Privacy Policy
Last updated: 16 April 2026 — Version 2.0
Effective date: 16 April 2026
1. Introduction
2RL Sàrl-S (hereinafter "2RL", "we", "us", or "our") is committed to protecting the privacy and personal data of every visitor to this website (https://2rl.ai) and every person who contacts us (hereinafter the "data subject" or "you").
This Privacy Policy (the "Policy") explains, in a transparent manner and in accordance with Articles 12, 13 and 14 of the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), which personal data we collect, why we collect it, how we use it, with whom we share it, how long we keep it, and which rights you can exercise with regard to your personal data.
We encourage you to read this Policy carefully. By using this website or by submitting the contact form, you acknowledge that you have read and understood this Policy. This Policy does not constitute a contract and does not create any contractual rights or obligations.
2. Data Controller
The controller responsible for the processing of your personal data within the meaning of Article 4(7) GDPR is:
| Legal name | 2RL Sàrl-S |
| Legal form | Société à responsabilité limitée simplifiée (simplified private limited liability company) |
| Registered office | 16B Robert Schuman-Strooss, L-5751 Frisange, Grand Duchy of Luxembourg |
| Email (privacy matters) | contact@2rl.ai |
| Website | https://2rl.ai |
Given the scale and nature of our processing activities, 2RL is not required under Article 37 GDPR to appoint a Data Protection Officer (DPO). Privacy-related enquiries are handled directly by 2RL at the address above.
3. Legal Framework
This Policy is established in accordance with, and processing activities are carried out under, the following instruments:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR);
- The Luxembourg law of 1 August 2018 on the organisation of the National Commission for Data Protection and on the general data protection framework, as amended;
- Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (ePrivacy Directive), as amended by Directive 2009/136/EC;
- The Luxembourg law of 30 May 2005 on the protection of privacy in the electronic communications sector, as amended (transposing the ePrivacy Directive);
- The Luxembourg law of 14 August 2000 on electronic commerce, as amended;
- Relevant guidelines, recommendations and decisions issued by the European Data Protection Board (EDPB) and the Luxembourg Commission Nationale pour la Protection des Données (CNPD).
4. Key Definitions
For the purposes of this Policy, the following definitions apply in accordance with Article 4 GDPR:
- Personal data: any information relating to an identified or identifiable natural person;
- Processing: any operation performed on personal data, whether or not by automated means;
- Controller: the natural or legal person which determines the purposes and means of the processing;
- Processor: a natural or legal person processing personal data on behalf of the controller;
- Data subject: the identified or identifiable natural person to whom the personal data relate;
- Consent: any freely given, specific, informed and unambiguous indication of the data subject's wishes.
5. Personal Data We Collect
5.1 Data you provide through the contact form
When you submit our contact form, we collect and process the following categories of personal data. Fields marked with (*) are mandatory; without these, we are not able to process your request.
- Identification data*: first name, last name;
- Contact data*: email address;
- Professional data: company name (optional);
- Telephone number: mandatory only if you request a phone call or a scheduled consultation; optional otherwise;
- Project information*: project type (software, hardware or combined), desired MVP delivery horizon, free-text message describing your enquiry;
- Scheduling data: if you tick "Request a call", the date and time slots you propose for a consultation (up to five slots, in 30-minute increments, between 08:00 and 18:00 CET).
We do not knowingly collect any special categories of personal data (Article 9 GDPR) or data relating to criminal convictions (Article 10 GDPR) through our contact form. Please do not include such information in the free-text message field.
5.2 Data collected automatically (technical data)
For security, stability and audit purposes, our web server automatically logs a limited set of technical data when you visit the website:
- IP address of the connecting device (processed in truncated / shortened form wherever feasible);
- Date, time and time zone of the request;
- HTTP method, URL and status code of the response;
- Referrer URL (if transmitted by your browser);
- User-agent string (browser type, version and operating system);
- Approximate geographic location derived from the IP address (country level only).
These data are processed in accordance with Recital 49 GDPR, which recognises network and information security as a legitimate interest of the controller.
5.3 Cookies, local storage and similar technologies
This website uses only strictly necessary technologies. It does not use any advertising, marketing, profiling or third-party analytics cookies, nor any fingerprinting, social-media plug-ins or cross-site tracking mechanisms.
Strictly necessary technologies fall within the exemption of Article 5(3) of the ePrivacy Directive, as transposed into Luxembourg law by the amended law of 30 May 2005, because they are "strictly necessary in order to provide an information society service explicitly requested by the subscriber or user". No prior consent is therefore required.
