Privacy at L4T
Luxembourg for Transparency acts as data controller for personal data processed in connection with its activities.
Effective Date
19 June 2026
Contact
1. Who We Are
Luxembourg for Transparency, abbreviated as "L4T" and referred to in this policy as "we", "us" or "our", is the data controller for the personal data it processes.
- Legal Form: Association sans but lucratif (ASBL)
- Full Legal Name: Luxembourg For Transparency
- RCS Number: F15280
- Registered Office: 6a, rue de Mamer, L-8185 Kopstal, Luxembourg
- Contact: compliance@l4t.lu
2. Personal Data We Collect
We process personal data that you provide directly to us, as well as limited technical data necessary to operate and protect the website.
- Identification Data: name, address, email address, phone number and date of birth, where such information is provided in connection with membership, events, volunteering, governance, donations or direct communications with us.
- Financial Data: payment information relating to donations or membership fees. Secure third-party processors are used, and L4T does not store full payment details.
- Communication Data: emails, messages and forms submitted to us.
- Participation Data: information connected with events, volunteering or governance roles.
- Contact Form Data: when you contact us through the website contact form, we process the information submitted through the form and the technical data needed to handle the submission securely. The current server-side contact form handler uses your name, email address, subject, message, acknowledgement of the Privacy Policy, submission time, IP address and browser/user-agent information. The form also contains optional company and phone fields; if completed, these values are submitted to the server as part of the form request, although the current email notification generated by the contact form does not include them.
- Technical and Security Data: IP address, browser/user-agent information, request metadata needed for same-origin checks, a signed form token used to validate the form submission, Google reCAPTCHA verification data, and temporary rate-limiting data used to protect the contact form from abuse.
3. Cookies and Similar Technologies
The website uses cookies and similar technologies only where they are needed for the operation, security or measurement of the website.
Cookie notice cookie
The website sets a first-party cookie named l4t_cookie_consent when a visitor accepts the cookie notice. This cookie is used only to remember that the notice has already been accepted, so that the banner does not reappear on each page or visit.
- Cookie name: l4t_cookie_consent
- Value stored: accepted
- Storage period: 365 days, unless deleted earlier through the browser settings
- Path: the whole website (/)
- Security attributes: SameSite=Lax; Secure is added when the website is accessed over HTTPS
Google reCAPTCHA
The contact form is protected by Google reCAPTCHA. For this purpose, the website obtains a reCAPTCHA token in the browser and the server sends that token, together with the visitor IP address where available, to Google for verification. Google may process technical information and may use cookies or similar technologies in accordance with Google's own privacy terms.
Google Analytics
Where Google Analytics is enabled on the website, analytics cookies or similar identifiers may be used to produce aggregated statistics about website usage, such as pages visited, approximate interaction data, device and browser information, and general usage patterns. The exact cookie names and retention periods depend on the Google Analytics configuration applied to the website.
4. Contact Form Security Processing
To protect the contact form, the website uses several security checks. These include a maximum request-size check, same-origin checks based on available origin or referrer information, a signed form token with an age check, a hidden anti-bot field, Google reCAPTCHA verification and rate limiting.
For rate limiting, the system creates a temporary server-side file linked to a hash generated from the visitor IP address and the website host. The file stores submission timestamps. The rate limit checks submissions within a 600-second window and allows up to five submissions within that window. Old timestamps are ignored when the file is next processed; temporary files may remain in the server's temporary storage until overwritten or removed by normal server cleanup.
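As an added illustration (not L4T's own code), the rate-limiting scheme described above can be sketched as follows, using the 600-second window and five-submission limit stated in this policy. The hash function (SHA-256), the JSON file format, the rl_ file naming and all function names are assumptions. The purge_expired step goes beyond what is described above and shows how stale files could be removed rather than left for server cleanup.

```python
import hashlib
import json
import os
import tempfile
import time

WINDOW_SECONDS = 600   # window stated in the policy
MAX_SUBMISSIONS = 5    # limit stated in the policy

def bucket_path(ip, host, directory):
    # Assumption: SHA-256 over "ip|host"; the policy does not name the hash.
    digest = hashlib.sha256(f"{ip}|{host}".encode()).hexdigest()
    return os.path.join(directory, f"rl_{digest}.json")

def load_stamps(path):
    """Read stored timestamps; a missing or corrupt file counts as empty."""
    try:
        with open(path, encoding="utf-8") as fh:
            data = json.load(fh)
    except (OSError, ValueError):
        return []
    return [t for t in data if isinstance(t, (int, float))] if isinstance(data, list) else []

def allow_submission(ip, host, directory, now=None):
    """Return True and record the submission if it is within the limit."""
    now = time.time() if now is None else now
    path = bucket_path(ip, host, directory)
    recent = [t for t in load_stamps(path) if now - t < WINDOW_SECONDS]
    allowed = len(recent) < MAX_SUBMISSIONS
    if allowed:
        recent.append(now)
    # Old timestamps are dropped on rewrite; os.replace keeps the update atomic.
    fd, tmp = tempfile.mkstemp(dir=directory)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(recent, fh)
    os.replace(tmp, path)
    return allowed

def purge_expired(directory, now=None):
    """Delete bucket files that hold no timestamp inside the window."""
    now = time.time() if now is None else now
    removed = 0
    for name in os.listdir(directory):
        if name.startswith("rl_") and name.endswith(".json"):
            path = os.path.join(directory, name)
            if not any(now - t < WINDOW_SECONDS for t in load_stamps(path)):
                os.remove(path)
                removed += 1
    return removed
```

Only the hash appears in the file name and only timestamps are stored in the file, so the IP address itself is not written to disk. This sketch does not lock the file between read and write, so concurrent requests from the same address could race.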
5. Why We Process Your Data
We process personal data only where a lawful basis under Article 6 of the GDPR applies. The main purposes are:
- Membership Management: registering members and administering participation.
- Legal and Accounting Compliance: managing donations, issuing tax receipts where applicable and maintaining legally required accounts.
- Communication: responding to inquiries.
- Newsletters: sending updates and invitations.
- Website Security: protecting the website and contact form from spam, automated abuse, malicious submissions and excessive repeated requests.
- Website Statistics: understanding website usage where analytics tools are enabled.
- Mission-Related Research: in specific anti-corruption research contexts, sensitive data may be processed where the substantial public interest basis under Article 9(2)(g) GDPR applies, subject to strict safeguards.
6. Whistleblowing & Confidentiality
In accordance with the Luxembourg Law of 16 May 2023, L4T applies strict protocols for whistleblowing data. Information identifying a source is stored separately and is accessible only to designated case handlers.
7. Data Sharing and International Transfers
Data Sharing
We do not sell or rent personal data. Data may be shared with service providers acting as processors under our instructions, or with Luxembourg public authorities where required by law.
International Transfers
Personal data is primarily stored within the EEA. Some essential services, such as Google Workspace and Google reCAPTCHA, may involve transfers to the United States. Such transfers are protected by the EU-US Data Privacy Framework adequacy decision or by European Commission-approved Standard Contractual Clauses, where applicable.
8. Data Retention
Personal data is retained only for as long as necessary:
- Membership Data: for the duration of membership plus three years to manage potential claims.
- Financial and Accounting Data: ten years, in line with Luxembourg tax and accounting requirements.
- Communication Data: up to three years from the last contact.
- Cookie Consent Record: the l4t_cookie_consent cookie is stored for up to 365 days, unless you delete it earlier through your browser settings.
- Contact Form Rate-Limiting Data: submission timestamps are checked within a 600-second window for rate-limiting purposes. Temporary rate-limiting files may remain in server temporary storage until overwritten or removed by normal server cleanup.
- Google Analytics Data: where Google Analytics is enabled, retention depends on the Google Analytics configuration applied to the website.
- Whistleblowing Data: unsubstantiated allegations are deleted immediately.
9. Your Rights
Under the GDPR, you have the right to access, rectify, erase, restrict the processing of, object to the processing of, and receive your personal data in a portable format.
10. Contact Us
You may contact us to exercise your rights or ask questions about this Privacy Policy at compliance@l4t.lu.
You also have the right to lodge a complaint with the Commission Nationale pour la Protection des Données (CNPD), 15 Boulevard du Jazz, L-4370 Belvaux, Luxembourg, or through cnpd.public.lu.
Correspondence may also be addressed to Luxembourg for Transparency ASBL, BPM 316030, Banzelt 4 A, L-6921 Roodt-sur-Syre, Luxembourg.