Privacy Policy

Last updated: 22 March 2026 · Effective: 22 March 2026

1. Introduction

Lokvio (“Lokvio”, “we”, “us”, or “our”) is a cloud-based operations management platform designed to help businesses manage locations, staff checklists, incidents, announcements, and handover notes across multiple sites. This Privacy Policy explains how we collect, use, disclose, and protect personal data when you use our web application and related services (collectively, the “Service”).

This policy applies to all users of the Service, including account owners, administrators, managers, and staff members. By accessing or using the Service, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy.

We are committed to protecting your privacy and complying with applicable data protection laws, including the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), Thailand’s Personal Data Protection Act (PDPA), South Africa’s Protection of Personal Information Act (POPIA), Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), Brazil’s Lei Geral de Proteção de Dados (LGPD), Australia’s Privacy Act 1988 (Cth), and the UAE Federal Decree-Law No. 45/2021 on Personal Data Protection.

If you have any questions about this Privacy Policy or how we handle your personal data, please contact us at privacy@lokvio.com.

2. Information We Collect

We collect personal data that you provide directly to us, data that is generated through your use of the Service, and certain technical data collected automatically. The categories of data we collect are as follows:

2.1 Account Data

When you register for an account or are invited to join an organisation on Lokvio, we collect personal data necessary to create and manage your account. This includes your full name, email address, business or organisation name, and your role within the organisation (e.g., Owner, Manager, Staff). You may optionally provide a profile photo or other identifying information.

2.2 Usage Data

We collect information about how you interact with the Service, including the pages and features you visit, the actions you take (such as completing checklist items, creating incidents, or posting announcements), and the timestamps associated with those actions. This data helps us understand how the Service is used and to improve it for all users.

2.3 Location Operation Data

As part of providing the Service, we store operational data that you and your team generate. This includes checklist completion records, incident reports and associated photos or attachments, announcements, handover notes, and any notes or comments added to location records. This data may contain personal references to staff members or third parties (e.g., a customer name mentioned in an incident report). You are responsible for ensuring that any personal data included in operational content is collected and processed in accordance with applicable law.

2.4 Technical Data

We automatically collect certain technical information when you access the Service, including your IP address, browser type and version, operating system, device type, screen resolution, referring URL, and general geographic location derived from your IP address (country or city level only). We also collect information about your session, such as session duration and pages visited, via cookies and similar technologies. Please refer to our Cookie Policy for more information.

2.5 Payment Data

When you subscribe to a paid plan, payment processing is handled by our third-party payment processor, Polar. We do not collect, transmit, or store your full credit card number, CVV, or other sensitive payment card details on our systems. Our payment processor handles all payment card data in accordance with the Payment Card Industry Data Security Standard (PCI DSS). We may receive and store limited billing information such as the last four digits of your card, card type, billing name, billing address, and transaction history for our records and for customer support purposes.

3. How We Use Your Information

We use the personal data we collect for the following purposes:

  • Providing and operating the Service: To create and manage your account, authenticate you, process your subscription, and deliver all features of the platform including checklists, incident tracking, announcements, and reporting.
  • Transactional communications: To send you essential account notifications such as password reset emails, invitation emails for new team members, verification emails, billing confirmations, and subscription renewal reminders.
  • Automated reports: To generate and deliver automated weekly operational summary reports to account owners and designated managers.
  • Product improvement: To analyse aggregate usage patterns and understand how users interact with the Service in order to improve existing features, develop new features, fix bugs, and enhance the overall user experience.
  • Customer support: To respond to your support requests, troubleshoot issues, and communicate with you about your account or the Service.
  • Security and fraud prevention: To detect, investigate, and prevent fraudulent transactions, abuse, and other illegal activities, and to protect the security of our systems and users.
  • Legal compliance: To comply with applicable laws, regulations, legal processes, or enforceable governmental requests, and to enforce our Terms of Service and other agreements.

We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects without your explicit consent. We do not use your operational data (checklists, incidents, notes) for any purpose other than providing the Service to you.

4. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA) or the United Kingdom, we are required to identify a lawful basis for each processing activity involving your personal data under the GDPR and UK GDPR. The legal bases we rely on are as follows:

  • Contractual necessity (Article 6(1)(b) GDPR): Most of our processing is necessary for the performance of the contract we have with you (our Terms of Service). This includes creating your account, authenticating you, storing your operational data, processing payments, and sending transactional emails.
  • Legitimate interests (Article 6(1)(f) GDPR): We process certain data on the basis of our legitimate business interests, provided these are not overridden by your rights and interests. This includes using analytics to improve the Service, preventing fraud and abuse, and ensuring the security of our platform. We have conducted legitimate interests assessments (LIAs) for these processing activities.
  • Consent (Article 6(1)(a) GDPR): Where we rely on consent for processing (such as for non-essential cookies or optional marketing communications), you may withdraw your consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
  • Legal obligation (Article 6(1)(c) GDPR): We may process your data where we are required to do so by law, such as retaining financial records for tax and accounting purposes, or responding to lawful requests from public authorities.

5. Data Sharing and Third Parties

We do not sell, rent, or trade your personal data to any third party for their own marketing or commercial purposes. We share your data only as necessary to provide the Service, as required by law, or with your explicit consent. Our current sub-processors and third-party service providers are listed below. Each has executed a Data Processing Agreement (DPA) with us and implements appropriate technical and organisational security measures.

Provider | Purpose | Data Processed | Location
Supabase | Database hosting & authentication | All account and operational data | EU (AWS)
Cloudflare R2 | File and media storage | Uploaded photos and attachments | Global edge
Resend | Transactional email delivery | Name, email address, email content | US
Polar | Payment processing | Billing name, address, payment instrument | US
Vercel | Application hosting & edge delivery | IP address, request logs, analytics | Global edge

We may also disclose your personal data to law enforcement agencies, courts, regulators, government authorities, or other third parties where we are required to do so by applicable law or regulation, or where we believe disclosure is necessary to protect the rights, property, or safety of Lokvio, our users, or the public.

In the event of a merger, acquisition, reorganisation, or sale of all or substantially all of our assets, your personal data may be transferred to the acquiring entity, provided that the acquiring entity agrees to process your personal data in accordance with this Privacy Policy or provides you with equivalent or greater protections.

6. International Data Transfers

Lokvio operates globally, and as a result, your personal data may be transferred to and processed in countries outside of your country of residence, including countries that may not provide the same level of data protection as your home country.

For transfers of personal data from the European Economic Area (EEA) or the United Kingdom to third countries, we rely on the following safeguards:

  • Standard Contractual Clauses (SCCs): We use the European Commission’s approved Standard Contractual Clauses for transfers to countries that do not benefit from an adequacy decision, including the United States. UK users benefit from equivalent protections via the UK’s International Data Transfer Agreement (IDTA).
  • Adequacy decisions: Where the European Commission or UK Information Commissioner’s Office has issued an adequacy decision for a recipient country, we rely on that decision as the transfer mechanism.
  • Sub-processor DPAs: All of our sub-processors have executed Data Processing Agreements that include appropriate transfer mechanisms and comply with applicable data protection laws.

For transfers involving users in Thailand, Brazil, South Africa, Canada, Australia, and the UAE, we take reasonable steps to ensure that personal data is processed in accordance with the standards required by the applicable local data protection law, including by entering into appropriate contractual arrangements with sub-processors and implementing technical safeguards such as encryption and access controls.

You may request a copy of the transfer mechanisms we rely on by contacting us at privacy@lokvio.com.

7. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including satisfying any legal, accounting, or reporting obligations. Our retention periods are as follows:

  • Active accounts: We retain all account data and operational data (checklists, incidents, announcements, notes, reports) for the duration of your active subscription. Data is also retained for 30 days following the expiry or cancellation of your subscription to allow for reactivation or data export.
  • After account deletion: When you request deletion of your account, we will mark your account and associated data for deletion. The data will be permanently and irreversibly deleted from our production systems and backups within 90 days of the deletion request, except where we are required to retain it by law.
  • Financial and billing records: Transaction records, invoices, and billing history are retained for a minimum of 7 years from the date of the transaction to comply with tax, accounting, and legal obligations in the jurisdictions in which we operate.
  • Support records: Records of support interactions are retained for 3 years from the date of the interaction to enable continuity of support and for quality assurance purposes.
  • Security logs: System access logs and security event logs are retained for up to 12 months to support security monitoring, fraud investigation, and incident response.

Where we are required by law to retain data for longer periods, we will do so in compliance with that legal obligation, and we will restrict access to the data to the minimum necessary personnel.

8. Your Rights

Depending on your location, you may have specific legal rights regarding your personal data. We are committed to honouring these rights and have processes in place to handle requests promptly. To exercise any of the rights below, please contact us at privacy@lokvio.com. We will respond within 30 days of receipt of your request, or within any shorter timeframe required by applicable law.

