# Legitimate Interest Assessment (LIA)

**SnapSell AI**
**Data Controller:** Nova AI Ventures
**Assessment Date:** January 2025
**Next Review:** January 2026

---

## 1. Introduction

This document records Legitimate Interest Assessments (LIAs) conducted by SnapSell AI for processing activities that rely on Article 6(1)(f) of the GDPR as their legal basis.

A legitimate interest assessment involves three tests:
1. **Purpose Test** - Is there a legitimate interest behind the processing?
2. **Necessity Test** - Is the processing necessary for that purpose?
3. **Balancing Test** - Do the individual's interests override the legitimate interest?

---

## 2. LIA Summary

| ID | Processing Activity | Legitimate Interest | Assessment Result |
|----|---------------------|---------------------|-------------------|
| LIA-001 | Security & Fraud Prevention | Protect platform and users | ✅ Approved |
| LIA-002 | AI Model Improvement | Improve service quality | ✅ Approved (with opt-out) |
| LIA-003 | Bug Fixing & Error Logging | Maintain service quality | ✅ Approved |
| LIA-004 | Service Analytics | Business improvement | ❌ Consent required |

---

## 3. LIA-001: Security & Fraud Prevention

### 3.1 Processing Description

| Field | Details |
|-------|---------|
| **Processing Activity** | Monitoring platform activity, logging access events, detecting suspicious behavior |
| **Data Processed** | IP addresses, access timestamps, authentication events, behavioral patterns |
| **Data Subjects** | All platform users |
| **Automated Processing** | Yes - automated anomaly detection |

### 3.2 Purpose Test

**What is the legitimate interest?**

Protecting the platform, users, and their data from:
- Unauthorized access attempts
- Fraudulent account creation
- Payment fraud
- Platform abuse (spam, fake listings)
- Security breaches

**Is this interest legitimate?**

Yes. Security and fraud prevention are recognized legitimate interests under:
- GDPR Recital 47: "processing...strictly necessary for the purposes of preventing fraud"
- GDPR Recital 49: "processing...strictly necessary...for ensuring network and information security"

**Is there a benefit to the controller?**

Yes - protects business operations and reputation.

**Is there a benefit to third parties or society?**

Yes - protects legitimate users from fraud and creates a trustworthy marketplace.

### 3.3 Necessity Test

**Is the processing necessary?**

Yes. Without security monitoring:
- Fraudulent accounts could proliferate
- Payment fraud would increase
- User data could be compromised
- Platform integrity would suffer

**Are there less intrusive alternatives?**

| Alternative | Assessment |
|-------------|------------|
| No monitoring | Not viable - leaves platform vulnerable |
| Post-incident only | Insufficient - damage already done |
| Consent-based | Not appropriate for security functions |
| Anonymized only | Insufficient for investigating specific threats |

**Conclusion:** Current processing is the minimum necessary for effective security.

### 3.4 Balancing Test

**Impact on Data Subjects:**

| Factor | Assessment |
|--------|------------|
| Nature of data | Technical data, not sensitive content |
| Expectations | Users expect platform to be secure |
| Relationship | Direct relationship as registered users |
| Vulnerability | No special vulnerability considerations |
| Volume | Moderate - logs and events, not content |

**Mitigating Measures:**

| Measure | Implementation |
|---------|----------------|
| Data minimization | Only security-relevant data collected |
| Retention limits | 90 days for logs, 1 year for audit trails |
| Access controls | Security team only, logged access |
| Transparency | Disclosed in Privacy Policy |

**Balancing Conclusion:**

The legitimate interest in security **OUTWEIGHS** individual interests because:
1. Processing is expected by users (everyone wants a secure platform)
2. Data is technical/operational, not personal communications or content
3. Short retention periods limit exposure
4. Strong access controls protect against misuse
5. Without this processing, users would face greater risks

### 3.5 Assessment Decision

| Decision | ✅ APPROVED |
|----------|-------------|
| Legal Basis | Article 6(1)(f) - Legitimate Interest |
| Opt-Out Available | No (security is essential) |
| Review Date | January 2026 |

