PRIVACY POLICY | LEPAYA

External Privacy Policy LTD Group B.V. and subsidiaries (trading as Lepaya)

LAST UPDATED
January, 2025

1. INTRODUCTION

This External Lepaya Privacy Policy (also referred to as the ‘Privacy Policy’) provides information on the collection, use, and sharing (collectively referred to as ‘processing’ or ‘process’) of personal information by Lepaya and its affiliates (“Lepaya”, “we” or “us”) in connection with your use of the Lepaya website(s), (mobile) applications, and social media pages that link to this Privacy Policy, your interactions with Lepaya during in-person meetings or at Lepaya events, and in the context of other online or offline sales and marketing activities. This Privacy Policy also explains the privacy rights you have in relation to these processing activities.

This Privacy Policy was last updated on the date mentioned above. However, the Privacy Policy can change over time, for example to comply with legal requirements or to meet changing business needs. The most up-to-date version can be found on our website. In case there is an important change that we want to highlight to you, we will also inform you in another appropriate way (for example via a pop-up notice or statement of changes on our website).

As used in this Privacy Policy, ‘personal information’ or ‘personal data’ means information that relates to an identified individual or to an identifiable individual. For example, this could include among other things your name, address, email address, business contact details, or information gathered through your interactions with us via our websites, (mobile) applications, in-person meetings or at events. Personal information is also referred to as ‘information about you’. This Privacy Policy applies to you if you or the company you work for have entered into an agreement with Lepaya, where you or the company you work for may enter into an agreement with Lepaya, and furthermore in every situation where Lepaya processes data that identifies you or may be used to identify you.

Lepaya and/or its affiliated entities are responsible for the processing of your personal data as described in this Privacy Policy, unless specified otherwise, and act as the data controller (also referred to as the ‘controller’) of such personal data. We are not responsible for the privacy or data security practices of our clients, which may differ from those explained in this Privacy Policy.

2. WHY THIS PRIVACY POLICY?

In order to enable you to take control of your personal data, we have created this Privacy Policy, meant to inform you on the processing and the handling of your personal data by us. The collection and processing of personal data is done in accordance with European data protection laws, in particular the General Data Protection Regulation (“GDPR”).

By submitting personal information to us, you agree to the use of such information, including any disclosures, processing, and transfers of your information to third parties by Lepaya, in accordance with this Privacy Policy. If you do not accept this Privacy Policy, then you should not submit any personal information to Lepaya through our (mobile) applications, websites or other websites we operate, or in connection with any services.

3. WHO ARE WE?

Lepaya is an international L&D Technology and Power Skill training provider dedicated to training employees to upskill the workforce of employers and enable employees to be more effective in their work and enjoy more happiness in life. With a blend of online, offline, virtual reality, and AI-powered training approaches we enable fully globally distributed teams to grow confidence in navigating organizational change.

For further information about our commitment to your privacy, please contact us by:

Email: legal@lepaya.com

Address: Stephensonstraat 19, 1097 BA Amsterdam, the Netherlands

Telephone: +31 85 107 1244

Website: www.lepaya.com

4. WHICH INFORMATION DO WE COLLECT AND WHY?

Lepaya will only collect the personal data we need and are legally allowed to possess. The data that we process and the purpose/use of the same is as follows:

5. WE ARE A DATA CONTROLLER

The GDPR makes a distinction between, primarily, the roles of controller and processor. These definitions are functional in that they depend on the allocated responsibilities according to the actual role of the parties and are, as such, not negotiable. The controller is the entity that “determines the purposes and means of the processing of personal data”. In other words, for which aim the personal data is processed and how the personal data is being processed (e.g. via the Lepaya platform). For these reasons, Lepaya acts as an (independent) controller.

With regard to the processing activities as mentioned in article 4 of this Privacy Policy, it is Lepaya that ultimately decides on the purpose and means of the processing activity, hence, Lepaya acts as an independent controller.

6. ON WHAT LEGAL GROUNDS DO WE PROCESS PERSONAL DATA?

We process personal data for the purposes described in this policy, based on the following legal grounds:

● The processing is necessary for the performance of a contract to which your business, your employer or any party that has arranged our services to be provided is a party, or in order to take steps prior to entering into an agreement;

● The processing is necessary for compliance with a legal obligation to which Lepaya is subject;

● The processing is necessary for the purposes of legitimate interests pursued by Lepaya, i.e. the commercial interest to perform its business activities, such as but not limited to the performance of the agreement as entered into with your business, your employer or any party that has arranged our services to be provided to you on your behalf, and in addition our legitimate interest to promote our services to prospective clients, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data;

● Where necessary, Lepaya will request consent for the processing of personal data.

