GDPR Compliance

Last updated: March 1, 2026

Lukian CORP SRL is committed to complying with the General Data Protection Regulation (GDPR — EU Regulation 2016/679) and national legislation on the protection of personal data (Law No. 190/2018). Data protection is built into our platform design through the principle of "Privacy by Design."

Our Role

Data Controller — Lukian CORP SRL acts as a data controller for user account data (name, email, billing data).

Data Processor — Lukian CORP SRL acts as a data processor for property data, photographs, and conversations managed by real estate agencies through our platform.

Legal Basis for Processing

• Contract performance (Art. 6(1)(b) GDPR) — for providing the service requested through account creation.

• Consent (Art. 6(1)(a) GDPR) — for marketing communications, newsletters, and non-essential cookies.

• Legitimate interest (Art. 6(1)(f) GDPR) — for service improvement, security, and fraud prevention.

• Legal obligation (Art. 6(1)(c) GDPR) — for retaining tax documents in accordance with Romanian legislation.

Data Subject Rights

• Right of access (Art. 15) — You can request a complete copy of all personal data we hold about you. We respond within a maximum of 30 days.

• Right to rectification (Art. 16) — You can correct inaccurate data directly from account settings or by contacting the DPO.

• Right to erasure (Art. 17) — You can request complete deletion of your account and all associated data. We process the request within 30 days.

• Right to portability (Art. 20) — You can export all data in a structured format (JSON or CSV) directly from the platform.

• Right to restriction (Art. 18) — You can request limitation of data processing in certain situations provided by GDPR.

• Right to object (Art. 21) — You can object to data processing for direct marketing. Unsubscribing takes effect instantly.

• Right to withdraw consent (Art. 7) — You can withdraw consent at any time, without affecting the lawfulness of prior processing.

International Transfers

Data is stored on servers in Romania and the European Union. When we use AI providers from the US (Anthropic, OpenAI), transfers are protected by:

• EU-US Data Privacy Framework (DPF).

• Standard Contractual Clauses (SCC) approved by the European Commission.

• Transfer Impact Assessments (TIA) conducted for each provider.

Security Measures

We implement technical and organizational measures in accordance with Art. 32 GDPR:

• AES-256 encryption at rest

• TLS 1.3 for data in transit

• Multi-factor authentication

• Encrypted daily backups

• Complete audit logging

• Role-based access control (RBAC)

• Periodic penetration testing

• Incident response plan

Data Protection Impact Assessment (DPIA)

We have conducted Data Protection Impact Assessments (DPIA) for high-risk features: AI photo processing, WhatsApp bots, and automated valuations. These assessments are reviewed annually or upon significant changes.

Record of Processing Activities

We maintain a complete record of processing activities in accordance with Art. 30 GDPR, available upon request to supervisory authorities.

Data Breach Notification

In the event of a security breach affecting personal data, we will notify the National Supervisory Authority (ANSPDCP) within 72 hours and affected data subjects without undue delay, in accordance with Art. 33 and Art. 34 GDPR.

Data Protection Officer (DPO)

We have designated a Data Protection Officer whom you can contact at:

Email: dpo@lukian.ai

Lukian CORP SRL

CUI 45484296 | J2022000113139

Aleea Murelor nr.10A, Sp. Com.1, Constanța, România

Supervisory Authority

The competent authority for GDPR compliance oversight in Romania is:

Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)

B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, București, România

www.dataprotection.ro