Skip to content

Privacy policy

Last updated: May 24, 2026. Short version: we take your data very seriously. Long version: here is exactly what we do, how and why.

📌 In 30 seconds

  • Encryption AES-256-GCM on all sensitive fields (IBAN, ID number, social security numbers, SMTP passwords).
  • European hosting (Neon Postgres eu-west-3 Paris · Cloudflare R2 EU · Vercel EU). No transfer to the United States.
  • Legal compliance: GDPR (EU) · INPDP law 2004-63 (Tunisia) · CNDP law 09-08 (Morocco) · ANPDP law 18-07 (Algeria) · CNIL (France).
  • Biometric data (GDPR Art. 9): no template leaves the time clocks. Levia only stores a reference "member X enrolled on device Y". Written consent required before any enrollment.
  • To exercise your rights (access, rectification, deletion, portability, opposition): <email/> · reply within 30 days.

1. Who are we?

Levia (“we”, “our service”) is a multi-tenant HR management SaaS published from Tunis, targeting the Maghreb (Tunisia, Algeria, Morocco, Libya) and France. The data controller within the meaning of GDPR is Levia SAS (corporate name to be confirmed at registration), registered office in Tunis, Tunisia.

GDPR contact: <email1/> · External DPO: <email2/>.

2. What data do we collect?

2.1 Data provided by the client organization

When an organization subscribes to Levia, it shares with us about its employees:

  • Identity: last name, first name, email, phone, date of birth, profile photo (optional), ID number/passport.
  • Professional profile: position, department, manager, start date, contract type.
  • Payroll: base salary, IBAN, BIC, social security number, number of dependents, allowances, deductions. IBAN, BIC and ID number are encrypted in the database via AES-256-GCM.
  • Time tracking: clock-in/clock-out timestamps, geolocation (only with employee consent), selfies (only if enabled by admin), biometric references (not templates, see §6).
  • Leave and absences: types, dates, reasons (optional), medical certificates encrypted at the application level (GDPR Art. 9 · health data).
  • Performance and training: objectives, KRs, reviews, declared skills, training enrollments.

2.2 Data provided by prospects (contact form)

If you fill out a form on our marketing site, we collect: name, business email, phone (optional), company (optional), estimated headcount, current solution, free-form message, conversion source. See §10 for lead retention.

2.3 Technical data (logs and cookies)

  • Server logs: IP address, user-agent, visited pages, timestamps · retained 90 days for attack detection and debugging.
  • Session cookies: an encrypted authentication cookie (Better-Auth) to maintain the connection. Strictly necessary · no banner required (CNIL).
  • Language cookie (levia-locale): saves your FR/AR/EN choice. Duration 1 year. Non-sensitive.
  • No third-party tracking cookies (Google Analytics, Meta Pixel, etc.) · see cookies policy.

3. Why do we process this data?

GDPR Art. 6 legal basis:

  • Contract performance (Art. 6.1.b): provide the Levia service subscribed by the organization. Most processing falls under this basis.
  • Legal obligation (Art. 6.1.c): generation of payslips, CNSS/DSN declarations, retention of employment contracts.
  • Legitimate interest (Art. 6.1.f): service security, fraud prevention (time tracking anti-fraud), anonymized product improvement.
  • Explicit consent (Art. 6.1.a + Art. 9): biometric data, health data (sick leave, medical certificates), employee geolocation.

4. Who has access to your data?

  • The employee: their own data via their space.
  • Their direct manager: data needed for management (attendance, leave, performance).
  • HR/ORG administrators of their organization: full access to the organization's HR data.
  • The Levia team: strictly limited access for support engineers, on explicit client request (access procedure via signed ticket). All accesses are audited.
  • Subprocessors: see §5.

Data is never sold, rented or shared with third parties for commercial purposes.

5. Subprocessors (GDPR Art. 28)

SubprocessorRoleLocationCompliance
Vercel Inc.Application hostingEurope (Paris)DPA · ISO 27001 · SOC 2
Neon Inc.Postgres databaseeu-west-3 (Paris)DPA · SOC 2 Type II
CloudflareFile storage (R2) + CDNEuropeDPA · ISO 27001
ResendTransactional email deliveryEuropeDPA
StripeBilling (paying customers)IrelandDPA · PCI-DSS Level 1
Anthropic (Claude)AI assistantEU (Frankfurt region)DPA · SOC 2 · no training
InngestAsync jobsEuropeDPA

All subprocessors have signed a Data Processing Agreement with Levia in accordance with Article 28 of GDPR.

6. Biometric data (GDPR Art. 9)

Levia stores no biometric template (fingerprints, faces, iris). Templates remain on the client's physical time clocks (ZKTeco, Suprema, Hikvision, etc.).

