Data Privacy Notice
Choosing Luko means trusting us in case of any problems, but also in the use of your personal data. To maintain your trust, we believe it is essential to help you understand our privacy practices.
Last updated on 20/01/2022.
Why do we have a privacy notice?
At Luko and Coya AG (Coya AG also called Luko Insurance) (Luko), we attach the utmost importance to the security and confidentiality of the personal data of the users of Luko's services, both on our website and on the mobile application made available to you.
The purpose of this privacy notice is to help you understand how we treat the personal data you provide us, in accordance with all applicable laws and regulations.
This privacy notice may be updated regularly, according to the needs and functioning of Luko, if required by other circumstances or law.
Our main principles
Above all, we have set ourselves four key principles which are also included in our contracts:
- Luko will never sell the personal data collected about its customers and prospects within the framework of the services offered. We make our living by building and managing insurance products and services around the protection of your home, not by reselling our users' data. You remain in control of your data;
- Luko will never use your household protection data to apply discriminatory tariffs. We strongly believe in the strength of solidarity and the mutualisation of risks between insured persons;
- In accordance with applicable regulations on data protection, we undertake to collect and process only the data that is necessary with regard to their purpose. Likewise, we undertake to ensure that the data collected is kept in a form that allows your identification only for as long as required for the purposes for which the data has been collected and processed;
- Finally, we undertake not to disclose this personal data to other persons not entitled to access it.
Who is responsible for the processing of your personal data?
Luko Cover SAS is the Data Controller for all Processing described in this Privacy notice, unless this Privacy Notice mentions a different Data Controller for specific processing activities.
Luko Insurance (under its official name Coya AG) is the Data Controller for the following:
- underwriting insurance contracts;
- collecting and receiving premiums from clients under these insurance contracts, adjusting claims and making payments to those clients; and
- servicing the client relationship, including billing, claims & complaints handling.
Luko Insurance has entered into an Agreement with Luko Cover SAS and authorized Luko to act as its agent. For the purposes of this Privacy Notice it means that Luko Cover SAS is the Data Processor for this Processing.
What are we talking about, when we say …?
"Personal data" means any information relating to an identified or identifiable natural person (hereinafter referred to as "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by assignment to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or to one or more special features that express the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.
"Processing" means any operation or series of operations carried out with or without the aid of automated procedures in connection with personal data. The term is broad and covers practically every handling of data.
"Pseudonymisation" means the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that this additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.
"Profiling" means any automated processing of personal data consisting in the use of such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects relating to the work performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or relocation of that natural person.
“Data Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
“Data Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.
What do I have to do to invoke my rights?
- In accordance with art. 15 of the GDPR, you have the right to request confirmation as to whether the data concerned is being processed and to request information about these data as well as further information and a copy of the data;
- In accordance with art. 16 of the GDPR, you have the right to request the completion of data or the rectification of inaccurate data concerning you;
- In accordance with art. 17 and 18 of the GDPR, you have the right to demand that relevant data be erased immediately or alternatively demand a restriction on the processing of the data;
- In accordance with art. 20 of the GDPR, you have the right to request the reception of the data which you have provided us with and concerning you as well as its transmission to other data controllers.
- You have the right to withdraw consents granted pursuant to art. 7 para. 3 of the GDPR with future effect. You can object to the future processing of the data concerning you in accordance with art. 21 of the GDPR at any time. The objection may be lodged in particular against processing for direct marketing purposes.
If you have any questions regarding security and personal data, or to enable you to exercise your rights described above, you can contact us and our Data Protection Officer (DPO) at dpo@getluko.com.
If the request is related to an activity carried out where Luko Insurance is the Data Controller, you can also contact the DPO at datenschutz@coya.com.
For any complaint concerning your personal data, where Luko is the Data Controller, you can either contact the DPO at dpo@getluko.com or contact the Commission Nationale Informatique et Liberté (CNIL) directly at https://www.cnil.fr.
For any complaint concerning your personal data, where Luko Insurance AG (the official name still being Coya AG) is the Data Controller, you can either contact our DPO at the address mentioned above, at this address datenschutz@coya.com, or contact the Berliner Beauftragte für den Datenschutz und die Informationsfreiheit.
What personal data do we process and why?
