Privacy Policy
Protection of your personal data on e-KYC.lu
1. Data Controller
IT-secure Luxembourg SARL, publisher of the e-KYC.lu platform, registered with the Luxembourg Trade and Companies Register under number B174255, with its registered office at 87, route d'Esch, L-4450 Belvaux, Grand Duchy of Luxembourg.
Hosted by HostCitadel (hostcitadel.com).
2. Data Collected
We collect and process the following categories of data:
- Identification data: name, surname, professional email address, job title — for account management and authentication
- KYC data: data relating to our users' clients and counterparties, strictly within the AML/CFT compliance framework (encrypted with an individual password per file)
- Training data: AML/CFT training results, certifications obtained, progression history
- Technical data: IP address, browser, cookies, access logs — for security and service improvement
- Billing data: payment information — e-KYC.lu does not store bank card data
Data is transmitted via the SSL/TLS security protocol, ensuring encryption of data in transit.
3. Purposes of Processing
Your data is used for:
- Provision of KYC/AML compliance services
- User account and credit management
- Issuance of AML/CFT training certifications
- Communication with users (notifications, support)
- Billing and subscription management
- Platform improvement and anonymised statistics
- Platform security and technical issue detection
- Compliance with legal and regulatory obligations
4. Legal Basis
The processing of your data is based on:
- Performance of contract: provision of the KYC/AML compliance service pursuant to the accepted Terms of Use (Art. 6.1.b GDPR)
- Legal obligation: retention of compliance data pursuant to the Law of 12 November 2004 on combating money laundering and terrorist financing (Art. 6.1.c GDPR)
- Legitimate interest: service improvement, security, fraud prevention (Art. 6.1.f GDPR)
- Consent: non-essential cookies, marketing communications (Art. 6.1.a GDPR)
5. Retention Period
- Account data: duration of contract + 3 years after deletion
- Encrypted KYC data: 5 years after the end of the business relationship (AML/CFT legal obligation)
- Training data: 5 years (legal obligation)
- Billing data: 10 years (accounting obligation)
- Access logs: 12 months
- Cookies: 13 months maximum
6. Data Recipients
Personal data will not be provided to third parties except as required by law. Your data is accessible only to:
- Authorised persons within your organisation (administrators, compliance officers) according to configured roles
- e-KYC.lu technical teams for support and maintenance
Technical subcontractors:
- HostCitadel — server hosting (European Union)
7. International Transfers
e-KYC.lu is committed to taking all necessary measures to ensure your data is processed securely and in compliance with the GDPR. Currently, all our primary servers and subcontractors are located within the European Union. No transfers of data outside the EEA are made.
8. Your Rights
In accordance with the GDPR, you have the following rights:
- Right of confirmation: to know whether your data is being processed
- Right of access: to obtain a copy of your personal data
- Right of rectification: to correct inaccurate or incomplete data
- Right to erasure: to request deletion of your data (subject to AML/CFT legal retention obligations)
- Right to data portability: to receive your data in a structured format
- Right to object: to object to the processing of your data
- Right to restriction: to restrict the processing of your data
To exercise your rights, contact us at contact@it-secure.lu, enclosing a copy of your identity document.
9. Cookies and Tracking Technologies
We use only strictly necessary cookies:
- Session cookies: to identify your login session
- Preference cookies: to remember your settings (language, theme)
- Security cookies: to protect your account
No advertising or analytics tracking cookies are used.
10. Security
The security of your data is our priority. We implement appropriate technical and organisational measures:
- TLS encryption in transit
- End-to-end encryption of sensitive KYC data
- Individual password per KYC file
- Role-based access control
- Access logging
- Regular backups and business continuity plan
- Secure hosting within the European Union
However, no method of transmission over the Internet or electronic storage is 100% secure. We endeavour to use commercially acceptable means to protect your data.
11. Data Protection Impact Assessment (DPIA)
In accordance with Article 35 of the GDPR, a Data Protection Impact Assessment (DPIA) has been carried out for processing activities likely to result in a high risk to the rights and freedoms of individuals, in particular the large-scale processing of KYC data.
12. Protection of Minors
Our service is exclusively for professionals and does not knowingly collect personal data from minors.
13. Amendments to this Policy
We may update this policy in response to legal and regulatory developments. Amendments take effect upon publication on this page. We will inform you of any material change by email or in-app notification.
14. Unsolicited Communications
e-KYC.lu does not send unsolicited commercial communications. Only service-related notifications (screening alerts, compliance updates, training notifications) are sent automatically. Marketing communications require your prior consent.
15. Contact
For any questions regarding this privacy policy, please contact us:
- Email: contact@it-secure.lu
- Company: IT-secure Luxembourg SARL
- Address: 87, route d'Esch, L-4450 Belvaux, Luxembourg
You may also lodge a complaint with the CNPD (Commission Nationale pour la Protection des Données — Luxembourg Data Protection Authority): cnpd.public.lu
Last updated: March 2026