Lovex

Record of Processing Activities summary

GDPR Article 30 register, public summary version. Companion to /privacy, /dpa, and /dpia.

Controller of record: Lovex AB, Sweden (EU).
Last reviewed: 2026-05-17.
Privacy contact: privacy@lovex.dev.

1. What this page is

GDPR Article 30 requires controllers (and processors, under Article 30(2)) to maintain a written Record of Processing Activities. We do — internally. This page is the public summary: enough for an enterprise procurement reviewer or customer DPO to understand what we process and why, without the vendor-specific detail that lives in our internal register and on /subprocessors. The full internal register is available to enterprise customers and EU supervisory authorities under NDA at privacy@lovex.dev.

2. Data Protection Officer

We have not formally appointed a DPO. Article 37(1) thresholds — 250+ employees / large-scale systematic monitoring / special-category processing as a core activity — are not currently met. Privacy oversight rests with the CEO until those thresholds are reached, at which point a DPO is appointed and named here. This is the honest answer; we do not stage a fictional DPO role.

3. Controller activities

We are the controller for these activities — we determine the purposes and means. Article 30(1) applies.

CA-1 Account identity and authentication
Purpose: Allow individuals to sign up, sign in, and maintain a personal account.
Lawful basis: Performance of contract (Art. 6(1)(b))
Data subjects: End users
Data categories: Name, email, hashed authentication tokens, OAuth-provider identifiers, IP at sign-in, user-agent.
Retention: While account active; deleted on Article 17 request via /api/account/delete (immediate).
Transfers: None for primary data. OAuth-provider lookups transit provider region (US, DPF + SCCs).
CA-2 Account profile and preferences
Purpose: Personalize the product — display name, avatar, notifications, time zone.
Lawful basis: Performance of contract (Art. 6(1)(b))
Data subjects: End users
Data categories: Display name, avatar, notification preferences, locale, time zone.
Retention: While account active; included in account deletion.
Transfers: None.
CA-3 Billing (paid customers)
Purpose: Process payments, issue invoices, collect VAT, manage subscriptions.
Lawful basis: Performance of contract (Art. 6(1)(b)); legal obligation for accounting records (Art. 6(1)(c) — Swedish Bokföringslagen)
Data subjects: Paying customers (account holder or billing contact)
Data categories: Billing name, email, address, VAT number, country, last four digits of card, transaction history. Full card data never reaches our systems.
Retention: 7 years after end of fiscal year (Swedish bookkeeping law). This legal floor overrides GDPR deletion requests for billing data specifically.
Transfers: Payment processor: global under SCCs (PCI-DSS Level 1). Accounting: EU.
CA-4 Product analytics
Purpose: Measure feature usage, retention, funnel performance to improve the product.
Lawful basis: Consent (Art. 6(1)(a)) for cookie-based identifiers; legitimate interest (Art. 6(1)(f)) for aggregated metrics.
Data subjects: End users who have consented
Data categories: Pseudonymous event stream (page views, clicks, feature use), session ID, user-agent, country.
Retention: Event-level: 12 months. Aggregated metrics: indefinite.
Transfers: None in normal operation (EU-hosted provider).
CA-5 Transactional email
Purpose: Send sign-in links, invitations, receipts, system notifications.
Lawful basis: Performance of contract (Art. 6(1)(b))
Data subjects: End users
Data categories: Recipient email, message content, delivery status.
Retention: Provider-side delivery logs per provider policy (typically 7-30 days).
Transfers: US-region delivery under DPF + SCCs by recipient location.
CA-6 Operational telemetry and error monitoring
Purpose: Detect, diagnose, and resolve application errors and abuse.
Lawful basis: Legitimate interest (Art. 6(1)(f)) — ensuring the security and proper functioning of the Service.
Data subjects: End users (active session at error time)
Data categories: Stack trace, request URL, user account ID (not name/email), HTTP method, anonymized IP. User-submitted content redacted before transmission.
Retention: 90 days for error events; security-investigation-relevant logs may be retained longer with documented reason.
Transfers: None (EU-hosted).
CA-7 Support requests
Purpose: Respond to customer questions, bug reports, account requests, security disclosures.
Lawful basis: Performance of contract / legitimate interest depending on context.
Data subjects: End users, prospective customers, security researchers
Data categories: Email, name, content of the support thread, data the user voluntarily submits.
Retention: 2 years from last activity on the thread.
Transfers: Per CA-5.
CA-8 Outbound marketing and prospect research (Saga)
Purpose: Identify and contact prospective B2B customers; route inbound chat conversations.
Lawful basis: Legitimate interest (Art. 6(1)(f)) for cold business outreach; consent for any consumer-facing marketing.
Data subjects: Prospective B2B customers
Data categories: Name, work email, work title, company, public profile information, email engagement events.
Retention: Active prospects: while engagement continues. Suppression list (opted-out, bounced): indefinite for the purpose of NOT contacting again.
Transfers: US enrichment under DPF + SCCs.
CA-9 AI inference
Purpose: Generate AI-assisted content (chat responses, board suggestions, proposal drafts) inside the products.
Lawful basis: Performance of contract (Art. 6(1)(b))
Data subjects: End users; counterparties named in user-submitted content
Data categories: Whatever the user submits to AI features — typically workspace content, task descriptions, chat messages. May incidentally include personal data the user chose to write.
Retention: In-transit only at our infrastructure. Provider-side: per provider policy, typically up to 30 days for abuse monitoring, then deleted. No use for model training.
Transfers: US under DPF + SCCs with contractual zero-retention-for-training.
CA-10 Audit logging (Lova)
Purpose: Maintain an immutable record of administrative actions on customer tenants for security investigation and customer-requested audit.
Lawful basis: Legitimate interest (Art. 6(1)(f)); contractual commitment under DPA Annex B and Article 32.
Data subjects: End users (actors performing actions)
Data categories: Actor user ID, action, resource affected, IP, user-agent, timestamp, structured metadata.
Retention: 365 days default; configurable per Enterprise Order Form.
Transfers: None.

