Lutkan B.V. Website Privacy Notice

Effective Date: April 21, 2025

Introduction: Lutkan B.V. (“Lutkan”, “we”, “us”, or “our”) is committed to protecting your personal information and respecting your privacy. This Website Privacy Notice (“Notice”) explains how we collect, use, share, and safeguard personal data when you visit our websites – including our main company site (www.lutkan.com) and our product websites (www.neubids.com and www.neupubs.com) – collectively referred to as the “Websites”. It also describes your rights regarding your personal data and how you can exercise those rights. This Notice is intended for a global audience, including business customers and website visitors.

By using or accessing our Websites, you agree to the data practices described in this Notice. If you do not agree with this Notice, please refrain from using our Websites. We may update this Notice from time to time (see Updates to this Privacy Notice), and we encourage you to review it periodically.

1. What Data We Collect

We collect both information that you knowingly provide to us (for example, by filling out a contact form or creating an account) and information collected automatically through technological tools when you use our Websites. This data may qualify as “personal data” or “personal information” under relevant laws, meaning it can identify you directly or indirectly.

Information You Provide Voluntarily: You may choose to give us certain personal information when interacting with our Websites, such as:

  • Contact Form Data: If you fill out a contact form on any of our sites, we collect the information you submit. This typically includes your first name, last name, email address, and the reason for contacting us (e.g. your message or inquiry topic). We use this information to respond to your inquiry or request and to provide you with information or assistance you asked for.
  • Account Registration Data: If you register for an account on NeuBids or NeuPubs, our product platforms, we will collect information necessary to create and manage your user account. This can include your name, email address, username, and password. We might also collect information when you set up a profile or user settings on these platforms. This data is used to set up and secure your account and to provide you access to the platform services.
  • Communication Data: If you communicate with us via email (for example, by contacting support or requesting a demo), we will collect the content of your communication along with your contact details (email address, and any other information you provide in your signature or message). This could include feedback you provide, survey responses, or requests for customer support. We keep these communications to address your questions and to improve our services (for instance, by tracking support issues and resolutions).

Information We Collect Automatically: When you visit our Websites, our system and third-party tools automatically collect certain information about your device and how you interact with our site. This information helps us understand usage and improve the user experience. It includes:

  • Device and Usage Data: We gather details about your visit such as your device’s Internet Protocol (IP) address, browser type and version, operating system, device type (desktop, mobile, tablet, etc.), and other technical identifiers. We also record your activity on our sites — for example, the specific web pages or content you view, the dates and times of your visits, the amount of time spent on each page, the links or buttons you click, and the page you visited immediately before navigating to our Websites (the “referring URL”). This information is typically logged by our web server and analytics systems whenever you interact with the Websites. While we do not use this data to identify you by name, it can be considered personal data (for instance, IP addresses may be treated as personal data in the EU). We use this data to administer the Websites, analyze trends, and track aggregate usage to improve our services.
  • Cookies and Analytics Data: Our Websites use cookies and similar tracking technologies to personalize your experience and to collect analytics information. Cookies are small text files that websites store on your browser or device; they often include an identifier that allows the site to recognize your browser over time. We use both first-party and third-party cookies for various purposes. For example, we utilize Google Analytics on our sites – a web analytics service provided by Google. Google Analytics uses cookies to track how often users visit our site, what pages they visit, and what other sites they used prior to coming to our site. It collects information such as your page views, the time spent on pages, scrolling and click behavior, and general geographic location (e.g. city or country, inferred from your IP address). This information is aggregated and reported to us, helping us understand overall user engagement with our Websites. We have configured Google Analytics to anonymize IP addresses where applicable, to provide an added layer of privacy. (Please note that Google Analytics may set its own cookies to distinguish unique users and may use both first-party cookies (set by our domain) and third-party cookies (set by Google’s domain) to track user interactions across our site and, in some cases, across different websites. All such non-essential cookies are deployed only with your consent, as described under Cookies and Similar Technologies below.)
  • Advertising & Tracking Pixels: We (or our third-party advertising partners) may use tracking pixels (also known as web beacons, tags, or clear GIFs) on some pages of our Websites. A tracking pixel is a tiny transparent image or snippet of code embedded in a webpage that collects information when you view the page. When you load a page with a tracking pixel, it triggers a request to the server of the pixel’s host (for example, an advertising network) and sends certain data about your visit. This data can include information like the page you visited, the time, your IP address, and browser/device details. We use these pixels to understand the effectiveness of our marketing campaigns (for instance, to see if an ad on another platform led you to our site) and to retarget users with advertisements. “Retargeting” means if you have visited our site, we might later show you ads for our products on other websites or social media platforms. The tracking pixels enable this by informing our advertising partners that a browser (identified by a cookie or pixel) has visited a certain page, so they can show relevant ads to that same browser later. We currently may use pixels from platforms like Google Ads (for Google’s advertising network), and possibly Beeswax or Facebook, to reach our audience. These tracking technologies are used in accordance with your consent preferences and applicable law.
  • Consent Management Platform (CMP): To give you control over cookies and trackers, and to comply with privacy regulations, we have implemented a Consent Management Platform on our Websites. A CMP is a software tool that presents you with a cookie consent banner when you first visit our sites, and it lets you choose which categories of cookies or similar technologies you want to allow or disable. Through this banner, you can accept all, reject all, or customize your choices (for example, you might allow cookies for functionality and analytics but not for advertising). Until you make a selection, our CMP will block non-essential cookies from being set on your browser. This means features like Google Analytics or advertising pixels will not run unless you opt in to them. The CMP also provides a link in the footer of the site for you to review or change your consent choices at any time. By using this tool, you have full transparency and control over the tracking technologies on our Websites.

