Privacy Policy
Last updated: December 12, 2025
1. Introduction and Scope
This Privacy Policy describes how Loheden AI Solutions AB, a company registered in Sweden ("Company", "we", "us", or "our"), collects, uses, processes, and protects information in connection with the Respectlytics analytics platform and related services (collectively, the "Service"). This policy applies to all users of the Service, including account holders who access the dashboard and end users of applications that integrate with our analytics API.
By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with any part of this policy, you must not use the Service.
We reserve the right to modify this Privacy Policy at any time. Material changes will be communicated through the Service or via email. Your continued use of the Service after such modifications constitutes acceptance of the updated policy.
This Privacy Policy is provided for informational purposes and does not constitute legal advice. Privacy regulations vary by jurisdiction and change over time. We recommend consulting with your legal team to determine the specific requirements that apply to your situation.
2. Data Controller Information
The data controller responsible for your personal data is Loheden AI Solutions AB. Our contact information is provided at the end of this document.
All data processing activities described in this Privacy Policy are conducted within the European Union. Our infrastructure, including servers and databases, is located exclusively within EU member states.
3. Categories of Data We Collect
3.1 Account Data
When you create an account to access the Service dashboard, we collect the following information:
- Email address, used for account verification, authentication, service communications, and password recovery
- Password, stored using industry-standard cryptographic hashing algorithms and never stored in plaintext
- Application names and identifiers that you create within the Service
- Configuration preferences you set within the dashboard
3.2 Analytics Event Data
When applications integrated with our SDK submit analytics events, we collect and process only the following data fields. Our API is designed with a strict allowlist architecture that rejects any data fields not explicitly listed below:
- Event name: a string identifier describing the action or occurrence being tracked
- Session identifier: a randomly generated, ephemeral identifier created client-side that exists only in device memory
- Timestamp: the date and time when the event occurred
- Platform: the operating system type such as iOS, Android, or web
- Application version: the version string of the application sending the event
- Locale: the language and region preference setting
- Device type: general device category information
- Operating system version: the version of the device operating system
- Screen name: an optional identifier for the current screen or view
- Country: derived from IP address geolocation, stored as a two-letter ISO code
- Region: derived from IP address geolocation, stored as a state or province name
The Service is architecturally designed to reject any data fields beyond those explicitly listed above. This strict allowlist approach is a core privacy protection mechanism.
3.3 Session-Based Analytics Architecture
The Service implements session-based analytics with the following privacy characteristics:
- Session identifiers are generated client-side and stored in the client application's memory (browser or app runtime) and are not persisted to device storage such as cookies, localStorage, or files. On the server side, session data exists only transiently during request processing.
- Session identifiers rotate automatically after two hours of continuous use or upon application restart
- No persistent user identifiers are collected, stored, or processed
- No device identifiers such as IDFA, IDFV, Android Advertising ID, or similar identifiers are collected
- No device fingerprinting techniques are employed
- Cross-session tracking is not possible by design
Note: While session identifiers are anonymized and cannot be linked to specific individuals by Respectlytics, customers integrating our SDK should assess whether their specific use case involves personal data processing under applicable regulations in their jurisdiction.
3.4 Geographic Data Processing
IP addresses are processed transiently for the sole purpose of deriving approximate geographic location at the country and region level. IP addresses are processed in memory during the API request and are immediately discarded after geolocation lookup. IP addresses are never stored in our databases, logged, or retained in any form.
3.5 Payment and Billing Data
Payment processing is handled by Stripe, Inc., a third-party payment processor. We store only the following payment-related information:
- Stripe customer identifier, a reference ID used to link your account to your Stripe payment profile
- Stripe subscription identifier, a reference ID for your subscription status
- Subscription plan type and status
- Billing period dates
We do not store credit card numbers, bank account details, or other sensitive payment information. All payment data is processed and stored by Stripe in accordance with their privacy policy and PCI-DSS compliance requirements.
3.6 Website Analytics
We use Simple Analytics to understand how visitors use our website. This service does not install any cookies on your browser, does not track visitors across websites, and does not collect personally identifiable information.
