Policies pertaining to acceptable uses of LiveKit's cloud-managed service.
Last Updated: 01/16/2023
Visit our website at https://livekit.io, or any website of ours that links to this Policy
Engage with us in other related ways ― including any sales, marketing, or events
Questions or concerns? Reading this Policy will help you understand your privacy rights and choices. If you do not agree with our policies and practices, please do not use our Services. If you still have any questions or concerns, please contact us at [email protected].
If there are any capitalized terms in this Policy that are not defined, then those terms will have the meaning defined in your agreement with us.
How LiveKit Processes Your Personal Information
“Personal information” or “personal data” includes a broad range of information. Data protection laws around the world define this concept in different ways, but in general, we interpret it to mean any information that relates to an identifiable, living individual person.
Some data protection laws and privacy laws in certain jurisdictions differentiate between “controllers” and “processors” of personal information. A controller decides why and how to process personal information. A processor does not make decisions about personal information; it only processes personal information on behalf of a controller based on the controller's instructions.
If you are a customer of LiveKit, we process your personal information in different ways when you use our Services:
We process your personal information as a customer of LiveKit's Services — information that we refer to as Customer Account Data (e.g., your contact information) — when you visit LiveKit's public-facing website like https://livekit.io; reach out to our Sales or Support teams; or sign up for a LiveKit Cloud account at https://cloud.livekit.io and use our Services.
We process the personal information of your end users who use or interact with your application that you've built on LiveKit's platform, like the people you communicate with by way of that application. This includes information we use to route audio and video calls and metadata about media streams — we refer to this information as “Customer Usage Data” — and it also includes the contents of communications, which we refer to as your “Customer Content”. You can see a more detailed definition of Customer Content in our Data Processing Addendum, which is part of our agreement with you.
LiveKit processes these categories of personal information differently because the direct relationship we have with you, our customer, is different from the indirect relationship we have with your end users.
When LiveKit processes your Customer Account Data and your Customer Usage Data, LiveKit is acting as a controller. When LiveKit processes your Customer Content, we are acting as a processor.
If you are a visitor to our website (by which we mean any website that links back to this Policy in its footer, such as to livekit.io), we collect a minimal amount of data about you (depending on how much you've chosen to share with us). This might be as little as an IP address or a cookie, and it might be your contact information. We also consider this Customer Account Data.
Data about our customers
In short, LiveKit requires the minimal amount of data necessary to provide Services to you, and the amount or type of data we collect depends on the product or service you choose or how you use it. If you choose to share additional information with us so that we can better customize your account and our Services, we'll process that with the same care and respect. We do not sell your personal information and we do not share your information with third parties for those third parties' own business interests. This Policy describes the data we collect from our customers at a high level, but you can always learn more by reading our API docs.
We use the information we collect and share it with our service providers primarily to provide the Services you've requested from us, and as needed for our operational purposes (e.g., to do the things we need to do to function as a business, such as to collect payment). In addition, we may use data about our customers to detect, prevent, or investigate security incidents, fraud, or abuse and misuse of our platform and Services.
Data we process during account creation and account usage
When you sign up for an account with us, we ask for certain information like your contact details and billing information to facilitate payment and communication. We also collect some information automatically, like your IP address, when you log in to your account or when your software application built on LiveKit makes requests to our APIs. We use this to understand who is using our Services and how, and to detect, prevent and investigate fraud, abuse, or security incidents.
Information You Share Directly:
Name and contact information. When you sign up for a LiveKit Cloud account with us, you authenticate using your Google or GitHub account. In doing so, we receive certain profile information about you from your selected authentication provider. The profile information we receive may vary depending on the authentication provider concerned, but will often include your email address and name. We collect this information so we know who you are — this helps us communicate with you about your account(s), recognize you when you communicate with us through the account portal ("cloud dashboard") or otherwise, bill you correctly, and provide other Services.
Personalization details. When you create a LiveKit Cloud project, we may ask you to complete an optional survey by providing details about yourself, your company (if applicable), your intended use of the product, and your reasons for choosing LiveKit. We may use this information for the purpose of determining eligibility for these products, improving our internal processes and Services or to train our team members.
Information We Generate or Collect Automatically:
Subdomains and API Keys. When you create a project with LiveKit Cloud, we'll automatically assign your project a unique subdomain and generate an API keypair for it. These are used like a username and password to make API requests. Instead of using these API tokens, you can provision API keys and use your API keys for authentication when making requests to our APIs. We keep a record of these credentials so we know it is you making the requests when your application makes requests to our API using these credentials.