2. How We Use Your Data

We use the personal information collected through our Websites for various purposes consistent with the contexts in which it was collected. Below is an overview of the purposes for which we process data and examples of how the data is used in each context:

  • To Respond to Your Inquiries or Requests: When you contact us via a form, email, or other means, we use the information you provided (e.g. your contact details and message) to respond to you. For example, if you submit a question about our services or request a demo, we will use your email address and any other info you gave us to communicate with you and fulfill your request. We also may save your inquiry to track frequently asked questions or improve our customer support process.
  • To Register and Manage User Accounts: If you create an account on NeuBids or NeuPubs, we process your registration data to create and administer your account. This includes using your credentials to allow you to log in, and using contact information (like email or phone) to verify your identity, send account confirmations, or notify you of important account-related information. We also maintain your user profile and settings, and store any preferences or information you save in your account. This processing is necessary to provide you with the services and features of our platforms.
  • To Provide and Improve Our Services: We use collected data to operate and improve the Websites and the services we offer. For instance, information about how users navigate our site helps us optimize the design and content for a better user experience. We might use analytics data to troubleshoot performance issues or to guide decisions about new features. If we see, for example, that a particular page has a high drop-off rate, we might investigate and update that page. Additionally, data about what content is most popular can influence our marketing and product development strategies. All of this falls under our effort to understand our audience and continuously improve our offerings.
  • For Analytics and Performance Monitoring: As noted, we utilize tools like Google Analytics to collect data about site traffic and user behavior. We analyze these data to generate reports and insights about how our Websites are used. These insights help us measure the performance of our marketing efforts (e.g., which blog posts attract the most visitors), understand user demographics and interests in aggregate, and identify usage patterns. Analyzing data may also alert us to technical issues (like broken pages or slow load times) so we can fix them. All analytics processing is performed on de-identified or aggregated data; we do not use Google Analytics to determine the identity of individual users.
  • For Advertising and Marketing: We may use your data to market our products and services to you. For example, if you consent to advertising cookies, we (and third-party partners) will use data collected via cookies and pixels to show you targeted advertisements for Lutkan’s services on other websites or platforms. This is often called interest-based advertising or retargeting. It means, for instance, you might see an ad for NeuBids on a Google search results page or on Facebook after visiting our site. The data used for this purpose might include cookies or device identifiers and information about which pages you visited or actions you took on our site. We do not share your contact information with third-party advertisers for their independent marketing without your consent.
  • To Communicate with You: Beyond responses to inquiries and marketing, we also may need to send you administrative communications. For example, we might send you emails to inform you of changes to our terms or this Privacy Notice, to alert you about security updates, or to notify you of updates or outages in our services. These types of communications are generally necessary as part of our interaction with you and are not promotional in nature. If you are a registered user of NeuBids or NeuPubs, we may send service-related communications (e.g., confirmations of transactions or support tickets, announcements about new features relevant to your use of the service, etc.). Such communications are considered part of the services.
  • For Security and Fraud Prevention: We process certain data to help keep our Websites and systems secure and to prevent fraud or malicious activity. This includes using data like IP addresses, device information, and usage logs to detect and block potentially suspicious or unauthorized activities. For example, we might use IP address logs to recognize a pattern of repeated failed login attempts and take action to protect the account. We also monitor for attacks such as DDoS attempts or exploits of website vulnerabilities. If we suspect fraud (such as the misuse of a credit card or a fake account), we may use data we have to investigate and mitigate the issue. In some cases, we might need to share information with law enforcement to address security threats or fraud incidents (as detailed in How We Share Information below).
  • To Comply with Legal Obligations: We use and retain personal data as needed to comply with applicable laws, regulations, and legal processes. For instance, we may need to keep certain transaction records for tax or accounting purposes, or to comply with financial regulations. If we receive a lawful subpoena or court order, we may need to process and disclose data in response. We also process personal data to fulfill individuals’ data protection rights requests (e.g., if you ask us about your data, we will use your info to verify and respond). All such processing is done because it’s legally required.
  • Other Legitimate Business Purposes: Finally, we may use personal data for other internal business purposes that are compatible with the context of collection. This could include things like internal training (using communications as examples, after redacting personal info), performing audits and quality control, conducting statistical and market research (for example, analyzing what types of companies are interested in our products), or in connection with a business transaction (if we ever need to evaluate data as part of a merger or acquisition process). If we use data for a purpose that is materially different from what it was collected for, and not obvious to you, we will inform you and, if required, obtain your consent.

We will not use your personal data for purposes that are incompatible with the ones described above without notifying you and obtaining your consent when required.

3. Legal Bases for Processing (GDPR Compliance)

If you are in the European Economic Area (EEA), United Kingdom, or another jurisdiction with comprehensive data protection laws, we process your personal data only when we have a valid legal basis to do so under those laws. This section explains the legal grounds on which we rely for different processing activities, as required by Article 6 of the EU General Data Protection Regulation (GDPR). Our legal bases include: consent, contract, legitimate interests, legal obligation, and in rare cases, vital interest or public interest. Below we explain these in context:

  • Consent: We will ask for your consent before processing your personal data in cases where consent is the appropriate legal basis. In practice, this applies to most non-essential cookies and tracking activities on our Websites, as well as to sending marketing communications. For example, we rely on your consent to place analytics and advertising cookies on your device. Withdrawal of consent will not affect the lawfulness of processing that occurred before you withdrew consent, but it will stop the specific activity you had consented to (for example, if you withdraw consent for analytics cookies, we will stop collecting your data via Google Analytics going forward).
  • Contractual Necessity: When we process personal data that is necessary to perform a contract with you or to take steps at your request before entering into a contract, this serves as our legal basis. For instance, when you create an account on NeuBids/NeuPubs, we must process your login credentials and contact details to fulfill our obligations to you (providing the service, granting access). Similarly, if you inquire about our services and provide details in anticipation of possibly using our products, processing that information might be considered a pre-contractual step taken at your request. Without this data, we wouldn’t be able to provide the services or respond effectively. In short, the processing is necessary for the performance of a contract you have entered into (or are about to enter into) with us.
  • Legitimate Interests: We process certain data under the legal basis of legitimate interests (GDPR Art. 6(1)(f)). This means that the processing is within our legitimate business or commercial interests, and we have assessed that it does not override your rights and freedoms. We rely on legitimate interests, for example, to understand and improve our products and Websites, to secure our services, and to communicate with our business customers. Specifically, activities like basic analytics (where not strictly consent-based), responding to unsolicited inquiries, engaging in B2B marketing to company contact info, preventing fraud, or improving website functionality may be justified by our legitimate interests. In doing so, we balance our interests against your privacy rights to ensure fairness. You have the right to object to processing based on legitimate interests (see Your Rights below) if you believe your rights outweigh our interests. If you object, we will re-evaluate our justifications and either cease the processing or explain why we believe our legitimate interests should prevail in that instance.
  • Legal Obligation: Some processing is done because it is necessary for compliance with a legal obligation to which we are subject (GDPR Art. 6(1)(c)). For example, laws may require us to retain certain business records for a minimum period, verify the identity of customers in certain transactions, or provide information to governmental authorities upon proper request. When we process personal data to comply with law, this is our lawful basis. This can include compliance with tax laws, accounting rules, data protection regulations (e.g., honoring opt-out or deletion requests), and other applicable laws. In such cases, we only process the data to the extent required by law (for instance, retaining invoice records for the legally mandated retention period).
  • Vital Interests / Public Interest: These bases are applied only in exceptional circumstances. Vital interest would apply if processing is necessary to protect someone’s life or physical safety. Public interest could apply if the processing is needed for a task carried out in the public interest or under official authority (which is generally not relevant to a private company like Lutkan, except possibly in cooperating with public health or safety initiatives). We mention these bases for completeness, but it’s unlikely that they are relevant in the context of our Websites’ day-to-day data processing. If they ever become relevant (e.g., an emergency situation where we have to share data to protect someone’s life), we will let you know as required by law.

Whenever multiple legal bases could apply, we will rely on the one that best fits the specific purpose and context. If you have questions about the legal basis for any specific processing of your personal data, you can of course contact us for more information (see Contact Us at the end of this Notice).

4. How We Share Information

We understand the importance of your personal data and only share it with others in certain situations and with appropriate safeguards. We do not sell your personal information to data brokers or third parties for their independent commercial use (such as selling your email to another company for marketing). Any sharing of data is described below, along with the reasons for it:

  • With Service Providers (Processors): We share personal data with third-party companies that we hire or utilize to perform services on our behalf, often called “data processors” under GDPR or simply service providers. These include:
    • Website and IT Hosting Providers: Companies that host our Websites and backend systems (ensuring our site is available and running) or provide cloud storage for our data. Your data (including contact form submissions or account info) may be stored on their servers as part of these services.
    • Analytics and Marketing Tool Providers: For example, we use Google Analytics to analyze our website traffic, which means Google acts as a service provider that processes certain data (website usage information) on our behalf. We have agreements in place (such as Google’s data processing terms) to protect the data.
    • Payment and Billing Processors: Our products allow purchases or payments; for these, we would use certified payment processors to handle your credit card and billing information. These processors are compliant with security standards and are contractually forbidden from using your payment data for anything other than processing transactions you’ve authorized. (Note: Currently, NeuBids involves payments; those details would be processed by such third parties, and we ourselves do not store full financial information like credit card numbers on our own servers.)

In all cases, our service providers are bound by confidentiality and data protection obligations. They cannot legally use your personal data for any purpose other than to provide the service we’ve contracted them for. We carefully select our vendors and ensure there is a data processing agreement in place where required, to protect your information.

  • With Advertising and Analytics Partners: As described in the Cookies/Tracking section, when you allow advertising cookies and trackers, some data is automatically shared with third parties that provide those technologies. For example, if we use a Beeswax Pixel on our site and you consent to it, data about your visit (like that you visited a certain product page) will be sent to Beeswax. This enables us to later show you ads on Beeswax’s platform. Similarly, when Google Analytics runs on our site, it collects data and shares it with Google for analysis on our behalf. These third parties (Google, Beeswax, LinkedIn, etc.) may act as our processors or, in some cases, as independent controllers of the data they receive (using it for their own purposes, such as improving their services or, in the case of advertising partners, for ad personalization on their platforms). We disclose in our Cookie Policy which third-party cookies and pixels are in use. You have control over these via our CMP settings. If you opt out or decline such cookies, these partners will not receive your data from our site. For transparency: any sharing for advertising is something you can opt out of (and in jurisdictions like California, you have the right to opt out of what is deemed a “sale” of personal info – see California Privacy Rights below). We do not provide your contact info or any directly identifiable data to our advertising partners unless you have given us permission to do so. The sharing is typically limited to online identifiers and context (for example, a cookie ID and the fact you visited page X at time Y).
  • Within Our Corporate Group (Affiliates): Lutkan B.V. may share personal data with its affiliates, subsidiaries, or parent company (if we have related corporate entities) as needed for business and operational purposes. Currently, if NeuBids and NeuPubs are products operated by Lutkan B.V., data between these sites might be shared internally to give you a seamless experience or to centralize administration (for example, if you use both products, your contact profile might be unified in our CRM). Any intra-group sharing will follow the same security standards and privacy protections described in this Notice. If any affiliate is outside of your country (including outside the EU), we will ensure appropriate transfer mechanisms are in place as described under International Data Transfers below.
  • Business Transfers or Restructuring: If Lutkan undergoes a business transaction such as a merger, acquisition by another company, sale of all or part of its assets, or a financing or consolidation, personal data may be transferred to the successor or affiliated entity as part of that transaction. For example, if another company acquires Lutkan B.V. or its assets, customer information and user data would likely be one of the transferred assets. In such cases, we will ensure that your personal data remains subject to confidentiality obligations and we will provide notice on our Websites (and/or directly to you, if feasible) before your data is transferred and becomes subject to a different privacy policy. You will have the opportunity to opt out of any such transfer if required by applicable law.
  • Legal Compliance and Protection of Rights: We may disclose your personal information to third parties (such as courts, law enforcement agencies, regulators, or outside counsel) when we believe in good faith that such disclosure is necessary to:
    • Comply with the law or legal process: If we receive a valid subpoena, court order, search warrant, or any other legal request, we may need to disclose data in response. We will review each request carefully and only provide information to the extent required by law.
    • Enforce our terms and agreements: If necessary, we may share information in the course of enforcing our Terms of Service or other agreements, or to investigate potential violations. For example, if a user is found to be abusing our services in violation of our terms, we might share data with investigators or legal authorities.
    • Protect against harm: We might share information to protect and defend the rights, property, or safety of Lutkan, our customers, our business partners, or the public. For instance, we may exchange information with other companies and organizations for fraud protection or to mitigate cybersecurity threats. If a user poses a security risk or we detect fraudulent activity, we may report details to law enforcement.
    • Handle emergencies: In rare cases, we might disclose information to help prevent an imminent threat to someone’s life or safety.

