Documents

Privacy Policy

On This Page

Privacy Policy

Last Update: July 10, 2025

Live Elements Ecosystem S.L. ("we", "us", "our") is the data controller for the personal data described in this Privacy Policy, except where stated otherwise.

This Privacy Policy for Live Elements Ecosystem S.L. ("we," "us," or "our"), describes how and why we might access, collect, store, use, and/or share ("process") your personal information when you use:

  • our Sites and communications, including liveelements.io and any subdomains that link to this policy
  • Live Elements Studio: our content management software and related SDKs/APIs; and
  • Live Elements Ecosystem Console: our customer account portal for licensing, billing, subscription management, and support

Related Documents:

1. Definitions

  • "CMS": our content management software and related SDKs/APIs/plugins we provide.
  • "Console": our customer account portal for licensing, billing, user/admin management, and support.
  • "Sites": our websites and web pages that link to this Privacy Policy.
  • "Personal data": any information that identifies or relates to an identified/identifiable person.
  • "Service Data": content and data that your organization ingests, stores, or generates in the CMS (e.g., page content, media metadata, end-user info you configure your CMS to capture).
  • "Account/Console Data": data about your organization’s account and users (e.g., admin names, emails, billing details, role assignments, support tickets).
  • "Technical/Usage Data": device, log, telemetry, diagnostics, performance, and security events generated by the CMS, Console, or Sites.
  • "End Users": individuals who interact with a site or application that you build with the CMS.
  • "Process(ing)": any operation performed on personal data (collect, use, store, disclose, delete, etc.).
  • "Controller/Processor" (EEA/UK GDPR): the controller determines "why/how" data are processed; the processor processes on the controller’s documented instructions.

2. Our roles at a glance

  • Controller: We act as controller for Account/Console Data, most Technical/Usage Data from our Sites and Console, and for our own marketing and business operations.
  • Processor / Service Provider: We act as processor for Service Data that your organization submits to or hosts in the CMS, processing it under your documented instructions and our Data Processing Addendum (DPA).
  • Sub-processors: When acting as your processor, we may engage vetted sub-processors (e.g., hosting, support, observability) as listed in our Sub-processor List and subject to the DPA.

3. What we collect

3.1. Information you provide to us

We collect information you submit directly to us, for example when you create an account, manage an organization, configure projects, request support, or communicate with us.

3.1.1. Account & organization data (Console)

  • Names, business email addresses, passwords or SSO identifiers, organization name, role/permissions, team memberships.
  • Billing contacts and preferences, license tier, subscription status.
  • Support interactions (ticket content, attachments/logs you choose to share), survey responses, and other communications.

3.1.2. Configuration & content (CMS) "Service Data"

  • Content types/schemas you define, page/content entries, media metadata, and any end-user information you choose to collect through your CMS implementation (e.g., form fields).
  • Deployment note: If you host the CMS, we generally do not access Service Data except as instructed (e.g., support). If we host the CMS, we process Service Data to operate the service under your instructions (see DPA).

3.1.3. Payments

  • We collect purchase details such as plan, invoice and transaction metadata, and billing address. We do not collect or store full payment card numbers; payments are handled by your chosen processor (see Payments & Billing).

3.1.4. Optional uploads & communications

  • Files/logs you attach to tickets, screenshots, crash dumps, or CVs if you contact us about roles (if recruitment is covered by a separate notice, that will apply).

Please avoid sending sensitive personal data (e.g., health, biometric, precise geolocation, government IDs) in tickets or free-text fields unless we specifically request it and you have a lawful basis.

3.2. Information we collect automatically

When you use the CMS, Console, or Sites, we automatically collect certain information to provide, secure, and improve the services. See Cookies, Tracking & Analytics for details on cookies/SDKs.

3.2.1. Device & session data

  • IP address, device and browser type/version, operating system, language, user agent, time zone.

