GDPR Compliance Policy

Last updated: September 10, 2025

Introduction

Livappy OÜ (Lõkke 12, 10122 Tallinn, Estonia) is committed to full compliance with the European Union's General Data Protection Regulation (GDPR) across all its operations. This GDPR Compliance Policy serves as both an internal guideline and a public-facing statement of how Livappy ensures data protection and privacy in accordance with GDPR.

For any questions or concerns regarding this policy or data protection at Livappy, please contact us at info@livappy.com.

Scope

This policy applies to all personal data processing activities conducted by Livappy OÜ in the context of offering services to individuals in the European Union. As an EU-established company, Livappy falls under the GDPR's jurisdiction for any processing of personal data of persons in the EU[1]. In practice, this means that any personal information collected, used, stored, or otherwise processed by Livappy – whether from customers, users, employees, or partners across the EU – is handled in accordance with GDPR requirements.

Livappy is dedicated to ensuring that GDPR's principles and rules govern all relevant data processing, regardless of the EU country in which the data subject resides. We recognize that the GDPR protects the fundamental rights to privacy of individuals in the EU and imposes obligations on us whenever we deal with EU personal data[2].

Under this policy, Livappy's activities covered by GDPR include (but are not limited to): collecting personal data from users and customers, storing or hosting that data (for example, on our cloud servers), analyzing personal data for business purposes, and sharing data with authorized service providers. All such activities are performed in compliance with GDPR and within the European Economic Area (EEA) or under approved transfer mechanisms when data moves outside the EEA. In summary, if Livappy processes personal data of an EU individual, that processing is within the scope of this policy and GDPR compliance.

Transparency

Livappy upholds the principle of transparency by clearly informing data subjects about how we collect, use, and share their personal information. GDPR requires organizations to be open and honest about the personal data they gather and the purposes for which it is used[3]. In line with this, Livappy provides data subjects with comprehensive privacy notices whenever we collect personal data. These notices (such as our Privacy Policy) detail all mandated information, including:

  • Identity of the Controller: We identify Livappy OÜ as the data controller and provide our contact details (address and email) in all privacy communications.
  • Data Collection and Use: We explain what personal data we collect and how and why we collect it. This includes the categories of data (e.g. name, contact information, identification documents) and the purposes for which they are processed (such as providing our services, identity verification, customer support, and marketing).
  • Legal Bases: For each processing activity, we specify the legal basis under GDPR that justifies it – for example, whether we rely on user consent, contract necessity, legal obligation, or legitimate interests. We ensure that no personal data is processed without a valid legal basis under Articles 6 and 9 GDPR.
  • Data Retention: We inform individuals how long we retain personal data. Livappy is committed to storage limitation, meaning we keep personal data only for as long as necessary to fulfill the purposes stated or as required by law, after which data is securely deleted or anonymized.
  • Data Recipients: We disclose any third parties or partners who may receive personal data. This includes highlighting if personal data is shared with our service providers or processors (for example, cloud hosting providers, identity verification services, analytics tools) and ensuring individuals know the categories of recipients.
  • Rights and Contact: We notify individuals of their GDPR data subject rights (detailed in the next section) and provide clear instructions on how to exercise those rights, including contacting us at info@livappy.com. We also include the right to lodge a complaint with a supervisory authority and other required information in our privacy notices.

All privacy information is presented in a concise, transparent, and easily accessible form, using clear language as required by GDPR. Livappy delivers this information at the time data is collected (or, if received from third parties, at the earliest opportunity as per GDPR Articles 13 and 14). We are committed to updating our privacy notices whenever our data practices change, and we will promptly communicate any significant changes to ensure continuous transparency. In essence, Livappy strives to make sure individuals are never in the dark about how their data is handled, reinforcing trust and meeting the GDPR's high standards for transparency[3].

