Privacy policy

Valid from 25.05.2018

1. Introduction

This policy applies where we are acting as a data controller with respect to the personal data of Luxid Group website visitors and users of services provided by Luxid Group; in other words, where we determine the purposes and means of the processing of that personal data.

We use cookies on our website. As far as those cookies are not strictly necessary for the provision of our website and services, we will ask you to consent to our use of cookies when you first visit our website.

Our website incorporates privacy controls which affect how we will process your personal data. By using the privacy controls, you can edit the initially given consent by clearing the browser cache, thus invoking the consent banner for editing the settings.

Luxid processes personal data in accordance with the principles of lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, and confidentiality.

In this policy, "we", "us" and "our" refer to Luxid Group Oy.

1.1 Data controller

For the purposes of applicable data protection laws, including the General Data Protection Regulation (GDPR), Luxid Group Oy acts as the data controller for the personal data described in this Privacy Policy.

Luxid Group Oy is responsible for determining the purposes and means of processing personal data.

Registered address:

Läntinen Rantakatu 3
20100 Turku
Finland

Company registration number: FI24963805

Questions relating to this Privacy Policy or to the processing of personal data may be directed to Luxid’s Chief Information Security Officer using the contact details provided in Section 9 of this policy.

2. How we process personal data

This section explains the categories of personal data that Luxid Group may process, the purposes for which the data is processed, and the legal bases under applicable data protection laws.

Luxid processes personal data only where necessary to operate our website and services, manage customer relationships, improve our services, or comply with legal obligations.

Depending on the context, Luxid relies on the following legal bases for processing personal data:

  • Performance of a contract, where processing is necessary to provide services requested by a customer or user.
  • Legitimate interests, where processing is necessary for operating, maintaining, and improving Luxid’s business, services, and website, provided such interests are not overridden by the rights of individuals.
  • Consent, where required by applicable law, for example in connection with marketing communications or non-essential cookies.
  • Legal obligation, where processing is necessary to comply with applicable laws or regulatory requirements.

Data minimisation principle

Luxid processes only personal data that is necessary and proportionate for the purposes described in this policy. We aim to limit the collection and processing of personal data to what is required to provide our services, maintain our operations, and comply with legal obligations.

2.1 Website and analytics data

Luxid may process information relating to the use of its website and online services ("usage data").

Usage data may include:

  • IP address
  • approximate geographic location
  • browser type and version
  • operating system
  • referring websites or sources
  • pages visited and navigation paths
  • visit duration and frequency
  • device identifiers or similar technical data
  • maintaining the functionality and security of the website
  • monitoring website performance and availability
  • analysing how users interact with the website
  • improving the usability and effectiveness of Luxid’s services

This data is typically collected automatically through website technologies such as analytics tools (for example Google Analytics).

Usage data is processed for the purposes of:

The legal basis for this processing is Luxid’s legitimate interest in operating and improving its website and services, and consent where required for analytics cookies.

2.2 Customer and business contact data

Luxid may process personal data relating to individuals representing customers, partners, and prospective customers ("customer contact data").

Customer contact data may include:

  • name
  • employer or organisation
  • job title or professional role
  • business email address
  • business telephone number
  • work address
  • records of communications with Luxid

This information may be obtained directly from the individual, from their employer, from business communications, or from publicly available professional sources.

Customer contact data is processed for the purposes of:

  • providing Luxid’s services
  • managing contractual relationships
  • communicating with customers and partners
  • maintaining business records
  • managing customer support and service delivery
  • maintaining service security and access management

The legal basis for this processing is typically performance of a contract or Luxid’s legitimate interest in managing customer relationships and operating its business.

Sources of personal data

Luxid typically receives personal data directly from individuals interacting with our website or services, from their employer in connection with a business relationship, or through communications with Luxid.

In some cases, Luxid may obtain professional contact information from publicly available sources such as company websites, professional networking platforms, or event registrations where individuals have chosen to make such information publicly accessible.


2.3 Service and operational data

Luxid may process personal data generated or entered during the use of Luxid’s services ("service data").

