Privacy Policy

1. General Provisions

next2u S.à r.l. - S. ("Company" or "we") processes and protects personal data of registered and unregistered users of next2u – everyone who accesses our website, as well as those who contact the Company via all the means listed on the website ("users" or "you").

This Privacy Policy is designed to comply with the General Data Protection Regulation (GDPR - EU Regulation 2016/679) and the laws of the Grand Duchy of Luxembourg. We are committed to protecting your privacy and ensuring your personal data is processed lawfully, fairly, and transparently in accordance with GDPR principles.

By providing us with personal data, you consent to its processing in accordance with this policy and applicable GDPR requirements.

2. Definitions

Personal Data – any information related to a directly or indirectly identified or identifiable individual (data subject).

Processing of Personal Data – performing actions or a set of actions on personal data, including collection, recording, systematization, accumulation, storage, refinement, updating, and modification, retrieval, use, provision, access, blocking, deletion, and destruction – with or without automated data processing tools.

We may process your data in the ways listed for the purposes outlined in Section 4 of this Policy.

Personal Data Operator – a government body, municipal body, legal entity, or individual that independently or jointly with others organizes and/or carries out the processing of personal data, and also determines the purposes of processing personal data, the composition of personal data to be processed, and the actions (operations) performed on personal data.

The Company is the operator with respect to the personal data we may receive in connection with your use of next2u (including the website).

3. What Data We Process

You provide us with personal data when:

• Registering on next2u;
• Using next2u services (i.e. posting listings, etc);
• Subscribing to newsletters;
• Participating in events, research, and surveys;
• Writing or calling us (e.g., contacting support or using the rights holder claim form);
• Communicating with other users;
• Exercising rights or fulfilling obligations under our terms and conditions:

Your device automatically transmits technical data:

• Information stored in cookies
• Browser information
• Settings
• Access dates and times
• Requested page addresses
• Website or app activities
• Device specifications
• IP address

Other useful links:

• Terms of Use
• Services Agreement
• Cookie policy

4. Purposes of Personal Data Processing

We process users personal data for the following purposes:

• Provide you access to next2u and its services:
  • Allow you to create a profile
  • Post listings
  • Use next2u
  • With your consent, offer you partner services
  • Data processed: Email, username, address, photos, videos and other data related to next2u services.
• Ensure stable operation and security of next2u:
  • Improve user experience
  • Improve service quality
  • Marketing activities
  • Develop new services and website features
  • Data processed: Technical data, behavioral metrics, transaction data.
• Prevent and stop violations:
  • Violations of laws
  • Violations of next2u's Terms of Use and other rules
  • Protect users from fraud and other dishonest actions
  • Data processed: All data necessary for fraud prevention and security enforcement.
• Fulfill legal obligations:
  • Accounting
  • Tax reporting
  • Responses to government inquiries
  • Data processed: Email, address.
• Provide responses to your inquiries:
  • Data processed: Email, inquiry content.
• Send marketing messages:
  • Messages about next2u and our partners
  • Data processed: Email.
• Display personalized offers:
  • Offers that may interest you
  • Data processed: Email, device identifiers, next2u usage data, location data.
• Organize your participation:
  • Participation in events
  • Research and surveys
  • Data processed: Email and voluntarily provided information.

5. Legal Basis for Processing (GDPR Compliance)

In accordance with Article 6 of the GDPR, we process your personal data based on the following legal grounds:

• Your consent (Article 6(1)(a) GDPR): Given when registering on next2u, logging in, using next2u services, interacting with next2u interfaces, clicking specific buttons, continuing calls, or performing other actions. You have the right to withdraw consent at any time.
• Contractual obligations (Article 6(1)(b) GDPR): Processing necessary for the execution, amendment, or termination of agreements such as next2u's Terms of Use and other service agreements.
• Legitimate interests (Article 6(1)(f) GDPR): Protecting the Company or third parties, fraud prevention, security, and service improvement, provided this does not override your fundamental rights and freedoms.
• Legal requirements (Article 6(1)(c) GDPR): Compliance with regulatory obligations under EU and Luxembourg law.

6. Transfer to Third Parties and Cross-Border Data Transfers

In compliance with GDPR Articles 44-49, we may transfer personal data to third parties when necessary to provide next2u services or with your consent. Data transfers include:

• Within our corporate group (e.g., customer service, fraud prevention, security, etc.).
• To infrastructure providers: We use OVH (OVHcloud) as our cloud infrastructure provider. All data is stored in OVH data centers located within the European Union, ensuring full GDPR compliance. OVH processes personal data on our behalf under appropriate data processing agreements (Article 28 GDPR).
• To partners (e.g., delivery services, financial organizations, telecom providers, and advertising services). We ensure that all third-party processors comply with GDPR requirements through appropriate data processing agreements (Article 28 GDPR).
• To government authorities if required by law or when necessary to comply with legal obligations.

All data transfers outside the European Economic Area (EEA), if any, are conducted with appropriate safeguards in place, such as Standard Contractual Clauses approved by the European Commission, to ensure GDPR-level protection of your personal data.

7. Data Placement on next2u

When you publish listings, reviews or information in your account on next2u, personal data included in such information becomes available to an indefinite number of people. You disclose such data yourself, without providing us as a data operator with a separate agreement. The company does not transfer your personal data. We process such data for the purpose of fulfilling the agreement with you concluded at your initiative.

