Sign Up
We use cookies to make the website work, to further improve your user experience
and to analyse our traffic. You can find more information about our cookies here.

Privacy Policy of UAB Lunu Europe

UPDATED ON MARCH 24, 2023
UAB Lunu Europe, Gedimino pr. 44A-201, Vilnius, registered in Lithuania under the number 305774629 in the State Enterprise Centre of registers of Lithuania (thereinafter “we“, “us“ or “Lunu“) Lunu provides a technical solution which enables the Retailer to accept cryptocurrencies as payment from their customers (the “Customers”) and be paid in local currency to the Retailer’s bank account (the “Lunu Services”).

Lunu sells Terminals (“Terminals”) and provides the Retailer with an online widget (“Widget”) for accepting cryptocurrencies through the Lunu Services at the point of sale (“POS”) from Customers on behalf of the Retailer, stores and exchanges cryptocurrencies with subsequent delivery of funds in local currency to the Retailer's bank account.

With the following information, we would like to inform you about how we implement the provisions of the EU General Data Protection Regulation (hereinafter "GDPR") and protect your personal data, when visiting the Lunu Website at https://lunu.io/ (“Lunu Website”) and when using the Lunu Services, as a Retailer or an Arbitrageur.

Please note that the use of Lunu Services may involve a number of service providers who are themselves controllers and therefore responsible for the processing of your personal data within the meaning of the GDPR. These service providers have their own privacy policies. These data protection notices reflect only the data processing when visiting the Lunu Website and when using the Lunu Services for which we are the controller within the meaning of the GDPR.
Section 1

Name and Contact Details of the Controller and the Company Data Protection Officer


UAB Lunu Europe
Gedimino pr. 44A-201, Vilnius
LT-01110
Lithuania

Contact details of the data protection officer

E-Mail: support@lunu.io

Section 2

Competent data protection supervisory authority


The State Data Protection Inspectorate
L. Sapiegos st. 17
LT-10312 Vilnius
Lithuania
Tel. +370 5 271 2804 +370 5 279 1445
Fax +370 5 261 9494
E-Mail: ada@ada.lt
Website: https://vdai.lrv.lt/

Section 3

Data Processing for Providing Lunu Website as a visitor without registration

  • Scope of the processing of personal data

    Each time you access any content on our Lunu Website, our system automatically collects data and information from the computer system from which you are accessing the content. The following data is collected (hereinafter "Log Data"):
    • Information about the browser type and version used (so-called "User-Agent");
    • the operating system of your computer system;
    • the IP address of your computer system;
    • the amount of data sent in bytes;
    • date, time, and duration of access;
    • language setting;

    Except for the IP address, the log data listed above cannot be used to identify you personally. Personal identification can only be established by assigning or linking the Log Data to data on the user of an IP address, which is generally not available to us.

  • Purpose of the processing

    The collection and processing of Log Data on the Lunu Website, in particular the IP address, is for the purpose of providing the content of the Lunu Website. This requires temporary storage of the IP address. This is necessary to address the data traffic between your computer system and the Lunu Website.
    Further processing and storage of the IP address in log files take place for the purpose of ensuring the functionality of our Lunu Website and to ensure the security of our information technology systems.

  • Legal Basis

    The legal basis for the collection and processing of Log Data, insofar as these are personal data, is Art. 6 para. 1 sentence 1 lit. b GDPR (performance of a contract and initiation of contract). Legal basis for storage beyond the communication process, i.e. for the functionality of our Lunu Website as well as to ensure the security of our information technology systems, the log data (if these are personal data), is Art. 6 para. 1 sentence 1 lit.f GDPR (protection of legitimate interests).

  • Deletion of data and storage period

    The data will be deleted as soon as it is no longer required to achieve the purpose for which it was collected. In the case of the collection of data for the provision of the Lunu Website, this is the case when the relevant session – i.e. the visit to the Lunu Website – has ended. The storage of log data beyond this, including the IP address for the purpose of system security, takes place for a maximum period of [please add time period] days after the page was accessed.

  • Possibility of objection and deletion

    The collection of Log Data for the provision of the Lunu Website, including its storage in log files within the limits mentioned above, is essential for the operation of the Lunu Website. Therefore, there is no possibility to object.