Such disclosures will be made in accordance with applicable laws. Wherever feasible and legally permissible, we may notify you if we are required to provide your data to third parties as part of a legal process.

  • Aggregate or De-Identified Information: We may share information that has been aggregated or anonymized in such a way that it can no longer be associated with you personally. For example, we might publish reports or share statistics with partners that say “X% of our site visitors are from Europe” or “we saw a 50% increase in traffic last month.” These reports do not contain any personal data and cannot be used to identify any individual. They are not restricted in the same way personal data is, since no individual’s privacy is at risk. We may freely use and share such de-identified data for business or research purposes. (If we ever combine de-identified data with personal data in a way that it could identify you, we treat the combined data as personal and ensure it’s handled in line with this Notice.)

To summarize, we share personal data only with the parties and for the purposes described above. Whenever your data is shared, we take steps to ensure it’s handled securely and lawfully. If you have questions about third parties that may have access to your data, feel free to contact us for more information.

International Data Transfers

Lutkan B.V. is a company based in the Netherlands, and our Websites are operated from the European Union. However, the personal data we collect may be transferred to and stored on servers in other countries, because some of our affiliates, service providers, and partners are located worldwide. In particular, we may transfer data to the United States (where certain cloud service providers or analytics providers like Google are based) and possibly other locations.

When we transfer your personal data out of the European Economic Area (EEA) or other regions with data transfer restrictions, we take steps to ensure that appropriate safeguards are in place to protect your information. Our approach to international transfers is as follows:

  • Adequacy Decisions: If your data is being sent to a country that the European Commission (or relevant authority) has determined provides an “adequate” level of data protection (meaning its laws are essentially equivalent to EU privacy laws), we rely on that adequacy decision for the transfer. For example, transfers to countries in the EEA or to countries like Canada or Japan (which have adequacy status) can be done freely. (Note: As of the effective date of this Notice, the United States is not universally deemed adequate by the EU, so additional measures are required for EU-US data flows.)
  • Standard Contractual Clauses: For transfers to countries without an adequacy decision (such as the U.S.), we typically use the European Commission’s Standard Contractual Clauses (SCCs) as the legal mechanism for the transfer. SCCs are standardized contractual terms between the data exporter (us) and data importer (e.g., a service provider outside the EU) that legally bind the importer to protect the personal data to EU standards. We have incorporated SCCs into our contracts with major service providers when required. This means, for example, that when we use U.S.-based cloud or SaaS providers to process EU personal data, those providers have agreed through the SCCs to handle the data in compliance with European data protection principles.
  • Consent for Transfer: Where we cannot rely on an adequacy decision or SCCs or another mechanism for a particular transfer (which is rare), we would seek your explicit consent for that specific transfer, after informing you of any potential risks. You always have the right to refuse or withdraw such consent.
  • UK and Swiss Transfers: For transfers from the United Kingdom, we use the UK’s International Data Transfer Agreement or Addendum (which is based on SCCs). For Switzerland, we ensure the SCCs include provisions to satisfy Swiss data protection law (such as specifying the FDPIC as the competent authority).
  • Other International Regimes: If we transfer data from other countries with data export requirements (such as Brazil under the LGPD, or personal information from China, etc.), we will comply with those local requirements as well, which may include using that country’s standard contracts or obtaining consent.

If you would like more information about our international data transfer practices or the safeguards in place, you can contact us (see Contact Us below). In some cases, we may be able to provide you with a copy of the standard contractual clauses or refer you to further documentation, subject to confidentiality.

Please note that data transferred to another country may be subject to foreign laws and accessible to foreign governments, courts, law enforcement, and regulatory agencies. However, our safeguards (such as SCCs) aim to ensure that, whatever the local laws, any organization handling your personal data must protect it in line with EU-level standards. We also consider government access risks in our transfer impact assessments and choose providers with strong privacy and transparency track records.

5. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or to satisfy legal, accounting, or reporting requirements. There is no one-size-fits-all retention period, as it depends on the type of data and the context. We strive to adhere to the principle of storage limitation, meaning we do not keep personal data in identifiable form indefinitely. Below are some general guidelines on how we approach retention:

