Privacy Policy
This policy explains how Lightr.ai (“we,” “us,” “our”) collects, uses, stores, shares, and protects personal information when you use our marketing automation platform and related services (the “Service”). It complies with the EU General Data Protection Regulation (“GDPR”), the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”), and other applicable data protection laws.
By using the Service, you agree to these practices. This policy should be read alongside our Terms of Service, Website Terms, and Data Processing Addendum.
I. Data Controller
Controller: Lightr.ai, Inc., 1111 South Governors Avenue #45445, Dover, DE 19904, United States.
EU Representative (GDPR Art. 27): Kylence SAS, 8 rue Honoré de Balzac, 35700 Rennes, France.
Contact: privacy@lightr.ai
II. Information We Collect
1. Information You Provide
- Account Data: Name, email address, and password.
- Billing Data: Payment information processed by Stripe (PCI-compliant). We do not store full card numbers.
- Communication Data: Support requests, survey responses, and feedback.
- Business Profile Data: Company name, industry, marketing goals, and other business information you configure.
2. Third-Party Platform Data (API Integrations)
When you connect a platform, we access only the data necessary to perform the functions you have configured.
| Platform | Data Accessed | Purpose |
|---|---|---|
| | Authenticated member profile data (name, headline, photo); organization page data; post and engagement metrics; ad account data (campaign performance, conversion attribution); audience insights (aggregate demographic/firmographic data); Lead Gen Form response data | Content publishing and scheduling; post performance analytics; ad campaign management and reporting; conversion tracking; audience insights |
| WhatsApp Business | Business profile, contact lists, message content | Broadcast management, automated response routing |
| | Page info, post engagement metrics, Messenger content | Campaign performance tracking, audience interaction analysis |
| | Business handle, audience insights, DM content | Engagement automation, audience analysis |
| X (Twitter) | Handle, bio, follower/following metadata, DM content | Social listening, content engagement |
| TikTok | Channel statistics, video metadata | Growth metrics, performance analytics |
| YouTube | Channel statistics, video metadata | Content performance analytics |
| Google (Business Profile, Ads, Analytics) | Business Profile info, reviews metadata, Ads campaign metrics, Analytics site/app data (as authorized via OAuth) | Reputation management, ad campaign performance tracking, audience and traffic analytics |
Message content: Lightr.ai analyzes incoming messages on supported platforms to generate AI-powered suggested replies. Not all platforms provide message content access — availability depends on each platform’s API capabilities. For example, LinkedIn does not include private message access. Message content is processed in real time solely for generating reply suggestions and is never used for advertising, profiling, or AI model training. See retention limits in Section VII.
3. Automatically Collected Information
- Log and Device Data: IP address, browser type, device type, OS, referring URL, pages visited, timestamps.
- Cookies: We use strictly necessary, functional, and analytics cookies. We do not use marketing or advertising cookies. See our Cookie Policy for details.
III. Legal Bases for Processing (GDPR)
| Processing Activity | Legal Basis |
|---|---|
| Service delivery (account management, automation features) | Contract (Art. 6(1)(b)) |
| Third-party platform metadata access | Contract (Art. 6(1)(b)) |
| Message content analysis for suggested replies | Contract (Art. 6(1)(b)) |
| Analytics and service improvement | Legitimate interest (Art. 6(1)(f)) |
| Administrative and transactional emails | Contract (Art. 6(1)(b)) |
| Marketing communications | Consent (Art. 6(1)(a)) |
| Legal obligations | Legal obligation (Art. 6(1)(c)) |
| Payment processing | Contract (Art. 6(1)(b)) |
Where we rely on legitimate interest, we have conducted a balancing assessment. Request a copy at privacy@lightr.ai.
IV. Advertising and Cross-Device Tracking
When you use Lightr.ai’s advertising features to run campaigns on third-party platforms, those platforms may use cookies, pixels, and device identifiers to track interactions across devices and websites for ad targeting, conversion attribution, retargeting, and audience insights.
Lightr.ai does not independently perform cross-device tracking. The connected platform’s advertising terms and privacy policy govern how it collects and uses data for ad targeting. You are responsible for ensuring compliance with applicable laws, including obtaining required consent for cookie-based tracking under the ePrivacy Directive, GDPR, or equivalent regulations.
Audience Data (such as hashed contact lists or conversion events) transferred to advertising platforms through Lightr.ai is transferred at your direction and under your legal responsibility. Lightr.ai does not target ads based on sensitive data categories.
V. How We Use Your Information
- Service Delivery: Operating automation features, executing campaigns, managing platform connections.
