Effective: May 25th, 2018.
Last updated: November 8th, 2018.
Rights to access, rectification or erasure, restriction and objection, of processing and to data portability
Subject to any exceptions provided by law, you have the right to access, rectification, erasure (“right to be forgotten”), right to restriction of processing of your personal data, right to data portability and right to object.
- Right to rectification: Users can rectify any inaccurate personal data concerning him or her at any time on their Account. Moreover, Luffa allows its users to edit automated transcripts as soon as they are created.
- Right to erasure: Users can erase Captures by clicking on the Capture their want to erase in their Spaces tab (“Spaces”), then “More Actions” and then “Delete” or by deleting their Account. Users can also delete personal information from their Account manually. When users delete items from their Account or Spaces, they are permanently deleted from your Luffa Account. Users can also direct their erasure requests to Luffa’s Data Protection Officer (“DPO”) at email@example.com, who will respond to your request within one calendar month.
- Right to restriction: Users may restrict the processing of their personal data where the situations listed in Article 18 (1) applies. To request data restriction, users may direct their requests to Luffa’s DPO at firstname.lastname@example.org, who will respond to your request within one calendar month.
- Right to object: You may object to Luffa processing their data for direct marketing purposes at any time by clicking by clicking on the “Notification” button in their Account or in the link provided to that effect in Luffa’s direct marketing communications.
- Right to data portability: Users may obtain their personal data he or she has provided to Luffa by clicking on the “Data” button in their Account.
You may also direct us any requests concerning your above-mentioned rights to Luffa’s DPO at email@example.com.
Personal information about Users and Attendees
Luffa is used by Users and Attendees. The information we receive from Users and Attendees and how we handle it differs, as set out below.
When Users and Attendees Capture a meeting, they may provide personal information or data. Please note that Luffa is not responsible for the content of the individual Captures. Users are responsible to disclose to Attendees when they are starting a Capture.
As a User, we collect information relating to you and your use of our Services from a variety of sources:
i. Personal information collected by Luffa
- Registration information: Information you provide to us when you register an account – email address, full name, organization name, password, avatar, OAuth credentials.
- Account settings: You can view and edit various preferences and personal details on your Account settings, such as your registered email, password, avatar picture, notifications preferences, calendars, invitations to other users, users in your organization, organization, single sign-on configuration, subscription details, webhooks information, integrations details and Captures retention details.
Captures data: We collect and store the following captures data:
- When users start a capture or join an ongoing capture.
- Visual artifacts Users add to their captures, such as photos and videos of whiteboards, post-its and screenshots.
- “Flagged Moments”, which are sections of the conversation that the User deemed important or interesting, plus a moment type (insight, task, action, etc.), plus optional written notes.
- Automated conversation transcripts and edits made by Users, specifically, the output of the conversion of the captured audio into text, as generated by Luffa's speech-to-text engines and/or Third-Party Services speech-to-text engines.
- Participation metadata, which is collected when users interact with Captures (starting, joining, flagging moments, capturing media, editing transcripts, and other links between the user and the capture.
- Onboarding metadata, which is collected when Users capture their first session, when they share their first capture with the organization, when they connect their first calendar, if they saw the most recent product announcement, and whether they last saw the in-app satisfaction survey.
- Billing metadata: We collect and store a state identifier (a string) that keeps track of whether the User’s organization is trialling, subscribed, delinquent or churned, plus an optional subscription ID provided by the third-party payment processor. The User’s billing information never reaches Luffa. It is handled by Stripe, a PCI DSS compliant processor.
- Help requests: We collect and store help requests made by Users when they submit a help request via the in-app Help form.
- Feature requests: We collect and store feature requests when Users ask for features or improvements to be implemented in Luffa.
- Calendar events: We collect and store calendar events information (event title, description, time, ids, link to the calendar application, and whether they are recurring) if Users connect their calendars to their Luffa accounts.
- User interviews feedback:We collect and store interview feedback chats manually during, and when reviewing, User’s interview sessions captured in Luffa.
- Other data you want to share: We may collect your personal information or data if you submit it to us in other contexts. For example, if you provide us with a testimonial, or when running a contest with Luffa.
ii. Information we collect about the user indirectly or passively when interacting with us
- IP Address: We collect and store your IP Address in server logs.
- Location data: We collect and store location data when Users create a capture are created in their Spaces.
- Usage data: We collect usage data about Users whenever they interact with our Services, including information they have elected to make publicly available.
- Device and application data: We collect data from the device and application the User uses to access our Services.
- Referral data: If Users arrives at our Site from an external source (such as a link on another website or in an email), we record information about the source that referred the User to us. Anonymized user data is gathered through Google Ads, Google Analytics, and Firebase. This data is used to understand the performance of Luffa ads as well as to help understand usage statistics.
- Information from Third parties: When Users start a Capture, we send the audio data to third-party speech-to-text engines (such as IBM and Google), which send us back the capture’s audio transcript. We collect and store the User’s Captures transcripts and transcripts metadata (timestamps and confidence score).
- Information from cookies and pages tags: We use third-party tracking services to employ cookies and page tags to collect aggregated anonymized data about visitors to our Site. This data may include usage and User statistics.
Attendees assisting to recorded meetings (not a user)
As an Attendee, when you assist to a meeting Captured by Luffa Users, we collect data that could potentially identify you, such as your voice and what you say, and/or name if it is mentioned during Capture. We may also collect your picture if a User adds a picture of you in its Capture. The User is responsible for that data and manages it.
If you don’t want Luffa to collect and store your interventions during Captured meetings, you can ask the User to mute the Capture the Capture when you intervene. If you change your mind, you can also ask Users to mute your interventions or your name manually after the meeting is Captured, or to delete the Capture.
Luffa’s obligations to Users as data controller and to Attendees as data processor when processing Attendee’s information on behalf of Users
When Luffa is processing Attendee’s data on behalf of Users, the User who creates the Capture is the Data Controller in relation with the data of Attendees attending meetings, and Luffa is the Data Processor of such Attendee’s data. As Data Controllers, Users undertake to remain compliant with the law, which includes but not limited to the obligations set forth below.
For the processing of Users data and Attendees’ data on behalf of the User, Luffa undertakes to fulfil the following obligations:
a) To treat the personal data only to carry the provisions of the contracted Services at any time (unless there is a legal rule that requires complementary processing, in such a case, Luffa will inform the User of that legal requirement prior to the processing, unless the law prohibits it on public interest grounds)
b) To maintain the duty of secrecy with respect to the personal data to which Luffa has access, even after the termination of the contractual relationship, and to ensure that our employees and third-party processors have committed in writing to maintain the confidentiality of the personal data processed.
c) To ensure, taking into account the available technology, the costs of implementation, and the nature, scope, context and purposes of the processing, as well as the risks varying probability and severity for the rights and freedoms of natural persons, that we apply adequate technical and organizational measures to ensure a level of security appropriate to the risk, including, where appropriate, among other things:
· Pseudonymization and encryption of personal data;
· The ability of ensuring the continued confidentiality, integrity, availability and resilience of the systems and services;
· The ability of restoring the availability and access to personal data quickly and resilience of the systems and services;
· Process of regular verification, evaluation and assessment of the effectiveness of the technical and organizational measures to ensure safety of the processing.
When evaluating the adequacy of the security level, special account shall be taken of the risks presented by data processing, in particular as a consequence of the destruction, loss or accidental or unlawful alteration of the personal data transmitted, stored or otherwise processed, or the communication or unauthorized access to such data.
However, we may authorize, expressly and in writing, third party processors, whose full company name and jurisdiction and subcontracted services are listed in article 8 below. We will inform you of any change envisaged the aforementioned list.
In any case, access to the data made by natural persons who render services to Luffa, acting within the organizational framework of the latter by a commercial non-labour relationship and having agreed in writing to maintain the confidentiality of the personal data processed is authorized. In addition, access to the data is granted to compagnies or professionals that Luffa hires in its internal organizational framework to provide general maintenance services (computer, services, consulting, audits, etc.).
e) To delete or return to Users, at their choice, all personal data to which we have access in order to provide the Services. Likewise, the Users undertake to delete existing copies at the Attendees’ request, unless there is a legal rule that requires the preservation of personal data. However, employees and other personnel working for Users are entitled to access Users and Attendees data as required to carry out their obligations under the terms of their contract.
f) To notify the Users, without delay, of any personal security breaches of which we are aware, giving support to Users in the notification to the competent control authority and, if applicable, to the interested parties of the security breaches that occur, as well as to provide support, when necessary, in the carrying out of privacy impact assessments and in the prior consultation to the control authority, where appropriate, as well as to assist the Users so they can fulfil the obligation of responding the requests to exercise certain rights.
Furthermore, if such third-party processors are based in countries, which do not have legislation on data protection, which is equivalent to the EU legislation (“Third Countries”), Luffa shall establish all safeguards required by the EU in order to comply with all obligations arising from transfers of data to Third Countries.
Purposes and legitimate basis of the use and sharing information
We use the following information for:
- Email address: to let Users sign in to their Accounts, validate that the Users belong to a specific organization, send email notifications if the notification settings are enabled by Users, send communications, let Users find co-workers by their “@handle”.
- Full name: to let co-workers identify others by name in shared spaces and in the organization timeline, let co-workers identify who have invited them to a space, or to an organization, by name, let Luffa’s UX team address Users personally in communications.
- Organization name: to let Users know which organization they are currently signed in to, provide context in the organization timeline and in organization-level communications.
- Password: to let Users authenticate securely.
- Avatar: to let Users visually identify coworkers in Luffa.
- OAuth credentials: OAuth credentials: to authenticate Luffa on behalf of Users in third-party applications, and automate workflows.
- IP address: for security purposes. Logs are rotated regularly and discarded after a week from collection.
- Location data: to let Users find Captured conversations and artifacts based on where they took place, detect proximity to other devices with ongoing Captures in “Spaces” the Users have access to.
- Captured audio/video: to let Users re-play their conversations later, and let Users share conversations, or parts of them, with co-workers.
- Captured visual artifacts: to let Users contextualize the conversation with visual elements, and let Users easily find artifacts using metadata-based search filters (location, time, language, etc.)
- “Flagged moments”: let Users revisit only the important conversation moments, let Users take notes, let Users capture actions and decisions in third-party systems that they connect to their Luffa Account.
- Automated conversation transcript: to let Users take less notes during meetings, let Users find past conversation based on things that were discussed.
- Transcript edits: to display a corrected version of the automatic (and imperfect) speech-to-text conversion.
- Participation metadata: to let Users find Captures based on participation.
- Onboarding metadata: to let Luffa trigger lifecycle email notifications (offering assistance) only when needed.
- Billing metadata: to provide Users with accurate billing information, send reminders (ex. “You card is about to expire”) and other payment related notifications.
- Help requests: to let Luffa’s Customer Experience team follow up with the Users via the Help page.
- Feature requests: to let Luffa’s Customer Experience team reach out to Users in person and thank them once the feature is deployed, or when it needs testing or validation.
- Calendar events: to let Users receive push notifications to start or join Captures in one tap, let Users receive daily morning email notifications showing “you day at a glance”, let Users see upcoming events in their profile page.
- User interviews feedback: to let Luffa improve its Services.
- We also use your information to review, investigate and analyse how to improve the services provided. We also collect and analyse your data to monitor, maintain and improve our services and features.
- We may internally perform statistical and other analysis on information we collect (technical and meta data) to analyze and measure Users trends, to understand how Users use our Services, to improve and optimize our performance of such services, and to monitor, troubleshoot and improve our Services, including to help us evaluate or devise new features.
- We may use your information for internal purposes designed to keep our Services secure and operational, such as testing purposes, troubleshooting, to prevent abusive activity (i.e. fraud, spam, phishing activities), and for service improvement, research and development purposes.
- We can send you Luffa product intro, tips and inspirational use cases and User stories by any means, including email and similar means of electronic communication like personalised advertisements as part of providing relevant content helpful to use our Services effectively. To customize such information and commercial communication as much as possible, Luffa may use statistical techniques that allow the creation of User profiles and data segmentation.
- Your data is not disclosed to any third party except (i) for providing the Services you requested and for which Luffa collaborates with third parties, (ii) when we have your permission, (iii) when it’s required by a competent authority in the exercise of its duties (ex. to investigate, prevent or take action regarding illegal activities), or (iv) as otherwise required by law.
- A cookie is a small string of information that the website you visit transfers to your computer for identification purposes. Cookies can be used to follow your activities throughout the Luffa Services and that information help us to understand your preferences and improve your experience.
Details of transfers to third country and safeguards
- You can find a list of Luffa third party service providers and business partners to whom we may disclose your data, together with the purpose of disclosure and type of information disclosed.
Canceling your account, opting out of email, and modifying personal information
- You may cancel your account and you may opt out of receiving any email from Luffa at any time by changing the setting in your Account settings page. Deleting your account will cause all the Captures in the Account to be permanently deleted from our systems within a reasonable time period, as permitted by law and will disable your access to any other services that require a Luffa account. We will respond to any such request, and any appropriate request to access, correct, update or delete your personal information within the time period specified in the law (if applicable) or without excessive delay. We will promptly fulfill requests to delete personal data unless the request is not technically feasible, or such data is required to be retained by law (in which case we will block access to such data, if required by law).
- You may modify your personal information by logging in and visiting your Account settings at “Settings” page. You can also ask for instructions by sending us a message on our “Help” page.
- We encourage you promptly to update your personal information when it changes. Information concerning your past behavior with the Services may be retained by Luffa as long as necessary for the purposes set out below.
Retention of your information
- Users may delete at any time Captures or items in their Spaces. When Users delete Captures or items from their Spaces, they are permanently deleted from their Luffa Account.
How to contact us
You can send a request via https://okluffa.com/help/. Type your question, feedback, complaints or feature request in the “How can I help box”. You can also attach a screenshot.
Data Protection Officer (DPO)
You can send an email to our DPO at firstname.lastname@example.org or direct any request at our registered address 600-3981 boul. Saint-Laurent Montréal (Québec) H2W1Y5 Canada.
You can contact our DPO at email@example.com.
If you consider that any use of your data might breach any of your rights, you can lodge a complaint at any time by contacting our DPO at firstname.lastname@example.org. Alternatively, you can file a complaint before the Information Commissioner’s Office at https://ico.org.uk/.
Note: this version is not legally binding. We created this plain English version to ensure that your privacy information is clear and understandable for our users. Refer to our “Legal version” to read the wording we will apply legally.
Who we are and when does this policy apply?
You know us by our nickname, Luffa, but our real name is Luffa Technologies Inc. We go by both, but we prefer Luffa.
By user, we mean someone who has a Luffa account and uses our services. By attendee, we mean someone who does not have a Luffa account but assists to meetings where users capture conversations audio, video and/or photos using Luffa.
Ok, Luffa, but what if I don’t agree to your terms?
It’s ok, we will not take it personally. We will not ask you for any information unless you want to use our services that require it.
Can you change this policy?
We live in a world in constant evolution. This is why we might change this policy from time to time.
Can I see, correct or delete my personal data? Can I oppose or restrict access to it? Can I receive my personal data you process?
Absolutely. You have the right to request access to your information, as well as to update, delete or correct this information.
We commit to only send you content that will spark joy. Although, we understand, we all go through a digital decluttering phase at some point. Therefore, you can unsubscribe from our direct marketing communications at any time.
In general, you can do this using the settings and tools provided in your account or in our communications.
You can also request a copy all the personal data you provided to Luffa by clicking on the Data button in your Account settings.
If you can not use the settings and tools in your account or if you don’t have a Luffa’s account, you can always contact our Data Protection Officer at email@example.com for additional access and assistance.
What data do you collect from me?
We are committed to securing your captures. However, please note that everything you say during a meeting is voluntary. We are not responsible for the content of individual captures. Therefore, if you do not wish Luffa or third-party processors to process some information you want to disclose during a meeting, we invite you to mute the capture or ask the user to do so. We’re deaf to muted captures!
Users are responsible to disclose to attendees that they will record the meeting with Luffa.
At Luffa, we take pride in collecting only the data necessary to optimize your experience with us (no Orwellian stuff, we promise). We collect and store the following data:
- Your account registration information.
- Your account settings (such as your registered email, password, avatar picture, notifications preferences, subscription details, etc.).
- Your captures data (audio, text, photos, videos, flagged moments, etc.).
- Billing metadata (Metadata is data that describes and gives information about other data. Your billing info never reaches us. It’s handled by Stripe. Metadata allows us to track whether your organization is trialling, subscribed, delinquent or churned).
- Help and features requests.
- Calendar events.
- User interviews feedback.
- Other information you want to share. For example, you might provide us with a testimonial (on how Luffa forever changed your life, we hope!).
