Contact Friendship Lodge 4
If you live in Luxembourg, you speak English and you have an interest in Freemasonry, please feel free to contact us for more information.
Privacy Policy
This document is only available in English
Last updated: 10 February 2026
Friendship Lodge No. 4 (“we”, “us”, “our”, or “the Lodge”) operates the website www.f4.lu. We are committed to protecting the privacy and personal data of everyone who interacts with our website, whether as a visitor, prospective member, or current member.
This privacy policy explains what personal data we collect, why we collect it, how we use it, who we share it with, and what rights you have under the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the Luxembourg Law of 1 August 2018 organising the National Data Protection Commission.
1. Data Controller
The data controller responsible for processing your personal data is:
Friendship Lodge No. 4
c/o The Worshipful Master
5, rue de la Loge
Luxembourg
For any questions or requests regarding this privacy policy or your personal data, please contact us:
- Email: [email protected]
- Phone: +352 229451
- Fax: +352 26864977
- Contact form: www.f4.lu/contact
2. What Personal Data We Collect
The categories of personal data we collect depend on how you interact with our website.
2.1 Website Visitors (Public Pages)
When you browse our public pages (Home, Contact, Privacy Policy), we collect:
- Technical data: IP address, browser type and version, operating system, pages visited, date and time of access. This data is collected automatically through server logs and our security systems.
- Cookie data: Strictly necessary cookies required for the website to function and, with your consent, cookies for consent management. See Section 8 for full details.
2.2 Contact Form Submissions
When you submit our contact form, we collect:
- All enquiries: First name, last name, email address, message content, and your consent acknowledgement.
- General enquiries: Subject line.
- Visit enquiries: Phone number, and optionally your current lodge, Masonic rank, and preferred visit date.
- Membership enquiries: Phone number, postal address, date of birth, occupation, and optionally how you heard about us.
- Technical metadata: Your IP address and the date and time of submission are logged for security and anti-abuse purposes.
2.3 Members and Registered Users
If you are a member or registered user of the Lodge, we additionally process:
- Account data: Username, email address, password (stored as a cryptographic hash, never in plain text).
- Membership data: Lodge affiliation, membership dates, roles, and degree information.
- Event data: Event invitations, RSVP responses, and attendance records.
- Communication data: Emails sent to you through our platform (transactional notifications, event invitations, lodge communications).
- Session data: IP address, browser information, and session activity timestamps, collected when you log in.
- Audit data: Records of significant account actions (e.g., login, profile changes) including IP address and browser information, maintained for security purposes.
- Financial data: Dues and fee records associated with your membership.
- Documents: Any documents uploaded or associated with your account.
2.4 Candidate (Membership Application) Data
If you apply for membership, we process additional data as part of the application process:
- Date of birth, postal address, occupation, and any information you provide in your application.
2.5 Data We Do Not Collect
We do not use any analytics services (such as Google Analytics), advertising trackers, social media pixels, or remarketing tools on this website. We do not sell, rent, or trade your personal data.
3. Sensitive Personal Data
Certain data we process may reveal philosophical beliefs or association membership, which constitutes special category data under GDPR Article 9. This includes information relating to your membership of or affiliation with the Lodge, such as Masonic degree and lodge membership.
We process this data on the basis of GDPR Article 9(2)(d): processing is carried out in the course of the legitimate activities of our non-profit association, with appropriate safeguards, and relates solely to our members, former members, or persons who have regular contact with us in connection with our purposes. This data is not disclosed outside the Lodge without your explicit consent.
4. Purposes and Legal Bases
We process your personal data for the following purposes, each with its corresponding legal basis under GDPR Article 6(1):
| Purpose | Legal Basis |
|---|---|
| Responding to your contact form enquiry | Consent — Art. 6(1)(a). You give consent by ticking the checkbox on the contact form. |
| Processing membership applications | Performance of a contract (or pre-contractual steps at your request) — Art. 6(1)(b) |
| Managing member accounts, events, communications, and dues | Performance of a contract — Art. 6(1)(b) |
| Sending transactional emails (event notifications, password resets, lodge communications) | Performance of a contract — Art. 6(1)(b) |
| Protecting the website against attacks, abuse, and unauthorised access (firewall, IP logging, rate limiting, security monitoring) | Legitimate interest — Art. 6(1)(f). Our legitimate interest is ensuring the security and integrity of our website and members’ data. |
| Maintaining audit logs of significant user actions | Legitimate interest — Art. 6(1)(f). Our legitimate interest is accountability and security. |
| Checking passwords against known data breaches | Legitimate interest — Art. 6(1)(f). Our legitimate interest is protecting user accounts. Only the first 5 characters of a SHA-1 hash are sent; your actual password is never disclosed. |
| Optimising images for faster page loading | Legitimate interest — Art. 6(1)(f). Our legitimate interest is website performance. Only image files are transmitted; no personal data is included. |
| Creating and storing backups of the website | Legitimate interest — Art. 6(1)(f). Our legitimate interest is protecting against data loss. |
| Setting strictly necessary cookies | Exempt from consent under ePrivacy Directive Art. 5(3) — these cookies are essential for the website to function. |
| Recording your cookie consent preferences | Legal obligation — Art. 6(1)(c). We are required under the ePrivacy Directive to obtain and record your consent for non-essential cookies. |
Where processing is based on consent, you may withdraw your consent at any time (see Section 10). Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
Where processing is based on legitimate interest, you have the right to object at any time (see Section 10). We will then assess whether our compelling legitimate grounds override your interests, rights, and freedoms.