7. WEBSITE AND EMAIL COMMUNICATION

The website is controlled by Lepaya. Therefore, the relevant controller under the GDPR for the processing of personal data via the website is Lepaya. On the website, personal data is automatically processed via cookies and similar techniques. The website employs cookies to analyze usage and provide a better online experience.

We display a cookie banner on our website(s) to inform visitors that we use cookies to personalize content we show based on their preferences and analyze our websites’ performance. From our cookie banner the visitor can choose which cookies to turn on or off, or decline all cookies. Some cookies are required for the basic website functionality and cannot be turned off. If you don’t accept our cookies, you may not be able to fully experience some of our websites’ functionality. You can find more information on the specific cookies we use in our cookie policy.

In addition, we provide a newsletter to people who are interested. In some of our newsletters and other email communications, we may monitor recipient actions such as email open rates through embedded links within the messages. We collect this information to gauge interest and to enhance future visitor experiences. If you do not wish us to confirm whether you have opened, clicked on, or forwarded our email communications, you will need to unsubscribe, as it is not possible for us to send these emails without tracking enabled. Registered subscribers can update their communication preferences at any time by following the instructions in the individual email communications.

8. FOR HOW LONG WILL WE STORE PERSONAL DATA?

Lepaya minimizes the personal data it processes as much as possible. In the cases we process personal data, we will store your data for as long as it is necessary for the purpose for which it was collected/provided. If you would like to request your personal data to be deleted, please send a message to info@lepaya.com. We will service your request as soon as possible, but within four weeks at most. You can unsubscribe from our newsletters and marketing messages at any time.

We keep your information for as long as it’s necessary or legally required. If you request to receive no further contact from us, we’ll keep some basic information about you on our suppression list to avoid sending you unwanted materials in the future. Such information will be minimized to ensure we only keep what is necessary. When your information is no longer required we will ensure that it is disposed of in a secure manner.

The following table explains the retention periods per data type:

9. THIRD PARTIES

Lepaya may transfer your personal data to third parties and recipients, being:

● Suppliers: when such is necessary to enable the performance of services we may transfer your personal data to suppliers, subcontractors and business partners, such as but not limited to our digital agencies and partners in the field of assessments and further evaluation services.

● Partners: at times Lepaya will organize lectures, webinars, meetings or other marketing events together with a partner. For such events, Lepaya will share the contact details of persons registering for the event (i.e. name, email address and job title) with the partner.

● Group companies: we may provide personal data to other companies within the Lepaya group of companies, if this is necessary for compliance, internal reporting, auditing or security purposes.

● Law enforcement agencies: we may be under an obligation to provide your information to law enforcement, regulators, courts or other public authorities in relation to an official (court) order. In addition we may provide your data to law enforcement agencies, regulators, courts or otherwise in order to exercise our rights.

We do not simply provide personal data to others. We may only do this if the data subjects have given us permission to do so, if we are obliged to do so by law, if it is necessary for the execution of an agreement in which you are involved, or if we have a legitimate interest in doing so.

10. TRANSFER OF PERSONAL DATA

Lepaya processes most of its personal data solely within the borders of the EEA. However, personal data will be shared with Lepaya entities outside of the EEA, in particular in the United Kingdom. In some cases, Lepaya uses a third party that is located outside of the EEA. In the case that Lepaya processes personal data outside of the EEA, Lepaya ensures all necessary contractual measures have been taken in order to provide the same level of data protection as if the personal data were processed within the EEA.

11. ARTIFICIAL INTELLIGENCE

To increase the impact of the training and ensure employees apply what they have learned, Lepaya has incorporated artificial intelligence (“AI”) in its learning approach. The training modules that are offered include several modules that incorporate the use of AI. These AI modules upskill learners on presentation and communication skills by having AI systems analyze the input and determine which concrete steps learners can take to improve their skills. AI modules are only used in case the client purchases such modules. Learners do not have independent access to AI modules. In addition, AI is being used to analyze data in the Lepaya Training Portal, the online platform on which the client can plan training modules and find all information on training details and training progress.

The data that is being collected is processed by either internal AI systems that we execute on our own servers, or by external AI systems within the API platform of OpenAI. The data that is being processed is solely used for the functioning of the AI systems and providing the training modules and is in no way used for the purpose of identifying a natural person. The personal data that is being collected by using external AI systems is expressly not being used to train the AI systems within the OpenAI API platform. Lepaya uses the AI systems in compliance with the EU AI Act by informing learners in a transparent and explicit manner that they are interacting with an AI system, in which way the AI system operates and that the content that learners are exposed to has been artificially generated or manipulated.