Device information and IP addresses. When you use our cloud dashboard, we collect your IP address and other data through tracking technologies like cookies, web beacons, and similar technologies. We also collect IP addresses when you make requests to our APIs and in our server logs. We use this information to understand how customers are using our platform, who those customers are (if they are a company and the IP address is associated with that company), what country they are logging in from (for analytics and export control purposes), and to help improve the navigation experience. You can learn more about cookies in the section titled “Cookies and Tracking Technologies” below.
When you use our cloud dashboard, we also collect information about your device, such as your computer or mobile device operating system type and version number, manufacturer and model, browser type, screen resolution and general location information such as city or town. We do not collect precise geographical information.
Data we process from our website and interactions
When you visit our website we collect information automatically using tracking technologies, like cookies, and through web forms where you type in your information. We collect this information to provide you with what you request through the web form, to learn more about who is interested in our Services, and to improve navigation experience on our pages. You can learn more about cookies in the section titled "Cookies and Tracking Technologies" below.
Information You Share Directly:
On certain parts of our public-facing websites, you can fill out forms to request contact from our Sales team, sign up for newsletters, or participate in surveys. The personal information requested on these forms will vary depending on the purpose of the form. We will ask for information that is necessary to fulfill your request, such as your email address if you want to receive a newsletter or your phone number if you want to be contacted by a member of our Sales team. We may also ask for additional information to better understand our customers, such as your use case for LiveKit, your company name, or your job title. If you opt in to receive ongoing marketing communications from LiveKit, such as a newsletter, you can always choose to unsubscribe through a preferences page or by contacting our Customer Support team. This option will be included in any marketing emails you receive from LiveKit.
Our Sales and Customer Support teams keep a record of all communication with customers, including contact information and any other details shared during the conversation. This information is used to help us improve our Services, provide training to our team members, and manage our ongoing relationships with customers. It is important to be mindful of what information you share with these teams, as we store a record of these communications. To protect your privacy, it is best to avoid sharing sensitive personal information unless it is necessary for the teams to assist you. We will take appropriate measures to protect any sensitive information that is shared with us.
Information We Collect Automatically:
We use your email address to send you information about other LiveKit Services or events in which we think you may be interested. You can opt out of receiving marketing communications from us at any time through your marketing preferences page by clicking the “unsubscribe” link at the bottom of any marketing email you receive from LiveKit. You can also contact our Customer Support team to communicate your choice to opt out. Please note that it may take up to three days to remove your contact information from our marketing communications lists, so you may receive correspondence from us for a short time after you make your request. You will not be able to opt out of service emails from us, such as password reset emails, billing emails, or notifications of updates to our terms, unless you delete your account.
We may also use publicly-available information about you that we have gathered through services like LinkedIn, or we may obtain information about you or your company from third-party providers. We use this information to help us understand our customer base better, such as your industry, the size of your company, and your company's website URL. We also use this information to reach out to potential candidates for roles at LiveKit.
How Long We Store Your Customer Account Data
LiveKit will store your Customer Account Data as long as needed to provide you with our Services and to operate our business. If you ask LiveKit to delete specific personal information from your Customer Account Data (see 'Choices About Your Customer Account Data' below), we will honor this request unless deleting that information prevents us from carrying out necessary business functions, such as billing for our Services, calculating taxes, or conducting required audits.
More specifically, within 30 days following closure of your account, we will either delete other Customer Account Data or transform it such that it can no longer be used to identify you, with the following exceptions, depending on and in accordance with applicable law:
Customer Account Data is stored for up to 30 days following closure of your account. However, we may retain invoice records, including their digital equivalent, for longer periods for accounting, tax, and audit purposes.
We may retain your communications with LiveKit's Customer Support team for up to one year after your account is closed.
We may need to retain data due to special circumstances (such as due to an open investigation, audit, or other legal matter).
Data about our customers' end users
What Customer Usage Data and Customer Content LiveKit Processes and Why
We use Customer Usage Data and Customer Content to provide Services to you and to carry out necessary functions of our business as a communications service provider. We do not sell your end users' personal information and we do not share your end users' information with third parties for those third parties' own business interests.
End user personal information LiveKit processes when you, our customer, use our Services generally consists of audio, video, text message, and IP address information. The specific information and other end user personal information LiveKit processes and the reasons LiveKit processes it, depends on how you use our Services and which LiveKit Services you use. For that reason, our API docs are the best place to find information about our processing of personal information when you use that LiveKit product and service.
