Livingroom Analytics - Software Privacy Policy

LAST UPDATED Aug 22, 2025

1. Who We Are and Scope

1.1 Company. Livingroom Analytics ApS (“Livingroom”, “we”, “us”, “our”), Fruebjergvej 3, 2100 København Ø, Denmark. Company registration: DK38840606.

1.2 Our service. We provide a browser-based Employee Experience Management Platform (EXMP) that helps organizations measure and improve employee experience and engagement through surveys, insights and role-based workflows (the “Service”). There is no separate mobile app; the Service can be accessed on desktop and mobile browsers with a single login and roles assigned automatically by the customer’s configuration.

1.3 Controller vs. Processor.

  • For Account, Website, Billing, Support and Product Analytics data, Livingroom acts as a data controller.

  • For Service Data we process on our customers’ instructions (e.g., employee survey responses inside the customer’s EXMP tenant), the customer is the controller and Livingroom is the processor under a Data Processing Agreement (DPA). Our DPA governs processor obligations and our list of sub-processors.

  • If there is any conflict between this Privacy Policy and the DPA for Service Data, the DPA controls for that processing.

1.4 Acceptance. By using the Service, you agree to this Privacy Policy.

2. Children

2.1 The Service is intended for use by organizations and their workforce. It is not directed to children. You may only use the Service if you have reached the age required by your local law to consent to information-society services (for example, 15 in Denmark, 16 in many EU Member States). Where parental or guardian consent is required, the organization is responsible for ensuring lawful access.

3. Personal Data We Collect

We collect personal data in three main categories. Examples below are illustrative, not exhaustive.

3.1 Account & Billing Data (Controller). Name, work email, company, role, authentication data, and billing details.
Payments: We do not store full credit card details. Payments are processed by our PCI-DSS-compliant provider (e.g., Stripe). We retain only tokens, last-4 digits, and expiry to manage billing.

3.2 Service Data (Processor). Content provided by our customer (your employer/organization) and its users within EXMP—e.g., survey questions and responses, comments, team/organizational structure, role assignments, and other customer-configured fields.

  • Special-category data: We do not request or require special-category data (e.g., racial/ethnic origin, health, biometrics). Customers should not submit such data. If a customer enables optional fields that could be sensitive, they are responsible for establishing a lawful basis and informing employees in accordance with the DPA and applicable law.

3.3 Product Analytics & Technical Data (Controller). To keep the Service secure and reliable, we collect technical logs and usage analytics, such as IP address, device and browser information, language and region settings, timestamps, URLs visited within the Service, referrers, session and event metadata, and diagnostics. We use cookies and similar technologies; see Section 12.

4. How We Use Personal Data (and Our Legal Bases)

We use personal data to:

4.1 Provide and operate the Service; set up and administer accounts; provide support (contract).
4.2 Secure the Service; prevent abuse; detect, investigate, and remediate incidents; maintain integrity and availability (legitimate interests and, where applicable, legal obligation).
4.3 Improve the Service; develop new features; run product analytics and quality assurance on de-identified or pseudonymized data where possible (legitimate interests).
4.4 Communicate with you about updates and administrative matters; send optional product and event communications (legitimate interests; consent where required).
4.5 Comply with law; respond to lawful requests (legal obligation).

Where we rely on consent, you can withdraw it at any time via provided controls or by contacting us (see Section 15).

5. AI Features and Automated Decision-Making

5.1 Parts of the Service may use AI-assisted features (e.g., summarization, suggested actions, analytics). We inform users when interacting with AI features.
5.2 We do not make decisions solely by automated means that produce legal or similarly significant effects about individuals. You may request human review or object to certain AI uses where required by law.

6. How We Share Personal Data

6.1 No sale or “share” for ads. We do not sell personal data and do not share it for cross-context behavioral or targeted advertising.

6.2 Service providers / sub-processors. We use vetted providers (e.g., cloud hosting, email, analytics, payments) under contract to process personal data for us and only per our instructions. We publish a current list of sub-processors here: [link to Sub-processors page].

6.3 Customer access (Service Data). For Service Data, your organization (the controller) and its authorized users can access and export data within their tenant.

6.4 Corporate transactions. If we are involved in a merger, acquisition, or asset sale, personal data may be transferred under safeguards and with notice where required.

