Privacy policy.
This Privacy Policy is drafted in concise, transparent, intelligible, and easily accessible form (Art. 12 GDPR). Every processing activity described below is tied to a lawful basis under Art. 6 GDPR.
1. Who is the Data Controller?
The Data Controller of your personal data is: Company name: JD Capa Registered address: Luxembourg, Grand-Duché de Luxembourg Luxembourg RCS: B234567 VAT number: LU23456789 Data protection inquiries: contact@jdcapa.lu Phone: +352 621 000 001 We have not appointed a Data Protection Officer (DPO), as this is not mandatory for our processing activities under Art. 37 GDPR.
2. What Data We Collect, Why, and on What Lawful Basis
Contact and enquiry data — name, email, phone, project description, commune, voluntary attachments. Purpose: responding to your request, technical qualification, quotes, and appointment scheduling. Lawful basis: Art. 6(1)(b) GDPR — pre-contractual steps / performance of a contract. Session and assistant data — conversation content, secure resume tokens, language preference. Purpose: operating the contact assistant and preserving session continuity. Lawful basis: Art. 6(1)(b) GDPR — pre-contractual steps; Art. 6(1)(f) GDPR — legitimate interest (service security and abuse prevention). Technical data — IP address, browser type, device information, server logs, cookies. Purpose: ensuring Website security, traffic analysis, and performance optimisation. Lawful basis: Art. 6(1)(f) GDPR — legitimate interest (security); Art. 6(1)(a) GDPR — consent (for analytical and marketing cookies where required). Newsletter data — email address and subscription preferences. Purpose: sending updates you have requested. Lawful basis: Art. 6(1)(a) GDPR — your explicit consent. Payment data — not collected directly through this Website. If you enter into a separate commercial agreement with us, payment and invoicing records may be processed to perform that contract and meet tax/accounting obligations under Art. 6(1)(b) and Art. 6(1)(c) GDPR.
3. Cookies and Tracking Technologies
We use cookies to improve your user experience. Strictly necessary cookies: enabled automatically to provide core functionalities (security, session management, consent storage). Analytical and marketing cookies: enabled only after your explicit consent via our cookie banner, in accordance with the ePrivacy Directive. You can withdraw your consent at any time via the cookie settings on our Website.
4. Data Recipients (Who We Share Your Data With)
We do not sell your data. We only transfer data to trusted third-party service providers acting as Data Processors under strict Data Processing Agreements (DPA pursuant to Art. 28 GDPR), including: — Hosting and edge infrastructure: Cloudflare (processing primarily within the EEA / with appropriate safeguards). — Analytics: Google Analytics / Google Tag Manager, activated only with consent and with IP anonymisation where configured. — Productivity and CRM tools: Google Workspace / Google Sheets, email, and calendar providers used to manage enquiries and appointments. Each processor is instructed only to process personal data on our documented instructions and subject to confidentiality and security obligations.
5. International Data Transfers (Outside the EEA)
If we transfer your data outside the European Economic Area (EEA), we ensure a level of protection equivalent to the GDPR by utilising: — European Commission adequacy decisions (including the EU-US Data Privacy Framework, where applicable). — Standard Contractual Clauses (SCCs) approved by the European Commission. — Additional technical and organisational measures where required by applicable guidance.
6. Data Retention Period
We retain your personal data only as long as necessary to fulfil the purposes for which it was collected: — Enquiry and lead data: for the duration of the commercial relationship and up to 5 years thereafter for legal and accounting purposes. — Newsletter data: until you withdraw consent (via the unsubscribe link or by contacting us). — Technical logs: up to 12 months, unless a longer period is required for security investigations. — Cookie consent records: as required to demonstrate valid consent under applicable law.
7. Your Rights Under the GDPR (Data Subject Rights)
You may exercise the following rights by contacting us at contact@jdcapa.lu. We will respond within 30 days (one month) of receipt. — Right of access (Art. 15): request a copy of your personal data. — Right to rectification (Art. 16): correct inaccurate or incomplete data. — Right to erasure / "right to be forgotten" (Art. 17): request deletion of your data. — Right to restriction of processing (Art. 18): limit processing in specific scenarios. — Right to data portability (Art. 20): receive your data in a structured, machine-readable format. — Right to object (Art. 21): object to processing based on legitimate interest or direct marketing. — Right to withdraw consent (Art. 7(3)): where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.
8. Right to Lodge a Complaint with a Supervisory Authority
If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a competent Data Protection Authority in the EU Member State of your habitual residence, place of work, or place of the alleged infringement. In Luxembourg, the supervisory authority is the Commission nationale pour la protection des données (CNPD): cnpd.public.lu. A directory of EU national data protection authorities is available here: https://edpb.europa.eu/about-edpb/about-edpb/members_en.
9. Updates to This Policy
The current version of this Privacy Policy is always available on this page. We may update this policy when our processing activities or legal requirements change. Material changes will be communicated via the Website or, where appropriate, by email.