3.2.2. Service usage & event data

  • Authentication and admin actions, feature usage, timestamps, referral URLs, page views, clickstream, and in-product UI events in the Console.
  • CMS runtime telemetry (depending on configuration): request/response logs, error and crash reports, performance metrics (e.g., latency), job/queue events, and security/audit logs.

3.2.3. Diagnostics & security

  • System logs, debug information, and signals used to detect abuse, prevent fraud, and maintain service integrity (e.g., rate-limit triggers, failed logins).

We may collect these via our own logs/SDKs as well as service providers operating on our behalf.

3.3. Information we receive from third parties

  • Single sign-on/identity providers: If you sign in with a third-party IdP (e.g., Google, GitHub, Azure AD), we receive identifiers such as your name, email, and IdP user ID according to your IdP’s settings.
  • Payment processors: We receive limited transaction metadata (e.g., payment status, last-4 digits token, billing address) to reconcile accounts and prevent fraud.
  • Service providers & partners: Hosting, support, analytics, and distribution partners may provide information needed to operate or troubleshoot the service (subject to our agreements).
  • Public and commercial sources: Business contact details or firmographics to maintain accurate records and communicate with organizations already using our products.

3.4. What we don’t intentionally collect (and your responsibilities)

  • We do not intentionally collect special categories of personal data (e.g., health, biometric, union membership) or children’s data through our Console/Sites.
  • CMS responsibility: You control what your CMS captures about your end users and for ensuring that such collection, processing, and storage comply with applicable laws, including data protection and privacy laws. You acknowledge and agree that, unless expressly stated otherwise in an Order or Documentation, the Services are not designed to meet heightened security requirements for regulated or sensitive data (such as HIPAA, PCI DSS, or classified government information). If you choose to process such data through the Services in violation of these Terms, you do so at your own risk you are solely responsible for any resulting consequences, losses, liabilities, or claims, and we shall have no liability in connection therewith.

3.5. Prohibited Data

Unless expressly permitted in writing by us in an applicable Order Form or Documentation, you shall not submit to, process, or store in the Services any Prohibited Data, including:

  • (i) Special Categories of Personal Data (as defined under GDPR or equivalent laws) - such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning a natural person’s sex life or sexual orientation.
  • (ii) Regulated Data including but not limited to:

You acknowledge and agree that:

  • the Services are not designed for the storage or processing of Prohibited Data;
  • the Provider has no obligation to detect the presence of Prohibited Data; and
  • if you store or process Prohibited Data in violation of this Agreement, you do so at your own risk and sole responsibility, and we shall have no liability for any resulting consequences, losses, liabilities, or claims.

4. Cookies & Similar Technologies

We and our service providers use cookies and similar technologies (collectively, "Cookies") to run and secure the CMS (SaaS), the Console, and our Sites, and to understand how they’re used. These include cookies,local/session storage, SDKs, and tags.

4.1. How we use them (categories)

  • Strictly necessary: required to sign in, route traffic, keep sessions secure, and prevent fraud.
  • Functional: remember preferences (e.g., language, region) and enhance features.
  • Analytics: measure and improve performance and usability.

When we act as your processor for Service Data in the CMS, Cookie-based processing is limited to operating and securing the service under your instructions and our DPA.

  • EEA/UK and similar jurisdictions: We seek opt-in consent for non-essential Cookies via our banner or settings; you can change choices anytime in Cookie Settings.
  • US state privacy laws: You may opt out of Cookie uses that constitute "sale," "sharing," or "targeted advertising" via Cookie Settings and GPC (see 4.4).
  • Browser controls: You can block/delete Cookies in your browser (strictly necessary Cookies are required for core functions).

Cookie Notice: https://ecosystem.liveelements.io/documents/cookie-policy (lists specific Cookies, providers, and durations).

5. Global Privacy Control (GPC) and "Do Not Track" (DNT)

  • We honor Global Privacy Control (GPC) signals globally and treat them as a request to opt out of sale/sharing/targeted advertising on our Sites and Console. Your Cookie Settings will reflect that choice.
  • "Do Not Track" is not standardized; we do not respond to DNT. Please use Cookie Settings and GPC.