Data Subject Rights

Under the GDPR, individuals (data subjects) are granted robust rights regarding their personal data, and Livappy is fully committed to enabling and honoring these rights. The rights provided to data subjects include: the right to be informed, the right of access, the right to rectification, the right to erasure ("right to be forgotten"), the right to restrict processing, the right to data portability, the right to object to processing, and the right not to be subject to a decision based solely on automated processing (including profiling)[4]. We recognize all these rights and have established processes to facilitate their exercise.

Exercising Rights

Livappy has user-friendly procedures for individuals to exercise their GDPR rights. Data subjects may submit requests at any time by contacting us at info@livappy.com. We also provide online forms or in-app settings (where applicable) to streamline the submission of requests for access, correction, deletion, etc.

When a request is received, Livappy will:

  • Verify the Request: For security, we may need to verify the identity of the requester to ensure that personal data is not disclosed to an unauthorized person. This might involve asking for additional information or authentication if the request is made from an email address or account not already known to us.
  • Respond in a Timely Manner: We respond to all data subject requests without undue delay and within one month of receipt, as required by GDPR[6]. If a request is complex, or if we receive a large number of requests, we may extend this period by up to two further months, but will inform the requester of the extension and its reasons within the initial one-month period. In any case, the status and outcome of the request will be communicated clearly.
  • Fulfill the Request When Possible: If the request is valid and no legal exemption applies, Livappy will fulfill the request. For example, we will provide a copy of the individual's personal data we process (access right), correct any inaccuracies (rectification), delete data if asked and if no overriding lawful reason prevents it (erasure), or cease certain processing upon objection or restriction requests, all in accordance with GDPR conditions. When data portability is requested, we will provide the personal data in a structured, commonly used, machine-readable format.
  • Explain Any Refusal or Limitation: In the rare case that we cannot comply with a request (for instance, if an exemption applies or if the request is manifestly unfounded or excessive), we will inform the individual of the specific reason we cannot fulfill the request and of their right to complain to a supervisory authority. We do not charge any fee for responding to rights requests, unless a request is repetitive or excessive (in which case any fee or refusal will be strictly as permitted by GDPR).
  • Facilitate and Document: Livappy's internal procedures ensure that staff are trained to recognize and properly handle data subject requests[7]. We maintain records of requests and responses to demonstrate our compliance. We also notify any relevant third-party data processors or recipients if necessary (for example, if data has been shared and needs to be erased or rectified, we will communicate the request to those parties as required).

Livappy deeply respects individuals' control over their personal data. By upholding these rights and making the process straightforward, we demonstrate our accountability and commitment to GDPR's empowerment of data subjects. Our team stands ready to assist individuals in understanding and exercising their rights at all times.

Privacy by Design and Default

Livappy embraces Privacy by Design and Privacy by Default as core principles in all our products, services, and business processes. This means that from the very inception of any project or system, we integrate data protection considerations and ensure privacy safeguards are built in by default, not added as an afterthought[8]. Our approach includes the following practices:

  • Design Phase Integration: Whenever we develop or update software, applications, or business processes that involve personal data, we proactively assess privacy risks and incorporate protective measures at the design stage. For example, we minimize data collection to only what is necessary for the specified purpose (data minimization) and choose system architectures that safeguard personal data (such as using pseudonymization or aggregation techniques where appropriate).
  • Default Privacy Settings: Livappy's services are configured with privacy-friendly defaults. This means that, unless a user actively chooses otherwise, the minimum necessary personal data is collected and used. Any features that could impact privacy are set to the most protective settings by default[9]. Users are not required to opt in to extra data collection for the service to function – privacy is the standard setting.
  • Data Protection Impact Assessments (DPIAs): We conduct Data Protection Impact Assessments for any new or significantly changed processing activities that may pose high risks to individual privacy. Through DPIAs, we identify potential privacy issues early and address them by adjusting our design or implementing additional safeguards. This process ensures compliance with GDPR Article 35 and demonstrates our thorough consideration of privacy risks in advance.
  • Training and Awareness: Our engineering and product teams receive training on Privacy by Design principles. We cultivate an internal culture where employees and contractors are aware of privacy obligations and consistently apply privacy-centric thinking when handling personal data. Before launching new features, we conduct privacy reviews or checklists to ensure compliance controls are in place.
  • Ongoing Reviews and Improvements: Privacy by Design is not a one-time effort. Livappy continuously monitors and reviews its systems to ensure they uphold privacy standards over time. We perform periodic audits and updates to security and privacy controls, adapt to new regulatory guidance, and incorporate user feedback to improve data protection. If changes in technology or data use occur, we revisit our designs to maintain the highest level of data protection by default.