The following item is stored on your device:
| Identifier | Storage | Purpose | Duration |
|---|---|---|---|
| 2rl-cookie-consent | localStorage | Remembers whether you accepted or declined the cookie banner so that the banner is not shown again. | Persistent (until you clear your browser storage) |
You can delete this entry at any time through the settings of your browser (typically: "Clear site data" or "Clear storage" for the domain 2rl.ai). Doing so will cause the cookie banner to reappear on your next visit.
6. Purposes of Processing and Legal Basis
In accordance with Article 13(1)(c) GDPR, the table below sets out, for each processing activity, the purpose pursued and the legal basis relied upon under Article 6 GDPR:
| Processing activity | Purpose | Legal basis (GDPR) |
|---|---|---|
| Handling of contact-form enquiries | Receiving, qualifying and responding to enquiries; evaluating potential pre-contractual relationships | Art. 6(1)(b) (steps at the request of the data subject prior to entering into a contract) and/or Art. 6(1)(f) (legitimate interest in responding to business enquiries) |
| Scheduling of consultation calls | Organising a call at a time agreed with you | Art. 6(1)(b) GDPR (pre-contractual measures taken at your request) |
| Server logs and technical telemetry | Ensuring the security, integrity and availability of the website; preventing abuse and fraud; diagnosing incidents | Art. 6(1)(f) GDPR (legitimate interest — network and information security, per Recital 49) |
| Storage of the cookie-consent preference | Avoiding repeated display of the consent banner | Art. 6(1)(f) GDPR (legitimate interest in providing a service requested by the user); Art. 5(3) ePrivacy Directive (exemption for strictly necessary technologies) |
| Compliance with legal obligations | Accounting, tax, contractual archiving and responses to lawful requests from authorities | Art. 6(1)(c) GDPR (compliance with a legal obligation) |
| Establishment, exercise or defence of legal claims | Protecting our rights in the event of a dispute | Art. 6(1)(f) GDPR (legitimate interest) and Art. 9(2)(f) where applicable |
Where we rely on legitimate interest (Article 6(1)(f) GDPR), we have carried out a balancing test and consider that our interests are not overridden by your interests, rights and freedoms. You may obtain further information about this balancing test by contacting us at the address listed in Section 2.
7. Recipients of Personal Data
Your personal data are accessed only on a strict need-to-know basis by authorised staff of 2RL. We do not sell, rent or license your personal data, nor do we use them for any form of advertising profiling. Personal data may be disclosed to the following categories of recipients:
- Hosting and infrastructure providers — providers of the servers, content-delivery networks and technical platforms hosting this website, acting as processors under Article 28 GDPR and bound by written data-processing agreements (servers located within the European Union / European Economic Area);
- Email service providers — providers used to transmit and receive contact-form enquiries, acting as processors;
- Professional advisers — lawyers, auditors, accountants and other advisers, bound by statutory or contractual confidentiality obligations;
- Public authorities — courts, regulators or law-enforcement bodies, strictly where we are under a legal obligation to disclose (e.g. pursuant to a lawful order under Luxembourg or EU law);
- Acquirers — in the event of a merger, acquisition, reorganisation or sale of assets, subject to appropriate safeguards and to this Policy.
8. International Data Transfers
Your personal data are, as a rule, processed within the European Union / European Economic Area (EU/EEA). If a processor exceptionally processes data outside the EU/EEA, 2RL ensures that the transfer is subject to appropriate safeguards under Chapter V GDPR, notably:
- a European Commission adequacy decision (Article 45 GDPR); or
- standard contractual clauses adopted by the European Commission (Article 46(2)(c) GDPR), combined where necessary with supplementary technical, contractual and organisational measures in line with EDPB Recommendations 01/2020.
You may obtain a copy of the safeguards applied to a specific transfer by contacting us at contact@2rl.ai.
9. Data Retention Periods
In accordance with the storage-limitation principle (Article 5(1)(e) GDPR), we retain personal data only for as long as necessary for the purposes for which they were collected, or for as long as required by law:
- Contact-form enquiries that do not lead to a contract: up to 12 months from the last exchange, then deletion or anonymisation;
- Enquiries leading to a contractual relationship: for the duration of the contract and, thereafter, for the limitation periods applicable under Luxembourg law (in principle, ten years under Article 189 of the Luxembourg Commercial Code for commercial matters);
- Accounting and tax records: ten years, in accordance with Article 16 of the Luxembourg Commercial Code and applicable tax legislation;
- Server logs and technical telemetry: up to 30 days, unless a longer retention is strictly necessary to investigate a security incident;
- Cookie-consent preference: stored on your device until you delete it via your browser settings;
- Data subject to legal hold: for the duration of any actual or reasonably anticipated legal proceedings.