6.5 Legal reasons. We may disclose data where we believe in good faith it is necessary to: (a) comply with law or lawful requests; (b) enforce our agreements; or (c) protect rights, safety, or property of Livingroom, our users, or others.

6.6 De-identified/aggregated insights. We may publish or license de-identified and aggregated statistics and benchmarks that cannot reasonably be used to identify any individual or customer.

7. International Data Transfers

7.1 We may transfer personal data outside the country where it was collected. When we transfer personal data from the EEA/UK to countries without an adequacy decision, we use approved safeguards such as the EU Standard Contractual Clauses (and UK IDTA/Addendum as applicable). Where a U.S. vendor is certified to the EU–US Data Privacy Framework, we may rely on that certification.

8. Security

8.1 We maintain administrative, technical, and physical safeguards appropriate to the risk, including encryption in transit and at rest, access controls, audit logging, vulnerability management, and incident response.
8.2 Authentication: We support MFA (multi-factor authentication) for manager and admin accounts. Employee end-users authenticate with a password (and any SSO options configured by the customer).
8.3 Your responsibility: Keep credentials secure, use strong passwords/MFA where available, and promptly notify us of suspected compromise.

9. Data Retention and Deletion

9.1 We retain personal data only as long as necessary for the purposes described in this Policy or as required by law.
9.2 Typical periods (which may vary by customer configuration and law):

  • Account & Billing Data: for the customer relationship plus required legal retention (e.g., tax/audit).

  • Service Data: for the term of the customer agreement; upon termination, we delete or return Service Data per the DPA (with limited-time backups subject to secure deletion cycles).

  • Product Analytics & Logs: retained for up to 12 months unless a longer period is needed for security, auditing, or to comply with law.

9.3 We implement backup and archival deletion schedules to complete “clean deletion” following account closure or customer instructions under the DPA.


10. Your Rights

Depending on your location, you may have the right to access, rectify, erase, restrict, object, or port your personal data, and to withdraw consent where processing is based on consent.

10.1 If you are an employee end-user: For Service Data, please first contact your employer/organization (the controller). We will assist the controller in responding to your request under the DPA.
10.2 For Account/Billing/Analytics data (where we are controller), contact us per Section 15.
10.3 You may also lodge a complaint with your local supervisory authority. In Denmark: Datatilsynet (The Danish Data Protection Agency).

11. Cookies and Similar Technologies

11.1 We use cookies, SDKs, and similar technologies to operate the Service (e.g., session management, security), to understand usage, and to improve features.
11.2 Where required, we present a cookie banner with granular controls. You can change your preferences at any time via our cookie settings. For essential cookies, our basis is legitimate interests or contract.

12. Third-Party Services and Links

12.1 The Service may include links to third-party sites or services. Their privacy practices are governed by their own policies. We encourage you to review them.
12.2 Our payment processing is handled by a PCI-DSS-compliant provider (e.g., Stripe). That provider processes your payment information as its own controller for fraud prevention and regulatory compliance.

13. Communications

13.1 Transactional. We may send you transactional or service messages (e.g., security alerts, billing, changes to terms).
13.2 Marketing. Where permitted by law, we may send marketing communications. You can unsubscribe at any time via the message or by contacting us.

14. Changes to This Policy

14.1 We may update this Policy from time to time. We will post the updated version with a new “Last Updated” date. If changes materially affect your rights, we will provide additional notice (e.g., email or in-product) and, where required, seek your consent.

15. Contact Us

Livingroom Analytics ApS
Fruebjergvej 3, 2100 København Ø, Denmark
Email: privacy@livingroomanalytics.com

EEA/UK inquiries and complaints: You may contact Datatilsynet (or your local authority). We will cooperate with supervisory authorities and customers’ DPOs as required.

16. Definitions

  • “Personal data” means information relating to an identified or identifiable natural person.

  • “Service Data” means data processed in a customer’s EXMP tenant on that customer’s instructions (we act as processor).

  • “Controller/Processor” have the meanings given in the GDPR and applicable data protection laws.

  • “Customer” means the organization that purchased or administers an EXMP tenant.

  • “User” means any individual who accesses or uses the Service.

Appendix: Roles Summary (informative, not part of the DPA)

  • Controller (Livingroom): website, account & billing, product analytics, security logs, support.

  • Processor (Livingroom on behalf of Customer): Service Data inside EXMP.

  • For processor activities, the DPA governs details (subject categories, retention, deletion, sub-processors, transfer mechanisms).