Privacy Policy
Last updated: 7 May 2026
Document generated by the ekomfort Legal Pages squad — DPO/legal counsel review recommended before publication.
Legal bases: Regulation (EU) 2016/679 (GDPR), Directive 2002/58/EC (ePrivacy), Luxembourg Law of 1 August 2018 on the organisation of the CNPD, French Law No. 78-17 “Informatique et Libertés” (LIL) as amended, Bundesdatenschutzgesetz (BDSG, Germany), Code of Economic Law (Belgium).
Table of contents
- Preamble and scope
- Identity of the controller
- Contact details for “data protection”
- Categories of data collected
- Purposes and legal bases for processing
- Recipients of the data
- Transfers outside the European Union
- Retention periods
- Your rights
- How to exercise your rights
- Data security
- Cookies and tracking technologies
- Complaint to a supervisory authority
- Changes to this policy
1. Preamble and scope
This privacy policy (hereinafter the “Policy”) aims to inform users of the website ekomfort.lu (hereinafter the “Website”) of how their personal data is collected, used, shared and protected by SAKEPIXEL SARL-S (hereinafter “ekomfort”, “we” or “the Controller”).
This Policy applies to any person who:
- browses the Website (visitor),
- creates a customer account or subscribes to the newsletter,
- places an order or attempts to place an order on the Website,
- contacts us by email, telephone or form,
- interacts with our communications (emails, SMS, social media).
We undertake to process your data in accordance with Regulation (EU) 2016/679 of 27 April 2016 (hereinafter the “GDPR”), the Luxembourg Law of 1 August 2018 on the organisation of the National Commission for Data Protection, the French Law No. 78-17 of 6 January 1978 as amended (“Informatique et Libertés”), the German Bundesdatenschutzgesetz and the Belgian Code of Economic Law.
Note: ekomfort serves four markets (Luxembourg, France, Belgium, Germany). This Policy applies uniformly to residents of the four countries. The competent supervisory authorities are listed in section 13.
2. Identity of the controller
The controller of your personal data is:
| Field | Value |
|---|---|
| Company name | SAKEPIXEL SARL-S |
| Legal form | Simplified limited liability company |
| Trade register number | Luxembourg B286895 |
| Business license number | 10167719/1 (Luxembourg Ministry of the Economy) |
| EU VAT number | LU35860625 |
| Share capital | EUR 1,200 |
| Registered office | 13 rue Anna Lindh, L-4547 Differdange, Grand Duchy of Luxembourg |
| Legal representative | Serge Sakepa, sole manager |
| Website operated | https://ekomfort.lu |
| General email | [email protected] |
| Telephone | +352 661 201 619 |
SAKEPIXEL SARL-S alone determines the purposes and means of processing the data collected through the Website, within the meaning of Article 4(7) of the GDPR.
3. Contact details for “data protection”
Given the size of SAKEPIXEL SARL-S and the nature of the processing operations carried out, the appointment of a Data Protection Officer (DPO) within the meaning of Article 37 of the GDPR is not mandatory. Nevertheless, in accordance with the spirit of the Regulation and to facilitate the exercise of your rights, we have set up a dedicated contact point for data protection:
- Email: [email protected]
- Postal address: SAKEPIXEL SARL-S — Data Protection, 13 rue Anna Lindh, L-4547 Differdange, Luxembourg
This contact point will respond to any questions you may have regarding this Policy, the exercise of your rights, or any concerns about the processing of your data.
4. Categories of data collected
We only collect the data necessary for the purposes described in section 5. The categories of data are as follows:
4.1 Data you provide directly
| Category | Examples | Source |
|---|---|---|
| Identification data | surname, first name, title | Account creation, order |
| Contact data | email address, telephone number | Account creation, order, contact form |
| Delivery and billing data | full postal address, country | Order |
| Account data | username, password (hashed), preferences | Account creation |
| Order data | products purchased, amount, payment method (without card number), history | Order |
| Communication data | message content, after-sales requests | Contact form, email |
| Marketing preferences | newsletter subscription, areas of interest, consents | Newsletter sign-up, form |
4.2 Data collected automatically
| Category | Examples | Source |
|---|---|---|
| Technical data | IP address (anonymised), browser type, operating system, screen resolution | Browsing on the Website |
| Browsing data | pages visited, duration, journey, traffic source, date and time of visit | Analytics cookies (with consent) |
| Session identifiers | WordPress, WooCommerce, WPML technical identifiers | Strictly necessary cookies |
| Security data | authentication logs, login attempts, anti-fraud signals | Server logs, Cloudflare, Stripe |
4.3 Data we never collect
ekomfort never collects:
- your full payment card numbers (processed directly by Stripe or PayPal in a PCI-DSS environment),
- your health data, political, religious, philosophical or trade-union opinions, or sexual orientation (special categories within the meaning of Article 9 GDPR),
- your biometric or genetic data,
- data of minors under 16 years of age (the Website is not intended for minors; orders require legal capacity to contract).