6. Product analytics & Advertising

  • We use analytics on our Sites and Console to help improve performance (e.g., page load times, feature adoption, error rates). In the SaaS CMS, telemetry and logs are used to operate, secure, and troubleshoot the service; any optional analytics beyond what’s necessary will be off by default and enabled only with the appropriate legal basis (e.g., consent).
  • We do not analyze your Service Data content for marketing. Access to telemetry that may incidentally include personal data is restricted to authorized personnel for the purposes above.
  • Where required, analytics load only after consent; elsewhere you can disable them in Cookie Settings at any time. (Optional provider disclosure, if you want it now or later)

6.1. Advertising & remarketing

Current status. We do not currently use advertising or remarketing Cookies on our Sites or Console. If enabled in the future: we may use Cookies to measure campaign performance and reduce repetitive ads. We will

  • update this Policy and our Cookie Notice,
  • obtain any required consents, and
  • provide opt-out options via Cookie Settings and GPC.

We will not permit third-party advertising tags on Console or CMS admin pages that display or handle sensitive account data.

7. Payments & Billing

You can purchase and manage subscriptions to the CMS through the Console. We use third-party payment service providers to process payments securely. We do not collect or store full payment card numbers or security codes; those are handled directly by our payment provider(s).

7.1. What we collect for billing

  • Billing & account details: organization name, billing contact name, business email, billing address, country, tax/VAT ID (if applicable), purchase history, plan/tier, renewal date, and coupon or referral codes.
  • Transaction metadata: payment status, timestamps, amount, currency, invoice/receipt numbers, last-4 digits and card brand or a masked bank account identifier (when returned by the provider), and payment method type (e.g., card, SEPA/ACH).
  • Fraud/verification signals: IP address, device/browser information, and 3-D Secure/SCA results (where required by law) to prevent fraud and comply with PSD2/other regulations.
  • Support for billing issues: information you provide in billing tickets (e.g., screenshots, error messages).

We keep billing records for as long as your account is active and as necessary to meet legal, tax, and accounting requirements. After that, we retain only what’s needed to resolve disputes or comply with law, then securely delete or anonymize the data.

7.2. How we use billing information

  • Provide and manage the service: set up your subscription, calculate charges, issue invoices/receipts, manage renewals, proration, refunds, and chargebacks.
  • Compliance: maintain accurate accounting records; comply with tax, audit, and regulatory obligations.
  • Fraud prevention and security: detect and prevent fraudulent or abusive transactions.
  • Communications: send transactional emails (e.g., invoices, payment confirmations, dunning/renewal notices). Marketing opt-outs do not affect these transactional messages.

7.3. Payment processors and security

We use Stripe to process payments. We receive only the minimal information needed to reconcile payments and manage your subscription. See their privacy/security documentation linked in our Cookie Notice or Sub-processor List.

8. How We Use Personal Data

When we process Service Data in the CMS, we act as your processor/service provider and handle it only on your instructions and the DPA. For everything else (e.g., Sites/Console/account data), we act as controller.

We use personal data to:

  • Provide, operate, and improve the CMS, Console, and Sites, including system administration, security, and developing new features.
  • Manage accounts, subscriptions, and billing, and send related transactional messages (e.g., confirmations, invoices, security alerts).
  • Respond to support requests and other communications.
  • Monitor and analyze usage, performance, and trends to maintain and enhance the services.
  • Detect, investigate, and prevent fraud, abuse, and security incidents; enforce terms; and comply with law.
  • Personalize experiences (e.g., preferences, in-product guidance) and communicate about updates, features, events, and surveys—with consent where required and opt-out available at any time (see Cookie Settings/GPC).
  • Administer surveys, promotions, events, or similar activities.
  • Carry out the purpose for which the information was provided.
  • We may create aggregated or de-identified data from the information we process. We may use and share such data for legitimate purposes (e.g., research, benchmarks, capacity planning) so long as it does not identify you or your organization.
  • We do not use Service Data for advertising or cross-context behavioral advertising. If we introduce ads/remarketing or optional analytics, we will obtain any required consent and honor your Cookie Settings and Global Privacy Control preferences.

