Back

Privacy Policy

Last updated: January 15, 2026

1. Introduction

FIRMA ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our legal CRM platform and KYC verification services.

We comply with the General Data Protection Regulation (GDPR) and Luxembourg data protection laws.

2. Data Controller

The data controller responsible for your personal data is:

FIRMA S.à r.l.
[Address]
Luxembourg
Email: privacy@firma.lu

3. Information We Collect

3.1 Personal Information

We may collect the following types of personal information:

  • Identity Data: First name, last name, date of birth, nationality
  • Contact Data: Email address, telephone number, postal address
  • Identity Documents: Passport, national ID card, proof of address
  • Financial Data: Bank account details, source of funds documentation
  • Technical Data: IP address, browser type, device information

3.2 KYC Documents

For identity verification purposes, we collect and process identity documents including but not limited to:

  • Passport or national ID card
  • Proof of address (utility bills, bank statements)
  • Selfie photographs for identity verification
  • Tax certificates and declarations
  • Company registration documents (for corporate clients)

4. Legal Basis for Processing

We process your personal data based on the following legal grounds:

  • Consent: You have given consent for processing for specific purposes
  • Contract: Processing is necessary for the performance of a contract
  • Legal Obligation: Processing is necessary to comply with anti-money laundering (AML) and know-your-customer (KYC) regulations
  • Legitimate Interest: Processing is necessary for our legitimate business interests

5. How We Use Your Information

We use your personal data for the following purposes:

  • Identity verification and KYC compliance
  • Providing our legal CRM services
  • Communicating with you about our services
  • Complying with legal and regulatory requirements
  • Preventing fraud and ensuring security
  • Improving our services

6. Data Retention

We retain your personal data for as long as necessary to fulfill the purposes for which it was collected, including:

  • Active client relationships: Duration of the relationship plus 10 years
  • KYC documents: 5 years after the end of the business relationship (as required by AML regulations)
  • Technical logs: 12 months

7. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Encryption of data at rest (AES-256)
  • Encryption of data in transit (TLS 1.3)
  • Access controls and authentication
  • Regular security audits
  • Employee training on data protection

8. Data Sharing

We do not sell your personal data. We may share your data with:

  • Service Providers: Cloud hosting, email services (under data processing agreements)
  • Regulatory Authorities: When required by law
  • Professional Advisors: Lawyers, auditors (under confidentiality obligations)

9. Your Rights

Under GDPR, you have the following rights:

  • Access: Request a copy of your personal data
  • Rectification: Request correction of inaccurate data
  • Erasure: Request deletion of your data ("right to be forgotten")
  • Restriction: Request limitation of processing
  • Portability: Receive your data in a portable format
  • Objection: Object to processing based on legitimate interests
  • Withdraw Consent: Withdraw consent at any time

To exercise these rights, please contact us at privacy@firma.lu.

10. Cookies

We use essential cookies to ensure the proper functioning of our platform. These cookies are necessary for authentication and security purposes and do not require consent.

11. International Transfers

Your data is stored within the European Economic Area (EEA). If we transfer data outside the EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date.

13. Contact Us

If you have questions about this Privacy Policy or wish to exercise your rights, please contact us:

Email: privacy@firma.lu
Address: [Address], Luxembourg

14. Supervisory Authority

You have the right to lodge a complaint with the Luxembourg data protection authority:

Commission Nationale pour la Protection des Données (CNPD)
15, Boulevard du Jazz
L-4370 Belvaux
Luxembourg
Website: cnpd.public.lu