Legal
Privacy Policy
Last updated: 10 April 2026 · Effective date: 10 April 2026
An official French version of this Privacy Policy is available at luckynomads.io/politique-confidentialite. For consumers domiciled in France, the French version prevails in the event of any conflict.
This Privacy Policy explains how Lucky Nomads (“we”, “us”) collects, uses, stores, and protects personal data when you visit luckynomads.io, use the GeoCompass analytical service, or use the Personal Cockpit while logged into your account. It is published in compliance with Article 13 of Regulation (EU) 2016/679 (“GDPR”).
1. Data Controller
| Name | Lucas Maillard |
| Legal form | Entrepreneur individuel |
| SIREN | 899 945 950 |
| Address | 8 rue de Ribeauvillé, 67600 Sélestat, France |
| Phone | +33 6 58 27 07 88 |
| Email | contact@luckynomads.io |
Data protection contact: Lucas Maillard - contact@luckynomads.io. Lucky Nomads does not meet the thresholds requiring mandatory appointment of a Data Protection Officer (DPO) under Article 37 GDPR.
2. Scope of This Policy
This Policy applies to personal data processed in connection with: (a) visits to and interactions with the website luckynomads.io; (b) purchases of the GeoCompass diagnostic service; (c) completion of the personal assessment questionnaire; (d) use of the Best Country Finder tool (including optional email opt-in); (e) use of the Atlas AI assistant on the public website; (f) all communications with Lucky Nomads by any channel; and (g) use of the Personal Cockpit while logged into your account.
This Policy should be read in conjunction with the Legal Notice, Cookie Policy, and Terms of Service.
3. Personal Data Collected
3.1 Identity and contact data
- Full legal name (free text, questionnaire)
- Email address (provided at checkout and confirmed in the questionnaire)
3.2 Data automatically collected when using the questionnaire (Lucky Nomads site)
- Technical identifiers generated by our systems (for example submission ID, order token) to link your questionnaire response to your purchase and keep the record consistent.
3.3 Questionnaire profile data
Personal, financial, geographic, fiscal, and attitudinal data provided by you through the GeoCompass personal assessment questionnaire. This data is used exclusively to generate your personalised analytical report and for no other purpose.
Note: the questionnaire does not collect special categories of personal data within the meaning of Article 9 GDPR.
3.4 Transaction data
Transaction reference, purchase amount, date of purchase, and payment confirmation data. Payment card data is processed exclusively by Stripe and is never stored by Lucky Nomads.
3.5 Public website analytics (internal system - no personal data)
This subsection concerns traffic on public pages of luckynomads.io only. Authenticated use of the Personal Cockpit is described in section 3.10.
Lucky Nomads uses a minimal, privacy-first internal analytics system to measure aggregated traffic statistics. This system does not use cookies, does not store personal data, and does not identify individual users. IP addresses are processed ephemerally to derive an approximate geographic location and are immediately discarded without storage. This processing is based on the legitimate interest of Lucky Nomads (Art. 6(1)(f) GDPR) to understand its website audience. No individual user can be identified from the statistics collected. Users who prefer not to be counted may opt out at luckynomads.io/analytics/exclude-me.
3.6 Performance metrics (Vercel Speed Insights)
Lucky Nomads uses Vercel Speed Insights to measure site performance (load times, Core Web Vitals). This data is anonymous and does not identify individual visitors. No cookies are used for this purpose. This processing is separate from authenticated usage analytics inside the Personal Cockpit (see section 3.10).
3.7 Technical connection data
IP addresses and connection data collected automatically by the Vercel hosting infrastructure when you visit the website. These data are not used for analytics purposes by Lucky Nomads.
3.8 Best Country Finder
The free Best Country Finder tool (luckynomads.io/best-country-finder) collects the following data when you voluntarily generate a shareable link:
- First name
- Avatar (lifestyle illustration selected)
- Results (top 3 countries and scores)
- Email (optional - only if you opt in to receive your results and updates)
If you do not generate a shareable link or provide your email, no personal data is sent to our servers. The legal basis for processing is consent (Art. 6(1)(a) GDPR). Data is retained for 3 years from the date of collection. You have the right to request deletion of your data at any time by contacting contact@luckynomads.io.
3.9 Atlas AI assistant (website chat)
The website may offer Atlas, an AI-powered chat that answers general informational questions about Lucky Nomads, GeoCompass, methodology, pricing, and other content published on luckynomads.io. Atlas is not connected to private customer profiles, GeoCompass intake answers, decision-engine outputs, or other confidential service data.
When you use Atlas, we may process: the free-text messages you type (including any personal information you choose to include), and technical data needed to operate and secure the feature (for example session or request metadata, timestamps, and security-related logs as implemented on our stack). Please do not paste confidential, sensitive, or unnecessary personal data into the chat. Further detail is set out in section 14.
