Privacy Policy
Last updated: 5 May 2026
Protecting your personal data is a high priority for us. This policy informs you, in accordance with the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and the German Telecommunications-Telemedia Data Protection Act (TDDDG), about which personal data we process, for what purpose, and what rights you have.
1. Controller
The controller within the meaning of Art. 4(7) GDPR is:
Valerian Huber (LUVEX, sole proprietorship under German law)
Dahlienweg 11
83109 Großkarolinenfeld
Germany
Email: info@luvex.tech
2. Data Protection Officer
We have not appointed a Data Protection Officer because the statutory requirements (Art. 37 GDPR in conjunction with § 38 BDSG) do not apply to us. For data-protection-related queries, please contact us directly at info@luvex.tech.
3. Hosting
This website is hosted by Hostinger International Limited, 61 Lordou Vironos Street, 6023 Larnaca, Cyprus. The servers used for operation are located in Frankfurt am Main, Germany. A data processing agreement pursuant to Art. 28 GDPR is in place with the hosting provider.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the technically secure and stable provision of this website).
4. Server Log Files
When you access our website, the web server automatically records:
- IP address (truncated / anonymised after a short period)
- date and time of the request
- requested URL and referrer
- HTTP status code and amount of data transferred
- browser type, operating system, and language
This data is processed exclusively to ensure trouble-free operation and to defend against attacks. It is deleted after no more than 14 days unless a specific security incident justifies longer retention. The data is not combined with other data sources.
Legal basis: Art. 6(1)(f) GDPR.
5. SSL/TLS Encryption
For security reasons and to protect the transmission of confidential content, this website uses SSL/TLS encryption. You can recognise an encrypted connection by the "https://" in the address bar of your browser and by the lock symbol.
6. Cookies
Cookies are small text files that your browser stores on your device. We use only strictly necessary cookies. Tracking, analytics, and marketing cookies are not used. No profiling takes place.
| Cookie | Purpose | Duration |
|---|---|---|
| luvex.session_token | Login session (Better Auth) | up to 30 days / logout |
| luvex.cookie-consent | Stores your cookie acknowledgement | 12 months |
Legal basis for strictly necessary cookies: § 25(2) No. 2 TDDDG in conjunction with Art. 6(1)(f) GDPR. Should the cookies used in future change (for example through reach measurement), we will obtain your express consent in advance.
7. Registration and User Account
Certain features (saving simulations, knowledge-hub contributions, partner dashboard) require registration. We collect:
- display name
- email address
- password (stored as a secure hash, never in plaintext)
- optional: avatar image and language/display preferences
Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
Retention: until you delete your user account.
8. Sign in with Google ("Google Sign-In")
Alternatively, you can sign in with a Google account. When you click "Sign in with Google", you will be redirected to Google's login page. After successful authentication, Google transmits the following profile data to us:
- Google account ID
- name
- email address
- profile picture URL (where available)
The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Data may also be transferred to Google LLC, headquartered in the United States. Google is certified under the EU-US Data Privacy Framework.
Legal basis: Art. 6(1)(a) GDPR (consent through your active click on the sign-in button) and Art. 6(1)(b) GDPR (performance of a contract). For more information, please refer to Google's Privacy Policy.
9. Cross-Domain Login (Single Sign-On)
After successful authentication, a session cookie is set on the domain .luvex.tech. As a result, you are signed in on luvex.tech and simulator.luvex.tech at the same time. No additional data exchange takes place between the subdomains — both applications check the same session cookie against our central user database.
10. Newsletter
If you subscribe to our newsletter, we process your email address and, where applicable, your name solely to send editorial newsletters. Distribution uses a double-opt-in procedure: after you subscribe, we send you a confirmation email; only after you click the link contained in it are you added to the distribution list. You can unsubscribe at any time via the unsubscribe link in every email or by message to info@luvex.tech.
Legal basis: Art. 6(1)(a) GDPR (consent).
11. Contact Requests
If you contact us via our contact form or by email, we process the information you provide solely for the purpose of handling your request. The data is not shared with third parties.
Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures) or Art. 6(1)(f) GDPR (legitimate interest in responding).
Retention: until your request has been concluded; thereafter as required by statutory retention periods.
12. Recommendation Profile
When you provide your industry and UV-topic interests after registration (onboarding wizard), we process this data solely to show you relevant content (knowledge-hub articles, manufacturer suggestions). You can disable personalization or delete the data at any time in your profile.
We do not share this data with third parties. It is also not transmitted to manufacturers in the context of inquiries — there is a separate, explicit per-inquiry opt-in for that (see §13).
Legal basis: Art. 6(1)(a) GDPR (consent through your active wizard completion or personalization toggle).
13. Lead Capture in the Manufacturer Directory
When you contact a partner manufacturer through our manufacturer directory, we record that a lead capture has occurred (date, manufacturer or lamp reference, source of the click where applicable). The content of your specific request is only forwarded to the partner manufacturer if you expressly consent.
Legal basis: Art. 6(1)(a) GDPR (consent) and Art. 6(1)(f) GDPR (legitimate interest in a transparent intermediation service).
14. Customer-Mentions Index — Internal Cross-Reference
We maintain an internal cross-reference index (customer_mentions) that records which customer organisation is mentioned in which platform content — knowledge-hub articles, forum threads, practice cases, lead processes, or closed engineering workspaces. The index is visible to our administrative staff only; it is never made public and is not shared with manufacturer partners.
The data may originate from:
- data you entered yourself during the customer-profile onboarding (see §12);
- external sources we have reviewed in the course of our editorial work (e.g. installation reports, industry research, public press releases). In such cases we hereby inform you of the collection and processing pursuant to Art. 14 GDPR. Individual notification is not provided, because the proportionality criterion of Art. 14(5)(b) GDPR is typically not met in a purely B2B engineering context; on request you will of course receive full access to the records concerning your organisation.
Per entry we record the company identity, industry, application context, and a reference to the source. Personally identifiable employee names are recorded only where strictly necessary for the cross-reference; we pseudonymise at company level by default.
Anonymisation and visibility tiers. Each entry carries a visibility path:
- internal_only (default) — the entry stays fully internal. Default for all new entries.
- public_anonymized — the company name is redacted, the industry context is retained (e.g. "a southern German clinic with roughly 800 beds"). Used for anonymised practice cases on the planned Praxiseinsicht surface.
- public_named — your company is named explicitly. This tier is set only with your express consent; a technical consent timestamp is mandatorily recorded (database constraint).
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in maintaining a consistent internal knowledge index for platform operations and editorial practice cases). For entries flagged as public_named, Art. 6(1)(a) GDPR (consent) additionally applies.
Recipients: exclusively LUVEX administrative staff. No transfer to manufacturer partners, no publication without an explicit visibility path.
Retention: for as long as a legitimate interest in the cross-reference exists. On request we will delete your entry, unless overriding interests or statutory retention obligations apply.
Your rights: you may at any time request access to entries concerning your organisation (Art. 15 GDPR), object to further processing (Art. 21 GDPR), or request erasure (Art. 17 GDPR). An informal email to info@luvex.tech is sufficient.
15. Recipients of Your Data
Your personal data is shared with third parties only if:
- you have consented (Art. 6(1)(a) GDPR),
- sharing is necessary for the performance of a contract (Art. 6(1)(b) GDPR),
- there is a statutory obligation (Art. 6(1)(c) GDPR),
- it occurs in the context of order processing pursuant to Art. 28 GDPR.
Current data processors are:
- Hostinger International Limited — hosting, servers in Frankfurt am Main, Germany
- Google Ireland Limited — optional, where Google Sign-In is used
15a. AI Service Processors (Chatbot LEX, Knowledge Search)
Our chatbot LEX and the semantic knowledge search in Atlas rely on external AI providers as data processors:
- Groq, Inc. (USA) — language-model inference for LEX in public mode. Processes only the message you send to LEX plus context snippets retrieved from our public knowledge base. Data transfer to the United States on the basis of EU Standard Contractual Clauses. Contractually opted out of training-data use per Groq DPA.
