Data privacy policy

Choosing luko means trusting us in case of any problems, but also in the use of your data. To maintain your trust, we believe it is essential to help you understand our privacy practices.

Last updated on 20/11/2020.

Why have a privacy policy?

In the context of its commercial activity of multi-risk housing insurance, luko is required to process sensitive personal data. We therefore attach the utmost importance to the security and confidentiality of the data of the users of luko's services, both on the luko.eu website and on the mobile application made available to them.

The purpose of this privacy policy is to help you understand how we treat the personal data you provide us, in accordance with the GDPR and the recommendations of the CNIL, the EDPS, and in particular the insurance compliance pack.

This privacy policy may be updated regularly, to enrich it, according to the needs and functioning of luko, circumstances or if required by law. We therefore invite you to regularly check for updates, although we will always notify you of significant changes affecting the way your data is processed.

Our main principles

Above all, we have set ourselves two key principles which are also included in our contracts:

  • luko will never sell the data collected about its customers and prospects within the framework of the services offered. We make our living by building and managing insurance products and services around the protection of your home, not by reselling our users' data. They remain in control of their data,
  • luko will never use your household protection data to apply discriminatory tariffs. We strongly believe in the strength of solidarity and the mutualisation of risks between insured persons.

In accordance with the regulations, and in particular the General Data Protection Regulation, we undertake to collect and process only the data that is strictly necessary with regard to its purpose. Likewise, we undertake to ensure that the data collected is kept in a form that allows your identification for a period that does not exceed the time required for the purposes for which the data is collected and processed. Finally, we undertake not to disclose this personal data to other persons not entitled to access it, whether private or public, natural or legal persons.

Who is responsible for processing?

Luko acts as data controller or joint data controller (with your insurer) within the meaning of article 4 of the GDPR (article 3 of law no. 78-17 of 6 January relating to information technology, files and freedoms):

  • luko determines the means and purposes of the data processing necessary to set up your insurance cover (alone or with an insurance company).
  • Luko alone determines the means and purposes of data processing necessary for the installation of your devices (Luko Elec, luko Door, luko Bridge).
  • The operations carried out on the data by luko are necessary for its own activity. The criteria mentioned in the subcontractor's guide issued in September 2017 by the CNIL exclude the qualification of luko as a subcontractor.

I have a request and wish to invoke my data protection rights

If you have any questions regarding security and personal data, or to enable you to exercise your rights of access, rectification, deletion, withdrawal of consent, limitation of processing, objection to processing or portability, you can contact us and our Data Protection Officer (DPO) at dpo@luko.eu. luko will ensure that you receive an answer as soon as possible.

For any complaint concerning your personal data, you can either contact our DPO or contact the Commission Nationale Informatique et Liberté (CNIL) directly at https://www.cnil.fr.

What personal data do we process?

For the management of MRH, PNO and NVEI contracts

When taking out an insurance contract, we collect the following personal data for each insured person or beneficiary of the cover:

  • First Name and Last Name
  • E-mail address
  • Phone number
  • Date of birth
  • Gender
  • Address of the insured accommodation (only in the case of MRH and PNO contracts)
  • Type of accommodation (only in the context of MRH and PNO contracts)
  • Occupancy status of the accommodation (only in the context of MRH and PNO contracts)
  • Bank information related to the payment

On what legal basis? How do we use it? 

  • Setting up of insurance operations (Art. 6 (1) (b) of the GDPR)
    - Management and implementation of insurance operations
    - Insurance intermediation and advice
    - Customer account management on the luko platform.
  • Compliance with our legal obligations (Art. 6 (1) (c) of the GDPR)
    - Fight against money laundering and terrorist financing
    - Fight against insurance fraud
    - Protection of personal data
  • Legitimate interest of luko (Art. 6 (1) (f) GDPR)
    - Commercial management and content marketing
    - Measuring the quality of our service and customer satisfaction
  • Customer consent (Art. 6 (1) (a) of the GDPR)

How long do we store this data?

