Privacy notice for beneficiaries and users of the websites
Last update: 31st of July 2025
PLUXEE Luxembourg S.A. is a public limited company belonging to the PLUXEE Group (hereinafter referred to as "PLUXEE" or "We"). Your privacy and the protection of your Personal Data are important to us. We have developed this Privacy Policy to inform you about how we collect, use and process your Personal Data (the "Policy"). This Notice also describes the measures we take to ensure the protection of your Personal Data and explains how you can contact us if you have any questions about the protection of your Personal Data.
PLUXEE undertakes to comply with all applicable regulatory and legislative provisions regarding the protection of Personal Data.
1. Purpose of this notice
This Notice applies to users of our Sites: the Websites available via the following links : www.pluxee.lu and https://consumers.pluxee.lu/ as well as the "Pluxee" application available on the Apple Store and Google Play and owned by PLUXEE International S.A. This Notice covers all users, including those who use the Website and Services without registering or subscribing to a specific service or account (hereinafter collectively referred to as "Users"). This Notice also applies to beneficiaries of Pluxee Tickets as defined in section 3 below.
Please read this Notice carefully to understand what categories of Personal Data are collected and processed, how we use this Personal Data and with whom we may share it. This Notice also describes your rights and how you can contact us to exercise them or to ask us any questions you may have about your Personal Data.
This privacy policy is an integral part of the General Terms and Conditions of Use of the Interface.
2. Identity and contact details of the data controller
The Data Controller is:
PLUXEE Luxembourg S.A.
Registered office: 39, rue du Puits Romain, L-8070 Bertrange, Grand Duchy of Luxembourg
R.C.S. Luxembourg: B 31382
3. Definitions
| Supervisory authority | Refers to an independent public authority responsible for the protection of personal data established by a Member State as indicated in the GDPR. In the Grand Duchy of Luxembourg, this is the National Commission for Data Protection, www.cnpd.public.lu |
| Account | Personal space dedicated to the User of a Site, which they access when they register and log in to the Sites. It allows the User to access the Services. |
| Local point of contact for data protection | Local point of contact for data protection: refers to the person appointed by a Pluxee entity and responsible for handling local issues relating to personal data protection. The contact is part of Pluxee's global personal data protection network. |
| Cookies | As defined in the Cookie Policy available at : https://www.pluxee.lu/ |
| Personal Data | All personal data processed by the Data Controller and/or collected directly or indirectly from Data Subjects. In particular, information relating to an identified or identifiable natural person is considered Personal Data under the Personal Data Protection Regulations. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific or sufficient to identify uniquely the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. |
| we or our | PLUXEE Luxembourg S.A. (hereinafter "PLUXEE"), a public limited company under Luxembourg law, established and having its registered office at 39, rue du Puits Romain, L-8070 Bertrange, registered in the Trade and Companies Register, Luxembourg, section B, under number 31382 (hereinafter "Pluxee"). |
| Data subject | Any identified or identifiable natural person whose Personal Data is subject to Processing. |
| Third country | Any country, territory or sector defined in that country, outside the European Union (EU) and the European Economic Area (EEA). |
| General Data Protection Regulation or GDPR or Regulation | General Data Protection Regulation or GDPR or Regulation: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, replacing Directive 95/46/EC. |
| Data Controller | The entity Pluxee (Pluxee Luxembourg S.A.) which, alone or jointly with other Pluxee entities or third parties, determines the purposes and means of the processing of Personal Data. |
| Service | All activities involving the provision of products ("Tickets", see below) offered by PLUXEE. |
| Processor | Any natural or legal person who processes or subcontracts the processing of Personal Data on behalf of the Data Controller and in accordance with the latter's instructions. |
| Websites | Refers to the website www.pluxee.lu as well as the Pluxee web portal available at https://consumers.pluxee.lu and the "Pluxee" application available on the Apple Store and Google Play and owned by PLUXEE International. |
| Third Party | Any company or entity other than the Data Controller, the Processor and the Data Subject which, under the direct authority of the Data Controller or the Processor, is authorised to process Personal Data. |
| Vouchers | (Pluxee Lunch) meal vouchers, gift vouchers (Pluxee Gift), or any other voucher made available by PLUXEE, whether issued in paper or electronic form. |
| Processing or Processed | Any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, communication by transmission, dissemination or any other form of making available, alignment or interconnection, restriction, erasure or destruction. |
| You or Users | Any user/visitor of the Sites and, more generally, all beneficiaries of the Titles using the Sites from Luxembourg territory or whose place of work is in the Grand Duchy of Luxembourg (even those who are not registered on our Sites). |
4. Collection and origin of personal data
We undertake to comply with all applicable legislation on the protection of personal data and will ensure that Personal Data is collected and processed in accordance with the provisions of European law on the protection of personal data and any other applicable local legislation, where applicable.
