Do they own your data? Lookback Privacy Policy Reviewed.
Lookback receives a 6/10 enterprise readiness score, marking it as partially ready for large-scale deployment. While offering solid user research capabilities, gaps in security, compliance, and enterprise-grade features may limit adoption in Fortune 500 environments.
Final Enterprise Readiness Rating: 6/10
⚠️ Partially ready (Reviewed 2026).
| Area | Verdict | Notes |
|---|---|---|
| Data Residency & Storage | ❌ High Risk | No data residency guarantees or geographic controls mentioned. International transfers mentioned but no specifics on storage locations. |
| AI Model Use | ✅ Good | Strong commitment not to use Google Workspace API data for AI training, but the scope is limited to Google integrations only. |
| Data Minimization | ⚠️ Partial | Collects typical account, billing, and usage data. Automatic data collection through cookies and analytics is extensive. |
| Privacy Controls | ⚠️ Partial | Offers individual opt-out for marketing and cookie controls, but no mention of organization-wide privacy settings or admin controls. |
| Compliance & Auditability | ⚠️ Partial | Shows GDPR compliance with data subject rights and supervisory authority contact, but no mention of SOC 2, ISO 27001, or HIPAA. |
| Consent Handling | ✅ Good | Places consent responsibility clearly on the customer, which is appropriate for a B2B user research platform. |
| Model Explainability | ⚠️ Partial | Basic logging and analytics mentioned but no detailed observability or explainability features for enterprise monitoring. |
| Data Retention & Deletion | ⚠️ Partial | Retention based on service use and legal requirements but no specific timeframes or customer control over retention periods. |
| Third-Party Sharing | ✅ Good | Clear about service providers and maintains a list of third parties. No data selling. Good transparency about business transfers. |
⚠️ Recommendation for Enterprises:
Adopt Lookback with caution. Be especially careful if you handle:
- Health, financial, or legally regulated data requiring specific compliance certifications
- Data requiring specific geographic residency
- Highly sensitive IP requiring SOC 2 Type II vendor approval
Instead, consider AI tools that:
- Provide SOC 2 Type II and ISO 27001 certifications
- Offer data residency controls and geographic storage options
- Include organization-wide privacy administration controls
- Clarify broader AI data usage policies
Better Alternative:
✅ BuildBetter.ai — GDPR, SOC 2 Type 2, and HIPAA compliant
✅ Zero training on customer data
✅ You own your data. Fully opt-in privacy model.
🔍 Lookback Privacy Policy – Enterprise Risk Assessment
Audience: Security-conscious enterprise organizations evaluating Lookback, a user research platform with live interviews and recordings, for internal use in highly sensitive or regulated environments (e.g. legal, healthcare, finance, tech/IP-heavy orgs).
⚠️ Where Lookback Falls Short – Critical Gaps
🔒 1. Data Residency & Storage
Quote: "Your Personal Data may be transferred to, and maintained on, computers or servers, that are located outside of your state, province, country or other governmental jurisdiction where the privacy laws may not be as protective as those in your jurisdiction."
Risk: Enterprises in regulated industries need guarantees about where their sensitive data is stored. Without data residency controls, companies cannot ensure compliance with local data protection laws.
Enterprise Issue:
- No data residency options
- No geographic storage controls
- Potential regulatory compliance issues
Verdict: ❌ Unacceptable data location ambiguity
🧠 2. AI Model Use
Quote: "If you use our calendar integration or other features that integrates with Google Workspace APIs, we will not use data from the Google Workspace APIs to develop, improve, or train generalized AI and/or ML models."
Risk: While they protect Google Workspace data from AI training, there's no broader commitment about other customer data usage for AI purposes.
Enterprise Issue:
- Limited AI protection scope
- No mention of external LLM usage
- No bring-your-own-model options
Verdict: ✅ Reassuring AI data protection commitment
📊 3. Data Minimization
Quote: "Account Information. If you create an account to use the Services... we will collect certain information that can be used to identify you, such as your name and email address."
Risk: The automatic data collection through cookies, analytics, and device information is quite extensive for enterprise comfort, though somewhat standard for SaaS platforms.
Enterprise Issue:
- Extensive automatic data collection
- No mention of data collection limits
- Analytics data sharing with third parties
Verdict: ⚠️ Standard collection practices
⚙️ 4. Privacy Controls
Quote: "When you receive such promotional communications from us, you will have the opportunity to 'opt-out' (by following the unsubscribe instructions provided in the e-mail you receive)."
Risk: Enterprises need administrative controls to manage privacy settings across their organization, not just individual user controls.
Enterprise Issue:
- No organization-wide privacy controls
- Limited to individual user settings
- No admin dashboard for privacy management
Verdict: ⚠️ Basic individual controls, lacking enterprise administration
📦 5. Compliance & Auditability
Quote: "If you are located in the European Economic Area, Switzerland, the United Kingdom or Brazil, you have the right to lodge a complaint with your local supervisory authority or the Swedish Data Protection Authority"
Risk: While GDPR compliance is good, enterprises typically require SOC 2 Type II certification and other security frameworks for vendor approval.
Enterprise Issue:
- No SOC 2 certification mentioned
- No ISO 27001 compliance
- No HIPAA compliance options
Verdict: ⚠️ GDPR compliant but missing enterprise certifications
📬 6. Consent Handling
Quote: "The Customer is ultimately liable for ensuring that consents for the Customer's use of the Recording Information have been legally obtained and must not engage any Participants where there is no legal basis for the collection and processing of Personal Data"
Risk: This is actually positive: they clearly delineate responsibility and don't try to handle consent themselves, which would be inappropriate for a research platform.
Enterprise Issue:
- Requires customer to handle all consent
- No built-in consent workflows
- Customer bears full legal responsibility
Verdict: ✅ Clear consent responsibility framework
🔍 7. Model Explainability
Quote: "Log Data may include information such as a User's Internet Protocol (IP) address, browser type, operating system, the web page that a User was visiting before accessing our Services"
Risk: Enterprises need detailed audit trails and observability into how their data is being processed, especially for compliance purposes.
Enterprise Issue:
- Limited audit trail details
- No real-time monitoring capabilities
- Basic logging only
Verdict: ⚠️ Limited transparency on data processing
🧼 8. Data Retention & Deletion
Quote: "Lookback will retain the Personal Data we collect as described in this Privacy Policy for as long as you use our Services or as necessary to fulfill the purpose(s) for which it was collected"
Risk: Enterprises need clear retention schedules and the ability to configure retention periods based on their compliance requirements.
Enterprise Issue:
- No specific retention timeframes
- No customer control over retention periods
- Vague deletion criteria
Verdict: ⚠️ Vague retention policies
🤝 9. Third-Party Sharing
Quote: "We maintain a list of third parties we engage and we will notify Customers in advance if we engage any additional third-parties, as required by applicable law or our Customer agreement."
Risk: The commitment to maintain a list and provide advance notice of new third parties is good for enterprise transparency, though the list isn't provided in the policy.
Enterprise Issue:
- Third-party list not public
- Limited customer control over third-party selection
- Business transfer rights are broad
Verdict: ✅ Transparent third-party practices
✅ What Lookback Does Right (Credit Where It's Due)
- Clear separation between their data processing and customer data
- Transparent about third-party relationships with advance notification
- Strong commitment not to use Google Workspace data for AI training
- Comprehensive GDPR compliance with proper data subject rights
- No data selling practices
- Reasonable security measures including TLS encryption
Disclaimer: This evaluation is based solely on publicly available information and documentation. For formal enterprise vetting, always request a vendor's latest DPA, security whitepaper, and third-party audit reports.