  • User Account Data: If you have an account on NeuBids or NeuPubs, we will keep your account information for as long as your account is active. You can also usually view and update the information in your account profile. If you choose to close your account, we will delete or anonymize personal data associated with your account within a reasonable time after closure, except for any data we are required or have a lawful basis to retain (e.g., billing records, audit logs). Even if you don’t actively close an account, if it remains inactive for an extended period, we may contact you to ask if you want to maintain it or we may delete it after a specified period of dormancy (with prior notice).
  • Contact/Inquiries: When you contact us or submit an inquiry (without creating an account), we will retain that correspondence and your contact details for as long as needed to respond and resolve your inquiry, plus a short additional period in case you follow up. For example, if you email us with a question, we might keep that email for some months in case you have further questions or to have a history of our communication. In many cases, these communications are kept for up to 1–2 years for reference, then deleted, unless we have a reason to keep them longer (such as for legal defense if the inquiry related to a dispute, or to document consent if you agreed to something).
  • Analytics Data: Data collected via Google Analytics and similar tools is stored as per Google’s policies and our configuration. We have set Google Analytics to retain user-level and event-level data for a limited time (e.g., 14 months) before it is automatically deleted from Analytics’ servers, as per Google’s available settings. We generally receive this data in aggregate form (e.g., monthly reports), and do not personally identify users from it. Web server logs (which include IP addresses) are typically rotated and deleted within a few weeks to a few months, unless needed for security analysis.
  • Cookies: Cookies have varying lifespans. Some cookies (session cookies) exist only for the duration of your browser session and are deleted when you close your browser. Others (persistent cookies) remain for a defined period unless cleared by you. For instance, cookies used by Google Analytics may persist for 24 hours (_gid cookie), 2 years (_ga cookie), or other durations, depending on their purpose. Advertising cookies may last from a few days to a year or more. You can always manage cookie storage via your browser or our CMP. We align our use of cookies with their intended lifespans and ensure they aren’t used longer than necessary. If you withdraw consent for certain cookies, those cookies should be deleted or expire, and any previously collected data may still be retained in backups for a time, but we will not use it actively.
  • Legal Requirements and Disputes: Sometimes, we need to keep certain data for longer because of legal requirements or to resolve disputes. For example, financial records (invoices, payments) are typically kept for at least 7 years under tax laws. If a legal claim is filed or anticipated, we may retain relevant information until the issue is resolved (even if that goes beyond our standard retention). We also retain records of consents and privacy requests as required by GDPR (to demonstrate compliance). Such information is retained securely and access is restricted.

In summary, we aim to retain personal data for no longer than necessary for the purposes stated in this Notice. When data is no longer needed, we will ensure it is either securely deleted or irreversibly anonymized. After deletion, we may maintain aggregated, non-identifiable information (since it’s no longer personal data).

6. Data Security

Lutkan takes data security very seriously. We employ a variety of technical and organizational measures to protect your personal information from loss, misuse, unauthorized access or disclosure, alteration, and destruction. We align our security practices with industry standards to ensure an appropriate level of security relative to the risk. Some of the key measures we have in place include:

  • Encryption: Our Websites use HTTPS (TLS encryption) to secure data in transit between your browser and our servers. This means any data you submit (such as form entries or login credentials) is encrypted while being transmitted. We also encrypt sensitive data at rest where appropriate, especially any financial information or authentication credentials, to add an extra layer of protection.
  • Access Controls: We restrict access to personal data to authorized personnel who need it to perform their job duties. Access to systems containing personal data is protected via strong password policies, two-factor authentication (where possible), and role-based access controls (so staff only see the data necessary for their role). Administrative access to our databases and systems is limited to a small number of trained individuals.
  • Third-Party Security: When we share data with service providers (as described earlier), we contractually require them to implement adequate security measures. We choose reputable vendors with proven security track records and who comply with standards like ISO 27001, SOC 2, or equivalent, where relevant. We also review their security documentation and certifications.

Despite all these precautions, it’s important to note that no method of transmission over the internet or method of electronic storage is 100% secure. While we strive to protect your personal data and use commercially acceptable means to do so, we cannot guarantee absolute security of information. Cyber threats continue to evolve, and even top-tier security measures carry some residual risk.

If we become aware of a data breach that affects your personal information, we will act promptly to contain and investigate the incident. We will also notify you and any applicable regulatory authorities of breaches as required by law. Our notification would include information about what happened and recommendations for your protection (for example, we might advise you to reset your password in case of credential compromise).

You also play a role in keeping your data secure. We encourage you to choose strong passwords for any accounts, never share your account credentials, and alert us immediately if you suspect any unauthorized use of your account or a security issue related to Lutkan. We will never ask you for your password via email, so be cautious of phishing attempts.

7. Your Rights Under GDPR (and Equivalent Laws)

If you are located in the European Union, European Economic Area (EEA), United Kingdom, or other jurisdictions with similar data protection laws, you have certain rights regarding the personal data that we hold about you. These rights allow you to have more control over your personal information. We will facilitate the exercise of these rights consistent with applicable laws (notably the EU GDPR and UK GDPR). Even if you are not in those jurisdictions, we will try to honor your requests to the extent feasible (and at minimum as required by applicable law).

Your key data protection rights are:

  • Right to Access: You have the right to request confirmation of whether we are processing your personal data, and if so, to obtain access to that personal data. This is often called a “Data Subject Access Request.” You can ask us to provide a copy of the personal data we hold about you, as well as information on how we process it. This includes details like the purposes of processing, the categories of data, the categories of recipients with whom we share the data, and the source of the data if not collected from you directly. Upon request, and verification of your identity, we will provide you with a copy of your personal data in a commonly used format (unless doing so adversely affects the rights of others). For additional copies, we may charge a reasonable fee if permitted by law.
  • Right to Rectification: You have the right to have inaccurate personal data corrected and incomplete data completed. If any of your information that we have is incorrect (for example, if you notice we have the wrong spelling of your name or an outdated email address), please let us know and we will rectify it without undue delay. Many of our services (like account profiles) also allow you to self-correct your data. We encourage you to keep your details updated and will help in updating any data you cannot change yourself.
  • Right to Erasure (Right to be Forgotten): You have the right to request that we delete your personal data in certain circumstances. This right is not absolute, but we will honor it if one of the GDPR grounds applies. Common scenarios include: the data is no longer necessary for the purposes it was collected for; you withdraw consent (if consent was the basis) and we have no other legal basis; you object to processing based on our legitimate interest and we have no overriding grounds; we processed your data unlawfully; or erasure is required to comply with a legal obligation. If you request erasure and we have no legal reason to keep the data, we will delete your personal data and also instruct any relevant service providers to do the same.
  • Right to Object: You have the right to object to our processing of your personal data at any time, on grounds relating to your particular situation, when the processing is based on our legitimate interests (or those of a third party). If you lodge an objection, we must stop processing the personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or unless we need to continue processing for the establishment, exercise, or defense of legal claims. For objections to other processing, please describe your situation so we can evaluate it. We will then either cease processing or let you know why we believe we have overriding grounds to continue (for example, some minimal data might need to be kept for fraud prevention which we can justify).
  • Right to Withdraw Consent: If we are processing your personal data based on your consent, you have the right to withdraw your consent at any time. This will not affect the lawfulness of any processing we conducted prior to your withdrawal, but it means we will stop the processing that was based on consent. For instance, you can withdraw consent for optional cookies by adjusting your preferences on our site’s CMP, and we will stop using those cookies on your browser moving forward. It’s as easy to withdraw consent as it was to give it – for example, toggling off a cookie category. If you withdraw consent for something, we might ask to confirm or might inform you if there are consequences (e.g., if a certain service can’t be provided without that data). But the choice is yours. Keep in mind, if we have another legal basis to process the data (for example, we require it to perform a contract with you), we might proceed on that basis.

