Privacy Policy
Last Updated: January 2026
1. Legal Basis and Compliance
Swiss Law: This Privacy Policy is governed by the Swiss Federal Act on Data Protection (nFADP). As a Swiss company, our primary legal obligation is to Swiss law.
GDPR Compliance: We acknowledge the importance of the General Data Protection Regulation (EU) 2016/679 ("GDPR"). Although we are domiciled in Switzerland, we voluntarily adhere to GDPR standards for all visitors accessing our services from the European Economic Area (EEA).
2. Responsible Body & Data Protection Officer
The controller responsible for data processing on this website is Lucumo Security GmbH.
Specific privacy inquiries and requests regarding your data rights should be addressed directly to our Data Protection Officer:
Data Protection Department
Attn: Data Protection Officer
Lucumo Security GmbH
General-Wille-Strasse 19
8002 Zurich
Switzerland
Direct Email for Privacy Matters:
privacy AT lucumo.net
3. No Cookies & No Tracking Policy
We are committed to data minimization and digital sovereignty. To ensure your privacy:
- No Cookies: We strictly do not use cookies. No files are placed on your device to identify you or save your session.
- No Analytics: We do not use Google Analytics, Matomo, or any third-party tracking scripts.
- No Fingerprinting: We do not employ browser fingerprinting techniques to track users across visits.
- No Social Plugins: There are no social media "Like" or "Share" buttons that transmit data to third-party networks without your consent.
4. Data Processing in Specific Scenarios
4.1. Job Applications
If you apply for a position at Lucumo (via email or other means), we process the data you provide (CV, certificates, correspondence) solely for the purpose of the application process. If an employment contract is concluded, the data will be stored in our personnel files. If no employment contract is concluded, the application documents will be automatically deleted 6 months after the rejection, provided that no other legitimate interests or statutory retention obligations prevent deletion.
4.2. Remote Consulting & Video Conferencing
We might use online conferencing tools (e.g., Microsoft Teams, Zoom, Signal) to conduct client meetings. When using these services, various data types are processed, including participant information, metadata (time/duration), and content data (audio/video). We configure these tools to the maximum privacy settings available ("Privacy by Default"), but we point out that the providers of these tools may process data on servers outside of Switzerland.
4.3. Performing Mandates
Data provided to us by clients specifically for the purpose of an audit or consulting mandate (e.g., source code, network logs, architecture diagrams) might be treated with a higher classification of confidentiality as defined in our Non-Disclosure Agreements (NDA) and General Terms and Conditions, separate from this website privacy policy.
5. Server Log Files
For technical security and to ensure the stability of our systems, our hosting provider collects standard server log data. This is a technical necessity and might include:
- IP address (anonymized after short retention periods where possible)
- Date and time of access
- Browser type and version
- Operating system
This data is processed based on our legitimate interest (Art. 6 para. 1 lit. f GDPR) in maintaining the security and integrity of our IT infrastructure. This data is not combined with other data sources.
6. Your Rights
Under the nFADP and the GDPR, you have the following rights regarding your personal data:
- Right to Access: You may request information about your stored data, its origin, recipients, and purpose.
- Right to Rectification: You may request correction of incorrect data.
- Right to Erasure ("Right to be forgotten"): You may request deletion of your data unless statutory retention obligations exist.
- Right to Restriction of Processing: You may request that we limit the processing of your data.
- Right to Data Portability: You may request to receive your data in a structured, common, and machine-readable format.
To exercise these rights, please contact the Data Protection Officer listed in Section 2.