CCPA Notice

Last Updated: December 28, 2022

This notice supplements the LiveKit Privacy Policy as well as any other agreement Customer has with LiveKit, such as the LiveKit Terms of Service, or other agreement for the use of the Services. Any terms used in this notice that aren't defined here will have their meanings given in those agreements.

Our Privacy Policy defines Customer Account Data, Customer Usage Data, and Customer Content. Taken together, these terms constitute Customer's personal information. Personal information is defined in the California Consumer Privacy Act, or “CCPA," and used here.

Other terms referenced here, such as "consumer," "business," “service provider,” “business purpose,” or “commercial purpose,” also have their definitions set out in the CCPA.

CCPA definitions for “sale,” or “selling,” personal information are used as well. This means LiveKit does not sell, rent, or otherwise disclose Customer's personal information in exchange for money or something else of value.

The LiveKit Privacy Policy describes “controllers” and “processors,” and discusses the purposes for which LiveKit processes personal information in Customer Account Data, Customer Usage Data, and Customer Content. For the purposes of the CCPA, in the same way LiveKit acts as a processor of Customer Content, LiveKit acts as a service provider for Customer Content. For Customer Account Data and Customer Usage Data, LiveKit acts as a business, which means LiveKit may use this data for its own business purposes. Regardless of whether LiveKit is acting as a business or a service provider, LiveKit processes, retains, uses, and discloses personal information only as necessary to provide the Services.. LiveKit will not:

• sell Customer's personal information or Customer's end users' personal information;
• process Customer's personal information for any commercial purpose other than providing the Services; or
• retain, use, or disclose your personal information outside of the scope of the Agreement.

LiveKit is not receiving any of Customer's personal information or Customer's end users' personal information as consideration for providing the Services.

We understand our obligations under the CCPA and will comply with them. Customer is alsoresponsible for ensuring that Customer has complied, and Customer will continue to comply, with the requirements of the CCPA in Customer's use of the Services and Customer's own processing of personal information.

LiveKit will ensure that any person we authorize to process Customer Content has agreed to protect personal information consistent with our confidentiality obligations under the Agreement.

LiveKit uses third party service providers to fulfill its obligations under the Agreement and for its own business purposes. When LiveKit uses service providers, it has entered into a written contract that includes terms substantially similar to this notice. LiveKit conducts appropriate due diligence on itsservice providers and LiveKit will remain liable for any breach of this notice that is caused by an act, error, or omission of its service providers.

As part of the Services, LiveKit provides Customer with self-service features at no additional cost, including the ability to delete, retrieve, or restrict access to Customer Content, which Customer may use in complying with its obligations under the CCPA with respect to responding to requests from consumers. If Customer needs more assistance than that, contact our Customer Support team know. LiveKit will provide reasonable additional and timely assistance to assist Customer in complying with Customer's obligations with respect to consumer access and deletion requests under the CCPA. If additional assistance requires going above and beyond what Support can provide, further assistance may be at Customer's expense.

In the event that LiveKit receives any request, complaint, or other communication from a verifiable consumer, regulatory authority, or third party in connection with its processing of Customer Content, we will promptly inform Customer and provide details, to the extent legally permitted. Unless legally obligated to do so, LiveKit will not respond to any such request, inquiry or complaint without Customer's prior consent except to confirm that the request relates to Customer.

If LiveKit's agreement with Customer terminates, LiveKit will give Customer thirty days after the termination effective date to obtain a copy of Customer Content via the Services. LiveKit will automatically delete any stored Customer Content thirty days after the termination effective date, and automatically delete any stored Customer Content on its back-up systems sixty days after the termination effective date. During that time, if any Customer Content is archived on LiveKit's back-up systems, LiveKit will securely isolate that data and protect it from any further processing, except as otherwise required by applicable law.

Upon termination of LiveKit's agreement with Customer, LiveKit may retain Customer Content in storage for the periods described in this section, provided that LiveKit will ensure that Customer Content is processed only as necessary for the purpose specified in this notice and no other purpose. Also, at all times, LiveKit ensures that it will protect Customer Content as it has promised to, and as the law requires it to.

If LiveKit is required by law to retain any portion of Customer Content, it may do so, regardless of the requirements of this section. If LiveKit must do so, it will ensure it maintains the same security protections on Customer Content.

LiveKit will implement and maintain reasonable security procedures and practices to protect Customer Content from a security breach. You may read more about those in our Security Overview.

As part of the services, Customer may elect to use certain features and functionalities of the Services that impact the security of the data processed, such as, but not limited to, end-to-end encryption or egress. Customer is responsible for reviewing the information LiveKit makes available regarding its data security, including LiveKit's audit reports, and making an independent determination as to whether the Services meet Customer's requirements and legal obligations. Customer is also responsible for properly configuring the Services and using available features and functionalities to maintain appropriate security in light of the nature of the data Customer is processing.

In the event that LiveKit becomes aware of a security breach that involves Customer Content, it will, to the extent permitted by law, notify Customer without undue delay via email address(es) designated by Customer in Customer's account. LiveKit will make reasonable efforts to identify and, to the extent any security incident is caused by its violation of the requirements of this notice, remediate the cause of the security incident. LiveKit will provide reasonable assistance to Customer in the event that Customer is required by law to notify a regulatory authority or any individuals of a security incident.

LiveKit may modify this notice where required, such as due to a material change in its business practices with respect to Customer's personal information or due to a material change in the CCPA. If this happens, LiveKit will notify Customer before such modifications take effect.