Privacy Policy

Version 1.6

Last updated: 20251126

We are committed to protecting your privacy and ensuring transparency about how we collect and use personal data. This Privacy Policy explains how Easycolor Platforms AB (“Lyftio”), with corporate registration number 559509-8137, processes information when you use our A/B testing and experimentation platform (“Services”), visit our website, or communicate with us.

1. Who We Are

We provide tools for A/B testing, experimentation, feature flagging, and analytics that help Customers run experiments, deliver variations, and measure performance on their websites and applications. Because our platform processes different categories of personal data, our responsibilities vary under applicable data protection legislation, including Regulation (EU) 2016/679 (the General Data Protection Regulation, “GDPR”) and the UK GDPR.

This Privacy Policy explains how we collect, use, store, and protect personal data when:

  • You create and use an account
  • You visit our website
  • You interact with us (e.g., support or sales)
  • Our script or SDK runs on a Customer’s website or application

If you have any questions, you can contact us at: privacy@lyftio.com

2. Our Role as Controller and Processor

Because our platform handles different types of information, we take on different roles under applicable data protection laws, including the EU GDPR and UK GDPR.

2.1 When We Act as a Controller

We act as the data controller when we collect and process personal data about:

  • Customers (the organizations that use our platform)
  • Authorized Users (people who log into an account)
  • Website visitors who interact with our marketing site
  • Individuals communicating with us, such as support or demo requests

As a Controller, we determine the purposes and legal bases for processing this information.

Examples include:

  • Account creation and management
  • Authentication and security
  • Billing and subscriptions
  • Support and communication
  • Service improvement and diagnostics
  • Compliance with legal obligations

2.2 When We Act as a Processor

We act as a data processor when our script or SDK runs on a Customer’s website or application. In that context, we process pseudonymous End User data (e.g., visitor_id, country, experiment and variation IDs, event data) only on behalf of the Customer.

For this processing:

  • The Customer is the Controller
  • The Customer determines the lawful basis (e.g., legitimate interests or consent)
  • We process the data strictly according to the Customer’s instructions
  • We do not use End User data for our own purposes
  • We do not share End User data with third parties unless the Customer enables an integration
  • We do not collect identifiable End User information such as names, emails, cookies, advertising IDs, or cross-site tracking data

2.3 How to Know Whom to Contact

  • If you are a Customer or Authorized User, contact us directly for privacy-related requests.
  • If you are an End User of a website that uses our platform, please contact the website owner (the Controller).

We assist Controllers in responding to End User requests as required by GDPR.

3. Personal Data We Collect and How We Use It

We collect only the personal data necessary to operate our A/B testing and experimentation platform. What we collect and how we use it depends on whether you are a Customer / Authorized User of our Service or an End User visiting a Customer’s website.

3.1 Customer and Authorized User Data (Controller Role)

We collect only the information needed to create and manage accounts, deliver the Services, communicate with Customers, process billing, and maintain the security and stability of the platform. This includes basic account information (such as name, email, locale), authentication and security data, subscription information, and communications with us.

We process this data to:

  • Provide the Services
  • Respond to requests and provide support
  • Prevent abuse and maintain service reliability
  • Comply with our legal obligations

Types of Personal Data

| Data type | Purpose | Provided | Retention |
|---|---|---|---|
| Name | Only used for communication with customers and authorized users | Provided by the customer in dashboard or signup process | Deleted when customer deletes account |
| Email address | Only used for communication with customers and authorized users | Provided by the customer in signup process | Deleted when customer deletes account |
| Phone number | Only used for communication with customers and authorized users | Provided by the customer in dashboard or signup process | Deleted when customer deletes account |
| Locale | Used for communication with customers and authorized users | Provided by the customer in dashboard (overrides default) | Deleted when customer deletes account |
| Subscription & billing details | Used for payments for the service | Provided by the customer in dashboard | Must be kept at retention cycle compliant with Swedish laws |

3.2 End User Data (Processor Role)

When our A/B testing script or SDK runs on a Customer’s website or application, we process a small amount of pseudonymous data to operate experiments. This includes a visitor identifier, country, referrer, experiment IDs, variation IDs, and basic event data (e.g., conversions or clicks). We do not collect cookies, names, emails, device fingerprints, advertising identifiers, or any data that directly identifies End Users. We process this data solely on behalf of the Customer, who is the Controller and determines the appropriate legal basis.

Purpose of Processing

  • Assign visitors to experiment variations
  • Ensure consistent variation assignment
  • Measure experiment results
  • Provide aggregated analytics
  • Maintain service reliability and prevent abuse

3.3 Website Visitors and Marketing Communications

We process personal data provided by visitors to our website or through marketing interactions to:

  • Respond to inquiries and support requests
  • Provide demos, onboarding, and product information
  • Send optional newsletters or updates
  • Manage event registrations or promotional activities

Categories of Personal Data

  • Respond to inquiries and support requests
  • Provide demos, onboarding, and product information
  • Send optional newsletters or updates
  • Manage event registrations or promotional activities

Legal Basis

  • Legitimate interests in communicating with prospective customers and providing requested information
  • Consent for subscription-based marketing where legally required

3.4 Aggregated and Anonymous Data

We may process aggregated or anonymized data to:

  • Improve our Service
  • Analyze overall usage trends
  • Enhance platform performance and reliability

Aggregated and anonymized data does not identify individuals and is not considered personal data under GDPR.

4. How We Store and Protect Information

4.1 Storage and Hosting

Personal data processed by our Service is hosted on Amazon Web Services (AWS) in the EU/UK by default. Data may be transferred outside these regions only when necessary to provide specific features and only where appropriate safeguards (such as Standard Contractual Clauses) are in place.

4.2 Technical Measures

We apply industry-standard security practices including:

  • Encryption of data in transit and at rest
  • Access controls and authentication mechanisms
  • Network and infrastructure protections
  • Monitoring and logging of system activity
  • Regular security reviews and testing

4.3 Organizational Measures

We apply organizational safeguards including:

  • Least-privilege access policies
  • Employee confidentiality obligations
  • Security and privacy training
  • Vendor and risk assessments
  • Documented incident response procedures

4.4 Incident Response

If a data breach occurs, we will:

  • Investigate promptly
  • Take steps to contain and remediate the issue
  • Notify Customers and supervisory authorities where legally required
  • Assist Customers with their own obligations as Controllers

For more detailed information about our security measures, see our Security Overview.

5. How We Share Data

We only share personal data when it is necessary to provide the Services or when required by law. We do not sell personal data, and we do not share End User data with advertisers or data brokers. Because we collect and store as little information as possible—especially for End Users—the amount of data shared with third parties is extremely limited.

You can find the full, current list of our sub-processors on our Sub-processors page.

5.1 Sharing with Our Sub-processors

We use a small number of trusted service providers (“sub-processors”) to host our platform, deliver emails, process billing, or support optional features. These companies process personal data strictly on our instructions and only for the purposes of providing the Services.

5.2 Sharing with Your Website or Application (End User Data)

For End Users interacting with your website or application where experiments run:

  • We act as a Processor
  • You, the Customer, act as the Controller
  • We do not share End User data with any party other than you or services operating under your instructions

End User data is not sent to any marketing platforms. It stays within our infrastructure (AWS), unless you explicitly enable an optional integration.

5.3 Legal Requirements

We may disclose information if required to do so by:

  • Law enforcement
  • Government requests
  • Court orders
  • Applicable laws or regulations

Any such disclosure is limited to what is strictly necessary.

5.4 No Unnecessary Sharing

We do not:

  • Share data for advertising
  • Use data for profiling
  • Allow third-party cookies or trackers
  • Sell, rent, or trade personal data

We operate with a privacy-minimal design, processing only the data necessary for A/B testing and variation delivery.

5.5 Mergers or Business Transfers

If we are involved in a merger, acquisition, or similar event, personal data may be transferred as part of the transaction. We will notify Customers before such changes take effect.

6. International Transfers

We host and process Customer Data and End User data primarily in the EU/UK, and we aim to keep processing within these regions wherever possible.

In some cases, limited personal data may be transferred outside the EU/UK—typically when using sub-processors that operate globally (e.g., Stripe or OpenAI). When such transfers occur, we ensure that an adequate level of protection is in place in accordance with applicable data protection laws.

6.1 Safeguards for International Transfers

Any transfer of personal data outside the EU/UK is protected using one or more of the following mechanisms:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • UK Addendum / International Data Transfer Agreement (IDTA) where required
  • Supplementary technical and organizational measures such as encryption and access controls
  • Transfers only to recipients offering an adequate level of data protection as defined under GDPR

We review our sub-processors regularly to ensure ongoing compliance with international transfer rules.

6.2 End User Data Transfers

End User data (which consists only of pseudonymous identifiers such as visitor_id, country, referrer, and experiment information) is not transferred outside the EU/UK unless:

  • It is necessary to provide an optional feature selected by the Customer; and
  • Appropriate safeguards (such as SCCs) are in place.

By default, all End User data remains within our EU/UK hosting environment.

6.3 Customer Data Transfers

Certain Customer Data may be processed by sub-processors outside the EU/UK (e.g., Stripe for billing or OpenAI for optional features). These sub-processors operate under binding contractual commitments that guarantee a lawful transfer mechanism and equivalent data protection.

