1. Introduction
Netwanted S.à r.l.-S ("we", "us"), operating Komplync, is committed to protecting your personal data and complying with the General Data Protection Regulation (GDPR) — Regulation (EU) 2016/679.
Data Controller
Netwanted S.à r.l.-S
31 Route de Luxembourg, L-7240 Bereldange
RCS Luxembourg: B296689
2. Legal Framework
We comply with:
- GDPR (Regulation EU 2016/679)
- Luxembourg Data Protection Law (Loi du 1er août 2018)
- ePrivacy Directive (Directive 2002/58/EC)
- Luxembourg Act on Electronic Commerce (Loi du 14 août 2000)
3. Principles of Data Processing (Art. 5 GDPR)
Lawfulness & Transparency
Legal basis for all activities, clear information provided.
Purpose Limitation
Data collected for specific, explicit, and legitimate purposes only.
Data Minimisation
Only data necessary for the stated purpose is collected.
Accuracy
Reasonable steps to keep data accurate and up-to-date.
Storage Limitation
Data retained only as long as necessary with defined retention periods.
Integrity & Confidentiality
Appropriate technical and organizational security measures.
Accountability
Records of processing activities and DPIAs where required.
4. Legal Basis for Processing (Art. 6 GDPR)
Contract Performance (Art. 6(1)(b))
To provide the Komplync Service: account information, subscription data, generated content, usage data. Without this, we cannot provide the Service.
Legitimate Interest (Art. 6(1)(f))
To improve the Service and prevent fraud: anonymized analytics, error logs, security logs. Safeguards: data minimization, anonymization, opt-out options available.
Consent (Art. 6(1)(a))
Marketing communications and optional analytics: email newsletters, analytics cookies (Google Analytics). You may withdraw consent at any time — this does not affect prior lawful processing.
Legal Obligation (Art. 6(1)(c))
To comply with legal requirements: billing and invoicing data (10-year retention for Luxembourg tax law), data required by court orders or regulatory authorities.
5. Data Protection Rights (Chapter III GDPR)
All requests should be sent to contact@netwanted.com. We respond within 30 days (extendable to 60 days for complex requests).
Right of Access
Obtain a copy of your personal data and information about how it is processed.
Right to Rectification
Correct inaccurate or incomplete data. Self-service via Account Settings.
Right to Erasure
Request deletion of your data (exceptions for legal obligations apply). Account deleted within 30 days.
Right to Restriction
Limit processing while we verify accuracy or resolve a complaint.
Right to Portability
Receive your data in JSON or CSV format; direct transfer to another provider on request.
Right to Object
Object to legitimate interest processing (you must show grounds). Absolute right to object to direct marketing.
Right to Withdraw Consent
Withdraw consent at any time via account settings or unsubscribe link. Prior processing remains lawful.
No Automated Decision-Making
We do not make automated decisions with legal or significant effects. AI content is always reviewed by you.
6. Data Processing Activities (Art. 30 Register)
| Activity | Purpose | Legal Basis | Retention |
|---|---|---|---|
| Account Management | Provide Service | Contract | Duration + 30 days |
| Content Generation | AI-powered content | Contract | Duration + 90 days |
| Compliance Checking | Regulatory compliance | Contract | Duration + 90 days |
| Billing | Payment processing | Contract | 10 years (tax law) |
| Marketing | Newsletters, updates | Consent | Until withdrawal + 30 days |
| Analytics | Usage statistics | Legitimate Interest | 13 months |
| Support | Customer assistance | Legitimate Interest | 2 years |
| Security | Fraud prevention | Legitimate Interest | 90 days |
7. International Data Transfers (Art. 44-50 GDPR)
We use the European Commission's Standard Contractual Clauses (SCCs, 2021 version) for all transfers outside the EEA, supplemented by encryption, pseudonymization, DPAs, and Transfer Impact Assessments.
| Recipient | Location | Safeguards | Purpose |
|---|---|---|---|
| Anthropic PBC | USA | SCCs (2021) | AI content generation |
| Stripe Inc. | USA | SCCs + Adequacy (via Ireland) | Payment processing |
| Resend Inc. | USA | SCCs (2021) | Transactional emails |
Note on Anthropic: AI processing occurs in the USA, but data is deleted immediately after processing. Your content is NOT used to train AI models. SCCs and a DPA are in place.
8. Data Security Measures (Art. 32 GDPR)
Technical Measures
- AES-256 encryption at rest; TLS 1.3 in transit
- bcrypt password hashing; 2FA available
- Role-based access control (RBAC) with least-privilege principle
- Daily encrypted backups with 30-day rolling retention
- Intrusion detection and automated vulnerability scanning
Breach Response (Art. 33-34 GDPR)
- Detection → Assessment → Containment → Notification → Documentation → Remediation
- CNPD notified within 72 hours of discovery (if breach affects rights)
- Affected individuals notified without undue delay for high-risk breaches
9. Privacy by Design and Default (Art. 25 GDPR)
Privacy by Design: Passwords hashed (never stored in plain text), IP addresses anonymized after 30 days, analytics cookies disabled by default, minimal data collection.
Privacy by Default: Marketing emails opt-in only (not pre-checked), analytics cookies disabled (requires explicit consent), profile visibility private, data sharing minimal.
12. Contact & Complaints
To exercise your GDPR rights, email contact@netwanted.com with subject "GDPR [Right Name] Request" (e.g., "GDPR Access Request"). Include your full name, account email, description of request, and proof of identity if required.
File a Complaint with CNPD
If you believe we have violated your GDPR rights, you can file a complaint with the Commission Nationale pour la Protection des Données.
15, Boulevard du Jazz, L-4370 Belvaux, Luxembourg
Tel: +352 26 10 60 1 · info@cnpd.lu