---

## 4. LIA-002: AI Model Improvement

### 4.1 Processing Description

| Field | Details |
|-------|---------|
| **Processing Activity** | Using anonymized and aggregated data from photo processing to improve AI enhancement quality |
| **Data Processed** | Anonymized photo characteristics, enhancement quality metrics, aggregated usage patterns |
| **Data Subjects** | Users who use AI features and have not opted out |
| **Automated Processing** | Yes - automated data aggregation and model training |

### 4.2 Purpose Test

**What is the legitimate interest?**

Improving the quality of AI photo enhancement services for all users by:
- Learning from enhancement patterns
- Identifying quality issues
- Optimizing algorithms
- Providing better results

**Is this interest legitimate?**

Yes. Continuous improvement of services is a recognized legitimate interest under Recital 47. This benefits all users through better service quality.

**Benefits:**
- Controller: Competitive advantage, better product
- Users: Improved photo enhancement results
- Society: Advancement of AI technology

### 4.3 Necessity Test

**Is the processing necessary?**

Yes, for meaningful AI improvement. AI models require training data to improve.

**Less intrusive alternatives:**

| Alternative | Assessment |
|-------------|------------|
| No improvement | Viable but degrades service over time |
| Synthetic data only | Insufficient - doesn't reflect real-world usage |
| Consent-only | Viable alternative - but would significantly limit data available |
| Anonymized + opt-out | ✅ **SELECTED** - balanced approach |

**Conclusion:** Anonymized processing with opt-out is the proportionate approach.

### 4.4 Balancing Test

**Impact on Data Subjects:**

| Factor | Assessment |
|--------|------------|
| Nature of data | Product photos (anonymized), not personal content |
| Expectations | Users may expect their photos to remain private |
| Sensitivity | Low - product photos, not personal images |
| Volume | Individual photos are not stored; only derived metrics |

**Privacy Concerns:**
- Users may not expect their photos to contribute to training
- Some users may be selling unique/valuable items
- Possible (though low) risk of re-identification

**Mitigating Measures:**

| Measure | Implementation |
|---------|----------------|
| Anonymization | Photos not stored; only derived characteristics |
| Aggregation | Data combined across many users |
| Opt-out | Easy opt-out in Privacy Settings |
| Transparency | Clearly disclosed in Privacy Policy |
| No re-identification | Technical measures prevent linking back |

**Balancing Conclusion:**

The legitimate interest **OUTWEIGHS** individual interests **WITH SAFEGUARDS** because:
1. Data is anonymized before use
2. Individual photos are not stored or identifiable
3. Easy opt-out respects user choice
4. Benefit flows back to users through better service
5. Processing is transparent and disclosed

**However**, due to some user expectations that photos remain private, an **opt-out mechanism is required**.

### 4.5 Assessment Decision

| Decision | ✅ APPROVED WITH CONDITIONS |
|----------|------------------------------|
| Legal Basis | Article 6(1)(f) - Legitimate Interest |
| Conditions | Must provide easy opt-out mechanism |
| Opt-Out Available | Yes - in Privacy Settings |
| Default State | Opted in (with clear disclosure) |
| Review Date | January 2026 |

---

## 5. LIA-003: Bug Fixing & Error Logging

### 5.1 Processing Description

| Field | Details |
|-------|---------|
| **Processing Activity** | Collecting error logs and crash reports to identify and fix bugs |
| **Data Processed** | Error messages, stack traces, device information, user IDs (for context), action sequences |
| **Data Subjects** | Users who encounter errors |
| **Retention** | 90 days |

### 5.2 Purpose Test

**What is the legitimate interest?**

Maintaining service quality and reliability by:
- Identifying bugs quickly
- Understanding error context
- Prioritizing fixes
- Preventing recurrence

**Is this interest legitimate?**

Yes. Providing a functional, reliable service is essential to contract performance and business operation.

