GDPR Compliance
Luca Analytics is committed to protecting the privacy and rights of individuals in the European Union under the General Data Protection Regulation (GDPR).
Our Commitment to GDPR
The General Data Protection Regulation (GDPR) is a comprehensive data protection law that protects the fundamental rights of individuals in the European Economic Area (EEA). At Luca Analytics, we are fully committed to GDPR compliance and have implemented robust measures to ensure we meet all requirements.
Lawful Basis for Processing
We process personal data only when we have a valid lawful basis. Depending on the processing activity, we rely on:
- Consent: Where you have given clear consent for us to process your personal data for a specific purpose
- Contract: Where processing is necessary for the performance of a contract with you or to take steps at your request before entering into a contract
- Legitimate Interests: Where processing is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests
- Legal Obligation: Where processing is necessary to comply with a legal obligation
Your Rights Under GDPR
As an individual in the EEA, you have the following rights regarding your personal data:
Right of Access (Article 15)
You have the right to obtain confirmation as to whether your personal data is being processed and, if so, to access that data and receive information about how it is processed.
Right to Rectification (Article 16)
You have the right to have inaccurate personal data corrected and incomplete data completed.
Right to Erasure (Article 17)
Also known as the "right to be forgotten," you can request the deletion of your personal data in certain circumstances.
Right to Restriction of Processing (Article 18)
You can request that we limit the processing of your personal data in certain situations.
Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
Right to Object (Article 21)
You can object to processing based on legitimate interests or for direct marketing purposes.
Rights Related to Automated Decision-Making (Article 22)
You have rights related to automated decision-making, including profiling, that produces legal or similarly significant effects.
How to Exercise Your Rights
To exercise any of your GDPR rights, please contact our Data Protection team at dpo@lucaanalytics.com. We will respond to your request within 30 days. In some cases, we may need to verify your identity before processing your request.
Data Processing Activities
As a data processor, Luca Analytics processes personal data on behalf of our customers (data controllers). Our processing activities include:
- Analyzing advertising campaign performance data
- Generating audit reports and recommendations
- Storing campaign metrics and historical data
- Providing analytics dashboards and visualizations
Data Processing Agreement
For customers who require it, we offer a Data Processing Agreement (DPA) that governs how we process personal data on your behalf. Our DPA includes:
- Details of processing activities and purposes
- Security measures and confidentiality obligations
- Sub-processor management and notification procedures
- Assistance with data subject requests
- Data breach notification procedures
- Audit rights and compliance verification
- Data deletion and return provisions
To request a copy of our DPA, please contact us at legal@lucaanalytics.com.
International Data Transfers
When personal data is transferred outside the EEA, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs): We use EU-approved SCCs for data transfers to third countries
- Adequacy Decisions: Where applicable, we transfer data to countries with EU adequacy decisions
- Supplementary Measures: We apply additional technical and organizational measures to ensure data protection
Sub-Processors
We use carefully selected sub-processors to help deliver our services. All sub-processors are bound by data processing agreements and must meet our security and privacy standards. Our current sub-processors include:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Amazon Web Services | Cloud infrastructure | US/EU |
| Stripe | Payment processing | US |
| HubSpot | CRM and communications | US |
| Intercom | Customer support | US |
We will notify customers of any changes to our sub-processors with at least 30 days' notice.
Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected. Our standard retention periods are:
- Account data: Duration of account plus 30 days
- Campaign data: Duration of subscription plus 30 days
- Audit reports: 12 months from generation
- Support communications: 24 months
- Billing records: 7 years (legal requirement)
Data Breach Notification
In the event of a personal data breach, we will:
- Notify affected customers without undue delay and within 72 hours of becoming aware of the breach
- Provide details of the breach, affected data, and remediation steps
- Assist customers with their own notification obligations to supervisory authorities and data subjects
- Document all breaches and response actions
Data Protection Officer
For questions about our GDPR compliance or to exercise your data protection rights, please contact our Data Protection Officer:
Data Protection Officer
Luca Analytics
Email: dpo@lucaanalytics.com
Supervisory Authority
If you are not satisfied with how we handle your personal data or your request, you have the right to lodge a complaint with a supervisory authority. In the EU, you can contact the data protection authority in your country of residence.
Updates to This Page
We may update this GDPR compliance information from time to time. The latest version will always be available on this page with the current revision date.
Last updated: January 16, 2026