Privacy Policy
Version 1.0 — Last updated: October 7, 2025
1. Data Controller Information
ACEL a.s.b.l. ("us", "we", or "our"), registered under Luxembourg law (R.C.S. Luxembourg F 969), acts as the Data Controller for the Premiere.lu website and mobile application (the "Service"), hosted and operated in Luxembourg.
Contact Information:
- Company: ACEL a.s.b.l. (Association des Cercles d’Étudiants Luxembourgeois)
- Website: https://acel.lu/
- Email:
- Address: 2, avenue de l’Université L-4365 Esch-sur-Alzette
- Data Protection Officer: Not required under GDPR Article 37. For any privacy-related inquiries, please contact our Privacy Contact at
2. Legal Basis and Purpose of Processing
We process your personal data based on the following legal grounds under GDPR Article 6:
2.1 Account Creation and Service Provision
- Legal Basis: Contract performance (Article 6(1)(b))
- Data: Email address, encrypted password, account creation date, last login date
- Purpose: Creating and managing your account, providing access to our services, managing inactive accounts
- Retention: Until account deletion or 3 years after last login
2.2 Document Upload and Verification
- Legal Basis: Consent (Article 6(1)(a))
- Data: Uploaded documents/exams, submission metadata
- Purpose: Receiving and verifying educational content before publication
- Retention: Until document is verified and published or rejected (maximum 90 days for pending submissions)
- Important: Once a document is verified and published, all identifying information linking it to your account is permanently deleted. Published documents become anonymous educational resources.
2.3 Published Educational Content
- Legal Basis: Legitimate interest (Article 6(1)(f))
- Data: Verified exam documents (anonymized, no user attribution)
- Purpose: Providing educational resources to students
- Retention: Indefinitely as educational resources, unless removal is requested by copyright holder or if personal data is discovered
2.4 Technical Operation and Security
- Legal Basis: Legitimate interest (Article 6(1)(f))
- Data: IP addresses, device information, access logs
- Purpose: Security, fraud prevention, spam protection, technical optimization
- Retention: 24 months maximum for security logs and IP addresses
- Clarification: IP addresses are stored separately from user account data and are not used for analytics or profiling.
2.5 Analytics and Service Improvement
- Legal Basis: Legitimate interest (Article 6(1)(f))
- Data: Anonymized usage statistics via self-hosted Plausible.io
- Purpose: Understanding service usage, improving functionality
- Retention: As configured in our Plausible.io instance (typically 24 months)
2.6 Spam Prevention
- Legal Basis: Legitimate interest (Article 6(1)(f))
- Data: CAPTCHA verification via Altcha (GDPR-compliant, privacy-friendly)
- Purpose: Preventing automated abuse and spam
- Retention: Session-based only, not stored
3. Categories of Personal Data
We collect and process the following categories of personal data:
3.1 Account Data
- Email address (login credential)
- Encrypted password
- Account creation date
- Last login date
We do NOT collect: Usernames, real names, phone numbers, or postal addresses
3.2 Technical Data
We collect limited technical data necessary for the secure and efficient operation of our service.
This data is processed separately from user accounts and cannot be used to identify an individual user.
- IP address (for security and fraud prevention)
- Browser type and version
- Device type and operating system
- Mobile device unique identifier
- Pages visited and time spent
- Access dates and times
3.3 Content Data (Temporary)
- Documents/exams uploaded (during verification phase only)
- Submission timestamps
- Content metadata
Important: After a document is verified and published, we permanently delete the connection between the document and your account. There is no way to determine who uploaded which published exam.
4. Data Sharing and Third Parties
4.1 Self-Hosted Analytics
We use a self-hosted instance of Plausible.io for privacy-friendly, GDPR-compliant analytics. Because we host Plausible.io ourselves:
- No data is shared with third parties
- Only anonymized, aggregated statistics are collected
- No personal identifiers or IP addresses are tracked in analytics
Review their privacy policy at: https://plausible.io/privacy
4.2 CAPTCHA Service
We use Altcha, a GDPR-compliant, privacy-friendly CAPTCHA solution that:
- Does not track users
- Does not use cookies
- Does not share data with third parties
- Processes verification data locally
4.3 Legal Disclosures
We may disclose personal data when:
- Required by law, court order, or regulatory authority
- Necessary to protect our legal rights or prevent illegal activities
- Investigating potential copyright infringement or illegal uploads
Important: We do NOT store IP addresses during document uploads. We cannot provide IP addresses to authorities for uploaded content.
4.4 No Other Third Parties
We do not share, sell, or rent your personal data to any other third parties for marketing or any other purposes.
5. Your Rights Under GDPR
As a data subject, you have the following rights:
5.1 Right of Access (Article 15)
Request a copy of all personal data we hold about you. How to exercise: Send a request to with proof of identity
5.2 Right to Rectification (Article 16)
Request correction of inaccurate or incomplete personal data (e.g., update your email address).
