Transparency
Privacy Policy
At trigger, we take your data protection seriously. This page explains how we collect, use, and protect your personal information, in accordance with the General Data Protection Regulation (GDPR) and Luxembourg law.
Last updated: July 2, 2026
Data Controller
Data controller
SGFS LFKC SARL
- Address
- 2, rue de la Corniche · L-5956 Itzig, Luxembourg
- [email protected]
- Data Protection Officer (DPO)
- [email protected]
- RCS Luxembourg
- Pending assignment
- Intra-community VAT
- Pending assignment
The company is in the process of being registered in Luxembourg. The RCS and VAT numbers will be published here as soon as they are assigned by the register.
For any questions regarding your personal data, write to us at [email protected].
Data Collected
Depending on your use of the website, we collect:
Data you provide to us directly:• Contact and callback forms: first name, last name, phone number, country of residence, preferred callback slot• Simulators: the parameters you enter (salary, family situation, age...) to generate the estimate• Newsletter: email address• Chat: the content of your conversations with our assistant
Automatically collected data:• Browsing data: pages visited, duration of visit, device used (only after your consent, see Cookies section)• Technical data: browser type and operating system
No sensitive banking or financial data is collected directly.
Data you provide to us directly:• Contact and callback forms: first name, last name, phone number, country of residence, preferred callback slot• Simulators: the parameters you enter (salary, family situation, age...) to generate the estimate• Newsletter: email address• Chat: the content of your conversations with our assistant
Automatically collected data:• Browsing data: pages visited, duration of visit, device used (only after your consent, see Cookies section)• Technical data: browser type and operating system
No sensitive banking or financial data is collected directly.
Purposes and Legal Bases
Your data is processed for the following purposes:
Consent for processing and transmission to a partner is explicitly collected via a checkbox when submitting the form. You can withdraw your consent at any time.
| Purpose | Legal Basis (GDPR) |
|---|---|
| To contact you following your request | Consent (Art. 6.1.a) |
| To transmit your contact details to an approved partner | Explicit consent (Art. 6.1.a) |
| To improve our simulators | Legitimate interest (Art. 6.1.f) |
| To comply with our legal obligations | Legal obligation (Art. 6.1.c) |
| Audit trail and regulatory traceability | Legitimate interest / legal obligation |
Consent for processing and transmission to a partner is explicitly collected via a checkbox when submitting the form. You can withdraw your consent at any time.
Data Sharing
Your data may be shared with:
• CAA-approved buyer partners: only if you have given your explicit consent. These partners are brokers or insurance companies approved by the Commissariat aux Assurances of Luxembourg, with whom we have signed a Data Processing Agreement (DPA).
Technical subcontractors:
• Supabase (hosting in the European Union): database, authentication, media storage, backend Edge Functions• Railway (hosting in the European Union): hosting of the Next.js site (trigger.lu)• Resend: sending transactional emails• PostHog (hosted in the European Union): audience measurement, error monitoring, session recordings and heatmaps. Audience measurement and recordings are only activated after your explicit consent via the cookie banner, and what you type into forms (phone, first name) is always masked in recordings• Google Tag Manager / Google Analytics: anonymized traffic analysis, activated only in production and after explicit consent via the cookie banner
Each subcontractor is bound by a Data Processing Agreement compliant with the GDPR. We never sell your data.
Data location and international transfers
All your data is hosted within the European Union. The main subcontractors (Supabase and Railway) operate their cloud regions in the EU for storage and processing. For any access carried out from third countries (notably in the context of technical support operations), transfers are covered by GDPR-compliant safeguards: standard contractual clauses of the European Commission, and where applicable additional technical measures.
Sharing with a partner only occurs as part of personalized support that you have explicitly requested.
• CAA-approved buyer partners: only if you have given your explicit consent. These partners are brokers or insurance companies approved by the Commissariat aux Assurances of Luxembourg, with whom we have signed a Data Processing Agreement (DPA).
Technical subcontractors:
• Supabase (hosting in the European Union): database, authentication, media storage, backend Edge Functions• Railway (hosting in the European Union): hosting of the Next.js site (trigger.lu)• Resend: sending transactional emails• PostHog (hosted in the European Union): audience measurement, error monitoring, session recordings and heatmaps. Audience measurement and recordings are only activated after your explicit consent via the cookie banner, and what you type into forms (phone, first name) is always masked in recordings• Google Tag Manager / Google Analytics: anonymized traffic analysis, activated only in production and after explicit consent via the cookie banner
Each subcontractor is bound by a Data Processing Agreement compliant with the GDPR. We never sell your data.
Data location and international transfers
All your data is hosted within the European Union. The main subcontractors (Supabase and Railway) operate their cloud regions in the EU for storage and processing. For any access carried out from third countries (notably in the context of technical support operations), transfers are covered by GDPR-compliant safeguards: standard contractual clauses of the European Commission, and where applicable additional technical measures.