10. Data Security
In accordance with Article 32 GDPR, 2RL implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
- encryption in transit (TLS/HTTPS) for all data transmitted between your browser and our servers;
- HTTP security headers (including HSTS, X-Content-Type-Options, Referrer-Policy) configured on our web server;
- server-side input validation and sanitisation on all form submissions;
- strict access controls, unique authentication and the principle of least privilege for staff access;
- regular patching of operating systems, runtimes and dependencies;
- logging, monitoring and incident-response procedures;
- contractual confidentiality obligations for staff and processors, and written data-processing agreements under Article 28 GDPR.
No method of transmission over the Internet or of electronic storage is absolutely secure. We therefore cannot guarantee absolute security, but we continuously review and improve our security measures.
11. Personal Data Breach Notification
In the event of a personal data breach likely to result in a risk to the rights and freedoms of natural persons, 2RL will notify the Commission Nationale pour la Protection des Données (CNPD) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in accordance with Article 33 GDPR. Where the breach is likely to result in a high risk, we will also inform affected data subjects in accordance with Article 34 GDPR.
12. Your Rights as a Data Subject
Subject to the conditions laid down in Articles 15 to 22 GDPR, you are entitled to the following rights in relation to your personal data:
- Right of access (Art. 15) — obtain confirmation as to whether personal data concerning you are being processed and, if so, a copy of such data, together with the supplementary information listed in Article 15(1) GDPR;
- Right to rectification (Art. 16) — obtain without undue delay the correction of inaccurate personal data and the completion of incomplete data;
- Right to erasure — "right to be forgotten" (Art. 17) — obtain the deletion of personal data where one of the grounds listed in Article 17(1) applies;
- Right to restriction of processing (Art. 18) — obtain the restriction of processing in the circumstances listed in Article 18(1);
- Right to notification (Art. 19) — be informed of any rectification, erasure or restriction of processing communicated to recipients;
- Right to data portability (Art. 20) — receive the personal data you have provided in a structured, commonly used and machine-readable format and transmit them to another controller, where processing is based on consent or on a contract and is carried out by automated means;
- Right to object (Art. 21) — object at any time, on grounds relating to your particular situation, to processing based on legitimate interest (Article 6(1)(f) GDPR); we will no longer process the data unless we demonstrate compelling legitimate grounds that override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims;
- Rights in relation to automated individual decision-making (Art. 22) — not to be subject to a decision based solely on automated processing which produces legal effects concerning you or similarly significantly affects you;
- Right to withdraw consent (Art. 7(3)) — where processing is based on consent, you may withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
13. How to Exercise Your Rights
You may exercise any of the rights set out in Section 12 by writing to us at contact@2rl.ai or by post to our registered office listed in Section 2. To help us process your request efficiently, please specify which right you wish to exercise and describe your request as precisely as possible.
We may ask you for additional information necessary to confirm your identity where we have reasonable doubts about the identity of the person making the request (Article 12(6) GDPR). We will respond to your request without undue delay and in any event within one month of receipt (this period may be extended by two further months where necessary, taking into account the complexity and number of requests, in accordance with Article 12(3) GDPR). Responses are provided free of charge, except in the cases referred to in Article 12(5) GDPR.
14. Right to Lodge a Complaint with a Supervisory Authority
Without prejudice to any other administrative or judicial remedy, you have the right under Article 77 GDPR to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement.
The competent supervisory authority for 2RL is the Commission Nationale pour la Protection des Données (CNPD):
CNPD
15, Boulevard du Jazz
L-4370 Belvaux
Grand Duchy of Luxembourg
Phone: +352 26 10 60 -1
Website: cnpd.public.lu
We nevertheless encourage you to contact us first so that we can address your concerns directly.
15. Children's Privacy
This website is intended for a professional audience and is not directed at children. In accordance with Article 8 GDPR and the Luxembourg law of 1 August 2018, information society services may not be offered directly to children under the age of 16 without parental consent. We do not knowingly collect personal data from children. If you become aware that a child has provided personal data through our website, please contact us so that we can delete the data.
16. Automated Decision-Making and Profiling
2RL does not carry out any automated individual decision-making, within the meaning of Article 22(1) GDPR, producing legal effects concerning you or similarly significantly affecting you, on the basis of data collected through this website. We do not engage in profiling for marketing purposes.
17. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our processing activities, in applicable law, or in guidance issued by the CNPD or the EDPB. Any material changes will be announced by updating the "Last updated" and "Version" indicators at the top of this page. Where required by law, we will seek your renewed consent or notify you through an appropriate channel.
We encourage you to review this page periodically to stay informed about how we protect your personal data.
18. Contact
If you have any question regarding this Policy or the processing of your personal data, please contact us at:
2RL Sàrl-S
16B Robert Schuman-Strooss
L-5751 Frisange, Grand Duchy of Luxembourg
Email: contact@2rl.ai