Privacy Policy

1. Introduction and scope

LUXROUTAGE is an e-commerce logistics solutions provider.

Its activities cover the receipt and quality control of goods, their storage, order preparation, shipping, as well as transport and parcel tracking, on behalf of its ordering parties.

LUXROUTAGE attaches great importance to the protection of privacy and respect for the personal data of the individuals with whom it interacts.

The purpose of this privacy policy is to inform you, in a clear and transparent manner, about the data processing we implement, the purposes pursued, the legal bases on which they rely, the recipients of the data, the retention periods applied, and the rights you have.

It applies to all processing carried out within the scope of our activities, in particular when you browse the site www.luxroutage.lu (hereinafter the "Site"), when you send us a contact or quote request, when you are a customer, prospect, supplier, or subcontractor, and when your data appears in an order we process on behalf of an ordering party.

This policy does not cover processing implemented by third parties, in particular by our ordering parties acting as data controllers, nor by the websites to which the Site may link via hyperlinks.

The LUXROUTAGE group has establishments in Luxembourg and France.

The processing of your data is carried out in accordance with Regulation (EU) 2016/679 of April 27, 2016 (hereinafter the "GDPR"), the Luxembourg law of August 1, 2018 on the organization of the National Commission for Data Protection and the general data protection framework, as well as, for the French establishment, the amended French law n° 78-17 of January 6, 1978 relating to information technology, data files and civil liberties.

2. Definitions

To facilitate the reading of this policy, the main terms used have the following meaning, in accordance with Article 4 of the GDPR:

  • Personal data: any information relating to an identified or identifiable natural person, directly or indirectly (name, identifier, location data, etc.).
  • Processing: any operation applied to data, such as collection, recording, organization, storage, consultation, use, disclosure, or erasure.
  • Data controller: the natural or legal person who determines the purposes and means of the processing, in this case LUXROUTAGE.
  • Processor: the natural or legal person who processes personal data on behalf of the controller and upon its instructions.
  • Data subject: the natural person whose data is processed (customer, prospect, contact, parcel recipient, etc.).
  • Recipient: a natural or legal person to whom the personal data are disclosed.
  • Consent: any freely given, specific, informed, and unambiguous indication of your wishes by which you agree to the processing of your personal data.
  • Data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.

3. Data Controller

The data is processed under the responsibility of Luxroutage:

LUXROUTAGE S.A.
Business Park Contern
11, rue Paul Rischard
L-5324 Contern, Luxembourg
Tel.: +352 28 12 52-1
dpo@luxroutage.lu

4. Data Protection Officer

LUXROUTAGE has appointed a Data Protection Officer (DPO), responsible for ensuring the compliance of processing operations and acting as your primary point of contact for any questions regarding the protection of your data or the exercise of your rights.

You can contact the Data Protection Officer:

  • by email: dpo@luxroutage.lu
  • by mail: LUXROUTAGE S.A., to the attention of the Data Protection Officer, Business Park Contern, 11, rue Paul Rischard, L-5324 Contern, Luxembourg.

5. Principles applicable to data processing

In accordance with Article 5 of the GDPR, LUXROUTAGE processes your data in compliance with the following principles:

  • Lawfulness, fairness and transparency: your data is processed lawfully, fairly and in a transparent manner, based on an identified legal basis.
  • Purpose limitation: your data is collected for specified, explicit and legitimate purposes, and is not further processed in a manner incompatible with those purposes.
  • Data minimization: only data that is adequate, relevant, and limited to what is necessary in relation to the purposes is collected.
  • Accuracy: reasonable steps are taken to ensure that inaccurate data are erased or rectified.
  • Storage limitation: data is kept only for the time necessary for the purposes pursued (see section 14).
  • Integrity and confidentiality: data is protected by appropriate technical and organizational measures (see section 15).
  • Accountability: LUXROUTAGE is able to demonstrate compliance with these principles.

6. Data subjects and categories of data

Depending on the context of our relationship, we process the following categories of persons and data:

  • Customers and their representatives (managers, contact persons): identification data (last name, first name, professional contact details), professional data (job title) and economic data (pricing conditions).
  • Prospects (quote request form): company name, contact person, contact details (address, email, phone, website) and information related to the logistics project (volumes, e-commerce platform, destination countries, etc.).
  • Persons contacting us (contact form): last name, first name, email address, subject and content of the message.
  • Parcel recipients (end customers of our ordering parties): identity, delivery address, and contact details necessary for shipping and tracking; in the event of a return, the data appearing on the return form possibly attached by the recipient (name, contract number and, where applicable, bank details for a refund).
  • Suppliers and subcontractors and their contacts: identification data, job title and economic data (including company bank details).
  • Site visitors: connection data and data deposited by cookies and trackers (see section 17).
  • Authors and persons targeted by a report (whistleblowing system): see section 20.