5. Purposes and legal bases for processing
In accordance with Article 6 of the GDPR, each processing operation is based on a specific legal basis. The table below details each purpose, the applicable legal basis and the data concerned.
| Purpose | Legal basis (Art. 6 GDPR) | Data processed |
|---|---|---|
| Customer account management (creation, authentication, update) | Art. 6(1)(b) — performance of the contract | Identification, contact, account |
| Processing and fulfilment of orders (payment, delivery, after-sales service, invoices, returns, legal warranty) | Art. 6(1)(b) — performance of the contract | Identification, contact, delivery, order |
| Retention of invoices and accounting records | Art. 6(1)(c) — legal obligation (LU Commercial Code + LU/FR/BE/DE tax obligations) | Order data, billing |
| Combating payment fraud | Art. 6(1)(f) — legitimate interest (financial security) | Technical data, IP, Stripe signals |
| Sending the newsletter and commercial communications | Art. 6(1)(a) — consent (explicit prior opt-in) | Contact, preferences |
| Personalisation of the user experience (language, currency) | Art. 6(1)(f) — legitimate interest (ergonomics) | Technical data, functional cookies |
| Audience measurement and statistics (Google Analytics 4) | Art. 6(1)(a) — consent | Browsing data, analytics cookies |
| Targeted advertising and retargeting (Google Ads, Meta — if activated) | Art. 6(1)(a) — consent | Browsing data, advertising cookies |
| Website security (anti-bot, anti-DDoS, anti-injection) | Art. 6(1)(f) — legitimate interest (IT security) | IP, logs, security cookies |
| Responding to contact requests | Art. 6(1)(b) — pre-contractual measures, or Art. 6(1)(f) — legitimate interest | Identification, contact, content |
| Responding to GDPR rights requests | Art. 6(1)(c) — legal obligation (GDPR Art. 12 to 22) | Identification, contact, data concerned |
| Defence of our interests in case of litigation | Art. 6(1)(f) — legitimate interest (safeguarding rights) | All relevant categories |
Balancing test (legitimate interest): for each processing operation based on Article 6(1)(f), we have carried out a balancing test (weighing our legitimate interest against the rights and freedoms of the data subjects). You may at any time object to processing based on legitimate interest — see section 9.
6. Recipients of the data
Your data is only shared with recipients strictly necessary to achieve the purposes described in section 5, in compliance with contractual and regulatory obligations.
6.1 Internal recipients
- The manager and authorised staff of SAKEPIXEL SARL-S, strictly within the limits of their duties (commercial management, after-sales service, accounting).
6.2 Processors within the meaning of Article 28 GDPR
All processors listed below are bound to ekomfort by a data processing agreement (DPA) incorporating the clauses required by Article 28 GDPR.
| Processor | Service provided | Data location | DPA signed |
|---|---|---|---|
| Hostinger International Ltd | Hosting of the Website and database | Headquarters: Cyprus — operational data centres: EU (Lithuania / Netherlands) | Yes |
| Stripe Payments Europe Ltd | Payment card processing | Ireland (EU) + United States (DPF) | Yes |
| PayPal (Europe) S.à r.l. et Cie SCA | PayPal payment processing | Luxembourg (EU) | Yes |
| Google Ireland Ltd | Google Analytics 4, Google Tag Manager | Ireland (EU) + United States (DPF) | Yes |
| Cloudflare Inc. | Security, CDN, anti-bot protection | United States (DPF) + EU | Yes |
| WPML / OnTheGoSystems | WordPress multilingual module (no transfer of users’ personal data) | EU | Yes |
| FluentCRM (Really Simple Plugins B.V.) | Newsletter management (self-hosted on Hostinger) | EU | Not applicable (self-hosted) |
| Amazon Web Services (Amazon SES) | Sending transactional emails and newsletters | EU (Frankfurt, Ireland) | Yes |
| Complianz GDPR (Really Simple Plugins B.V.) | Cookie consent management | EU (Netherlands) | Yes |
6.3 Carriers and logistics providers
Data strictly necessary for delivery (name, postal address, telephone, email) is transmitted to the carrier selected at the time of the order:
- DPD Luxembourg / DPD France / DPD Belgium / DPD Deutschland (DPDgroup)
- Mondial Relay (pickup point delivery in FR / BE)
- UPS Europe SRL/BV
6.4 Public authorities
Your data may be communicated to administrative or judicial authorities only upon a legally founded request (judicial requisition, tax demand, etc.) and within the strict limits provided by law.