8.1 EU and UK (GDPR / UK GDPR)

  • Right of access: You have the right to request a copy of the personal data we hold about you.
  • Right to rectification: You have the right to request that we correct inaccurate or incomplete personal data.
  • Right to erasure (‘right to be forgotten’): You have the right to request that we delete your personal data in certain circumstances.
  • Right to restriction of processing: You have the right to request that we restrict processing of your data in certain circumstances (e.g., while you contest the accuracy of the data).
  • Right to data portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller.
  • Right to object: You have the right to object to processing of your data on the basis of legitimate interests or for direct marketing purposes.
  • Right to withdraw consent: Where processing is based on consent, you have the right to withdraw consent at any time without affecting the lawfulness of prior processing.
  • Right to lodge a complaint: You have the right to lodge a complaint with your local data protection supervisory authority.

8.2 California (CCPA / CPRA)

  • Right to know: You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you in the past 12 months.
  • Right to delete: You have the right to request deletion of personal information we have collected from you, subject to certain exceptions.
  • Right to opt-out of sale or sharing: We do not sell your personal information or share it for cross-context behavioural advertising. No opt-out is required, but you may contact us to confirm this.
  • Right to non-discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.
  • Right to correct: You have the right to request correction of inaccurate personal information we maintain about you.
  • Right to limit use of sensitive personal information: Where applicable, you have the right to limit our use of sensitive personal information to specific permitted purposes.

8.3 Canada (PIPEDA)

  • Right of access: You have the right to request access to the personal information we hold about you and information about how it is used and disclosed.
  • Right to correction: You have the right to challenge the accuracy and completeness of your personal information and request correction where appropriate.
  • Right to withdraw consent: Subject to legal and contractual restrictions, you may withdraw consent to our collection, use, or disclosure of your personal information.
  • Right to complain: You have the right to file a complaint with the Office of the Privacy Commissioner of Canada.

8.4 Australia (Privacy Act 1988)

  • Right of access: You have the right to request access to the personal information we hold about you under Australian Privacy Principle 12.
  • Right to correction: You have the right to request correction of personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading under Australian Privacy Principle 13.
  • Right to complain: You have the right to make a complaint to the Office of the Australian Information Commissioner (OAIC) if you believe we have breached the Australian Privacy Principles.

8.5 South Africa (POPIA)

  • Right of access: You have the right to request access to records containing your personal information.
  • Right to correction or deletion: You have the right to request correction or deletion of personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or obtained unlawfully.
  • Right to object: You have the right to object to the processing of your personal information on reasonable grounds.
  • Right to complain: You have the right to submit a complaint to the Information Regulator of South Africa.

8.6 Brazil (LGPD)

  • Right of access: You have the right to confirm and access the personal data we process about you.
  • Right to rectification: You have the right to request correction of incomplete, inaccurate, or outdated personal data.
  • Right to anonymisation, blocking, or deletion: You have the right to request anonymisation, blocking, or deletion of unnecessary, excessive, or non-compliant data.
  • Right to data portability: You have the right to request portability of your data to another service provider.
  • Right to deletion of data processed with consent: You have the right to request deletion of personal data processed on the basis of consent.
  • Right to information: You have the right to information about the public and private entities with which we have shared your data.
  • Right to object: You have the right to object to processing carried out on grounds other than your consent.
  • Right to withdraw consent: You have the right to withdraw consent at any time.

8.7 Thailand (PDPA)

  • Right of access: You have the right to request access to and a copy of your personal data.
  • Right to rectification: You have the right to request correction of inaccurate or incomplete personal data.
  • Right to data portability: You have the right to request that your personal data be transferred to you or to another data controller in a commonly used electronic format.
  • Right to erasure: You have the right to request deletion or destruction of your personal data in certain circumstances.
  • Right to restriction: You have the right to request restriction of the processing of your personal data in certain circumstances.
  • Right to object: You have the right to object to the processing of your personal data where it is carried out for legitimate interests.
  • Right to withdraw consent: You have the right to withdraw consent to the processing of your personal data at any time.

8.8 UAE (Federal Decree-Law No. 45/2021)

  • Right of access: You have the right to request a copy of the personal data we hold about you, in accordance with Article 13 of Federal Decree-Law No. 45/2021.
  • Right to correction: You have the right to request correction of inaccurate or incomplete personal data.
  • Right to erasure: You have the right to request deletion of your personal data where the grounds for processing no longer exist.
  • Right to complain: You have the right to file a complaint with the UAE Data Office.