Special categories of data: we do not process, within the scope of these activities, so-called sensitive data within the meaning of Article 9 of the GDPR (racial or ethnic origin, opinions, health, etc.). We ask you not to provide us with such data, particularly in the free text fields of our forms.

7. Purposes and legal bases of processing

Each processing operation is based on one of the legal bases provided for in Article 6 of the GDPR, presented in the table below:

| Purpose | Data | Legal Basis | Retention |
| --- | --- | --- | --- |
| Customer relationship management (contracts, sales tracking, order management) | Identification, professional data, economic data | Performance of a contract and pre-contractual measures (Art. 6.1.b) for the contracting party; legitimate interest (Art. 6.1.f) for the contact details of clients' employees | 10 years from the end of the contractual relationship |
| Supplier and subcontractor management | Identification, function, economic data | Performance of a contract (Art. 6.1.b); legitimate interest (Art. 6.1.f) for contact details | 10 years from the end of the contractual relationship |
| Execution of logistics services (preparation, shipping, delivery and tracking of parcels) | Identity and address of recipients, tracking data | Performance of the contract concluded with the ordering party (Art. 6.1.b); legitimate interest (Art. 6.1.f) | Time necessary to execute the order, then statutory retention obligations |
| Processing of returns and secure destruction of media | Data appearing on return forms | Performance of a contract (Art. 6.1.b) and legitimate interest (Art. 6.1.f) | Destruction upon registration of the return |
| Responding to requests (contact and quote forms) | Contact details and content of the request | Pre-contractual measures (Art. 6.1.b) or legitimate interest to respond (Art. 6.1.f) | Time necessary to process the request; for prospects, up to 3 years after the last contact |
| Management of cookies and trackers | Browsing data | Consent (Art. 6.1.a) for non-essential trackers; legitimate interest for strictly necessary trackers | Maximum 13 months (see section 17) |
| Reporting system (whistleblowers) | Data relating to the report and the persons concerned | Legal obligation (Art. 6.1.c) and legitimate interest (Art. 6.1.f) | Time necessary to process the report |
| Management of requests to exercise rights | Identity and supporting documents | Legal obligation (Art. 6.1.c) | Time necessary for processing, then archiving for evidentiary purposes |
| Compliance with legal obligations (accounting, tax) | Contractual and billing data | Legal obligation (Art. 6.1.c) | Statutory retention periods for accounting and tax |

Details on the legal bases

  • Performance of a contract or pre-contractual measures (Art. 6.1.b). When you are our contracting party, or a prospect requesting a quote, the processing is necessary for the conclusion or performance of the contract.
  • Compliance with a legal obligation (Art. 6.1.c). Certain processing operations respond to obligations imposed on us, particularly in accounting, tax, and whistleblower protection matters.
  • Legitimate interest (Art. 6.1.f). Other processing operations are based on our legitimate interests, for example, the development and management of our business, the security of our systems, or communication with the contacts of our clients and suppliers. We perform a balancing test between these interests and your rights and freedoms when required. You can object to processing based on this ground at any time, for reasons relating to your particular situation (see section 21).
  • Consent (Art. 6.1.a). When processing is based on your consent, particularly for certain trackers, you can withdraw it at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

8. Mandatory or optional nature of the collection

In our forms, the fields that must be provided are indicated as mandatory (for example by an asterisk). Failure to provide them may result in our inability to process your request, establish a quote, or execute our services.

The other information is optional and is intended to better meet your needs.

9. Origin of data

Your data is collected:

  • directly from you, when you fill out a form on the Site, interact with our teams, or conclude a contract;
  • indirectly, from our ordering parties, regarding the data of parcel recipients transmitted in the context of the orders we execute on their behalf.

In the event of indirect collection, the information provided for in Article 14 of the GDPR is provided, where applicable, by the relevant ordering party as well as by this policy.

10. Data recipients

Your data is accessible, on a need-to-know basis, to the relevant internal departments (sales, operations and logistics, IT, accounting).

