1. The short version
Prime.lu collects the minimum personal data needed to show you properties, run your account and communicate with you. We host in the EU, we don’t sell your data, and you can exercise your GDPR rights any time via our data request form.
2. Controller
The controller of your personal data is Prime.lu, operated in Luxembourg. Contact: privacy@prime.lu.
3. What we collect
Account data
- Email address and (optional) full name you give us at sign-up.
- If you sign in with Google: your Google account email, name, and avatar URL.
- Hashed password (never stored in plain text — handled by Supabase Auth).
Usage data
- Listings you save, alerts you create, valuations you request.
- Anonymous analytics (page views, referrer, locale, device class).
Payment data
- Card details are handled by our processor (Dodo Payments). We only store the payment reference, amount, currency and status — never card numbers or CVC.
Listing content
- Property descriptions, photos and floor plans that you publish on Prime.
4. Why we use it (lawful basis)
- Contract (Art. 6(1)(b) GDPR) — to run your account and fulfil orders.
- Legitimate interest (Art. 6(1)(f)) — fraud prevention, service analytics, security.
- Consent (Art. 6(1)(a)) — non-essential cookies and marketing emails.
- Legal obligation (Art. 6(1)(c)) — accounting, tax, AML.
5. Who we share with
- Supabase — authentication & database hosting (EU region).
- Dodo Payments — payment processing.
- Resend — transactional and alert emails.
- Mapbox — map tiles (we send only coordinates, never who asked).
- Anthropic — optional AI valuation explanations (prompt data only, no identifiers).
- Upstash — rate-limit cache.
We never sell your personal data. We don’t hand it to advertisers. If we ever need to add a new sub-processor that changes this, we’ll tell you before we do.
6. Where your data lives
Primary storage is in the European Union. A small number of our processors (e.g. Anthropic for AI features) may process data in other jurisdictions under standard contractual clauses and with appropriate safeguards.
7. How long we keep it
- Account data: for as long as your account is open, plus 30 days after deletion.
- Payment records: 10 years (Luxembourg accounting law).
- Listings: until you remove them; sold/archived copies anonymised after 24 months.
- Analytics: 14 months at most.
8. Your rights (RGPD)
You have the right to access, rectify, erase, restrict, port, and object to processing of your personal data, plus the right to withdraw consent for anything based on consent. Exercise any of these via the data request form or at privacy@prime.lu.
If you believe we’ve mishandled your data you can lodge a complaint with the Commission nationale pour la protection des données (CNPD) in Luxembourg — cnpd.public.lu.
9. Security
TLS in transit, encryption at rest for account data, role-based access, row-level security in the database, and audit logs on admin actions. We run regular backups and disaster- recovery drills.
10. Changes
We’ll update this page when processing changes. Material changes will be notified by email before they take effect.
Data request? Use the form, or write to privacy@prime.lu.