For the management of insurance contracts
When we perform services in connection with entering into and administratively managing an insurance contract that you have with an insurance company, we collect the following personal data for each insured person or beneficiary of the cover. Note that the Data Controller in this instance is the insurance company, including Luko Insurance:
- First Name and Last Name
- E-mail address
- Phone number
- Date of birth
- Gender
- Address of the insured accommodation (only in the context of MRH and PNO contracts)
- Type of accommodation (only in the context of MRH and PNO contracts)
- Occupancy status of the accommodation (only in the context of MRH and PNO contracts)
- Bank information related to the payment
On what legal basis? For what purposes?
- Setting up of insurance operations (Art. 6 (1) (b) of the GDPR)
- Management and implementation of insurance operations
- Insurance intermediation and advice
- Customer account management on the Luko platform
- Compliance with our legal obligations (Art. 6 (1) (c) of the GDPR)
- Fight against money laundering and terrorist financing
- Fight against insurance fraud
- Protection of personal data
- Legitimate interest of Luko (Art. 6 (1) (f) of the GDPR)
- Commercial management and content marketing
- Measuring the quality of our service and customer satisfaction
- Where required, we might ask you for your consent (Art. 6 (1) (a) of the GDPR)
How can I view or change my data?
You can view or change your data at any time directly from your Luko personal account or via the Luko application (Profile>My information). In some cases, an intervention of our customer service is requested (e.g. for certain retroactive changes).
For the operation of the contract with the insurers we are working with
Personal Data of persons insured under an insurance contract or other beneficiaries, as the case may be, are transmitted to us directly by these insured persons or on their behalf with their explicit consent (e.g. to automate the retrieval of receipts from their space or from a third party site), in particular:
- First name and last name
- Personal e-mail address
- Postal address
- Bank details (for payments and reimbursements)
- Documents required for the reimbursement of claims
- Messages and attachments exchanged with our customer service department
On what legal basis? For what purposes?
- Setting up of insurance operations (Art. 6 (1) (b) of the GDPR)
- Management and implementation of insurance operations (reimbursing expenses according to contract guarantees, claims and litigation management)
- Insurance intermediation and advice
- Customer account management
- Compliance with our legal, regulatory and administrative obligations (Art. 6 (1) (c) of the GDPR)
- Fight against money laundering and terrorist financing (it's very intimidating, but it's part of our legal obligations)
- Fight against insurance fraud (in particular the analysis and detection of acts presenting an anomaly or the management of alerts and procedures following a case of fraud)
- Adequately securing personal data
- Legitimate interest of Luko (Art. 6 (1) (f) of the GDPR)
- Development of statistics and actuarial studies
- Commercial management and marketing of content
- Measuring the quality of our service and customer satisfaction
For advice via our Docteur House videoconsultation service
If you use this service, after a consultation by an insured person, the following information is sent to us:
- First name and Last name
- Number of rooms
- Address
- Date and duration of the videoconference
- Conclusion on housing
On what legal basis? How do we use it?
- Legitimate interest of Luko (Art. 6 (1) (f) of the GDPR).
- Improvement of the quality of our telemedicine service Doctor House.
- Customer consent (Art. 6 (1) (a) of the GDPR).
How long do we keep this data?
2 years.
For the management and execution of the assistance contract (with Opteven, your assistant)
If you use that service, Personal Data is transmitted to us directly by the person having an insurance with one of the insurance companies we cooperate with:
- First name and last name
- Personal e-mail address
- Social security number
- Bank details (for refunds)
- Messages and attachments exchanged with our customer service department
On what legal basis? How do we use it?
- Setting up of insurance operations (Art. 6 (1) (b) of the GDPR)
- Management and setting up of insurance operations (reimbursing expenses according to the guarantees of the contract)
- Client account management (communication with the contract holder, access to the account to manage the contract)
- Compliance with our legal, regulatory and administrative obligations (Art. 6 (1) (c) of the GDPR)
- Fight against money laundering and terrorist financing (it's very intimidating, but it's part of our legal obligations)
- Fight against insurance fraud (in particular the analysis and detection of acts presenting an anomaly or the management of alerts and procedures following a case of fraud)
- Protection of personal data
- Legitimate interest of Luko (Art. 6 (1) (f) of the GDPR)
- Development of statistics and actuarial studies
How long do we keep this data?
The personal data necessary for the execution and management of the insurance contract is kept for the duration of the contract. Also, we retain our customers' personal data following termination of the contract for a maximum period of 5 years (the duration of the statutory limitation period under ordinary law) or 10 years if civil liability is involved, on the basis of our legal and contractual obligations.
What happens to my personal data at the end of their storage period?
Today, when the retention period of your data - defined according to the purpose for which the data was collected - has expired, we will delete your data.
