Last updated: May 2023

  1. Introduction
    Lepaya takes your privacy very seriously and will process and store your data in a safe manner and environment. This privacy policy (the “Privacy Policy”) informs you about how Lepaya collects and processes the personal data that you, or your employer on your behalf, submit to us. We process your personal data in accordance with the applicable European Union (“EU”) and Member State regulations on data protection, in particular the General Data Protection Regulation No 2016/679 (the “GDPR”) 
  2. Who are we?
    Lepaya provides learning journeys consisting of Power Skill Trainings by offering more than 80 Soft and Hard Skill training modules to employers. Lepaya’s Power Skill Trainings upskill the workforce of employers and enable employees to be more effective in their work and enjoy more happiness in life. The Lepaya platform can be accessed through one of the Lepaya apps, e.g. the Lepaya mobile app, the desktop app through ‘’ and/or the Lepaya Learning app for MS Teams (together all apps will be referred to as the “Lepaya Apps”). 
  3. How and why do we use Personal Data?
    Lepaya processes personal data as supplied by you or your employer (hereinafter called “Personal Data”), so we can provide our services and deliver our training modules. We will always process your Personal Data based on one of the legal bases provided for in the GDPR (see article 5). We do not process any sensitive Personal Data, such as ethnic origin, political opinions, religious or philosophical beliefs. The Personal Data necessary to sign you up for the Lepaya Apps as a user are as follows: first name, last name and email address. 
  4. Lepaya acts as Data Processor
    Lepaya is considered a data processor as defined in Article 28 of the GDPR when it comes to processing your Personal Data. This means that Lepaya acts on behalf of its given instructions and will only process Personal Data in line with these instructions. Lepaya does not determine the purpose and means by which your Personal Data is processed. 
  5. On which legal basis will your Personal Data be processed?
    The processing of your Personal Data is necessary for the performance of a contract as defined in Article 6(1)(b) of the GDPR. We process your Personal Data for the performance or preparation of an agreement with our client, your employer. We process your Personal Data that we receive from your employer so that we can provide our services to your employer, and ultimately to you. Without processing this data, it is not possible to provide our services and offer you our (virtual) learning via the Lepaya Apps. 
  6. Which Personal Data is collected and processed?
    We collect information that is provided to us by you, or by your employer, so we have the necessary information to sign you up for the Lepaya Apps. The following data is collected and processed by us: 

    6.1. Personal information that is disclosed to us
    The personal information that we collect depends on your interactions with us and the Lepaya Apps, the choices you make and the products and features you use. The personal information we collect can include the following:
    (i) Personal information provided by your employer: we collect the following Personal Data in order to run the Lepaya Apps properly: first name, last name, e-mail address and (optionally) job title.
    (ii) Information provided by you (by using the Lepaya Apps): we collect your app usage and data collected from surveys. You can also (optionally) provide us with a profile picture for display in the app. When using the AI Coach module, we also process video material provided by you. This video material will only be used internally for the functioning of the relevant module.
    (iii) Credentials: we collect passwords, password hints, and similar security information used for authentication. 

    6.2 Information automatically collected
    We automatically collect certain information when you visit, use or navigate the Lepaya Apps. This information may include device and usage information, such as your IP address, browser and/or device characteristics, operating system, language preferences, and referring URLs. This information is needed to maintain the security and operation of the Lepaya Apps, since this information gives us a better understanding of the usage of the Lepaya Apps in various different aspects and we need to consider all relevant aspects in the case that we need to release a new feature or deprecate an old version of the app. Furthermore, it is important that we are aware of any impact that new features might cause to users if they are not using the latest devices. 

    6.3 Information collected through our Lepaya Apps
    If you use our Lepaya Apps, we may also collect the following information:
    (i) Mobile Device Access (optional): we may request access or permission to certain features from your mobile device, including your mobile device’s camera and other features.
    (ii) Mobile Device Data: we may automatically collect device information (such as your mobile device ID, model and manufacturer), operating system, and version information. We collect this information to maintain the security and operation of the Lepaya Apps. More information on this can be found in clause 6.2.
    (iii) Push Notifications: we may request to send you push notifications regarding your account or the Lepaya Apps. If you wish to opt-out from receiving these notifications, you may turn them off in your device’s settings. 

    6.4 Third party providers and subcontractors
    We may share your Personal Data within the Lepaya Group and with third parties in accordance with the GDPR. The Lepaya Group is based in the following countries: The Netherlands, Germany, Sweden, the United Kingdom (the “UK”). Your Personal Data can be safely transferred to the UK since the GDPR is virtually implemented in the UK in the Data Protection Act 2018 and the same guidelines and rules apply.

