Privacy Policy — Level200 Consulting

This Privacy Policy explains how we collect, use, share and protect your personal data when you use our website, client and company portals, and consulting services. We process personal data in accordance with the General Data Protection Regulation (GDPR), the Luxembourg Law of 1 August 2018 on the protection of individuals with regard to the processing of personal data, and the guidance of the Commission nationale pour la protection des données (CNPD).

1Data controller

The data controller responsible for your personal data is:

Level200 Consulting
45 Avenue de la Gare, 4873 Lamadelaine, Luxembourg
VAT: LU31529961
Business permit (autorisation d'établissement): B237106
Email: [email protected] · Tel: +352661858933
Website: https://level200.lu

2Personal data we process

Identity & contact data — name, email address, phone, postal address, company affiliation.
Account & access data — login credentials (passwords are hashed, never stored in clear), role, language preference, two-factor authentication settings.
Service & case data — service requests, support tickets, messages and documents you upload.
Financial data — invoices, payments, and expense records related to the services.
Technical data — IP address, approximate (city-level) location derived from it, browser/device information and security/audit logs.

We do not seek to collect special categories of data (Article 9 GDPR). Please do not upload such data unless strictly necessary for your request.

3Purposes and legal bases (Article 6 GDPR)

Purpose	Legal basis
Providing our consulting services and managing your service requests/tickets	Performance of a contract — Art. 6(1)(b)
Creating and securing your account, authentication and access control	Performance of a contract / Legitimate interest — Art. 6(1)(b), (f)
Invoicing, accounting and meeting Luxembourg tax/commercial obligations	Legal obligation — Art. 6(1)(c)
Security, fraud prevention, audit logging and IT administration	Legitimate interest — Art. 6(1)(f)
Service-related communications	Performance of a contract / Legitimate interest — Art. 6(1)(b), (f)
Optional communications where applicable	Consent — Art. 6(1)(a)

4Where your data comes from

We obtain personal data directly from you (when you register, submit a request, or communicate with us), automatically through your use of the platform (technical and log data), and where relevant from a company that authorises you to act on its behalf.

5Recipients and processors

Your data is accessible only to authorised Level200 staff and is shared only as necessary with:

Approved external accountants, legal advisers or auditors, where required;
Infrastructure, email, payment and document-processing providers acting as processors under appropriate data-processing agreements (Article 28 GDPR);
Public authorities where we are legally required to do so.

6International transfers

We host and process data within the EU/EEA wherever possible. Where a processor involves a transfer outside the EEA, it is protected by an appropriate safeguard under Chapter V of the GDPR (such as European Commission Standard Contractual Clauses or an adequacy decision).

7Data retention

We keep personal data only for as long as necessary for the purposes above, then securely delete or archive it:

Category	Indicative retention
Accounting and invoicing records	10 years (Luxembourg commercial/tax law)
Service requests, tickets and uploaded documents	Duration of the relationship + limitation period for legal claims
Account data	Until the account is closed, then deleted or anonymised
Security and audit logs	Limited period necessary for security purposes

8How we protect your data

We apply technical and organisational measures appropriate to the risk (Article 32 GDPR), including HTTPS/TLS encryption in transit, encrypted storage of uploaded documents and receipts, hashed passwords, role-restricted administrative access, optional two-factor authentication, single active administrator sessions, brute-force rate limiting and HTTP security headers.

9Your rights

Subject to the conditions of the GDPR, you have the right to:

Access your personal data (Art. 15) and rectify inaccurate data (Art. 16);
Request erasure (Art. 17) and restriction of processing (Art. 18);
Data portability (Art. 20) and to object to processing (Art. 21);
Withdraw consent at any time, without affecting prior lawful processing.

To exercise your rights, contact us at [email protected]. We respond within one month. We may need to verify your identity before acting on a request.

10Cookies

We use cookies and similar technologies that are strictly necessary to operate the platform and keep you signed in securely. Where we use any non-essential cookies, we request your consent in accordance with the Luxembourg electronic-communications rules.

11Automated decision-making

We do not make decisions producing legal or similarly significant effects about you based solely on automated processing (Article 22 GDPR).

12Complaints — supervisory authority

If you believe your data-protection rights have been breached, you may lodge a complaint with the Luxembourg supervisory authority:

Commission nationale pour la protection des données (CNPD)
15, Boulevard du Jazz, L-4370 Belvaux, Luxembourg
Tel: (+352) 26 10 60-1 · cnpd.public.lu

We would, however, appreciate the chance to address your concerns first — please contact us at [email protected].

13Changes to this policy

We may update this Privacy Policy from time to time. The “last updated” date above indicates when it was last revised. Material changes will be communicated through the platform where appropriate.

← Back to Home