Privacy Statement
PRIVACY POLICY
LEIDA TECH
Business ID: 3538835-9
Email: info@leida.ai
Last updated: January 15, 2026
1. INTRODUCTION
1.1 Purpose of this Privacy Policy
This Privacy Policy explains how LEIDA TECH ("we", "us", "our", "LEIDA") collects, uses, stores, and protects personal data when you:
visit our website (www.leida.ai);
use our Service (the LEIDA cloud-based SaaS platform);
communicate with us;
interact with our marketing materials.
1.2 Data Controller
LEIDA TECH is the data controller responsible for the processing of your personal data under this Privacy Policy.
Contact details:
Email: info@leida.ai
Data Protection Officer: laura@leida.ai
Business ID: 3538835-9
1.3 Scope
This Privacy Policy applies to:
Website visitors: Individuals who visit www.leida.ai
Service users: Individuals who use the LEIDA Service through their employer or organization
Prospective customers: Individuals who request information or demos
Newsletter subscribers: Individuals who subscribe to our communications
1.4 Customer Data
This Privacy Policy does not apply to personal data that our customers upload to the Service as part of their use of the platform ("Customer Data"). For Customer Data, our customers are the data controllers and LEIDA acts as a data processor. The processing of Customer Data is governed by our Data Processing Agreement (DPA).
2. LEGAL BASIS FOR PROCESSING
We process personal data only where we have a legal basis under the GDPR. The legal bases we rely on are:
| Purpose | Legal Basis |
|---|---|
| Providing the Service to customers | Performance of contract (Article 6(1)(b) GDPR) |
| Account creation and management | Performance of contract (Article 6(1)(b) GDPR) |
| Customer support | Performance of contract (Article 6(1)(b) GDPR) |
| Payment processing | Performance of contract (Article 6(1)(b) GDPR) |
| Marketing communications (with consent) | Consent (Article 6(1)(a) GDPR) |
| Marketing to existing customers | Legitimate interest (Article 6(1)(f) GDPR) |
| Website analytics and improvement | Legitimate interest (Article 6(1)(f) GDPR) |
| Security and fraud prevention | Legitimate interest (Article 6(1)(f) GDPR) |
| Compliance with legal obligations | Legal obligation (Article 6(1)(c) GDPR) |
Where we rely on legitimate interest, we have balanced our interests against your rights and freedoms and determined that processing is necessary and proportionate.
Where we rely on consent, you have the right to withdraw consent at any time.
3. PERSONAL DATA WE COLLECT
3.1 Information You Provide Directly
Account and Registration Data:
Full name
Email address
Job title and role
Company/organization name
Phone number (optional)
Password (stored in hashed form)
Payment and Billing Data:
Billing address
Company VAT number
Payment method information (processed by third-party payment processors)
Communications Data:
Support requests and correspondence
Feedback and survey responses
Chat messages with customer support
Email communications
Service Usage Data:
Content you create, upload, or store in the Service
Project data, regulatory documentation, and compliance records
User preferences and settings
3.2 Information Collected Automatically
Technical and Usage Data:
IP address
Browser type and version
Device type and operating system
Referring website
Pages visited and time spent
Features used within the Service
Error logs and diagnostic data
Cookies and Tracking Technologies:
Session cookies (essential for Service functionality)
Analytics cookies (with consent where required)
Preference cookies (to remember your settings)
See Section 9 for detailed information about cookies.