- Anthropic, PBC (USA) — language-model inference for LEX in internal mode (only for logged-in LUVEX editorial staff, approved experts, and Luvex Pro members). Data transfer to the United States on the basis of EU Standard Contractual Clauses. Contractually opted out of training-data use per Anthropic DPA.
- Voyage AI, Inc. (USA) — generates embeddings (numeric representations) of your search query for matching against our knowledge base. Does not process profile data. Data transfer to the United States on the basis of EU Standard Contractual Clauses.
15b. LEX Chatbot — Logging and Review
LEX stores your conversation only if you explicitly opt in via the consent banner inside the chat. Without consent LEX still answers, but contents are discarded at the end of the session.
What is stored (with consent):
- Your messages and LEX' replies (public mode: PII auto-scrubbed before persistence)
- Which knowledge snippets were retrieved and at what confidence level
- Which tool calls / navigation suggestions LEX made
- Latency and the language model used (for quality review)
- Anonymous session hash (SHA-256 of IP + user-agent + daily-rotating salt) — not reversible to your identity
Purpose: periodic joint review with the LUVEX editorial team to identify knowledge gaps and improve LEX' responses.
Legal basis: Art. 6(1)(a) GDPR (your consent). You can withdraw consent at any time.
Retention: conversations not used in the editorial review are deleted automatically after 90 days. Conversations used for test sets or knowledge reviews are retained in anonymised form as a quality benchmark.
Recipients: during inference, your messages are sent to Groq (public mode) or Anthropic (internal mode). Both providers have contractually undertaken not to use the contents for training. See section 15a.
Internal mode: users with LUVEX staff role, verified expert status, or granted "Luvex Pro" capability talk to LEX in internal mode (visually marked by a Pro badge). Their conversations are stored by default (editorial audit duty).
16. Transfers to Third Countries
Personal data is generally processed within the European Economic Area (EEA). When using Google Sign-In, data may be transferred to Google LLC in the United States. Such transfers are based on the EU Standard Contractual Clauses and are covered by the EU-US Data Privacy Framework (adequacy decision of the European Commission of 10 July 2023).
17. Retention and Account Deletion
We retain your personal data only as long as necessary to provide our services or as required by statutory retention obligations.
Immediate account deletion: You can delete your user account at any time via your dashboard profile (Danger Zone → "Delete account permanently"). Once you have confirmed your email address — and, where applicable, your password — your login data, sessions, personal profile data, and your private application data (your own lamps, simulations, lead requests, organisation memberships) are removed from our systems without delay.
Posts in public discussion formats (forum, knowledge hub) remain in place with an anonymised author ("Deleted user") for read-consistency reasons. On request we will also remove these, provided no statutory retention obligations apply — an informal message to info@luvex.tech is sufficient.
Once deletion is complete, only anonymised statistical aggregates with no personal reference remain.
18. Your Rights as a Data Subject
You have the following rights:
- Access to the data we hold about you (Art. 15 GDPR)
- Rectification of inaccurate data (Art. 16 GDPR)
- Erasure of your data ("right to be forgotten", Art. 17 GDPR)
- Restriction of processing (Art. 18 GDPR)
- Objection to processing (Art. 21 GDPR)
- Data portability (Art. 20 GDPR)
- Withdrawal of your consent with effect for the future (Art. 7(3) GDPR)
To exercise your rights, an informal message to info@luvex.tech is sufficient.
19. Right to Lodge a Complaint
You have the right to lodge a complaint with a data protection supervisory authority about our processing of your personal data. The authority responsible for us is:
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 27
91522 Ansbach
Germany
Web: https://www.lda.bayern.de
20. Changes to this Privacy Policy
We reserve the right to adapt this privacy policy to reflect changes in the law or in our services. The current version is always available on this page; the date of the most recent update is shown at the top.