3.10 Personal Cockpit usage data
When you use the Personal Cockpit while logged into your account, Lucky Nomads may process first-party usage and interaction data generated through your use of the interface. This may include, for example, session duration, pages or views accessed within the Cockpit, buttons or interface elements clicked, frequency of feature usage, timestamps of interactions, and similar in-product event data necessary to understand how the Cockpit is used and improved.
This processing is carried out without cookies and without third-party analytics trackers. The data are collected through Lucky Nomads' own internal systems and are used solely for product analytics, service improvement, UX optimisation, feature evaluation, troubleshooting, and platform security or abuse prevention where relevant.
Because these usage data may be associated with your authenticated account, they may constitute personal data under the GDPR. The legal basis for this processing is Lucky Nomads' legitimate interests under Article 6(1)(f) GDPR, namely to operate, evaluate, secure, and improve the Personal Cockpit and its features.
Unless a longer retention period is required for security, fraud prevention, or legal obligations, Personal Cockpit usage and interaction data are retained for up to 12 months from collection, after which they are deleted or irreversibly aggregated or anonymised where appropriate.
4. Purposes and Legal Bases for Processing
| Purpose | Legal basis (Art. 6 GDPR) | Retention |
|---|---|---|
| Service delivery | Art. 6(1)(b) - Performance of a contract | 5 years from delivery |
| Purchase processing | Art. 6(1)(b) - Performance of a contract | 10 years (accounting) |
| Customer support | Art. 6(1)(b) - Performance of a contract | 3 years from last exchange |
| Legal and accounting obligations | Art. 6(1)(c) - Legal obligation | 10 years from transaction |
| Service improvement (anonymised) | Art. 6(1)(f) - Legitimate interest | 12 months |
| Platform security | Art. 6(1)(f) - Legitimate interest | 12 months |
| Personal Cockpit product analytics and service improvement | Art. 6(1)(f) GDPR - Legitimate interest | 12 months |
| Public website analytics (aggregate traffic) | Not applicable - anonymous aggregate data | Not applicable |
| Best Country Finder (email opt-in) | Art. 6(1)(a) - Consent | 3 years from collection |
| Atlas AI assistant (website chat) | Art. 6(1)(f) - Legitimate interests (and Art. 6(1)(a) where consent applies to any optional technology) | Only as long as necessary for the purposes in section 14 (typically up to 12 months unless security or law requires longer) |
More than one row may rely on legitimate interests (Art. 6(1)(f)) with similar retention periods. Each row still reflects a separate purpose described in the sections above.
AI-assisted analysis (transparency note): Lucky Nomads may use third-party AI services (such as Claude API, OpenAI GPT, or similar) to analyse aggregated and anonymised data derived from historical questionnaire patterns for service improvement. Anonymisation is performed internally before any data is sent to a third party. No data that could identify an individual user is transmitted.
5. Automated Processing and Profiling
GeoCompass performs automated processing of your questionnaire data to generate a personalised Strategic Location Decision Report. This constitutes “profiling” within the meaning of Article 4(4) GDPR.
No legally significant automated decision-making: this processing does not produce any decision with legal effects or otherwise significantly affecting you within the meaning of Article 22 GDPR. The report is an informational tool. All decisions remain entirely your own. You may request a human review of the analytical process at any time by contacting contact@luckynomads.io.
6. Data retention
We retain personal data for as long as your account is active. Retention periods for each major category of data also appear in the table below, including where processing does not involve an online account.
6.1 Account deletion
If you request deletion of your account:
- your account is immediately deactivated
- your personal data is retained for a maximum period of 30 days
- after this period, your personal data is permanently deleted
Certain data may be retained for longer where required by law or for legitimate administrative purposes, including accounting, fraud prevention, or legal obligations.
| Data category | Retention period |
|---|---|
| Identity and contact data | 5 years from service delivery |
| Questionnaire profile data (raw, Lucky Nomads infrastructure) | 90 days from report delivery - deletion on our hosted systems; backup purge within timeframes defined by our hosting sub-processors |
| Questionnaire profile data (processed, Supabase) | 5 years from report delivery - then irreversibly anonymised |
| Best Country Finder data (first name, avatar, results, optional email) | 3 years from collection |
| Transaction and financial records | 10 years from date of transaction |
| Technical logs (IP address, connection data) | 12 months from collection |
| Customer support communications | 3 years from last exchange |
| PDF reports (secure storage) | 5 years from report delivery |
| Personal Cockpit usage and interaction data (authenticated analytics) | 12 months from collection, then deleted or irreversibly aggregated or anonymised where appropriate |
| Atlas AI assistant (conversation-related data and logs, if retained) | Only as long as necessary for the purposes in section 14, typically up to 12 months unless a shorter technical period applies |
Lucky Nomads, acting as data controller, implements deletion of questionnaire data at the end of the applicable retention period on the relevant systems (database, storage, backups managed by our hosting sub-processors).