  • Disclosure to third parties

    We always only disclose your personal data to third parties if:
    • You have given your express consent to do so under Art. 6 Para. 1 sentence 1 lit. a GDPR.
    • This is legally permissible and, according to Art. 6 Para. 1 sentence 1 lit. b GDPR, necessary for the performance of a contract with you or in order to take steps at your request prior to entering into a contract.
    • According to Art. 6 Para. 1 sentence 1 lit. c GDPR disclosure is necessary for compliance with a legal obligation. We are legally obliged to transmit data to state authorities, e.g. criminal prosecution authorities.
    • The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party pursuant to Art. 6 Para. 1 sentence 1 lit. f GDPR, and there is no reason to assume that you have an overriding interest worthy of protection in not disclosing your data.
    • In accordance with Art. 28 GDPR, we use external service providers, so- called processors, who are obliged to handle your data with care.

    The data mentioned under clause 3.1. will be passed on to the following service providers who are our processors:
    • Service providers that we use to ensure the security of our information technology systems,
    • our hosting provider
    • and cloud provider.


  • No processing outside the EU

    The Log Data is processed exclusively within the European Union

Section 4

Use of cookies in Lunu Website

  • Scope of data processing

    We collect the following data:
    • individual users on the domain
    • limit amount of user requests
    • unique ID assigned to each user on the domain
    • unique ID that makes Google Analytics and Ads work together


  • Purpose of the processing

    Our system collects cookies for google analytics.

  • Legal Basis

    The ePrivacy Directive.

  • Deletion of data and storage period

    The information collected expires after 2 years.

  • Possibility of objection and deletion

    You can object to the collection of cookies.

  • Disclosure to third parties

    We always only disclose your personal data to third parties if:

    1. You have given your express consent to do so under Art. 6 Para. 1 sentence 1 lit. a GDPR.
    2. This is legally permissible and, according to Art. 6 Para. 1 sentence 1 lit. b GDPR, necessary for the performance of a contract with you or in order to take steps at your request prior to entering into a contract.
    3. According to Art. 6 Para. 1 sentence 1 lit. c GDPR disclosure is necessary for compliance with a legal obligation. We are legally obliged to transmit data to state authorities, e.g. criminal prosecution authorities.
    4. The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party pursuant to Art. 6 Para. 1 sentence 1 lit. f GDPR, and there is no reason to assume that you have an overriding interest worthy of protection in not disclosing your data.
    5. In accordance with Art. 28 GDPR, we use external service providers, so- called processors, who are obliged to handle your data with care.


  • No processing outside the EU

    The Cookies are processed exclusively within the European Union.

Section 5

Data Processing of Retailers personal data when registering for the Lunu Console in accordance with the “Terms and Conditions for the Lunu Processing Service and Terminal Sale” and using the Lunu Services as registered user of the Lunu Console

  • Scope of data processing

    During the registration of the Lunu Console and use of Lunu Services we process the following personal data:
    • Company name or name of the contractual partner;
    • Legal form of the contractual partner;
    • Address of the registered office or principal place of business of the contracting party;
    • Registration number;
    • Tax identification number;
    • Name and email address of the person for whom the account is being set up;
    • Mobile number;
    • fiat account number.
  • Purpose of the processing

    The collection and processing of the personal data stated in section 5.1. is for the purpose of registering you for the Lunu Console and providing the Lunu Services. Also, we will process personal data in order to comply with legal obligations (e.g. tax laws).

  • Legal Basis

    The legal basis for the collection and processing of data stated in section 5.1., insofar as these are personal data, is Art. 6 para. 1 sentence 1 lit. b GDPR (performance of a contract and initiation of contract). The purpose of the processing also includes pre-contractual measures to arrange and initiate the contracts.
    Lunu is subject to various legal regulations, e.g. tax laws, as well as the supervisory regulations, which are laid down by e.g. the Data Protection Supervisory Authority in Berlin (Berliner Beauftragte für Datenschutz und Informationsfreiheit), which interpret and further specify the relevant legal provisions. In so far as these legal requirements oblige us to process personal data, the purpose of the processing is to fulfil these legal obligations (Art. 6 para. 1 sentence 1 lit. c GDPR).

  • Deletion of data and storage period

    The data is stored for 8 years in compliance with Lithuanian AML Laws.

  • Disclosure to third parties

    We always only disclose your personal data to third parties if:
    • You have given your express consent to do so under Art. 6 Para. 1 sentence 1 lit. a GDPR.
    • This is legally permissible and, according to Art. 6 Para. 1 sentence 1 lit. b GDPR, necessary for the performance of a contract with you or in order to take steps at your request prior to entering into a contract.
    • According to Art. 6 Para. 1 sentence 1 lit. c GDPR disclosure is necessary for compliance with a legal obligation. We are legally obliged to transmit data to state authorities, e.g. criminal prosecution authorities.
    • The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party pursuant to Art. 6 Para. 1 sentence 1 lit. f GDPR, and there is no reason to assume that you have an overriding interest worthy of protection in not disclosing your data.
    • In accordance with Art. 28 GDPR, we use external service providers, so-called processors, who are obliged to handle your data with care.

