Privacy Policy

1. Data Controller

LuxFundIQ (operated by Vivek Gupta) is the data controller for personal data processed through the LuxFundIQ platform (https://luxfundiq.com).

Contact: privacy@luxfundiq.com

LuxFundIQ operates from Luxembourg and complies with Regulation (EU) 2016/679 (GDPR) and the Luxembourg Law of 1 August 2018 on the organisation of the Commission Nationale pour la Protection des Données (CNPD).

2. Data We Collect

We collect only the data necessary to provide the service:

• Account data: email address, display name, hashed password (when you register with credentials)
• Usage data: chapters started/completed, scenario attempt scores, badges earned
• Technical data: IP address, browser type, and session tokens (for security and fraud prevention)
• Communications: if you contact us by email, we retain that correspondence

We do not collect payment data, government IDs, or sensitive personal data as defined under GDPR Art. 9.

3. Legal Basis for Processing

We process personal data on the following legal bases (GDPR Art. 6):

• Contract performance (Art. 6(1)(b)): to provide your account and track your learning progress
• Legitimate interests (Art. 6(1)(f)): to prevent abuse, secure the platform, and improve service quality
• Consent (Art. 6(1)(a)): for non-essential cookies and optional communications — you may withdraw consent at any time

4. How We Use Your Data

• Authenticating your account and maintaining your session
• Storing and displaying your learning progress and badges
• Sending transactional emails: email verification and password reset
• Detecting and preventing fraudulent or abusive behaviour
• Aggregated, anonymised analytics to improve the platform (no individual profiles sold or shared)

5. Data Retention

We retain your data for as long as your account is active. If you delete your account, all personal data is erased within 30 days, except where retention is required by applicable law.

Server access logs are retained for a maximum of 90 days for security purposes.

6. Data Sharing

We do not sell, rent, or trade your personal data. Data may be shared only in these limited circumstances:

• Infrastructure providers: the server hosting LuxFundIQ (processor role, bound by data processing agreements)
• Legal obligation: if required by a court order or competent supervisory authority

All data is stored on servers located within the European Union.

7. Cookies

We use strictly necessary cookies to maintain your authenticated session. No third-party advertising or tracking cookies are set. See our Cookie Policy for full details.

8. Your Rights Under GDPR

As a data subject, you have the following rights:

• Right of access (Art. 15): obtain a copy of the personal data we hold about you
• Right to rectification (Art. 16): correct inaccurate data
• Right to erasure (Art. 17): request deletion of your account and associated data
• Right to restriction of processing (Art. 18): ask us to pause processing while a dispute is resolved
• Right to data portability (Art. 20): receive your data in a structured, machine-readable format
• Right to object (Art. 21): object to processing based on legitimate interests
• Right to withdraw consent: at any time, without affecting prior processing

To exercise any of these rights, email privacy@luxfundiq.com. We will respond within 30 days.

You also have the right to lodge a complaint with the Luxembourg CNPD (Commission Nationale pour la Protection des Données): cnpd.public.lu

9. Data Security

We implement appropriate technical and organisational measures including: bcrypt password hashing, HTTPS/TLS encryption in transit, JWT session tokens, and access controls limited to authorised personnel.

10. Changes to This Policy

We may update this policy to reflect changes in our practices or applicable law. Material changes will be communicated by posting the updated policy with a new "last updated" date. Continued use after notice constitutes acceptance.