PRIVACY POLICY
– For Users of the Liverse Music Mobile Application and Web Platform–
Effective date: 1 August 2025
Last updated: Initial version – no prior updates.
TARTALOMJEGYZÉK
1. Purpose and Scope of this Policy
2. Data Controller and Contact Information
3. Detailed Overview of Data Processing Activities by Functions
4. Data Processors and Data Transfers
5. Rights of Data Subjects and How to Exercise Them
6. Use of Cookies and Similar Technologies
7. Principles of Data Security and Technical Measures
8. Final Provisions
1. PURPOSE AND SCOPE OF THIS POLICY
1.1. The purpose of this Privacy Policy (hereinafter: Policy) is to provide a clear and detailed overview
of how LiveBrothers Korlátolt Felelősségű Társaság (registered seat: Hámory Imre utca 18., 2051
Biatorbágy, Hungary; company registration number: 13-09-234045; tax number: 32429145-2-13; e-
mail: privacy@liverse.app; hereinafter: Service Provider or Data Controller) processes personal data
in connection with the operation of the Liverse Music digital service (hereinafter: Service). This Policy
explains what personal data is processed, for what purposes and on what legal basis, for how long, and
how the protection of such data is ensured. It also sets out the rights of data subjects and the available
legal remedies.
1.2. Within the scope of the Service, the platform provided by the Service Provider includes a mobile
application downloadable for iOS and Android operating systems (hereinafter: Application), as well as
a related web-based platform with limited functionality, primarily intended for content submission
(hereinafter: Web Platform).This Policy applies to all personal data processing activities carried out by
the Service Provider—as Data Controller—or by data processors acting on its behalf, in connection
with the use of both the Application and the Web Platform. The scope of this Policy does not extend to
any personal data processing performed by third parties—such as other Users, external websites, or
third-party service providers—acting as independent data controllers under their own terms, conditions,
or privacy policies (e.g. links to social media platforms, ticketing services, or external promotional sites).
1.3. The various features of the Service involve different types of personal data processing. The scope
of personal data processed, as well as the purpose, legal basis, and duration of processing, may vary
depending on the specific feature; these are detailed in Chapter 3 of this Policy. In all cases, the Data
Controller adheres to the principles of data minimisation and purpose limitation, meaning that it
only processes such data, and for such duration, as is strictly necessary to provide the relevant
functionality of the Service.
1.4. The Data Controller designs its data processing practices in accordance with the applicable data
protection laws at all times, with particular regard to Regulation (EU) 2016/679 of the European
Parliament and of the Council (GDPR), Act CXII of 2011 on the Right of Informational Self-
Determination and on Freedom of Information (Infotv.), as well as the relevant data protection
requirements set out in the Apple App Store Review Guidelines and the Google Play Developer
Policy.
1.5. The Service is not specifically designed for children and is intended solely for natural persons who
are at least 16 years old and legally competent. The Data Controller does not target individuals under
the age of 16 and does not knowingly collect personal data from minors. The Data Controller does not
perform age verification and is not legally obliged to automatically verify the existence of parental or
guardian consent; however, it reserves the right to suspend or delete a User Account if there is a suspicion
of unauthorized use.
1.6. Terms capitalized in this Privacy Policy — including but not limited to User Account, Profile
Administrator, and Official Profile — shall have the same meaning as defined and used in the Liverse
Music Terms and Conditions. For the purposes of this Policy, such terms shall always be interpreted
in accordance with the provisions of the Terms and Conditions.
2. DATA CONTROLLER AND CONTACT INFORMATION
• Name of the Data Controller: LiveBrothers Korlátolt Felelősségű Társaság (Limited Liability
Company)
• Registered Seat: 2051 Biatorbágy, Hámory Imre utca 18.
• Company Registration Number: 13-09-234045
• Tax Number: 32429145-2-13
• EU VAT number: HU32429145
• Represented by: Spiriev Teodor Kristóf és Spiriev Artemon Bendegúz managing directors,
each acting with sole signatory right
• Email: office@liverse.app
• Website: https://liverse.app
The Service Provider has not appointed a Data Protection Officer, as it is not required to do so under
Article 37 of the GDPR. Given the nature, scope, and level of risk of the data processing involved, such
appointment is not deemed necessary in light of the reasonable data protection risks associated with the
operation of the Service.
3. DETAILED OVERVIEW OF DATA PROCESSING ACTIVITIES BY FUNCTIONS
3.1. Registration and Login
Function
Data Processed
Purpose of Data
Processing
Legal Basis
Retention
Period
Creating a User
Account
(email/password
)
Email address, password,
username (mandatory fields)
Creating the
account, login,
user
authentication
GDPR Article
6(1)(b) –
performance
of a contract
Until the
account is
deleted. The
Service
Provider
Note: The Service Provider has no access to the User’s password in any form. Passwords are stored
using the bcrypt algorithm, which applies one-way, irreversible hashing and built-in salting, in
accordance with modern industry standards. In the case of registration via external providers (Apple or
Google), authentication is token-based, and passwords are never handled or stored by the Service
Provider.
Important exception: During the “forgot password” process, a system-generated temporary password
— which is sent via email — may, for technical reasons, appear briefly in the system’s log files. This
applies exclusively to the generated password and not to any password entered by the User. In line with
the Terms of Use, the Service Provider strongly recommends that Users immediately change the
generated password to enhance account security.
3.2. Official Profiles and Their Administration; Event Creation
Function
Data Processed
Purpose of Data
Processing
Legal Basis
Retention
Period
reserves the
right to delete
long-inactive
accounts after
prior notice, in
line with data
minimization
and system
maintenance
principles.
Registration /
login via
external
providers
(Apple, Google)
Token (used only for
retrieval, not stored), external
ID, name, email address (if
authorized by the user)
Enabling login via
external
authentication
GDPR Article
6(1)(b) –
performance
of a contract
The login token
is not stored.
Only extracted
data (external
ID, name,
email) is stored.
Name and email
become part of
the User
Account (see
above).
Use of Apple’s
“Hide My
Email” feature
Proxy email address (e.g.,
abc@privaterelay.appleid.co
m) – also used for
notifications
Enabling contact
without
disclosing the
actual email
address
GDPR Article
6(1)(b) –
performance
of a contract
The proxy email
becomes part of
the account. It
can be changed
at any time by
the user.
Function
Processed Data
Purpose of Data Processing
Legal Basis
Storage Period
Creation
of Official
Profile
(Artist /
Venue)
Name, email
address, and
account ID of the
Profile
Administrator
To enable administration of the
Official Profile and manage
related permissions
GDPR Article
6(1)(b) –
performance of a
contract
As long as the
Official Profile
and administrative
rights exist. Data
is deleted or
anonymised upon
deletion or
removal of admin
rights.
Public
data
linked to
the
Official
Profile
Profile name,
description, public
image, genre
categories (some of
which may qualify
as personal data,
e.g. if they contain
a name)
Public visibility in the
Application/Web Platform
GDPR Article
6(1)(b) –
performance of a
contract
As long as the
Profile is active
and public. Upon
deletion, personal
elements are
permanently
removed from the
archive.
Event
creation
Creator’s ID
(Profile Admin ID),
event metadata
(e.g. time, location,
description). While
metadata alone is
not personal data, it
may become such
when linked to the
creator.
Active events: Displaying the
event upon the User’s request,
managing it, linking it to the
Official Profile
GDPR Article
6(1)(b) –
performance of
a contract
Event data
remains publicly
available in the
Application for as
long as needed
for display.
In the event of
deletion, the
event may still
appear as
“Cancelled” in
accordance with
the provisions of
the Terms and
Conditions,
strictly for
archival and
informational
Note: If the User deletes their account, the admin data associated with any Profile they have created will
also be deleted, unless the Profile has additional Profile Administrators. In such cases, the admin rights
will be transferred to another Profile Administrator, in accordance with the provisions set out in the
Terms and Conditions.
3.3. In-App Purchases (Highlight, Ad-Free Experience)
Function
Processed Data
Purpose of Data
Processing
Legal Basis
Storage Period
Purchase of digital
services (highlight,
ad-free
experience)
Transaction
metadata (e.g.
purchase
timestamp,
transaction ID,
User Account ID),
Activation and
administration of the
purchased digital
service (highlighting,
ad-free experience), and
providing the “My
GDPR Article
6(1)(b) –
performance
of a contract
The transaction
metadata (e.g. purchase
timestamp, product
type) is stored as long
as the User Account
exists, since it is part of
Function
Processed Data
Purpose of Data Processing
Legal Basis
Storage Period
Cancelled/Deleted events:
Ensuring traceability, integrity,
and handling of disputes
GDPR Article
6(1)(f) –
legitimate
interest
purposes. The
personal data
associated with
such an event are
processed by the
Service Provider
based on its
legitimate interest
in preserving
service integrity,
traceability, and
the prevention of
potential legal
disputes
(pursuant to
Article 6(1)(f) of
the GDPR), for a
maximum of 5
years.
