Who we are
The Tokenizer Company S.à r.l. (The “Company) Is a company incorporated in Luxembourg domiciled 5, route d’Arlon 8310 Capelle. The Company operates the website www.wineconfidentialcircle.com (The “Website”).
1. General Provisions
1.1. Preamble
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, known as the General Data Protection Regulation (GDPR), establishes the legal framework applicable to the processing of personal data. The GDPR strengthens the rights and obligations of data controllers, processors, data subjects, and recipients of data.
In Luxembourg, the GDPR is complemented by the Law of 1 August 2018 on the organization of the National Commission for Data Protection (CNPD) and the general data protection framework.
The applicable regulations for personal data protection include:
- The GDPR,
- The Law of 1 August 2018,
- Recommendations and guidelines issued by the CNPD.
For clarity, the following definitions apply:
- Data Controller: The natural or legal person who determines the purposes and means of processing personal data. In this policy, the data controller is The Tokenizer Company S.à r.l.
- Data Subjects: Individuals who can be identified, directly or indirectly, by reference to personal data collected by the data controller. This includes all individuals associated with our clients, prospects, and partners, regardless of their status (employees, directors, etc.).
Article 12 of the GDPR requires that data subjects be informed of their rights in a concise, transparent, understandable, and easily accessible manner.
1.2. Definitions
Personal Data: Any information relating to an identified or identifiable natural person (data subject). An identifiable person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, identification number, or specific factors related to their physical, physiological, genetic, mental, economic, cultural, or social identity.
Enriched Data: Personal data that has been enhanced or derived by the data controller, as opposed to raw data provided directly by the data subject.
Processing of Personal Data: Any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, alignment, or destruction.
Personal Data Breach: A security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.
1.3. Purposes
To ensure its proper functioning, The Tokenizer Company S.à r.l. is required to process personal data related to our clients, prospects, and partners in the context of commercial relationships and contracts.
This policy aims to fulfill our obligation to inform data subjects of their rights and to outline the principles governing the processing of their personal data.
1.4. General Principles
No processing of personal data is carried out by The Tokenizer Company S.à r.l. unless it:
- Relates to personal data collected by or for our services,
- Complies with the general principles of the GDPR.
Any new processing, modification, or deletion of existing processing will be communicated to data subjects through updates to this policy.
2. Identification of Processing Activities
2.1 Categories of Data Collected and Sources
Data is primarily collected directly from individuals associated with our clients and prospects. We only collect and use data necessary for the performance of contracts or commercial relationships, including:
Technical data (e.g., IP addresses, logs).
Identity data (e.g., title, name, surname),
Professional contact details (e.g., work email, phone number, address),
Professional information (e.g., job title, role),
2.2 Purposes of Processing
| Purpose | Description |
|---|---|
| Pre-contractual exchanges | We process data of individuals who interact with us during pre-contractual discussions or negotiations. |
| Contract management | We process data of individuals associated with our clients to manage and fulfill contractual obligations. |
| Billing, payment, and accounting | We process data for invoicing, payment processing, and accounting purposes. |
| Client/prospect relationship management | We process data to communicate with clients and prospects regarding ongoing or future contracts. |
| Client/prospect directory | We maintain a directory of clients and prospects, including key contact persons. |
| Event organization | We process data when inviting clients and prospects to events we organize or co-organize. |
| Newsletters and information updates | We process data to send newsletters or updates to clients and prospects. |
| Statistical analysis | We may process data for statistical purposes to improve our services and operations. |
2.3 Data Retention Periods
We retain personal data for the duration necessary to fulfill the purposes for which it was collected, in compliance with legal and contractual obligations. Retention periods are determined based on:
- Legal requirements,
- Contractual needs,
- Business purposes.
After the retention period, data is either deleted or anonymized for statistical purposes.
2.4 Legal Basis for Processing
Processing activities are based on one or more of the following legal grounds:
Consent (where applicable)
Performance of a contract,
Compliance with legal obligations,
Legitimate interests pursued by The Tokenizer Company S.à r.l.,
2.5 Data Recipients
Personal data may be shared with:
- Authorized internal personnel,
- External service providers (e.g., IT providers),
- Competent authorities (e.g., tax or regulatory bodies).
We ensure that all recipients are bound by confidentiality obligations and comply with GDPR requirements.
3. Data Subject Rights
3.1 Right of Access and Copy
Data subjects have the right to request confirmation of whether their personal data is being processed and to obtain a copy of such data.
3.2 Right to Rectification
Data subjects may request the correction of inaccurate or outdated personal data.
3.3 Right to Erasure
Data subjects may request the deletion of their personal data in specific circumstances, such as when the data is no longer necessary for the purposes for which it was collected.
3.4 Right to Restriction of Processing
Data subjects may request the restriction of processing under certain conditions, such as when the accuracy of the data is contested.
3.5 Right to Data Portability
Data subjects may request the transfer of their personal data to another controller in a structured, commonly used format.
3.6 Right to Object
Data subjects may object to the processing of their personal data for direct marketing purposes or on grounds relating to their particular situation.
3.7 Exercising Rights
To exercise their rights, data subjects may contact our Data Protection Officer (DPO):
Benjamin Agostini
Email: benjamin@thesafebox.io
We will respond to requests within one month, extendable to two months for complex cases.
4. Additional Provisions
4.1 Subcontracting
We may engage subcontractors to process personal data. All subcontractors are contractually bound to comply with GDPR requirements.
4.2 Record of Processing Activities
We maintain a record of all processing activities, as required by the GDPR.
4.3 Security Measures
We implement appropriate technical and organizational measures to protect personal data against unauthorized access, loss, or destruction.
4.4 Data Breach Notification
In the event of a data breach, we will notify the CNPD and affected data subjects as required by law.
5. Contact Information
5.1 Data Protection Officer (DPO)
For questions or concerns regarding data processing, please contact our DPO:
Benjamin Agostini
5 route d’Arlon
8310 Capellen
Email: benjamin@thesafebox.io
5.2 Right to Lodge a Complaint
Data subjects may lodge a complaint with the CNPD if they believe their rights have been violated.
5.3 Policy Updates
This policy may be modified or adjusted at any time in the event of changes in legislation, case law, decisions and recommendations of the CNPD (National Commission for Data Protection), or industry practices.
Any new version of this policy will be communicated to our clients and prospects through any means we deem appropriate, including electronic means (e.g., via email or online publication).