By embedding privacy into the fabric of our operations, Livappy not only complies with GDPR's requirement for Privacy by Design and Default, but also builds trust with users. Our goal is to ensure that privacy is an integral part of our company's innovation and services – protecting personal data from the ground up and by default in every instance.

Technical and Organisational Measures

Livappy has implemented a comprehensive set of technical and organizational security measures to protect personal data and ensure a level of security appropriate to the risk, as required by GDPR Article 32[11]. We recognize that safeguarding personal data is paramount, and we employ industry best practices to prevent unauthorized access, disclosure, alteration, or loss of data. Key measures include:

  • Encryption: All personal data handled by Livappy is protected by strong encryption, both in transit and at rest. We use up-to-date encryption protocols (such as TLS) for data in transit over networks, and robust encryption algorithms to encrypt data stored in our databases and backups. This ensures that even if data were to be intercepted or accessed without authorization, it would remain unintelligible and secure[12]. Where feasible, we offer mechanisms for managing encryption keys securely to prevent any single point of compromise.
  • Access Controls: Livappy enforces strict access control mechanisms to ensure personal data is only accessible to authorized personnel on a need-to-know basis. We have implemented role-based access controls and user authentication systems (including multi-factor authentication for sensitive systems) to limit who can access data. Staff access to personal data is granted based on job role and revoked or adjusted promptly when roles change. Every employee or contractor with access to personal data is bound by confidentiality obligations and receives training on data security.
  • Logging and Monitoring: We maintain detailed logging of system access and data processing activities. All access to personal data repositories, as well as significant actions taken with personal data, are logged in secure audit trails. Livappy employs monitoring tools to review logs and detect any irregular or unauthorized activities. This not only helps us prevent and identify potential security incidents, but also provides an audit record to demonstrate accountability for data access and modifications.
  • Secure Infrastructure (AWS Cloud): Our services are hosted on Amazon Web Services (AWS), a reputable cloud provider with high security standards and GDPR-compliant practices. We take advantage of AWS's security features and compliance certifications. For example, we choose data center regions in Europe to store EU personal data, leverage AWS's built-in firewalls and network security, and regularly apply software patches and updates. AWS provides strong guarantees and options for data protection (including customer control over data location, encryption, and access management)[12], which we utilize to bolster our overall security posture.
  • Network and System Security: Livappy protects its IT systems through measures such as firewalls, intrusion detection and prevention systems (IDS/IPS), anti-malware protection, and secure network architecture. We separate environments (e.g., development, testing, production) to reduce risk, and employ vulnerability management practices including regular vulnerability scanning and penetration testing. Any identified security issues are promptly addressed.
  • Organisational Policies and Training: We have established internal security and data protection policies that all employees and contractors must follow. These policies cover proper handling of personal data, use of devices, incident reporting protocols, and more. We conduct regular training and awareness programs so that our team stays vigilant and knowledgeable about cybersecurity and privacy best practices. Access to personal data requires compliance with these policies, and violations can result in disciplinary action.
  • Regular Audits and Assessments: Livappy periodically audits its data protection measures and conducts risk assessments to ensure ongoing effectiveness. We review user access rights regularly, test our incident response plans, and may engage independent auditors to evaluate our security controls. Any weaknesses or opportunities for improvement identified are promptly remediated. These audits help us maintain compliance and continually align with evolving security standards and regulatory guidance.
  • Business Continuity and Backups: To protect against data loss or destruction, we maintain secure data backup routines and have disaster recovery plans in place. Backups of critical personal data are encrypted and stored securely (including off-site or cloud backups), and we periodically test data restoration. In the event of any system failure or disaster, Livappy can recover personal data to prevent permanent loss, in line with integrity and availability requirements.
  • Pseudonymization and Data Minimization: Wherever appropriate, Livappy applies pseudonymization to personal data – replacing identifying fields with artificial identifiers – to reduce risk in case of unauthorized access. We also adhere strongly to the principle of data minimization, collecting and retaining only the personal data that is necessary for our specified purposes[10]. By minimizing the data we hold and separating or anonymizing data where possible, we limit the impact of any potential security issue.