Where the GDPR/UK GDPR applies, we process personal data on these legal bases:

  • Contract: to provide the CMS, Console, and Sites and to perform our agreements with you (e.g., account administration, billing, support).
  • Legitimate interests: to keep the services secure; prevent fraud/abuse; understand and improve performance; and communicate service updates. We balance these interests against your rights and expectations.
  • Consent: for non-essential cookies/SDKs, certain marketing communications, and any other use where we ask for consent. You may withdraw consent at any time in Cookie Settings or via the unsubscribe link.
  • Legal obligations: to meet tax, accounting, and regulatory duties and to respond to lawful requests.
  • Vital interests: only if needed to protect someone’s life or safety.

10. Sharing & Disclosures

We disclose limited data to service providers (e.g., hosting/CDN, support/email, payments/MoR, observability/analytics where enabled) and affiliates under appropriate safeguards; as required for legal/compliance and safety; and in business transfers (e.g., merger/acquisition), with continued protection and notice where required.

When we act as your processor (CMS Service Data), we may engage vetted sub-processors under our DPA (see the current list: https://ecosystem.liveelements.io/documents/subprocessors-list ). We disclose Service Data only on your documented instructions or where legally required (we’ll notify you unless prohibited).

If you connect identity providers, plugins, or other integrations, their handling of data is governed by their terms and privacy notices.

Our Sites may include third-party links or social widgets that collect limited data (e.g., IP, page viewed). Their policies apply.

Content posted in community spaces, like public forums/chats may be read by others and indexed by search engines. Don’t share sensitive data there.

11. International Data Transfers

Personal data may be processed in EU and the United States, and in other countries where our service providers/sub-processors operate (see our Sub-processor List).

When personal data is transferred from the EEA/UK/Switzerland to countries that do not provide an adequate level of protection, we use appropriate safeguards, including:

  • the EU Standard Contractual Clauses (SCCs);
  • the UK Addendum/International Data Transfer Agreement (IDTA); and
  • the Swiss addendum/clauses where applicable.

We implement technical and organizational measures—including encryption in transit and at rest, access controls, and least-privilege permissions—and conduct transfer impact assessments (TIAs) for relevant transfers.

If we receive a legally binding request for personal data from a public authority, we will:

  • review and challenge requests we consider unlawful or overbroad,
  • limit disclosures to what is legally required, and
  • notify the customer/controller where legally permitted.

12. Data Retention & Deletion

We retain personal data only as long as necessary for the purposes in this Policy, to operate the CMS/Console, to comply with legal/tax/accounting duties, to resolve disputes, and to enforce agreements. Where feasible, we anonymize or aggregate data instead of keeping it in identifiable form.

12.1. Default retention (guideposts — adjust to your needs)

  • Account/Console data (admin profiles, org settings): kept while the account is active, then deleted or anonymized within 60 days of closure, unless law requires longer.
  • Billing/transaction records (invoices, tax evidence): retained 6 years (jurisdiction-dependent).
  • Support tickets/communications: kept for 12 after resolution to improve support and defend against claims.
  • Product telemetry & logs (security/audit/performance): typically 30 days, longer where needed for security or legal reasons.
  • Marketing preferences & suppression lists: we keep minimal data to honor opt-out requests.

For Service Data in the CMS (where we act as processor), you control retention via settings and instructions in the DPA.

12.2. Deletion on request or closure

  • Self-service. Where available, you can delete projects, content, or users in the Console/CMS.
  • Requests. You may request deletion of Account/Console data (see Your Rights & Choices). We’ll comply unless retention is required by law or necessary to establish, exercise, or defend legal claims.
  • Post-closure. After account closure, we queue remaining deletions and anonymize or purge residual personal data on a rolling schedule per the periods above.