For LiveKit's customers, our Data Processing Addendum describes more about how we process Customer Content in accordance with your instructions. That Data Processing Addendum is a part of your agreement with us by default.
How Long We Store Customer Usage Data and Customer Content
Details regarding how long your end user personal information may be stored on LiveKit systems will depend on which LiveKit Services you are using and how you are using them. For that reason, our API docs are the best place to find more detailed information about managing end user data collected and stored in connection with your use of our Services.
As a LiveKit customer, if the LiveKit product or service you use enables you to store records of your usage on LiveKit, including personal information contained within those records, and you choose to do so, then LiveKit will retain these records for as long as you instruct, up until termination of your account. Please note that it may take up to 30 days for the data to be completely removed from all systems.
How LiveKit shares personal information
We do not sell your personal information or the personal information of your end users. We also do not allow any personal information to be used by third parties for their own marketing purposes. However, we do need to share personal data in order to provide our Services to you, such as to route a call you send through us or to store data you ask us to store. Below are the different scenarios under which we may share your data with third parties:
|Third-party service providers or consultants.||LiveKit engages certain third-party vendors and service providers to carry out certain data processing functions on our behalf. These providers are limited to only accessing or using this data to provide services to us and must provide reasonable assurances they will appropriately safeguard the data.|
|Sub-processors.||A sub-processor is a vendor that is permitted to process data for which we are a processor — in other words, Customer Content. We share Customer Content with sub-processors who assist in providing the LiveKit Services, like our infrastructure provider, or as necessary to provide optional functionality like transcriptions. An up-to-date list of LiveKit sub-processors is located.|
|Plug-in partners.||“Plug-ins” are additional features, functionality or services offered by LiveKit's Plug-in partners (who are third parties not affiliated with LiveKit). LiveKit may make Plug-ins available through the LiveKit Cloud Marketplace, where applicable. Some Plug-ins may need to access or collect some of your information, including personal information. If you choose to use a Plug-in, LiveKit may share your information with the Plug-in partner so you can use the Plug-in. LiveKit does not control Plug-in partners' use of your information and their use of your information will be in accordance with their own policies. If you do not want your information to be shared with a Plug-in partner, then you should not use the Plug-in.|
|Compliance with Legal Obligations.||We may disclose your or your end users' personal information to a third party if (i) we reasonably believe that disclosure is compelled by applicable law, regulation, legal process, or a government request (including to meet national security, emergency services, or law enforcement requirements), (ii) to enforce our agreements and policies, (iii) to protect the security or integrity of our Services, (iv) to protect ourselves, our other customers, or the public from harm or illegal activities, or (v) to respond to an emergency which we believe in good faith requires us to disclose data to assist in preventing a death or serious bodily injury. If LiveKit is required by law to disclose any personal information of you or your end user, we will notify you of the disclosure requirement, unless we are prohibited by law. Further, we object to requests we do not believe were issued properly.|
|Business transfers.||If we go through a corporate sale, merger, reorganization, dissolution or similar event, data we gather from you may be part of the assets transferred or shared in connection with the due diligence for any such transaction. In that situation, and that situation only, we might transfer your data in a way that constitutes a sale under applicable law. If we do, we'll let you know ahead of time, and we will require any acquirer or successor of LiveKit to continue to process data consistent with this Policy.|
|Aggregated or de-identified data.||We might also share data about our customers with third parties if the data has been de-identified or aggregated in a way so it cannot be used to identify you or your end users.|
How to make choices about your data
Choices About Your Customer Account Data
Accessing and Controlling Account Data. As part of the Services we provide to our customers, we provide you with a number of self-service features at no additional cost within the cloud dashboard itself, including the ability to access your data, update any incorrect data, restrict the use of your data, or delete your data. You can make various choices about your Customer Account Data through the cloud dashboard when you log into your LiveKit account. Any other requests about your data you cannot make through these self-service tools, you can request by contacting Customer Support.
Closing Your Account and Deletion. To request closure or deletion of your LiveKit account, you can use our self-service tool available in the cloud dashboard or contact Customer Support. Please be aware that closure or deletion of your LiveKit account will result in you permanently losing access to your account and the data in the account. After closure of your account, certain information associated with your account may remain on LiveKit's servers in an aggregated form that does not identify you or your end users. Similarly, after you close your account, we will retain data — including personal information — associated with your account that we are required to maintain for legal purposes or for necessary business operations (see "How Long We Store Your Customer Account Data" section above) until it's no longer needed.