Through these and other measures, Livappy ensures that personal data is protected by design and by default at all times[13]. We continuously evaluate new security technologies and practices to enhance our protections. Our commitment is to maintain a state-of-the-art security framework that meets or exceeds GDPR's requirements for data security, thereby safeguarding the trust that our users and customers place in us.

Data Protection Officer (DPO)

The GDPR requires certain organizations to appoint a Data Protection Officer when specific criteria are met, such as if core activities consist of large-scale processing of sensitive data or regular and systematic monitoring of individuals on a large scale[19]. Livappy OÜ has not yet appointed a Data Protection Officer, as our current scale and nature of data processing do not make this a mandatory requirement under Article 37 of the GDPR. Specifically, Livappy's core activities at present do not involve large-scale processing of special categories of data or large-scale regular monitoring of individuals that would legally compel a DPO appointment[19]. We have assessed our obligations and determined that, for now, a formal DPO is not required.

However, Livappy remains vigilant about this requirement. We are committed to appointing a qualified DPO in the future if our operations or legal obligations change such that a DPO becomes necessary. For example, if Livappy's business expands to process highly sensitive personal data on a large scale, or if we begin extensive profiling/monitoring activities, we will revisit the need for a DPO and promptly make an appointment in line with GDPR stipulations.

Current Data Protection Measures

Even in the absence of a formally designated DPO, Livappy ensures that data protection responsibilities are clearly assigned within the organization:

  • We have a dedicated privacy and compliance team (or officer) that oversees GDPR adherence and advises on data protection matters. This team monitors our data protection performance, provides guidance on GDPR obligations, and acts as an internal advocate for users' privacy.
  • We provide contact information (info@livappy.com) for all data protection inquiries or requests, and we treat these communications with the same care and attention as if a DPO were in place. Any inquiries or complaints received are handled diligently, and if needed, escalated to management or legal counsel specializing in privacy.
  • We maintain open lines of communication with supervisory authorities as needed and stay informed on regulatory guidance to ensure ongoing compliance.

Livappy understands the value that a DPO can bring, even if not strictly required – such as independent oversight and expert knowledge on privacy. We will continue to monitor our duties and will not hesitate to designate a DPO when the conditions or our growth make it appropriate. In the meantime, our commitment is that all the essential functions of a DPO (monitoring compliance, advising on DPIAs, training staff, etc.) are fulfilled through our internal governance structures.

Data Breach Notification

Despite strong protections, Livappy acknowledges that security incidents can potentially occur. In the event of a personal data breach (a security incident leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data), we have a clear procedure to manage the breach and fulfill GDPR's notification obligations. Our Data Breach Response Plan includes the following steps, in alignment with GDPR Articles 33 and 34:

  • Immediate Detection and Internal Alert: We have systems and processes in place to detect and alert us to potential data breaches. Our employees are trained to recognize and escalate security incidents. The moment a breach is suspected or identified, our internal response team (which includes IT, security, and management personnel) is notified. We designate a specific incident manager to oversee the investigation.
  • Containment and Assessment: Livappy will quickly contain the breach to prevent further data leakage (for example, by isolating affected systems, revoking compromised credentials, or shutting down specific functions). We then investigate the incident to determine the nature and scope of the breach, what data and individuals are impacted, and the potential risks to data subjects. As part of this assessment, we evaluate the likelihood and severity of any harm that may result.
  • Notification of Authorities (72 Hours): If the breach is likely to result in a risk to the rights and freedoms of individuals, Livappy will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach[14]. As Livappy is based in Estonia, our lead supervisory authority is likely the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon), unless the breach affects data subjects in multiple EU countries (in which case we will coordinate with the lead authority under the one-stop-shop mechanism). Our breach notification to authorities will include all required information (nature of the breach, categories and approximate number of data subjects and records concerned, likely consequences, measures taken or proposed to address the breach, etc.). If we are unable to provide all details within 72 hours, we will provide the information in phases as permitted, with an explanation for the delay[15,16].
  • Notification of Affected Individuals: If the breach is likely to result in a high risk to the personal data or privacy of individuals, we will also communicate the breach to the affected data subjects without undue delay[17]. This communication will be done in clear and plain language, describing the nature of the breach and providing recommendations for the individuals to mitigate potential adverse effects (for example, we might advise resetting passwords or being vigilant against phishing if credentials were exposed). We will not notify individuals if, due to effective technical measures (like encrypted data) or other factors, the breached data is unintelligible or the risk is low, unless authorities instruct us to do so.
  • Remediation and Future Prevention: Livappy will immediately take steps to remediate the cause of the breach. This may involve fixing software vulnerabilities, tightening access controls, improving encryption, or other corrective actions to ensure a similar incident does not recur. We will also document lessons learned and update our security policies and training accordingly. Senior management is informed of all breaches and remediation progress, ensuring accountability and support for necessary improvements.
  • Documentation: In compliance with GDPR Article 33(5), Livappy documents all data breaches, regardless of whether they require notification. This internal breach register records the facts relating to the breach, its effects, and the remedial actions taken. Such documentation allows supervisory authorities to verify our compliance and helps us continually refine our security incident response. Even for minor incidents, we keep a record as part of our accountability obligations[18].

By following this structured approach, Livappy ensures that any data breach is handled swiftly and transparently, with the ultimate aim of protecting our users' data and rights. Our 24/7 incident response preparedness and commitment to the 72-hour notification window reflect the seriousness with which we treat the security of personal data and our GDPR duties.

Data Processing Agreements

Livappy relies on certain trusted third-party service providers (processors) to support our services – for example, cloud infrastructure providers, identity verification services, and analytics platforms. In accordance with GDPR requirements, Livappy signs Data Processing Agreements (DPAs) with all external processors that handle personal data on our behalf[20]. These DPAs are formal contracts that ensure each processor is committed to GDPR compliance and protects personal data to the same high standards that we do. Key aspects of our approach to DPAs include:

  • Mandatory DPAs with All Processors: We have a policy that no personal data will be shared with or entrusted to a third-party processor unless a GDPR-compliant DPA is in place. This includes major partners such as Amazon Web Services (AWS) for cloud hosting, Veriff for identity verification services, Google for cloud-based tools or analytics, and any other vendor or contractor processing data. Each of these processors has contractually agreed to abide by GDPR's requirements, to only process data on Livappy's documented instructions, and to implement appropriate security measures.
  • Assurances and Sufficient Guarantees: In line with Article 28 and Recital 81 of the GDPR, Livappy only engages processors that provide sufficient guarantees of their capability to protect personal data[21]. Our Data Processing Agreements stipulate that processors must implement all appropriate technical and organizational measures to safeguard data (e.g., encryption, access controls, confidentiality obligations) and assist Livappy in fulfilling data subject requests and breach notifications as needed[22]. We carefully vet new suppliers for their data protection practices and reputation before onboarding them as processors.
  • Key DPA Terms: Each DPA that Livappy signs contains all required clauses as per GDPR Article 28(3). These include, among others: the processor will process personal data only on Livappy's instructions; personnel processing the data are bound by confidentiality; the processor will help ensure compliance with security requirements and assist with data subject rights and DPIAs; sub-processors cannot be engaged without our authorization and must be bound by the same obligations; the processor will return or delete personal data at the end of the engagement; and the processor must submit to audits and provide evidence of compliance[22]. These contractual terms give Livappy and our users confidence that personal data remains protected even when handled by third parties.
  • Monitoring and Enforcement: Livappy maintains an inventory of all current data processors and the status of our agreements with them. We monitor our processors' compliance – for example, by reviewing their security certifications, audit reports, or adherence to codes of conduct. If a processor fails to meet their data protection obligations, we take prompt action which could include requiring remediation, suspending data processing, or even terminating the contract. Additionally, our DPAs hold processors liable for protecting the data, meaning they must indemnify Livappy (and ultimately our users) for any damage caused by their processing that doesn't meet GDPR standards.
  • Sub-processors: Where our processors further subcontract any processing (for instance, if AWS uses subcontractors in maintaining data centers), those sub-processors are required by our DPAs to be held to the same standards. Livappy's contracts ensure there is a chain of GDPR-compliant obligations down through all levels of data processing.

