Effective Date:
June 11, 2025
Last Updated:
June 11, 2025
Version:
1.0 (Enhanced for GDPR Compliance)
1. Introduction & Legal Basis
This Privacy Policy ("Policy") describes how
lucViS
, operated by SERGEI SKOREDIN PR BEOGRAD, a sole proprietorship registered in
Serbia
with planned operations in Germany (PIB: 67132068), collects, uses, stores, and discloses data obtained via marketplace APIs, integrated services, and user interactions.
Data Controller/Processor Relationship:
You (the business user) act as the
data controller
and we act as your
data processor
under GDPR Article 28. We process personal data solely according to your documented instructions and for the purpose of providing analytics services.
Legal Basis for Processing:
Our processing of your business data is based on the performance of our contract with you. For any personal data of EU residents, processing is based on legitimate interests (business analytics) with appropriate safeguards.
3. How We Use Your Data
Permitted Uses:
-
Providing analytics dashboards (price trends, inventory alerts)
-
Generating AI-based insights and custom reports
-
Storing and displaying historical data for your products
-
Account authentication and access control
-
Service optimization and performance improvement
Prohibited Uses:
We do
not
and will
never
:
-
Aggregate identifiable data across multiple users
-
Use your data for competitor targeting
-
Target customers for marketing purposes
-
Combine your data with external data services without consent
-
Resell, redistribute, or share your data with unauthorized third parties
-
Use data for advertising, profiling, or benchmarking across users without explicit permission
4. Data Sources & Collection Methods
Authorized Sources Only:
-
E-commerce Platform APIs:
With your explicit OAuth consent and authorization (Amazon, eBay, etc.)
-
Integrated Services:
Marketplaces, retail platforms, and other data sources you choose to connect
-
User-Provided Data:
Account information, preferences, uploaded files
No Web Scraping:
We do
not
scrape data from any platform. All data collection is performed through official APIs with proper authorization.
5. Data Retention & Automatic Deletion
Retention Periods:
-
Personally Identifiable Information:
Maximum 30 days post-delivery (automatically deleted)
-
Business Analytics Data:
Retained while your account is active
-
OAuth Tokens:
Until revoked or account termination
-
Security Logs:
90 days
Account Termination:
Upon token revocation or account deletion, all data is permanently removed within
30 days
, with deletion confirmation provided upon request.
Right to Deletion:
You may request immediate data deletion at any time via [email protected] or through your dashboard.
6. Security Measures
We implement industry-leading security measures to protect your data:
AES-256 Encryption
TLS 1.2+ Transit
Multi-Factor Auth
Annual Penetration Testing
180-Day Vulnerability Scans
Network Segmentation
Detailed Security Controls:
-
Data at Rest:
AES-256 encryption with annual key rotation
-
Data in Transit:
TLS 1.2+ encryption for all communications
-
Access Control:
Role-based access with multi-factor authentication
-
Monitoring:
24/7 intrusion detection and activity logging
-
Testing:
Annual penetration testing by certified professionals
-
Vulnerability Management:
Scanning every 180 days with immediate patching
-
Incident Response:
24-hour breach notification protocol
7. GDPR Rights & Data Subject Support
Your Rights Under GDPR:
-
Right of Access:
Receive copy of your data within 30 days
-
Right to Rectification:
Correct inaccurate or incomplete data
-
Right to Erasure:
Request deletion of your personal data
-
Right to Restrict Processing:
Limit how we process your data
-
Right to Data Portability:
Receive data in machine-readable format
-
Right to Object:
Object to processing based on legitimate interests
-
Right to Withdraw Consent:
Revoke authorization at any time
-
Right to Lodge Complaints:
Contact supervisory authorities
Response Time:
We will respond to all rights requests within
72 hours
and fulfill valid requests within
30 days
.
