Privacy Policy
Effective date: May 7, 2026
Last updated: May 7, 2026
This Privacy Policy describes how Kylian GALLOT (sole trader, SIREN 919 325 530), as data controller, collects, uses and protects the personal data of users of the Lumero website and application (hereinafter "Lumero"), in accordance with Regulation (EU) 2016/679 ("GDPR") and French Law No. 78-17 of 6 January 1978 as amended.
1. Data Controller
- Controller: Kylian GALLOT — Sole trader
- Address: 39 Rue du Chater, 69530 Orliénas, France
- Email: [email protected]
- Phone: +33 6 13 24 15 19
Lumero has not appointed a Data Protection Officer (DPO), as this is not required given the nature of the activity.
2. Data we collect
Lumero only collects data strictly necessary for the purposes described below.
2.1 Data you provide directly
When submitting a contact request, a quote, or the website creation questionnaire:
- Company name, contact name, email, phone
- Field of activity, website goals, style preferences, inspiration
- Logo (uploaded image), primary colour, desired features
- Existing online presence (current website, Google Business, Instagram, Facebook, LinkedIn)
- Free-form message
When creating a client account (portal):
- Email, first name, last name, phone
- Password (stored as a bcrypt hash — never in plaintext)
- Avatar (profile picture, optional)
- Where applicable, two-factor authentication secret (TOTP)
When using the client portal:
- Support tickets: subject, content, attachments, priority, category
- Customisation requests: title, description, attachments
- Information about your project and subscription
2.2 Data generated by usage
- Activity logs (audit trail): actions taken in the interface, timestamps
- Technical data: IP address, user-agent, login dates (for security purposes)
- Authentication session cookie (NextAuth, JWT, 30-day duration)
- Theme preference cookie (light / dark)
2.3 Data we do not collect
Lumero does not collect:
- Precise location data
- Health data
- Payment card data: online payments are processed by our provider Stripe, which is PCI-DSS certified. No card details ever pass through or are stored on Lumero's servers; Lumero only keeps a transaction identifier and the payment status.
- Data relating to minors (the service is not intended for persons under 18)
No data is used for targeted advertising or automated profiling, and no data is sold to data brokers.
3. Purposes and legal bases
| Purpose | Legal basis (GDPR) |
|---|---|
| Responding to contact, quote and questionnaire requests | Pre-contractual measures (art. 6.1.b) |
| Creating and managing the client account | Performance of the contract (art. 6.1.b) |
| Delivery of the Lumero service (creation, hosting and maintenance of the client website) | Performance of the contract (art. 6.1.b) |
| Support and customisation request management | Performance of the contract (art. 6.1.b) |
| Sending transactional emails (confirmation, invitation, password reset, notifications) | Performance of the contract (art. 6.1.b) |
| Platform security, abuse prevention, audit logs | Legitimate interest (art. 6.1.f) |
| Compliance with legal obligations (invoicing, accounting, legal requests) | Legal obligation (art. 6.1.c) |
No automated marketing communications are sent without prior consent.
4. Recipients and processors
Your data is only accessible to authorised personnel at Lumero (the publisher and, where applicable, his team members). It may be processed by the following sub-processors, acting on documented instructions and providing appropriate safeguards:
| Sub-processor | Role | Data concerned | Location |
|---|---|---|---|
| Brevo (Sendinblue SAS) | Sending transactional emails | Recipient email, email content, possible attachments | European Union (France) |
| Stripe (Stripe Payments Europe Ltd) | Online payment processing and invoicing | Name, email, amount, transaction identifier; card details are collected and stored directly by Stripe, never by Lumero | Ireland (EU) / United States — Standard Contractual Clauses |
| GitHub (GitHub Inc., Microsoft subsidiary) | Hosting code repositories of client websites | Project name, slug, generated site content (no visitor personal data) | United States — Standard Contractual Clauses |
| Vercel (Vercel Inc.) | Deployment and preview of client websites | Project IDs, deployment URLs, technical metadata | United States — Standard Contractual Clauses |
| Lumero platform host | Hosting the database and uploaded files | All platform data | European Union — [TO BE COMPLETED once the host is selected] |
None of these sub-processors are authorised to use your data for their own purposes.
5. Transfers outside the EU
The main hosting of the Lumero platform takes place within the European Union. Some sub-processors (Stripe, GitHub, Vercel) may process data in the United States. These transfers are governed by the Standard Contractual Clauses adopted by the European Commission and, where applicable, by these providers' adherence to the EU-US Data Privacy Framework.
6. Retention periods
| Data | Period |
|---|---|
| Prospects (no contract signed) | 3 years from last contact |
| Active client accounts | For the duration of the contract |
| Client data after termination | 5 years (accounting and limitation obligations) |
| Invoices and accounting records | 10 years (French Commercial Code) |
| Activity logs and technical logs | 12 months maximum |
| Session cookies | 30 days |
| Tokens (reset, verification, invitations) | From 15 minutes to 30 days depending on type, deleted after use |
After these periods, data is deleted or anonymised.
7. Security
Lumero implements appropriate technical and organisational measures:
- TLS encryption for all communications
- Password hashing (bcrypt)
- Optional two-factor authentication (TOTP)
- Time-limited sessions (signed JWTs)
- Role-based access control (admin / client)
- Audit logs of sensitive actions
- Regular backups
- Validation and restriction of file uploads (types and size)
8. Cookies
Lumero uses a minimal number of cookies, all strictly necessary for the operation of the service:
| Cookie | Purpose | Duration |
|---|---|---|
| next-auth.session-token | Maintaining your authenticated session | 30 days |
| next-auth.callback-url, next-auth.csrf-token | Authentication security | Session |
| theme | Storing your theme preference (light/dark) | 1 year |
No advertising, analytics or third-party audience-measurement cookies are placed. Prior consent is therefore not required for these "strictly necessary" cookies.
9. Your rights
In accordance with articles 15 to 22 of the GDPR and the French Data Protection Act, you have the following rights at any time:
- Right of access: obtain a copy of your data
- Right to rectification: correct inaccurate or incomplete data
- Right to erasure ("right to be forgotten")
- Right to restriction of processing
- Right to object to processing based on legitimate interest
- Right to data portability: receive your data in a structured format
- Right to withdraw your consent at any time, where processing is based on it
- Right to define directives regarding the fate of your data after your death
To exercise these rights, contact us at [email protected], specifying the subject of your request. We will respond within a maximum of one month. Where there is reasonable doubt as to your identity, proof of identity may be requested before the request is processed.
You also have the right to lodge a complaint with the French Data Protection Authority (CNIL): www.cnil.fr — 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07.
10. Minors
Lumero is a service intended for professionals (companies, freelancers). It is not intended for persons under 18 and does not knowingly collect data relating to them. If you believe a minor has provided us with their data, please contact us so we can delete it.
11. Changes
This policy may be amended to reflect legal, technical or functional changes. The last update date appears at the top of the document. In the event of substantial changes, users with an account will be informed by email.
12. Contact
For any question regarding the protection of your data:
- Email: [email protected]
- Postal address: Kylian GALLOT — 39 Rue du Chater, 69530 Orliénas, France