Service data may include:

  • user inputs within Luxid services
  • operational service usage data
  • system activity logs
  • configuration or account information necessary for service delivery

 

Service data is processed for the purposes of:

  • delivering Luxid’s services
  • maintaining system functionality
  • ensuring service reliability and availability
  • maintaining service security
  • troubleshooting and resolving technical issues
  • maintaining system backups and operational records

The legal basis for this processing is typically performance of a contract and Luxid’s legitimate interest in operating secure and reliable services.

2.4 Communications and enquiries

Luxid may process personal data provided when individuals contact Luxid or request information about its services ("communication data").

Communication data may include:

  • name
  • organisation
  • email address
  • telephone number
  • message content
  • metadata associated with communications

This data is processed for the purposes of:

  • responding to enquiries
  • providing information about Luxid services
  • maintaining records of communications
  • improving customer service and support

The legal basis for this processing is Luxid’s legitimate interest in managing communications and responding to enquiries, or consent where applicable.

2.5 Marketing communications

Luxid may process personal data provided for receiving newsletters, service notifications, or marketing communications ("marketing data").

Marketing data may include:

  • name
  • email address
  • communication preferences
  • records of consent for marketing communications

This data is processed for the purpose of sending relevant updates about Luxid’s services, events, or publications.

The legal basis for this processing is consent, which may be withdrawn at any time.

Where marketing communications are directed to business contacts, Luxid may also rely on legitimate interest, subject to applicable legal requirements and the ability to opt out at any time.

2.6 Customer relationship management

Luxid may process personal data relating to the management of its customer and partner relationships ("relationship data").

Relationship data may include:

  • professional contact details
  • records of meetings or interactions
  • communications between Luxid and customers
  • notes related to service delivery or collaboration

This data is processed for the purposes of:

  • managing customer relationships
  • administering contracts and service agreements
  • coordinating service delivery
  • maintaining business records
  • improving Luxid’s services

The legal basis for this processing is Luxid’s legitimate interest in managing and developing its business relationships.

2.7 Legal, compliance, and risk management

Luxid may process personal data where necessary for legal, compliance, and risk management purposes.

This may include processing necessary for:

  • establishing, exercising, or defending legal claims
  • complying with applicable legal or regulatory obligations
  • managing business risks
  • obtaining insurance coverage or professional advice

The legal basis for this processing is Luxid’s legitimate interest in protecting its legal rights and managing business risks, and compliance with legal obligations where applicable.

2.8 Additional processing

Luxid may also process personal data where necessary:

  • to comply with legal obligations to which Luxid is subject
  • to protect the vital interests of an individual
  • to protect the rights and freedoms of Luxid or others

Luxid does not intentionally collect personal data about individuals unless the information is voluntarily provided or necessary for the purposes described in this policy.

Individuals should not provide personal data relating to other persons unless they have the authority to do so. 

2.9 Automated decision-making

Luxid does not use personal data for automated decision-making that produces legal or similarly significant effects for individuals.

Where automated tools are used for operational purposes, such as analytics or service monitoring, these tools are used solely to support service improvement and operational management and do not involve automated decisions affecting individuals.

3. Disclosure and sharing of personal data

Luxid may disclose personal data to trusted third parties where this is necessary to operate our services, conduct our business, or comply with legal obligations. When Luxid shares personal data, we ensure that appropriate contractual, organizational, and technical safeguards are in place to protect the data.

Luxid only shares personal data where there is a valid legal basis for doing so and where the recipient is required to process the data in accordance with applicable data protection laws.

3.1 Sharing within the Luxid Group

Luxid may share personal data with other entities within the Luxid Group where necessary for internal administrative purposes, service delivery, customer relationship management, or operational support.

Such transfers occur only where necessary for the purposes described in this privacy policy and are subject to appropriate confidentiality and security requirements.

Further information about Luxid Group entities can be obtained by contacting Luxid’s Chief Information Security Officer (CISO), contact information at the bottom.

3.2 Service providers and data processors

Luxid may share personal data with third-party service providers that perform services on behalf of Luxid. These service providers act as data processors and process personal data only in accordance with Luxid’s instructions.

