Luko logo

Data privacy policy

Last updated on 01/08/2023

Luko deeply care about your personal data and your privacy. As a broker and an insurer, Luko may collect and process different type of personal data for which a good level of compliance and security is applied.

  • We don’t sell your personal data : Luko is independant and don’t share your personal data to any third party without your consent. Also, Luko is vigilant to apply the minimization principle and collect only the strict necessary.
  • We provide a high level of security : Luko is highly involved in implementing strong technical and organizational measures in order to provide a high level of security for its customer.
  • We care about your privacy : During the creation of new product and features, Luko’s pay attention to implement Privacy-by-design and integrate GDPR principles from the beginning.

What is the GDPR and the key notion ?

  • Personal data : any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly.
    Eg : name, phone number, age, email address, IP address, job title…
  • Data processing : any operation or set of operations which is performed on personal data or on sets of personal data.
    Eg : collection, storage, modification, extraction, erasure…
  • Data Controller : the entity who determines the means and the purposes of the processing.
    Eg : Luko decides to collect your payment method for invoicing.
  • Data Processor or sub-processor : the entity that act on the behalf of the Data Controller.
    Eg : AWS is the entity that store the personal data.

Who is the point of contact (Data Protection Officer) ?

The Data Protection Officer (DPO) is the internal point of contact for any issue related to the GDPR. He will be able to answer any question, to request the exercice of your rights.

You can reach out directly to him :

  • By email at the address: dpo@luko.eu.

  • By postal mail: Luko - 91 rue du Faubourg Saint Honoré 75008 PARIS

Who is the data Controller ?

The Data Controller is “Luko” who determines the purposes and the means of the data processing. Due to its insurance activity and depending on the product, Luko has several entity :

  • Luko Insurance AG :
    c/o WeWork
    Neue Schönhauser Str. 3-5
    10178 Berlin, Allemagne
    Amtsgericht Charlottenburg (Berlin): HRB 188013 B
    Soumis à la BaFin, Dreizehnmorgenweg 13-15, 53175 Bonn, Allemagne
  • Allianz Direct Versicherungs-AG/Succursale France :
    Allianz Direct Versicherungs-AG/Succursale France is a Société de droit étranger with a capital of €819,200, registered with the trade and companies register of Bobigny under number 953 811 338. Operating under the brand Luko, Allianz Direct Versicherungs-AG/Succursale France is an insurance distributor.

What data are collected and processed ?

  • Identification data : Name, Surname, gender, Date and place of birth
  • Contact details : phone number, email address
  • Professional data : socio-professional category
  • Housing data : postal address, flat surface, type of housing, status of occupation
  • Payment data : encrypted credit card number, IBAN
  • Claim data : contract, pictures and video, the content the claim and any data needed to analyse the claim
  • Internet data : logs, IP address, Geolocation points
  • Health data related to your Mortgage : height, weight, total or partial work stoppage, total or partial work stoppage for the last 10 years, holder of a pension, annuity or allowance for incapacity for work, covered at 100% for medical reasons by a social security organization, under medical treatment of more than 21 days in the 5 last years, hospitalization in the last 10 years, condition or disease requiring medical supervision in the last 10 years, accident resulting in after-effects, a disorder of the spine or any other musculoskeletal disorder in the last 10 years, a neuropsychic affection or any other psychic and psychiatric affection in the last 10 years, positive result to test on hepatitis B and C viruses or on the human immunodeficiency virus (HIV),
  • Loan data : Bank providing the loan, type of loan, total amount, rate, first deadline, co-borrower
  • Lifestyle informations : smoker or not, practice of extreme sport, work position, high risk work, recent travel to a high risk country, politically exposed

In order to provide its insurance services Luko may process data to put at your disposal different product and services. According to the GDPR, each processing relies on one of these 4 legal basis :

  • Consent : Under the GDPR, consent means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
    Ex : If you would like to subscribe to Luko’s newsletter.
  • Performance of a contract and pre-contractual obligations : Luko may process your data in order to provide its insurance services and products, as well as to comply with pre-contractual obligations such as providing a quote adapted to your needs for your housing insurance.
    Ex : When you are requesting a quote, Luko will send it to you via email.
  • Legal or regulatory obligations : Luko may process your personal data to comply with its legal or regulatory obligations, such as combatting money laundering, terrorist financing, and insurance fraud.
    Ex : As a broker and insurer, Luko has the duty to fight against terrorism and verify your identity.
  • Legitimate interest of Luko while preserving your right to privacy : In order to offer you a high level of service and quality, Luko may process personal data while preserving your fundamental rights, such as you right to privacy.
    Ex : Luko can keep the personal data you provided, if you would like to finish your quote another time.