It may be disclosed to the following categories of external recipients:

  • partner carriers and delivery service providers, for the routing of parcels;
  • IT and hosting service providers ensuring the operation of our tools and our warehouse management system;
  • waste management and destruction service providers, for the secure destruction of media;
  • external advisors (accountants, legal counsel);
  • authorities, administrations, and public bodies, when the law requires or authorizes us to do so.

We do not sell your personal data and do not disclose it to third parties for their own commercial prospecting purposes.

11. Use of processors

For certain operations, LUXROUTAGE uses processors (subcontractors) who process data on its behalf and on its instructions. In accordance with Article 28 of the GDPR, these service providers are selected based on the guarantees they offer and are bound by a contract governing their obligations, including:

  • to process the data only on documented instructions from the controller;
  • to ensure the confidentiality of the data and the training of authorized persons;
  • to implement appropriate security measures;
  • to assist the controller in ensuring compliance with its obligations and in managing requests for the exercise of rights;
  • to delete or return the data at the end of the provision of services.

12. Joint controllership

When the group's Luxembourg and French establishments jointly determine the purposes and means of processing, they act as joint controllers within the meaning of Article 26 of the GDPR.

In this case, an agreement transparently defines their respective obligations, particularly regarding the exercise of your rights and the provision of information.

13. Data transfers outside the European Union

In the context of international shipments, data strictly necessary for delivery (identity and address of the recipient) may be transmitted to carriers and customs authorities located in the destination country, including outside the European Economic Area, when the order requires it.

These transfers are then based on the necessity to perform a contract or to implement pre-contractual measures (Article 49.1.b of the GDPR).

14. Retention periods

Your data is kept for the period strictly necessary for the purposes described in section 7, according to the following principles:

| Data concerned | Retention period |
| --- | --- |
| Data of clients and suppliers (contracts, invoicing) | 10 years from the end of the contractual relationship, in accordance with accounting and commercial obligations |
| Data of parcel recipients | Time necessary to execute the order and process any complaints, then archiving in compliance with statutory obligations |
| Return forms | Destruction upon registration of the return |
| Prospect data (quotes, contact) | Time necessary to process the request; in the absence of a contractual relationship, up to 3 years after the last contact |
| Connection data and technical logs | In accordance with the statutory obligations applicable to log retention |
| Cookies and trackers | Maximum 13 months for trackers; maximum 25 months for associated audience data |
| Reports (whistleblowers) | Time necessary to process the report, then archiving or deletion according to regulations |
| Supporting documents linked to the exercise of rights | Time necessary for processing, then retention for evidentiary purposes within the limits of statutory limitation periods |

At the expiration of these periods, your data is irreversibly deleted or anonymized.

Certain data may be subject to intermediate archiving with restricted access when its retention is necessary to comply with a legal obligation or for the establishment, exercise, or defense of legal claims.

15. Data security

LUXROUTAGE implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk and to protect your data against unauthorized destruction, loss, alteration, disclosure, or access, including:

  • control of physical access to premises and storage areas (locked offices and cabinets);
  • logical access management based on the need-to-know principle, as well as a policy of regular password renewal;
  • staff confidentiality commitments and contractual framing of service providers;
  • backup and protection measures for our information systems.

These measures are regularly reviewed to take into account the evolution of risks and the state of the art.

16. Data breaches

In the event of a personal data breach likely to result in a risk to your rights and freedoms, LUXROUTAGE notifies the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, in accordance with Article 33 of the GDPR.

When the personal data breach is likely to result in a high risk to your rights and freedoms, we will communicate the breach to you without undue delay, in accordance with Article 34 of the GDPR.

17. Cookies and trackers

A cookie is a small file deposited and read when you visit a website, use an application, or view an advertisement. The Site uses different categories of trackers:

  • Strictly necessary trackers: essential for the operation of the Site and the provision of the services you request. They do not require your consent.
  • Audience measurement trackers: intended to establish visitor statistics. When they do not benefit from an exemption, they are subject to your consent.
  • Functionality trackers: intended to remember your preferences to improve your browsing comfort.
  • Third-party content and third-party trackers: linked to the integration of external content (videos, social modules, etc.), likely to deposit their own trackers, subject to consent.

Non-essential trackers are only deposited after obtaining your consent, expressed through the consent management module.

You can change your choices or withdraw your consent at any time via this module, as well as by configuring your browser to accept or refuse cookies. Refusing certain trackers may affect access to certain features of the Site.

The lifespan of trackers subject to consent does not exceed 13 months, and the information collected through them is kept for a maximum of 25 months, in accordance with the recommendations of the supervisory authorities.