To exercise any of your rights, please contact us through the channels listed in Contact Us below. We will need to verify your identity adequately before fulfilling certain requests (especially for access, deletion, or portability, to ensure we don’t give your data to the wrong person or delete the wrong account). For example, we may ask you to confirm some details we have on file, or if you have an account, we might carry out the request through your logged-in account for verification. We will respond to your request as soon as possible and at least within the timeframe required by law (under GDPR, generally within 1 month, extendable by another 2 months for complex requests – we’ll inform you if an extension is needed). There is usually no fee for exercising your rights, but if requests become excessive or repetitive, we are allowed by law to either charge a reasonable fee or refuse the request.

Lastly, if your country or region provides additional privacy rights not listed above (for example, some countries have rights related to automated decision-making or marketing objections beyond GDPR’s scope), we will respect those as applicable. This section primarily addresses GDPR-based rights because they cover a broad range that overlaps with many global regulations.

8. California Privacy Rights (CCPA/CPRA)

If you are a resident of California, you are protected by the California Consumer Privacy Act (CCPA) of 2018, as amended by the California Privacy Rights Act (CPRA) of 2020. These laws provide California residents with specific rights regarding their personal information. The following section (in conjunction with the rest of this Privacy Notice) is intended to meet the requirements of the CCPA/CPRA and to provide California residents with a description of their rights and how to exercise them.

Categories of Personal Information Collected: In the past 12 months, we have collected (as detailed throughout this Notice) the following categories of personal information, as defined by CCPA: identifiers (such as name, email address, IP address, online identifiers), information akin to customer records (contact details, employment information if you provide it, etc.), internet or other electronic network activity information (browsing history on our site, interactions with our website or ads), and geolocation data (imprecise location from IP). We do not collect sensitive personal information like social security numbers, driver’s license numbers, financial account passwords, or precise geolocation. We also do not intentionally collect information of protected classifications (like race, gender, etc.) through our Websites. All personal information we collect is for the business and commercial purposes outlined in How We Use Your Data above. For example, we collect identifiers to respond to inquiries and for marketing (with consent), and we collect internet activity via cookies for analytics and advertising (with consent). The sources of this information are: you (the consumer) directly (when you fill forms or communicate with us), and automated collection through your interactions with our Websites (cookies, pixels, etc.). We may also infer information from what we collect (for instance, user preferences or potential interest in a product based on browsing). We do not purchase personal data from third-party data brokers. For a detailed mapping of categories to purposes and sources, please refer to the relevant portions of this Notice above, which serve as our disclosure for CCPA purposes.

Now, under California law, you have the following rights:

  • Right to Know: You have the right to request that we disclose to you the personal information we have collected about you and certain details about our handling of it. This is similar to the GDPR access right but with specific required information. Upon verification of your request, we will provide: (1) the categories of personal information we have collected about you; (2) the categories of sources from which we collected the personal information; (3) our business or commercial purposes for collecting (or selling/sharing, if applicable) that information; (4) the categories of third parties to whom we disclosed the personal information; and (5) the specific pieces of personal information we collected about you. If we have “sold” or “shared” any of your personal information or disclosed it for a business purpose, we will also provide: (a) the categories of personal information so sold or shared, and the categories of third parties to whom it was sold/shared; and (b) the categories of personal information disclosed for a business purpose, and the categories of persons to whom it was disclosed. You may request this information up to twice in a 12-month period, and it will be provided free of charge. Our goal is to be transparent, and much of this information is already in this Privacy Notice, but we will compile it specifically for your personal data upon request.
  • Right to Delete: You have the right to request that we delete personal information that we have collected from you (and direct our service providers to do the same), subject to certain exceptions. Once we receive a verified deletion request, we will delete (and instruct our service providers and contractors to delete) your personal information from our records, unless an exception applies. CCPA exceptions include situations where the information is needed to: complete the transaction or service requested (for example, if you’re mid-way through a service with us, we may need the data to finish it), detect security incidents or protect against illegal activity, debug and fix errors, exercise or ensure free speech (or another legal right), comply with the California Electronic Communications Privacy Act, engage in public or peer-reviewed research (if you’ve provided informed consent to that), enable solely internal uses that are reasonably aligned with consumer expectations, comply with a legal obligation, or use the information internally in a lawful manner compatible with the context in which you provided it. If we deny a deletion request, we will inform you of the reason. Importantly, if you have an account with us, you may alternatively just delete your account (which will remove most of your info), but some data might still be retained as per the exceptions above.
  • Right to Correct: The CPRA added a new right for California residents – the right to request correction of inaccurate personal information maintained by us. If you find that any personal data we have about you is incorrect, you may request that we correct it. Upon verification and consideration of the nature of the personal information and the purposes of processing, we will use commercially reasonable efforts to correct the inaccuracy. In many cases, it may be easier and faster for you to correct certain information through your account settings (if applicable), but we are happy to do it upon request as well.
  • Right to Opt-Out of Sale or Sharing: You have the right to direct us not to sell your personal information to third parties, and to opt out of the sharing of your personal information for cross-context behavioral advertising (which is a form of sharing covered by the CPRA). In CCPA terms, “sell” includes any exchange of personal information for valuable consideration (not just money), and “share” refers to making personal info available to third parties for targeted advertising. Lutkan does not sell personal information in the traditional sense (we don’t exchange your data for money with data brokers). However, some of our use of advertising cookies/pixels might be considered a “sale” or “sharing” under California’s broad definitions, because we allow third parties (like Google, Beeswax) to collect identifiers and activity data from our users for targeted advertising. To respect your rights, we have enabled mechanisms for you to opt out of such sale/sharing. Specifically:
    • You can toggle your cookie consent settings (via our CMP banner or privacy settings on the site) to refuse advertising cookies – by doing so, you prevent those third-party trackers from engaging in what could be deemed a sale/sharing of data.
    • We have provided a “Do Not Sell or Share My Personal Information” link on our Websites in the footer which you can click to record your preference. Using that link (or the cookie settings) will signal to us and our third-party partners that you have opted out of sale/sharing of your data, and we will honor that request across all data collection on our site.