Note: Livappy has entered into a Data Processing Agreement (DPA) with Google Ireland Limited for the provision of Google Workspace services (email, calendar, cloud). Google acts as a data processor on behalf of Livappy, and all processing complies with the GDPR, including Standard Contractual Clauses (SCCs) where data may be transferred outside the EU.

By maintaining rigorous Data Processing Agreements, Livappy fulfills its duty as a data controller to only work with processors that can guarantee the protection of personal data[23]. This contractual diligence is a fundamental part of our GDPR compliance program and provides assurance to our customers and users that their data will be handled safely not just by Livappy, but also by any partner or supplier involved in delivering our services. We regularly review and update our DPAs in line with legal developments and ensure all new partnerships begin with a solid data protection contract in place.

Contact Information

Contact email: info@livappy.com

Effective date: September 10, 2025

Operator: Livappy OÜ (registry code 17298558)
Harju maakond, Tallinn, Kesklinna linnaosa, Sakala tn 7-2, 10141, Estonia
Registered with Tartu County Court Registry Department, commercial register card no. 1

Effective Date and Review

This GDPR Compliance Policy is effective as of the date of publication and is approved by Livappy's management. We will review the policy at least annually, and additionally as needed to reflect any changes in our practices or in the law. Updates will be published to ensure that employees, customers, and partners remain informed about how Livappy upholds its commitment to GDPR compliance.

References

[1, 12] GDPR - Amazon Web Services (AWS) - https://aws.amazon.com/compliance/gdpr-center/

[2, 3] EU General Data Protection Regulation Compliance Policy | Policy Library - https://www.policylibrary.gatech.edu/legal/eu-general-data-protection-regulation-compliance-policy

[4, 5, 6, 7] Respect individuals' rights | European Data Protection Board - https://www.edpb.europa.eu/sme-data-protection-guide/respect-individuals-rights_en

[8, 9, 10] Privacy by Design & by Default: What You Need To Know - https://www.datagrail.io/blog/data-privacy/privacy-by-design-privacy-by-default/

[11, 20, 21, 22] What is a GDPR data processing agreement? - GDPR.eu - https://gdpr.eu/what-is-data-processing-agreement/

[13] Data protection by design and by default | ICO - https://ico.org.uk/for-organisations/law-enforcement/guide-to-le-processing/accountability-and-governance/data-protection-by-design-and-by-default/

[14, 15, 16, 17, 18] Personal data breaches: a guide | ICO - https://ico.org.uk/for-organisations/report-a-breach/personal-data-breach/personal-data-breaches-a-guide/

[19] Does my company/organisation need to have a Data Protection Officer (DPO)? - European Commission - https://commission.europa.eu/law/law-topic/data-protection/rules-business-and-organisations/obligations/data-protection-officers/does-my-companyorganisation-need-have-data-protection-officer-dpo_en

[23] GDPR Compliance Statement - Free Privacy Policy - https://www.freeprivacypolicy.com/blog/gdpr-compliance-statement/

© 2025 livappy.com. All rights reserved.