The personal data necessary for the execution and management of the insurance contract is kept for the duration of the contract. Also, we keep the personal data of 

(1) our customers following their termination for a maximum of 2 years, for unsigned quotations and contracts 5 years (the duration of the statutory limitation period) or 10 years if liability is incurred, based on our legal and contractual obligations 

(2) our prospects following their collection from the prospect for a maximum period of 3 years in intermediate archiving for the purposes of commercial prospecting and personalisation of our offers. For the moment, luko only keeps this data for 2 years on an active basis.

What happens to my personal data at the end of their storage period?

Today, when the retention period of your data - defined according to the purpose for which the data was collected - has expired, we will delete your data. 

Can I request the deletion of these data when they concern me?

Data related to prospecting or those kept in the absence of a signed contract can be deleted. All you have to do is send a request to dpo@luko.eu. 

However, the personal data necessary for the execution and management of the insurance contract must be kept for the entire duration of the contract.

How can I view or change my data?

You can view or change your data at any time directly from your luko personal account or via the luko application (Profile > My information). In some cases, an intervention by our customer service is required (e.g. for certain retroactive changes).

 

For the operation of the contract (with GLISE, WAKAM/LPA, your insurers and Stelliant)

Personal data of our insured persons or other beneficiaries, as the case may be, are transmitted to us directly by our insured persons or on their behalf with their explicit consent (e.g. to automate the retrieval of receipts from their space or from a third party site), in particular:

  • First name and Last name
  • Personal e-mail address
  • Postal address
  • Bank details (for payments and reimbursements)
  • Documents required for the reimbursement of claims
  • Messages and attachments exchanged with our customer service department

On what legal basis? How do we use it?

  • Setting up of insurance operations (Art. 6 (1) (b) of the GDPR)
    - Management and implementation of insurance operations (reimbursing expenses according to contract guarantees, claims and litigation management)
    - Insurance intermediation and advice
    - Customer account management on the luko platform.
  • Compliance with our legal, regulatory and administrative obligations (Art. 6 (1) (c) of the GDPR)
    - Fight against money laundering and terrorist financing (it's very intimidating, but it's part of our legal obligations)
    - Fight against insurance fraud (in particular the analysis and detection of acts presenting an anomaly or the management of alerts and procedures following a case of fraud)
    - Protection of personal data
  • Legitimate interest of luko (Art. 6 (1) (f) of the GDPR)
    - Development of statistics and actuarial studies
    - Commercial management and marketing of content
    - Measuring the quality of our service and customer satisfaction

This data is necessary for the execution of the contract with luko by the insured person himself. It is therefore not subject to prior consent. 

How long do we keep this data?

The personal data necessary for the execution and management of the insurance contract is kept for the duration of the contract. Also, we retain our customers' personal data following termination of the contract for a maximum period of 2 years or 5 years for non-contractual information (the duration of the statute of limitations under general law), on the basis of our legal and contractual obligations.

Can I request the deletion of these data when they concern me?

No, this data is necessary for the operation of the contract and we are obliged to keep it.

For advice via our Docteur House videoconsultation service

After a consultation by an insured person, the following information is sent to us:

  • First name and Last name 
  • Number of rooms
  • Address
  • Date and duration of the videoconference
  • Conclusion on housing

On what legal basis? How do we use it? 

  • Legitimate interest of luko (Art. 6 (1) (f) of the GDPR).
    - Improvement of the quality of our telemedicine service Doctor House.
  • Customer consent (Art. 6 (1) (a) of the GDPR).
    Indeed, the consent of the insured person is collected

How long do we keep this data?

2 years.

Can I request the deletion of these data when they concern me?

Yes, just send a request to dpo@luko.eu.

 

For the management and execution of the assistance contract (with Opteven, your assistant)

Personal data is transmitted to us directly by the insured person:

  • First name and Last name
  • Personal e-mail address
  • Social security number
  • Bank details (for refunds)
  • Messages and attachments exchanged with our customer service department

On what legal basis?  How do we use it? 

  • Setting up of insurance operations (Art. 6 (1) (b) of the GDPR)
    - Management and setting up of insurance operations (reimbursing expenses according to the guarantees of the contract)
    - Client account management (communication with the contract holder, access to the account to manage the contract)
  • Compliance with our legal, regulatory and administrative obligations (Art. 6 (1) (c) of the GDPR)
    - Fight against money laundering and terrorist financing (it's very intimidating, but it's part of our legal obligations)
    - Fight against insurance fraud (in particular the analysis and detection of acts presenting an anomaly or the management of alerts and procedures following a case of fraud)
    - Protection of personal data
  • Legitimate interest of luko (Art. 6 (1) (f) of the GDPR)
    - Development of statistics and actuarial studies
  • Customer consent (Art. 6 (1) (a) of the GDPR).
    Indeed, the consent of the insured person is collected

How long do we keep this data?