5. Who We Share Your Data With
We do not sell, rent, or trade your personal data. We share personal data only with the following categories of recipients, strictly to the extent necessary for the purposes described above:
5.1 Hosting Provider
| Provider | Service | Data Processed | Location |
|---|---|---|---|
| 352 Digital S.à r.l. (CloudHosting.lu) | Web hosting | All website data, server logs (IP addresses, request data) | Luxembourg |
5.2 Email Delivery
| Provider | Service | Data Processed | Location |
|---|---|---|---|
| Sinch / Pathwire (Mailgun) | Transactional email delivery | Email addresses, email content (subject, body, attachments) | EU (European endpoint) |
| Mailjet (backup) | Transactional email delivery | Email addresses, email content | EU |
5.3 Security Services
| Provider | Service | Data Processed | Location |
|---|---|---|---|
| Defiant Inc. (Wordfence) | Web application firewall, security monitoring | IP addresses, request data, attack signatures, security events | United States |
| Troy Hunt (HaveIBeenPwned) | Password breach detection | First 5 characters of SHA-1 password hash only (k-anonymity model) | United States |
5.4 Image Optimisation
| Provider | Service | Data Processed | Location |
|---|---|---|---|
| WP Media (Imagify) | Image compression and optimisation | Image files (no personal data unless images contain personal data) | France (EU) |
5.5 Third-Party Content Embedded on Our Pages
| Provider | Content | Page | Data That May Be Transmitted | Location |
|---|---|---|---|---|
| OpenStreetMap Foundation | Map embed (iframe) | Contact page | Your IP address and browser information are sent to OpenStreetMap’s servers when the map loads | United Kingdom |
| Automattic Inc. (Gravatar) | Member avatar images | Members-only dashboard | An MD5 hash of the member’s email address is sent to Gravatar’s servers; your IP address and browser information are transmitted when the avatar image loads | United States |
We do not embed any social media plugins, advertising networks, analytics scripts, or Google services on this website.
6. International Data Transfers
Some of the services listed above involve the transfer of personal data outside the European Economic Area (EEA), specifically to the United States and the United Kingdom.
6.1 United States
Where personal data is transferred to service providers in the United States, we rely on one or more of the following safeguards:
- EU-U.S. Data Privacy Framework (DPF): Where the recipient is certified under the DPF, the European Commission’s adequacy decision (Implementing Decision (EU) 2023/1795) provides an appropriate level of protection.
- Standard Contractual Clauses (SCCs): Where the recipient is not DPF-certified, we ensure that appropriate Standard Contractual Clauses adopted by the European Commission are in place.
6.2 United Kingdom
The European Commission has adopted an adequacy decision for the United Kingdom (Implementing Decision (EU) 2021/1772). Transfers to the UK (OpenStreetMap Foundation) are therefore permitted without additional safeguards.
6.3 European Union
Data processed by our hosting provider (Luxembourg), email service (EU endpoint), and image optimisation service (France) remains within the EU/EEA and does not require additional transfer safeguards.
You may request a copy of the applicable safeguards by contacting us at the address provided in Section 1.
7. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. The following retention periods apply:
| Data Category | Retention Period |
|---|---|
| Contact form submissions (non-members) | Deleted once the enquiry is resolved. No personal data is retained for non-members beyond what is necessary to respond to the enquiry. |
| Membership application data (unsuccessful candidates) | Deleted promptly after the decision. No personal data is retained for non-members. |
| Member account data | For the duration of membership. Upon leaving the Lodge, personal data is deleted except where longer retention is required by law. |
| Financial records (dues, fees) | Retained for as long as legally required under Luxembourg accounting and tax obligations (Art. 16 Code de Commerce). |
| Security logs (firewall, traffic, audit logs) | Up to 30 days for live traffic data. Other security logs retained for as long as legally required. |
| Session data | Deleted when the session expires or the user logs out. |
| Email delivery logs | Retained for as long as legally required. |
| Cookie consent records | Retained for as long as required to demonstrate compliance (minimum duration of the consent — up to 12 months). |
| Server access logs | Determined by our hosting provider’s retention schedule. |
| Backup copies | Retained according to our backup schedule; oldest backups are deleted on a rolling basis. |
As a general principle, we do not retain personal data for non-members. Data relating to members is kept for the duration of membership and for as long as legally required thereafter (for example, financial records under Luxembourg accounting law). When personal data is no longer required, it is securely deleted or anonymised.
8. Cookies and Similar Technologies
Our website uses cookies — small text files placed on your device — to ensure the website functions correctly, to protect it against security threats, and to remember your consent preferences.