Change in
Profile
admin
rights (e.g.
removal of
admin)
Admin ID,
permission status
Updating administrative
connections linked to the profile
GDPR Article
6(1)(b) –
performance of a
contract
Until the rights are
revoked.
Thereafter,
admin-related
data is
automatically
deleted from the
system.
Function
Processed Data
Purpose of Data
Processing
Legal Basis
Storage Period
as well as the
purchase
confirmation
(“receipt”)
provided by
Google/Apple for
the transaction
Highlights” feature for
the User, allowing
access to previous
purchases
the “My Highlights”
feature. The purchase
receipt is retained
temporarily for
technical debugging
purposes only, for a
maximum of 1 year,
after which it is
deleted. Payments are
processed by Google
Play and Apple App
Store. The Service
Provider has no access
to credit card data,
billing information, or
any other payment
details, and does not
process financial
transactions directly.
Apple App Store and
Google Play terms and
privacy policies also
apply to purchases.
Note: During the confirmation of the purchase, the Service Provider validates the transaction through the
verification channels provided by Apple or Google. The system only receives the confirmation of a
successful purchase and the associated technical metadata. The purchase confirmation (“receipt”) is
retained exclusively for debugging purposes, for a maximum of 1 year, after which it is permanently
deleted.
3.4. User Reports, Complaints, and Moderation Measures
In line with Section 9 of the Terms and Conditions:
• Report: A submission made via the “Report” button in the Application, which may only be used
in cases involving abuse, rule violations, or legal infringements related to Content or Official
Profiles. Although all reports are ultimately reviewed by human moderators, the Service
Provider may also apply automated pre-screening tools (e.g., filtering of prohibited words).
• Complaint: A submission concerning the technical operation, features, digital purchases, or
customer service of the Service, which may be filed by the User via the official communication
channels defined in Section 9 of the Terms and Conditions (e.g., email or postal mail).
Complaints are reviewed by the Service Provider through a dedicated procedure.
Function
Processed Data
Purpose of Data
Processing
Legal Basis
Storage Period
Submitting a user
report
Identifier of the
reporting user
(username or
technical ID), content
of the report (free
text), identifier of the
reported content or
profile
Investigation of the
report, enforcement
of rules, ensuring
compliance with
community
guidelines and the
Terms and
Conditions
GDPR Article
6(1)(f) –
legitimate
interest (safe
operation of
the platform,
handling of
abuse)
5 years from the
conclusion of the
investigation, then
deletion or
anonymization
Documentation
and execution of
moderation
measures
Manually recorded
notes from the
investigation,
decision, related user
IDs, modified
technical statuses
(e.g., suspended,
hidden)
Post-hoc
verifiability,
complaint handling,
registration of
violations,
regulation of
visibility
GDPR Article
6(1)(f) –
legitimate
interest
Also 5 years, in line
with the report data
Submitting an
official complaint
Name (if provided),
email address,
message content,
description of error or
request, technical
data (e.g., device type
if included), possible
attachments
Substantive
investigation of
complaints,
customer service
responses,
improving service
quality
GDPR Article
6(1)(f) –
legitimate
interest
(operation of
customer
support))
1 year from the
conclusion of the
complaint
procedure, or until
the end of the
complaint resolution
process
Note: The data generated during the handling of reports and complaints will not be made accessible to
third parties by the Service Provider, unless required by law or an official procedure.
3.5. Contact and Customer Support
Function
Processed Data
Purpose of Data
Processing
Legal Basis
Storage Period
Handling user
inquiries (via
email –
technical
issues or
general
questions)
Name (if provided),
email address,
message content,
error or request
description,
technical details
(e.g., device type if
included in the
message)
Communication,
user support,
technical assistance
GDPR Article
6(1)(b) –
performance of a
contract, if the
inquiry relates to the
use of the Service;
GDPR Article
6(1)(f) – legitimate
1 year after the
inquiry is closed,
then deletion or
anonymization
Function
Processed Data
Purpose of Data
Processing
Legal Basis
Storage Period
interest, in all other
cases
Data used for
phone or
postal
inquiries)
Phone number,
postal address (only
if voluntarily
provided by the
User)
Ensuring a response
through the method
requested by the
User
GDPR Article
6(1)(f) – legitimate
interest
1 year after the
inquiry is closed,
then deletion or
anonymization
Note: The Service Provider only uses the data strictly necessary to respond to the inquiry. If the User
voluntarily provides additional contact details (e.g., phone number, postal address), the Service Provider
will use such data exclusively to respond and will not store or use it for any other purpose.