Examples of such service providers may include:

  • cloud hosting and infrastructure providers
  • website analytics providers
  • IT service providers
  • communication and collaboration platforms
  • payment processing providers
  • professional advisers such as legal, accounting, or insurance providers

Luxid requires all such service providers to implement appropriate technical and organizational security measures and to process personal data only for the purposes specified in the relevant service agreement. 

3.3 Business partners and event co-organisers

Luxid may occasionally organize events, webinars, or joint activities together with partner organizations.

Where individuals register for such events, Luxid may share relevant registration data with the participating partner organizations where this is necessary to organize and deliver the event.

Such data sharing will occur only where:

  • the individual has registered for the joint event or activity, and
  • the sharing of data is necessary for organizing the event or has been communicated at the time of registration.

Partner organizations receiving such data will typically act as independent data controllers and will provide their own privacy notices governing their use of the personal data. 

3.4 Enquiries involving third-party services

Where an individual submits an enquiry relating to services provided jointly with a partner or where the enquiry specifically concerns a partner offering, Luxid may share the relevant contact details with the relevant partner organization so that the enquiry can be addressed.

Such sharing will occur only where it is necessary to respond to the enquiry or where the individual has requested information relating to the partner’s services.

3.5 Legal and regulatory disclosures

Luxid may disclose personal data where such disclosure is necessary:

  • to comply with applicable laws or regulatory requirements
  • to respond to lawful requests from public authorities
  • to enforce Luxid’s legal rights
  • to protect the rights, safety, or property of Luxid, its customers, or others
  • to establish, exercise, or defend legal claims

Such disclosures will be limited to what is necessary to comply with the relevant legal obligation or to protect legitimate interests. 

3.6 Business transfers

If Luxid is involved in a merger, acquisition, corporate restructuring, or sale of assets, personal data may be transferred to the relevant third party as part of the transaction.

In such circumstances, Luxid will ensure that appropriate safeguards are in place to protect personal data and that any recipient of the data is subject to appropriate confidentiality and data protection obligations.

3.7. Data processing agreements and safeguards

Where Luxid engages third-party service providers to process personal data on its behalf, Luxid enters into appropriate contractual arrangements with those providers to ensure that personal data is processed in accordance with applicable data protection laws.

These arrangements typically include data processing agreements that define:

  • the subject matter and duration of the processing
  • the nature and purpose of the processing
  • the types of personal data processed
  • the obligations and responsibilities of the parties

Luxid requires its service providers to implement appropriate technical and organizational measures to protect personal data and to process personal data only on documented instructions from Luxid.

Luxid may periodically review its service providers to ensure that appropriate safeguards remain in place.

4. International transfers of personal data

Luxid may transfer personal data to service providers, partners, or group entities located outside the European Economic Area (EEA) where this is necessary for the operation of our services or our business activities.

Where such transfers occur, Luxid ensures that appropriate safeguards are implemented to protect personal data in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR).

Luxid implements appropriate safeguards to ensure that personal data transferred internationally remains protected and processed in a manner consistent with the safeguards described in this policy. 

4.1 Locations of data processing

Luxid’s operations and service providers may process personal data in countries both within and outside the European Economic Area (EEA).

Luxid’s offices and operational entities are located in:

  • Finland
  • the United Kingdom
  • the United States

Additionally, Luxid may use cloud-based service providers or infrastructure that process personal data in other jurisdictions.

Where personal data is transferred outside the EEA, Luxid ensures that such transfers comply with applicable data protection laws.

4.2 Transfer mechanisms and safeguards

Where personal data is transferred to countries that do not benefit from an adequacy decision issued by the European Commission, Luxid implements appropriate safeguards to ensure that personal data remains protected.

Such safeguards may include:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • participation in recognized international data transfer frameworks, such as the EU-US Data Privacy Framework where applicable
  • additional contractual, technical, and organizational safeguards designed to protect personal data during international transfers

These safeguards are designed to ensure that personal data transferred outside the EEA receives a level of protection that is substantially equivalent to the protection provided under EU data protection laws.

Where required under applicable data protection laws, Luxid also evaluates the legal and technical risks associated with international transfers and may implement supplementary measures, such as encryption, access restrictions, or contractual commitments, to ensure that personal data remains adequately protected.