8.1 Strictly Necessary Cookies
These cookies are essential for the website to function. They do not require your consent under the ePrivacy Directive.
| Cookie | Provider | Purpose | Duration |
|---|---|---|---|
| wordpress_[hash] | WordPress | Authenticates logged-in users | Session |
| wordpress_logged_in_[hash] | WordPress | Identifies the logged-in user to the website | Session |
| wp-settings-{id} | WordPress | Stores admin interface preferences (logged-in users only) | 1 year |
| wp-settings-time-{id} | WordPress | Records when admin settings were last changed | 1 year |
| wordpress_test_cookie | WordPress | Tests whether your browser accepts cookies | Session |
| wfvt_[hash] | Wordfence | Security session verification to protect against attacks | Session |
| wordfence_verified_human_[hash] | Wordfence | Confirms the visitor is a real person (bot detection) | Session |
8.2 Functional Cookies
These cookies support security features for logged-in users.
| Cookie | Provider | Purpose | Duration |
|---|---|---|---|
| wf_loginalerted_[hash] | Wordfence | Prevents duplicate login alert notifications when signing in from a recognised device | 365 days |
| wfls-remembered-[data] | Wordfence | Remembers a trusted device for two-factor authentication so you are not asked for a code on every login | 30 days |
8.3 Consent Management Cookies
| Cookie | Provider | Purpose | Duration |
|---|---|---|---|
| _352_consent | 352-consent | Stores your cookie consent choices so you are not asked again on each visit | 12 months |
| _352_consent_client_id | 352-consent | A unique identifier used to maintain a verifiable record of your consent, as required by the GDPR | 12 months |
8.4 Cookies We Do Not Use
This website does not set any analytics, advertising, social media, or third-party tracking cookies.
8.5 Managing Your Cookie Preferences
You can manage your cookie preferences at any time by clicking the cookie settings link in the footer of our website. You can also delete cookies through your browser settings. Please note that disabling strictly necessary cookies may prevent the website from functioning correctly.
9. Data Security
We take appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:
- Encryption in transit: All data transmitted between your browser and our website is encrypted using HTTPS/TLS.
- Web application firewall: We use a firewall solution (Wordfence) to monitor and block malicious traffic and known attack patterns.
- Access control: Access to personal data is restricted to authorised individuals on a need-to-know basis. User roles and permissions are enforced at the application level.
- Password security: Passwords are stored as salted cryptographic hashes, never in plain text. We also check passwords against known data breach databases to alert users of compromised credentials.
- Two-factor authentication: Available for user accounts as an additional security layer.
- Rate limiting: Automated protections against brute-force attacks and form abuse.
- Regular backups: The website is regularly backed up to ensure data can be recovered in the event of an incident.
- Secure hosting: The website is hosted in Luxembourg by a professional hosting provider.
While we strive to protect your personal data, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee absolute security.
10. Your Rights
Under the GDPR, you have the following rights with respect to your personal data:
- Right of access (Art. 15): You can request a copy of the personal data we hold about you.
- Right to rectification (Art. 16): You can ask us to correct inaccurate or incomplete personal data.
- Right to erasure (Art. 17): You can ask us to delete your personal data, subject to legal retention obligations.
- Right to restriction of processing (Art. 18): You can ask us to restrict the processing of your data in certain circumstances.
- Right to data portability (Art. 20): You can request to receive your personal data in a structured, commonly used, and machine-readable format.
- Right to object (Art. 21): You can object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds.
- Right to withdraw consent (Art. 7(3)): Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of processing carried out before the withdrawal.
- Right not to be subject to automated decision-making (Art. 22): We do not carry out any automated decision-making or profiling that produces legal effects or similarly significantly affects you.
To exercise any of these rights, please contact us using the details provided in Section 1. We will respond to your request within one month. If your request is complex or we receive a large number of requests, we may extend this period by a further two months, in which case we will inform you.
We may ask you to verify your identity before processing your request, to ensure the security of your personal data.
11. Children’s Privacy
This website is not directed at children. In accordance with Luxembourg law implementing GDPR Article 8, we do not knowingly collect personal data from individuals under the age of 16 without parental consent. If you believe we have inadvertently collected data from a child under 16, please contact us immediately and we will take steps to delete that data.
12. Third-Party Links
Our website may contain links to external websites that are not operated by us. We have no control over the content or privacy practices of these third-party sites. We encourage you to review the privacy policy of every site you visit. We accept no responsibility or liability for the privacy practices of third-party websites.
13. Right to Lodge a Complaint
If you believe that our processing of your personal data violates the GDPR or Luxembourg data protection law, you have the right to lodge a complaint with the competent supervisory authority:
Commission nationale pour la protection des données (CNPD)
15, Boulevard du Jazz
L-4370 Belvaux
Luxembourg
- Website: cnpd.public.lu
- Phone: (+352) 26 10 60 1
We would appreciate the opportunity to address your concerns before you approach the CNPD. Please contact us first using the details in Section 1.
14. Changes to This Privacy Policy
We may update this privacy policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the “Last updated” date at the top of this page.
We encourage you to review this privacy policy periodically. Your continued use of the website after any changes constitutes your acknowledgement of the updated policy.