This privacy policy sets out how Lano Software GmbH uses and protects your personal data. This privacy policy is provided in a layered format so you can click through to the specific areas set out below.
Lano Software GmbH (“Lano”, “we”, “us” or “our”) operates a SaaS web-based workforce management platform designed to enable clients to hire, manage, and/or pay employees across the globe (the “Platform”). Lano provides payroll management, employer-of-record solutions, payroll payment services, consolidated payroll services, and contractor management services (collectively referred to as “Services”) through a partnership network of local experts (termed “In-Country Partners” or “ICPs”). The Services offered by Lano enable its clients to focus on growth while effectively addressing the complexities of hiring an international workforce and managing operations across multiple global locations.
We commit to protecting all personal information and data shared with us. We respect your rights, and we will apply the highest standards for data protection and privacy.
This Privacy Policy describes the type of data we gather (the “Personal Data”) and how we protect, share, and use Personal Data.
This Privacy Policy applies to the Platform Users (as defined in the Lano Platform Terms) and Clients that have engaged Lano for any Service who have a contractual relationship with us, including, but not limited to: Clients’ representatives, Clients’ employees, Employer-of-Record Workers, payroll employees; Affiliates; Partners; visitors to the Lano website (the “Website”) who do not have a contractual relationship with us; subscribers to Lano’s newsletter (these and any others with whom we interact and with respect to whom we collect Personal Data shall collectively be referred to as the “Data Subjects” or “you”). Please read this Privacy Policy thoroughly to fully understand our practices related to processing your personal data and how we will handle it.
The Website and Platform are not intended for children and we do not knowingly collect data relating to children.
We have appointed a data protection officer (DPO) who is responsible for overseeing questions in relation to this privacy policy. If you have any questions about this privacy policy, including any requests to exercise your legal rights (9), please contact us using the information set out in the contact details section (10).
Under the EU 2016/679 General Data Protection Regulation (“GDPR”) applicable to us, we process Personal Data both as a Controller and a Processor, depending on the context of the processing activity. This Privacy Policy applies to Personal Data we collect and process for our own purposes and where we act as Controllers. Where we process Personal Data on behalf of our clients, we act as a Processor. For these cases, the responsibility to inform Data Subjects about the processing of their Personal Data lies with the respective client as Controller (Articles 13 and 14 GDPR). Lano supports its clients in fulfilling these obligations by providing the necessary information under Article 28(3)(h) GDPR.
Lano acts as a data controller (“Controller”) under GDPR for the Personal Data it processes for its own purposes, including data of our clients and prospective clients (limited to their representatives and employees), partners, affiliates (including ICP representatives), Platform users who have a direct relationship with Lano, and visitors to the Lano website. This applies, in particular, to the operation of our website and platform, user account management, client communication, product administration, analytics, marketing activities, compliance and financial operations. In these cases, Lano independently decides how and why personal data is processed and is responsible for ensuring compliance with applicable data protection law.
Where Lano and a client jointly determine the purposes and means of certain processing activities, the parties will enter into a joint controllership arrangement pursuant to Article 26 GDPR, setting out their respective responsibilities for compliance.
Lano acts as a data processor (“Processor”) under GDPR when providing its platform and related services to clients, for example in connection with payroll management, employer-of-record solutions, consolidated payroll services, and contractor management. In these cases, our clients determine the purposes and means of processing, while Lano processes the data strictly in accordance with their documented instructions and subject to a data processing agreement (DPA) concluded with each client.
If you are an employee, contractor or worker of a Lano client, your personal data is processed on behalf of your employer or contracting entity. In such cases, your employer or contracting entity is the data controller and the main contact point for any requests regarding your data protection rights.
In specific constellations, such as where third-party payroll or service partners use the Lano Platform to deliver payroll, payment or related HR services to their own customers, Lano acts as a Subprocessor within the meaning of Article 28(2) GDPR. In these cases, the respective payroll partner acts as a processor on behalf of its customer (typically an employer), while Lano provides the underlying technical infrastructure and processes data solely on the documented instructions of that partner. The payroll partner or its customer remains the Controller in these cases.
Personal data refers to any information that can be used to identify an individual.
We may collect, use, store and transfer different kinds of personal data about you, which we have grouped together as follows:
Identity Data includes first name, last name, username or similar identifier, title, date of birth and gender.
Contact Data includes billing address, delivery address, email address and telephone numbers.
Financial Data includes bank account and payment card details.
Transaction Data includes details about payments to and from you and other details of products and services you have purchased from us.
Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, device ID and other technology on the devices you use to access this website.
Profile Data includes your username and password, requests made by you, your interests, preferences, feedback and responses.
Usage Data includes information about how you interact with and use our website, products and services, and user or tracking information from cookies and similar technologies like local storage on the device.
Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.
We also collect, use and share aggregated data such as statistical data which is not personal data as it does not directly (or indirectly) reveal your identity. For example, we may aggregate individuals' Usage Data to calculate the percentage of users accessing a specific website feature in order to analyse general trends in how users are interacting with our Website to help improve the website and our service offering.
We use different methods to collect data from and about you, including through:
Your interactions with our website. You may provide personal data by interacting with elements on our website. This typically includes Identity and Contact Data and may be provided when you:
request information via chat;
subscribe to our newsletter;
request marketing materials;
request a demo;
contact us or provide feedback;
create an account on our Platform;
use our Services.
Third-party technologies. As you interact with our website, we may also collect additional data and store or access information on the device using cookies and similar technologies like local storage, pixel or tags. This includes information from:
necessary tools, e.g. for consent management;
analytics tools, e.g. for analysis of user behaviour and to track conversions;
advertising tools, e.g. to create user profiles and display personalised advertising;
external content and media, e.g. to embed videos;
customer relationship and marketing platforms; and
chat and communication tools.
These third-party tools may collect Technical and Usage Data, which we especially use to better understand your interests and tailor our communications and marketing efforts. Please see our cookie policy for more details regarding the specific tools, providers, purposes, data processed, legal basis, recipients, transfer to third countries, and the information stored on your device, including cookies, local and session storage. The cookie- and tracking-based tools listed in our Cookie Policy are used exclusively for our Website. These tools are not used within the Lano Platform or in the context of our client-facing Services and therefore do not constitute Subprocessors under Article 28 GDPR.
For more information about the cookies we use and how to change your cookie preferences, please see https://www.lano.io/cookie-consent
The law requires us to have a legal basis for collecting and using your personal data. We rely on one or more of the following legal bases:
Consent (Art. 6(1)(a) GDPR): We rely on your consent only where we have obtained your active agreement to use your personal data for a specific purpose, for example when you subscribe to our email newsletter, accept optional tools in our consent banner, or register on our platform.
Performance of a contract or pre-contractual measures (Art. 6(1)(b) GDPR): We process your personal data when it is necessary to perform a contract we are about to enter into or have already entered into with you, or to take steps at your request prior to entering into such a contract.
Compliance with legal obligations (Art. 6(1)(c) GDPR): We may process your personal data where it is necessary to comply with a legal obligation to which we are subject. Where applicable, we will identify the relevant obligation.
Legitimate interests (Art. 6(1)(f) GDPR): We may process your personal data where it is necessary for our legitimate business interests, for example to prevent fraud or to ensure the best and most secure customer experience. Before relying on this basis, we carefully balance our interests against your rights and freedoms. We do not process your personal data where our interests are overridden by the impact on you, unless we have your consent or are otherwise required or permitted by law.
We have set out below a description of the purposes for which we process your personal data, the legal bases we rely on, and, where applicable, our legitimate interests:
Registration: Creation and maintenance of customer accounts and contracts (Art. 6(1)(b), (f) GDPR).
Payment processing and debt collection: Processing of financial information to fulfil payments or collect debts (Art. 6(1)(b) GDPR).
Customer Relationship Management:
Notification of changes to terms and conditions or privacy policies for contract performance (Art. 6(1)(b) GDPR) and to maintain customer loyalty (Art. 6(1)(f) GDPR).
Handling inquiries, complaints, and queries to maintain customer loyalty (Art. 6(1)(f) GDPR).
Provision of customer support to ensure service quality and customer loyalty (Art. 6(1)(f), (b) GDPR).
Handling of data subject rights requests to comply with legal obligations (Art. 6(1)(c) GDPR).
Administration and protection of the company, platform, and website: Including troubleshooting, data analysis, testing, system maintenance, support, reporting, and data hosting, for IT security, functionality, fraud prevention, and traceability of system events (Art. 6(1)(f) GDPR).
Online advertising and effectiveness measurement: Processing technical and usage data to display advertising, measure its effectiveness, improve products and services, and optimize marketing strategies (Art. 6(1)(a), (f) GDPR, depending on whether cookies or third-party tools are used).
Data analysis: To improve our website and services (e.g. ensuring content is up-to-date and relevant), strengthen customer relationships (e.g. identifying target groups for our products and services), and enhance the effectiveness of customer communications (e.g. measurement of open rates, click rates, and conversion rates) (Art. 6(1)(a), (f) GDPR, depending on whether cookies or third-party tools are used).
Marketing:
Marketing communications and personalized recommendations, e.g. newsletters, based on consent (Art. 6(1)(a) GDPR).
Direct marketing to existing customers in order to maintain customer loyalty and grow our business, based on legitimate interests (Art. 6(1)(f) GDPR in conjunction with § 7(3) Act Against Unfair Competition (UWG)).
(1) Direct marketing
You may receive marketing communications from us if you have requested information or purchased services and have not objected to receiving such communications. We may also analyse your identity, contact, technical, usage, and profile data to better understand your interests and send you relevant communications.
(2) Online advertising and effectiveness measurement
We also use online advertising and measure its effectiveness. For this purpose, we process technical and usage data to improve our products, services, and marketing strategies. Where third-party tools or cookies are involved, this requires your prior consent.
(3) Third-party marketing
We will only share your personal data with third parties for their own marketing purposes if you have given us explicit consent.
(4) Withdrawing consent vs. objecting to direct marketing
Withdrawal of consent: If you have given consent to the use of third-party marketing, cookies or other tracking technologies for optional services including those for marketing and analytics purposes, or to receive newsletters, you may withdraw your consent at any time. You can do this by updating your preferences in our cookie banner, via our cookie consent page at https://www.lano.io/cookie-consent or, if it concerns newsletters, by following the unsubscribe link included in any marketing email we send. You may also contact us directly at privacy@lano.io.
Objection to direct marketing: you have the right to object to receiving marketing communications at any time. You can do so by following the unsubscribe link included in any marketing email we send, or by contacting us directly at privacy@lano.io.
Please note that even if you withdraw consent or object to marketing communications, we may still contact you regarding administrative or service-related matters, such as changes to our terms or privacy policy.
We will generally only disclose the data we collect if
you have given your express consent pursuant to Art. 6(1)(a) GDPR.
disclosure pursuant to Art. 6(1)(f) of the GDPR is necessary in order to assert, exercise, or defend legal claims and there is no reason to assume that you have an overriding interest worthy of protection in not disclosing your data.
we are legally obliged to disclose it pursuant to Art. 6(1)(c) GDPR.
this is legally permissible and, pursuant to Art. 6(1)(b) GDPR, is necessary for the processing of contractual relationships with you or for steps prior to entering into a contract carried out at your request.
Your data will be forwarded especially to the recipients mentioned in our cookie policy and hereafter:
LeadFeeder: Liidio Oy, Mikonkatu 17 C, Helsinki 00100, Finland (for lead generation by the allocation of IP addresses to publicly available company information).
Calendly LLC, 1315 Peachtree St NE, Atlanta, GA 30309, USA (for online demo appointments).
Mixpanel, Inc., 405 Howard St., CA 94105 San Francisco, USA (for further processing of website analysis data).
Some data processing may be carried out by our service providers. In addition to the service providers mentioned in this privacy policy, these may include
data centres that store our website and databases,
IT service providers that maintain our systems,
consulting firms;
our Data Protection Officer.
Should we disclose data to our service providers, they may use it solely to fulfil their tasks. We have carefully selected and commissioned the service providers. They are contractually bound by our instructions, have appropriate technical and organisational measures in place to protect the rights of data subjects, and are regularly monitored by us.
Furthermore, we may transfer your personal data to other recipients who process your personal data under their own responsibility. These may include the following in particular:
Postal service providers;
Credit institutions and payment service providers;
Tax consultants, lawyers or auditors;
Public bodies such as authorities and courts.
We make use of services offered by providers that may be located in “third countries” (e.g. the US, namely outside the EU/EEA), i.e. countries that do not have a level of data protection comparable to that in the European Union. Where this is the case and where the European Commission has not adopted an adequacy decision (under Art. 45 GDPR), we have taken precautions to ensure an adequate level of data protection for any transfers of data. These include but are not limited to conclusion of the European Union’s standard contractual clauses and binding corporate rules.
In the case of the data transfer to the US, the adequacy decision under Art. 45 GDPR only applies if the US recipient has certified itself for the EU-US Data Privacy Framework. If data is transferred to US providers of third-party tools, you will be informed in our cookie policy when they are certified for the EU-US Data Privacy Framework.
Where this is not possible, we use as the legal basis for data transfers the derogations set out in Art. 49 GDPR, in particular your explicit consent or the necessity of the transfer for the performance of a contract.
If data is to be transferred to a third country and neither an adequacy decision nor other suitable guarantees are available, there exists the possibility and risk that authorities in the third country (e.g. secret services) may obtain access to the transferred data for the purpose of collecting and analysing it, and that your rights as a data subject may not be enforceable.
How long will you use my personal data for?
In principle, we store personal data for only as long as is necessary to fulfil the contractual or statutory obligations for which we have collected the data. We then delete the data immediately, unless we need the data until the end of the statutory limitation period for purposes of evidence for civil claims or due to statutory retention obligations.
For evidence purposes, we must retain contract data for a further three years beyond the end of the year in which our business relationship with you is terminated. Any claims become statute-barred at the earliest after the statutory period of limitation.
Even after this time, we still need to store some of your data for accounting purposes. We are obliged to do so on the basis of statutory documentation obligations that may arise from the German Commercial Code, the German Fiscal Code, the German Banking Act, the German Money Laundering Act and the German Securities Trading Act. The periods they stipulate for the retention of documents range from two to ten years.
Your data will be stored especially for the following periods:
Registration (Customer Accounts & Contracts):
Stored for the duration of the contract/account. After termination:
– contractual data for the duration of statutory limitation periods (generally 3 years, § 195 BGB),
– business correspondence 6 years (§ 257 (1) Nos. 2, 3 HGB; § 257 (4) HGB),
– commercial and tax-relevant documents (e.g. invoices, accounting vouchers) 10 years (§ 147 (1) Nos. 1, 4 AO; § 147 (3) AO; § 257 (1) Nos. 1, 4 HGB).
Payment Processing and Payroll (customer data processed on behalf):
Stored only for the duration of the contractual relationship with the customer and in accordance with the customer’s instructions (Art. 28 (3) GDPR).
Note: Statutory retention obligations under AO/HGB apply to the customer as controller, not to us as processor.
Debt Collection (own claims):
Stored until payment has been made or until expiry of statutory limitation periods (generally 3 years, § 195 BGB; up to 30 years for enforceable claims).
Customer Relationship Management (CRM):
– Notifications about changes to terms/privacy: for the duration of the contractual relationship and for statutory limitation periods (generally 3 years, § 195 BGB).
– Inquiries, complaints, support tickets: generally 3 years after the last contact (§ 195 BGB).
– Customer history (support): for the duration of the customer relationship; deleted or anonymised upon expiry of statutory limitation periods (generally 3 years, § 195 BGB).
Administration and protection of company, platform and website (troubleshooting, data analysis, testing, maintenance, support, reporting, hosting):
– for as long as required to fulfil the respective purpose; afterwards the data will be deleted or anonymised,
– in the event of security incidents: until the investigation has been completed and for the duration of statutory limitation periods (generally 3 years, § 195 BGB),
– logfiles: typically 7–30 days,
– security and access logs: 6 months.
Online advertising and campaign measurement:
Stored for long-term campaign analyses, maximum 2 years;
cookie IDs, IP addresses, user IDs: 6–13 months.
Data analysis (service/website improvement, customer relationships, communication effectiveness):
– for long-term analyses or product development cycles: max. 2 years,
– open rates, click rates, conversion rates: 6–12 months.
Marketing communications (newsletters, personalised recommendations, direct marketing):
– Newsletters/personalised recommendations: until consent is withdrawn; thereafter retained for statutory limitation periods (generally 3 years, Art. 7 (1) GDPR; § 195 BGB).
– Direct marketing: until the end of the customer relationship or until objection; thereafter retained for statutory limitation periods (generally 3 years, § 195 BGB).
In some circumstances you can ask us to delete your data: see [9] below for further information.
In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
You can find the specific storage periods of information stored on your device such as cookies and local storage in our cookie policy.
You have the following rights under data protection laws in relation to your personal data:
access to information about how we process your personal data at any time (Art. 15 GDPR). We will explain our data processing procedures to you and provide you with a summary of the personal data concerning you that we hold. If data we have stored is incorrect or obsolete, you have the right to have this data rectified (Art. 16 GDPR).
request the erasure of your data (Art. 17 GDPR). If, in exceptional cases, erasure is not possible due to other legal regulations, the data will be blocked so that it is only available for this legal purpose.
restrict processing of your personal data if, for example, you have doubts about the accuracy of this data (Art. 18 GDPR).
receive your personal data in a structured, commonly used and machine-readable format (Art. 20 GDPR);
withdraw consent once given to us at any time (Art. 7 (3) GDPR). As a result, we will not continue to process data based on this consent in the future. Withdrawal of consent will not affect the lawfulness of the processing carried out on the basis of the consent prior to withdrawal.
object to the processing of your data on grounds relating to your particular situation at any time, if we process your data on the basis of legitimate interests or for direct marketing (Art. 21 GDPR).
not to be subject to a decision based solely on automated processing which produces legal effects or similarly significantly affects you, including the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision (Art. 22 GDPR).
file a complaint with the data protection supervisory authority (Art. 77 GDPR). You may exercise this right before any EU supervisory authority of your choice, for example, in the Member State in which you are staying, working or in the place of the alleged infringement. In Berlin, where Lano Software GmbH is based, the competent supervisory authority is Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit), Alt-Moabit 59-61, 10555 Berlin, Germany.
Should you wish to exercise your rights, simply send an informal email to the contact details given in Section 10 Contact Details below.
No fee usually required
You will not have to pay a fee to access your personal data (or to exercise any of the other rights).
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
Time limit to respond
We try to respond to all legitimate requests without undue delay and in any event within one (1) month of receipt of the request. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
If you have any questions about this privacy policy or about the use of your personal data or you want to exercise your privacy rights, please contact our DPO or us in the following ways:
DPO
ISiCO GmbH
Am Hamburger Bahnhof 4, 10557 Berlin, Germany
Telephone: +49 (0)30 213 00 28 0
Email: info@isico.de
Please note that emails sent to this address will not only be read by the data protection officer. Should you require a confidential exchange with the DPO, please state "To the attention of the data protection officer" in the subject line.
Controller
Lano Software GmbH
Revaler Straße 30, 10245 Berlin, Germany
Telephone: +49 30 5683 9697
Email: privacy@lano.io
We regularly review our privacy policy, for instance, to update our website or in response to changes in statutory or regulatory requirements.
It is important that the personal data we hold about you is accurate and up to date. Please keep us informed if your personal data changes during your relationship with us, for example, a new address or email address.
Version: 2.0
Last review: 01.01.2026
© Lano Software GmbH 2026