3.3 Information from Third Parties
We may receive personal data from:
Payment processors: Transaction confirmation and payment status
Authentication providers: If you use single sign-on (SSO) services
Public sources: Publicly available business contact information for B2B marketing
Your employer: If your organization provides us with user lists for account provisioning
4. HOW WE USE PERSONAL DATA
We use personal data for the following purposes:
4.1 Service Provision
Create and manage user accounts
Provide access to the LEIDA platform
Process and store your data within the Service
Generate AI-powered regulatory roadmaps and compliance documentation
Provide regulatory intelligence and monitoring
Enable collaboration features
4.2 Customer Support
Respond to support requests
Troubleshoot technical issues
Provide guidance on Service features
Investigate and resolve complaints
4.3 Service Improvement and Development
Analyze usage patterns to improve features
Develop new functionalities
Conduct research and development
Test and optimize AI models (using anonymized or aggregated data)
Ensure Service security and stability
4.4 Communication
Send transactional emails (account notifications, password resets, service updates)
Send administrative communications (billing, subscription changes)
Provide customer support responses
Send marketing communications (with consent or legitimate interest)
Conduct customer satisfaction surveys
4.5 Marketing and Business Development
Send newsletters and product updates (with consent)
Promote new features and services
Conduct targeted B2B marketing
Organize webinars and events
Analyze marketing effectiveness
4.6 Legal and Compliance
Comply with legal obligations (tax, accounting, regulatory reporting)
Enforce our Terms and Conditions
Protect against fraud and security threats
Respond to legal requests and court orders
Exercise or defend legal claims
4.7 Analytics and Performance
Monitor Service performance and uptime
Analyze user behavior and engagement
Generate aggregated statistics and reports
Conduct A/B testing and optimization
5. DATA SHARING AND DISCLOSURE
5.1 General Principle
We do not sell, rent, or trade your personal data. We share personal data only as described in this Privacy Policy.
5.2 Service Providers (Data Processors)
We engage third-party service providers to support our operations. These providers process personal data on our behalf and are bound by data processing agreements:
| Category | Purpose | Examples |
|---|---|---|
| Cloud Infrastructure | Hosting and data storage | AWS, Google Cloud, Microsoft Azure |
| AI and ML Services | AI model processing | OpenAI, Anthropic, or similar providers |
| Payment Processing | Payment and billing | Stripe, PayPal, or similar |
| Email Services | Transactional and marketing emails | SendGrid, Mailchimp, or similar |
| Analytics | Website and Service analytics | Google Analytics, Mixpanel, or similar |
| Customer Support | Support ticketing and chat | Intercom, Zendesk, or similar |
| Security and Monitoring | Security monitoring and incident response | Cloudflare, Sentry, or similar |
A complete list of sub-processors is available in our Data Processing Agreement (Annex 3) and upon request.
5.3 Business Transfers
In the event of a merger, acquisition, reorganization, or sale of assets, personal data may be transferred to the acquiring entity. We will notify you of any such change and your rights regarding your personal data.
5.4 Legal Requirements
We may disclose personal data if required to:
Comply with applicable laws, regulations, or legal processes
Respond to lawful requests from public authorities (e.g., court orders, subpoenas)
Protect our rights, property, or safety, or that of our users or the public
Detect, prevent, or address fraud, security, or technical issues
5.5 With Your Consent
We may share personal data with third parties where you have given explicit consent.
5.6 Aggregated and Anonymized Data
We may share aggregated, anonymized, or de-identified data that cannot reasonably be used to identify you, for research, marketing, or other purposes.
6. INTERNATIONAL DATA TRANSFERS
6.1 Transfers Outside the EEA
LEIDA is based in Finland (European Economic Area). However, some of our service providers may be located outside the EEA, including in the United States.
6.2 Safeguards for International Transfers
When we transfer personal data outside the EEA, we ensure appropriate safeguards are in place:
Adequacy Decisions: Transfers to countries recognized by the European Commission as providing adequate protection (e.g., UK, Switzerland, countries under the EU-US Data Privacy Framework)
Standard Contractual Clauses (SCCs): We use EU Commission-approved Standard Contractual Clauses (2021/914) with service providers in third countries
Supplementary Measures: In addition to SCCs, we implement technical and organizational measures such as encryption of data in transit and at rest, pseudonymization where feasible, access controls and authentication, and regular security audits
6.3 Your Rights
You may request:
Information about countries to which your data is transferred
Copies of the safeguards in place (e.g., SCCs)
Details of supplementary measures implemented
Contact us at info@leida.ai for such requests.