### 5.3 Necessity Test

**Is the processing necessary?**

Yes. Without error logging:
- Bugs go undetected
- User-reported issues lack context
- Development is blind to problems
- Service quality degrades

**Less intrusive alternatives:**

| Alternative | Assessment |
|-------------|------------|
| No logging | Not viable - cannot maintain quality |
| User reports only | Insufficient - many errors unreported |
| Fully anonymized | Insufficient - cannot investigate specific issues |
| Pseudonymized + short retention | ✅ **SELECTED** |

### 5.4 Balancing Test

**Impact on Data Subjects:**

- Technical data, not personal communications
- Users expect service to work correctly
- Error context helps fix issues faster
- 90-day retention is proportionate

**Mitigating Measures:**
- Short retention (90 days)
- Access limited to development team
- No profiling or secondary use
- Transparent disclosure

**Conclusion:** Legitimate interest **OUTWEIGHS** individual interests.

### 5.5 Assessment Decision

| Decision | ✅ APPROVED |
|----------|-------------|
| Legal Basis | Article 6(1)(f) - Legitimate Interest |
| Opt-Out Available | No (essential for service) |
| Review Date | January 2026 |

---

## 6. LIA-004: Service Analytics (Website Usage)

### 6.1 Processing Description

| Field | Details |
|-------|---------|
| **Processing Activity** | Tracking website usage patterns, page views, and user journeys |
| **Data Processed** | IP addresses, device info, pages visited, time on site, referrer |
| **Data Subjects** | All website visitors |
| **Tool** | Google Analytics |

### 6.2 Purpose Test

**What is the legitimate interest?**

Understanding how users interact with the platform to improve design and features.

**Is this interest legitimate?**

Yes, but it's primarily a business optimization interest rather than essential to service delivery.

### 6.3 Necessity Test

**Is the processing necessary?**

Partially. The business can operate without detailed analytics, though improvement would be slower.

**Less intrusive alternatives:**

| Alternative | Assessment |
|-------------|------------|
| No analytics | Viable - can operate without |
| Aggregated only | Partially effective |
| First-party analytics | More privacy-friendly |
| Consent-based GA | ✅ **SELECTED** |

### 6.4 Balancing Test

**Impact on Data Subjects:**
- Tracking across sessions
- Data shared with third party (Google)
- Not strictly necessary for service
- Users may not expect tracking

**Conclusion:** Individual interests may **OUTWEIGH** legitimate interest for tracking analytics.

### 6.5 Assessment Decision

| Decision | ❌ LEGITIMATE INTEREST NOT APPROVED |
|----------|--------------------------------------|
| Reason | Third-party tracking without necessity tilts balance toward data subjects |
| Alternative Legal Basis | Article 6(1)(a) - Consent |
| Implementation | Analytics cookies require opt-in consent via cookie banner |
| Review Date | January 2026 |

---

## 7. Summary of Approved Legitimate Interests

| Processing | Legal Basis | Opt-Out | Safeguards |
|------------|-------------|---------|------------|
| Security & Fraud Prevention | Art. 6(1)(f) | No | Short retention, access controls |
| AI Model Improvement | Art. 6(1)(f) | Yes | Anonymization, easy opt-out |
| Bug Fixing & Error Logging | Art. 6(1)(f) | No | 90-day retention, dev team only |
| Service Analytics | Art. 6(1)(a) | N/A | Requires consent |

---

## 8. Review & Updates

This LIA document is reviewed:
- **Annually:** Full review of all assessments
- **On Change:** When processing activities change
- **On Request:** When concerns are raised

---

## 9. Contact

Questions about legitimate interest processing:

**Email:** privacy@snap-sell.app

**Data Controller:**
SnapSell AI
Operated by Nova AI Ventures
Registered in Poland

**Supervisory Authority:**
PUODO - President of the Personal Data Protection Office

---

*This Legitimate Interest Assessment is part of SnapSell AI's GDPR compliance documentation.*