6.4 Your Control Over Transfers

Customers may request:

  • A list of all international transfer mechanisms in use
  • A copy of the SCCs / UK Addendum (redacted for confidentiality)
  • Additional information on technical safeguards

We will provide this information upon request.

7. How Long We Keep Data

We keep personal data only for as long as it is needed for the purposes described in this Privacy Policy, or for as long as we are legally required to retain it. Retention periods differ depending on whether we act as a Controller (Customer and Authorized User data) or a Processor (End User data).

7.1 Customer and Authorized User Data (Controller Role)

We retain account information such as names, emails, phone numbers, locale, authentication logs, and billing-related records:

  • For as long as your account is active and necessary to provide the Services
  • To comply with legal and financial obligations, including tax, accounting, and commercial record-keeping requirements
  • To support legitimate business purposes, such as maintaining service history and security logs, unless you object to such processing
  • Until you withdraw consent, where consent is the legal basis
  • As needed to establish, exercise, or defend legal claims, in which case certain information may be retained for longer periods permitted by law

Billing records may be retained up to 6–10 years as required by financial regulations.

7.2 End User Data (Processor Role)

We store only pseudonymous End User data used for experimentation and analytics (visitor_id UUID, country, referrer, experiment and variation IDs, event data, timestamps). This data is retained for limited durations and deleted automatically unless the Customer chooses shorter retention:

  • Raw event and experiment data: kept for 30–180 days
  • Aggregated analytics: retained longer because it no longer contains personal data
  • Upon Customer request: deleted promptly
  • Upon account termination: all End User data is deleted within 30 days, including from backups by natural expiration

We do not collect sensitive data, cookie identifiers, cross-site identifiers, or any data that requires long-term retention.

7.3 Backups and Logs

Backups created for business continuity purposes are kept for 7–30 days and then deleted automatically. Backup data is encrypted and not restored unless necessary for recovery from an incident.

7.4 Local Storage in Browsers

Local storage values (visitor_id UUID and country) are stored on the End User’s own device and remain until:

  • The End User clears their browser data
  • The browser automatically removes old storage
  • The Customer stops using our script

This data is never stored server-side as a persistent identifier beyond the event logs described above.

7.5 Deletion Upon Request

Customers and Authorized Users may request deletion of their personal data at any time. For End User data, we act only based on Customer instructions. See our full Data Retention Policy for more detail.

8. Your Rights

If you are a Customer or Authorized User, you have the following rights regarding the personal data we process as a Controller:

  • Access – request a copy of your data
  • Correction – update inaccurate or incomplete information
  • Deletion – request removal of your data
  • Restriction – ask us to limit how your data is used
  • Portability – receive your data in a structured, machine-readable format
  • Objection – object to certain types of processing
  • Withdrawal of consent – where processing is based on consent

You may exercise these rights at any time by contacting: privacy@lyftio.com

8.1 Identity Verification

To protect your information, we will take reasonable steps to verify your identity before fulfilling a rights request. This may include:

  • Matching the information you provide with the data we already hold
  • Confirming control of the relevant email address
  • Requesting limited additional information if needed to confirm your identity

We will not fulfill requests that are:

  • Manifestly unfounded or excessive
  • Fraudulent or abusive
  • Submitted by unauthorized third parties
  • Not required under applicable law

8.2 End User Rights (Where We Act as Processor)

If you are an End User interacting with a website or application that uses our A/B testing script or SDK, please contact the website or app owner directly. We act as a Processor for End User data and can only fulfill End User requests when instructed by our Customer (the Controller). We will assist the Customer as required under the GDPR.

8.3 Response Time

We aim to respond to all valid requests within 30 days, and will inform you if additional time is needed due to complexity or volume.

9. Cookies and Tracking

We do not use cookies in our experimentation product. We rely solely on local storage to maintain a consistent visitor experience during experiments.

Local Storage Use (Clarification)

We store only two values in local storage:

  • Visitor random identifier
  • Country

These values:

  • Are stored only on the user’s device
  • Are not shared with third parties
  • Cannot be accessed by other websites
  • Are not used for advertising or cross-site tracking
  • Are used solely to ensure a stable and functional experiment experience (e.g., keeping a user in the same variation)

Local storage does not create cross-site identifiers and does not expose data to external parties.

10. Under-age Privacy

Our Services are not directed to children under 16, and we do not knowingly collect data from children.

11. Changes to This Policy

We may update this policy from time to time. Significant changes will be communicated in advance.

12. Contact Us

Questions? Contact: privacy@lyftio.com