6.5 No resale
ekomfort never sells or rents your personal data to third parties for commercial purposes.
7. Transfers outside the European Union
The majority of your data is processed and stored within the European Economic Area (EEA).
Some of our processors have their parent company or infrastructure in the United States. Any transfers to the United States are governed by the following safeguards provided for in Chapter V of the GDPR:
| Processor | Transfer mechanism |
|---|---|
| Stripe Payments Europe Ltd (EU subsidiary of Stripe Inc.) | Data processed by the EU subsidiary on a priority basis; occasional transfers to Stripe Inc. (US) covered by the EU-US Data Privacy Framework (DPF) and by the Standard Contractual Clauses (SCC) of the European Commission (decision 2021/914 of 4 June 2021). |
| Google Ireland Ltd (EU subsidiary of Google LLC) | Google LLC enrolled in the Data Privacy Framework (validated by the European Commission on 10 July 2023). Standard Contractual Clauses as a fallback. |
| Cloudflare Inc. | Enrolled in the Data Privacy Framework + Standard Contractual Clauses of the European Commission. |
| Amazon Web Services Inc. (via European subsidiaries) | EU regions used by default (Frankfurt, Ireland). For any transfer outside the EU: DPF + Standard Contractual Clauses. |
Data Privacy Framework reference: https://www.dataprivacyframework.gov
Upon request to [email protected], you may obtain a copy of the contractual safeguards applicable to a transfer to a third country concerning your data.
No data is transferred to China, Russia, or any country subject to a regime of mass surveillance incompatible with the fundamental right to data protection within the meaning of CJEU judgment C-311/18 “Schrems II” of 16 July 2020.
8. Retention periods
In accordance with the storage limitation principle (Article 5(1)(e) GDPR), your data is retained only for the period strictly necessary for the purposes pursued, or for the period required by law.
| Data category | Active retention period | Intermediate archiving | Total |
|---|---|---|---|
| Customer account (no login or purchase) | 3 years from the last activity | — | 3 years |
| Order data and invoices | 1 year from dispatch (after-sales service / 2-year legal warranty under Directive (EU) 2019/771) | 10 years (LU accounting obligation, art. 16 Commercial Code; FR 10 years art. L.123-22; BE 7 years art. III.86 of the Code of Economic Law; DE 10 years § 257 HGB) | 10 years |
| Banking data | No retention by ekomfort (PCI-DSS Stripe / PayPal) | — | 0 |
| Commercial prospecting data (newsletter) | Until consent is withdrawn, or 3 years after the last interaction (click / open) | — | Max. 3 years |
| Browsing data (analytics) | 13 months maximum | Anonymisation after 13 months | 13 months |
| Cookies | 13 months maximum (CNIL/CNPD recommendation) | — | 13 months |
| Technical security logs | 1 year (CNIL recommendation — IS security) | — | 1 year |
| Litigation data | Duration of the proceedings + appeal / limitation periods | — | Variable |
| Rights exercise requests | 3 years (proof of GDPR compliance) | — | 3 years |
At the end of these periods, the data is permanently deleted or irreversibly anonymised (aggregated statistics with no possible re-identification).
9. Your rights
In accordance with Articles 15 to 22 of the GDPR, you have the following rights regarding your personal data:
9.1 Right of access (Art. 15)
You may obtain confirmation as to whether or not your data is being processed by ekomfort, and where applicable, obtain a complete copy together with information on the purposes, categories, recipients, retention periods and associated rights.
9.2 Right to rectification (Art. 16)
You may request the rectification of any inaccurate or incomplete data concerning you. You may also update your contact details directly from your customer account (“My account” → “Address”).