We may collect your Personal Data directly (in particular via the collection forms available on our Site) or indirectly (via our service providers, customers, subcontractors).
5. Categories of personal data processed and purpose
a. Personal data processed
We may collect and process the following categories of Personal Data in particular:
- data provided by the employer when ordering Tickets;
- information you provide when filling out forms on the Website (e.g. for registration, participation in surveys, marketing purposes, participation in competitions, when downloading the application, contact forms, etc.);
- information you provide for authentication purposes;
- transaction data such as payment information and payment card information, which is transmitted directly to third parties who process your requests;
- Information you provide about your Pluxee card number;
- your preferences for receiving commercial/marketing information from us and our third parties and your communication preferences;
- Your geolocation data, where you have consented to this;
- Your browsing data.
- Information collected via cookies as defined in our Cookie Policy .
Personal Data identified by an asterisk (*) in the collection forms is mandatory as it is necessary for the request to be processed. If this mandatory information is not provided, these operations cannot be carried out.
Please find details of the different data collected for the different purposes in the table in Appendix 1 below.
Without this list being exhaustive, Personal Data may be collected for the following purposes (a more detailed description of the processing of your Data can be found in Appendix 1 below):
- Cookies
- Account creation and management
- Website and Application management
- Management of the relationship with the beneficiary or user
- Commercial management
Please note that you can click on the icons for social media platforms such as Instagram, Facebook, LinkedIn, YouTube, etc. on our Websites.
When you click on these icons, we may have access to the Personal Data that you have indicated as public and accessible from your profiles on the relevant social networks. However, we do not create or use any database independent of these social networks from the Personal Data that you may publish there, and we will not process any data relating to your private life through this means.
If you do not want us to have access to Personal Data published in the public area of your social media profiles or accounts, you must use the means provided by the social media networks concerned to restrict access to this data.
b. Sensitive personal data
We do not collect Sensitive Personal Data. Sensitive Personal Data is considered to be any information relating to a natural person's racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, health, or sex life or sexual orientation. This definition also includes Personal Data relating to criminal convictions and offences.
In the event that the collection of such Data is strictly necessary to fulfil the purpose of the processing, we will do so in accordance with the requirements of local legislation on the protection of Personal Data and, where applicable, with your prior explicit consent and under the conditions described in this Notice.
c. Personal data of minors
PLUXEE's services and Website are intended for adults who are capable of entering into legal obligations in accordance with the legislation of the country in which you are located.
Minors under the age of 16 or who are legally incapable must obtain the prior consent of their legal guardian before entering their Personal Data on the Website.
6. Legal basis for the processing of personal data
All Processing of Personal Data that we carry out is done in a fair, transparent and lawful manner within the meaning of the GDPR. We may Process your Personal Data on the basis of one of the legal grounds listed below:
(i) in the context of the performance of an agreement to which you are a party;
(ii) compliance with a legal obligation to which we are subject;
(iii)to protect your vital interests or those of a data subject;
(iv) your prior consent to the Processing in question;
(v) the legitimate interests pursued by PLUXEE, unless your interests or fundamental rights and freedoms prevail; and
(vi) the performance of a task carried out in the public interest or in the exercise of official authority vested in us.
In practical terms, we mainly process your Personal Data in connection with the performance and management of our contractual relationship with you, our legitimate interest in improving the quality and operational excellence of the Services we offer you, or compliance with certain regulatory obligations depending on the purpose of the processing as identified in the table in Appendix 1 below.
Your Personal Data may also be processed on the basis of your prior consent, where this is required in certain situations (for example, concerning data collected for marketing purposes or for the use of certain types of Cookies).
Please find more information on the legal basis for each of our processing operations in in Appendix 1 below.