Deletion: Questionnaire data, identity and contact data, PDF reports, and customer support communications are securely deleted at the end of their respective retention periods. Transaction and financial records are deleted after 10 years from the date of transaction (accounting obligations). Technical logs are deleted after 12 months.
Anonymisation: Questionnaire profile data stored in Supabase are irreversibly anonymised after 5 years from report delivery. Public website analytics data are processed exclusively as aggregated anonymised statistics and do not constitute personal data under GDPR. Authenticated Personal Cockpit usage and interaction data are handled separately as described in section 3.10 and in the data category table above.
7. Data Sharing and Sub-processors
Lucky Nomads does not sell, rent, or trade your personal data. Data are shared only with the following sub-processors strictly necessary for service delivery, each acting under contractual data processing agreements pursuant to Article 28 GDPR:
| Provider | Role | Transfer safeguard |
|---|---|---|
| Stripe | Payment processing | EU-US DPF |
| Supabase | Database (client profiles, GeoCompass questionnaire, Best Country Finder, Personal Cockpit account and related data) | Standard Contractual Clauses (SCCs) |
| Vercel | Website hosting and PDF report generation (application runtime) | EU-US DPF |
| Resend | Transactional email delivery (order confirmations, reports, product emails) | EU-US DPF |
| Google (Workspace) | Business email hosting for @luckynomads.io mailboxes and messages handled there | EU-US DPF; Google Workspace DPA |
| Google (Generative AI API) | Processing of Atlas chat prompts and generation of informational responses (public-site assistant only) | EU-US DPF and/or Google Cloud DPA and Standard Contractual Clauses as applicable |
| Sync.com | Supplementary backup storage | Canada adequacy decision |
8. International Data Transfers
Some sub-processors are established outside the EEA. Lucky Nomads relies on the following safeguards:
- EU-US Data Privacy Framework (DPF): Stripe, Vercel, Google (including services used for Atlas where DPF applies), and Resend are DPF-certified (Adequacy Decision of 10 July 2023).
- Canada adequacy: Sync.com benefits from the Commission adequacy decision recognising PIPEDA.
- Standard Contractual Clauses (SCCs): used where no adequacy decision or DPF certification applies.
Lucky Nomads actively monitors the validity of the EU-US DPF framework. In the event of its invalidation, transfers would be immediately covered by Standard Contractual Clauses (SCCs) adopted by the European Commission, which are already included in our Data Processing Agreements (DPAs).
Lucky Nomads also monitors the Canada adequacy framework (PIPEDA). In the event of any change to this framework, Lucky Nomads will adapt its transfer safeguards accordingly.
You may obtain a copy of applicable transfer safeguards by contacting contact@luckynomads.io.
9. Data Security
Lucky Nomads implements appropriate technical and organisational measures including HTTPS encryption for all data in transit, access controls limiting data access to authorised personnel, and reliance on infrastructure providers maintaining enterprise-level security standards.
Data are encrypted at rest at the relevant sub-processors (Supabase, Resend, Sync.com, and Google Workspace for business mailboxes) in accordance with their security standards documented in the respective Data Processing Agreements (DPAs).
Data breach notification: in the event of a personal data breach likely to result in a risk to your rights and freedoms, Lucky Nomads will notify the CNIL within 72 hours (Article 33 GDPR) and inform affected individuals without undue delay where a high risk is likely (Article 34 GDPR).
Personal Cockpit — additional data categories
When you use the Personal Cockpit while logged into your account, Lucky Nomads processes account data (email, username), dashboard snapshot data you edit, timestamps of analytical runs, and first-party usage and interaction data generated through your use of the Cockpit interface, as described in section 3.10. Optional renewal payments are processed by Stripe under its own privacy notice.
Retention by account status: while your account is active, data are kept to operate the service. If the Cockpit is in read-only mode after non-renewal, profile and history data are retained until you request erasure or the relationship ends, unless a longer period is required by law. You may request full account deletion at any time from Settings in the Cockpit (see section 6). That process deactivates access immediately and schedules permanent deletion of personal data within a maximum of 30 days, subject to legal retention where applicable. Where access is revoked following a refund, personal data may be deleted within thirty days.
You may exercise GDPR rights (access, rectification, erasure, restriction, portability, objection) through your account interface where available, or by contacting contact@luckynomads.io. Where applicable, you can also update profile fields directly in the Cockpit while your access is active.
10. Your rights
10.1 Right to erasure
You have the right to request the erasure of your personal data at any time.
You can do so directly from your account settings.