9.3 Right to erasure (“right to be forgotten”) (Art. 17)
You may request the erasure of your data in the cases provided for by the GDPR, in particular where:
- the data is no longer necessary in relation to the purposes,
- you withdraw your consent and no other legal basis applies,
- you object to processing based on legitimate interest,
- the data has been unlawfully processed.
Limitation: we cannot erase data whose retention is required by law (invoices, accounting — 10 years) for as long as that obligation remains in force.
9.4 Right to restriction of processing (Art. 18)
You may request that the processing be temporarily suspended, for example while the accuracy of the data is being verified or in the event of an objection.
9.5 Right to data portability (Art. 20)
You may receive, in a structured, commonly used and machine-readable format (JSON, CSV), the data you have provided to us, and transmit it to another controller.
9.6 Right to object (Art. 21)
You may object at any time, on grounds relating to your particular situation, to processing based on legitimate interest (Article 6(1)(f)).
With regard to commercial prospecting (newsletter), you may object without giving any reason and unconditionally, either by clicking the “Unsubscribe” link in each email, or by writing to [email protected].
9.7 Right to withdraw consent (Art. 7(3))
Where processing is based on your consent, you may withdraw it at any time, as easily as you gave it. Withdrawal does not affect the lawfulness of processing carried out before such withdrawal.
9.8 Right not to be subject to automated decision-making (Art. 22)
ekomfort does not make any automated decisions producing legal effects (automated order refusal without human intervention, discriminatory scoring, etc.) regarding its customers. The anti-fraud checks carried out by Stripe or PayPal may include an automated component, but human intervention is always available on request.
9.9 Right to set post-mortem directives (FR only — Art. 85 LIL)
If you reside in France, you may set general or specific directives regarding the fate of your data after your death (Law No. 2016-1321 of 7 October 2016).
10. How to exercise your rights
10.1 Channels for exercising rights
To exercise any of the rights described in section 9, two channels are available to you:
- Email: [email protected]
- Postal mail:
SAKEPIXEL SARL-S — Data Protection
13 rue Anna Lindh
L-4547 Differdange
Luxembourg
10.2 Identity verification
For security reasons, we may ask you to prove your identity (copy of an identity document with non-essential data redacted) where reasonable doubt exists as to the identity of the requester, in accordance with Article 12(6) GDPR.
10.3 Response time
In accordance with Article 12(3) GDPR, we undertake to respond to your request within one (1) month of receipt. This period may be extended by a further two (2) months in the event of a complex request or numerous requests, in which case we will inform you within the initial period and provide the reasons.
10.4 Free of charge
The exercise of your rights is free of charge, except in the case of a manifestly unfounded or excessive request (notably owing to its repetitive nature), in which case a reasonable amount covering our administrative costs may be requested, or the request may be refused (Art. 12(5) GDPR).
11. Data security
In accordance with Articles 25 and 32 of the GDPR (“privacy by design” and security of processing), ekomfort implements appropriate technical and organisational measures to ensure a level of security adapted to the risk.
11.1 Technical measures
- Encryption in transit: HTTPS / TLS 1.2+ protocol across the entire Website (Let’s Encrypt certificate, automatic renewal).
- Password hashing: bcrypt algorithm (one-way salted hash), compliant with OWASP and CNIL recommendations.
- Two-factor authentication (2FA): available for administrator accounts and offered to customers.
- Web application firewall (WAF): Cloudflare protection against OWASP Top 10 attacks (SQL injection, XSS, CSRF, etc.).
- Anti-bot and anti-DDoS protection: Cloudflare Turnstile + rate limiting.
- Regular backups: daily encrypted backups, retained for 30 days, restoration tested.
- Security updates: systematic application of patches for WordPress, WooCommerce, critical plugins (weekly cycle).
- Access segregation: principle of least privilege, named administrator accounts.
- Logging: retention of authentication and administrator access logs for 1 year.
11.2 Organisational measures
- Staff awareness (manager and collaborators) on data protection.
- Security incident management policy with CNPD notification procedure within 72 hours (Art. 33 GDPR).
- Procedure for notifying data subjects in the event of a high-risk breach (Art. 34 GDPR).
- Data processing agreements (DPA) signed with each provider processing personal data.
11.3 Notification of data breaches
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we undertake to:
- notify the CNPD (and the competent authorities of the other jurisdictions concerned) within 72 hours of becoming aware of it,
- inform you without undue delay if the breach poses a high risk to you (Art. 34 GDPR).
