pot.lu

Privacy Notice

GDPR information about how pot.lu processes personal data.

This notice is written for a cautious, low-data operating model and should be revised again once live processors are chosen.

1. Identity of the Controller

[OPERATOR: name, address, contact]

2. Data Protection Officer

Not appointed (Art. 37 thresholds not met). [OPERATOR: revise if appointed]

3. Categories of Personal Data We Process

  • Email addresses submitted through newsletter, report, or shop waitlist forms.
  • Submitted business listing data, including business name, country, contact email, and listing notes.
  • Contact, advertising, and referral enquiry text submitted through forms on the site.
  • HTTP server logs generated by the host, including IP address, user-agent, timestamp, and requested URL, retained N days per host. Replace this placeholder once the host is chosen: [OPERATOR: revise host log retention if not 30]

4. Purposes and Lawful Basis

Newsletter
We process newsletter sign-up data on the basis of Art. 6(1)(a) GDPR consent and use double opt-in before adding a subscriber to the live list.
Contact, advertising, legal referral, and listing submissions
We process these enquiries on the basis of Art. 6(1)(b) GDPR where the request is a pre-contractual step, and Art. 6(1)(f) GDPR where we have a legitimate interest in responding, moderating submissions, and running the site safely.
Server logs
We process server logs on the basis of Art. 6(1)(f) GDPR to keep the site available, secure, and abuse-resistant.

5. Recipients / Processors

  • Email service provider: [OPERATOR: ESP name when chosen, e.g. Mailchimp/Buttondown/Beehiiv]
  • Hosting provider: [OPERATOR: hosting provider, e.g. Cloudflare/Netlify]
  • CRM or lead-routing tool: [OPERATOR: CRM if used]

6. International Transfers

[OPERATOR: state whether any processor is non-EU; SCCs required if so]

7. Retention

  • Newsletter list: until unsubscribe plus 30 days.
  • Form submissions: 24 months.
  • Server logs: 30 days.

8. Data Subject Rights

You may request access under Art. 15 GDPR, rectification under Art. 16, erasure under Art. 17, restriction under Art. 18, portability under Art. 20, and object under Art. 21. Art. 22 automated decision-making is not applicable because pot.lu does not make automated decisions with legal or similarly significant effect.

To exercise your rights, email privacy@[OPERATOR: domain].

9. Right to Lodge a Complaint

If you believe your personal data has been processed unlawfully, you may lodge a complaint with the Luxembourg CNPD at cnpd.public.lu. If you are resident in Germany, you may also complain to the BfDI or the competent state data protection authority in your Land.

10. Cookies

See cookies.html.

11. Changes to This Notice

This notice may be updated when pot.lu adds new processors, analytics, or services. Material changes will be logged below.

2026-05-14
Initial v3 privacy notice published.

Effective date: 2026-05-14.