The personal data necessary for the execution and management of the insurance contract is kept for the duration of the contract. Also, we retain our customers' personal data following termination of the contract for a maximum period of 5 years (the duration of the statutory limitation period under ordinary law) or 10 years if civil liability is involved, on the basis of our legal and contractual obligations.

What happens to my personal data at the end of their storage period?

Today, when the retention period of your data - defined according to the purpose for which the data was collected - has expired, we will delete your data. 

Can I request the deletion of these data when they concern me?

No, this data is necessary for the operation of the contract and we are obliged to keep it.

 

Measuring the satisfaction of our members

Because it is important for us to build a tailor-made service for our policyholders, we measure their satisfaction over time through a rating system that they can choose to enter in the application. From this scoring system, we calculate a "Net Promoter Score" or "NPS".

On what legal basis? How do we use it? 

  • Legitimate interest of luko (Art. 6 (1) (f) of the GDPR)
    It is in luko's legitimate interest to improve its services according to the satisfaction of its members. In concrete terms, this allows us to identify factors of dissatisfaction that could allow us to improve our services or, conversely, things that need to be reinforced because they are highly appreciated.

How long do we keep this data?

We keep this data for as long as it takes to carry out the analyses and measure how they evolve, consistent with the luko processing register. We then anonymise or delete it.

Is this data transferred?

The transfer of personal data by our company to subcontractors who support us in delivering our services is necessary so that luko can dedicate itself to taking care of you and have the tools to do so.

Any transfer project as referred to in the previous paragraph, for any reason whatsoever and to any person whatsoever, must be presented to the DPO so that the DPO can study the feasibility of the transfer operation beforehand and implement the appropriate procedures.

Can I ask for my data to be deleted?

Yes, just send a request to dpo@luko.eu.

 

Covid-19 Attestation

As part of the management of the health crisis linked to Covid-19, we are making available to our members online certificate templates allowing them to travel for the reasons foreseen in relation to the health crisis. All the data filled in on the certificate remains on your device, without luko making any link between the member filling it in and the information entered.

On what legal basis? How do we use it?

  • Customer consent (Art. 6 (1) (a) of the GDPR)
    The certificate is filled on a voluntary basis by users. We do not use the data you provide at all.

How long do we keep this data?

We do not store the data.

For audience measurement (analytics) and the smooth running of our platform

Some data is collected automatically when you visit luko.eu (including other sites published by luko such as blog.luko.eu and map.luko.eu) and when you use our mobile application. The data collected includes:

  • IP address and access provider
  • Technical login
  • Information about your equipment (e.g. type of Internet connection, type of device used, browser used and its version, etc.).
  • Time-stamp and visit duration information
  • Visited pages
  • Clicks and other interactions on the different pages
  • Possible errors (on the browser, the mobile application or our servers)

On what legal basis? How do we use it?

  • Customer consent (Art. 6 (1) (a) of the GDPR)
    Where applicable, the collection is subject to the explicit consent of the user (cookie banner). This consent is valid for 13 months from the date of registration. 
  • Legitimate interest of luko (Art. 6 (1) (f) of the GDPR)
    - Commercial management and content marketing
    - Identification of customers or prospects to improve the service by offering products or services to reduce claims or to offer a contract or additional service.
    - Customer knowledge and customer relationship management
    - Customer Satisfaction Management
  • Compliance with our legal, regulatory and administrative obligations (Art. 6 (1) (c) of the GDPR)
    - Fight against money laundering and terrorist financing (it's very intimidating, but it's part of our legal obligations)
    - Fight against insurance fraud (in particular the analysis and detection of acts presenting an anomaly or the management of alerts and procedures following a case of fraud)

How long do we keep this data?

2 years maximum.

Can I ask for my data to be deleted?

Absolutely (with the exception of those collected as part of a legal obligation), all you have to do is send a request to dpo@luko.eu.