4.3 Transfers to service providers

Luxid may transfer personal data to third-party service providers that operate infrastructure or services outside the European Economic Area.

Such service providers may include:

  • cloud hosting and infrastructure providers
  • analytics providers
  • software service providers supporting Luxid operations
  • communication and collaboration platforms

Where Luxid transfers personal data to such service providers, the providers are required to process personal data only in accordance with Luxid’s instructions and applicable data protection requirements. 

4.4 Further information on international transfers

Individuals may request additional information regarding Luxid’s international data transfer safeguards by contacting Luxid’s Data Protection Officer using the contact details provided in this privacy policy.

Where required by applicable law, Luxid will provide further information about the safeguards applied to protect personal data transferred outside the European Economic Area.

5. Data retention and deletion

Luxid retains personal data only for as long as necessary to fulfil the purposes for which the data was collected and processed, including the provision of services, management of customer relationships, improvement of services, and compliance with legal or regulatory obligations.

Luxid applies the principle of storage limitation, meaning that personal data is not retained for longer than is necessary for the purposes described in this privacy policy.

When personal data is no longer required, Luxid takes reasonable steps to ensure that it is securely deleted, anonymized, or otherwise removed from active systems.

5.1 Retention periods

The retention period for personal data depends on the nature of the data, the purpose of processing, and applicable legal requirements.

Typical retention periods applied by Luxid include:

  1. Website usage and analytics data: retained for up to 12 months
  2. Customer and business contact data: retained for the duration of the business relationship and for a reasonable period thereafter to manage customer relationships and business records
  3. Communications and enquiries: retained for up to 24 months unless required for longer retention due to legal or contractual obligations
  4. Marketing consent records: retained until consent is withdrawn or the individual opts out of communications

Where personal data is associated with contractual obligations, accounting requirements, or legal claims, Luxid may retain the data for longer periods where required by applicable laws.

5.2 Criteria for determining retention

Where it is not possible to specify a precise retention period in advance, Luxid determines the appropriate retention period based on factors such as:

  1. the purpose for which the personal data was collected
  2. the nature and sensitivity of the personal data
  3. applicable legal, regulatory, or contractual obligations
  4. the potential risk of harm from unauthorized use or disclosure
  5. the need to maintain business records or defend legal claims

Luxid periodically reviews retained personal data to ensure that it is not kept longer than necessary. 

5.3 Secure deletion and anonymisation

When personal data is no longer required for the purposes for which it was collected, Luxid will take appropriate measures to ensure that the data is securely deleted or anonymized.

Such measures may include:

  • removal of personal data from operational systems
  • deletion or anonymisation of archived records where feasible
  • restricting access to data pending secure deletion

Where deletion is not immediately possible due to technical or legal constraints, Luxid will ensure that access to the data is restricted and that the data is retained only for the minimum period necessary.

Deletion and anonymisation of personal data are carried out in accordance with Luxid’s internal information security policies and procedures designed to ensure secure handling and disposal of information. 

5.4 Legal and regulatory retention requirements

Notwithstanding the above provisions, Luxid may retain personal data where such retention is necessary:

  • to comply with legal or regulatory obligations
  • to establish, exercise, or defend legal claims
  • to maintain financial or accounting records required by law
  • to protect the rights, safety, or legitimate interests of Luxid or others

In such cases, personal data will be retained only for as long as required to fulfil the relevant legal obligation or purpose.

6. Updates to this privacy policy

Luxid may update this Privacy Policy from time to time to reflect changes in our services, data processing practices, legal requirements, or regulatory guidance.

When this policy is updated, the revised version will be published on the Luxid website together with the updated revision date.

Where the changes materially affect how personal data is processed, Luxid may provide additional notice, such as by displaying a notice on the website, within the service, or by contacting affected individuals where appropriate.

Individuals are encouraged to review this Privacy Policy periodically to stay informed about how Luxid protects personal data.

This Privacy Policy was last updated on 18.11.2025.

7. Your data protection rights

Individuals whose personal data is processed by Luxid have certain rights under applicable data protection laws, including the General Data Protection Regulation (GDPR).