12. Cookies and tracking technologies
The Website uses cookies and similar technologies to ensure its operation, measure its audience, and — subject to your explicit consent — display personalised advertising content.
Full details (categories, purposes, durations, providers, consent management) are described in our dedicated Cookie Policy.
Your cookie preferences can be changed at any time via the “Manage my cookies” link in the footer of every page of the Website.
13. Complaint to a supervisory authority
If, after contacting us, you consider that your rights have not been respected, you may lodge a complaint with the competent supervisory authority. You have the right to refer the matter to the authority of the country of your habitual residence, your place of work, or the place where the alleged infringement occurred (Art. 77 GDPR).
| Country | Supervisory authority | Contact details |
|---|---|---|
| Luxembourg | CNPD — Commission Nationale pour la Protection des Données | 15, boulevard du Jazz, L-4370 Belvaux — https://cnpd.public.lu — [email protected] |
| France | CNIL — Commission Nationale de l’Informatique et des Libertés | 3 place de Fontenoy, TSA 80715, 75334 Paris Cedex 07 — https://www.cnil.fr |
| Belgium | APD / GBA — Data Protection Authority | Rue de la Presse 35, 1000 Brussels — https://www.autoriteprotectiondonnees.be — [email protected] |
| Germany | BfDI — Bundesbeauftragter für den Datenschutz und die Informationsfreiheit (+ Länder authorities) | Graurheindorfer Straße 153, 53117 Bonn — https://www.bfdi.bund.de |
Judicial remedy: independently of any complaint to a supervisory authority, you may bring a judicial remedy before the competent courts (Art. 79 GDPR).
14. Changes to this policy
This Policy may be updated to reflect legal, jurisprudential, technical or organisational developments.
14.1 Notification of substantial changes
In the event of a substantial change (change of purpose, addition of a major recipient, modification of a retention period, transfer to a new third country, etc.), we will notify you:
- by email sent to the address associated with your account or your newsletter subscription,
- at least 30 days before the new provisions take effect,
- with a clear summary of the changes and a reminder of your right to object / to withdraw consent.
14.2 Minor changes
Minor changes (typo corrections, contact detail updates, additions of clarifications without impact on your rights) are published without individual notification; the “last updated” date at the top of this page will be refreshed.
14.3 Version history
| Version | Date | Changes |
|---|---|---|
| 2.0 | 7 May 2026 | Complete overhaul compliant with GDPR + ePrivacy + LU/FR/BE/DE — ekomfort Legal Pages squad |
| 1.x |
Contact summary
| Subject | Contact details |
|---|---|
| General enquiries | [email protected] — +352 661 201 619 |
| Data protection / exercise of rights | [email protected] |
| Postal address | SAKEPIXEL SARL-S, 13 rue Anna Lindh, L-4547 Differdange, Luxembourg |
| Trade register | Luxembourg B286895 |
| Business license | 10167719/1 |
| EU VAT | LU35860625 |
Legal bases and references:
- Regulation (EU) 2016/679 of 27 April 2016 (GDPR), Articles 5, 6, 7, 9, 12 to 22, 25, 28, 32, 33, 34, 37, 44 to 49, 77, 79.
- Directive 2002/58/EC of 12 July 2002 (ePrivacy), as amended by Directive 2009/136/EC.
- Luxembourg Law of 1 August 2018 on the organisation of the National Commission for Data Protection and the general regime on data protection.
- French Law No. 78-17 of 6 January 1978 as amended (“Informatique et Libertés”), as adapted by Law No. 2018-493 of 20 June 2018.
- Bundesdatenschutzgesetz (BDSG) of 30 June 2017, current version.
- Belgian Code of Economic Law, Book XII and Belgian legislation transposing the GDPR (Law of 30 July 2018).
- European Commission adequacy decision of 10 July 2023 (EU-US Data Privacy Framework).
- Decision 2021/914 of 4 June 2021 — Standard Contractual Clauses of the European Commission.
- CJEU judgment C-311/18 of 16 July 2020 (“Schrems II”).
- CNIL guidelines on retention periods, security, cookies (updated 2024).
- CNPD guidelines applicable to Luxembourg controllers.
ekomfort Privacy Policy — operated by SAKEPIXEL SARL-S, Luxembourg. Document generated on 7 May 2026.
