GDPR & Data Protection

What GDPR means in practice when you use livestep.

What does GDPR mean in practical terms when you use livestep? Clear roles, transparent processing, and documented decisions. Everything your compliance team needs on one page.

Book a call Secure early access

Roles

In commissioned data processing, there are two clearly separated roles: as controller, you decide purpose and scope of processing. livestep provides the platform and supports technical and organizational execution.

Your company

Lawfulness and legitimacy of processing (purpose limitation)
Fulfilment of data subject rights (access, deletion, rectification, ...)
Informing data subjects and collecting consent where required
Instructions to the processor and verification of compliance

livestep

Provision and security of the platform (availability, access control, segregation)
Implementation of agreed technical and organizational measures (TOMs)
Support with platform-related inquiries where applicable
Documentation and updates of the Data Processing Agreement (DPA)

01
Data Processing

Your DPA - directly in the platform. One click.

The Data Processing Agreement under Art. 28 GDPR defines how we process data on your behalf as processor. You can access the current version in your account at any time.

Fast availability - no postal exchange, no manual chasing
Version traceability for your compliance team
Aligned with your actual platform usage

02
Record of Processing Activities

What should be entered in your RoPA?

For livestep usage, a RoPA entry for market and competitor analysis plus target-group and persona development is typically appropriate if you use these functions. Adapt wording and detail level to your company and data categories.

Document purposes of processing and categories of data subjects
Add retention periods and deletion concepts based on your internal processes
Reference your DPA with livestep and any additional processors

03
Data Subject Rights

Data subject requests - how livestep supports you

Data subjects assert their rights towards you as controller. Where a request concerns data stored on our platform, we support you in providing structured information or implementing deletions technically, within contractual scope and your instructions.

Access: overview of which data about a person exists in the platform
Deletion: support with technical deletion where no legal retention applies
Rectification / Restriction: updates based on your binding instruction
Data portability: provide exports where technically and contractually supported

04
Legal Bases

Which legal basis applies to your processing?

The legal basis depends on your specific use case - not on technology alone. The most common cases under Art. 6(1) GDPR are:

Consent (lit. a): e.g. newsletters, certain tracking scenarios, or voluntary contact requests
Contract / pre-contractual measures (lit. b): when processing is required to fulfil a contract with the data subject
Legitimate interest (lit. f): e.g. B2B market analysis and non-sensitive insights after balancing interests and rights

What happens to my data after cancellation?

After account cancellation, your data is deleted completely and irrevocably within 30 days. You receive confirmation in advance.

Do you use subprocessors?

Yes. livestep uses subservice providers, especially AWS for hosting and infrastructure and AI providers for model processing - all within the EU. A current list of subprocessors is documented in the DPA.

Is a Data Protection Impact Assessment (DPIA) required?

A DPIA is usually required when highly sensitive data is processed or systematic profiling occurs. For typical livestep use - market analysis and anonymized target-group development - a DPIA is usually not required. We recommend an individual review by your data protection officer.

Still open questions about GDPR compliance?

We help you classify your setup correctly - personal, practical, and without pressure.