Data privacy policy

Last updated on 01/08/2023

Luko cares deeply about your personal data and your privacy. As a broker and an insurer, Luko may collect and process different types of personal data, to which a good level of compliance and security is applied.

  • We don’t sell your personal data : Luko is independent and doesn’t share your personal data with any third party without your consent. Luko is also vigilant in applying the minimization principle and collects only what is strictly necessary.
  • We provide a high level of security : Luko is highly involved in implementing strong technical and organizational measures in order to provide a high level of security for its customers.
  • We care about your privacy : During the creation of new products and features, Luko pays attention to implementing Privacy-by-design and integrating GDPR principles from the beginning.

What is the GDPR and what are its key notions ?

  • Personal data : any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly.
    Eg : name, phone number, age, email address, IP address, job title…
  • Data processing : any operation or set of operations which is performed on personal data or on sets of personal data.
    Eg : collection, storage, modification, extraction, erasure…
  • Data Controller : the entity who determines the means and the purposes of the processing.
    Eg : Luko decides to collect your payment method for invoicing.
  • Data Processor or sub-processor : the entity that acts on behalf of the Data Controller.
    Eg : AWS is the entity that stores the personal data.

Who is the point of contact (Data Protection Officer) ?

The Data Protection Officer (DPO) is the internal point of contact for any issue related to the GDPR. He can answer any question, and you can contact him to request the exercise of your rights.

You can reach out to him directly :

  • By email at the address: dpo@luko.eu.

  • By postal mail: Luko - 91 rue du Faubourg Saint Honoré 75008 PARIS

Who is the Data Controller ?

The Data Controller is “Luko”, which determines the purposes and the means of the data processing. Due to its insurance activity and depending on the product, Luko has several entities :

  • Luko Insurance AG :
    c/o WeWork
    Neue Schönhauser Str. 3-5
    10178 Berlin, Germany
    Amtsgericht Charlottenburg (Berlin): HRB 188013 B
    Subject to the BaFin, Dreizehnmorgenweg 13-15, 53175 Bonn, Germany
  • Allianz Direct Versicherungs-AG/Succursale France :
    Allianz Direct Versicherungs-AG/Succursale France is a foreign-law company (Société de droit étranger) with a capital of €819,200, registered with the trade and companies register of Bobigny under number 953 811 338. Operating under the brand Luko, Allianz Direct Versicherungs-AG/Succursale France is an insurance distributor.

What data are collected and processed ?

  • Identification data : Name, Surname, gender, Date and place of birth
  • Contact details : phone number, email address
  • Professional data : socio-professional category
  • Housing data : postal address, flat surface, type of housing, status of occupation
  • Payment data : encrypted credit card number, IBAN
  • Claim data : contract, pictures and video, the content of the claim and any data needed to analyse the claim
  • Internet data : logs, IP address, Geolocation points
  • Health data related to your Mortgage : height, weight, total or partial work stoppage, total or partial work stoppage for the last 10 years, holder of a pension, annuity or allowance for incapacity for work, covered at 100% for medical reasons by a social security organization, under medical treatment of more than 21 days in the last 5 years, hospitalization in the last 10 years, condition or disease requiring medical supervision in the last 10 years, accident resulting in after-effects, a disorder of the spine or any other musculoskeletal disorder in the last 10 years, a neuropsychic condition or any other psychic and psychiatric condition in the last 10 years, positive result on a test for hepatitis B and C viruses or for the human immunodeficiency virus (HIV)
  • Loan data : Bank providing the loan, type of loan, total amount, rate, first deadline, co-borrower
  • Lifestyle information : smoker or not, practice of extreme sports, work position, high-risk work, recent travel to a high-risk country, politically exposed

In order to provide its insurance services, Luko may process data to put different products and services at your disposal. According to the GDPR, each processing operation relies on one of these 4 legal bases :

  • Consent : Under the GDPR, consent means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
    Ex : If you would like to subscribe to Luko’s newsletter.
  • Performance of a contract and pre-contractual obligations : Luko may process your data in order to provide its insurance services and products, as well as to comply with pre-contractual obligations such as providing a quote adapted to your needs for your housing insurance.
    Ex : When you are requesting a quote, Luko will send it to you via email.
  • Legal or regulatory obligations : Luko may process your personal data to comply with its legal or regulatory obligations, such as combating money laundering, terrorist financing, and insurance fraud.
    Ex : As a broker and insurer, Luko has the duty to fight against terrorism and verify your identity.
  • Legitimate interest of Luko while preserving your right to privacy : In order to offer you a high level of service and quality, Luko may process personal data while preserving your fundamental rights, such as your right to privacy.
    Ex : Luko can keep the personal data you provided, if you would like to finish your quote another time.

General to all Luko’s insurance products (PNO, MRH, MRI, NVEI, Mortgage)

  • Providing a quote adapted to your needs for your housing insurance

  • Management of your insurance contract

  • Phone call to finalize your quote

  • Management of your claim

  • Sending you tips and offers about Luko’s products, improving the quality of services

  • Management of the unpaid invoices

  • For the management and execution of the assistance contract (with Opteven, your assistant)

  • Fight against fraud :

  • Elaboration of statistics and actuarial studies :

You have subscribed to Mortgage

  • Providing a quote adapted to your needs for Mortgage

Interaction with Luko

  • Participating in marketing campaigns and lotteries

  • Creation of your personal account

  • Measuring the satisfaction of our members

  • For audience measurement (analytics) and the smooth running of our Platform

  • Handling requests under the GDPR and the consumer code

How did we obtain your data ?

  • Directly : via our website and the MyLuko application.
  • Indirectly : through a partner or an aggregator.

Who are the recipients ?

Internal

The main recipients are internal, and the data are exchanged internally between Luko’s different entities.

External

In the management of its activities, Luko has outsourced some services :

  • Level 1 Customer support : for minor questions and low-risk issues, the requests are processed by an external provider (Sitel)
  • Insurer : Wakam, Mila, SADA, MunichRe, Luko Insurance AG, MNCAP
  • For the treatment of your civil liability and bodily damage : Stelliant
  • Commissaire de Justice : in charge of the unpaid invoices

Principal service providers

  • Amazon Web Services : to store your data and provide access to the App.
  • Intercom : to process all your requests received by the Customer Support.
  • Stripe : to process the payment of your contract.
  • Braze and Mailjet : to send the essential communications related to your contract or any other kind of communication.

What is the retention period ?

Luko's Data Life Cycle for an Insured

1. Onboarding: Account creation and administration: processing and collection of data for the life of the account until it is closed.

2. Use of Services: data is collected and processed to ensure the performance of the Services and retained, at a minimum, for the duration of the use of the Services.

3. Off-boarding: Closing the Luko account: archiving in an intermediate database until the limitation period in terms of the fight against fraud and/or money laundering (5 years from the closing of the account) has expired.

4. Final data purge: Luko's internal purge mechanism for deletion from all databases. Archived data is only accessible by the legal, compliance and IT departments for the purpose of investigating fraudulent use of the Services.

How does Luko preserve the security of your data ?

Technical measures

  • Pseudonymisation of your personal data in the database in order to prevent the potentially harmful impact of a data breach
  • Robust password policy at the time of Luko account creation
  • Systematic encryption of data on the hosting servers at the time of data transit (between the application and the servers) and during storage
  • Implementation of a team dedicated to incident management, monitoring of security controls and ongoing verification of the effectiveness of security measures
  • User access to the Platform monitored and protected by a system for detecting and preventing brute-force attacks, access from multiple IP addresses and multiple access from a single IP address.

Organizational measures

  • Physical protection of the premises and control at the entrance
  • Logging and traceability of connections
  • Policy for managing the authorizations of each staff member who can access the data
  • Authentication procedures for people accessing data with personal and secure access via confidential identifiers and passwords.

What are your rights ?

You can request the exercise of your rights, at any time, by reaching out to the DPO. But first, in order to process your request properly, you have to specify the scope of your request and prove your identity by providing a unique number such as your contract number.

  • 1

    Right to access

    You can request access to your data at any time and obtain them in an easy-to-read format.

  • 2

    Right to rectification

    You can request the modification of some of your personal data if your status evolves over time. For example, if you move out and your home address changes, you can notify the people so that this modification is taken into account.

  • 3

    Right to deletion

    You can request the deletion of your personal data in some circumstances, depending on the legal basis on which your data are being processed. As the majority of data are processed on the basis of the execution of your labour contract and/or legal and regulatory obligations, Luko is under an obligation to archive and store these data for a longer period of time.

    You can request the deletion of your data through this webform.

  • 4

    Right to withdraw your consent

    You have the right to withdraw your consent to the processing of your personal data at any time. Luko may rely on consent as a legal basis for processing personal data in some cases. If you wish to withdraw your consent, you can contact the Data Protection Officer (DPO) at dpo@luko.eu to make a request.

  • 5

    Right to portability

    You can request your right to data portability, which allows you to obtain and reuse your personal data across different services. Please note that this right only applies to personal data that you have provided to Luko, and only in cases where Luko processes your personal data with your consent or as part of a contract.