The purpose for which users post data on next2u is to establish contact with a potential buyer (client) who is interested in concluding a deal on the listing. Users do not process other users' data for any other purposes. This means that:

• You cannot call or send messages to users to offer your goods or services.
• You cannot copy users' data to post them on other services.
• You cannot use next2u users' information for scoring purposes.

8. Security and Data Protection Measures (GDPR Article 32)

Responsible attitude to personal data is the company's standard of operation. In accordance with GDPR Article 32, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing personal data. 

To protect personal data, we: 

• Published a comprehensive data processing policy on the website in compliance with GDPR transparency requirements (Articles 12-14). 
• Approved local acts on the processing and protection of personal data in line with GDPR accountability principle (Article 5(2)). 
• Ensure employees are familiar with these documents on their first day at the company and maintain ongoing GDPR awareness.
• Conduct regular training for employees on personal data protection and GDPR compliance.
• Regularly audit the company's processes and documents for GDPR compliance and alignment with Luxembourg data protection law. 
• Conduct Data Protection Impact Assessments (DPIA) as required by GDPR Article 35 to assess risks and potential harm from data processing activities. 
• Taking into account risk assessments, we select appropriate technical and organizational measures to ensure GDPR compliance.
• Implement the principle of data minimization and provide access to personal data only to those Company employees who genuinely need it to perform their duties (need-to-know basis). 
• Apply comprehensive legal, organizational and technical measures including pseudonymization, encryption, access controls, and regular security testing to ensure the security of personal data. 

When taking measures to protect personal data, we rely on: 

• GDPR requirements and legal obligations under EU and Luxembourg law. 
• The established level of protection of personal data based on risk assessment. 
• Industry best practices and security standards appropriate to our processing activities. 
• A risk-oriented approach when choosing optimal protection measures (GDPR Article 32).
• The principle of accountability and demonstrating GDPR compliance (Article 5(2)). 
• Priority of data subjects' rights and legitimate interests.

In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours as required by GDPR Article 33, and inform affected data subjects when required by Article 34.

9. Storage of Personal Data and Data Localization

We record, systematize, accumulate, store, clarify (update, change), and extract your personal data using databases located in the EU, ensuring compliance with GDPR data localization principles.

Our technical infrastructure is provided by OVH (OVHcloud), with all data stored in OVH data centers located within the European Union. This ensures that all data processing occurs within the European Economic Area (EEA), maintaining full GDPR compliance.

We store your data in accordance with the data processing periods necessary to achieve the processing purposes specified in Section 4 of this Policy, in line with the GDPR principle of storage limitation (Article 5(1)(e)). 

10. Data Retention Periods (GDPR Article 5(1)(e))

In accordance with the GDPR principle of storage limitation, we stop processing your personal data within the timeframes established by law:

• Upon achieving the processing purposes specified in Section 4 of this Policy, or when there is no longer a need to achieve them (unless there are other grounds for processing provided by law).

For example, in order to fulfill our obligations, prevent and suppress violations of laws, our rules, protect users from fraudulent and other unfair actions, as well as to respond to requests, we must process data within the timeframes determined in accordance with the law (procedural, tax, civil, accounting, etc.).

Such goals as providing the opportunity to use next2u services, ensuring the stable operation and security of services, improving the user experience, quality of services, services and marketing activities, sending marketing messages will be achieved upon termination of obligations arising from contracts with us.

• Upon expiration of the consent period or upon withdrawal of consent (unless there are other grounds for processing provided by law). For example, in the case of processing for the purpose of organizing participation in events, research and surveys.

We will also stop processing your data:

• If we detect unlawful processing, if it is impossible to ensure lawfulness.
• If the Company is liquidated.

After the established deadlines have expired, we automatically delete the data from the information systems. If the data is processed without the use of automatic processing tools (e.g. paper requests), we destroy such material carriers.

11. Deleting Your Account on next2u

To delete your next2u account and all the data in it, go to the "Privacy & Data" page on the website or in the application and select the account deletion option. If there are unfinished transactions, wait for them to be completed before proceeding with deletion.

We will stop processing your personal data and delete it in accordance with legal requirements. We will not be able to restore your data, even if you change your mind later.

The law requires that we store user information for at least a year after deleting an account.

12. Your GDPR Rights

Under the GDPR, you have the following rights regarding your personal data:

• Right of access (Article 15): You can request information about the personal data we process about you.
• Right to rectification (Article 16): You can request correction of inaccurate or incomplete personal data.
• Right to erasure (Article 17 - "Right to be forgotten"): You can request deletion of your personal data under certain circumstances.
• Right to restriction of processing (Article 18): You can request that we limit the processing of your personal data in specific situations.
• Right to data portability (Article 20): You can receive your personal data in a structured, commonly used format and transmit it to another controller.
• Right to object (Article 21): You can object to processing based on legitimate interests or for direct marketing purposes.
• Right to withdraw consent (Article 7(3)): Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of processing before withdrawal.
• Right to lodge a complaint (Article 77): You have the right to lodge a complaint with the Luxembourg National Commission for Data Protection (CNPD) or your local supervisory authority if you believe your rights have been violated.

To exercise any of these rights, withdraw consent, or inquire about data privacy, contact customer support.

13. Data Controller Details

Data Controller:
next2u S.à r.l. - S.
14A Rue du Bambusch
L-8213, Mamer, Luxembourg

Supervisory Authority:
Commission Nationale pour la Protection des Données (CNPD)
15, Boulevard du Jazz
L-4370 Belvaux, Luxembourg
Website: https://cnpd.public.lu