3.6. Statistical Data Collection (Cookies and Analytics Tools)
The Service Provider collects data for statistical purposes regarding the use of the Website and the
Application, in order to analyse traffic and improve the performance and user experience of the Service.
Within the Application, only non-personalized advertisements are displayed, and the Service Provider
does not use remarketing, behaviour-based advertising profiles, or collect data for targeted advertising
purposes.
3.6.1. Cookies Used on the Website
The Website uses cookies to enable essential technical functions required for its operation and — based
on the User’s prior consent — for statistical measurement via the Google Analytics service.
Type of Cookie
Data Processed
Purpose of Data
Processing
Legal Basis
Retention
Period
Technically
Necessary
Cookie
Session ID,
language settings
Ensuring the
operation of the
Website (e.g.
language
settings, secure
connection)
GDPR Article
6(1)(f) –
Legitimate
Interest
Until the end of
the session
Google
Analytics 4
cookie
Truncated IP
address, cookie
ID, device and
browser data, time
and duration of
visits
Analysing
website usage,
generating
visitor statistics
GDPR Article
6(1)(a) –
Consent
2 years (as per
Google’s
settings)
The Google Analytics service is provided by Google LLC (1600 Amphitheatre Parkway, Mountain
View, CA, USA) as a data processor. Data transfers between the EU and the USA are based on the
European Commission’s approved Standard Contractual Clauses (SCC). The system uses IP
anonymization, which ensures that recorded IP addresses cannot be used to identify Users. For more
detailed information about the cookies used on the Website and their management, please refer to the
separate Cookie Policy available in the Website footer.
3.6.2. Data Collection in the Application (Advertising and Statistics)
Only non-personalized ads are displayed within the Application, served via Google AdMob
technology. AdMob does not use remarketing or advertising profiles, and the Service Provider has no
access to user-specific data.
In addition, the Apple App Store and Google Play Console provide the Service Provider with general
statistical reports (e.g., number of downloads, crash data), which do not allow for the identification
of data subjects and are used solely for technical purposes.
Technology /
Source
Data
Processed
Purpose of Data
Processing
Legal Basis
Retention
Period
Google AdMob
IP address,
device and app
usage data,
advertising ID
(AdID)
Filling ad slots
within the
Application;
displaying non-
personalized
advertisements
GDPR Article
6(1)(f) – legitimate
interest (ensuring
free access to the
Application through
ad revenue)
Up to 13
months (as per
Google’s
technical
settings)
App Store / Play
Console
Device type,
operating
system, error
types, version
number (not
personal data)
Displaying
aggregated
statistical data
(e.g., downloads,
crash reports)
GDPR Article
6(1)(f) – legitimate
interest
For the
duration of
platform-
provided
access, which
is outside the
Service
Provider’s
control
Note: The Application does not use third-party statistical SDKs (e.g., Firebase Analytics) and does not
collect user-level analytical data for behavioural tracking. The Service Provider does not build
advertising profiles, does not serve targeted ads, and does not use remarketing technologies.
3.7. Use of Location Data (Location-Based Services)
Function
Data Processed
Purpose of Data
Processing
Legal
Basis
Retention
Period
Processing of
location data
(GPS, WiFi, cell
data)
The device's
geographical location
(GPS coordinates or
approximate location)
Displaying nearby events,
operating map-based
features, providing the
“Events Near Me” service
GDPR
Article
6(1)(a) –
consent
Not stored;
processed only
during the
specific query
Megjegyzés: The Service does not log or store location data on a long-term basis. The User’s current
position is used solely to deliver the relevant functionality at the moment of use; no movement profiles
are created, and Users are not visible to others based on their location.
The Application accesses location data only when the User first activates a function that requires it (e.g.,
“Events Near Me”). Once permission is granted, the Application may use the authorized location data
during active use, but it does not access location data in the background. Location data is not stored in
the main database; however, it may appear in certain technical log files for performance optimization
purposes only.
Location determination is performed via the native APIs of Android and iOS systems (based on GPS,
WiFi, or mobile cell data). Access to location data requires permission at the mobile operating system
level, and consent can be withdrawn at any time via the device settings.