7. DATA RETENTION
7.1 Retention Principles
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law.
7.2 Retention Periods
| Data Category | Retention Period | Legal Basis |
|---|---|---|
| Account data (active users) | Duration of subscription + 30 days | Contract performance |
| Account data (inactive/deleted) | 30 days after account deletion | Legitimate interest (recovery period) |
| Billing and payment records | 6 years after transaction | Legal obligation (accounting laws) |
| Customer support records | 3 years after last interaction | Legitimate interest (quality assurance) |
| Marketing consent records | Until consent is withdrawn + 1 year | Legal obligation (proof of consent) |
| Website analytics data | 26 months | Legitimate interest (analytics) |
| Security logs | 12 months | Legitimate interest (security) |
| Legal claims data | Duration of claim + applicable limitation period | Legal obligation |
7.3 Deletion
After the retention period expires, we securely delete or anonymize personal data. Deletion is performed using industry-standard methods to prevent recovery.
7.4 Legal Holds
We may retain personal data beyond the standard retention period if required by law, legal proceedings, or regulatory investigations.
8. YOUR RIGHTS UNDER GDPR
As a data subject in the European Economic Area, you have the following rights:
8.1 Right of Access (Article 15 GDPR)
You have the right to obtain:
Confirmation of whether we process your personal data
A copy of your personal data
Information about the processing (purposes, categories, recipients, retention periods)
8.2 Right to Rectification (Article 16 GDPR)
You have the right to request correction of inaccurate or incomplete personal data.
8.3 Right to Erasure / "Right to be Forgotten" (Article 17 GDPR)
You have the right to request deletion of your personal data where:
The data is no longer necessary for the purposes for which it was collected
You withdraw consent (where processing is based on consent)
You object to processing and there are no overriding legitimate grounds
The data has been unlawfully processed
Deletion is required to comply with a legal obligation
Exceptions: We may refuse erasure where processing is necessary for:
Compliance with legal obligations
Establishment, exercise, or defense of legal claims
Archiving purposes in the public interest
8.4 Right to Restriction of Processing (Article 18 GDPR)
You have the right to request restriction of processing where:
You contest the accuracy of the data (during verification)
Processing is unlawful but you oppose erasure
We no longer need the data but you need it for legal claims
You have objected to processing (pending verification of legitimate grounds)
8.5 Right to Data Portability (Article 20 GDPR)
You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller, where:
Processing is based on consent or contract
Processing is carried out by automated means
8.6 Right to Object (Article 21 GDPR)
You have the right to object to processing based on legitimate interests or for direct marketing purposes.
Direct marketing: You may object at any time, and we will stop processing for that purpose.
Legitimate interests: You may object on grounds relating to your particular situation. We will stop processing unless we demonstrate compelling legitimate grounds that override your interests.
8.7 Right to Withdraw Consent (Article 7(3) GDPR)
Where processing is based on consent, you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
8.8 Right to Lodge a Complaint (Article 77 GDPR)
You have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of alleged infringement.
Finnish Data Protection Ombudsman (Tietosuojavaltuutettu):
Website: https://tietosuoja.fi
Email: tietosuoja@om.fi
Address: P.O. Box 1, 00131 Helsinki, Finland
8.9 Automated Decision-Making and Profiling (Article 22 GDPR)
We do not make decisions based solely on automated processing, including profiling, that produce legal effects or similarly significantly affect you.
The AI features in our Service are decision-support tools. Final decisions remain with the user.
9. EXERCISING YOUR RIGHTS
9.1 How to Submit a Request
To exercise your rights, contact us at:
Email: info@leida.ai
Subject line: "Data Subject Rights Request"
Include: Your full name, email address, and description of your request
9.2 Verification
To protect your privacy, we may request additional information to verify your identity before processing your request.
9.3 Response Time
We will respond to your request within one (1) month of receipt. In complex cases, we may extend this period by two additional months and will inform you of the extension and reasons.