Measuring the satisfaction of our members
Because it is important for us to build a tailor-made service for you, we measure your satisfaction over time through a rating system that you can choose to enter in the application. From this scoring system, we calculate a "Net Promoter Score" or "NPS".
On what legal basis? How do we use it?
- Legitimate interest of Luko (Art. 6 (1) (f) of the GDPR)
It is in Luko's legitimate interest to improve its services according to the satisfaction of its members. In concrete terms, this allows us to identify factors of dissatisfaction that could allow us to improve our services or, conversely, things that need to be reinforced because they are highly appreciated.
For audience measurement (analytics) and the smooth running of our platform
Audience tracking is carried out on our site by the company Clickon (Admo.tv). The purpose of this tracking, via the installation of cookies, is to produce anonymous statistics on the use of our services and does not allow a user to be tracked on other sites or advertising platforms. The IP address of users is processed for reasons of security and data integrity. This IP address is stored for a minimum period of time and is never used to personally identify users. If you have enabled this Cookie, you can opt out of this processing through the Cookie settings on our website or by clicking on the following link: https://admo.tv/optout.
Some data is collected automatically when you visit luko.eu (including other sites published by Luko such as blog.luko.eu and map.luko.eu) and when you use our mobile application. The data collected includes:
- IP address and access provider
- Technical login
- Information about your equipment (e.g. type of Internet connection, type of device used, browser used and its version, etc.).
- Time-stamp and visit duration information
- Visited pages
- Clicks and other interactions on the different pages
- Possible errors (on the browser, the mobile application or our servers)
On what legal basis? How do we use it?
- Customer consent (Art. 6 (1) (a) of the GDPR)
Where applicable, the collection is subject to the explicit consent of the user (cookie banner). This consent is valid for 6 months from the date of registration.
- Commercial management and content marketing
- Identification of customers or prospects to improve the service by offering products or services to reduce claims or to offer a contract or additional service.
- Customer knowledge and customer relationship management
- Customer Satisfaction Management
- Compliance with our legal, regulatory and administrative obligations (Art. 6 (1) (c) of the GDPR)
- Fight against money laundering and terrorist financing (it's very intimidating, but it's part of our legal obligations)
- Fight against insurance fraud (in particular the analysis and detection of acts presenting an anomaly or the management of alerts and procedures following a case of fraud)
How long do we keep this data?
2 years maximum.
For Luko Protection Technologies
Luko offers an advanced home protection service using proprietary protection technologies. These are based on and measure data, which is then processed to provide you with the best service. This data can be:
- Data relating to your identity: your account details for the use of the Luko application, the address of the household to be protected (already under contract) and complete information for the delivery of the technologies.
- Data relating to measurements in your household: the open status of your door (open, closed, locked, moving), your electricity consumption, the number and type of appliances in the household
- Technical data, to ensure the configuration and security of the protection products and services: activation date of the Products, battery level, serial number of the Products, debugging information and Wi-Fi network.
Your bank details are processed when you order Products and Protection Services on our website or on our application. They are only used for verification purposes and are not stored.
On what legal basis? How do we use it?
The processing register precisely defines the legal basis for the data processing undertaken by Luko.
- Contractual execution (Art. 6 (1) (b) of the GDPR)
- Supply of Home Protection Products and Services. The data collected is stored on your Luko account and is accessible on your application. They are indicated as raw data (hourly electricity consumption, door opening event) or as data that has been analysed or interpreted (electricity consumption over the month, week, intrusion alert in your home).
- Customer knowledge and customer relationship management
- Legitimate interest of Luko (Art. 6 (1) (f) of the GDPR)
- Commercial management and content marketing
- Identification of customers or prospects to improve the service by offering products or services to reduce claims or to offer a contract or additional service.
- Customer Satisfaction Management
- Communication with our Customer Service: When you contact our customer service department to resolve a problem you have reported, members of our team may need to process your personal data.
Improving our products and services: To improve the quality of our products and services and your user experience, we may process certain information to correct or change software settings. For each of these purposes, your consent to this policy, collected when you order home protection products, is required by law. In addition, your data may be anonymised, i.e. no longer identifiable to you or linked to your Luko account, and used as raw data by our Luko teams to establish studies and analyses in the field of home protection in order to advance scientific research.
When is this data collected?
- When you create a Luko account, you must provide us with some of your personal identity information. This account is the central element of our Home Protection Products and Services as it allows you to access and control your personal data.
