Legal
Privacy Policy
Last updated: 19 April 2026
Lux Monsters takes your privacy seriously. This policy tells you what we collect, why we collect it, who we share it with, and how you stay in control of your data. Read it in full. If anything is unclear, email privacy@luxmonsters.com and a human will answer.
Who we are
Lux Monsters is the data controller for the information we collect through this website, our order system, and the NFC authentication service at /verify. You can reach us at privacy@luxmonsters.com for any question about your data. If you prefer, you may designate a Data Protection Officer on your side and we will correspond with them directly.
What we collect
We collect the following categories of personal data:
- Identity data: your first and last name, and any name you ask us to engrave.
- Contact data: email address, shipping address, billing address, and phone number when you place an order or join the waitlist.
- Transaction data: the pieces you buy, order value, and the time of purchase. We never see or store your full card number.
- Technical data: IP address, browser type, device, and pages you visit, gathered through Google Analytics 4 and Google Tag Manager.
- NFC interaction data: when you tap a Lux Monsters chip on the /verify page, we log the chip ID, timestamp, and approximate region to confirm authenticity and detect tampering.
- Marketing data: your consent choices for cookies, email, and SMS.
Why we collect it and on what legal basis
Under the GDPR we rely on three legal bases:
- Contract performance: to confirm orders, take payment, produce the piece, ship it, and support you after delivery.
- Legitimate interest: to prevent fraud, secure the site, verify authenticity through NFC, and improve the product. We always balance this against your rights.
- Consent: to send marketing emails, set non-essential cookies, and run analytics. You can withdraw consent at any time and we will stop processing on that basis.
Who we share data with
We share personal data only with partners who help us run the business. Each one is bound by a data processing agreement.
- Stripe processes payments. Your card details go directly to Stripe and never touch our servers.
- MailerLite handles our email list and sends drop announcements when you opt in.
- DHL and FedEx ship the piece to your door. They receive your name, address, and phone number for delivery only.
- Hostinger hosts our website and stores order records in an encrypted database.
- Google provides Analytics 4, Tag Manager, and Workspace (email). Google receives pseudonymous analytics data and any email you send us.
We do not sell your personal data. We do not share it for cross-context behavioural advertising.
International transfers
Some of our providers are based in the United States. Where data leaves the European Economic Area, the transfer is protected by the EU-US Data Privacy Framework where the provider is certified, or by the Standard Contractual Clauses approved by the European Commission. Stripe, Google, and MailerLite are currently DPF-certified. Copies of the relevant safeguards are available on request.
Your rights under GDPR
If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights:
- Access: get a copy of the data we hold about you.
- Rectification: correct anything inaccurate.
- Erasure: ask us to delete your data where we no longer need it.
- Restriction: freeze processing while a dispute is resolved.
- Portability: receive your data in a common machine-readable format.
- Objection: object to processing based on legitimate interest or direct marketing.
- Automated decision-making: we do not use automated decision-making or profiling that produces legal effects. If that ever changes, we will tell you first.
To exercise any right, email privacy@luxmonsters.com. We reply within 30 days. If you are unhappy with our response, you can complain to your local supervisory authority. In France that is the CNIL.
Your rights under CCPA
If you are a California resident, you have the right to know what personal information we collect, the right to delete it, and the right to opt out of any sale or share of personal information. We do not sell your data. To make a request, email privacy@luxmonsters.com and write "CCPA request" in the subject line. You may designate an authorised agent to act on your behalf.
How long we keep your data
- Customer and order records: 10 years, as required by French tax and commercial law.
- Marketing email contacts: until you unsubscribe, after which we keep a minimal suppression record so we do not email you again by accident.
- Analytics data: 26 months in Google Analytics 4, then deleted automatically.
- NFC authentication logs: 5 years, to protect the lifetime craftsmanship warranty and detect counterfeit activity.
Security
All traffic to the site is encrypted with TLS. Stored data is encrypted at rest. Access is restricted to named staff who need it for their job, and every access is logged. If there is a personal data breach that puts your rights at risk, we will tell you and the supervisory authority within 72 hours.
Children
Lux Monsters is not for people under 18. We do not knowingly collect data from children. If you think a child has given us data, email privacy@luxmonsters.com and we will delete it.
Changes to this policy
We update this policy when the law changes or when we change how we handle your data. The "last updated" date at the top always reflects the current version. For material changes we will email customers and waitlist members before the new version takes effect.
Contact
For any privacy question or request, write to privacy@luxmonsters.com. For general questions about Lux Monsters, use info@luxmonsters.com.