As Data Processor Lucidtech provides machine learning as a cloud service (the "Service") for training and using machine learning models for interpreting and validating documents such as receipts and invoices. The processing involves extracting key information from the documents (e.g. date, total amount, supplier currency, etc. for invoices and receipts) which may contain personal information. The extracted information will be returned to the Data Controller in a structured format. In this context the Customer is Data Controller and responsible for their own personal data.
Payment information and contact information of Lucidtech’s customers. Lucidtech also processes personal data as Data Processor. The personal data is related to data from the customers’ employees or the customers' customers that appear on documents submitted to the Service (for example, names and email addresses may appear on invoices).
The purpose of the processing is delivering Lucidtech’s service to the customer, including offering the Service, executing payment and sending order confirmation. A further purpose is to improve and develop the machine learning models by training on customer data.
The legal basis for processing personal data as described here is fulfilling an agreement with the customer (Norwegian Personal Data Act § 8(1a) and GDPR art. 6(1b)).
The personal data is collected from the customer in connection with purchase and/or use of the Service. Lucidtech may disclose personal information to law enforcement or similar when there is a legal obligation or decision from the authorities.
Basic contact data such as contact information, information necessary to pay remuneration, tax information, etc.
Administering the employment relationship, including remuneration and personnel administration.
PDA §§ 8(1), 8 a, b or f, 9 a, b, or f
The data is collected from the employee. Some data (e.g. relating to taxation) is collected from the authorities. Data is disclosed to e.g. governmental authorities to the extent this is necessary to fulfil obligations related to the employment relationship.
When using the Service, the user can choose, on a per-document basis, whether to opt in to the document being stored and used for training the machine learning models. Personal data that we process for any purpose shall not be kept for longer than is necessary for that purpose.
Lucidtech will retain personal data collected through the Service as follows:
Lucidtech will delete or anonymize personal data as soon as the purpose of the processing is fulfilled. The processing is fulfilled when the extracted information is returned to the Data Controller in a structured format. In this case, Lucidtech does not store personal data.
For documents where the user opts in for training, Lucidtech may retain the documents together with the extracted information for the purpose of training for a maximum period of 10 years following the date of the submission of the document to the Service.
Employee data will be stored as long as is necessary according to applicable law.
Personal data is hosted on Amazon Web Services (“Amazon”), a cloud service provider, located on servers in Dublin, Ireland. Furthermore, Lucidtech uses Google Ireland Ltd as a cloud service provider. This processing takes place in the US and the legal basis for the transfer is Privacy Shield, under which the sub-processor is certified.
From the time the General Data Protection Regulation comes into effect in May 2018, the data subjects’ rights also comprise the right to request restriction of processing, to object to processing, and to data portability.
Lucidtech has implemented appropriate technical and organizational measures to safeguard the personal data which it processes, against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and other unlawful forms of processing. Lucidtech uses administrative, technical, and physical measures to safeguard data against loss, theft and unauthorized uses, access or modifications. In case of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the Customer's personal data, Lucidtech will inform the Customer of the breach without undue delay, including a summary description of the potential impact and a recommendation on measures to mitigate the possible adverse effects of the breach.
Subcontractors such as IT-service providers processing data on Lucidtech’s behalf are held to legally binding confidentiality and security requirements. Lucidtech uses Amazon Web Services and Google Cloud Platform as data processors, and has entered into data processing agreements with these data processors. The security measures applicable for the processing done by Amazon and Google are described here and here.
Data subjects may lodge a complaint on the data processing with their Data Protection Authority. For any questions regarding personal data protection in Lucidtech, please contact us at email@example.com or Lucidtech’s registered office at Bentsebrugata 31E, 0469 Oslo, Norway. Lucidtech is registered in the Norwegian Register of Business Enterprises with organization number 918 345 787.