DE FR EN

Privacy Policy

Information on the processing of personal data according to GDPR

As of: 16.06.2026

1. Controller

The controller within the meaning of GDPR and other data protection regulations is:

iSOLUTIONS S.à r.l.
274, route de Thionville
L-5884 Howald, Luxembourg
Email: hello@secondhandshop.lu

2. What data we process

Upon registration

  • Email address
  • Name (freely chosen, may be a pseudonym)
  • Password (encrypted with bcrypt — we do not know your password)
  • Language preference
  • Time of registration
  • IP address at the time of registration (protection against abuse)

When creating listings

  • Uploaded photos
  • Listing title and description
  • Category, condition, price
  • Location (city/postcode — approximate geo-coordinates for the map)

For communication

  • Contents of your messages to other Users
  • Timestamps and read status

Automatically collected data

  • Login attempts with IP address (brute-force protection)
  • Views of your listings (anonymized, just counters)
  • Server logs (IP, useragent, timestamp — automatically deleted after 30 days)

3. Why we use the data

Processing serves to provide platform functions:

  • Account management (Art. 6(1)(b) GDPR — contract performance)
  • Publishing listings (contract performance)
  • Enabling chat between Users (contract performance)
  • Spam/fraud prevention (Art. 6(1)(f) GDPR — legitimate interest)
  • AI-assisted listing creation (contract performance — see section 4)
  • Statistics and platform improvement (anonymized, legitimate interest)

4. Third parties / Data transfer

Anthropic (AI service)

To improve your user experience, we use the AI service Claude from Anthropic, PBC (548 Market Street, PMB 90375, San Francisco, CA 94104, USA — transfer based on EU Standard Contractual Clauses pursuant to Art. 46 GDPR).

When does a transmission occur?

Only in two clearly defined situations, which you yourself trigger through your action:

  1. Photo analysis: After you upload a photo when creating a listing, the image is automatically analyzed to generate suggestions for title, description, category, and condition. During the analysis, the app displays a visible notice "AI analysis in progress…".
  2. Translation: When publishing a listing, the title and description are translated into the other supported languages (German, French, English), so that your listing is understandable to more users.

What data is specifically transmitted to Anthropic?

  • The listing photo you uploaded (product photos only — we recommend not depicting persons)
  • The title and description of your listing (for translation)
  • A short technical instruction text (prompt) for the AI

What data is NOT transmitted?

  • Your name, email address, phone number
  • Your account or login data
  • Your location or IP address
  • Your chat messages to other users
  • Any other personally identifiable data

Processing at Anthropic: Anthropic processes the transmitted data exclusively to answer the respective request. Anthropic does not use the transmitted content for training its AI models according to its own statements. More information: anthropic.com/legal/privacy.

Your choice: AI-assisted listing creation is a convenience feature. If you do not want data transmission to Anthropic, you can refrain from creating listings — the other functions of the app (browsing, chat, account management) are available without AI usage.

OpenStreetMap / Nominatim

For the map and geocoding (postcode → coordinates) we use the service OpenStreetMap Foundation (UK). Transmitted are: city/postcode of a listing (for geocoding), IP address when calling up the map. More: osmfoundation.org

Email delivery

Transactional emails (verification, password reset, etc.) are sent via our own SMTP server at iSOLUTIONS in Luxembourg.

Hosting

The platform is hosted in a data center in Luxembourg (iSOLUTIONS-owned infrastructure). No data transfer to third countries — except for the AI/map services mentioned above.

5. Cookies

We use minimal cookies:

  • Session cookie (essential): Keeps you logged in. Deleted on logout.
  • CSRF token (essential): Protection against Cross-Site-Request-Forgery.
  • Language (comfort): Stores your preferred language.
  • Cookie-Consent (essential): Stores your cookie decision.

We do not use tracking cookies, no Google Analytics, no advertising cookies, no third-party pixels.

6. Data retention

  • Account data: Until account deletion by you or us
  • Listings: Until you delete them or 30 days after account deletion
  • Chat messages: Until conversation deletion by both parties
  • Login attempts: 30 days
  • Server logs: 30 days
  • AI analysis cache: Anonymized, 90 days

7. Your rights

Under GDPR you have the following rights at any time:

  • Access to data stored about you (Art. 15)
  • Rectification of incorrect data (Art. 16)
  • Erasure of your data ("right to be forgotten", Art. 17)
  • Restriction of processing (Art. 18)
  • Data portability (Art. 20)
  • Objection to processing (Art. 21)
  • Complaint to a supervisory authority (see below)

To exercise your rights, write to hello@secondhandshop.lu. We respond within 30 days.

8. Supervisory authority

You have the right to lodge a complaint with the competent data protection authority at any time:

Commission Nationale pour la Protection des Données (CNPD)
15, Boulevard du Jazz
L-4370 Belvaux, Luxembourg
cnpd.public.lu

9. Security

We employ technical and organizational measures to protect your data:

  • HTTPS/TLS encryption for all connections
  • Passwords stored encrypted with bcrypt (Cost 11)
  • Brute-force protection on login (max. 5 attempts / 15 min)
  • CSRF protection on all forms
  • Regular backups
  • Server access only via SSH keys

10. Changes to this Privacy Policy

For substantial changes, we inform registered users by email. The current version is available on this page.