Last updated May 23, 2018.
01. Data Controller
Lucidtech is a company established and registered in Norway with organization number 918 345 787, address: Bentsebrugata 31E, 0469 OSLO, Norway, email: firstname.lastname@example.org. Internally responsible for following up personal data protection is Ståle Zerener Haugnæss.
Lucidtech provides machine learning as a cloud service (the "Service") for training and using machine learning models for interpreting and validating documents such as receipts and invoices. The processing involves extracting key information from the documents (e.g. date, total amount, supplier currency, etc. for invoices and receipts) which may contain personal information. The extracted information will be returned to the Data Controller in a structured format. In this context the Customer is Data Controller and responsible for their own personal data.
02. Information about Lucidtech’s processing of personal data
Data subject: Customers and users
Lucidtech collect personal data from the customers, the customers' customers and the customers’ employees that appear on documents submitted to the Service (f.ex. names and e-mail addresses may appear on e.g. invoices).Types of personal data we collect
Contact information and Payment information, such as telephone number and address(es), including postal address, and country of domicile if the address is outside Norway, e-mail, date, total amount, supplier, currency, etc. for invoices and receipts.Purpose for which personal data is used
The purpose for which personal data is used is delivering Lucidtech’s service to the customer; including offering the Service, executing payment and sending order confirmation. Furthermore, improving and developing the machine learning models by training on customer data in order to get higher accuracy on the data.Lawful basis for processing
Lucidtech primarily process personal data which are necessary to perform its obligations under an agreement with the customer pursuant to (Norwegian Privacy Act and the GDPR art. 6 (1b)).
If there is no other statutory basis for processing, Lucidtech’s processing of personal data must be based on a freely-given, specific consent pursuant to (Norwegian Privacy Act and the GDPR art. 6 (1a)). A consent may be withdrawn at any time. If the consent is withdrawn, the processing will be stopped and further storage of the data in question is conditional on explicit consent.Collection and disclosure of personal data to third parties
The personal data is collected from the customer in connection with purchase and/or use of the Service. Lucidtech may disclose personal data to law enforcement or similar when there is a legal obligation or decision from the authorities.
Data subject: Lucidtech’s employees
Basic contact data such as contact information, information necessary to pay remuneration, tax information, etc.Purpose for which personal data is used
Administrating the employment relationship, including remuneration and personnel administration.Legal basis
GDPR art. 6 (1, a,b,c and f), art 9 nr 2 b).Collection and disclosure of personal data to/from third parties
The data is collected from the employee. Some data (e.g.) relating to taxation is collected from the authorities. Data is disclosed to e.g. governmental authorities to the extent this is necessary to fulfil obligations related to the employment relationship.
03. Storage, retention and deletion of personal data
When using the Service, the user can opt-in on a per-document basis whether or not the document may be stored and used for training the machine learning models. Personal data that we process for any purpose shall not be kept for longer than is necessary for that purpose.
Lucidtech will retain personal data collected through the Service as follows:For documents where the user does not opt-in for training
Lucidtech will delete or anonymize personal data as soon as the purpose of the processing is fulfilled. The processing is fulfilled when the extracted information is returned to the Data Controller in a structured format. In this case, Lucidtech does not store personal data.For documents where the user does opt-in for training
For documents where the user opts-in for training, Lucidtech may retain the documents together with the extracted information for the purpose of training for a maximum period of 10 years following the date of the submission of the document to the Service, or until the consent is withdrawn.Employee data
Employee data will be stored as long as is necessary according to applicable law.Storage
Personal data is hosted on Amazon Web Services (“Amazon”), a cloud service provider, located on servers in Dublin, Ireland. Furthermore, Lucidtech uses Google Ireland Ltd as a cloud service provider. This processing takes place in the US and the legal basis for the transfer is Privacy Shield, under which the sub-processor is certified.
04. Data subject’s rights
Data subjects have rights to request access to data, rectification and erasure of data. For questions relating to Lucidtech’s processing of personal data, or requests to use any of the data subject’s rights according to applicable personal data legislation, please contact Lucidtech at email@example.com.
From the time the General Data Protection Regulation comes into effect in May 2018, the data subjects’ rights also comprise the right to request restriction of, object to processing and data portability.
Lucidtech has implemented appropriate technical and organizational measures to safeguard the personal data which it processes, against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and other unlawful forms of processing. Lucidtech uses administrative, technical, and physical measures to safeguard data against loss, theft and unauthorized uses, access or modifications. In case of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customers personal data, Lucidtech will inform the Customer of the breach without undue delay, including a summary description of the potential impact and a recommendation on measures to mitigate the possible adverse effects of the breach.
Subcontractors such as IT-service providers processing data on Lucidtech’s behalf are held by legally binding confidentiality and security requirements. Lucidtech uses Amazon Web Services and Google Cloud Platform as data processors, and have entered into a data processing agreements with these data processors. The security measures applicable for the processing done by Amazon and Google is described here and here
Use of Google Analytics
08. Contact information and complaints
Data subjects may lodge a complaint on the data processing with their Data Protection Authority. For any questions regarding personal data protection in Lucidtech, please contact us at firstname.lastname@example.org or Lucidtech’s registered office at Bentsebrugata 31E, 0469 Oslo, Norway. Lucidtech is registered in the Norwegian Register of Business Enterprises with organization number 918 345 787.