This policy explains what personal data Luxembourg Expats ("we", "us", "our") collects, how we use it, who we share it with, and the choices you have. Luxembourg Expats is operated by Flywheel Global SARL-S, a simplified private limited liability company registered in Luxembourg. We are the data controller for the processing described here.
1. Who to contact
- Privacy / data-protection / GDPR requests: dpo@luxexpats.lu
- General support: team@luxexpats.lu
2. What we collect
Account & profile
- Full name, email, password (stored as a one-way hash we never see in plain text).
- Date of birth, gender, account type (private / business), 18+ confirmation.
- City, country, approximate coordinates (if you allow the location picker).
- Profile photo, cover photo, bio, title, timezone, interests.
- OAuth provider identifier if you sign in with Google or Facebook.
Content you post
- Listings (Buy & Sell, Real Estate, Jobs, Events, Offers), including titles, descriptions, prices, photos, and location.
- Discussions, stories, comments, reactions.
- Direct messages and group-chat messages.
- Saved items, blocked users, reports you file.
Technical & session data
- IP address, browser, operating system, device type, session identifier.
- Pages and features you use, timestamps (for abuse detection and analytics).
- Push-notification token, if you install the mobile app and grant permission.
Payments
- Stripe customer id and subscription status for Club Membership / Featured Listings.
- We never see or store your card number — that data stays with Stripe.
- VAT / billing country (if applicable for invoicing).
Elso AI interactions
- The messages you send to Elso, Elso's responses, and timestamps. Used to deliver the feature and improve prompts. See sub-processors below.
- Don't send Elso government IDs, bank details, medical records, passwords, or other confidential information.
3. Why we use it (purposes & lawful bases)
- Run the service — your account, listings, messaging, chat, AI. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
- Safety, abuse prevention, moderation — detect spam, fraud, harassment, and violations of our Terms. Legal basis: legitimate interest (Art. 6(1)(f)) in keeping the platform safe.
- Analytics & product improvement — aggregated usage metrics, feature funnels. Legal basis: consent via the cookie banner for non-essential analytics; legitimate interest for server-side aggregated metrics.
- Communications — service notifications (verification, security), optional updates about new features. Legal basis: performance of a contract for transactional email; consent for marketing.
- Payments — process Club Membership and Featured Listing purchases via Stripe. Legal basis: performance of a contract.
- Legal obligations — accounting, fraud reporting, responses to lawful authority requests. Legal basis: legal obligation (Art. 6(1)(c)).
4. Who we share it with
We do not sell personal data. We share it only with the service providers listed below, each bound by a data-processing agreement and restricted to their specific purpose.
| Provider | Purpose | Region |
|---|---|---|
| Vercel | Website hosting & serverless compute | EU & US |
| DigitalOcean Spaces | Photo & file storage (CDN) | EU (Frankfurt) |
| Stripe | Payment processing | EU & US |
| | OAuth sign-in, Maps / Places, Analytics | US (SCCs) |
| Facebook (Meta) | OAuth sign-in (only if you use it) | US (SCCs) |
| Mailgun | Transactional email (verification, password reset) | EU |
| Freshchat | In-app help widget | EU / US |
| AI model provider (Elso) | Generate AI assistant responses | US (SCCs) |
| Apple / Google (mobile) | App distribution, push notifications, in-app purchases | US (SCCs) |
Where a provider is outside the European Economic Area, transfers rely on EU Standard Contractual Clauses or an adequacy decision. You can request a copy of the relevant safeguards from dpo@luxexpats.lu.
We may also disclose personal data if required by law, to enforce our Terms, to investigate fraud or abuse, or to protect the rights, safety, and property of Luxembourg Expats, our members, or the public.
5. How long we keep it
- Active account data — for as long as your account exists.
- After account deletion — most data is removed promptly. Limited records (billing, abuse reports, fraud signals) may be retained for up to 24 months for legal, security, and accounting reasons, then deleted or fully anonymised.
- Backups — encrypted backups are retained for a short rolling window (typically 30 days) and overwritten.
- Elso AI logs — retained for up to 30 days for abuse detection and quality improvement, unless applicable law requires otherwise.
6. Your rights (GDPR)
Under the GDPR you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate or incomplete data.
- Erase your data ("right to be forgotten") — see how to delete your account.
- Restrict or object to certain processing.
- Data portability — receive a copy of your data in a machine-readable format.
- Withdraw consent at any time (where processing is based on consent).
- File a complaint with the Luxembourg supervisory authority, the Commission nationale pour la protection des données (CNPD), or your local EU data-protection authority.
To exercise any of these rights, email dpo@luxexpats.lu. We aim to respond within 30 days.
7. Security
We use industry-standard technical and organisational measures to protect your data: encryption in transit (HTTPS / TLS), one-way hashing for passwords, access controls on our backend, audit logs, and ongoing dependency monitoring. No system is perfectly secure — if we ever detect a personal-data breach that is likely to pose a risk to your rights, we will notify the CNPD within 72 hours and, where required, notify you directly.
8. Children
Luxembourg Expats is for users aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you believe an under-18 user has created an account, email us at dpo@luxexpats.lu and we will remove it promptly.
9. Cookies
We use cookies and similar technologies for essential functionality and (with your consent) analytics. See our Cookie Policy for the full list and how to manage them.
10. Changes to this policy
We may update this policy as the product evolves or the law changes. Material changes will be announced in-app or by email. The "Last updated" date at the top always shows the current version.
11. Contact
Privacy & data requests: dpo@luxexpats.lu. General support: team@luxexpats.lu. Or use the contact page.
Flywheel Global SARL-S, registered in Luxembourg (RCS B231101).