Once you opt out of sharing, we will stop any sharing of your personal data.

  • Right to Limit Use of Sensitive Personal Information: The CPRA gives California residents the right to limit the use and disclosure of “sensitive personal information” (SPI) if a business uses it for purposes other than those allowed by law. SPI includes things like social security numbers, financial account info, precise geolocation, race/ethnicity, health data, biometric identifiers, etc. As mentioned, we do not collect sensitive personal information through our Websites in any meaningful way (certainly not social security numbers or financial info – any payment processing is done by third parties, and we don’t see full credit card numbers). We might arguably collect things like account login credentials (which could be considered sensitive under CPRA) or infer general location (city, state) from IP, but we use those only to provide the services or secure them, which are permitted purposes. Therefore, while we include this right for completeness, there is currently no separate SPI usage of yours that you would need to limit via a request, as we’re not using SPI except for necessary purposes. If that changes, we will update our practices and honor the right to limit.

  • Right of Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights. This means we will not deny you goods or services, charge you a different price, or provide a different level of quality of service just because you exercised your privacy rights. The CCPA allows businesses to offer financial incentives for the collection of personal data (for example, a loyalty program or discount in exchange for signing up), but if we ever do something like that, it will be optional and we will present the terms clearly and fairly in compliance with the law. In any case, refusing cookies or asking to delete your data will not result in any punitive treatment from us. Do note, however, that if you ask us to delete your data or opt out of certain processing, you may naturally experience a different service (for instance, we won’t be able to personalize content for you, or your account may not remember settings) – but that’s a direct result of your choice, not a discriminatory action on our part.

Exercising Your California Rights: If you are a California resident and would like to exercise any of the rights above (Know, Delete, Correct, Opt-Out), you may submit a request to us through the contact methods listed in Contact Us below. For requests to know, delete, or correct, we will need to verify your identity to a “reasonable degree of certainty” (or “high degree” for sensitive requests) as required by law. This might involve matching information you provide with information we have on record, or using a verification email response, etc. If you have an account, we may ask you to submit the request through your logged-in account for verification. If you do not have an account, we may ask for at least two or three pieces of information to cross-check (like your email, last interaction, etc.). We will use the information you provide in a request only to verify and to fulfill the request (or keep a record of compliance), and for no other purpose.

If you choose to use an authorized agent to submit a request on your behalf, we will require proof of the agent’s identity and authority (e.g., a written permission from you or a power of attorney, plus verification of the agent’s identity). We will also need to verify your identity directly (or the agent must provide proof that the request is authorized by you). This is to prevent fraud.

We aim to respond to consumer requests within 45 days as the CCPA requires. If we need more time (up to an additional 45 days, totaling 90 days), we will inform you of the reason and extension in writing. Our response will typically cover the 12-month period preceding your request (as required by law). For certain requests, we may provide information beyond 12 months if feasible and requested, especially for data collected after January 1, 2022 (since CPRA allows going beyond 12 months in some cases).

Notice at Collection: The CCPA requires that we provide a notice at the time of collection of personal information, informing consumers of the categories of personal information collected and the purposes. This Privacy Notice itself serves as our notice at collection for any data collected through our Websites, since it details the categories and purposes. If we were to collect personal info in a context outside this website (like a paper form or an in-person event), we would provide a specific notice then.

Shine the Light Law: Separately, California’s “Shine the Light” law (Civil Code § 1798.83) allows residents to request certain information about our disclosure of personal information to third parties for their direct marketing purposes. We do not disclose personal information to third parties for their own direct marketing purposes without consent. Therefore, we believe we have no disclosures within the scope of that law.

In summary, we uphold all the rights granted to California residents under the CCPA/CPRA, and this section is meant to explain those rights in a transparent way. If you have any questions about your California privacy rights or our practices, please contact us.

(Note for non-California residents: You may have similar rights under your own local laws (e.g., Virginia CDPA, GDPR as discussed, etc.). We encourage you to reach out with any privacy-related requests regardless of your location, and we will do our best to accommodate them in line with applicable law.)

10. Children’s Privacy

Our Websites and services are not directed to children under the age of 16, and we do not knowingly collect personal information from children. If you are under 16 (or under the applicable age of consent in your jurisdiction, if different), please do not use our Websites or provide any personal data to us. Lutkan does not intend to solicit or collect information of minors. In the event we discover that we have inadvertently collected personal information from a child without appropriate consent, we will promptly delete such information from our records.

If a parent or legal guardian becomes aware that their child has provided us with personal information, they should contact us immediately (see Contact Us below). We will then take the necessary steps to remove the child’s information and unsubscribe them from any of our services.

We recognize the importance of protecting children’s privacy. For users in the United States, we comply with the Children’s Online Privacy Protection Act (COPPA). For users in the EU, we adhere to GDPR’s age limitations. Our products and Websites are business-oriented and not intended for anyone under 16.

If we ever decide to tailor some part of our services to a younger audience (for example, an educational program involving teens), we will implement appropriate privacy safeguards and obtain verifiable parental consent as required by law.

11. Cookies and Similar Technologies

This section provides a full explanation of our use of cookies and similar tracking technologies across our Websites (lutkan.com, neubids.com, neupubs.com).

What Are Cookies?