18. Third-party content, links, and social networks

The Site may integrate content from other sites (for example, videos) or link to third-party sites, particularly social networks.

This content and these sites behave as if you were visiting the relevant site directly and may collect data about you and deposit their own trackers. LUXROUTAGE has no control over these processing operations, which are the responsibility of the respective publishers.

We invite you to consult their own privacy policies.

19. Data concerning minors

Our services are intended for professionals and are not aimed at minors. We do not knowingly collect data relating to minors.

If you believe that a minor has provided us with data without the required authorization, we invite you to contact our Data Protection Officer so that we can proceed, if necessary, with its deletion.

20. Reporting system (whistleblowers)

LUXROUTAGE provides a reporting system to report certain breaches.

Data processed in this context is subject to restricted access to authorized persons only and is processed strictly confidentially, while protecting the author of the report and the persons targeted.

This processing is based on compliance with a statutory obligation and on our legitimate interest, in accordance with applicable regulations on whistleblower protection (Luxembourg law of May 16, 2023, transposing Directive (EU) 2019/1937 and, for the French establishment, amended law n° 2016-1691). The data is kept for the time necessary to process the report, then archived or deleted in accordance with the regulations.

21. Your rights regarding your data

In accordance with the GDPR, you have the following rights, which you can exercise according to the procedures described in section 22:

  • Right of access (Art. 15). You can obtain confirmation as to whether or not personal data concerning you is being processed and, where that is the case, obtain a copy of it and information about this processing.
  • Right to rectification (Art. 16). You can obtain the rectification of inaccurate data and the completion of incomplete data.
  • Right to erasure (Art. 17). You can request the erasure of your data in the cases provided for by law, for example when it is no longer necessary or when you withdraw your consent, subject to our statutory retention obligations.
  • Right to restriction of processing (Art. 18). You can request the freezing of the use of certain data in defined cases, for example while verifying its accuracy.
  • Right to object (Art. 21). You can object, on grounds relating to your particular situation, to processing based on legitimate interest. You can also object at any time to processing for direct marketing purposes.
  • Right to data portability (Art. 20). For processing based on consent or a contract and carried out by automated means, you can receive the data you provided to us in a structured, machine-readable format, or request its transmission to another controller where technically feasible.
  • Right to withdraw consent. When processing is based on your consent, you can withdraw it at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
  • Automated decision-making and profiling (Art. 22). We do not make decisions based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
  • Post-mortem directives. If you reside in France, you can define directives regarding the retention, erasure, and disclosure of your data after your death.

22. How to exercise your rights

You can exercise your rights by contacting our Data Protection Officer by email at dpo@luxroutage.lu, or by mail at the address indicated in section 4.

In order to process your request, we may need to verify your identity and, in case of reasonable doubt, ask you for proof.

We undertake to respond within one month of receiving your request, a period that may be extended by two months where requests are complex or numerous, in which case you will be informed. The exercise of your rights is in principle free of charge; however, in the case of manifestly unfounded or excessive requests, we may charge a reasonable fee or refuse to act on the request, in accordance with Article 12 of the GDPR.

23. Complaint to a supervisory authority

If, after contacting us, you believe that the processing of your data does not comply with the regulations, you can lodge a complaint with the competent supervisory authority, in particular that of your place of residence or your place of work:

Luxembourg:

National Commission for Data Protection (CNPD)
15, Boulevard du Jazz
L-4370 Belvaux
Tel.: +352 26 10 60-1
cnpd.public.lu

France:

National Commission on Informatics and Liberty (CNIL)
3 Place de Fontenoy, TSA 80715
75334 Paris Cedex 07
Tel.: +33 1 53 73 22 22
cnil.fr

24. Changes to this policy

This privacy policy may be updated to reflect changes in our activities, our tools, or regulations.

The applicable version is the one published on the Site, whose date of last update appears at the top of the document. In the event of a substantial modification, we will strive to inform you by appropriate means.

We invite you to consult this page regularly.

Appendix: reference texts

  • Regulation (EU) 2016/679 of April 27, 2016 (GDPR);
  • Luxembourg law of August 1, 2018 on the organization of the National Commission for Data Protection and the general data protection framework;
  • Amended French law n° 78-17 of January 6, 1978 relating to information technology, data files and civil liberties;
  • Directive 2002/58/EC (privacy and electronic communications) and its national transposition texts;
  • Luxembourg law of May 16, 2023, and amended French law n° 2016-1691, relating to the protection of whistleblowers.