9.4 Fees
Requests are generally processed free of charge. We may charge a reasonable fee for:
Manifestly unfounded or excessive requests
Additional copies of data (beyond the first copy)
9.5 Refusal
If we refuse your request, we will explain the reasons and inform you of your right to lodge a complaint with a supervisory authority.
10. COOKIES AND TRACKING TECHNOLOGIES
10.1 What Are Cookies?
Cookies are small text files stored on your device when you visit a website. They enable the website to recognize your device and remember information about your visit.
10.2 Types of Cookies We Use
| Cookie Type | Purpose | Duration | Legal Basis |
|---|---|---|---|
| Strictly Necessary | Essential for Service functionality (login, security, session management) | Session or up to 1 year | Legitimate interest (Article 6(1)(f) GDPR) |
| Functional | Remember your preferences and settings | Up to 1 year | Consent or legitimate interest |
| Analytics | Understand how visitors use our website and Service | Up to 26 months | Consent (where required by ePrivacy Directive) |
| Marketing | Deliver relevant advertisements and measure campaign effectiveness | Up to 13 months | Consent |
10.3 Third-Party Cookies
We use third-party services that may set cookies:
Google Analytics: Website traffic analysis
Intercom / Zendesk: Customer support chat
LinkedIn / Facebook Pixel: Marketing and retargeting (with consent)
10.4 Managing Cookies
You can control cookies through:
Browser settings: Most browsers allow you to view and delete cookies, block all cookies, block third-party cookies, and receive notifications when cookies are set.
Cookie consent tool: When you first visit our website, you can accept or reject non-essential cookies through our cookie banner.
Opt-out links:
Google Analytics: https://tools.google.com/dlpage/gaoptout
LinkedIn: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out
Facebook: https://www.facebook.com/settings?tab=ads
10.5 Do Not Track
Some browsers support "Do Not Track" (DNT) signals. Our website does not currently respond to DNT signals, as there is no industry standard for compliance.
10.6 Consequences of Disabling Cookies
Disabling strictly necessary cookies may prevent you from using certain features of the Service, such as logging in or maintaining session state.
11. SECURITY MEASURES
11.1 Our Commitment to Security
We implement appropriate technical and organizational measures to protect personal data against unauthorized access, loss, destruction, alteration, or disclosure.
11.2 Security Measures
Technical measures:
Encryption: Data encrypted in transit (TLS 1.2+) and at rest (AES-256)
Access controls: Role-based access control (RBAC), multi-factor authentication (MFA)
Network security: Firewalls, intrusion detection/prevention systems
Vulnerability management: Regular security scanning and penetration testing
Secure development: Security-by-design principles, code reviews
Organizational measures:
Employee training: Regular data protection and security awareness training
Confidentiality agreements: All employees sign confidentiality agreements
Access restrictions: Need-to-know and least-privilege principles
Incident response: Documented security incident response plan
Vendor management: Due diligence and contractual safeguards for service providers
11.3 Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
Notify the Finnish Data Protection Ombudsman within 72 hours of becoming aware
Notify affected individuals without undue delay if the breach is likely to result in a high risk
Provide information about the nature of the breach, likely consequences, and measures taken
11.4 Your Responsibility
You are responsible for:
Keeping your login credentials confidential
Using strong, unique passwords
Enabling multi-factor authentication (if available)
Logging out after using shared devices
Reporting suspected security incidents to security@leida.ai
12. CHILDREN'S PRIVACY
12.1 Age Restriction
The Service is intended for business and professional use only. We do not knowingly collect personal data from individuals under the age of 16.
12.2 Parental Consent
If we become aware that we have collected personal data from a child under 16 without parental consent, we will take steps to delete that information.
12.3 Reporting
If you believe we have collected personal data from a child under 16, please contact us at info@leida.ai.
13. THIRD-PARTY LINKS
13.1 External Websites
Our website and Service may contain links to third-party websites, services, or resources. We are not responsible for the privacy practices of these third parties.
13.2 Your Responsibility
We encourage you to review the privacy policies of any third-party websites you visit.
