Privacy Policy

Effective date: May 17, 2026

Data controller: Lovex AB, a Swedish aktiebolag, with principal place of business in Sweden.

Contact for privacy matters: privacy@lovex.dev. We do not have a designated Data Protection Officer because the thresholds in GDPR Article 37 (250+ employees, large-scale systematic monitoring, or special-category processing as a core activity) do not apply to us today. Privacy oversight rests with the CEO until they do.

Plain summary

We collect the minimum we need to run our products, host your data in the European Union by default, do not sell your data, do not train AI models on your content, and let you export or delete your account at any time. The detailed sections below are written to satisfy GDPR Articles 13 and 14 — they describe what we do, why, how long we keep it, and how to exercise your rights. If anything below is unclear, write to privacy@lovex.dev.

When we act as controller vs processor

For most of the data described below, Lovex AB is the controller — we decide what to collect and why (e.g. your account data, our analytics, our marketing). For data your team or organization submits to our products as part of a workspace (tasks, projects, comments, AI chat), our role is processor — we process it on documented instructions from the customer organization that controls it. Our processor obligations are set out in the Data Processing Agreement.

Where data is stored and transferred

Primary application data — accounts, workspace content, billing records, audit logs — is stored in the European Union. Some sub-processors operate in the United States (AI inference, edge hosting, transactional email). Those transfers are covered by the EU-U.S. Data Privacy Framework at the recipient plus Standard Contractual Clauses with supplementary measures per the Schrems II judgment. The current sub-processor list, each one’s jurisdiction, and the transfer safeguard for each is published at /subprocessors.

What we collect, why, and how long we keep it

The sections below mirror our internal Article 30 Records of Processing Activities. Each section identifies the category of data, the lawful basis under Article 6 GDPR, and the retention period.

Account identity and authentication

What. Name, email address, hashed authentication tokens, OAuth-provider identifiers if you sign in via Google or GitHub, IP address at sign-in, user agent. Why. Performance of contract — we cannot provide an account without these. Lawful basis. Article 6(1)(b). Retention. While your account is active. Deleted immediately on your erasure request via the in-product flow described below.

Profile and preferences

What. Display name, avatar, notification preferences, locale, time zone, saved views. Why. Personalize the product for you. Lawful basis. Article 6(1)(b). Retention. While your account is active; included in account deletion.

Workspace content (when you use Lova or our other products)

What. Tasks, projects, comments, AI chat messages, attachments, automations, and the metadata around them. Why. To deliver the product to you and to your team. Lawful basis. Article 6(1)(b). When you are using the product as part of a team owned by another organization, we are the processor and they are the controller — see DPA. Retention. While the team is active. On team deletion, content is deleted on a cascade and you are notified.

Billing

What. Billing name, billing email, billing address, VAT number, country, last four digits of card, transaction history. We do not store full card numbers — payment processing flows through a PCI-DSS Level 1 certified payment sub-processor. Why. Process payments, issue invoices, collect moms (VAT), comply with Swedish bookkeeping law. Lawful basis. Article 6(1)(b) for the service contract, Article 6(1)(c) for the bookkeeping obligation. Retention. Seven years after the end of the fiscal year, per Bokföringslagen (1999:1078). This is a legal floor that overrides erasure requests for the billing records specifically.

Product analytics

What. Pseudonymous event stream — page views, button clicks, in-product feature use, session identifier, country (derived from IP; the IP itself is not stored). Why. Understand how the product is used so we can improve it. Lawful basis. Consent for the cookie-based identifier; legitimate interest for server-side aggregated metrics that do not identify individuals. Retention. Event-level: 12 months. Aggregated metrics: indefinite. No analytics fire until you accept cookies — see /cookie-policy.

Transactional email

What.Recipient email address, the email’s subject and body, delivery status. Why. Sign-in links, invitations, receipts, system notifications. Lawful basis. Article 6(1)(b). Retention.Provider-side delivery logs typically retained 7-30 days per the sub-processor’s policy.

Operational telemetry and error monitoring

What. Stack trace, request URL, your user account identifier (not name or email), HTTP method, anonymized IP. User-submitted content is redacted before transmission to the error monitoring sub-processor. Why. Detect, diagnose, and resolve application errors and abuse. Lawful basis. Article 6(1)(f) — legitimate interest in service security and proper functioning. Retention. 90 days for routine events; security-investigation-relevant logs may be retained longer with documented reason.

Support requests

What. Email address, name if provided, the content of the support thread, anything you voluntarily submit. Why. Respond to your question or report. Lawful basis. Article 6(1)(b) for product support; Article 6(1)(f) for security and abuse reports. Retention. Two years from the last activity on the thread.

Outbound contact (our sales outreach)

We sometimes contact people at organizations we think would benefit from our products (B2B outreach). When that happens we process the following about you: What. Your work email and work title, your name, the public details of the company you work for, and any engagement events (whether you opened or clicked our messages). Why. Reach out about a relevant product fit. Lawful basis. Article 6(1)(f) — legitimate interest in marketing our products to identifiable individuals at target organizations, balanced against your right to object. Source (Article 14). Public business directories and enrichment providers; never from a third party that does not have a lawful basis to share it. Your rights. You can opt out at any time by clicking the unsubscribe link in any message we send you, or by writing to privacy@lovex.dev. We honor opt-outs within one business day and add your email to a permanent suppression list so we will not contact you again. Retention. Active prospects: while you are engaging. Opted-out / do-not-contact entries: indefinite, for the express purpose of not contacting you again.