Upon request:
- your access to the service is revoked immediately
- your account enters a deletion process
- your data is permanently deleted within a maximum period of 30 days
The following table summarises the main GDPR rights that may apply. Erasure in practice, including through your account settings, is described in section 10.1 above.
| Right | Description |
|---|---|
| Access (Art. 15) | Obtain confirmation of whether your data are processed and receive a copy of the data held about you. |
| Rectification (Art. 16) | Request correction of inaccurate or incomplete personal data. |
| Erasure (Art. 17) | Request deletion of your personal data where no longer necessary or where processing is unlawful. Subject to legal retention obligations. |
| Restriction (Art. 18) | Request that processing be limited in certain circumstances. |
| Portability (Art. 20) | Receive your questionnaire data in a structured, machine-readable format. |
| Object (Art. 21) | Object to processing based on legitimate interests. Lucky Nomads will cease processing unless compelling legitimate grounds are demonstrated. |
| Automated decisions (Art. 22) | GeoCompass does not produce legally significant automated decisions. You may request human review of the analytical output at any time. Atlas generates text using automated means but does not, in how we offer it today, produce legally significant decisions about you on its own within the meaning of Article 22 GDPR. |
10.2 How to exercise your rights
You can exercise your rights directly through your account interface.
If you are unable to do so, you may contact us at contact@luckynomads.io.
We will respond to your request within one month, in accordance with applicable data protection laws. This deadline may be extended by up to two additional months for particularly complex or numerous requests. Lucky Nomads will inform you of any such extension within the first month. All requests are free of charge.
Right to lodge a complaint: you may lodge a complaint with the CNIL (3 Place de Fontenoy, 75334 Paris Cedex 07) or with the supervisory authority of your country of residence within the EU.
11. Children's Data
The GeoCompass service is intended exclusively for individuals aged 18 and over. Lucky Nomads does not knowingly collect personal data from persons under the age of 18. If you believe a minor has provided personal data, please contact contact@luckynomads.io.
12. Cookies and Tracking Technologies
The website luckynomads.io uses only strictly necessary cookies. No consent banner is displayed. Traffic on public pages is measured using a cookieless, privacy-first internal analytics system that collects no personal data. In-product usage measurement in the Personal Cockpit while you are logged in is also carried out without cookies and without third-party analytics trackers, as described in section 3.10. The opt-out at luckynomads.io/analytics/exclude-me applies only to anonymous public traffic statistics, not to authenticated Cockpit usage analytics. If you prefer not to be counted in those anonymous public statistics, use that link. For full details, see the Cookie Policy.
13. Changes to This Privacy Policy
Lucky Nomads may update this Privacy Policy to reflect legal, technical, or operational changes. Where changes are material, Lucky Nomads will notify you by email with a minimum of 30 days' notice. Historical processing remains governed by the Policy in force at the time of collection.
14. Atlas AI assistant (website chat)
Atlas is an optional feature on luckynomads.io. It helps visitors find and understand public information about Lucky Nomads, GeoCompass, methodology, pricing, and other pages on this site. It is not connected to private customer decision-engine data, intake questionnaires, or similar confidential records.
Data that may be processed: the content of your messages (which may include personal data if you choose to type it), plus technical data required to run, secure, and troubleshoot the chat (for example device or browser type, approximate location derived from IP where applicable, timestamps, session or request identifiers, and security-related logs). Please avoid sending confidential, sensitive, or unnecessary personal data.
Purposes: to provide responses, to operate and secure the service, and to improve the feature where we do so in a privacy-conscious way (for example quality and safety monitoring), without using Atlas to access private GeoCompass client data.
Legal basis (GDPR): primarily legitimate interests (Art. 6(1)(f)) in offering a helpful website experience, supporting visitors, securing our systems, and improving our public-facing services, balanced against your rights. Where consent is required for a specific technology (for example certain non-essential cookies, if ever used in connection with the chat), Art. 6(1)(a) may also apply as described in our Cookie Policy.
Recipients: hosting and infrastructure providers (including Vercel), AI model and API providers (including Google Generative AI for Atlas where configured), and other technical subprocessors strictly necessary to deliver the feature, acting on our instructions under Article 28 GDPR where applicable.
Retention: we keep chat-related data only as long as necessary for the purposes above, including security, legal compliance, and dispute resolution. Unless a shorter technical period applies by design, a typical upper bound is 12 months. Exact periods may depend on logging and provider settings.
Your rights: where the GDPR applies, you may have the rights of access, rectification, erasure, restriction, objection (where applicable), portability, and the right to lodge a complaint with a supervisory authority, as set out in section 10. To exercise your rights or ask privacy questions, contact contact@luckynomads.io.
15. Contact
| Email | contact@luckynomads.io |
| Phone | +33 6 58 27 07 88 |
| Website | https://luckynomads.io |
| Postal address | 8 rue de Ribeauvillé, 67600 Sélestat, France |
Published in compliance with Regulation (EU) 2016/679 (GDPR) and applicable French data protection legislation.