Privacy Policy

Last updated: 13 May 2026

Preamble

LEGEND Advisory SARL attaches fundamental importance to the protection of personal data and respect for the privacy of its contacts, prospects, clients and visitors of the website. The purpose of this privacy policy is to inform the persons concerned about the way LEGEND Advisory SARL collects, uses, retains and protects their personal data.

This policy complies with Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data ("GDPR"), as well as with the Luxembourg law of 1 August 2018 organising the National Commission for Data Protection (CNPD) and the general data protection regime.

Data controller

The controller of the data collected through this website is LEGEND Advisory SARL, whose registered office is located at 30 rue André Hentges, L-7680 Waldbillig, Luxembourg.

Data Protection Officer (DPO) / GDPR contact
Sébastien Bonnet — sebastien.bonnet@legend.partners. Any request regarding your personal data may be addressed to this email address.

Data collected

LEGEND Advisory SARL only collects data strictly necessary for the purposes set out below. The categories of data processed are as follows:

Direct contact data

When you contact us by email or telephone, we collect the information you voluntarily provide: surname, first name, email address, phone number, position, company and the content of your message.

Appointment-booking data

When you book an appointment through the Calendly service integrated into the website, we collect: surname, first name, email address, selected time slot, time zone, and any information you provide in the booking form. Calendly LLC acts as a processor.

Technical navigation data

The hosting provider Firebase Hosting (Google LLC) automatically collects, for security and operational purposes, certain technical data: IP address, browser type and version, operating system, connection date and time, pages visited.

Email correspondence data

Correspondence exchanged by email is managed via the Google Workspace solution. Message content, attachments and associated metadata (sender, recipient, date) are retained in accordance with our legal and professional obligations.

Purposes and legal bases

Your data is processed for the following determined, explicit and legitimate purposes:

Responding to contact and information requests

Processing your requests for information, quotes or contact via the various channels made available.

Legal basis : Legitimate interest of LEGEND Advisory SARL in responding to any enquiry (Art. 6(1)(f) GDPR) or performance of pre-contractual measures (Art. 6(1)(b) GDPR).

Scheduling and managing appointments

Enabling the planning, confirmation and follow-up of appointments via the Calendly service.

Legal basis : Performance of pre-contractual measures taken at your request (Art. 6(1)(b) GDPR).

Ensuring the security and proper operation of the website

Detecting technical incidents, preventing fraud, ensuring service integrity and logging for diagnostic purposes.

Legal basis : Legitimate interest of LEGEND Advisory SARL in ensuring the security of its information system (Art. 6(1)(f) GDPR).

Administrative, contractual and accounting management

Within the framework of a contractual relationship, processing the data required for invoicing, accounting and compliance with tax and legal obligations.

Legal basis : Performance of the contract (Art. 6(1)(b) GDPR) and compliance with legal obligations (Art. 6(1)(c) GDPR).

Recipients of the data

Your data is never sold, rented or transferred to third parties for commercial purposes. It may be disclosed to the following recipients, strictly to the extent necessary for the fulfilment of the purposes:

  • authorised personnel of LEGEND Advisory SARL, subject to a confidentiality obligation;
  • technical processors acting on behalf of LEGEND Advisory SARL and bound by a contract compliant with Article 28 GDPR;
  • competent administrative or judicial authorities when required by law or court order.

Identified processors

  • Google LLC — hosting (Firebase Hosting) and professional email (Google Workspace). Established in the United States.
  • Calendly LLC — online appointment booking service. Established in the United States.

Transfers outside the European Union

Some processors (Google LLC, Calendly LLC) are established in the United States. Accordingly, transfers of personal data outside the European Economic Area may take place.

Such transfers are governed by appropriate safeguards within the meaning of Chapter V of the GDPR, including adherence to the EU–US Data Privacy Framework and/or the signing of standard contractual clauses adopted by the European Commission, ensuring an adequate level of protection for your data.

Retention periods

Your data is retained for the period strictly necessary for the purposes of processing, in accordance with applicable Luxembourg law:

Prospect data (non-clients)
Three (3) years from the last active contact (CNPD recommendation).
Client data (contractual relationship)
Duration of the contractual relationship, then ten (10) years after the end of the relationship under Luxembourg accounting and tax obligations (Art. 16 of the Commercial Code and VAT legislation).
Server logs (technical)
Twelve (12) months maximum from their collection.
Appointment data
Retained for the time necessary for follow-up, then archived as part of commercial follow-up according to the periods indicated above.

Your rights

In accordance with the GDPR, you have the following rights regarding your personal data at any time, subject to proof of your identity:

  • Right of access : obtain confirmation that data concerning you is being processed and receive a copy.
  • Right to rectification : request the correction or completion of inaccurate or incomplete data.
  • Right to erasure : request the deletion of your data in the cases provided for in Article 17 GDPR.
  • Right to object : object, for reasons relating to your particular situation, to a processing based on legitimate interest.
  • Right to restriction : request the restriction of processing in the cases provided for in Article 18 GDPR.
  • Right to data portability : receive your data in a structured, readable format, or have it transmitted to another controller.
  • Withdrawal of consent : where processing is based on your consent, you may withdraw it at any time, without affecting the lawfulness of earlier processing.

To exercise these rights, you may contact the controller at sebastien.bonnet@legend.partners. Proof of identity may be requested in case of reasonable doubt. A response will be provided within one month, extendable by two months for complex requests.

Data security

LEGEND Advisory SARL implements appropriate technical and organisational measures to ensure a level of security adapted to the risk: encryption of communications (HTTPS/TLS), strict access management, strong passwords, regular backups, security updates and awareness of authorised personnel.

Cookies and trackers

The website uses cookies that are strictly necessary for its operation, as well as, subject to your prior consent, third-party cookies linked to integrated services (in particular Calendly). For more information, please refer to our cookies policy.

Updates to this policy

LEGEND Advisory SARL reserves the right to amend this privacy policy in order, in particular, to reflect legislative, regulatory or technical changes. The last update date appears at the top of the page. We invite you to consult it regularly.

Lodging a complaint with the supervisory authority

If you consider that your rights are not respected, you have the right to lodge a complaint with the National Commission for Data Protection (CNPD), 15 boulevard du Jazz, L-4370 Belvaux, Luxembourg — www.cnpd.lu.

Contact

For any question regarding this policy or the processing of your personal data, please write to sebastien.bonnet@legend.partners or by post to the registered office address.