or marketing cookies, prior consent will be obtained in accordance with applicable law, including the requirements of the CNPD and the amended Luxembourg Law of 30 May 2005 on data protection in electronic communications.
4. Recipients and processors
Personal data processed under this Privacy Notice may be accessed by authorised Luxgap personnel only where necessary for their duties.
Luxgap may rely on the following categories of recipients and processors:
- hosting and infrastructure providers;
- email and communication providers;
- AI service providers;
- presentation-generation providers;
- threat intelligence and cybersecurity data providers;
- technical service providers supporting websites, portals, monitoring and security;
- professional advisers, authorities or courts where legally required or necessary to protect Luxgap’s rights.
The following providers or sources may be used, depending on the relevant service:
- OVH SAS / OVHcloud — hosting, infrastructure, database, email or technical execution;
- Microsoft — email, communications and related business services;
- Anthropic PBC — Claude AI model used for AI assistants, acting as processor under Article 28 GDPR;
- Gamma App, Inc. — presentation-generation for reports;
- Snusbase;
- IntelX;
- LeakCheck;
- DeHashed;
- Hudson Rock;
- LeakRadar;
- AlienVault OTX;
- Have I Been Pwned;
- abuse.ch, including URLhaus, ThreatFox and MalwareBazaar;
- crt.sh;
- VirusTotal;
- GitHub Code Search;
- WhoisDS.
Threat intelligence sources are queried through Luxgap infrastructure where relevant to the service. Visitor inputs submitted through public forms are not directly submitted by the visitor to those sources.
Luxgap does not sell personal data to third parties.
5. International transfers
Some recipients or technical providers may be located outside the European Economic Area, including in the United States or other jurisdictions.
Where personal data is transferred outside the European Economic Area, Luxgap relies on appropriate safeguards under GDPR, including Standard Contractual Clauses approved by the European Commission under Article 46 GDPR, adequacy decisions where applicable, or other lawful transfer mechanisms.
Transfers outside the EEA may concern, depending on the relevant service, providers such as Anthropic, Gamma, DeHashed, IntelX, Hudson Rock, GitHub, VirusTotal and other technical or cybersecurity sources listed in this Privacy Notice.
6. Retention periods
Luxgap applies the following maximum retention periods, unless a longer retention period is required by law, contract, legal claim, security incident, accounting obligation, tax obligation or evidentiary necessity:
- contact form and commercial inquiries: 3 years after the last interaction;
- quotes, quote approvals and quote-related exchanges: 3 years after the last interaction, then legal archiving where required;
- self-service quote data: 3 years after the last interaction;
- partner area sessions: 8 hours;
- partner area security logs: 12 months;
- public Dark Web scan requests: 24 months from the last request;
- contracted monitoring alerts and metadata: contract duration plus 12 months;
- detailed monitoring reports, including Gamma-generated reports: 12 months after delivery;
- AI assistant conversations on luxgap.com: 13 months from the last interaction;
- AI assistant conversations on quotes: 13 months from the last interaction;
- server logs and security logs: 12 months;
- editorial author data: for as long as the relevant article remains published.
7. Your rights
Under GDPR, you may have the following rights, subject to the conditions and limits provided by applicable law:
- right of access under Article 15 GDPR;
- right to rectification under Article 16 GDPR;
- right to erasure under Article 17 GDPR;
- right to restriction of processing under Article 18 GDPR;
- right to data portability under Article 20 GDPR;
- right to object under Article 21 GDPR;
- right to withdraw consent at any time under Article 7(3) GDPR, where processing is based on consent.
Luxgap does not use personal data covered by this Privacy Notice for automated decision-making producing legal effects or similarly significant effects within the meaning of Article 22 GDPR.
Where processing is based on legitimate interest under Article 6(1)(f) GDPR, Luxgap has conducted a balancing test (legitimate interest assessment) for each relevant processing activity. You may request information on the applicable balancing test by contacting Luxgap.
To exercise your rights, contact Luxgap at: dpo@luxgap.com
Luxgap will respond within one month of receipt of the request, unless an extension is permitted under GDPR.
You may also lodge a complaint with the Luxembourg supervisory authority, the Commission nationale pour la protection des données (CNPD): https://cnpd.public.lu
8. Security
Luxgap implements appropriate technical and organisational measures intended to protect personal data against unauthorised access, loss, misuse, alteration or disclosure.
These measures may include, depending on the relevant system or service:
- encryption in transit;
- encryption or protection of backups where applicable;
- access control and role-based permissions;
- multi-factor authentication for administrative access;
- logging and monitoring of access and security events;
- segmentation of systems and environments;
- minimisation of data processed and displayed;
- masking or truncation of exposed credential indicators;
- security review of technical providers;
- restricted access to reports and monitoring outputs.
No system is entirely secure. Luxgap continuously seeks to apply appropriate security measures having regard to the nature of the processing, the risks involved and the state of the art.
Where required under Article 35 GDPR, Luxgap has conducted data protection impact assessments for processing activities presenting a high risk to the rights and freedoms of data subjects.
9. Updates to this Privacy Notice
Luxgap may update this Privacy Notice to reflect changes to its websites, portals, services, processing activities, recipients, retention periods, security measures, legal requirements or regulatory guidance.
Version: 1.0 — 08/05/2026.
Material changes to this Privacy Notice, such as a change in processing purpose, a change in the identity of the controller, or a change in how data subjects may exercise their rights, will be communicated to data subjects through appropriate means, such as a notice on the relevant website or by email where feasible.
The current version is available at: https://luxgap.com/privacy-notice
The effective date at the top of this Privacy Notice indicates the latest version.
For any question regarding this Privacy Notice, contact: dpo@luxgap.com