Privacy Policy

1. Introduction

This Privacy Policy explains how LevirAI ApS ("LevirAI", "we", "us", "our") collects, uses, and protects personal data when you visit our website (levir.ai), contact us, or use our services.

We are committed to protecting your privacy and complying with the EU General Data Protection Regulation (GDPR) and Danish data protection law.

2. Who we are (Data Controller)

LevirAI ApS is the Data Controller responsible for the personal data described in this policy.

Contact: LevirAI ApS - CVR: 46451333 - Email: hello@levir.ai

If you have questions about this policy or wish to exercise your rights, contact us at the email above.

3. What personal data we collect

We collect personal data in the following situations:

When you visit our website:

• IP address (anonymized)
• Browser type and version
• Device type
• Pages visited and time spent on each page
• Referring website
• Approximate location (country/city level)

When you contact us:

• Name
• Email address
• Phone number (if provided)
• Company name and role
• The content of your message

When you book a call with us:

• Name
• Email address
• Company name
• Date and time of the meeting
• Any information you provide in the booking form

When you become a client:

• Business contact details
• Billing information (name, address, VAT number)
• Information related to the service we provide
• Any data your team shares with us during the engagement

We do NOT collect:

• Sensitive personal data (health, religious beliefs, political opinions, etc.) unless explicitly required for a project, in which case we will obtain specific consent
• Payment card details (handled directly by our payment provider)

4. Why we collect this data and the legal basis

We process personal data only when we have a lawful basis to do so under GDPR Article 6:

• Operating the website and providing services. Legitimate interest (Art. 6(1)(f)).
• Responding to inquiries and managing client relationships. Performance of a contract (Art. 6(1)(b)) or pre-contract steps.
• Sending invoices and managing payments. Legal obligation (Art. 6(1)(c)).
• Sending marketing emails (only if you've subscribed). Consent (Art. 6(1)(a)).
• Improving our website and services. Legitimate interest (Art. 6(1)(f)).
• Complying with tax and accounting laws. Legal obligation (Art. 6(1)(c)).

You can withdraw consent at any time where consent is the basis for processing.

5. Cookies and tracking

Our website uses a limited number of cookies and similar technologies.

Essential cookies:

Required for the website to function. These do not require consent.

Analytics:

We use Google Analytics to understand how visitors use our website. This tool is privacy-friendly and does not use cookies that identify individuals. No personal data is collected for analytics purposes.

Embedded content:

When you book a call, we use Cal.com, which may set its own cookies. See their privacy policy for details.

You can block or delete cookies through your browser settings at any time.

6. Who we share your data with (Sub-processors)

We do not sell your data. We share it only with trusted service providers ("sub-processors") that help us deliver our services. Each is bound by GDPR-compliant data processing agreements.

Our current sub-processors:

• Anthropic PBC – Claude AI processing – USA (with EU endpoints available)
• Celonis SE (Make.com) – Workflow orchestration – EU
• Hostinger – Website hosting – EU
• Google Workspace – Business email – EU
• Cal.com – Meeting booking – EU
• Google Analytics – Website analytics – EU
• Dinero / Billy – Invoicing and accounting – EU

When we engage a new sub-processor, we update this list. Active clients are notified in advance of any material change.

7. International data transfers

Some of our sub-processors are based outside the European Economic Area (EEA), particularly in the United States. When personal data is transferred outside the EEA, we ensure adequate protection through:

• The European Commission's Standard Contractual Clauses (SCCs)
• The EU-US Data Privacy Framework, where applicable
• Additional safeguards as needed

For clients with strict data residency requirements, we configure our stack to keep data within EU regions where possible.

8. How long we keep your data

We keep personal data only as long as necessary for the purposes described:

• Website analytics: 12 months.
• Contact form submissions: 24 months.
• Client records (active clients): Duration of the engagement + 5 years.
• Invoicing and accounting records: 5 years (Danish bookkeeping law)
• Marketing email subscribers: Until you unsubscribe
• Backup data: Up to 30 days after deletion from primary systems

When the retention period ends, data is deleted or anonymized.

9. Your rights under GDPR

You have the following rights regarding your personal data:

Right of access

Request a copy of the personal data we hold about you.

Right to rectification

Ask us to correct inaccurate or incomplete data.

Right to erasure ("right to be forgotten")

Ask us to delete your data, subject to legal retention obligations.

Right to restrict processing

Ask us to limit how we use your data.

Right to data portability

Receive your data in a structured, machine-readable format.

Right to object

Object to processing based on legitimate interest, including for direct marketing.

Right to withdraw consent

Where processing is based on consent, you can withdraw it at any time.

Right to lodge a complaint

You can complain to the Danish Data Protection Authority (Datatilsynet) at datatilsynet.dk.

To exercise any of these rights, email us at hello@levir.ai. We will respond within 30 days.

10. How we protect your data

We take security seriously and apply appropriate technical and organizational measures, including:

• OAuth-based authentication for third-party tool access (we don't store your passwords)
• Encrypted data transmission (HTTPS/TLS)
• Limited access to client data, restricted to the founders
• Sub-processors selected for their security and GDPR compliance
• No long-term storage of client business data outside the client's own tools

While no system is 100% secure, we apply industry-standard practices and continuously review our security posture.

11. Data breaches

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

• Notify the Danish Data Protection Authority within 72 hours, as required by GDPR
• Notify affected individuals without undue delay if the breach is high-risk
• Document all breaches internally, regardless of severity

12. Children's privacy

Our services are intended for businesses, not individuals under 18. We do not knowingly collect personal data from children. If we become aware that we have, we will delete it.

13. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email to active clients and posted prominently on our website at least 30 days before taking effect.

The "Last updated" date at the top of this policy indicates when it was most recently revised.

14. Contact and complaints

For any questions, requests, or complaints regarding your personal data:

Email: hello@levir.ai

If you are not satisfied with our response, you have the right to lodge a complaint with the Danish Data Protection Authority:

Datatilsynet
Carl Jacobsens Vej 35
2500 Valby, Denmark
Website: datatilsynet.dk
Phone: +45 33 19 32 00