GDPR · Privacy
Privacy policy
GDPR-compliant (EU Regulation 2016/679) — updated 27 April 2026
1. Data controller
Carmony SARL-S, 27 Am Aker, L-4893 Lamadelaine, Luxembourg — VAT LU37272784. Contact: contact@carmonygmbh.com / +352 691 540 463.
2. Data collected
We collect and process the following personal data during your relationship with Carmony:
| Category | Data | Source |
|---|---|---|
| Identity | Title, surname, first name, date of birth, nationality | You, KYC |
| Contact | Email, phone, postal address | You |
| Customer account | Login, password (Argon2id-hashed), language/channel preferences | You |
| KYC documents | ID document, proof of address, bank details, business register extract, articles of association (B2B), UBO | You, registers |
| Orders | Quotes, order forms, invoices, payments | Carmony |
| Navigation | Server logs (IP, user-agent), essential cookies | Automatic |
| Communications | Emails, SMS, WhatsApp exchanged with our teams | You, Carmony |
3. Purposes and legal bases
| Purpose | Legal basis (GDPR art. 6) | Retention |
|---|---|---|
| Customer account management and sales execution | Contract (art. 6.1.b) | 10 years after last order |
| Identity verification (KYC/AML) | Legal obligation (art. 6.1.c) — Law of 12/11/2004 | 5 years after end of relationship |
| Invoicing and accounting | Legal obligation (art. 6.1.c) — VAT Law of 19/12/2020 | 10 years |
| Marketing and newsletters | Consent (art. 6.1.a) | Until unsubscription |
| Service security, fraud prevention | Legitimate interest (art. 6.1.f) | 12 months (logs) |
4. Recipients
Your data is never sold. It may be disclosed to:
- our subcontractors (hosting Hostinger, email providers, accountants, financial bodies in case of financing) — bound by contract (GDPR art. 28);
- the Registration Duties, Estates and VAT Authority (AED) and the Financial Intelligence Unit (CRF) in case of legal obligation;
- judicial authorities upon requisition.
No data is transferred outside the EU/EEA.
5. Security
- mandatory HTTPS connection (TLS 1.3);
- passwords hashed with Argon2id;
- KYC documents encrypted AES-256-GCM at rest, outside webroot;
- daily encrypted backups;
- logging of access to sensitive data (audit log).
6. Your rights
You may exercise the following rights at any time (GDPR art. 15 to 22):
- right of access: obtain a copy of your data;
- right to rectification: correct inaccurate data;
- right to erasure ("right to be forgotten"), except for legal retention obligations;
- right to restriction of processing;
- right to data portability;
- right to object, in particular to profiling and marketing;
- right to withdraw consent at any time.
To exercise these rights: contact@carmonygmbh.com. We will respond within one month.
In case of unresolved dispute, you may lodge a complaint with the National Commission for Data Protection (CNPD), 15 Boulevard du Jazz, L-4370 Belvaux — cnpd.public.lu.
7. Cookies
Carmony only uses strictly necessary cookies for the site to function (session, CSRF security, language preference). No profiling or advertising cookies are placed without your explicit consent via the dedicated banner.
8. Changes
This policy may change. Substantial changes will be notified to you by email or banner upon your next connection.
For any question: Carmony DPO — contact@carmonygmbh.com.