Levia only stores:

  • A reference "employee X is enrolled on device Y" to link clock-ins
  • The clock-in timestamp
  • The written consent signed by the employee (PDF in encrypted R2 storage)

Before any biometric enrollment, the client must have the employee sign an explicit consent form (automatically generated by Levia). For Tunisia, a declaration to INPDP is recommended beyond 100 enrolled employees.

7. Health data (GDPR Art. 9)

Medical certificates uploaded by employees (sick leave) are stored encrypted and accessible only to:

  • The employee
  • Their direct manager (for leave validation)
  • HR_ADMIN and ORG_ADMIN of their organization

HTTP cache: private, no-store · never cached by an intermediate proxy.

8. Your rights (GDPR Art. 15-22 + local laws)

  • Right of access: copy of your data in a structured format (CSV, JSON).
  • Right of rectification: correction of inaccurate data (accessible directly in /settings/profile).
  • privacyPage.right3
  • Right to portability: full export in CSV/JSON format within 30 days.
  • Right to object: marketing, profiling. Unsubscribe in one click.
  • Right to restriction of processing: possible in case of dispute.

To exercise these rights: <email/>. Reply within 30 days as per Art. 12 GDPR.

You may lodge a complaint with:

  • 🇹🇳 INPDP (Tunisia): inpdp.nat.tn
  • 🇫🇷 CNIL (France): cnil.fr
  • 🇲🇦 CNDP (Morocco): cndp.ma
  • 🇩🇿 ANPDP (Algeria): authority being structured (law 18-07 of June 10, 2018)

9. Security

  • Encryption at-rest: encrypted disks (Neon, R2). Sensitive fields additionally encrypted at the application level via AES-256-GCM.
  • Encryption in-transit: TLS 1.2+ required on all routes. HSTS enabled.
  • MFA: required for HR_ADMIN, PAYROLL_ADMIN, ORG_ADMIN, Platform Owner roles. TOTP via Google Authenticator/Microsoft Authenticator.
  • Audit log: every sensitive action (payroll validation, IBAN modification, biometric access) is logged with automatic masking of encrypted data in payloads.
  • Penetration testing: annual (starting 2026, by external firm).
  • Secret rotation: application encryption keys rotated annually with data migration.
  • Backups: daily, retained 30 days. Restorable within 4 hours.

10. Retention periods

Data typeDurationReason
Active user accountAs long as the client is subscribedContract performance
Deleted user account90 days then purgeRecovery possibility
Payslips5 yearsTN/FR legal obligations
Employment contracts5 years after contract endLabor code
Audit log3 yearsGDPR + security compliance
Backups30 days rollingIncident recovery
Server logs90 daysIntrusion detection
Marketing leads (form)3 years after last contactSales follow-up
Biometric data (references)As long as employee is active + 30 daysHistorical anti-fraud

11. International transfers

All our subprocessors host data in Europe (Paris, Frankfurt, Dublin). No transfer to the United States or China is performed as part of the Levia service.

Exception: if you are based outside Europe and use the AI assistant, requests to Anthropic Claude transit through Anthropic's EU infrastructure (Frankfurt region). Anthropic does not reuse client data to train its models (contractual clause).

12. Minors

Levia is not intended for minors under 16. If an employed minor is registered (apprentice for example), parental consent is required for biometric enrollment in accordance with Art. 8 GDPR.

13. Modifications to this policy

We may modify this policy. In case of substantial change, we notify client organizations by email 30 days in advance. The current version is always dated at the top of this page.

14. Contact

Levia SAS · Tunis, Tunisia
Email: <email1/> · DPO: <email2/>
Reply within 30 days.

Note: this policy is an evolving legal document. For client organizations, a specific DPA addendum may be signed on request at legal@leviahr.com. For individuals, you may exercise your rights at any time.

Made in Tunisia
Green Vitest test suite
AES-256-GCM
9 sector agreements
6 payroll countries
75 AI tools
GDPR · INPDP · CNDP · CNIL
MFA step-up mandatory
Ramadan auto-adjust
100% isolated multi-tenant
Made in Tunisia
Green Vitest test suite
AES-256-GCM
9 sector agreements
6 payroll countries
75 AI tools
GDPR · INPDP · CNDP · CNIL
MFA step-up mandatory
Ramadan auto-adjust
100% isolated multi-tenant
Next.js 15.5
Postgres 16 · Neon
Prisma 6.19
Anthropic Claude
Better-Auth 1.6
Vercel Edge · Cloudflare R2
Stripe · Inngest
TypeScript strict
@react-pdf/renderer
Vitest · Playwright
Next.js 15.5
Postgres 16 · Neon
Prisma 6.19
Anthropic Claude
Better-Auth 1.6
Vercel Edge · Cloudflare R2
Stripe · Inngest
TypeScript strict
@react-pdf/renderer
Vitest · Playwright
Privacy Policy · Levia · Levia