12. IS THE PERSONAL DATA WE PROCESS SECURE?

Lepaya is ISO27001 certified, which is the industry standard for the organizational & technical security measures in order to protect your and our personal and client data. We make sure that everything you send to us is safe and secure. Our website and (mobile) applications are hosted on a server located within the EU (Frankfurt, Germany). Lepaya takes appropriate technical and organizational measures to protect your personal data against loss, theft or other forms of unauthorized access / use. We make sure that personal data is only accessible by those who need access to do their job and they are properly trained and authorized. We also ensure that our partners have taken similar organizational and technical measures to protect your data from theft, loss or any kind of use that is not in line with the purposes for which the data was collected.

13. WHO HAS ACCESS TO THE PERSONAL DATA?

Access to your personal data is restricted only to those who require it for the sole purpose of performing their designated duties. Personal data is only accessible to the following:

● Authorized trainers and facilitators: Trainers and facilitators are provided with only the necessary personal data required for the specific training sessions they are conducting. Our certified trainers and facilitators may have access to learner data for the sole purpose of delivering the training programs effectively.

● Administrative and support staff: Selected administrative and support staff may have access to learner data for the purpose of managing and facilitating the training process. Staff members have restricted access to personal data and are only granted permissions necessary for their specific roles.

● Technical support teams: In the event of technical issues or support requests, our technical support teams may need access to learner data to address and resolve such issues. Technical support is conducted under stringent security protocols to prevent unauthorized access or data breaches.

● Data processing partners: Some personal data may be shared with trusted third-party data processing partners to facilitate certain aspects of our training programs. All third-party partners are bound by legally binding agreements ensuring they adhere to GDPR standards and maintain the confidentiality and security of data.

14. RIGHTS OF DATA SUBJECTS

Data protection laws provide the data subjects certain rights. Data subjects have the right to request access to their personal data and have the right to request that their personal data be corrected or erased, object to its processing or have access to it restricted. The GDPR establishes the various rights the data subject has. Every data subject has:

● The Right of Access: you have the right to request access to the personal data we hold about you. Upon receiving such a request, we will provide you with a copy of the personal data we have collected, along with information about how it is processed.

● The Right to Rectification: you have the right to request the correction of inaccurate or incomplete personal data we hold about you. If you believe that the data we have is incorrect or outdated, please inform us, and we will promptly update it.

● The Right to Erasure (“right to be forgotten”): you have the right to request the erasure of your personal data in certain circumstances, such as when it is no longer necessary for the purposes for which it was collected or if you withdraw your consent.

● The Right to Restriction of Processing: you can request that we limit the processing of your personal data under specific conditions, for example, while we verify the accuracy of your data or assess the validity of your objection to processing.

● The Right to Data Portability: you have the right to receive the personal data you provided to us in a structured, commonly used, and machine-readable format, and to transmit it to another controller, where technically feasible.

● The Right to Object: you can object to the processing of your personal data, including profiling based on legitimate interests or direct marketing. We will cease processing your data unless we have compelling legitimate grounds for processing that override your interests, rights, and freedoms, or if processing is necessary for the establishment, exercise, or defense of legal claims.

Lepaya does not use automated decision-making processes, including profiling, in any of our services or operations. This means that we do not make decisions solely by automated means that could significantly affect you or your rights. All decisions related to our services are made with human oversight to ensure fairness, accuracy, and accountability.

If you have any questions or would like to know which personal data we process about you, you can always contact us (see the contact details at the top of this Privacy Policy). Please always clearly indicate who you are, so that we can verify that your request/question relates to your own data. We will respond within one month of receiving your request. Depending on the complexity and number of requests, this period may be extended by two months. We will also inform you about this within one month of receipt.

15. DO WE SHARE LEARNER DATA WITH EMPLOYERS?

Individual learner data will never be shared on an individual level with the learners’ employer. The client will only receive an aggregated overview of the way their employees interact with our platform and the training modules they participate in. It is not possible for the employer to recognize individual employees in the data overview we provide.

16. FILING A COMPLAINT

If you have any complaints regarding our compliance with this Privacy Policy, please contact us. We will investigate and attempt to resolve complaints and disputes regarding use and disclosure of personal information in accordance with this Privacy Policy and in accordance with applicable law.

17. CHANGES TO THE PRIVACY POLICY

We may periodically revise or update this Privacy Policy to reflect changes in our practices or in the law. If we make any significant changes in the way we treat your personal data, we will make this clear on our website or by contacting you directly. We encourage you to visit this section of the website regularly to review any changes that may have been made.