9. Cookies and Tracking Technologies

We use cookies and similar tracking technologies (such as local storage and session storage) to operate and improve the Service, maintain your authentication session, remember your preferences, and collect analytics data. Essential cookies are required for the Service to function and cannot be disabled. For non-essential cookies, we obtain your consent in accordance with applicable law, including the EU ePrivacy Directive, UK PECR, and equivalent national implementations.

We use Vercel Analytics for privacy-preserving analytics. Vercel Analytics does not store IP addresses, does not use cross-site tracking cookies, and is designed to be compliant with GDPR and CCPA requirements without requiring user consent for analytics purposes. For full details about the cookies we use, their purposes, and how to manage your cookie preferences, please review our Cookie Policy.

10. Children’s Privacy

The Service is intended for business use by adults and is not directed to individuals under the age of 16 (or the applicable minimum age in your jurisdiction). We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe that your child has provided us with personal data without your consent, please contact us immediately at privacy@lokvio.com. If we become aware that we have collected personal data from a child under 16, we will take prompt steps to delete that data from our systems.

Account owners are responsible for ensuring that any staff members they invite to use the Service are of the minimum required age. By inviting a user to join your organisation on Lokvio, you represent and warrant that the invited individual is at least 16 years of age.

11. Security

We take the security of your personal data seriously and implement a range of technical and organisational measures to protect it against unauthorised access, disclosure, alteration, or destruction. Our security measures include, but are not limited to:

  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS (Transport Layer Security) 1.2 or higher.
  • Encryption at rest: Data stored in our database and file storage systems is encrypted using AES-256 encryption.
  • Row-level security: Our database is configured with row-level security (RLS) policies to ensure that users can only access data belonging to their own organisation, preventing unauthorised cross-tenant data access.
  • SOC 2-grade infrastructure: Our primary database and authentication provider (Supabase) and hosting provider (Vercel) operate on infrastructure that meets SOC 2 Type II compliance standards.
  • Access controls: Access to production systems and personal data is restricted to authorised personnel on a need-to-know basis, and all access is logged and audited.
  • Regular security reviews: We conduct regular security reviews of our codebase, infrastructure, and third-party dependencies to identify and remediate vulnerabilities.
  • Incident response: We maintain an incident response plan and will notify affected users and relevant supervisory authorities of any data breach in accordance with applicable legal requirements (e.g., within 72 hours under GDPR).

While we implement robust security measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security but are committed to promptly addressing any security incidents. You are responsible for maintaining the security of your account credentials and for promptly notifying us of any unauthorised access to your account.

12. Contact and Data Protection Officer

If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact our privacy team:

Email: privacy@lokvio.com

We aim to respond to all privacy-related enquiries within 30 days of receipt.

EU Representative: As required by Article 27 of the GDPR, we are in the process of appointing an EU representative to act on our behalf in relation to our obligations under the GDPR. Details of our EU representative will be published here upon appointment. In the meantime, EU users may direct enquiries to privacy@lokvio.com.

Supervisory authority complaints: If you are not satisfied with our response to your privacy request, or if you believe we are processing your personal data in violation of applicable law, you have the right to lodge a complaint with the data protection supervisory authority in your country of residence. For EU users, this is the lead supervisory authority in the EU member state in which you reside. For UK users, this is the Information Commissioner’s Office (ICO). For Australian users, this is the Office of the Australian Information Commissioner (OAIC). For South African users, this is the Information Regulator. For Canadian users, this is the Office of the Privacy Commissioner of Canada. For Brazilian users, this is the Autoridade Nacional de Proteção de Dados (ANPD). For Thai users, this is the Personal Data Protection Committee (PDPC). For UAE users, this is the UAE Data Office.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or the features of our Service. When we make material changes to this policy, we will notify you by email at least 30 days before the changes take effect, using the email address associated with your account. We will also update the “Last updated” date at the top of this page.

For non-material changes (such as corrections of typographical errors or clarifications that do not alter the substance of our practices), we will update the policy without prior notice. We encourage you to review this Privacy Policy periodically to stay informed about how we protect your personal data.

Your continued use of the Service after the effective date of any changes to this Privacy Policy constitutes your acceptance of the updated policy. If you do not agree to the updated policy, you should stop using the Service and request deletion of your account.