4. Data We Do Not Collect
The following categories of data are never collected, processed, or stored by the mobile analytics Service:
- IP addresses are not stored or logged
- Device identifiers including IDFA, IDFV, Android ID, or advertising identifiers are not accepted by our API
- User identifiers or account IDs that could enable cross-session tracking are not accepted
- Names, phone numbers, physical addresses, or other directly identifying personal information
- Precise geolocation coordinates
- Financial information beyond subscription management references
- Health, biometric, or other sensitive personal data categories
- Third-party tracking data or advertising identifiers
5. Purposes of Processing
We process the data described above for the following purposes:
- Providing the analytics service: aggregating events and generating usage statistics, trends, and insights for your applications
- Account management: authenticating users, managing subscriptions, and providing customer support
- Service communications: sending transactional emails including account verification, password reset, billing notifications, and service alerts
- Service improvement: analyzing aggregate usage patterns to improve the Service, fix issues, and develop new features
- Security: detecting and preventing fraud, abuse, and unauthorized access
- Legal compliance: fulfilling our legal obligations and responding to lawful requests from authorities
5.1 Email Communications
We send emails to account holders in the following categories:
Transactional Emails (Always Sent)
These emails are essential for account operation and are sent regardless of your preferences:
- Account verification and password reset
- Payment confirmations, invoices, and billing issues
- Security alerts (unusual login activity, API key changes)
- Critical service disruptions or security incidents
- Legal notices and Terms of Service updates
Important Updates (Default: Enabled)
These emails help you manage your account effectively. They are enabled by default but you may opt out in your account settings:
- Quota warnings when approaching usage limits
- Trial expiry notifications
- Significant product changes that may affect your integration
Product News (Default: Disabled)
These marketing emails are disabled by default and require your explicit opt-in:
- New feature announcements
- Tips and best practices
- Product updates and improvements
You can manage your email preferences at any time in your account settings. Unsubscribe links are included in all non-transactional emails.
6. Legal Basis for Processing
We process personal data based on the following legal grounds, which are recognized by privacy regulations in many jurisdictions:
- Performance of a contract: processing necessary to provide the Service you have requested and to fulfill our contractual obligations to you
- Legitimate interests: processing necessary for our legitimate business interests, including security, fraud prevention, service improvement, and direct marketing to existing customers, provided these interests are not overridden by your fundamental rights
- Legal obligation: processing necessary to comply with applicable laws, regulations, or legal proceedings
- Consent: where you have provided explicit consent for specific processing activities, which you may withdraw at any time
Where we rely on legitimate interests as a legal basis, we have assessed that our interests in providing analytics services do not override your fundamental rights and freedoms, particularly given our privacy-by-design architecture that minimizes data collection, uses ephemeral session identifiers, processes IP addresses only transiently, and does not enable cross-session tracking of individuals.
7. Data Retention
We retain data for the following periods:
- Account data: retained for the duration of your account's existence and deleted within thirty days of account closure, except where longer retention is required by law
- Analytics event data: retained for a maximum of twenty-four months from the date of collection, after which it is automatically and permanently deleted. This retention period is the minimum necessary to enable year-over-year comparisons and long-term trend analysis, which are core analytics purposes of the Service.
- Session identifiers: ephemeral by design and cannot be linked across sessions or time periods
- Payment references: retained as required for tax, accounting, and legal compliance purposes
- Legal compliance records: retained for the period required by applicable law
Upon account termination, we delete or anonymize your data in accordance with the timeframes stated above, unless retention is required for legal compliance, dispute resolution, or enforcement of our agreements.
8. Data Sharing and Disclosure
We do not sell, rent, or trade your personal data to third parties. We may share data only in the following circumstances:
- Service providers: we engage third-party service providers who process data on our behalf to operate the Service, including infrastructure providers, payment processors, and email delivery services. These providers are contractually bound to process data only as instructed by us and to maintain appropriate security measures.
- Legal requirements: we may disclose data when required by law, regulation, legal process, or governmental request, or when we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
- Business transfers: in the event of a merger, acquisition, reorganization, or sale of assets, your data may be transferred as part of that transaction. We will notify you of any such transfer and any choices you may have regarding your data.
- With your consent: we may share data with third parties when you have given us explicit permission to do so.
9. Third-Party Services
The Service integrates with or relies upon the following third-party services:
- DigitalOcean, LLC: infrastructure provider operating EU-based data centers. Our servers and databases are deployed exclusively within DigitalOcean's EU regions. DigitalOcean is certified under SOC 2 Type II and ISO 27001.
- Stripe, Inc.: payment processing and subscription management. Stripe processes payment data in accordance with their privacy policy and PCI-DSS standards. We share only your email address and subscription details with Stripe as necessary to process payments.
- Resend, Inc.: email delivery service for transactional and marketing communications. We share your email address and relevant account information as necessary to deliver these communications. Resend processes data in accordance with their privacy policy.