Cookies are small text files stored on your device when you visit a website. They help recognize your browser, remember your preferences, and understand how you interact with the website. Cookies may be:

  • First-party cookies: Set by our own domain.
  • Third-party cookies: Set by external services (e.g., Google, Cloudflare).
  • Session cookies: Deleted after your session ends.
  • Persistent cookies: Remain on your device for a set period or until manually removed.

Why We Use Cookies

We use cookies and similar technologies for the following reasons:

  • Essential Cookies: Required for site functionality, security (Cloudflare), login state, and form submissions.
  • Analytics Cookies: Help us understand user behavior and website performance (e.g., Google Analytics).
  • Functionality Cookies: Store preferences like language and consent settings.
  • Advertising Cookies: Allow us and partners (like Beeswax, Google Ads) to deliver relevant ads across other websites.
  • Consent Management: UniConsent CMP uses cookies to record and enforce your choices regarding non-essential cookies.

Detailed Cookie Table

| Cookie Name(s) | Provider | Purpose | Duration | Category |
|---|---|---|---|---|
| _ga, _gid, _gat, etc. | Google Analytics | Tracks user behavior for analytics reporting and performance improvement | Up to 2 years | Analytics |
| __gads, IDE, NID | Google Ads | Measures ad performance, remarketing, and conversion tracking | Up to 13 months | Advertising |
| __cf_bm, __cfruid, cf_clearance | Cloudflare | Protects the site from bots and DDoS; ensures secure delivery and faster performance | 30 minutes to 1 year | Essential |
| bwuid, bwp, bwpx | Beeswax | Tracks ad interaction, user segmentation, and retargeting | Up to 1 year | Advertising |
| unic_consent, unic_pref | UniConsent CMP | Stores user’s cookie preferences and consent status | 6 to 12 months | Essential/Consent |
| session_id, csrf_token (if used) | First-party (Lutkan) | Maintains secure sessions, login states, and form submissions | Session | Essential |

This list may be updated from time to time to reflect changes in our technology stack or cookie providers.

Your Cookie Choices

When you first visit our site, our cookie banner allows you to manage your preferences. You may accept all cookies, reject all, or toggle specific categories. You can return to these settings anytime by clicking the “Cookie Settings” link in the website footer.

You may also manage cookies via your browser settings or opt out of interest-based advertising using the following tools:

Please note: if you disable essential cookies, some features of our website may not work as intended.

Do Not Track & Global Privacy Control

While we do not currently respond to “Do Not Track” (DNT) browser signals, we honor Global Privacy Control (GPC) signals where legally required (e.g., California), allowing you to opt out of data sale/sharing.

12. Updates to this Privacy Notice

We may update this Privacy Notice from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make changes, we will let you know by appropriate means. This may include prominently posting a notice of changes on our Websites or alerting you via email (if we have your contact and the changes are significant). We will also update the “Effective Date” at the top of this Notice to indicate when the latest changes took effect.

Any changes will become effective when the revised Notice is posted on our Websites, unless stated otherwise. If we make material changes that affect how we handle personal data, we will endeavor to provide advance notice and/or obtain consent if required by law. For example, if we were to expand our use of personal data beyond what is outlined here, we would inform you and, if necessary, give you the opportunity to opt in or out.

Your continued use of our Websites after any updated Privacy Notice has been posted will indicate your acceptance of the changes, to the extent permitted by law. However, if the changes require your consent (for example, a new purpose that requires opt-in), we will make sure to obtain that from you.

We encourage you to review this Privacy Notice periodically to stay informed about how we are protecting your information. The latest version will always be available on this page. We will also maintain an archive or change log of previous versions (available upon request or via an archive link), so you can see how this Notice has evolved.

In summary, we reserve the right to modify this Notice at our discretion and will post the updated notice online with a new effective date whenever we do. If you disagree with the changes, you may discontinue use of our Websites and request us to delete your data (if applicable). If you continue using our services, it means you acknowledge the updated Notice.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Notice or our handling of your personal data, please do not hesitate to contact us. We are here to help and committed to addressing any privacy-related inquiries promptly and transparently.

Contact Information for Privacy Inquiries:

  • Email: You can reach our privacy team by email at [email protected]. This is the fastest way to get a response. Please include in your email your name and contact information, and a detailed description of your question or request. If you are exercising a specific right (like requesting access or deletion), please mention that in the subject line (e.g., “CCPA Right to Know Request” or “GDPR Data Deletion Request”) so we can handle it accordingly. Once we receive your email, we will acknowledge it and communicate with you through this channel to verify your identity (if needed) and to follow up on the request.
  • Data Protection Officer (DPO): Lutkan B.V. has appointed a Data Protection Officer to oversee our compliance with data protection laws. If you have inquiries that you would specifically like to direct to our DPO (for example, if you feel your privacy concern has not been addressed satisfactorily), you may contact the DPO at [email protected]. Please include "For DPO" in the subject line for clarity. The DPO is responsible for monitoring our data protection practices and will treat your inquiry with independence and priority.
  • Mailing Address: You can also write to us at the following postal address:
    Lutkan B.V. – Attn: Privacy Office/DPO
    Burgemeester Pabstlaan 10 C3
    2131 XE Hoofddorp
    The Netherlands

Please note: When you contact us by mail, consider sending an email notification as well for a quicker response. If you are making a rights request (such as asking for your data or requesting deletion), it may expedite processing if you use email or our online form (if available), due to the time-sensitive nature of such requests. However, all formats of requests will be honored.

We will respond to your questions or requests as promptly as possible, generally within one month or the timeframe required by applicable law. In communications, we may need to verify your identity for security purposes, especially for data access, deletion, or modification requests – this is to ensure we don’t disclose or alter personal data at the request of someone other than the data subject.

Your Feedback: If you have any feedback on this Privacy Notice or our privacy practices, we welcome it. Privacy is an ongoing commitment, and we strive to improve continuously.

Thank you for reading our Website Privacy Notice. Lutkan B.V. is dedicated to safeguarding your personal information and being transparent about how we handle data. We appreciate the trust you place in us when you provide your information, and we will work hard to maintain that trust.