Data Protection Officer:
For complex privacy matters, contact our DPO at [email protected]
8. International Data Transfers & Safeguards
Transfer Mechanisms:
Data transfers from EU to Serbia (and future Germany) are safeguarded through:
-
Standard Contractual Clauses (SCCs):
EU Commission approved 2021 version
-
Technical Safeguards:
End-to-end encryption and access controls
-
Transfer Impact Assessment:
Regular reviews of transfer risks
-
Data Localization:
EU customer data can remain within EU upon request
Future Germany Operations:
Upon establishment of German operations, EU data may be processed within Germany under equivalent protection standards.
9. Data Breach Notification
Breach Response Protocol:
-
Detection to Notification:
24 hours maximum
-
Detailed Report:
Within 48 hours including affected data categories
-
Regulatory Notification:
Support for 72-hour GDPR reporting requirement
-
Remediation:
Immediate security measures and prevention steps
10. Sub-Processors & Third Parties
Current Sub-Processors:
-
Cloud Infrastructure:
DigitalOcean
-
Database Services:
MongoDB Atlas
-
Email Services:
SendGrid for transactional communications
-
Analytics:
Sentry for system performance monitoring (anonymized data only)
-
AI Processing:
OpenAI and Anthropic for data analysis and insights generation
-
Payment Processing:
Stripe
-
Authentication:
Auth0 with Google OAuth2
-
Customer Support:
Crisp
Sub-Processor Changes:
We will notify you 30 days before engaging new sub-processors affecting your data.
11. Policy Updates & Notifications
Material changes to this Policy will be communicated
30 days in advance
via:
-
Email notification to your registered address
-
Platform dashboard notification
-
Updated effective date on this page
Continued use of the service after the effective date constitutes acceptance of updated terms.
12. AI-Based Analysis & Processing
lucViS
utilizes artificial intelligence technologies, including large language models (LLMs) from OpenAI (ChatGPT) and Anthropic (Claude), to analyze data, generate insights, and provide business recommendations.
Data Protection Notice:
We never transmit personally identifiable information (PII) to language model providers. All data is anonymized and stripped of any user identifiers before processing through AI systems.
Categories of Data Processed by AI:
-
Anonymized product metadata (names, descriptions, categories)
-
Numerical metrics in aggregated form (price ranges, ratings)
-
Statistical market trends and patterns
-
General analytical queries without user identifiers
Data Protection Measures for AI Processing:
-
Strict Anonymization:
Removal of all direct and indirect identifiers
-
Data Minimization:
Transmission of only necessary data for specific analytical tasks
-
Transit Encryption:
Secure connections when exchanging data with AI services
-
No Long-term Storage:
Data is not retained in AI systems after processing is complete
-
Regular Audit:
Periodic review of all AI interactions and data flows
AI Data Anonymization Process:
-
Identifier Removal:
All user identifiers, including name, contacts, and account ID are completely removed
-
Numerical Data Aggregation:
Exact numerical metrics are replaced with ranges or percentage ratios
-
Metadata Generalization:
Specific product characteristics are generalized to prevent identification
-
PII Verification:
Automated and manual verification of data for absence of personal information
-
Data Volume Control:
Transmission of only the minimum necessary volume of data for a specific analytical request
Legal Basis for Processing:
AI processing of data is conducted based on our legitimate interests in providing analytical services (Article 6(1)(f) GDPR), as well as for the performance of our contract with you (Article 6(1)(b) GDPR).
Limitation of Liability:
AI-generated analytics are provided for informational purposes only. Users are responsible for independently verifying and validating any insights generated by AI systems.
Opt-Out Option:
If you prefer not to use AI-based analysis, you may request exclusion by contacting [email protected]. This will not affect the core functionality of the service.
14. Data Categories and Processing Logic
lucViS
processes two types of data:
-
User-provided data:
such as email address, password hash (if applicable), and preferences. This is stored securely and is never sold or shared without consent.
-
Marketplace data:
publicly available trends and product information from various e-commerce platforms. No personal seller data is required to view these trends.
Anonymous Usage:
Any data used for analytics or display is fully anonymized before database storage. We do not retain personally identifiable information (PII) unless strictly necessary for account management or legal compliance.