We aim to delete or anonymize Account/Console personal data within 60 days of account closure (except where longer retention is required by law or necessary to establish, exercise, or defend legal claims). Backups expire on their normal cycle; when restored for DR, we re-apply deletions as soon as practicable.

12.3. Backups & disaster recovery

Backups are encrypted and kept only for business continuity. When you delete data, it is removed from active systems; it may persist in backup archives until those archives expire and are overwritten on their normal cycle. We don’t restore backups except for disaster recovery or to address significant security/operational issues; if Service Data re-appears after a restore, we re-apply deletion as soon as practicable.

12.4. Exceptions we may need to apply

We may retain certain limited personal information for a longer period where reasonably necessary to:

  • (a) comply with applicable laws and regulations;
  • (b) respond to lawful requests from courts, law enforcement, or other competent authorities;
  • (c) prevent, detect, or investigate fraud, abuse, security incidents, or other harmful activity; or
  • (d) establish, exercise, or defend legal claims and enforce our agreements.

We will minimize the data we retain for these purposes, restrict access to authorized personnel only, and securely delete or anonymize the data once it is no longer needed for the purpose for which it was retained

13. Children’s Privacy

Our CMS, Console, and Sites are not directed to children. We do not knowingly collect personal data from anyone under 16 in the EEA/UK (or the higher age where your jurisdiction requires it) or under 13 in the U.S. If you believe a child has provided personal data, contact us and we will delete it.

14. Your rights & choices

Depending on your location, you may have the right to access, correct, delete, restrict or object to processing, and port your data; and to withdraw consent where processing is based on consent.

  • How to exercise: Contact us at security@liveelements.io or use our web form (subject: "Privacy Request"). We may ask for information to verify your identity or authority.
  • Appeals: If we decline your request, you may appeal by replying to our decision (subject: "Privacy Appeal"). We will review and respond to appeals in accordance with applicable law.
  • Supervisory authorities: EEA/UK residents may lodge a complaint with their data protection authority; we encourage contacting us first so we can resolve issues quickly

Account Self Service: You can update organization, user, and billing details anytime via the Console. You may also remove users and delete projects where available.

15. Privacy rights for United States residents

Some U.S. state laws grant residents specific rights, including to know/access, correct, delete, obtain a copy, opt out of certain processing (e.g., "sale," "sharing," or targeted advertising), and appeal denials.

We do not sell or share personal data for cross-context behavioral advertising and do not use advertising/remarketing cookies on our Sites or Console. If this changes, we will update this Policy, honor GPC signals, and provide opt-out controls in Cookie Settings. We do not intentionally collect sensitive personal data via Console/Sites.

15.1. Request/verification/authorized agents

Submit via security@liveelements.io or our web form; we verify identity using account information and may request additional details. You may authorize an agent; we may require proof of authorization. If we deny your request, you can appeal as described above; if still unsatisfied, you may contact your state attorney general.

15.2. California Shine the Light

California residents may request information regarding our disclosures of certain categories of personal information to third parties for their direct marketing purposes during the prior calendar year.

Such requests may be submitted once per calendar year by contacting us at:

We will provide the required information in accordance with California Civil Code § 1798.83.

16. Changes to this Policy

We may update this Policy from time to time. We will post the new effective date and, for material changes, provide a prominent notice (e.g., in-product banner or email) 7 days before they take effect, or obtain consent where required by law. Older versions may be available in our version history/changelog.

17. How to Contact Us

Primary contact (all requests): security@liveelements.io

• Privacy requests & questions: use the subject "Privacy Request" (e.g., access, deletion, objection). • Security/vulnerability reports: use the subject "Security" (please avoid including secrets; we’ll reply with a secure channel if needed).

If you are in the EEA/UK, you may also lodge a complaint with your supervisory authority. We encourage you to contact us first so we can try to resolve your concern quickly.