Privacy policy
Last updated: 8 May 2026.
Important. LMbox SAS is incorporated under French law. The legally binding version of this Privacy Policy is the French version. The English version is provided as a courtesy translation; in case of any discrepancy, the French version prevails.
LMbox SAS is committed to protecting personal data. This policy describes data processing carried out via lmbox.eu and associated services, in compliance with the General Data Protection Regulation (EU 2016/679 — GDPR) and the French Informatique et Libertés Act of 6 January 1978.
In one sentence: LMbox sells a solution designed so that customers' data never leaves their LAN. On this marketing site, we apply the same minimisation principle: strictly what is necessary, hosted in the European Union, never sold, never transferred to the United States.
Data controller
The data controller, within the meaning of article 4-7 of the GDPR, is:
- LMbox SAS — Simplified Joint-Stock Company (SAS) under French law, currently being registered with the RCS
- Represented by Mr. Renaud Delacotte, designated President, acting in the name and on behalf of the company in formation
- Postal address: to be published upon registration
- Contact: contact@lmbox.eu — dpo@lmbox.eu
Company in formation. Until the K-bis is issued, Mr. Renaud Delacotte personally assumes the obligations of the data controller within the meaning of the GDPR. The undertakings will be automatically taken over by LMbox SAS upon registration, pursuant to article L.210-6 of the French Commercial Code.
Data Protection Officer
LMbox SAS has appointed a Data Protection Officer (DPO):
- Email: dpo@lmbox.eu
- Postal: registered office, attn. DPO
Data processed, purposes, legal bases
| Data category | Purpose | Legal basis | Retention |
|---|---|---|---|
| Identity (name, role, company) submitted via contact or demo form | Respond, qualify, organise commercial discussion | Pre-contractual measures — art. 6.1.b | 3 years from last contact |
| Professional contact details (email, phone) | B2B prospecting | Legitimate interest — art. 6.1.f | 3 years from last contact |
| Aggregated navigation data (no persistent cookie) | Anonymous audience metrics via Plausible | Legitimate interest — art. 6.1.f | 12 months |
| Technical data (IP, user-agent, referer) | Site security, abuse prevention | Legitimate interest — art. 6.1.f | 30 days |
| Admin account (email, hashed password, access logs) | Back-office authentication | Contract — art. 6.1.b | Contract duration + 5 years |
| Contractual data (quotes, contracts, invoices) | Performance and invoicing | Contract — art. 6.1.b and legal obligation — art. 6.1.c | 10 years (accounting) |
LMbox does not collect sensitive data within the meaning of GDPR article 9.
No sale, no profiling
LMbox SAS does not sell your data. No advertising cookies (Google Ads, Meta, LinkedIn, TikTok, etc.). No third-party tracking pixel.
Recipients
Data is accessed only by authorised LMbox SAS staff. Sub-processors, all located in the European Union and bound by GDPR article 28 contracts:
| Sub-processor | Purpose | Location |
|---|---|---|
| Scaleway SAS (Paris Trade Register 433 115 904, 75008 Paris) | Marketing site and database hosting | Datacenters in metropolitan France |
| Plausible Analytics | Audience metrics | Germany (EU) |
| [Transactional email — to be completed] | Contact form replies | France or EU |
No sub-processor is subject to the CLOUD Act, nor to any transfer to the United States or any third country lacking an adequacy decision.
Cross-border transfers
No personal data is transferred outside the European Union, nor to any jurisdiction subject to extra-territorial laws conflicting with the GDPR (CLOUD Act, FISA 702, etc.).
Security
Technical and organisational measures: TLS 1.3 encryption, encrypted backups, 2FA for administrators, least-privilege access, password hashing (Argon2id), security patching SLA < 30 days for critical CVEs, automated vulnerability scanning (Brakeman, bundler-audit) on every deploy.
In the event of a personal data breach likely to result in a high risk, LMbox will notify the CNIL within 72 hours and inform affected individuals as soon as possible (GDPR articles 33–34).
Your rights
Under GDPR articles 15–22, you have the following rights: access, rectification, erasure, restriction of processing, data portability, objection, and post-mortem directives.
To exercise your rights: dpo@lmbox.eu. LMbox responds within one month, extendable by two months for complex requests.
Lodging a complaint
If you believe your rights are not respected after contacting us, you may lodge a complaint with the French data protection authority (CNIL):
- Online: www.cnil.fr/en/plaintes
- Postal: 3 place de Fontenoy — TSA 80715 — 75334 Paris Cedex 07 — France
Cookies
The site uses a minimal set of strictly necessary cookies:
| Cookie | Purpose | Duration |
|---|---|---|
| _lmbox_session | Session, CSRF protection | Browser session |
| locale | Language preference (FR/EN) | 1 year |
| cookie_consent | Cookie choice memory | 6 months |
No third-party, advertising or behavioural tracking cookies.
Plausible Analytics operates without cookies and collects no personally identifiable data; consequently — under CNIL deliberation 2020-091 — no prior consent is required.
Modifications
This policy may be updated. The current version date appears at the top. In case of a substantial change, users who have an account or who provided their email will be notified.