Privacy Policy
Last updated: March 19, 2026
1. Controller
The controller responsible for the processing of your personal data within the meaning of the EU General Data Protection Regulation (GDPR) is:
Pelle Krukow
Ballindamm 3
Hamburg, Germany
VAT ID: pending
Email: privacy@uselustre.com
2. Overview
Lustre (“we”, “us”, “our”) provides a platform for collecting, managing, and displaying customer testimonials and social-proof widgets. This privacy policy explains what personal data we collect, how we use it, and what rights you have under applicable data-protection law — particularly the GDPR.
3. Types of Data Collected
3.1 Account & Personal Data
When you register for a Lustre account we collect your name, email address, and (for paid plans) billing/payment information.
3.2 Testimonial Data
When visitors submit testimonials through your collection pages, we process the data they provide, which may include their name, email address, company name, job title, testimonial text, star rating, and optional profile photo.
3.3 Usage Data
We automatically collect technical information when you use Lustre, including IP address, browser type, operating system, referring URLs, pages viewed, and interaction events. We also collect widget impression and click data for analytics.
3.4 Cookies & Similar Technologies
We use strictly necessary cookies for authentication and session management. We use PostHog for product analytics, which may set first-party cookies. We do not use third-party advertising cookies. You can manage cookie preferences in your browser settings.
4. Legal Basis for Processing (Art. 6 GDPR)
We process personal data on the following legal bases:
| Purpose | Legal basis |
|---|---|
| Providing and maintaining the service | Performance of a contract (Art. 6(1)(b) GDPR) |
| Processing payments | Performance of a contract (Art. 6(1)(b) GDPR) |
| Sending transactional emails (e.g. new testimonial alerts) | Performance of a contract (Art. 6(1)(b) GDPR) |
| Product analytics and improvement | Legitimate interest (Art. 6(1)(f) GDPR) |
| Displaying testimonials via widgets | Consent of the testimonial author / legitimate interest of the account holder |
| Legal compliance and fraud prevention | Legal obligation (Art. 6(1)(c) GDPR) |
| Marketing communications (optional) | Consent (Art. 6(1)(a) GDPR) |
5. Data Retention
- Account data: Retained for the duration of your active account. Upon account deletion, personal data is permanently erased within 30 days, unless longer retention is required by law (e.g. tax records kept for 10 years per German fiscal regulations).
- Testimonial data: Retained for as long as the account holder keeps the testimonials. Testimonial authors may request deletion at any time. Upon account deletion, all associated testimonials are deleted within 30 days.
- Usage / analytics data: Aggregated and anonymised data may be retained indefinitely. Identifiable usage data is deleted or anonymised after 26 months.
- Payment data: Transaction records are retained for 10 years in accordance with German commercial and tax law (HGB, AO).
6. Third-Party Processors
We engage the following sub-processors to deliver our service. Each operates under a Data Processing Agreement (DPA) compliant with Art. 28 GDPR:
| Processor | Purpose | Location |
|---|---|---|
| Clerk | Authentication & user management | USA (EU SCCs) |
| Convex | Database & backend | USA (EU SCCs) |
| Mollie | Payment processing | Netherlands (EU) |
| Resend | Transactional email delivery | USA (EU SCCs) |
| PostHog | Product analytics | EU (PostHog Cloud EU) |
| Vercel | Application hosting & CDN | Global / USA (EU SCCs) |
| Cloudflare | DNS, DDoS protection & CDN | Global / USA (EU SCCs) |
7. International Data Transfers
Some of our sub-processors are located outside the European Economic Area (EEA). Where personal data is transferred to countries that the European Commission has not recognized as providing an adequate level of data protection, we rely on EU Standard Contractual Clauses (SCCs) as the transfer mechanism in accordance with Art. 46(2)(c) GDPR. You may request a copy of the relevant safeguards by contacting us at privacy@uselustre.com.
8. Your Rights Under the GDPR
As a data subject, you have the following rights. To exercise any of these rights, please contact us at privacy@uselustre.com. We will respond within 30 days.
- Right of access (Art. 15 GDPR): You may request confirmation of whether we process your personal data and, if so, a copy of that data.
- Right to rectification (Art. 16 GDPR): You may request correction of inaccurate or incomplete personal data.
- Right to erasure (Art. 17 GDPR): You may request deletion of your personal data, subject to legal retention obligations.
- Right to restriction of processing (Art. 18 GDPR): You may request that we restrict the processing of your personal data in certain circumstances.
- Right to data portability (Art. 20 GDPR): You may request a machine-readable export of the personal data you have provided to us.
- Right to object (Art. 21 GDPR): You may object to processing based on legitimate interests at any time. We will cease processing unless we demonstrate compelling legitimate grounds.
- Right to withdraw consent (Art. 7(3) GDPR): Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
9. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including encryption in transit (TLS) and at rest, access controls, regular security reviews, and secure development practices. Despite our efforts, no method of transmission over the Internet is 100% secure.
10. Children's Privacy
Lustre is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us and we will delete it promptly.
11. Changes to This Policy
We may update this privacy policy from time to time. Material changes will be communicated via email or a prominent notice on our website at least 14 days before they take effect. The “last updated” date at the top of this page indicates the most recent revision.
12. Right to Lodge a Complaint
If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority. The competent authority for our business is:
Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit
Ludwig-Erhard-Str. 22, 7. OG
20459 Hamburg, Germany
Website: https://datenschutz-hamburg.de
13. Contact
For any privacy-related questions or requests, please contact us at:
Pelle Krukow
Ballindamm 3, Hamburg, Germany
Email: privacy@uselustre.com