Other Choices About Your Customer Account Data. In addition, you can express other choices about your Customer Account Data (e.g., accessing it, deleting it, restricting its use, or exporting it) by contacting Customer Support.
Choices About Your End Users' Data
Your ability to make choices about end user data, namely Customer Usage Data and Customer Content, depends on the LiveKit product or service you use and how you use the product or service. For that reason, our API docs are the best place to find more detailed information about managing end user data collected and stored in connection with your use of our Services.
In some cases, we may retain a copy of your usage records, including the personal information contained in them, to carry out necessary functions like billing, invoice reconciliation, troubleshooting, along with detecting, preventing, and investigating spam, fraudulent activity, and network exploits and abuse. Sometimes legal matters arise that also require us to preserve records, including those containing personal information. These matters include litigation, law enforcement requests, or government investigations. If we have to do this, we will delete the impacted records when we are no longer legally obligated to retain them. We may, however, retain or use records after they have been anonymized, if the law allows.
Cookies and Tracking Technologies
LiveKit may use common information-gathering tools such as cookies, web beacons, pixels and other similar tracking technologies to automatically collect information as you navigate our websites, your account or when you interact with emails we send to you.
A cookie is a small piece of data stored on your device when you visit a website. Cookies allow LiveKit to identify your device as you navigate our websites or your account. This makes navigating and interacting with our websites or your account more efficient, easy and meaningful for you.
By themselves, cookies do not identify you specifically. Rather, they recognize your web browser. So, unless you identify yourself specifically to LiveKit, like signing into your account, we don't know who you are just because you visited our website. LiveKit uses both session and persistent cookies. Session cookies are cookies that disappear from your computer or browser when you turn off your computer. Persistent cookies stay on your computer even after you've turned it off. These cookies enable core functionality such as security, network management, and accessibility and are necessary for LiveKit's websites to function properly.
LiveKit also uses web beacons to gather data about your use of our websites, your account, and how you interact with emails we have sent to you. Web beacons are clear electronic images that can recognize certain types of data on your computer, like when you view a particular website tied to the web beacon, and a description of a website tied to the web beacon. Additionally, we may put web beacons in marketing emails that notify us when you click on a link in the email that directs you to a LiveKit website. We use web beacons to operate and improve our websites and email communications to you.
Global Privacy Compliance at LiveKit
LiveKit is a global company with customers and employees all around the world. As such, our approach to privacy compliance is a global one. No matter where you are located, whether in the United States, the European Economic Area (EEA), the United Kingdom (UK), Latin America, or the Asia-Pacific region, we remain committed to abiding by all applicable data protection laws.
Regions Requiring a Legal Basis for Processing Personal Information
If you are from a region that requires a legal basis for processing personal data (such as the EEA or the UK), our legal basis for collecting and using the personal information described above will depend on the personal information concerned and the specific context in which we collect it.
However, we will normally collect personal information from you only where we need the personal information to perform a contract with you, or where the processing is in our legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms, or where we have your consent to do so. In some cases, we may also have a legal obligation to collect personal information from you or may otherwise need the personal information to protect your vital interests or those of another person, such as in the case where we request personal information from you in the context of a government audit or in response to a request from law enforcement.
If you have questions about or need further information concerning the legal basis on which we collect and use your personal information, please contact us using the contact information provided below.
Broadly speaking, we use Customer Account Data to further our legitimate interests to:
- understand who our customers and potential customers are and their interests in LiveKit's Services;
- manage our relationship with you and other customers;
- carry out core business operations such as accounting, filing taxes, and fulfilling regulatory obligations; and
- help detect, prevent, or investigate security incidents, fraud and other abuse or misuse of our Services.
California Consumer Access and Deletion Rights
For those customers that would like more information about our use of Customer Account Data or Customer Usage Data, you have the ability to request:
- that we provide details about the categories of personal information that we collect about you, including how we collect and share it;
- that we provide you access to the personal information we collect about you; and
- that we delete the personal information we have about you.
Please be aware that when you ask us for these things, we will take steps to verify that you are authorized to make the request. You must be a resident of California to make this request.
The California Code of Regulations defines a "resident" as:
- every individual who is in the State of California for other than a temporary or transitory purpose and
- every individual who is domiciled in the State of California who is outside the State of California for a temporary or transitory purpose
We have collected the following categories of personal information in the past twelve (12) months:
- personal information listed in the California Customer Records statute
- geolocation data
- Internet or other similar network activity
For more information on how we process, retain, use, and disclose personal information, see our CCPA Notice.
