Privacy Policy
This policy explains how we process your personal data under the EU General Data Protection Regulation (GDPR). LumaKeys is in waitlist mode: the only personal data we actively process is your email address, so we can send you one launch notification.
1. Controller
The controller responsible for the processing of personal data on this website is:
Ramon Melchior, RM Webdesign & AI
Auf dem Römer 8, 55765 Birkenfeld, Germany
Email: ramon@lumakeys.app
Full legal details are in our Imprint.
2. What we process, why, and on what legal basis
Waitlist sign-up
When you enter your email address to join the waitlist, we send it to our email provider (Resend, see section 4) to store it and to send you a confirmation and, later, a single notification when LumaKeys launches. We do not use your address for any other purpose, and we do not send a newsletter or marketing series.
Data categories: your email address; technical metadata
associated with sending the email (for example the send timestamp and
delivery status).
Purpose: to register you on the waitlist and send you one
launch notification.
Legal basis: your consent, Art. 6 (1)(a) GDPR. You can
withdraw your consent at any time with effect for the future (see section
6), for example by emailing us or using an unsubscribe link; this does not
affect the lawfulness of processing carried out before the withdrawal.
Website hosting and server logs
When you visit this website, our hosting provider (Cloudflare, see section 4) automatically processes technical access data that your browser transmits. This includes your IP address, the date and time of the request, the page or file requested, the referring URL, and information about your browser and operating system.
Purpose: to deliver the website reliably and securely,
and to detect and defend against attacks and abuse.
Legal basis: our legitimate interest in a secure,
stable, and functioning website, Art. 6 (1)(f) GDPR.
Contacting us by email
If you email us, we process the details you provide (such as your email address and the content of your message) solely to handle your request.
Legal basis: our legitimate interest in responding to enquiries, Art. 6 (1)(f) GDPR, and — where your enquiry relates to a (pre-)contractual matter — Art. 6 (1)(b) GDPR.
3. Cookies and analytics
This website does not use tracking or advertising cookies, and it does not run any web-analytics tool at this time. We use only self-hosted fonts and storage that is strictly necessary to deliver the site, so no consent banner is required.
4. Recipients and processors
We use the following service providers, each of which processes personal data on our behalf as a processor under a data processing agreement (Art. 28 GDPR):
- Resend (Plus Five Five, Inc., USA) — email delivery for the waitlist. Processes your email address, name (if provided), IP address, and email metadata.
- Cloudflare (Cloudflare, Inc., USA) — website hosting and delivery. Processes your IP address and request/server log data.
Not yet in use
The services below are planned for the paid launch of LumaKeys and are not active while the site is in waitlist mode. This policy will be updated to describe them in full before they go live:
- Analytics (privacy-friendly, cookieless) — to be added at launch. Not currently running.
- Payments via a merchant of record (Polar Software, Inc.) — to be added at launch. When purchasing becomes available, the merchant of record will process your checkout and payment data as an independent controller under its own privacy policy.
5. International data transfers
Some of our processors are based in the United States, which means your personal data may be transferred to and processed there. These transfers are safeguarded under the EU Standard Contractual Clauses (Art. 46 GDPR) and, where the provider is certified, the EU–US Data Privacy Framework (an adequacy decision under Art. 45 GDPR). Both Resend and Cloudflare are covered on this basis.
6. Retention
We keep your waitlist email address until LumaKeys launches and the launch notification has been sent, or until you withdraw your consent or ask us to delete it — whichever comes first. Server log data is kept only for as long as needed for security and stable operation and is then deleted or anonymised. Email correspondence is kept for as long as needed to handle your request. Where statutory retention periods apply (for example under tax or commercial law), we retain the relevant data for the duration of those periods.
7. Your rights
Under the GDPR you have the right to:
- access your personal data (Art. 15);
- rectification of inaccurate data (Art. 16);
- erasure of your data (Art. 17);
- restriction of processing (Art. 18);
- data portability (Art. 20);
- object to processing based on our legitimate interests (Art. 21); and
- withdraw any consent you have given, at any time and with effect for the future (Art. 7 (3)).
To exercise any of these rights, simply email us at ramon@lumakeys.app. There is no cost to you, and we will respond within the statutory time limits.
8. Right to lodge a complaint
You have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). The authority responsible for us is the State Commissioner for Data Protection and Freedom of Information of Rhineland-Palatinate (Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Rheinland-Pfalz). You may also contact the supervisory authority in your EU country of residence or workplace.
Last updated: July 2026.