Notice on Personal Data Protection
Last updated: April 2026
1. Data Controller
The data controller for your personal data is Hanna Consulting S.À R.L.-S, operating under the commercial trade name Framed, registered with the Luxembourg Trade and Companies Register under number B283248, with its registered office at 177 rue du Luxembourg, L-8077 Bertrange, Luxembourg.
For any questions regarding this notice, please contact us at: contact@framed.lu or by phone at +352 661 853 231.
2. Data Collected
In the context of managing your booking requests and executing the service, we collect the following data:
- Identification and contact data — name, email address, phone number. Collected when submitting the booking request.
- Event data — date, venue address, times and practical information required to carry out the service.
- Professional data — company name, VAT number, contact person. For business bookings only.
- Visual data — photos taken during the event, handed over to the Client and deleted within 3 weeks.
- Technical security data — IP address stored as a SHA-256 hash (non-reversible), used exclusively for abuse prevention, retained for a maximum of 1 hour.
3. Purposes and Legal Bases for Processing
Each processing activity is based on a specific legal ground under the GDPR:
| Purpose | Legal basis |
|---|---|
| Processing your request, issuing a quote, pre-contractual communications | Art. 6(1)(b) GDPR — pre-contractual measures at your request |
| Service delivery (delivery, setup, event manager assistance) | Art. 6(1)(b) GDPR — performance of a contract |
| Invoicing and accounting records | Art. 6(1)(c) GDPR — legal obligation (Luxembourg accounting law) |
| Customer satisfaction survey (Google Forms) | Art. 6(1)(f) GDPR — legitimate interest (service improvement) |
| Fraud prevention and website security (rate limiting) | Art. 6(1)(f) GDPR — legitimate interest (protection against abuse) |
We do not carry out any profiling or automated decision-making.
4. Contractual Relationship
The service contract is formed upon confirmation of your booking by email and performed on the agreed event date. No separate contractual document is required: the booking request, its confirmation, and the execution of the service together constitute the contractual relationship within the meaning of Article 6(1)(b) of the GDPR.
5. Retention Period
- Booking and service management data: retained until the end of the calendar year in which the event took place, extended by 3 months (i.e. no later than 31 March of the following year), then deleted or anonymised.
- Billing and accounting records: retained for 10 years in accordance with the Luxembourg Accounting Act of 19 December 2002.
- Photos taken during the event: retained for a maximum of 3 weeks from the event date, then permanently deleted. This period allows the Client to retrieve their files; after this deadline, no recovery is possible.
- Satisfaction survey responses (Google Forms): retained for 1 year from the event date, then deleted. You may exercise your right to object at any time.
- IP address (SHA-256 hash, anti-abuse): retained for a maximum of 1 hour, then automatically deleted (Redis sliding window).
After these periods, your data is permanently deleted or rendered anonymous.
6. Sub-processors and International Transfers
Your personal data is not transferred to third parties for commercial purposes. In operating the service, we use the following technical sub-processors, each bound by a Data Processing Agreement (DPA):
| Provider | Country | Safeguards |
|---|---|---|
| Neon Inc. (database) | 🇩🇪 Germany (EU) | — |
| Vercel Inc. (hosting) | 🇺🇸 United States | SCC / DPF |
| Resend Inc. (emails) | 🇺🇸 United States | SCC |
| Upstash Inc. (Redis cache) | 🇩🇪 Germany (EU) | — |
| GitHub Inc. / Microsoft (code) | 🇺🇸 United States | SCC / DPF |
| Google LLC (Google Forms) | 🇺🇸 United States | SCC / DPF |
| DSLRBooth (photobooth software) | 🇺🇸 United States | SCC |
Transfers outside the European Union
Providers based in the United States (Vercel, Resend, GitHub, Google, DSLRBooth) involve transfers of personal data outside the European Economic Area. These transfers are governed by Standard Contractual Clauses (SCC) approved by the European Commission and, where applicable, by participation in the EU-US Data Privacy Framework (DPF).
Further sub-processor: Neon Inc. hosts its data on Amazon Web Services (AWS), Europe region (Frankfurt, Germany). AWS is bound to Neon by a GDPR-compliant DPA.
Technical service providers strictly necessary for photobooth operation are bound by confidentiality obligations.
SCC = Standard Contractual Clauses (European Commission). DPF = EU-US Data Privacy Framework.
7. Your Rights
Under the General Data Protection Regulation (GDPR — EU 2016/679), you have the following rights:
- Right of access: obtain a copy of your personal data
- Right of rectification: correct inaccurate or incomplete data
- Right to erasure: request deletion of your data
- Right to data portability: receive your data in a structured format
- Right to object: object to processing based on legitimate interest (Art. 6(1)(f))
- Right to restriction: request suspension of processing
To exercise these rights, contact us at contact@framed.lu. We are committed to responding within one month.
8. Cookies and Analytics
Our website uses only:
- GDPR consent cookie (framed_consent): stores your choice for 13 months. Functional only — no personal data collected.
- Admin session cookie: used exclusively for internal team authentication (httpOnly, not accessible via JavaScript, 8h duration).
For website analytics, we use Vercel Analytics, a cookie-free tool that collects no personally identifiable data. It measures only aggregated, anonymised metrics (pages visited, country, device type). No individual profiles are built.
No advertising, tracking or social media third-party cookies are used.
9. Complaints to the Supervisory Authority
If you believe that the processing of your personal data constitutes a breach of the GDPR, you have the right to lodge a complaint with the Commission Nationale pour la Protection des Données (CNPD) in Luxembourg: cnpd.public.lu.
10. Amendments
This notice may be updated at any time. The date of last modification is shown at the top of this page. We encourage you to review it regularly.