7. Accuracy and limitation of the retention period of personal data
PLUXEE will ensure that the Personal Data processed is accurate and, where necessary, kept up to date. However, please note that PLUXEE also relies on your cooperation to notify us of any changes to your Personal Data. In addition, we will only retain Personal Data for as long as necessary for the purposes for which it was collected, including to meet legal, accounting or reporting obligations. Where necessary, we will also retain Data for as long as necessary to enable PLUXEE to defend or assert its rights in court.
Please note that the retention period may vary depending on the Processing and Personal Data concerned. To determine the retention period applicable to your Personal Data, we take into account several criteria such as:
- The purpose for which we retain your Personal Data (for example, we retain your Personal Data for a period necessary to enable us to fulfil our legal or regulatory obligations, or necessary for the provision of our Services or on the basis of our legitimate interest);
- Our legal and regulatory obligations regarding such Personal Data (e.g., accounting reporting obligations) or any European or local recommendations (e.g., regarding the use of cookies);
- If you have agreed to receive commercial/marketing communications, we will retain your Personal Data until you: (i) unsubscribe from receiving marketing communications (ii) request that we delete your Personal Data, or (iii) after a period of inactivity (i.e. when you have not interacted with us for a certain period of time). This period is defined in accordance with local regulations and guidelines;
- Any specific request from you regarding the deletion of your Personal Data or your account; and
- The statutory limitation periods that allow us to exercise our own rights, such as defending any legal claims in the event of a dispute;
Please find more information on the retention period for your Personal Data in Appendix 1 below.
If you would like more information about the retention periods for your Personal Data as set out in our Data Retention Policy, please contact us at privacy.lu@pluxeegroup.com
Upon expiry of the applicable retention period, we will ensure that your Personal Data is destroyed or anonymised in accordance with the Personal Data Protection Regulations.
Please find more information on the retention period for your Personal Data in Appendix 1 below.
8. Sharing and communication of personal data
The security and confidentiality of your Personal Data is of great importance to us. That is why we restrict access to your Personal Data to members of our staff who are relevant to processing your Personal Data and to the extent that the processing of your Data is strictly necessary to process your request or to provide you with the requested Service. We ensure that persons authorised to process Personal Data are subject to a duty of confidentiality, an obligation of confidentiality or are subject to an appropriate legal obligation of confidentiality.
We may also share your Personal Data with entities within PLUXEE and with other recipients in order to ensure the proper performance of our Services or for other purposes described in this Notice. Without this list being exhaustive, these may include the following recipients:
- With duly authorised external service providers and only in connection with the Services we provide. Without this list being exhaustive, these include the following categories of service providers:
- IT service providers responsible for hosting and maintaining the Sites;
- The service provider responsible for producing the PLUXEE Card;
- Service providers responsible for processing the data necessary for the execution of transactions via the Sites;
- Service providers responsible for monitoring the quality of Services (Customer Service (call centre));
- The service provider responsible for direct mail on behalf of PLUXEE;
- PLUXEE's legal, financial and accounting advisors.
- With companies that provide services to combat money laundering and terrorist financing, and other types of fraud or illegal activities, and with third parties that provide similar services, such as financial institutions or regulators ;
- With courts, law enforcement authorities, regulators, government authorities, and with other parties when reasonably necessary for the exercise or defence of a legal right, or for the purposes of extrajudicial dispute resolution;
- With internal or external service providers that we engage locally or in third countries to process Personal Data on our behalf for the purposes described above (e.g., shared service centres);
- In the event of a sale, merger or acquisition of businesses or assets, in which case we may transfer your Personal Data to the potential buyer or seller in order to assign or novate rights or obligations.
We ensure that any sharing, transfer or communication of your Personal Data to an approved service provider is governed by a personal data processing agreement that reflects the commitments set out in this Notice. Furthermore, PLUXEE only works with service providers that have undergone a prior risk assessment and offer sufficient guarantees, particularly in terms of data security and confidentiality.
We do not authorise these service providers to use or disclose your data, except to the extent necessary to perform the Services on our behalf or to comply with legal obligations. Furthermore, we may share Personal Data (i) if required to do so by law or legal process, (ii) in response to a request from public authorities or other government officials, or (iii) if we believe that the disclosure is necessary or appropriate to prevent physical harm or financial loss, or in connection with an investigation of suspected or actual illegal activity.