    The data mentioned under clause 5.1. will be passed on to the following service providers who are our processors:
    • our hosting provider

  • No Procession Outside the EU

    The data mentioned in this section 6 will be processed exclusively within the European Union.

Section 6

Data Processing of Customers when using the Lunu Services

  • Scope of data processing

    During the use of the Lunu Services, we process the following personal data:
    • email;
    • ID;
    • biometric data
  • Purpose of the processing

    The collection and processing of the personal data stated in section 6.1. is for the purpose of KYC and providing the Lunu Services. Also, we will process personal data in order to comply with legal obligations.

  • Legal Basis

    The legal basis for the collection and processing of data stated in section 6.1., insofar as these are personal data, is Art. 6 para. 1 sentence 1 lit. b GDPR (performance of a contract and initiation of contract). The purpose of the processing also includes pre-contractual measures to arrange and initiate the contracts.
    Lunu is subject to various legal regulations, e.g. tax laws, as well as the supervisory regulations, which are laid down by e.g. the Data Protection Supervisory Authority in Berlin (Berliner Beauftragte für Datenschutz und Informationsfreiheit), which interpret and further specify the relevant legal provisions. In so far as these legal requirements oblige us to process personal data, the purpose of the processing is to fulfil these legal obligations (Art. 6 para. 1 sentence 1 lit. c GDPR).

  • Deletion of data and storage period

    The data is stored for 8 years in compliance with Lithuanian AML Laws.

  • Disclosure to third parties

    We always only disclose your personal data to third parties if:
    • You have given your express consent to do so under Art. 6 Para. 1 sentence 1 lit. a GDPR.
    • This is legally permissible and, according to Art. 6 Para. 1 sentence 1 lit. b GDPR, necessary for the performance of a contract with you or in order to take steps at your request prior to entering into a contract.
    • According to Art. 6 Para. 1 sentence 1 lit. c GDPR disclosure is necessary for compliance with a legal obligation. We are legally obliged to transmit data to state authorities, e.g. criminal prosecution authorities.
    • The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party pursuant to Art. 6 Para. 1 sentence 1 lit. f GDPR, and there is no reason to assume that you have an overriding interest worthy of protection in not disclosing your data.
    • In accordance with Art. 28 GDPR, we use external service providers, so-called processors, who are obliged to handle your data with care.

    The data mentioned under clause 5.1. will be passed on to the following service providers who are our processors:
    • our hosting provider

  • No Procession Outside the EU

    The data mentioned in this section 6 will be processed exclusively within the European Union.

Section 7

Your Rights


You have the following rights
  • In accordance with Art. 7 Para. 3 GDPR to withdraw your once given consent to us at any time. As a result, we may no longer continue to process the data which was based on this consent in the future;

  • To request information about your personal data processed by us in accordance with Art. 15 GDPR. In particular, you may request information on the purposes of processing, the categories of personal data, the recipients or categories of recipients to whom your data have been or will be disclosed, the planned storage period, the existence of a right of rectification, erasure, restriction of processing or opposition, he right to lodge a complaint with a supervisory authority, the origin of your data, if not collected by us, as well as the existence of automated decision making including profiling and, if applicable, meaningful information on the details of the data;

  • In accordance with Art. 16 GDPR to immediately request the rectification of incorrect or completion of incomplete personal data stored by us;

  • To demand the deletion of your personal data stored with us in accordance with Art. 17 GDPR, unless the processing is necessary to exercise the right to freedom of expression and information, to fulfil a legal obligation, for reasons of public interest or to assert, exercise or defend legal claims;

  • Pursuant to Art. 18 GDPR, to demand the restriction of the processing of your personal data if the accuracy of the data is contested by you, if the processing is unlawful but you refuse the deletion of it and we no longer require the data, but you require it for the establishment, exercise or defence of legal claims or you have lodged an objection to the processing pursuant to Art. 21 GDPR;

  • In accordance with Art. 20 GDPR, to receive your personal data that you have provided us with in a structured, commonly used, and machine-readable format or to request that it be transmitted to another controller and

  • Pursuant to Art. 77 GDPR, the right to lodge a complaint with a supervisory authority. Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes GDPR Regulation. The authority responsible for us, e.g. in Vilnius, is mentioned in section 2.

  • If your personal data is processed on the basis of legitimate interests pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR, you have the right, pursuant to Art. 21 GDPR, to object processing of your personal data if there are reasons for doing so arising from your particular situation. If you wish to exercise your right of objection, simply send an e-mail to support@lunu.io