4. Processor activities

When customers use our products to process their own users’ personal data, we act on the customer’s documented instructions per the DPA at /dpa. The customer is the controller; we are the processor. Article 30(2) applies.

PA-1 Customer workspace content
Purpose: Host and process the customer's project boards, tasks, chats, attachments, automations.
Lawful basis: Processor — customer (controller) determines lawful basis.
Data subjects: The controller's personnel, contractors, and end users
Data categories: Whatever the controller and its end users submit. Categorically: identifiers (names, emails), workspace content (task descriptions, chat messages, comments, file uploads). Special-category data contractually forbidden unless expressly agreed.
Retention: While the customer is active + 30-day recovery window after termination, then deletion per DPA §11.
Transfers: Per /subprocessors.
PA-2 Customer-initiated AI features
Purpose: Provide AI assistance inside the customer's workspace (chat, suggestions, drafts).
Lawful basis: Processor — customer determines lawful basis.
Data subjects: The controller's personnel and end users
Data categories: Content the controller's users submit to AI features.
Retention: In-transit only at our infrastructure; provider-side per provider policy, up to 30 days for abuse monitoring.
Transfers: US under DPF + SCCs, zero-retention for model training.

5. Cross-cutting safeguards

Applied across every activity above and described in detail at /trust:

6. Retired activities

No processing activities have been retired since the initial RoPA was created on 2026-05-17. When an activity is retired, it moves to a separate section here with the date and the status of any residual data.

7. Review cadence

Internal review at least quarterly, on any material change to processing, and on any change to a sub-processor. This summary page is regenerated from the internal source on each review.

8. Contact

Article 30 inquiries, requests for the full internal register under NDA, or supervisory-authority correspondence: privacy@lovex.dev.