Livingroom Analytics - Software Privacy Policy

Livingroom Analytics – Software Privacy Policy

Last updated: September 18, 2025

1. Who we are and scope

1.1 Company. Livingroom Analytics ApS (“Livingroom”, “we”, “us”, “our”), Fruebjergvej 3, 2100 København Ø, Denmark. Company registration: DK38840606.
1.2 Our Service. We provide a browser-based Employee Experience Management Platform (the “Service”) that helps organizations measure and improve employee experience through short conversations, insights, and role-based workflows. The Service is accessed on desktop and mobile browsers with a single login; roles (employee, manager, admin) control what users can see and do.
1.3 Controller vs. Processor.

Controller (Livingroom). For account, billing, support, website and product analytics data.
Processor (Livingroom on Customer’s behalf). For Service Data processed under Customer’s instructions within the Service (e.g., roster/structure, conversation inputs, team actions). This processing is governed by our Data Processing Addendum (“DPA”). If this Policy conflicts with the DPA for Service Data, the DPA controls.
1.4 Acceptance. By using the Service, you agree to this Policy.

2. Children

The Service is for organizations and their workforce and is not directed to children. You may use the Service only if you have reached the age required by local law to consent to information-society services. Where parental/guardian consent is required, the organization is responsible for ensuring lawful access.

3. Personal data we collect

We collect personal data in three categories (examples are illustrative, not exhaustive).

3.1 Account & Billing Data (Controller). Name, work email, company, role, authentication data, and billing details. Payments may be handled by a PCI-DSS-compliant provider; we store only limited billing tokens (e.g., last-4 digits, expiry) for account administration.

3.2 Service Data (Processor). Data Customer and its users provide to operate the Service—e.g., employee roster and structure, segmentation, conversation inputs, comments, role assignments, team actions, and other Customer-configured fields.
Sensitive data. We do not request or require special-category or highly sensitive data (e.g., health, biometrics). Customers should not upload such data. If a Customer enables optional fields that could be sensitive, the Customer is responsible for a lawful basis, transparency, and ensuring the DPA covers that processing. The Service is not designed for HIPAA-regulated Protected Health Information.

3.3 Product Analytics & Technical Data (Controller). IP address, device and browser type, language/region, timestamps, in-product URLs and events, referrers, session metadata, diagnostics, crash reports, and security logs. We use cookies and similar technologies (see Section 12).

4. How we use personal data (and legal bases)

4.1 Provide and operate the Service; set up/administer accounts; provide support (contract).
4.2 Secure the Service; prevent abuse; detect, investigate, and remediate incidents; maintain integrity and availability (legitimate interests and, where applicable, legal obligation).
4.3 Improve the Service; develop features; run product analytics and quality assurance on de-identified or pseudonymized data where possible (legitimate interests).
4.4 Communicate about updates and administrative matters; send optional product and event communications (legitimate interests; consent where required).
4.5 Comply with law and respond to lawful requests (legal obligation).
Where we rely on consent, you may withdraw it at any time via available controls or by contacting us (see Section 15).

5. AI features and automated decision-making

5.1 Use of AI. Some features use AI models (including Azure OpenAI) to analyze inputs, summarize themes, generate insights, and propose actions. We inform users when interacting with AI features.
5.2 No sole automated decisions with legal/similarly significant effects. We do not make decisions solely by automated means that produce legal or similarly significant effects about individuals. You may request human review or object to certain AI uses where required by law.
5.3 Model training controls. When we use Azure OpenAI, we configure it so that prompts and outputs are not used to train or improve third-party foundation models and are processed solely to provide the Service.

6. How we share personal data

6.1 No sale or ad “sharing.” We do not sell personal data and do not “sell” or “share” personal information as defined by US state privacy laws. We do not use personal data for cross-context behavioral or targeted advertising.
6.2 Service providers / sub-processors. We use vetted providers under contract to process personal data for us and only per our instructions, including Microsoft Azure for hosting and Azure OpenAI for AI features, as well as payments, email, analytics, and support tools. A current list of sub-processors is available on request.
6.3 Customer access (Service Data). For Service Data, your organization (the controller) and its authorized users can access and export data within their tenant.
6.4 Corporate transactions. In a merger, acquisition, or asset sale, personal data may be transferred under safeguards and with notice where required.
6.5 Legal reasons. We may disclose data where in good faith we believe it is necessary to comply with law or lawful requests, enforce agreements, or protect rights, safety, or property.
6.6 De-identified/aggregated insights. We may create and use de-identified or aggregated statistics and benchmarks that cannot reasonably be used to identify an individual or Customer.