Yes, we also collect the following indirect or passive data, such as:
- IP Address.
- Location data when you create a capture in your Spaces.
- Usage data whenever you interact with our website, app or any other services.
- Anonymized referral data and usage statistics.
- The device you use to access our services and related data such as browser type.
- If you come to our website from external sources (ex. Your friend recommended our services to you in an email and you click on the link), we keep information about the source.
- When you capture a meeting, we send the audio to speech-to-text engines (such as IBM and Google) and they send us back the transcript. We keep the transcripts and metadata (timestamps and confidence score).
I’m not a user, I just assist to meetings where other people record. What data do you collect from me?
Not much. We collect what you say during captured meetings, the sound of your voice and your name if someone pronounce it during the meeting.
We may also collect your picture if it’s added to a capture.
If you don’t want Luffa to collect and store your interventions during a meeting, you can ask the user to mute the recording when you intervene. If you want a capture to be muted or deleted after the meeting has taken place, or modify a capture, you can contact the user that captured the meeting.
I’m a Luffa user. What are your obligations when it comes to my data? Do I have obligations about the data I collect during meetings?
You capture meeting and get some data from other people in the meeting, which are not Luffa users. This makes you a “data controller”. In this situation, our role is to deliver that data, so we are both data processors (for attendees which are not users) and data controllers (for you). As a data controller, you undertake to respect the same obligations as Luffa.
We have the following obligations as data controllers:
- Only use the data to fulfil our contracted services. If we are legally obliged to process data in any other way, we’ll let you know (unless the law tells us we can’t).
- Keep the data we have secret. That applies even after you end your contract with us.
Apply technical and organizational measures to make sure the level of security matches any risk. This includes among other things:
- Pseudonymization and encryption of personal data.
- Ensuring the confidentiality, integrity, availability, and resilience of our systems.
- Getting access to personal data in the event of a technical incident.
- Verifying, evaluating and assessing the effectiveness of what we’re doing.
- We take particular care when it comes to the risks surrounding data processing. We look at the potential consequences of destruction, loss, accidental or unlawful changing of personal data, and unauthorized access to personal data.
- Never share data with people unrelated to the service we provide. But we may authorize other data processors (subcontractors) to help us provide you our services. You can find a list of our subcontractors here. We’ll let you know if ever this list changes. All our subcontractors are under exactly the same obligations we’re laying out here. They’ll need to show us they plan to take appropriate security measures. Once contracted, they – and their employees – can access the same data we can, as long as they themselves don’t subcontract with another party.
- Delete or give back all data you’ve given us when requested. We’d also delete any copies of that data – unless the law tells us not to.
- Tell you if there’s a security breach. We support you to identify what’s been breached, contact data protection authorities, and tell any other relevant parties about the breach. We’ll help carry out privacy impact assessments.
- Cooperate with the data protection authorities or any other authorized body.
- Show you how we’ve met the obligations in this policy.
If ever we need to increase our security measures, we’ll add them to this list.
If we (or any of our subcontractors) break this agreement, we (or the subcontractor) will be held responsible. If the subcontractor is based in a country that doesn’t have data protection legislation matching that of the EU, we’ll set up safeguards when we transfer data to that country. We’ll tell you about those safeguards.
Why do you need my data?
It can be boiled down to: to deliver our services. But here is a list of the data we collect and why we need it:
- Email address: to let you sign in to your Account, validate that the you belong to a specific organization, send you email notifications if you enable the notification settings, send you other communications, let you find co-workers by their “@handle”.
- Full name: to let you identify co-workers by name in your shared Spaces and in the organization timeline, let you identify co-workers who have invited you to a space, or to an organization, by name, let Luffa’s Customer Experience team address you personally in communications.
- Organization name: to let you know which organization you are currently signed in to, provide context in the organization timeline and in organization-level communications.
- Password: to let you authenticate securely.
- Avatar: to let you visually identify coworkers in Luffa, let you identify coworkers visually.
- OAuth credentials: to authenticate Luffa on your behalf in third-party applications and automate workflows.
- IP address: for security purposes (logs are rotated regularly and discarded after a week from collection).
- Location data: to let you find captured conversations and artifacts based on where they took place, detect proximity to other devices with ongoing Captures in “Spaces” you have access to.