Audit log (in-product)

What. Records of mutating administrative actions on a team — actor user ID, action, resource affected, IP, user agent, timestamp. Why. Security investigation and customer-requested audit, per the DPA and Article 32 GDPR. Lawful basis. Article 6(1)(f) — legitimate interest in service security; contractual commitment. Retention. 365 days by default; configurable per Enterprise Order Form.

AI processing

We use third-party large language model providers (listed by category at /subprocessors) to power AI features — chat, board shaping, suggestions, narrations, automations. The following commitments apply to all AI features:

• We do not use your content to train our own models. Ever.
• Our AI providers do not use customer content to train their general-purpose models where they offer that contractual commitment. We rely on zero-retention-for-training clauses with every AI sub-processor.
• Provider-side abuse-monitoring retentionis typically up to 30 days, then deleted. We do not extend that retention; we accept the sub-processor’s shortest available window.
• AI Output is a draft. You accept, edit, or reject everything an AI feature produces. No AI feature produces a decision with legal or significant effect on you in the sense of GDPR Article 22 — outputs are inputs to your decision, not substitutes for it.
• Workspace AI opt-out. A Lead may disable AI features for their team (rollout in progress per /trustroadmap). While disabled, no AI inference is performed on that team’s content.

Cookies

We use a small set of cookies. The full breakdown is at /cookie-policy. Essential cookies (your authentication session, the cookie consent decision itself) are strictly necessary and do not require consent under Article 6(1)(f) and the ePrivacy Directive. Non-essential cookies (analytics) do not run until you accept them on the banner. The banner offers Accept and Reject with equal prominence, per IMY guidance. You can change your mind at any time via the “Cookie settings” link in the footer.

Data subjects we collect data about

Most often: people who sign up for an account directly. Two more cases worth calling out:

• Invited team members. When you are invited into a workspace by a colleague, your email address is processed before you sign up. The inviting organization is the controller for that data; we are the processor. See the DPA.
• People mentioned in workspace content.If a team member writes about someone (e.g. a task assigned to a non-user, a contact named in a comment), that person’s data is processed by us at our customer’s instruction. The customer organization is the controller for that data.
• Prospects we reach out to.See “Outbound contact” above.

Children

The Service is intended for users 16 years of age or older (or the higher minimum age applicable under the local national law transposing GDPR Article 8). If you are below the applicable minimum age, do not create an account.

Your rights under the GDPR

As an EU/EEA resident (and many other jurisdictions with similar laws), you have the following rights. To exercise any of them, use the in-product flow where one exists or write to privacy@lovex.dev. We acknowledge within one business day and respond substantively within 30 days (extendable to 60 days for complex requests, per Article 12 GDPR).

• Access and portability (Articles 15, 20). Export everything we hold about you as machine-readable JSON via /api/account/export, or request by email.
• Rectification (Article 16). Edit your profile and authored content directly in the product.
• Erasure / right to be forgotten (Article 17). Delete your account from account settings or via /api/account/delete. The deletion is immediate — there is no user-facing recovery window. Personal-data tables are hard-deleted via FK cascade; authored content in shared workspaces is anonymized by setting user_id to NULL so teammates are not left with confusing gaps. Backups containing personal data are overwritten by the backup rotation typically within 30 days. Accounting records subject to Swedish bookkeeping law are excluded from erasure for the 7-year retention period.
• Restriction of processing (Article 18). Request that we stop processing your data in specific ways while a dispute is resolved.
• Object to processing (Article 21). Object to processing based on legitimate interest, including our B2B outreach. We will stop unless we demonstrate compelling legitimate grounds that override your interests.
• Withdraw consent (Article 7). Where processing is based on consent (cookies, optional features), withdraw it at any time without affecting the lawfulness of processing before withdrawal.
• Not be subject to automated decision-making (Article 22). Our AI features produce drafts that you accept, edit, or reject. We do not make automated decisions about you with legal or significant effect on you.
• Lodge a complaint. The Swedish supervisory authority is Integritetsskyddsmyndigheten (IMY). You may also lodge a complaint with the supervisory authority of your habitual residence.

How we secure your data

Technical and organizational measures appropriate to the risk, reviewed at least annually. The headline list:

• TLS 1.2+ in transit; AES-256 at rest via managed providers.
• Row-level security at the database layer plus application-layer tenant isolation.
• MFA mandatory on administrative access; least-privilege role-based access.
• Continuous dependency scanning in CI; coordinated disclosure at security@lovex.dev.
• Audit log of administrative actions, lead-readable, immutable.
• Incident response runbook with 72-hour customer notification per Article 33 GDPR.

Full description at /trust; the controls list mirrors Annex B of the DPA.

Sharing data

We share data only with the sub-processors listed at /subprocessors for the purposes described above; we do not sell data; we do not share data with advertising networks; we do not use your data for purposes outside what this policy describes. We disclose data to public authorities only when legally required and, where permitted, we notify you first.

Changes to this policy

We update this page when our processing changes, when we add or replace a sub-processor, when a new product comes online, or after a quarterly review against our internal Article 30 record. Material changes are announced at least 30 days in advance for paying customers and at the time of publication for free-tier users. The effective date at the top of the page reflects the last update.

Contact

Privacy and data-subject requests: privacy@lovex.dev. Security and vulnerability disclosure: security@lovex.dev. General: hello@lovex.dev.