9. Transfer of personal data
Given the international nature of the PLUXEE group, your Personal Data may be transferred to recipients, either within the PLUXEE group or outside it, who are authorised to perform services on our behalf. These recipients may be located in third countries, i.e. outside the European Union or the European Economic Area, which are not considered to offer an adequate level of protection for Personal Data. If your Personal Data must be transferred to third countries, PLUXEE will take all necessary and appropriate measures to ensure the security and confidentiality of your Personal Data transferred and thus ensure a level of protection equivalent to that in force within the European Union or the European Economic Area. Such transfers will be governed by one of the mechanisms provided for in Chapter V of the GDPR (adequacy decision, Standard Contractual Clauses, binding corporate rules, etc.). If you would like more information about the international transfers of Personal Data that we may carry out and the appropriate safeguards in place to secure such transfers, please refer to section 16 "Contact us" of this Notice.
10. Security of personal data
We take all reasonable measures in accordance with the principles of privacy by design and privacy by default to implement the necessary safeguards and secure the Processing of Personal Data. Depending on the level of risk presented by the Processing, we also carry out a privacy impact assessment to adopt appropriate protective measures and ensure the protection of Personal Data. We also offer additional security guarantees for sensitive Personal Data.
Furthermore, we implement appropriate technical and organisational measures to protect Personal Data against accidental or unlawful alteration or loss, or against unauthorised use, disclosure or access, in accordance with our Procedure for the Management of Personal Data Breaches and our Information and IT Systems Security Policy. In this regard, we take all necessary precautions, given the nature of the Personal Data and the risks presented by the processing, to preserve the security of the data and, in particular, to prevent it from being distorted, damaged or accessed by unauthorised third parties (physical protection of premises, authentication procedures with personal and secure access via confidential usernames and passwords, connection logging, encryption of certain data, etc.).
We regularly carry out audits to verify the proper operational application of the rules relating to the security of your Personal Data. However, you also have a responsibility to ensure the security and confidentiality of your Personal Data, and we therefore invite you to remain vigilant, particularly when using an open system such as the internet.
You undertake to keep your password and access code secret and confidential. Any use of identification details is your sole responsibility. In the event of loss, theft or fraudulent use of any of these details, you must notify PLUXEE in writing as soon as possible.
11. Your rights
PLUXEE undertakes to facilitate the exercise of your rights in accordance with applicable regulations. Below is a table summarising the various rights you have under the GDPR:
| Right to information | You may request information or explanations about how your Personal Data is processed and about the existence and exercise of your rights under the GDPR. |
| Right of access | You may request access to and a copy (if reasonable in volume) of the Personal Data we hold about you. |
| Right to rectification | You may also request the rectification of inaccurate Personal Data or the completion of incomplete Personal Data. |
| Right to erasure/right to be forgotten |
Your right to be forgotten allows your Personal Data to be erased when:
|
| Right to restriction of processing |
You may request that processing be restricted when:
|
| Right to data portability |
Where applicable, you may request the portability of your Personal Data that you have provided to PLUXEE in a structured, commonly used and machine-readable format, and you have the right to transmit this Personal Data to another Data Controller without PLUXEE preventing this, when:
|
| Right to object | You have the right to object (right to "withdrawal") to the Processing of your Personal Data (in particular profiling or commercial communications). When we Process your Personal Data on the basis of your consent, you may withdraw your consent at any time. |
| Right not to be subject to automated decisions, including profiling | You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This means that you have the right to request that a human being intervene in the decision-making process. You also have the right to express your point of view and to contest the decision. |
| Right to lodge a complaint | You may decide to lodge a complaint with the Data Protection Supervisory Authority in your country of habitual residence. In Luxembourg, this is the National Commission for Data Protection (CNPD), 15, boulevard du Jazz L-4370 Belvaux Luxembourg, http://www.cnpd.lu ). You also have the right to bring legal proceedings before the courts of the country in which PLUXEE has an establishment or the country in which you have your habitual residence. |
You may exercise all of the above rights at any time, or you may contact us with any questions or concerns regarding data protection by completing the request form as indicated in the Privacy Notice available at the time of collection of your Personal Data or by contacting our data protection officer at privacy.lu@pluxeegroup.com .