- Captured audio/video: to let you re-play your conversations later, let you share conversations, or parts of them, with co-workers.
- Captured visual artifacts: let you contextualize the conversation with visual elements, let you easily find artifacts using metadata-based search filters (location, time, language, etc.)
- “Flagged moments”: let you revisit only the important conversation moments, let you take notes, let you capture actions and decisions in third-party applications that you connect to your Luffa Account.
- Automated conversation transcript: to let you take less notes during meetings, let you find past conversation based on things that were discussed.
- Transcript edits: to display a corrected version of the automatic (and imperfect) speech-to-text conversion.
- Participation metadata: to let you find Captures based on participation.
- Onboarding metadata: to let Luffa trigger lifecycle email notifications (offering assistance) only when needed.
- Billing metadata: to provide you with accurate billing information, send reminders (ex. “You card is about to expire”) and other payment related notifications.
- Help requests: to let Luffa’s Customer Experience team follow up with you via the Help page.
- Feature requests: to let Luffa’s CX team reach out to you in person and thank you once the feature is deployed, or when it needs testing or validation.
- Calendar events: to let you receive push notifications to start or join Captures in one tap, let you receive daily morning email notifications showing “you day at a glance”, let you see upcoming events in your profile page.
- User interviews feedback: to let Luffa improve its Services.
If you make a request, we use your account data to carry out that request. We also use it to improve our services. We do statistical analysis on info we collect (including usage data, device data, referral data and captures data) to analyse user trends, understand how people use our services, and to monitor, troubleshoot, and improve our services. For example, we use it to decide which new feature to build next.
We might use your info to keep our services secure and operational; testing, troubleshooting, and to prevent naughty abusive activity (such as fraud, spam and phishing).
If you connect your Luffa account with your other productivity tools accounts, we might collect data you make available via that account. Check the privacy settings of your productivity tools for more info on what they share with us.
We use data to answer your questions. We’ll give you a product intro, inspirational cases, and stories from other Luffa users. We may use statistical techniques that let us create user profiles and segment data. If you don’t want to get emails tailored to your profile, whatever form it takes, please let us know why by clicking on Notifications in your account settings.
Do you sell my data to third parties?
No, we don’t. But if we ever decide to do so, it would not be without your permission.
We’re in Canada, but we are compliant with EU privacy laws. Please be aware that your information might be moved, processed, and stored by our services providers in countries outside of the EU. If you agree with these terms, you agree to this practice. If you don’t agree, please don’t use our services.
We don’t share your data with any third parties, except for when:
- You request a service and we need to collaborate with third parties.
- You give us permission.
- An authority obligates us to do so (police, for example).
- The law asks us to do so.
I’ve seen the word “cookies”. What’s that about?
Cookies are small text files that store data made available by your web browser, such as language preference, which is transferred to your computer for identification purposes. Cookies can be used to follow your activities throughout the Luffa Services. This information helps us give you an experience tailored to you.
With which third-party service providers do you share my data?
You can find all our third-party services providers here with the purpose of disclosure, type of information disclosed.
How can I cancel my account and change my information?
You can cancel your account and opt out of marketing email sent by us by going to your Account settings when you’re logged in to Luffa, no hard feelings.
If you delete your account, all your captures and data they contain will be permanently deleted from our systems in a reasonable time period. You won’t be able to access any services that require a Luffa account. We’ll respond to any request as soon as possible, and we’ll always agree to the request, unless it’s not technically doable, or if he law obligates us to keep that data.
You can change your personal information by logging in, going to your Account settings. You can also ask for instructions by sending us a message on our “Help” page.
Please update your personal information when it changes so we can offer you the best experience possible!
Do you keep hold of old information?
You may also at any time delete any captures and items you’ve attached to them. When you do so, they are permanently deleted.
How can I contact you?
You can send a request via https://okluffa.com/help/.
Get in contact with our Data Protection Officer at firstname.lastname@example.org who will be happy to assist you. You can also send your request to our DPO at 600-3981 boul. Saint-Laurent Montréal (Québec) H2W1Y5 Canada.
Our local EU representative
You can contact our DPO at email@example.com.
How do I make a complaint?
Get in contact with our Data Protection Officer at firstname.lastname@example.org who will be happy to assist you. You can also file a complaint with the Information Commissioner’s Office at https://ico.org.uk/