These rights enable individuals to understand how their personal data is used and to exercise control over that data.

Luxid is committed to respecting and facilitating these rights in accordance with applicable laws. 

7.1 Right of access

You have the right to request confirmation as to whether Luxid processes personal data relating to you.

Where Luxid processes your personal data, you have the right to request access to that data together with additional information, including:

  • the purposes of the processing
  • the categories of personal data processed
  • the recipients or categories of recipients of the data
  • the expected retention period for the data
  • the source of the personal data where it was not obtained directly from you

Luxid will provide a copy of your personal data upon request, subject to applicable legal limitations. The first copy will normally be provided free of charge, although a reasonable administrative fee may apply to additional requests where permitted by law. 

7.2 Right to rectification

You have the right to request that Luxid correct inaccurate personal data concerning you.

You also have the right to request that incomplete personal data be completed where appropriate, taking into account the purposes of the processing.

7.3 Right to erasure

In certain circumstances, you have the right to request that Luxid delete personal data relating to you without undue delay.

This right may apply, for example, where:

  • the personal data is no longer necessary for the purposes for which it was collected
  • you withdraw consent where processing is based on consent
  • you object to the processing and there are no overriding legitimate grounds for continuing the processing
  • the personal data has been processed unlawfully

However, this right does not apply where Luxid is required to retain the data to comply with legal obligations or where retention is necessary for the establishment, exercise, or defence of legal claims. 

7.4 Right to restrict processing

In certain circumstances, you have the right to request that Luxid restrict the processing of your personal data.

This right may apply where:

  • you contest the accuracy of the personal data
  • the processing is unlawful but you oppose the deletion of the data
  • Luxid no longer requires the data for processing purposes but you require it for legal claims
  • you have objected to processing pending verification of legitimate grounds

Where processing is restricted, Luxid may continue to store the personal data but will only process it with your consent or for specific legal purposes.

7.5 Right to object

You have the right to object to the processing of your personal data where such processing is based on Luxid’s legitimate interests.

Where you object to processing for direct marketing purposes, Luxid will cease processing your personal data for such purposes.

Where you object to other forms of processing based on legitimate interests, Luxid will assess the request and cease processing unless compelling legitimate grounds exist for continuing the processing. 

7.6 Right to data portability

Where the processing of personal data is based on consent or on the performance of a contract and the processing is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format.

Where technically feasible, you may also request that Luxid transmit this data directly to another controller.

7.7 Right to withdraw consent

Where Luxid processes personal data based on consent, you have the right to withdraw that consent at any time.

Withdrawal of consent does not affect the lawfulness of processing carried out before the consent was withdrawn.

7.8 Right to lodge a complaint

If you believe that Luxid’s processing of your personal data infringes applicable data protection laws, you have the right to lodge a complaint with a supervisory authority responsible for data protection.

You may do so in the European Union member state of your habitual residence, your place of work, or the place of the alleged infringement.

7.9 Exercising your rights

Requests relating to the rights described above may be submitted to Luxid’s Chief Information Security Officer using the contact details provided in this privacy policy.

Luxid may request reasonable information to verify the identity of the individual submitting the request before responding to the request.

Luxid will respond to valid requests in accordance with applicable data protection laws.

Luxid will respond to requests concerning personal data rights without undue delay and, in any event, within one month of receiving the request, unless a longer period is permitted under applicable data protection laws. Where requests are complex or numerous, this period may be extended as permitted by law. In such cases, Luxid will inform the individual of the extension and the reasons for the delay.

8. Contact information

Our headquarters and principal place of business is at:
Läntinen Rantakatu 3, 20100 Turku, Finland.

You can contact us:

  • by mail, to the postal address given above;
  • using our website contact form;
  • by telephone, on the contact number published on our website from 09.00-16.00 EET; or
  • by email, using the email addresses published on our website.

9. Chief information security officer (CISO)

Luxid has designated its Chief Information Security Officer to oversee matters relating to personal data protection and privacy compliance.

Our Chief information officer's contact details are:

Henrik Lagercrantz

Läntinen Rantakatu 3, 20100 Turku, Finland.

henrik.lagercrantz@luxidgroup.com