- Service Improvement: Analyzing usage patterns, diagnosing issues, improving performance.
- Communication: Transactional notifications and product updates. Marketing communications only with your consent.
- Security: Monitoring for unauthorized access and protecting system integrity.
- Legal Compliance: Meeting obligations under applicable laws.
We do not sell, trade, or rent your personal information or data retrieved from third-party APIs to data brokers, advertisers, or other third parties.
VI. Sharing with Third Parties
We share personal information only as described in this policy:
Sub-Processors
We use the following service providers, each contractually bound to process data only on our instructions:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Amazon Web Services | Cloud hosting and infrastructure | EU / US |
| Stripe | Payment processing | US (PCI-DSS) |
| Supabase | Database and authentication | EU / US |
| Vercel | Frontend hosting | Global CDN |
| Google Cloud Platform | AI/ML services, API integrations | US / Global |
| Anthropic | Language model API | US |
| OpenAI | Language model API | US |
We notify users by email at least 30 days before adding a new sub-processor.
Business Transfers
In a merger, acquisition, or sale of assets, user data may transfer to the acquiring entity. We provide at least 30 days’ notice.
Legal Requirements
We may disclose personal information when required by law, regulation, or enforceable governmental request.
VII. Data Retention
- Account Data: Duration of active account. Deleted or anonymized within 30 days of account termination.
- Platform Metadata: Duration of active account. Purged within 30 days of disconnecting a platform or account termination.
- Message Content: Maximum 7 days, then permanently deleted.
- Billing Data: 7 years (US tax/commercial law).
- Log and Device Data: 12 months, then anonymized or deleted.
Where a platform’s API terms impose more restrictive retention or caching limits, those limits take precedence and we comply with the more restrictive requirement. This includes shorter caching windows for member profile data and social activity data, and prompt deletion upon member request or revocation of OAuth authorization. The shortest permitted duration governs.
VIII. International Data Transfers
Lightr.ai operates from the United States. When personal data of EEA, UK, or Swiss residents is transferred outside the EEA, we rely on Standard Contractual Clauses, the EU-US Data Privacy Framework, or adequacy decisions as appropriate. Contact privacy@lightr.ai for a copy of applicable safeguards.
IX. Data Security
We maintain administrative, physical, and technical safeguards including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256).
- Role-based access controls and least-privilege principles.
- Regular security assessments.
- Breach notification to affected customers within 48 hours and supervisory authorities within 72 hours (GDPR Art. 33).
No system is perfectly secure. We promptly address any vulnerabilities or incidents.
X. Your Rights
Regardless of location, you may: access, correct, or delete your personal data; request a portable copy; object to or restrict processing; and withdraw consent at any time without affecting prior processing. For platform-specific data, disconnect the integration from your account settings. You may also request deletion through the data deletion controls within the Service.
Contact: privacy@lightr.ai. We respond within 30 days (GDPR) or 45 days (CCPA/CPRA).
EEA/UK/Swiss residents may lodge a complaint with their supervisory authority (France: CNIL at cnil.fr).
California residents: We do not sell personal information as defined by CCPA/CPRA. We do not share personal information for cross-context behavioral advertising. We will not discriminate against you for exercising your privacy rights. Categories collected in the past 12 months: identifiers, commercial information, internet activity, and professional information. Sources: directly from you, third-party platform APIs (with your authorization), and automatic collection via cookies.
XI. Platform Connections and Controls
When you connect a platform, Lightr.ai requests authorization through the platform’s OAuth flow. You control which platforms are connected and may revoke any connection at any time.
For each platform, you may configure:
- Whether metadata access is enabled (default: on).
- Whether message content access is enabled for suggested replies (where supported; default: on).
- Where supported, whether advertising account access is enabled for campaign management.
Revoking a connection triggers immediate cessation of data access and deletion of associated data within 30 days.
XII. Age Restrictions
The Service is designed for business use and is not directed at individuals under 16. We do not knowingly collect information from anyone under 16. Contact privacy@lightr.ai if you believe a child has provided us with personal information.
XIII. Third-Party Services
This policy applies only to data processed by Lightr.ai. Connected platforms are governed by their own privacy policies.
XIV. Changes to This Policy
We notify you of material changes by email at least 30 days before they take effect. Continued use after the effective date constitutes acceptance.
XV. Contact Us
Lightr.ai Privacy Team
Lightr.ai, Inc. (Delaware)
Email: privacy@lightr.ai
Address: 1111 South Governors Avenue #45445, Dover, DE 19904, United States