Privacy Policy
Last updated: 22 March 2026 · Effective: 22 March 2026
1. Introduction
Liceo ("we", "our", "us") is committed to protecting the privacy of the organisations and individuals who use our SaaS licence management platform. This Privacy Policy explains what data we collect, how we use it, how we protect it, and your rights in relation to it.
By accessing or using Liceo (available at liceo.io and its subdomains), you agree to the practices described in this policy. If you do not agree, please discontinue use of the platform.
2. Who We Are
Liceo is operated as a software-as-a-service platform designed to help organisations manage software licences, track usage, and control SaaS spend. Our registered contact email is privacy@liceo.io.
3. Data We Collect
3.1 Account & Organisation Data
- Organisation name, industry, and type
- Administrator name and work email address
- Hashed password (we never store passwords in plain text)
- Account creation date and activity timestamps
3.2 User Directory Data (via Integrations)
When you connect Liceo to Microsoft Entra ID or Google Workspace, we read and store:
- Employee names and work email addresses
- Department and job title (where available)
- Account status (active/suspended)
- Last login timestamps (used for usage analytics)
We request only read-only scopes and do not store identity provider passwords or authentication credentials.
3.3 Licence & Contract Data
- Vendor names, application names, licence types, seat counts
- Contract terms, renewal dates, pricing information
- Licence assignments (which user holds which seat)
- Usage records and activity data
3.4 Usage & Technical Data
- Browser type and version, operating system
- IP address (used for rate limiting and security, not profiling)
- Pages visited within Liceo and session duration
- Error logs and performance metrics
4. How We Use Your Data
- To deliver the service: Displaying your licence inventory, generating usage reports, sending renewal alerts, and processing software requests.
- To send transactional communications: Renewal reminders, approval notifications, invite emails, and password resets. We do not send unsolicited marketing emails.
- To maintain security: Rate limiting, fraud detection, and audit logging of all user actions.
- To improve the platform: Aggregated, anonymised usage patterns help us understand which features deliver the most value.
- To comply with legal obligations: Where required by applicable law.
We do not sell your data. We do not use your data for advertising. We do not share your data with third parties except as necessary to operate the service (see Section 6).
5. Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA) and United Kingdom, we process personal data on the following legal bases:
- Contract performance: Processing necessary to deliver the services described in our Subscription Agreement.
- Legitimate interests: Security monitoring, fraud prevention, and service improvement.
- Legal obligation: Where processing is required by applicable law or regulation.
- Consent: For any optional communications you explicitly opt into.
6. Third-Party Processors
We use the following sub-processors to operate Liceo. All are bound by data processing agreements consistent with this policy:
| Provider | Purpose | Location |
|---|---|---|
| Vercel | Application hosting & edge network | USA / EU |
| Neon (PostgreSQL) | Database hosting | EU / USA |
| Upstash (Redis) | Rate limiting & caching | EU / USA |
| Resend | Transactional email delivery | USA |
7. Data Retention
We retain your data for as long as your organisation account is active. When an account is cancelled:
- We provide a full data export upon request.
- Account data is deleted within 30 days of account closure.
- Audit logs may be retained for up to 12 months for legal and compliance purposes.
- Backup copies are purged within 90 days.
8. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access: Request a copy of the personal data we hold about you or your organisation.
- Rectification: Correct inaccurate or incomplete data.
- Erasure: Request deletion of your personal data (subject to legal retention requirements).
- Portability: Receive your data in a structured, machine-readable format.
- Restriction: Request that we limit how we process your data.
- Objection: Object to processing based on legitimate interests.
To exercise any of these rights, email privacy@liceo.io. We will respond within 30 days.
9. Security
We implement appropriate technical and organisational measures to protect your data, including:
- All data in transit encrypted with TLS 1.2 or higher
- All data at rest encrypted with AES-256
- OAuth tokens encrypted before storage using AES-256-GCM
- Role-based access control within the platform
- Full audit logging of all data access and mutations
- Regular security reviews and dependency updates
For more detail, please see our Security & Compliance page.
10. Cookies
Liceo uses a minimal set of cookies necessary to operate the service:
- Session cookie: Maintains your authenticated session. Expires when you close the browser or after 30 days.
- CSRF token: Protects against cross-site request forgery.
We do not use advertising cookies, third-party tracking cookies, or analytics cookies.
11. International Transfers
Our infrastructure operates across the EU and USA. For data transferred outside the EEA, we rely on Standard Contractual Clauses (SCCs) with our processors to ensure adequate protection.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify account administrators by email of material changes at least 14 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.
13. Contact
For any privacy-related questions or requests: