Privacy Policy

For the purposes of the EU General Data Protection Regulation (GDPR), the data controller is LightSpot.ai, contactable at privacy@lightspot.ai.

• Account data: email address, display name, and the authentication provider you used (magic link or Google).
• Audit data: the URLs you submit, the public HTML content fetched at those URLs, the criteria results we compute, and the reports we generate. Reports include scores, issues, fixes, and optionally a competitor analysis.
• Billing data: we do not store credit-card numbers. Stripe stores them on our behalf and shares back a customer ID, subscription status, plan, and invoice history.
• API key metadata: name you give the key, the SHA-256 hash of the key (we never store the key in cleartext), the first 15 characters of the key for UI recognition, the last-used timestamp, and the revocation timestamp.
• GitHub integration: if you connect a repository, we store an OAuth access token and the repos you grant access to. The token is used to clone the repo and open pull requests on your behalf.
• Logs: request method and path, timestamp, response code, and the IP address making the request — kept for security and debugging for up to 30 days.

• Performance of contract (GDPR art. 6(1)(b)) — to provide the Service you signed up for: running audits, storing reports, processing payments.
• Legitimate interest (art. 6(1)(f)) — to keep the Service secure, fight abuse, and improve the methodology with anonymized aggregate metrics.
• Legal obligation (art. 6(1)(c)) — to issue invoices and respond to lawful requests from authorities.

• Account data: until you close your account, then deleted within 30 days.
• Audit reports and crawled HTML snippets: indefinitely while your account is active, deleted within 30 days of account closure unless you delete them sooner.
• API keys: indefinitely while not revoked; revoked keys are kept (hash + metadata) for audit-trail purposes.
• Stripe subscription state: kept as long as the subscription is active and for the legal retention period required for accounting (up to 10 years).
• Server logs: 30 days.

To provide the Service we share data with the following providers, only to the extent necessary for the purpose listed:

We update this list as our infrastructure evolves. Material additions are announced by email at least 30 days before they take effect.

LightSpot uses only strictly-necessary cookies:

• better-auth.session_token — to keep you signed in. Httponly, expires after 7 days.
• Stripe cookies on the checkout page, for payment fraud detection. Set on Stripe's domain only.

We do not use analytics, advertising, or tracking cookies. Because only strictly-necessary cookies are involved, no consent banner is required under the ePrivacy Directive.

Some of our sub-processors (notably Anthropic, OpenAI, Perplexity, Stripe, GitHub) are based in the United States. Transfers rely on Standard Contractual Clauses or, where applicable, the EU-US Data Privacy Framework. We do not transfer data outside the EU/EEA without an adequate legal basis.

If you are a resident of the EU/EEA or UK, you have the right to:

• access the personal data we hold about you;
• request correction of inaccurate data;
• request deletion of your data (subject to our legal retention obligations);
• request a portable copy of your data;
• object to processing based on legitimate interest;
• withdraw consent where processing is based on consent;
• lodge a complaint with the CNIL or your local data protection authority.

To exercise any of these rights, write to privacy@lightspot.ai. We respond within 30 days.

For Business and Enterprise customers using the Service to audit third-party content, a standalone DPA is available on request. Email privacy@lightspot.ai.

We will notify you of material changes by email and dashboard banner at least 30 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.