Your privacy matters to us. This Privacy Policy explains how Perseus Enterprises Inc. ("Lookio," "we," "us," or "our") collects, uses, discloses, and protects personal information when you use the Lookio HR platform. We are committed to complying with the Personal Information Protection and Electronic Documents Act (PIPEDA), the General Data Protection Regulation (GDPR), and other applicable privacy legislation.
Section 1
Information We Collect
We collect information in the following categories:
Account Information: When you create an account, we collect your name, email address, company name, job title, and password credentials. If you sign in through Microsoft Entra ID (SSO), we receive your identity claims from your organization's identity provider.
Employee Data (Processed on Behalf of Customer): As a data processor, we store employee data that your organization enters into Lookio, including names, contact information, employment details, compensation history, time-off records, performance reviews, emergency contacts, and custom fields. This data is owned by your organization (the data controller).
Billing Information: Payment details (credit card numbers, billing addresses) are collected and processed directly by our payment processor, Stripe. We store only the last four digits of your card, card brand, and billing history.
Usage Data: We automatically collect information about how you interact with the Service, including IP addresses, browser type, pages visited, features used, timestamps, and API call metadata.
Cookies and Similar Technologies: We use cookies as described in Section 8 of this policy.
Section 2
How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain the Lookio HR platform
- Authenticate users and enforce access controls
- Process billing transactions and generate invoices
- Synchronize employee data with integrated third-party systems (e.g., Microsoft Dynamics 365 Business Central) at your direction
- Provision and deprovision identity accounts (e.g., Microsoft Entra ID) at your direction
- Send transactional emails (OTP codes, onboarding invitations, password resets, billing receipts)
- Send product updates and service announcements (with opt-out)
- Monitor system performance, detect security threats, and prevent abuse
- Generate anonymized, aggregated analytics to improve the Service
- Comply with legal obligations and respond to lawful requests
Section 3
Legal Basis for Processing (GDPR)
For individuals in the European Economic Area (EEA) and United Kingdom, we process personal data under the following legal bases:
- Contract Performance: Processing necessary to provide the Service you subscribed to
- Legitimate Interests: System security, fraud prevention, service improvement, and aggregated analytics
- Legal Obligation: Compliance with applicable laws, tax requirements, and lawful government requests
- Consent: Marketing communications and optional analytics cookies (you may withdraw consent at any time)
For employee data processed on behalf of your organization, your organization is the data controller and Lookio acts as a data processor under a Data Processing Agreement (DPA).
Section 4
Data Sharing and Disclosure
We do not sell, rent, or trade personal information. We share data only in the following circumstances:
- Service Providers: We use third-party processors to operate the Service, including Microsoft Azure (hosting, database, storage), Stripe (payments), and Azure Communication Services (email delivery). These providers are contractually bound to process data only on our instructions.
- At Customer Direction: We sync data with third-party systems (e.g., Business Central, Entra ID) only when explicitly configured and initiated by the Customer.
- Legal Requirements: We may disclose information if required by law, subpoena, court order, or government request, or if we believe disclosure is necessary to protect rights, safety, or property.
- Business Transfers: In the event of a merger, acquisition, or asset sale, personal data may be transferred to the successor entity, subject to the same privacy commitments.
Section 5
Data Security
We implement enterprise-grade security measures to protect your data:
- Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher
- Encryption at Rest: All data stored in our databases and file storage is encrypted using AES-256 via Azure Transparent Data Encryption
- Tenant Isolation: Each customer's data is logically isolated using row-level security with automatic query filters
- Access Controls: Role-based access control (RBAC) with 38 granular permission codes, SSO, and OTP multi-factor authentication
- Audit Logging: All data access and administrative actions are logged for SOC 2 compliance
- Web Application Firewall: Azure Front Door WAF with OWASP protection, bot detection, and rate limiting
- Secret Management: All credentials and keys stored in Azure Key Vault with managed identity access
For more details, see our Security & Compliance page.
Section 6
Data Retention
We retain personal data only for as long as necessary to fulfill the purposes described in this policy:
- Active Accounts: Data is retained for the duration of the Customer's subscription
- Post-Termination: Customer data is retained for 30 days after account termination to allow for export, after which it is permanently deleted
- Billing Records: Transaction and invoice records are retained for 7 years to comply with tax and financial reporting obligations
- Audit Logs: Security and access logs are retained for 2 years for SOC 2 compliance
- Backups: Encrypted backups are retained for 30 days and automatically purged
Customers may request early deletion of their data by contacting us at privacy@lookio.com.
Section 7
Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate or incomplete data
- Deletion: Request deletion of your personal data ("right to be forgotten")
- Portability: Request your data in a structured, machine-readable format
- Restriction: Request that we restrict processing of your data in certain circumstances
- Objection: Object to processing based on legitimate interests or for direct marketing
- Withdraw Consent: Withdraw consent at any time where processing is based on consent
For employee data, requests should be directed to your employer (the data controller), who may then instruct us to fulfill the request. Account administrators can export and delete employee data directly within Lookio.
To exercise your rights, contact us at privacy@lookio.com. We will respond within 30 days (or sooner where required by law).
Section 8
Cookies and Tracking Technologies
Our marketing website (lookio.com) uses cookies as follows:
- Required Cookies: Essential for website functionality (always active). Includes session management and cookie consent preferences.
- Functional Cookies: Remember your preferences such as language selection. Can be disabled via our cookie banner.
- Analytics Cookies: Help us understand how visitors use our website to improve the experience. Can be disabled via our cookie banner.
The Lookio application (app.lookio.com) uses only strictly necessary cookies for authentication session management. No tracking or analytics cookies are used within the application.
You can manage your cookie preferences at any time using the cookie banner on our website, or by adjusting your browser settings.
Section 9
International Data Transfers
Lookio is hosted on Microsoft Azure in Canada (Canada Central region). If you access the Service from outside Canada, your data will be transferred to and processed in Canada.
For transfers from the EEA/UK, we rely on adequacy decisions (Canada is recognized by the European Commission as providing adequate data protection) and, where applicable, Standard Contractual Clauses (SCCs).
Our sub-processors (Microsoft Azure, Stripe) maintain their own data transfer mechanisms and certifications for international data flows.
Section 10
Children's Privacy
Lookio is a business-to-business HR platform and is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 16, we will promptly delete it.
Section 11
Third-Party Links
Our website and Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing personal information.
Section 12
Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will provide at least thirty (30) days' advance notice of material changes by posting the revised policy on our website and, where practical, notifying affected users by email. The "Effective Date" at the top of this page indicates when the current version took effect.
Continued use of the Service after the effective date of any change constitutes your acceptance of the revised policy.
Section 13
Contact Information
If you have questions about this Privacy Policy, wish to exercise your data rights, or need to report a privacy concern, please contact:
If you are not satisfied with our response, you have the right to lodge a complaint with the Office of the Privacy Commissioner of Canada (OPC) or your local data protection authority.