General to all Luko’s insurance product (PNO, MRH, MRI, NVEI, Mortgage)

  • Providing a quote adapted to your needs for your housing insurance

  • Management of your insurance contract

  • Phone call to finalize your quote

  • Management of your claim

  • Send you tips and offer about Luko’s product, improve the quality of services

  • Management of the unpaid invoices

  • For the management and execution of the assistance contract (with Opteven, your assistant)

  • Fight against fraud :

  • Elaboration of statistics and actuarial studies :

You have subscribed to Mortgage

  • Providing a quote adapted to your needs for Mortgage

Interaction with Luko

  • Participating to marketing campaign and lottery

  • Creation of your personal account

  • Measuring the satisfaction of our members

  • For audience measurement (analytics) and the smooth running of our Platform

  • Handling request under GDPR and consumer code

How did we obtain your data ?

  • Directly : via our website and the MyLuko application.
  • Indirectly : through a partner or an aggregator.

Who are the recipient ?

Internal

The main recipient are internal recipient and the data are exchanged internally within the different Luko’s entity.

External

In the management of its activities Luko has outsourced some services :

  • Level 1 Customer support : for minor question and low risk issue, the request are processed by an external (Sitel)
  • Insurer : Wakam, Mila, SADA, MunichRe, Luko Insurance AG, MNCAP
  • For the treatment of your civil liability and bodily damage : Stelliant
  • Commissaire de Justice : in charge of the unpaid invoices

Principal service providers

  • Amazon Web Services : to store your data and provide access to the App.
  • Intercom : to process all your requests received by the Customer Support.
  • Stripe : to process the payment of your contract.
  • Braze and Mailjet : to send the essential communication related to your contract or any other kind of communication.

What is the retention period ?

Luko's Data Life Cycle for an Insured

1. Onboarding: Account creation and administration: processing and collection of data for the life of the account until it is closed.

2. Use of Services: data is collected and processed to ensure the performance of the Services and retained, at a minimum, for the duration of the use of the Services.

3. Off-boarding: Closing the Luko account: archiving in an intermediate database until the limitation period in terms of the fight against fraud and/or money laundering (5 years from the closing of the account) has expired.

4. Final data purge: Luko's internal purge mechanism for deletion from all databases. Archived data is only accessible by the legal, compliance and IT departments for the purpose of investigating fraudulent use of the Services.

How Luko preserve the security of your data ?

Technical measures

  • Pseudonymisation of your personal data in the database in order to prevent the potential damageful impact of a data breach
  • Robust password policy at the moment of the Luko’s account creation
  • Systematic encryption of data on the hosting servers at the time of data transit (between the application and the servers) and during storage
  • Implementation of a team dedicated to incident management, monitoring of security controls and ongoing verification of the effectiveness of security measures
  • User access to the Platform monitored and protected by a system for detecting and preventing brute-force attacks, access from multiple IP addresses and multiple access from a single IP address.

Organizational measures

  • Physical protection of the premises and control at the entrance
  • Logging and traceability of connections
  • Policy of management of the authorizations of each personnel who can have access to the data
  • Authentication procedures for people accessing data with personal and secure access via confidential identifiers and passwords.

What are your rights ?

You can request the exercise of your rights, at any time, by reaching out to the DPO. But first, in order to process well you request, you have to specify the scope of your request and justify your identity by providing a unique number like your contract number.

  • 1

    Right to access

    You can request at any time the access of your data and obtain them in a format easy to read.

  • 2

    Right to rectification

    You can request the modification of some of your personal data if your status evolve throughout time. For example, if you move out and your home address changes you can notify the people to take into account this modification.

  • 3

    Right to deletion

    You can request the deletion of your personal data in some circumstances, depending on the legal basis on which your data are being processed. As the majority of data are processed on the basis of the execution of your labour contract and/or legal and regulation obligations, Luko is under to archive and store these data for a longer period of time.

    You can request the deletion of your data through this webform.

  • 4

    Right to withdraw your consent

    You have the right to withdraw their consent to the processing of their personal data at any time. Luko may rely on consent as a legal basis for processing personal data in some cases. If you wish to withdraw your consent, you can contact the Data Protection Officer (DPO) at dpo@luko.eu to make a request.

  • 5

    Right to portability

    You can request you right to data portability, which allows you to obtain and reuse your personal data across different services. Please note that this right only applies to personal data that you have provided to Luko, and only in cases where Luko processes your personal data with your consent or as part of a contract.