14. CHANGES TO THIS PRIVACY POLICY
14.1 Updates
We may update this Privacy Policy from time to time to reflect:
Changes in our data processing practices
New legal requirements
Improvements to our Service
Feedback from users or regulators
14.2 Notification
We will notify you of material changes by:
Posting the updated Privacy Policy on our website with a new "Last updated" date
Sending an email notification to registered users (for significant changes)
Displaying a prominent notice on the Service
14.3 Continued Use
Your continued use of the Service after the effective date of changes constitutes acceptance of the updated Privacy Policy.
14.4 Version History
Previous versions of this Privacy Policy are available upon request at info@leida.ai.
15. LEGAL FRAMEWORK AND COMPLIANCE
15.1 Applicable Laws
This Privacy Policy and our data processing practices comply with:
Regulation (EU) 2016/679 (GDPR) – General Data Protection Regulation
Finnish Data Protection Act (1050/2018) – National implementation of GDPR
Directive 2002/58/EC (ePrivacy Directive) – Privacy and electronic communications
Regulation (EU) 2024/1689 (AI Act) – Artificial Intelligence regulation
15.2 AI Act Transparency (Article 50)
The Service is an AI system within the meaning of the AI Act. We inform you that:
You are interacting with an AI system when using certain features of the Service
AI-generated content is marked where technically feasible
The Service is classified as a non-high-risk AI system
The Service is a B2B professional tool, not a consumer-facing chatbot
15.3 NIS2 Directive
We implement appropriate security measures in accordance with Directive (EU) 2022/2555 (NIS2) to ensure the security and resilience of our network and information systems.
16. CONTACT INFORMATION
For questions about this Privacy Policy or our data processing practices:
Email: info@leida.ai
Address: LEIDA TECH, Siltakatu 14 A 4, 33100 Tampere, Finland
17. SPECIFIC PROCESSING ACTIVITIES
17.1 Newsletter and Marketing Communications
Data collected: Email address, name, company, consent timestamp
Purpose: Send product updates, regulatory news, webinars, and promotional content
Legal basis: Consent (Article 6(1)(a) GDPR)
Retention: Until consent is withdrawn + 1 year (proof of consent)
Your rights: Unsubscribe at any time via the link in emails or by contacting info@leida.ai
17.2 Customer Support
Data collected: Name, email, support request content, Service usage data, communication history
Purpose: Provide technical support, troubleshoot issues, improve Service quality
Legal basis: Performance of contract (Article 6(1)(b) GDPR) and legitimate interest (Article 6(1)(f) GDPR)
Retention: 3 years after last interaction
17.3 Website Analytics
Data collected: IP address (anonymized), browser type, pages visited, time spent, referral source
Purpose: Understand website usage, improve user experience, optimize content
Legal basis: Consent (where required by ePrivacy Directive) or legitimate interest
Tools used: Google Analytics (with IP anonymization)
Retention: 26 months
Opt-out: https://tools.google.com/dlpage/gaoptout
17.4 Payment Processing
Data collected: Billing name, address, VAT number, payment method (processed by third-party payment processor)
Purpose: Process subscription payments, issue invoices, comply with tax obligations
Legal basis: Performance of contract (Article 6(1)(b) GDPR) and legal obligation (Article 6(1)(c) GDPR)
Third parties: Stripe, PayPal, or similar payment processors (see their privacy policies)
Retention: 6 years (accounting and tax law requirements)
17.5 AI Model Training
Data used: We do not use Customer Data to train AI models without explicit consent.
Aggregated data: We may use aggregated, anonymized usage statistics to improve AI model performance.
Third-party AI providers: Some AI features use third-party models (e.g., OpenAI). We ensure contractual safeguards prohibit use of your data for model training by third parties.
ACCEPTANCE
By using the Service or our website, you acknowledge that you have read and understood this Privacy Policy and agree to the processing of your personal data as described herein.
If you do not agree with this Privacy Policy, please do not use the Service or our website.
END OF PRIVACY POLICY