Privacy Policy

Last updated: May 23, 2018

  • 01. Data Controller

    This Privacy Policy provides information on how Lucidtech AS (“Lucidtech”) processes personal data as a Data Controller. Lucidtech is a company established and registered in Norway with organization number 918 345 787, address: Bentsebrugata 31E, 0469 OSLO, Norway, email: Internally responsible for following up personal data protection is Ståle Zerener Haugnæss.

    As Data Processor Lucidtech provides machine learning as a cloud service (the "Service") for training and using machine learning models for interpreting and validating documents such as receipts and invoices. The processing involves extracting key information from the documents (e.g. date, total amount, supplier currency, etc. for invoices and receipts) which may contain personal information. The extracted information will be returned to the Data Controller in a structured format. In this context the Customer is Data Controller and responsible for their own personal data.

  • 02. Information about Lucidtech’s processing of personal data
    • Data subject: Customers and users
      Personal data

      Payment information and contact information of Lucidtech’s customers. Lucidtech also processes personal data as Data Processor. The personal data is related to data from the customers’ employees or the customers' customers that appear on documents submitted to the Service (f.ex. names and email-addresses may appear on e.g. invoices).


      The purpose of the processing is delivering Lucidtech’s service to the customer; including offering the Service, execute payment and send order confirmation. Furthermore, improve and develop the machine learning models by training on customer data.

      Legal basis

      The legal basis for processing personal data as described here is fulfilling an agreement with the customer (Norwegian Personal Data Act § 8(1a) and GDPR art. 6(1b)).

      Collection and disclosure of personal data to/from third parties

      The personal data is collected from the customer in connection with purchase and/or use of the Service. Lucidtech may disclose personal information to law enforcement or similar when there is a legal obligation or decision from the authorities.

    • Data subject: Lucidtech’s employees
      Personal data

      Basic contact data such as contact information, information necessary to pay remuneration, tax information, etc.


      Administrating the employment relationship, including remuneration and personel administration.

      Legal basis

      PDA §§ 8(1), 8 a, b or f, 9 a, b, or f

      Collection and disclosure of personal data to/from third parties

      The data is collected from the employee. Some data (e.g.) relating to taxation is collected from the authorities. Data is disclosed to e.g. governmental authorities to the extent this is necessary to fulfil obligations related to the employment relationship.

  • 03. Storage, retention and deletion of personal data

    When using the Service, the user can opt-in on a per-document basis whether or not the document may be stored and used for training the machine learning models. Personal data that we process for any purpose shall not be kept for longer than is necessary for that purpose.

    Lucidtech will retain personal data collected through the Service as follows:

    • For documents where the user does not opt-in for training

      Lucidtech will delete or anonymize personal data as soon as the purpose of the processing is fulfilled. The processing is fulfilled when the extracted information is returned to the Data Controller in a structured format. In this case, Lucidtech does not store personal data.

    • For documents where the user does opt-in for training

      For documents where the user opts-in for training, Lucidtech may retain the documents together with the extracted information for the purpose of training for a maximum period of 10 years following the date of the submission of the document to the Service.

    Employee data will be stored as long as is necessary according to applicable law.

    Personal data is hosted on Amazon Web Services (“Amazon”), a cloud service provider, located on servers in Dublin, Ireland. Furthermore, Lucidtech uses Google Ireland Ltd as a cloud service provider. This processing takes place in the US and the legal basis for the transfer is Privacy Shield, under which the sub-processor is certified.

  • 04. Data subject’s rights

    Information obligations according to PDA § 18(1) are fulfilled in this privacy policy. Data subjects have rights to request access to data, rectification and erasure of data. For questions relating to Lucidtech’s processing of personal data, or requests to use any of the data subject’s rights according to applicable personal data legislation, please contact Lucidtech at

    From the time the General Data Protection Regulation comes into effect in May 2018, the data subjects’ rights also comprise right to request restriction of processing, object to processing and data portability.

  • 05. Security

    Lucidtech has implemented appropriate technical and organizational measures to safeguard the personal data which it processes, against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and other unlawful forms of processing. Lucidtech uses administrative, technical, and physical measures to safeguard data against loss, theft and unauthorized uses, access or modifications. In case of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customers personal data, Lucidtech will inform the Customer of the breach without undue delay, including a summary description of the potential impact and a recommendation on measures to mitigate the possible adverse effects of the breach.

    Subcontractors such as IT-service providers processing data on Lucidtech’s behalf are held by legally binding confidentiality and security requirements. Lucidtech uses Amazon Web Services and Google Cloud Platform as data processors, and have entered into a data processing agreements with these data processors. The security measures applicable for the processing done by Amazon and Google is described here and here

  • 06. Changes to the Privacy Policy

    This Privacy Policy will be modified to reflect changes in applicable laws or regulations, or changes in our practices or procedures.

  • 07. Cookie Policy

    Lucidtech uses cookies (HTML5 local storage) for storing user credentials when logging into Lucidtech's services (e.g. the demo site). The purpose is to provide a seamless user experience by letting the user stay logged into the Serivce.

    Amazon Web Services administrate the information. By entering and using our website you agree that cookies are placed in your browser as most browsers are set to automatically accept cookies. If you do not want to accept our use of cookies you can withdraw your consent by changing the settings in the browser. For more information about how to manage browser cookies, please follow the instructions provided by your browser.

  • 08. Contact information and complaints

    Data subjects may lodge a complaint on the data processing with their Data Protection Authority. For any questions regarding personal data protection in Lucidtech, please contact us at or Lucidtech’s registered office at Bentsebrugata 31E, 0469 Oslo, Norway. Lucidtech is registered in the Norwegian Register of Business Enterprises with organization number 918 345 787.