3.8. Push Notifications
Function
Data Processed
Purpose of Data
Processing
Legal
Basis
Retention Period
Sending push
notifications
from the
Application
Device push token
(generated by
OneSignal), notification
settings (e.g.
subscriptions), content of
notifications (e.g. event
reminders)
Informing the User
about events,
statuses, and settings
related to the Service
— even when the
Application is not
active
GDPR
Article
6(1)(a) –
Consent
Until the consent is
withdrawn or push
notifications are
disabled. The tokens
are managed and
deleted exclusively by
OneSignal.
Megjegyzés: The Service Provider uses an external provider called OneSignal to send push
notifications. OneSignal acts as a technical intermediary, connecting to the native notification
infrastructures of iOS and Android systems (such as Apple Push Notification Service – APNs and
Firebase Cloud Messaging – FCM), and processes only the technical data required for delivering the
notifications (e.g., device push token, message content). The data is transmitted through encrypted
channels. The Service Provider does not store push tokens in its own systems; token management is
handled entirely by OneSignal.
The Service Provider sends only functional notifications related to the Service, such as:
• event reminders,
• status updates,
• notifications about new events based on the User’s previously selected favourites.
Such notifications require consent granted at the mobile operating system level, which can be
withdrawn at any time via the device settings or within the Application’s notification settings.
Certain notifications — such as automatically generated “Weekly Top Events” notifications related
to Highlights — are not directly triggered by the User’s activity and are therefore sent only based on
prior consent. This consent can be withdrawn at any time in the Application’s settings.
The Service Provider does not send marketing notifications without the User’s explicit consent and
does not disclose notification-related data to third parties.
3.9. User Preferences and Interactions (Favourites, “I’ll Be There” Feature)
Function
Data Processed
Purpose of Data
Processing
Legal Basis
Retention Period
Marking
artists or
venues as
"Favourite"
Artist/Venue ID,
User ID who
marked it as
favourite,
timestamp of the
action
Providing a
personalised list for
the User; enabling
functionality (e.g.
quick access,
notifications about
new events)
GDPR Article
6(1)(b) –
performance of
a contract
As long as the User
keeps it in their
favourites. Immediate
data deletion upon
removal.
Using the “I’ll
Be There”
feature
Event ID, User
ID, attendance
status, timestamp
Recording attendance
intent, providing a
personal event list,
aggregated statistical
feedback to the
organiser (not by
name)
GDPR Article
6(1)(b) –
performance of
a contract
Until the event occurs or
the indication is
withdrawn. Automatic
deletion after the event,
unless further retention
is necessary for legal
interest (max. 1 year).
Note: User preferences and participation indications are not publicly visible to other Users. These
functions are only activated through the User’s explicit actions – data is not collected automatically and
is not shared with any third party. The related information is displayed solely within the User’s own
Account.
Based on the “I’ll Be There” indications, in certain cases an aggregated attendance count may be
shown on the event’s detail page in the Application (e.g., “34 people indicated participation”). This
information is displayed in a uniform manner for all Users and is strictly aggregated, containing no
names or personally identifiable information. If the attendance number is not displayed, the
underlying data remains inaccessible both to other Users and to Profile Administrators.
All such data is permanently deleted when the User Account is deleted.
4. DATA PROCESSORS AND DATA TRANSFERS
4.1. Use of Data Processors
The Service Provider engages data processors in the course of operating and developing the Service.
The following table contains key information regarding each data processor:
Name of Data
Processor
Role in Data Processing
Scope of
Processed Data
Legal Basis
Location of
Data Processing
PeakBit Kft.
(1106 Budapest,
Fehér út 10.)
Technical operation and
support of the Service:
including VPS provision,
maintenance, resource
usage monitoring, system
supervision, database
management, and
development
Technical storage
and availability of
all data generated
during the
operation of the
Service
GDPR Article
6(1)(b) and (f);
GDPR Article 28
– based on data
processing
agreement
Hungary – own
servers with
physical
protection
Name of Data
Processor
Role in Data Processing
Scope of
Processed Data
Legal Basis
Location of
Data Processing
OneSignal Inc.
(2850 S
Delaware St
Suite 201, San
Mateo, CA
94403, USA)
Delivery of push
notifications; technical
mediation with the
notification
infrastructures of iOS
and Android systems
(APNs, FCM)
Push token, device
identifier, type and
content of
notification
GDPR Article
6(1)(a)
USA – SCC
(Standard
Contractual
Clauses)
Google LLC
(1600
Amphitheatre
Parkway,
Mountain View,
CA, USA)
Web analytics (GA4), ad
measurement (Google
Ads), delivery of push
notifications on Android
(FCM), “Sign in with
Google” (one-time name
and email retrieval)
Cookie ID, IP
address
(anonymized),
browser data, push
token, device data,
one-time name and
email (upon
Google login)
GDPR Article
6(1)(a) – consent
(cookies, login,
push);
Article 6(1)(f) –
legitimate
interest
(technical
delivery of
notifications)
USA – SCC
(Standard
Contractual
Clauses)
Note: The
Firebase SDK is
not active in the
Application; it is
only used in the
infrastructure
required for push
notifications
(FCM).
Google Ireland
Limited
(Gordon House,
Barrow Street,
Dublin 4,
Ireland)
European headquarters
for services provided by
Google LLC, acting as a
data processor
Same as for
Google LLC
GDPR Article
6(1)(a) / (f);
Article 28 – data
processing
agreement
EU – Ireland (not
considered a
third country)
Apple Inc. (One
Apple Park
Way, Cupertino,
CA, USA)
Push notification service
for iOS devices (APNs);
“Sign in with Apple”
login (one-time data
transfer to the Service
Provider, if permitted)
Device Token (for
push
notifications), one-
time name and
email address
(during Apple
login, if
authorized)
GDPR Article
6(1)(a) – consent
(push, login)
USA – based on
SCC and the EU-
U.S. Data
Privacy
Framework
Brevo SAS
(106 boulevard
Haussmann,
75008 Paris,
France)
Delivery of newsletters,
transactional emails, and
system messages (e.g.
registration confirmation,
password reset, status
notifications) via email.
The Service Provider
uses Brevo’s SMTP
service: the content of
the emails is created by
the Service Provider,
while Brevo only
delivers them,
Email address,
name (if
provided),
message content,
sending metadata
(timestamp,
status), IP address
(at log level)
GDPR Article
6(1)(b) –
performance of
contract; Article
6(1)(f) –
legitimate
interest (delivery
of security-
related system
messages)
EU – France
(data processing
within the EU,
no international
data transfer)
Name of Data
Processor
Role in Data Processing
Scope of
Processed Data
Legal Basis
Location of
Data Processing
technically on behalf of
the domain liverse.app.
Functional
Software, Inc.
(Sentry) (45
Fremont Street,
8th Floor, San
Francisco, CA
94105, USA)
Automatic logging of
technical errors and
operational anomalies for
developer-level
debugging. Provides tools
to analyse issues
occurring during the
operation of the Service.
Technical
metadata, logged
error messages; in
some cases, IP
address and device
or browser data
may appear in the
logs (if a client-
side error occurs).
GDPR Article
6(1)(f) –
legitimate
interest (error
handling, system
security)
USA – based on
SCC
4.2. Data Transfers to Third Countries
The Service Provider primarily processes personal data within the European Economic Area (EEA).
However, certain technical operations (especially the delivery of push notifications, analytics and
advertising measurement services, login functions, and developer error reporting) may necessitate the
transfer of data to the United States, involving the following service providers:
• OneSignal Inc. (for transmitting push notifications via APNs and FCM),
• Google LLC (for web analytics – Google Analytics 4, advertising measurement – Google Ads,
push delivery – FCM, and the “Sign in with Google” function),
• Apple Inc. (Apple Push Notification Service – APNs, and “Sign in with Apple” function),
• Sentry (Functional Software, Inc.) (for automatic reporting of technical errors from the
Application, used for developer monitoring purposes).
These service providers:
• apply the Standard Contractual Clauses (SCCs) approved by the European Commission),
• and/or participate in the EU–U.S. Data Privacy Framework (DPF),
• and implement additional safeguards, such as IP anonymization, encryption, and data
minimization, to ensure an adequate level of protection for personal data.
The Service Provider does not transfer data to any other third country and only engages partners who
guarantee a level of security compliant with the GDPR.
4.3. External Authentication Providers (Independent Data Controllers)
During login, the User may choose to use external authentication services provided by Apple Inc. ("Sign
in with Apple") or Google LLC ("Sign in with Google").
During the authentication process, the Service Provider receives only the minimal set of data necessary
for identification, including:
• a unique authentication token,
• the User’s name (if available and shared),
• and the email address (if shared).
The data processing carried out during authentication is governed by the respective privacy policies of
the external providers:
• Apple Inc.: https://www.apple.com/legal/privacy/
• Google LLC: https://policies.google.com/privacy
By using these services, the User acknowledges that Apple or Google, as independent data controllers,
process the authentication data on their own legal basis, for which the Service Provider assumes no
responsibility.
4.4. Data Transfers to Other Data Controllers
The Service Provider does not transfer personal data to other data controllers, except in the
following expressly regulated cases:
a) Data transfer based on legal obligation
• If a legally authorized authority or court submits a valid request (e.g. in the context of a criminal
investigation or court proceedings),
• the data transfer is limited strictly to the requested information, to the necessary extent, and is
carried out in a secure manner.
b) Data transfer based on explicit consent
• Such transfer may only occur if the User has given clear, prior, and documented consent (e.g. in
the context of a future partner program or cooperation for marketing purposes),
• in such cases, the Service Provider provides specific information regarding the data transfer and
ensures that the User may withdraw consent at any time.
5. RIGHTS OF DATA SUBJECTS AND HOW TO EXERCISE THEM
The Service Provider ensures that all data subjects are able to exercise the rights granted to them
under the GDPR in relation to the processing of their personal data. These rights apply to any
natural person whose personal data is processed by the Service Provider.
5.1. Rights of Data Subjects
Name of the
Right
Description
Legal
Basis
Right of access
The data subject has the right to obtain confirmation as to whether the
Controller processes personal data concerning them, and, if so, to
access those personal data and receive information regarding the
circumstances of the processing.
Article 15
of the
GDPR
Right to
rectification
The data subject has the right to request the rectification of inaccurate
personal data concerning them and the completion of incomplete data.
Article 16
of the
GDPR
Name of the
Right
Description
Legal
Basis
Right to erasure
(“right to be
forgotten”)
The data subject has the right to request the erasure of their personal
data if it is no longer needed for the purpose for which it was collected,
or if the processing was unlawful.
Article 17
of the
GDPR
Right to
restriction of
processing
The data subject has the right to request the restriction of processing,
for example if they contest the accuracy of the personal data or if the
processing is unlawful but they do not wish the data to be erased.
Article 18
of the
GDPR
Right to data
portability
The data subject has the right to receive the personal data they have
provided to the Controller, which is processed based on consent or
contract, in a structured, commonly used, and machine-readable
format, or to request the direct transmission of such data to another
controller.
Article 20
of the
GDPR
Right to object
The data subject has the right to object to the processing of their
personal data if the processing is based on the Controller’s legitimate
interest. In such cases, the Controller shall cease the processing unless
it demonstrates compelling legitimate grounds that override the
interests, rights, and freedoms of the data subject.
Article 21
of the
GDPR
Right to
withdraw
consent
The data subject has the right to withdraw their consent to data
processing at any time if the processing is based on consent. The
withdrawal does not affect the lawfulness of processing based on
consent before its withdrawal.
Article
7(3) of the
GDPR
5.2. Exercise of Rights
The exercise of data subject rights is free of charge and may be initiated through the following
channels:
• By electronic means: via a written request sent to the email address [office@liverse.app]. To
ensure identification, it is recommended to include the registered email address or username.
• By post: via a letter sent to the Service Provider’s registered office (2051 Biatorbágy, Hámory
Imre utca 18., Hungary).
• Within the Service (self-service): where technically available, the data subject may modify
certain data (e.g., in profile settings) or delete their account, thereby exercising the right to
rectification or erasure.
The Service Provider shall respond to any submitted request without undue delay, but no later than
within one month of receipt. In justified cases, this deadline may be extended by an additional two
months, in which case the Service Provider shall inform the data subject within the first month,
providing the reasons for the delay.
If the Service Provider is unable to fulfil the request (e.g., the data has already been deleted, or the
request is unfounded), the data subject shall be informed in writing, including the reason for the
rejection.
5.3. Lodging a Complaint and Legal Remedies
If a Data Subject believes that the Service Provider has violated applicable data protection laws
in the course of processing personal data, they are entitled to lodge a complaint with the competent
supervisory authority or seek judicial remedy.
a) Supervisory Authority
Hungarian National Authority for Data Protection and Freedom of Information (NAIH)
Address: 1055 Budapest, Falk Miksa utca 9–11., Hungary
Mailing address: 1363 Budapest, Pf. 9.
Phone: +36 (1) 391-1400
Email: ugyfelszolgalat@naih.hu
Website: https://www.naih.hu
Complaints may also be submitted to another supervisory authority competent under the Data Subject’s
habitual residence or place of stay within the European Union.
b) Judicial Remedy
The Data Subject may also bring a civil action before a court if they consider that a violation of their
rights has occurred in relation to the processing of their personal data. The action may be initiated before
the court having jurisdiction over the Service Provider’s registered seat or the court competent based on
the Data Subject’s place of residence or habitual residence.