5.3 Right to Erasure (Article 17)
Request deletion of your personal data ("right to be forgotten"). Note: This will result in account closure. Published documents will be handled according to section 5.8 below.
5.4 Right to Restrict Processing (Article 18)
Request limitation of how we process your data.
5.5 Right to Data Portability (Article 20)
Receive your personal data in a structured, machine-readable format (JSON or CSV).
5.6 Right to Object (Article 21)
Object to processing based on legitimate interests.
5.7 Right to Withdraw Consent (Article 7)
Withdraw consent for data processing at any time by deleting your account.
5.8 Document Removal Requests
Due to our anonymization process, once a document is published, we cannot identify which user uploaded it. Therefore:
We will remove published documents if:
- You can prove you are the copyright owner of the document (e.g., by providing the original file or sufficient proof of authorship)
- The document contains your personal data (e.g., your name, student ID, or other identifying information)
- The document violates applicable laws
We will NOT remove documents:
- If you cannot prove copyright ownership or show that personal data is present
- Based solely on a claim without verification
Response Time: We will respond to all requests within 30 days (extendable to 60 days for complex requests).
6. Data Retention
| Data Type | Retention Period | Justification |
|---|---|---|
| Account information (email, password, dates) | Until deletion request or 3 years after last login | Contract performance, account management |
| Uploaded documents (pending verification) | Until publication or rejection, max 90 days | Processing and verification |
| Published documents (anonymized) | Indefinitely | Legitimate interest in educational resources |
| Technical logs and IP addresses | 24 months maximum | Security, fraud prevention, technical operation |
| Analytics data (anonymized) | 24 months maximum | Service improvement |
| CAPTCHA data | Session only, not stored | Spam prevention |
6.1 Inactive Account Deletion
Accounts that have not been logged into for 3 consecutive years will be automatically deleted. We will send a notification email 30 days before deletion to give you the opportunity to preserve your account by logging in.
7. International Data Transfers
All data is hosted and processed in Luxembourg within the European Union. We do not transfer personal data outside the EU/EEA.
8. Data Security
We implement appropriate technical and organizational measures:
- Encryption of passwords using industry-standard hashing (bcrypt or similar)
- Secure transmission protocols (HTTPS/TLS)
- Regular security assessments
- Access controls and authentication
- Automated logout for inactive sessions
- Data backup and recovery procedures
- Self-hosted infrastructure to minimize third-party access
Limitation: No internet transmission is 100% secure. We cannot guarantee absolute security.
9. Cookies and Tracking
We use minimal cookies for:
- Session management (essential)
- Login authentication (essential)
- Security features (essential)
Analytics: Our self-hosted Plausible.io instance uses privacy-friendly analytics without personal cookies or cross-site tracking.
CAPTCHA: Altcha does not use cookies.
You can manage cookies through your browser settings, but disabling essential cookies may affect functionality.
10. Age Restrictions and Children's Privacy
Our service is not directed at children under 16 years old. We do not knowingly collect personal data from children under 16.
If you are under 16: Do not create an account or provide personal information. Parents/Guardians: Contact us immediately if you believe your child has provided personal data.
11. Automated Decision-Making
We do not use automated decision-making or profiling that significantly affects users. Document verification is performed manually by human administrators.
12. Data Breach Notification
In case of a personal data breach:
- We will notify the Luxembourg Commission Nationale pour la Protection des Données (CNPD) within 72 hours
- Affected users will be informed without undue delay if high risk is involved
- We maintain records of all data breaches as required by GDPR
13. Supervisory Authority
You have the right to lodge a complaint with the Luxembourg data protection supervisory authority:
Commission Nationale pour la Protection des Données (CNPD)
- Address: 15, boulevard du Jazz, L-4370 Belvaux, Luxembourg
- Website: https://cnpd.public.lu
- Phone: (+352) 26 10 60 - 1
14. Contact Information
For all privacy-related inquiries, exercise of rights, or complaints:
- Email:
- Postal Address: 2, avenue de l’Université L-4365 Esch-sur-Alzette
- Data Protection Officer: Not required under GDPR Article 37. A designated Privacy Contact handles data-protection matters on behalf of ACEL.
15. Policy Updates
We may update this Privacy Policy to reflect:
- Changes in our data processing practices
- Legal or regulatory requirements
- Service improvements
Notification: Material changes will be communicated via:
- Prominent notice on our website
- Email notification to registered users
- Updated "Last modified" date
Your Responsibility: Please review this policy periodically for updates.
Consent Declaration for Document Upload
By uploading documents/exams, you explicitly consent to:
- Verification by our administrators before publication
- Publication of the uploaded content on our platform after successful verification
- Anonymization - the permanent deletion of the connection between you and the published document
- Acknowledgment that you have the legal right to share the content and are not infringing copyright
- Understanding that once published and anonymized, you can only request removal by proving copyright ownership or presence of your personal data
You can withdraw this consent before publication by contacting us during the verification phase. After publication and anonymization, removal requires proof of copyright ownership or personal data presence as outlined in section 5.8.