7. International data transfers

7.1 Global operations from Denmark. While established in Denmark, we sell and support the Service globally. We aim to process and store Service Data in EU/EEA regions where feasible and supported by our providers.
7.2 Safeguards. When transferring personal data from the EEA/UK to countries without an adequacy decision, we use appropriate safeguards such as the EU Standard Contractual Clauses (and UK IDTA/Addendum as applicable) plus technical and organizational measures. Where a US provider maintains recognized certifications, we may rely on those where appropriate.

8. Security

8.1 Measures. We maintain administrative, technical, and physical safeguards appropriate to risk, including encryption in transit and at rest (where supported), access controls, audit logging, vulnerability management, and incident response.
8.2 Authentication. We support multi-factor authentication for manager and admin accounts. Employee end-users authenticate with a password and any SSO options configured by the Customer.
8.3 Your responsibility. Keep credentials secure, use strong passwords/MFA where available, and promptly notify us of suspected compromise.

9. Data retention and deletion

9.1 We retain personal data only as long as necessary for the purposes described in this Policy or as required by law.
9.2 Typical periods (may vary by Customer configuration and legal duties):

Account & Billing Data: for the customer relationship plus required legal retention (e.g., tax/audit).
Service Data: for the term of the customer agreement; upon termination, we delete or return Service Data per the DPA (with backup copies subject to secure deletion cycles).
Product Analytics & Logs: up to 12 months, or longer where required for security, compliance, or legal obligations.
9.3 We implement backup and archival deletion schedules to complete clean deletion following account closure or Customer instructions under the DPA.

10. Your rights

Depending on your location, you may have rights to access, rectify, erase, restrict, object, or port your personal data, and to withdraw consent where processing is based on consent.
10.1 Service Data (processor). If you are an employee end-user, please first contact your employer/organization (the controller) for requests under the GDPR/UK GDPR or other laws. We will assist the controller in responding under the DPA.
10.2 Account/Billing/Analytics (controller). For data we control, contact us per Section 15.
10.3 You may also lodge a complaint with your local supervisory authority. In Denmark: Datatilsynet (the Danish Data Protection Agency).

11. Cookies and similar technologies

11.1 We use cookies, SDKs, and similar technologies to operate the Service (e.g., session management, security), understand usage, and improve features.
11.2 Where required, we present a cookie banner with granular controls. You can change your preferences at any time via our cookie settings. For essential cookies, our basis is legitimate interests or contract.
11.3 Where supported by your browser, we honor Global Privacy Control (GPC) signals for controller-side marketing cookies.

12. Third-party services

The Service may include links to third-party sites or services; their privacy practices are governed by their own policies. Payment processing is handled by a PCI-DSS-compliant provider, which may process your payment information as its own controller for fraud prevention and regulatory compliance.

13. Communications

13.1 Transactional. We send transactional or service messages (e.g., security alerts, billing, changes to terms).
13.2 Marketing. Where permitted by law, we may send marketing communications. You can unsubscribe at any time via the message or by contacting us.

14. Changes to this Policy

We may update this Policy from time to time. We will post the updated version with a new “Last updated” date. If changes materially affect your rights, we will provide additional notice (e.g., email or in-product) and, where required, seek your consent.

15. Contact us

Livingroom Analytics ApS
Fruebjergvej 3, 2100 København Ø, Denmark
Email: privacy@livingroomanalytics.com

16. Definitions

“Personal data” means information relating to an identified or identifiable natural person.
“Service Data” means data processed in a Customer’s tenant on that Customer’s instructions (we act as processor).
“Customer” means the organization that purchased or administers a tenant of the Service.
“User” means any individual who accesses or uses the Service.
“Controller/Processor” have the meanings given in the GDPR and applicable data protection laws.

Appendix: Roles summary (informative, not part of the DPA)

Controller (Livingroom): website, account & billing, product analytics, security logs, support.
Processor (Livingroom on behalf of Customer): Service Data inside the platform.
For processor activities, the DPA governs details (subject categories, retention, deletion, sub-processors, transfer mechanisms, assistance with rights).