    When we share your Personal Data with a third party data processor, we will put the appropriate legal framework in place in order to cover such transfer and processing, in accordance with Articles 26, 28, 29 and 44(f) GDPR. Lepaya has engaged Amazon Web Services (“AWS”) as a subcontractor in Frankfurt, Germany. All  data is encrypted in rest and transit (including HTTPS encryption and Application Layer and Transport encryption). 

    6.5 Legal Compliance and Security
    It may be necessary for us – by law, legal process, litigation and/or requests from public and governmental authorities within or outside your country of residence – to disclose your Personal Data. We may disclose your Personal Data if we determine that disclosure is reasonably necessary following the above situations. 

  7. For which purposes will your data be used?
    We may collect and process your Personal Data for the purposes detailed below to provide you with adequate services and products. The specific purposes can be one or more of the following:
    (i) To grant access to all functions of the Lepaya App and the Lepaya App;
    (ii) To set up and manage a personal profile, from which you can use the Lepaya App;
    (iii) To send you information about the Lepaya App, Lepaya and our services (excluding marketing or promotion);
    (iv) To draw up anonymous statistical data and to make the Lepaya App safer;
    (v) To provide your information to third parties based on legal obligations;
    (vi) In order to adapt and improve the Lepaya App. 
  8. How do we protect your Personal Data?
    We process your Personal Data in a manner that ensures their appropriate security, including protection against unauthorized or unlawful processing, accidental loss, destruction or damage. We use appropriate technical or organizational measures to achieve this level of protection (Article 25(1) and 32 GDPR). 
  9. How long will we keep your Personal Data?
    Lepaya will keep your Personal Data for as long as it is necessary to fulfill the purposes outlined in this Privacy Policy, or if longer for us to comply with our legal obligations in accordance with Article 5 and 25(2) GDPR. Your Personal Data is deleted at most one year after last login or upon request. You can also delete your Personal Data yourself through the Lepaya Apps. However, no later than 1 year after your last login, we will manually trigger the same protocol ourselves. 
  10. Where is your Personal Data stored?
    We process all Personal Data only within the EU/EEA, since all data is stored with AWS in Frankfurt, Germany. Any transfer of Personal Data to a third country or to an international organization shall only take place if the conditions laid down in the GDPR are complied with. 
  11. Our Records of Data Processes
    We handle records of all processing of Personal Data in accordance with the obligations established by the GDPR, particularly in Article 30(2). In these records, we reflect all the information necessary in order to comply with the GDPR and cooperate with the supervisory authorities as required (Article 31 GDPR). 
  12. Notification of Data Breaches to the Competent Supervisory Authorities
    In case of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed, we have the mechanisms and policies in place in order to identify it and assess it promptly. We will inform the Data Controller, your employer, immediately to discuss the breach of security and we will discuss any necessary further steps. 
  13. Your rights
    Every data subject has:
    (i) the Right of Access pursuant to Art. 15 GDPR;
    (ii) the Right to Rectification pursuant to Art. 16 GDPR;
    (iii) the Right to Erasure (“right to be forgotten”) pursuant to Art. 17 GDPR;
    (iv) the Right to Restriction of Processing pursuant to Art. 18 GDPR;
    (v) the Right to Data Portability pursuant to Art. 20 GDPR; and
    (vi) the Right to Object pursuant to Art. 21 GDOR.

    With regard to the Right of Access and the Right to Erasure, the restrictions pursuant to Articles 34 and 35 GDPR apply. In addition, data subjects have the right to lodge a complaint with a data protection supervisory authority in accordance with Art. 77 GDPR. To assert these rights, you should contact the company responsible for your Personal Data. If the above rights are asserted directly against Lepaya, Lepaya shall immediately refer the data subject to the client and await the client’s instructions. 
  14. How far does Lepaya’s responsibility reach?
    This Privacy Policy solely applies to Personal Data that has been obtained via Lepaya Apps and services. The Lepaya App may contain links to other websites of third parties. We do not control the content that appears on these websites and we are not responsible for practices employed by websites linked to or from our Lepaya App. 
  15. Can this privacy statement be altered?
    This Privacy Policy can be altered. The changes are publicly made available on the Lepaya Apps and/or our website. When we make significant changes, we will also send our users a notification. If material changes are made to Article 6, you will be asked to accept our new policy before you can continue using the Lepaya App. 
  16. Thank you
    Thank you for reading this Privacy Policy. If you have any questions about our Privacy Policy you can always contact us via

LTD GROUP B.V. and subsidiaries, 25 May 2023