Sharing with a partner only occurs as part of personalized support that you have explicitly requested.
Data Retention Period
Your data is retained for the following durations:
• Active leads: duration of the commercial relationship + 3 years• Archived leads: maximum 5 years (legal obligations and audit trail)• Simulation data: anonymized after 12 months if no commercial follow-up• Deleted data (GDPR erasure): irreversible physical deletion, only the anonymized audit trail is retained
The distinction between archiving and deletion is critical: archiving preserves history for the audit trail, physical deletion is irreversible.
• Active leads: duration of the commercial relationship + 3 years• Archived leads: maximum 5 years (legal obligations and audit trail)• Simulation data: anonymized after 12 months if no commercial follow-up• Deleted data (GDPR erasure): irreversible physical deletion, only the anonymized audit trail is retained
The distinction between archiving and deletion is critical: archiving preserves history for the audit trail, physical deletion is irreversible.
Your Rights
In accordance with the GDPR and Luxembourg law, you have the following rights:
• Right of access (art. 15): obtain a copy of your data• Right to rectification (art. 16): correct inaccurate data• Right to erasure (art. 17): request the deletion of your data• Right to portability (art. 20): receive your data in a structured format• Right to object (art. 21): object to the processing• Right to restriction (art. 18): restrict processing in certain cases• Right to withdraw consent: at any time, without affecting the lawfulness of the processing carried out prior to withdrawal
To exercise your rights, use our dedicated form or contact us directly.
Response time: we respond to any request to exercise rights within one month of receipt (art. 12(3) GDPR). This period may be extended by an additional two months for complex or numerous requests, in which case we will inform you within the initial one-month period.
DPO Contact: for any questions regarding the protection of your data, write to us at [email protected].
Right to lodge a complaint: if you believe that the processing of your data does not comply with the GDPR, you can lodge a complaint with the National Commission for Data Protection (CNPD), 15 boulevard du Jazz, L-4370 Belvaux, Luxembourg, www.cnpd.lu.
• Right of access (art. 15): obtain a copy of your data• Right to rectification (art. 16): correct inaccurate data• Right to erasure (art. 17): request the deletion of your data• Right to portability (art. 20): receive your data in a structured format• Right to object (art. 21): object to the processing• Right to restriction (art. 18): restrict processing in certain cases• Right to withdraw consent: at any time, without affecting the lawfulness of the processing carried out prior to withdrawal
To exercise your rights, use our dedicated form or contact us directly.
Response time: we respond to any request to exercise rights within one month of receipt (art. 12(3) GDPR). This period may be extended by an additional two months for complex or numerous requests, in which case we will inform you within the initial one-month period.
DPO Contact: for any questions regarding the protection of your data, write to us at [email protected].
Right to lodge a complaint: if you believe that the processing of your data does not comply with the GDPR, you can lodge a complaint with the National Commission for Data Protection (CNPD), 15 boulevard du Jazz, L-4370 Belvaux, Luxembourg, www.cnpd.lu.
Security
We implement the following technical and organizational measures:
• Encryption of data in transit (HTTPS/TLS)• Authentication and access control across all systems• Tokenized consultation pages for leads (secure access without authentication)• Access logging and complete audit trail• Automatic incident monitoring via PostHog (hosted in the European Union)• Hosting within the European Union• Verification of partners' CAA approval before any data sharing
• Encryption of data in transit (HTTPS/TLS)• Authentication and access control across all systems• Tokenized consultation pages for leads (secure access without authentication)• Access logging and complete audit trail• Automatic incident monitoring via PostHog (hosted in the European Union)• Hosting within the European Union• Verification of partners' CAA approval before any data sharing
Supervisory Authority
If you believe that the processing of your data is not compliant, you can lodge a complaint with:
National Commission for Data Protection (CNPD)15 Boulevard du JazzL-4370 Belvaux, Luxembourghttps://cnpd.public.lu
National Commission for Data Protection (CNPD)15 Boulevard du JazzL-4370 Belvaux, Luxembourghttps://cnpd.public.lu
Modifications
This policy may be updated. The date of the last modification is indicated below. In the event of substantial changes, we will inform you via appropriate channels.
Last updated: July 2, 2026
Last updated: July 2, 2026
Do you want to exercise your rights?
Access, rectification, deletion, portability, objection: it's your right.
Exercise my rightsData controller: SGFS LFKC SARL, 2 rue de la Corniche, L-5956 Itzig, Luxembourg. Data Protection Officer: [email protected]. Supervisory authority: National Commission for Data Protection (CNPD), 15 Boulevard du Jazz, L-4370 Belvaux, Luxembourg. Document updated on July 2, 2026.