 

For Luko Protection Technologies

Luko offers an advanced home protection service using proprietary protection technologies. These are based on and measure data, which is then processed to provide you with the best service. This data can be:

  • Data relating to your identity: your account details for the use of the Luko application, the address of the household to be protected (already under contract) and complete information for the delivery of the technologies.
  • Data relating to measurements in your household: the open status of your door (open, closed, locked, moving), your electricity consumption, the number and type of appliances in the household
  • Technical data, to ensure the configuration and security of the protection products and services: activation date of the Products, battery level, serial number of the Products, debugging information and Wi-Fi network.

Your bank details are processed when you order Products and Protection Services on our website or on our application. They are only used for verification purposes and are not stored.

On what legal basis? How do we use it?

The processing register precisely defines the legal basis for the data processing undertaken by Luko.

  • Contractual execution (Art. 6 (1) (b) of the GDPR)
    - Supply of Home Protection Products and Services. The data collected is stored on your Luko account and is accessible on your application. They are indicated as raw data (hourly electricity consumption, door opening event) or as data that has been analysed or interpreted (electricity consumption over the month, week, intrusion alert in your home).
    - Customer knowledge and customer relationship management
  • Legitimate interest of luko (Art. 6 (1) (f) GDPR)
    - Commercial management and content marketing
    - Identification of customers or prospects to improve the service by offering products or services to reduce claims or to offer a contract or additional service.
    - Customer Satisfaction Management
    - Communication with our Customer Service: When you contact our customer service department to resolve a problem you have reported, members of our team may need to process your personal data.
    - Improving our Products and Services: To improve the quality of our Products and Services and your user experience, we may process certain information to correct or change software settings. For each of these purposes, your consent to this Policy, collected when you order home protection products, is required by law. In addition, your data may be anonymised, i.e. no longer identifiable to you or linked to your Luko account, and used as raw data by our Luko teams to establish studies and analyses in the field of home protection in order to advance scientific research.

When is this data collected?

  • When you create a Luko account, you must provide us with some of your personal identity information. This account is the central element of our Home Protection Products and Services as it allows you to access and control your personal data. 
  • When you use our application, some of your personal data is stored in your Luko account. This is the case when you set up time alerts for movement on your door, share information, fill in a field on the Application, install and synchronise your Products, as well as when you activate certain optional features such as geolocation in your phone settings. 
  • When you use our Home Protection Products and Services, your personal data is collected to enable you to monitor your home as closely as possible. Depending on the purpose, each Product requires the collection and processing of specific personal data. For example, Luko Elec collects your electricity consumption, whereas Luko Door only collects data related to the security of your door. 
  • When you choose to share Luko data with other applications, we exchange data with partners via API (Application Programming Interface). You can stop this connection at any time by logging in to your account and changing your sharing preferences.
  • When you contact customer support, some of your personal data stored in your Luko account is accessible to our teams until the problem is solved.

Our protection technologies are entirely optional for all Luko policyholders, and can be removed at any time by the policyholders who installed them.

What do I have to do to use my connected devices sensibly?

Luko attaches great importance to privacy, and we assume that our products are guests in your home.

When you use a Luko product (or other connected device), you should bear in mind that you may be collecting information about other people. It is your responsibility to comply with all laws governing the use of connected devices, and to seek the consent of persons on whose behalf you may collect data.

How long do we keep the data?

The data of your protection technologies are kept for a maximum of 3 years by default. 

The data of your account, created for the Luko insurance service, is kept for 2 years after the termination of your contract, 5 years for data not related to the insurance contract.

Can I ask for my data to be deleted?

Absolutely (with the exception of those collected as part of a legal obligation), all you have to do is send a request to dpo@luko.eu.

What protection for my data?

Data security is an extremely important issue for us and we do our utmost to be worthy of the trust you place in us. Here are a few examples of the measures we have taken. If you're not an IT enthusiast, some of it may not mean much to you. To keep it as short as possible, we won't go into detail, but we have added explanatory links in the relevant sections. If you have any questions on a specific point, we will be happy to answer them: write to us at dpo@luko.eu.

Learn more about cookies

Get information on what cookies are used on www.luko.eu and manage your cookie consent from this page.