Privacy Policy

Last updated May 23, 2018.

01. Data Controller

This Privacy Policy provides information on how Lucidtech AS (“Lucidtech”) processes personal data both as a Data Controller (on behalf of employees) and a Data Processor (on behalf of customers/users).

Lucidtech is a company established and registered in Norway with organization number 918 345 787, address: Bentsebrugata 31E, 0469 OSLO, Norway, email: privacy@lucidtech.ai. Internally responsible for following up personal data protection is Ståle Zerener Haugnæss.

Lucidtech provides machine learning as a cloud service (the "Service") for training and using machine learning models for interpreting and validating documents such as receipts and invoices. The processing involves extracting key information from the documents (e.g. date, total amount, supplier, currency, etc. for invoices and receipts) which may contain personal information. The extracted information will be returned to the Data Controller in a structured format. In this context the Customer is Data Controller and responsible for their own personal data.

02. Information about Lucidtech’s processing of personal data
Data subject: Customers and users

Lucidtech collects personal data from the customers, the customers' customers and the customers’ employees that appear on documents submitted to the Service (for example, names and e-mail addresses may appear on e.g. invoices).

Types of personal data we collect

Contact information and Payment information, such as telephone number and address(es), including postal address, and country of domicile if the address is outside Norway, e-mail, date, total amount, supplier, currency, etc. for invoices and receipts.

Purpose for which personal data is used

The purpose for which personal data is used is delivering Lucidtech’s service to the customer; including offering the Service, executing payment and sending order confirmation. Furthermore, improving and developing the machine learning models by training on customer data in order to get higher accuracy on the data.

Lawful basis for processing

Lucidtech primarily processes personal data which are necessary to perform its obligations under an agreement with the customer pursuant to the Norwegian Privacy Act and the GDPR art. 6 (1b).

If there is no other statutory basis for processing, Lucidtech’s processing of personal data must be based on a freely-given, specific consent pursuant to the Norwegian Privacy Act and the GDPR art. 6 (1a). A consent may be withdrawn at any time. If the consent is withdrawn, the processing will be stopped and further storage of the data in question is conditional on explicit consent.

Collection and disclosure of personal data to third parties

The personal data is collected from the customer in connection with purchase and/or use of the Service. Lucidtech may disclose personal data to law enforcement or similar when there is a legal obligation or decision from the authorities.

Data subject: Lucidtech’s employees
Types of personal data we collect

Basic contact data such as contact information, information necessary to pay remuneration, tax information, etc.

Purpose for which personal data is used

Administrating the employment relationship, including remuneration and personnel administration.

Legal basis

GDPR art. 6 (1, a,b,c and f), art 9 nr 2 b).

Collection and disclosure of personal data to/from third parties

The data is collected from the employee. Some data (e.g. relating to taxation) is collected from the authorities. Data is disclosed to e.g. governmental authorities to the extent this is necessary to fulfil obligations related to the employment relationship.

03. Storage, retention and deletion of personal data

When using the Service, the user can opt-in on a per-document basis whether or not the document may be stored and used for training the machine learning models. Personal data that we process for any purpose shall not be kept for longer than is necessary for that purpose.

Lucidtech will retain personal data collected through the Service as follows:

For documents where the user does not opt-in for training

Lucidtech will delete or anonymize personal data as soon as the purpose of the processing is fulfilled. The processing is fulfilled when the extracted information is returned to the Data Controller in a structured format. In this case, Lucidtech does not store personal data.

For documents where the user does opt-in for training

For documents where the user opts-in for training, Lucidtech may retain the documents together with the extracted information for the purpose of training for a maximum period of 10 years following the date of the submission of the document to the Service, or until the consent is withdrawn.

Employee data

Employee data will be stored as long as is necessary according to applicable law.

Storage

Personal data is hosted on Amazon Web Services (“Amazon”), a cloud service provider, located on servers in Dublin, Ireland. Furthermore, Lucidtech uses Google Ireland Ltd as a cloud service provider. This processing takes place in the US and the legal basis for the transfer is Privacy Shield, under which the sub-processor is certified.

04. Data subject’s rights

Data subjects have rights to request access to data, rectification and erasure of data. For questions relating to Lucidtech’s processing of personal data, or requests to use any of the data subject’s rights according to applicable personal data legislation, please contact Lucidtech at privacy@lucidtech.ai.

From the time the General Data Protection Regulation comes into effect in May 2018, the data subjects’ rights also comprise the right to request restriction of, object to processing and data portability.

05. Security

Lucidtech has implemented appropriate technical and organizational measures to safeguard the personal data which it processes, against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and other unlawful forms of processing. Lucidtech uses administrative, technical, and physical measures to safeguard data against loss, theft and unauthorized uses, access or modifications. In case of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the Customer’s personal data, Lucidtech will inform the Customer of the breach without undue delay, including a summary description of the potential impact and a recommendation on measures to mitigate the possible adverse effects of the breach.

Subcontractors such as IT-service providers processing data on Lucidtech’s behalf are held by legally binding confidentiality and security requirements. Lucidtech uses Amazon Web Services and Google Cloud Platform as data processors, and has entered into data processing agreements with these data processors. The security measures applicable for the processing done by Amazon and Google are described here and here.

06. Changes to the Privacy Policy

This Privacy Policy will be modified to reflect changes in applicable laws or regulations, or changes in our practices or procedures.

07. Cookie Policy

Lucidtech uses cookies (HTML5 local storage) for storing user credentials when logging into Lucidtech's services (e.g. the demo site). The purpose is to provide a seamless user experience by letting the user stay logged into the Service.

Amazon Web Services administers the information. By entering and using our website you agree that cookies are placed in your browser as most browsers are set to automatically accept cookies. If you do not want to accept our use of cookies you can withdraw your consent by changing the settings in the browser. For more information about how to manage browser cookies, please follow the instructions provided by your browser.

Use of Google Analytics

Our website uses Google Analytics, a web analytics service provided by Google, Inc. (“Google”). Google Analytics uses “cookies”, which are text files placed on your computer, to help the website analyze how users use the site. The information generated by your use of the website is stored in the cookie. Such information includes, for example, the number of times you have used certain subpages of our website, the time spent on single pages, the pages on which you left our website, data concerning the location of your access (e.g. city or country) or details on the conversion rate of subpages. We have activated anonymizeIP and can therefore not see your computer’s IP address and connect it with the abovementioned data. The data stored in the cookie will be transmitted to and stored by Google on servers in the United States. Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. Google will not associate your IP address with any other data held by Google. You may refuse the use of cookies by selecting the appropriate settings on your browser or by installing a deactivation add-on (http://tools.google.com/dlpage/gaoptout?hl=de) in your browser.

08. Contact information and complaints

Data subjects may lodge a complaint on the data processing with their Data Protection Authority. For any questions regarding personal data protection in Lucidtech, please contact us at privacy@lucidtech.ai or Lucidtech’s registered office at Bentsebrugata 31E, 0469 Oslo, Norway. Lucidtech is registered in the Norwegian Register of Business Enterprises with organization number 918 345 787.