Some countries, other than the EEA, UK, and United States, also have specific privacy notice requirements, and we address those requirements in our general privacy sections above. If there are specific changes we need to make to our legal language to comply with a country's privacy or data protection laws, you can find those changes in our Data Processing Addendum.
Privacy Compliance for Specific Individuals
Information from Children. We do not knowingly permit children (under the age of 13 in the US and UK or 16, if you live in the EEA) to sign up for a LiveKit account. If we discover someone who is underage has signed up for a LiveKit account, we will take reasonable steps to promptly close that person's account and remove their personal information from our records. If you believe a person who is underage has signed up for a LiveKit account, please contact us at [email protected].
International data transfers
As a global organization, we may need to transfer your personal information to LiveKit affiliates, contractors, service providers, and to third parties in various countries and jurisdictions around the world. In each case, we take care to use appropriate safeguards to ensure your personal information remains protected.
Data transfers to the United States and elsewhere. When you use our cloud dashboard, or our other Services, personal information of you and your end users processed by LiveKit may be transferred to the United States, where our primary processing facilities are located, and possibly to other countries where we or our service providers operate. These transfers will often be made in connection with routing your communications in the most efficient way.
Safeguards for data transfers. LiveKit employs appropriate safeguards for cross-border transfers of personal data, as required by applicable local law. Our Data Processing Addendum, which we provide to all customers, includes more detailed information about our cross-border data transfers.
When transferring personal information outside the EEA, the UK, and Switzerland, we rely on data transfer mechanisms such as the Standard Contractual Clauses and the International Data Transfer Agreement.
Transfers from other countries. When we transfer personal information outside countries other than those in the EEA, the UK, and Switzerland, we strive to comply with the cross-border data transfer rules of those countries, such as by cooperating with that country's data protection authority or providing a written agreement to each customer that meets the data protection requirements of the country.
How We Secure Personal Information
Our security measures. We use appropriate security measures designed to protect the security of your personal information both online and offline. These measures vary based on the sensitivity of the personal information we collect, process and store and the current state of technology. We also take measures to ensure service providers that process personal data on our behalf also have appropriate security controls in place. When we transfer data across borders, we also take supplementary measures to ensure that data is protected. You may read more about our security measures in our Security Overview.
Please note that no service is completely secure. While we strive to protect your data, we cannot guarantee that unauthorized access, hacking, data loss or a data breach will never occur.
Security measures you can take. To protect the confidentiality of your account and protect against unauthorized use of your account, you must keep your project's API keys confidential and not disclose them publicly or to unauthorized individuals — this includes accidentally distributing them in a binary or checking them into source control. Please let us know right away if you think your API keys were compromised or misused. For instructions on provisioning and revoking API keys, click here.
How we use personal information for security purposes
We may collect and use Customer Account Data or Customer Usage Data to detect, prevent, or investigate security incidents, fraud, or abuse and misuse of our platform and Services. In addition, we also use records containing end user personal information to debug, troubleshoot, or investigate security incidents; to detect and prevent spam or fraudulent activity; and to detect and prevent network exploits and abuse. We may anonymize personal information and use it for our legitimate business needs, and, where allowed by law, this may include records containing end user personal information.
If you have a dispute with us relating to our data protection practices, you can raise your concern or dispute by contacting the Data Protection Officer via email at [email protected].
For individuals in the EEA, the UK, or Switzerland, you have additional rights to make a complaint to a competent data protection authority or commence proceedings in a court of competent jurisdiction in accordance with applicable data protection laws.
Other information you may find useful
Automated decision making and machine learning
LiveKit may use automated decision making leveraging a variety of signals derived from records we collect to help monitor, identify, and suspend accounts sending spam or engaging in other abusive or fraudulent activity. Holders of accounts suspended under these circumstances are notified of the suspension and given an opportunity to request human review of the suspension decision.
We may change this Policy from time to time, and if we do, the most current version will be available at https://livekit.io/legal/privacy-policy with the date at the top indicating when it was last updated. These changes might be minor, such as updating an address or fixing a typo, or they might be material, such as making a change that affects your rights. If we make changes that affect your rights, we will provide advance notice to you, such as by posting a message in the cloud dashboard, or we'll send an email via the address we have on file for you. We will comply with applicable law with respect to any changes we make to this Policy and seek your consent to any material changes if this is required by applicable law.