You may, at any time and without justification, exercise these rights or contact us with any request or complaint regarding the protection of your Personal Data in one of the following ways:
- by sending the context of your request (the right you wish to exercise, the data processing concerned by your request, etc.) to our data protection contact point at the following address:privacy.lu@pluxeegroup.com ; or
- by completing the request form.
In order to ensure the identity of the person making the request to exercise their rights or obtain information about their Personal Data, we will verify the identity of the person making the request in our systems. If we have reasonable doubts as to the identity of the person making the request to exercise their rights, we may request additional information to confirm the identity of the person concerned.
The exercise of your rights under the GDPR is free of charge unless we consider the request to be manifestly unfounded or excessive (e.g. in the case of repeated or excessive requests).
We will respond to your request within the time limit prescribed by the GDPR, i.e. one month from receipt of your request. This period may be extended by up to two months if the request is complex and/or due to the number of requests we have to process. If this period is extended, you will be notified of this and the reason for the extension.
Please note that in certain circumstances provided for by law, we may refuse access to your information or not grant your request when we are legally authorised or obliged to do so. In the event of a manifestly unfounded or excessive request, we may also refuse to comply with your request(s).
12. Cookies
Some of our Sites may use "cookies". Cookies are pieces of text placed on your computer's hard drive when you visit certain websites. This file includes information such as the domain name, Internet service provider, operating system, and the date and time of the user's access.
Cookies are not used to determine the identity of an individual visiting our Interface. Cookies enable us, for example, to determine your display language in order to improve your browsing experience. They also enable us to process information about your visit to the Interface, such as the pages you have viewed and the searches you have made, in order to improve the content of the Interface, track your interests and offer you the most relevant content.
For example, we may use cookies to track your activity to ensure that your visit to our Site is as smooth as possible and to ensure that we offer you options tailored to your preferences on your next visit. We may also use cookies to analyse traffic and for advertising purposes.
Cookies can improve your online experience by saving your preferences when you visit one of our websites. In this case, we will inform you about the types of cookies we use and how you can disable them. Under current regulations, you will also have the option of visiting our websites while refusing the use of cookies on your computer at any time. If you would like more information about the cookies we use and how to express your preferences in this regard, please consult our Notice on the use of cookies .
If you do not wish to receive cookies from our Interface, you can configure your browser. Each browser has different settings for managing your choices. These are described in your browser's help menu, which will tell you how to change your cookie preferences. Please note that for some cookies, you can indicate your choice directly in the Cookie Settings at the bottom of the Interface (https://consumers.pluxee.lu; Cookie Settings) or at www.pluxee.lu .
Finally, by clicking on the icons dedicated to social networks such as Instagram, Facebook, LinkedIn, etc. appearing on our Interface, if applicable, and if you have accepted the use of cookies by continuing to browse the Interface, the social networks concerned may also place cookies on your devices (computer, tablet, mobile phone). However, you can withdraw your consent to these social networks placing this type of cookie at any time.
For more information, including on the retention period and the type of cookies used, please consult our Cookie Management Policy here.
13. Links to other websites and social networks
We occasionally provide links to other platforms for convenience and information purposes. These platforms operate independently of our Sites and are not under our control.
These links to other websites should not be considered as tracking your browsing and we accept no responsibility for the Personal Data Protection implemented by these third-party companies, each of which acts as a separate Data Controller of your Personal Data within their own scope. Once you leave our Site or click on the logo/link to one of these third-party platforms or social networks, it is your responsibility to check the Terms of Use and Privacy Policy applicable to that other platform. We also decline all responsibility for the content of these sites, for the products and services that may be offered on them or for any other use.
14. Updates to our privacy notice
This Notice may be modified, supplemented or updated in order to comply with any changes in our legal, regulatory, jurisprudential or technical obligations or constraints. In the event that we make significant changes to this Notice, we will notify you when the changes come into effect. However, we encourage you to review this Notice regularly to stay informed of the latest changes.
15. Unsubscribing or changing your preferences
If you have subscribed to certain Services via our Site and no longer wish to receive emails in the future, please visit the unsubscribe page for the Service you have subscribed to or go to "Cookie Settings", the button in the footer of our website's home page, to change your preferences at any time.
16. Contact
If you have any questions or comments about this Notice, please feel free to contact our local data protection contact point via the online form or via the email address privacy.lu@pluxeegroup.com