- When you use our application, some of your Personal Data is stored in your Luko account. This is the case when you set up time alerts for movement on your door, share information, fill in a field on the application, install and synchronise your products, as well as when you activate certain optional features such as geolocation in your phone settings.
- When you use our Home Protection Products and Services, your Personal Data is collected to enable you to monitor your home as closely as possible. Depending on the purpose, each product requires the collection and processing of specific Personal Data. For example, Luko Elec collects your electricity consumption, whereas Luko Door only collects data related to the security of your door.
- When you choose to share Luko data with other applications, we exchange data with partners via API (Application Programming Interface). You can stop this connection at any time by logging in to your account and changing your sharing preferences.
- When you contact customer support, some of your personal data stored in your Luko account is accessible to our teams until the problem is solved.
Our protection technologies are entirely optional for all Luko policyholders, and can be removed at any time by the policyholders who installed them.
What do I have to do to use my connected devices sensibly?
Luko attaches great importance to privacy, and we assume that our products are guests in your home.
When you use a Luko product (or other connected device), you should bear in mind that you may be collecting information about other people. It is your responsibility to comply with all laws governing the use of connected devices, and to seek the consent of persons on whose behalf you may collect data.
How long do we keep the data?
The data of your protection technologies are kept for a maximum of 3 years by default.
The data of your account, created for the Luko insurance service, is kept for 2 years after the termination of your contract, 5 years for data not related to the insurance contract.
What protection do we apply to your personal data?
Data security is an extremely important issue for us and we do our utmost to be worthy of the trust you place in us. We take appropriate technical and organisational measures to ensure an appropriate level of protection against risks. This takes into account the state of the art, implementation costs and the nature, scope, circumstances and purposes of processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, in accordance with the applicable legal provisions.
Such measures shall in particular include ensuring the confidentiality, integrity and availability of data by controlling physical access to the data, as well as the access, input, transmission, security of availability and its separation. Furthermore, we have established procedures to ensure the exercise of rights of data subjects, deletion of data and reaction to endangerment of data. In addition, we already consider the protection of personal data during the development or selection of hardware, software and procedures, in accordance with the principle of data protection through technology design and data protection-friendly presettings.
This is only an overview of the measures we have taken. If you're not an IT enthusiast, it's possible that not everything speaks to you. To make it as short as possible, we won't go into detail, but we have put explanatory links according to the sections. If you have any questions on a specific point, we will be happy to answer them: write to us at dpo@luko.eu or respectively at datenschutz@coya.com.
To whom are your Personal Data disclosed?
We may disclose your Personal Data, to the extent permitted or required under applicable laws and regulations, to the following categories of recipients:
- Service providers, professional advisors and consultants that perform services for us in the context of the purposes described in this Privacy Notice, which may include services typically provided by an insurance agent or broker, data hosting, mailing and emailing services, and payments processing
- Entities of the Luko Group, with which we may share your personal data to carry out the purposes described in this Privacy Notice.
- Law enforcement, regulators and other parties for legal reasons, i.e. to (a) comply with our legal obligations, (b) respond to requests from public and government authorities, (c) enforce our agreements, (d) exercise or protect our rights, privacy, safety and that of our affiliates, you, or others.
In case that Personal Data is disclosed to other persons and companies, this transaction shall only take place on the basis of a legal permission or after concluding a data processing agreement with them, based on the respective roles in the process.
If we disclose, transfer or otherwise grant access to data to other companies in our group of companies, this is done in particular for administrative purposes as a legitimate interest and beyond that on a basis in accordance with legal requirements.
What about transmissions into third countries (non-EU/EEA)?
In the case that we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA) or Switzerland) or if this occurs in the use of third-party services or the disclosure or transfer of data to third parties, this shall only take place on the basis of special guarantees, such as the officially recognised determination of the data protection level corresponding to the EU or compliance with officially recognised special contractual obligations (Standard Contractual Clauses).
Erasure of Data
In accordance with Art. 17 and 18 GDPR, Personal Data processed by us will be deleted or its processing will be restricted. Unless explicitly stated in this Privacy Notice, the Personal Data stored by us will be deleted as soon as it is no longer required for its intended purpose and the deletion does not conflict with any statutory storage obligations. If data is not deleted for other necessities and legally permissible purposes, their processing is restricted. This means that data is blocked and not processed for other purposes and applies, for example, to data retained for commercial or tax reasons. Cookies will be deleted after 2 years at the latest.
Learn more about cookies
Get information on what cookies are used on luko.eu and manage your cookie consent from this page.