Skip to main content
Lumbox
FR

Privacy Policy

Last updated:

This Privacy Policy explains how Tatan Corp SAS, operator of Lumbox, collects, uses, and protects personal data when you visit lumbox.eu, create an account, or use the platform.

1. Controller

The data controller is Tatan Corp SAS, Paris, France. For privacy questions or to exercise your rights, contact privacy@lumbox.eu.

2. Data we process

We process different categories of data depending on how you use the service:

  • Account data: name, email address, language preferences, login identifiers, session logs, and access metadata.
  • Project data: project slug, deployment metadata, region class, image references, environment-variable keys, and operational logs.
  • Billing data: company name, billing email, billing address, VAT number, and Stripe identifiers.
  • Security and audit data: privileged actions, affected resources, timestamps, and logs needed for security and compliance.
  • Website analytics data: page URL, referrer, browser family, operating system, and country in aggregate form via Plausible Analytics.

3. Purposes and legal bases

  • Providing and operating the platform: performance of a contract (GDPR Article 6(1)(b)).
  • Managing billing, VAT, and accounting obligations: legal obligation and performance of a contract (Articles 6(1)(b) and 6(1)(c)).
  • Preventing abuse, securing accounts, and keeping audit logs: legitimate interests and compliance obligations (Articles 6(1)(f) and 6(1)(c)).
  • Measuring use of the public website: legitimate interests, using cookieless analytics (Article 6(1)(f)).

4. Data retention

  • User accounts: up to 30 days after a deletion request.
  • Project data: up to 90 days after project deletion; build logs retained for 30 days.
  • Billing data: 10 years where required by law.
  • Audit logs: up to 7 years for security and compliance purposes.
  • GDPR requests (export/deletion): 3 years as evidence of compliance.

5. Sub-processors and transfers

We use sub-processors for hosting, transactional email, billing, and website analytics. An up-to-date list is published at the sub-processor page . Most production infrastructure is hosted in the European Economic Area. Payment processing through Stripe may involve transfers to the United States, protected by Standard Contractual Clauses.

6. Cookies and analytics

The marketing site uses Plausible Analytics, a cookieless analytics tool. We do not use a consent gate for analytics cookies because this service does not set non-essential analytics cookies. We still display a privacy notice so visitors know analytics is active.

7. Security

We apply technical and organisational measures designed to limit access to data, protect accounts, and log sensitive actions. These include encryption in transit, role-based access controls, audit logs, and infrastructure security reviews.

8. Your rights

You can request access, rectification, erasure, restriction, objection, and portability of your data, subject to legal limits. Authenticated users can request a full data export or account deletion through the platform's dedicated endpoints. You can also contact privacy@lumbox.eu.

9. Contact and complaints

For any question, contact privacy@lumbox.eu. If you believe your rights have been infringed, you may also lodge a complaint with your local data protection authority.