DE FR EN

Privacy Policy

Information on the processing of personal data according to GDPR

As of: 02.05.2026

1. Controller

The controller within the meaning of GDPR and other data protection regulations is:

iSOLUTIONS S.à r.l.
274, route de Thionville
L-5884 Howald, Luxembourg
Email: hello@secondhandshop.lu

2. What data we process

Upon registration

  • Email address
  • Name (freely chosen, may be a pseudonym)
  • Password (encrypted with bcrypt — we do not know your password)
  • Language preference
  • Time of registration
  • IP address at the time of registration (protection against abuse)

When creating listings

  • Uploaded photos
  • Listing title and description
  • Category, condition, price
  • Location (city/postcode — approximate geo-coordinates for the map)

For communication

  • Contents of your messages to other Users
  • Timestamps and read status

Automatically collected data

  • Login attempts with IP address (brute-force protection)
  • Views of your listings (anonymized, just counters)
  • Server logs (IP, useragent, timestamp — automatically deleted after 30 days)

3. Why we use the data

Processing serves to provide platform functions:

  • Account management (Art. 6(1)(b) GDPR — contract performance)
  • Publishing listings (contract performance)
  • Enabling chat between Users (contract performance)
  • Spam/fraud prevention (Art. 6(1)(f) GDPR — legitimate interest)
  • AI-assisted listing creation (contract performance — see section 4)
  • Statistics and platform improvement (anonymized, legitimate interest)

4. Third parties / Data transfer

Anthropic (AI service)

When you upload a photo and use our AI function for listing creation, we transmit the photo and a short hint text to Anthropic, PBC (USA, Standard Contractual Clauses according to GDPR). Anthropic processes the data only to answer the request and does not store it for training according to its own statements. More: anthropic.com/legal/privacy

OpenStreetMap / Nominatim

For the map and geocoding (postcode → coordinates) we use the service OpenStreetMap Foundation (UK). Transmitted are: city/postcode of a listing (for geocoding), IP address when calling up the map. More: osmfoundation.org

Email delivery

Transactional emails (verification, password reset, etc.) are sent via our own SMTP server at iSOLUTIONS in Luxembourg.

Hosting

The platform is hosted in a data center in Luxembourg (iSOLUTIONS-owned infrastructure). No data transfer to third countries — except for the AI/map services mentioned above.

5. Cookies

We use minimal cookies:

  • Session cookie (essential): Keeps you logged in. Deleted on logout.
  • CSRF token (essential): Protection against Cross-Site-Request-Forgery.
  • Language (comfort): Stores your preferred language.
  • Cookie-Consent (essential): Stores your cookie decision.

We do not use tracking cookies, no Google Analytics, no advertising cookies, no third-party pixels.

6. Data retention

  • Account data: Until account deletion by you or us
  • Listings: Until you delete them or 30 days after account deletion
  • Chat messages: Until conversation deletion by both parties
  • Login attempts: 30 days
  • Server logs: 30 days
  • AI analysis cache: Anonymized, 90 days

7. Your rights

Under GDPR you have the following rights at any time:

  • Access to data stored about you (Art. 15)
  • Rectification of incorrect data (Art. 16)
  • Erasure of your data ("right to be forgotten", Art. 17)
  • Restriction of processing (Art. 18)
  • Data portability (Art. 20)
  • Objection to processing (Art. 21)
  • Complaint to a supervisory authority (see below)

To exercise your rights, write to hello@secondhandshop.lu. We respond within 30 days.

8. Supervisory authority

You have the right to lodge a complaint with the competent data protection authority at any time:

Commission Nationale pour la Protection des Données (CNPD)
15, Boulevard du Jazz
L-4370 Belvaux, Luxembourg
cnpd.public.lu

9. Security

We employ technical and organizational measures to protect your data:

  • HTTPS/TLS encryption for all connections
  • Passwords stored encrypted with bcrypt (Cost 11)
  • Brute-force protection on login (max. 5 attempts / 15 min)
  • CSRF protection on all forms
  • Regular backups
  • Server access only via SSH keys

10. Changes to this Privacy Policy

For substantial changes, we inform registered users by email. The current version is available on this page.