Privacy Policy.

1. Introduction

This Privacy Policy explains how LevirAI ApS (“Levir.AI”, “we”, “us”, “our”) collects, uses, and protects personal data when you visit our website, contact us, or use our services.

We are committed to protecting your privacy and complying with the EU General Data Protection Regulation (GDPR) and Danish data protection law.

2. Who we are (Data Controller)

LevirAI ApS is the Data Controller responsible for the personal data described in this policy.

LevirAI ApS
CVR: 46451333
Email: hello@levir.ai

If you have questions about this policy, or want to exercise your rights, contact us at the email above.

3. What personal data we collect

We collect personal data in the following situations.

When you visit our website, we may collect:

• IP address (anonymized)
• Browser type and version
• Device type
• Pages visited and time spent on each page
• Referring website
• Approximate location, at country or city level

When you contact us, we collect:

• Name
• Email address
• Phone number, if provided
• Company name and role
• The content of your message

When you book a call with us, we collect:

• Name
• Email address
• Company name
• Date and time of the meeting
• Any information you provide in the booking form

When you become a client, we collect:

• Business contact details
• Billing information, including name, address, and VAT number
• Information related to the service we provide
• Any data your team shares with us during the engagement

What we don't collect. We do not collect sensitive personal data, such as health information, religious beliefs, or political opinions, unless a project explicitly requires it, in which case we will ask for specific consent first. We also don't collect payment card details, these are handled directly by our payment provider.

4. Why we collect this data and the legal basis

We only process personal data when we have a lawful basis to do so under Article 6 of the GDPR:

• Operating the website and providing our services. Legitimate interest (Article 6(1)(f)).
• Responding to enquiries and managing client relationships. Performance of a contract, or steps taken before entering into one (Article 6(1)(b)).
• Sending invoices and managing payments. Legal obligation (Article 6(1)(c)).
• Sending marketing emails, only if you've subscribed. Consent (Article 6(1)(a)).
• Improving our website and services. Legitimate interest (Article 6(1)(f)).
• Complying with tax and accounting law. Legal obligation (Article 6(1)(c)).

Where consent is the basis for processing, you can withdraw it at any time.

5. Cookies and tracking

Essential cookies. Required for the website to function. These don't require consent.

Analytics. We use Google Analytics to understand how visitors use our website. The version we run is privacy-friendly and doesn't use cookies that identify individuals, so no personal data is collected for analytics purposes.

Embedded content. When you book a call, we use Cal.com, which may set its own cookies. See their privacy policy for details.

You can block or delete cookies through your browser settings at any time.

6. Who we share your data with (Sub-processors)

We don't sell your data. We share it only with trusted service providers (sub-processors) who help us deliver our services. Each is bound by a GDPR-compliant data processing agreement.

Our current sub-processors:

• Anthropic, PBC (Claude), AI processing, United States with EU endpoints available
• Celonis SE (Make.com), workflow orchestration, EU
• Hostinger, website hosting, EU
• Google Workspace, business email, EU
• Cal.com, meeting booking, EU
• Google Analytics, website analytics, EU
• Dinero / Billy, invoicing and accounting, EU

When we engage a new sub-processor, we update this list. Active clients are notified in advance of any material change.

7. International data transfers

Some of our sub-processors are based outside the European Economic Area (EEA), particularly in the United States. Where personal data is transferred outside the EEA, we make sure it stays protected through:

• The European Commission's Standard Contractual Clauses (SCCs)
• The EU-US Data Privacy Framework, where applicable
• Additional safeguards where needed

For clients with strict data residency requirements, we configure our stack to keep data within EU regions where possible.

8. How long we keep your data

We keep personal data only as long as necessary for the purpose it was collected:

• Website analytics. 12 months.
• Contact form submissions. 24 months.
• Client records (active clients). Duration of the engagement, plus 5 years.
• Invoicing and accounting records. 5 years, as required under Danish bookkeeping law.
• Marketing email subscribers. Until you unsubscribe.
• Backup data. Up to 30 days after deletion from our primary systems.

When a retention period ends, the data is deleted or anonymized.

9. Your rights under GDPR

You have the following rights regarding your personal data:

• Right of access. Request a copy of the personal data we hold about you.
• Right to rectification. Ask us to correct inaccurate or incomplete data.
• Right to erasure (the “right to be forgotten”). Ask us to delete your data, subject to our legal retention obligations.
• Right to restrict processing. Ask us to limit how we use your data.
• Right to data portability. Receive your data in a structured, machine-readable format.
• Right to object. Object to processing based on legitimate interest, including for direct marketing.
• Right to withdraw consent. Where processing is based on consent, withdraw it at any time.
• Right to lodge a complaint. Complain to the Danish Data Protection Authority (Datatilsynet) at datatilsynet.dk.

To exercise any of these rights, email us at hello@levir.ai. We will respond within 30 days.

10. How we protect your data

We apply appropriate technical and organisational measures, including:

• OAuth-based authentication for third-party tool access, so we never store your passwords
• Encrypted data transmission (HTTPS/TLS)
• Access to client data limited to the founders
• Sub-processors chosen for their security and GDPR compliance
• No long-term storage of client business data outside the client's own tools

No system is completely secure, but we apply industry-standard practices and review our security posture regularly.

11. Data breaches

If a personal data breach occurs that poses a risk to your rights and freedoms, we will:

• Notify the Danish Data Protection Authority (Datatilsynet) within 72 hours, as required by GDPR
• Notify affected individuals without undue delay if the breach is high-risk
• Document all breaches internally, regardless of severity

12. Children's privacy

Our services are intended for businesses, not individuals under 18. We do not knowingly collect personal data from children. If we become aware that we have, we will delete it.

13. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email to active clients and posted prominently on our website at least 30 days before they take effect.

The “Last updated” date at the top of this policy shows when it was most recently revised.

14. Contact and complaints

For any questions, requests, or complaints about your personal data, contact:

LevirAI ApS
Email: hello@levir.ai

If you're not satisfied with our response, you have the right to lodge a complaint with:

Datatilsynet
Carl Jacobsens Vej 35
2500 Valby, Denmark
Website: datatilsynet.dk
Phone: +45 33 19 32 00