6. USE OF COOKIES AND SIMILAR TECHNOLOGIES
The use, types, functionality, and data processing of cookies on the Web Platform are governed by
Section 3.6.1 and the separate Cookie Policy, which is accessible via the footer of the Web Platform.
7. PRINCIPLES OF DATA SECURITY AND TECHNICAL MEASURES
7.1. The Service Provider takes all reasonable technical and organizational measures to ensure that the
processing of personal data complies with the data security requirements set out in Article 32 of the
GDPR. The purpose of these measures is to guarantee the confidentiality, integrity, and availability of
the data, and to prevent unauthorized access, alteration, transmission, disclosure, deletion, or
destruction.
7.2. The IT infrastructure of the Service operates within an environment managed by PeakBit Kft. on
behalf of the Service Provider. The databases containing personal data are hosted in a TIER III certified
data center provided by PeakBit, located in Hungary. This facility is protected by both physical and IT
security measures, including armed security and 24/7 monitoring.
7.3. The data security measures implemented by the appointed data processor include, in particular:
• Encrypted storage of data at rest on SSD storage devices within the data center;
• Redundant data storage in three replicas, ensuring data backup and recoverability;
• Continuous maintenance of VPS-based infrastructure security settings, including component
isolation and access restrictions through role-based permissions;
• Monitoring and alerting systems, enabling automatic detection of resource usage anomalies and
system failures;
• Regular backups, including backups every 4 hours and both daily and weekly archival cycles.
7.4. The above data security measures apply to the data processor appointed by the Service Provider
(PeakBit Kft.) and the backend infrastructure operated by them. External technology partners – in
particular Google, Apple, OneSignal, and Brevo – operate their own IT infrastructure and implement
their own data security mechanisms, over which the Service Provider has no direct control.
7.5. The Service Provider promptly investigates any data protection incident that comes to its attention.
If the incident is likely to result in a high risk to the rights and freedoms of data subjects, the Service
Provider shall:
• notify the National Authority for Data Protection and Freedom of Information (NAIH) without
undue delay, in accordance with Article 33 of the GDPR;
• and – if necessary – inform the affected data subjects in accordance with Article 34 of the GDPR.
Regardless of whether a notification to the authority is required, the Service Provider documents all data
protection incidents in an internal registry.
7.6. The Service Provider draws the User’s attention to the fact that data security also depends, in part,
on the User’s cooperation. The User is obliged to:
• keep their account information (e.g., password) confidential;
• adequately secure their devices (e.g., screen lock, up-to-date operating system, antivirus
protection);
• notify the Service Provider without delay if they detect any unauthorized access or misuse.
The Service Provider shall not be liable for any damages resulting from the User’s negligence,
carelessness, or failure to comply with security measures.
8. FINAL PROVISIONS
8.1. This Privacy Policy enters into force on August 1, 2025, and remains valid until revoked or
amended. The Service Provider reserves the right to unilaterally amend this Policy at any time,
particularly in the following cases:
• if there are changes in the operation or functionalities of the Service (e.g., introduction of new
data processing activities, discontinuation of existing ones);
• if required by legal provisions or binding decisions of authorities or courts;
• if the Service Provider’s data processing practices are expanded or clarified (e.g., engagement
of a new data processor, change in data retention periods).
8.2. The Service Provider shall notify the User of any amendments through appropriate means, using
at least one of the following channels:
• by displaying a notification within the Application or Web Platform (e.g., a pop-up window),
• by sending an electronic message to the registered e-mail address.
The notification shall include the essential content of the amendment and its effective date. The
amendment shall apply from the specified date. If the User continues to use the Service after the
amendment has taken effect, such continued use shall be deemed as acceptance of the amended Privacy
Policy.
8.3. This Privacy Policy has been prepared in both Hungarian and English. Both language versions
shall be considered official; however, in the event of any discrepancy or difference in interpretation,
the Hungarian version shall prevail.
8.4. The interpretation of this Policy and any matters not expressly regulated herein shall be governed
by Hungarian law, in particular Regulation (EU) 2016/679 of the European Parliament and of the
Council (GDPR), and Act CXII of 2011 on the Right of Informational Self-Determination and
Freedom of Information (Infotv.).
8.5. The current Privacy Policy is always available:
• in the main menu of the Application;
• in the footer and/or a dedicated menu section of the Web Platform.
The Service Provider also provides access to previous versions upon request.
Dated: 1 August 2025
Service Provider: LiveBrothers Korlátolt Felelősségű Társaság (Limited Liability Company)