- MaxMind GeoLite2: IP geolocation database used locally within our infrastructure. No data is transmitted to MaxMind; we use their database files to perform geolocation lookups entirely within our own systems.
- Simple Analytics: website analytics for our marketing website. This service operates without cookies and without collecting personal data.
We maintain data processing agreements with service providers that process personal data on our behalf, ensuring appropriate safeguards are in place.
10. International Data Transfers
All data processing occurs within the European Union. Our servers, databases, and infrastructure are located exclusively in EU member states.
Some third-party service providers we engage may process data outside the European Economic Area. Where such transfers occur, we use appropriate safeguards recognized under applicable privacy regulations, which may include:
- Adequacy decisions by relevant authorities
- Standard contractual clauses
- Binding corporate rules
- Other legally recognized transfer mechanisms
11. Data Security
We implement technical and organizational security measures designed to protect your data, including:
- Encryption of data in transit using TLS/HTTPS
- Encryption of data at rest in our databases
- Secure password storage using industry-standard cryptographic hashing
- Access controls and authentication requirements for system access
- Rate limiting and abuse prevention mechanisms
- Regular security reviews and updates
- Logging and monitoring for security incidents
While we implement these measures, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee absolute security of your data and you acknowledge this inherent limitation of data transmission and storage.
12. Cookies and Similar Technologies
The Service uses the following cookies:
- Session cookie: essential for maintaining your authenticated session when logged into the dashboard. This cookie expires when you close your browser or log out.
- CSRF token cookie: essential for security purposes to prevent cross-site request forgery attacks.
We do not use tracking cookies, advertising cookies, analytics cookies that track individual users, or third-party cookies for behavioral targeting.
13. Your Data Protection Rights
Depending on your location and applicable privacy regulations, you may have the following rights regarding your personal data:
- Right of access: you may request a copy of the personal data we hold about you
- Right to rectification: you may request correction of inaccurate or incomplete personal data
- Right to erasure: you may request deletion of your personal data, subject to legal retention requirements
- Right to restriction of processing: you may request that we limit our processing of your personal data in certain circumstances
- Right to data portability: you may request to receive your personal data in a structured, commonly used, machine-readable format
- Right to object: you may object to processing based on legitimate interests, including direct marketing
- Right to withdraw consent: where processing is based on consent, you may withdraw that consent at any time
- Right to lodge a complaint: you have the right to lodge a complaint with a supervisory authority in your member state
To exercise these rights, please contact us using the information provided at the end of this document. We will respond to your request within the timeframes required by applicable law.
Please note that analytics event data collected through our session-based architecture is generally non-personal and cannot be linked to identifiable individuals. Session identifiers are random, ephemeral, and cannot be used to identify or contact you. As a result, we may not be able to identify your specific data within our analytics datasets.
14. California Privacy Rights
If you are a California resident whose personal information is subject to the California Consumer Privacy Act (CCPA), you have rights to know, delete, and opt out of sales of your personal information. We do not sell personal information as defined by CCPA.
Note: CCPA applies to our business only if we meet statutory thresholds regarding revenue or data processing volume. To exercise CCPA rights if applicable, you can contact us by sending an email.
15. Children's Privacy
The Service is not directed to children under the age of sixteen, or under the age of digital consent in your jurisdiction, whichever applies. We do not knowingly collect personal data from children under these age thresholds. If you are a parent or guardian and believe that your child has provided us with personal data, please contact us immediately. If we become aware that we have collected personal data from a child without appropriate parental consent where required, we will take steps to delete that information.
16. Do Not Track Signals
Our Service does not respond to Do Not Track (DNT) signals because our session-based analytics architecture does not track users across websites or over time in a manner that would be affected by such signals. Our privacy-by-design approach means we do not engage in the tracking behaviors that DNT signals are intended to prevent.
17. Automated Decision-Making
The Service does not engage in automated decision-making or profiling that produces legal effects concerning you or similarly significantly affects you.
18. Data Protection Officer
Given the nature and scale of our data processing activities, we have not appointed a formal Data Protection Officer. For all data protection inquiries, please contact us using the information provided below.
19. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last updated" date at the top of this document
- Notify registered users via email at least thirty days before changes take effect, where practicable
- Post a notice on our website
Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.
20. Contact Information
For questions about this Privacy Policy, to exercise your data protection rights, or for any other privacy-related inquiries, please contact us:
Loheden AI Solutions AB
Vretavägen 26
71993 Vintrosa
Sweden
Email: [email protected]