1. Controller and contacts
| Controller | Registered address | Privacy contacts |
|---|---|---|
| The Lucky Lighthouse | 14400 Addison St, Sherman Oaks, California 91423, USA | Privacy: Owners@theluckylighthouse.com; DPO: same as above; EU/UK Representative: same as above |
2. Information we collect
- Identifiers and account records. Email address, hashed password or sign-in provider identifier, profile details, and related account metadata.
- Billing and transaction data. Where you purchase a paid plan, limited transaction records (we do not store full card numbers; payments are processed by our payment provider).
- Workspace content. Clients, research items, tasks, notes, and related data you create, scoped to your account.
- Device and usage data. IP address, user agent, request paths, timestamps, approximate location derived from IP, and similar server log data used to operate, secure, and debug the Services.
- Communications. Messages you send to support, feedback, and survey responses.
- Professional information and inferences. Limited professional details you choose to provide and inferences drawn from your use of the Services to operate and improve them.
We do not knowingly collect special-category or other sensitive personal data. If we begin doing so, this policy will be updated.
3. Sources of information
We collect information directly from users; from customers and administrators where an organization invites you to a workspace; from your devices and browsers; from service providers and integrations acting on our behalf; from public sources; and from analytics or marketing partners where applicable.
4. How we use information
- Service delivery, account management, and customer support.
- Analytics, personalization, and improvement of the Services.
- Security, logging, fraud prevention, and platform integrity.
- Legal compliance and enforcement of our Terms.
- Marketing communications where permitted by law.
We do not sell your personal information for money, and we do not use your workspace content to train machine-learning models. Certain analytics or advertising activity may nonetheless be considered a “sale,” “sharing,” or “targeted advertising” under U.S. state law — see the U.S. State Privacy Notice below.
5. How we share information
- Processors and service providers. Hosting, databases, email and authentication providers, customer support tools, and similar providers, bound by contract to use information only to provide services to us.
- Integrations and business partners. Where you connect a third-party integration, data necessary to operate that integration is shared with the provider you selected.
- Analytics and advertising partners. Where used, subject to consent where required.
- Corporate transactions. Counterparties in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets.
- Legal and safety recipients. Where required by law, legal process, or to protect rights, safety, or the integrity of the Services.
6. Retention
We retain personal information only as long as is reasonably necessary for the purposes described above, to comply with legal obligations, resolve disputes, meet audit needs, and enforce our agreements. When you delete your account, we will delete or de-identify your personal information within a reasonable period, except where retention is required.
7. International transfers
Lighthouse is operated from the United States. Where the GDPR or UK GDPR applies, we rely on appropriate safeguards for international transfers, including the European Commission’s Standard Contractual Clauses, the UK International Data Transfer Addendum, adequacy decisions, or other valid transfer mechanisms.
8. GDPR lawful bases
| Purpose | Data categories | Lawful basis |
|---|---|---|
| Account creation and service delivery | Identifiers, account data, transaction records | Contract |
| Security, logging, fraud prevention, support | Identifiers, technical data, communications | Legitimate interests / legal obligation |
| Marketing, analytics, personalization, cookies | Contact details, usage data, online identifiers | Consent where required; otherwise legitimate interests |
9. Your rights
Depending on where you live, you may have the right to access, correct, delete, port, object to, or restrict the processing of your personal information; to withdraw consent; to appeal a decision on a rights request; and to be free from discrimination for exercising these rights. To exercise any of these rights, contact us by email at Owners@theluckylighthouse.com or by mail at the registered address above. We will respond within the time required by applicable law.
10. Cookie Notice
We use cookies, pixels, SDKs, local storage, and similar technologies for service operation, preference memory, analytics, attribution, and advertising where permitted. Non-essential technologies are subject to consent where required by law. You can manage your choices through our cookie banner when it appears, open cookie preferences to toggle each category (Functional, Analytics, Advertising) independently, configure your browser to block non-essential cookies, or email Owners@theluckylighthouse.com.
| Category | Typical disclosure | Vendors / tools | Consent? |
|---|---|---|---|
| Strictly necessary | Authentication, security, load balancing, session integrity | First-party session storage only | No |
| Functional | Preferences, remembered settings, localization | None currently in use | Usually yes |
| Analytics | Traffic and usage measurement | None currently in use | Yes |
| Advertising | Attribution, remarketing, audience building, pixels/SDKs | None currently in use | Yes |
If we add a new category or a materially new vendor inside an existing category, we bump our internal consent policy version. The cookie banner then re-appears on your next visit so you can confirm or change your choices — your previous per-category selections are pre-filled as defaults, and no script in the new scope runs until you actively confirm.
We automatically honor Global Privacy Control (GPC) signals. When your browser reports navigator.globalPrivacyControl as true, the site detects it on every page load and forces the Analytics and Advertising cookie categories off for that browser, even if the visitor previously accepted them, without requiring any action in the cookie banner. The cookie preferences panel reflects this by locking those categories off and displaying a notice. Third-party cookies set by integrations and analytics providers are disclosed by those providers; see also our “Do Not Sell or Share” options below.
Our backend honors GPC the same way. Every request to our API server is inspected for the standard Sec-GPC: 1 request header (and, for the opt-out form, an equivalent gpcSignal body flag). When that signal is present, the server skips any non-essential server-side analytics, attribution, or third-party “share” events for that request. Strictly necessary processing — authentication, security logging, request delivery, and persisting the actual submission you sent — still runs, since GPC does not opt out of the service itself. Do Not Sell or Share submissions received with a GPC signal are flagged in our internal record so the privacy team can confirm GPC was honored end-to-end.
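The gating described in the three paragraphs above can be sketched as follows; this is an added example, not The Lucky Lighthouse's own code. The function names, record fields, event name, and policy version value are assumptions, and the sketch simplifies a policy version bump to withholding every non-essential category until the visitor re-confirms.

```javascript
// Added illustration, not The Lucky Lighthouse's code. All names are hypothetical.
const POLICY_VERSION = 3; // constructed consent policy version

// True when the request carries Sec-GPC: 1 or the opt-out form's gpcSignal flag.
function hasGpcSignal(headers = {}, body = {}) {
  const entry = Object.entries(headers)
    .find(([name]) => name.toLowerCase() === 'sec-gpc'); // header names are case-insensitive
  const headerOn = entry !== undefined && String(entry[1]).trim() === '1';
  return headerOn || body.gpcSignal === true;
}

// Decide which categories may run for one request.
function effectiveConsent(stored, gpc) {
  // Stored choices count only if confirmed under the current policy version.
  const confirmed = stored != null && stored.version === POLICY_VERSION;
  const allowed = (category) => confirmed && stored.choices[category] === true;
  return {
    necessary: true,                              // never gated by consent or GPC
    functional: allowed('functional'),
    analytics: !gpc && allowed('analytics'),      // GPC overrides a prior accept
    advertising: !gpc && allowed('advertising'),
    needsReconfirm: stored != null && !confirmed, // banner re-appears
    prefill: stored ? { ...stored.choices } : null, // old choices shown as defaults only
  };
}

// Process a Do Not Sell or Share submission.
function handleOptOut(req, stored) {
  const gpc = hasGpcSignal(req.headers, req.body);
  const consent = effectiveConsent(stored, gpc);
  const events = [];
  if (consent.analytics) events.push('analytics:optout_submitted'); // non-essential
  // The submission itself is strictly necessary and is always persisted.
  const record = { email: req.body.email, gpcSignalReceived: gpc };
  return { record, events };
}

// Constructed sample: visitor accepted everything under the current version.
const accepted = {
  version: 3,
  choices: { functional: true, analytics: true, advertising: true },
};
const sampleRequest = { headers: { 'Sec-GPC': '1' }, body: { email: 'user@example.com' } };
console.log(handleOptOut(sampleRequest, accepted));
```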
11. U.S. State Privacy Notice
Certain advertising, analytics, or cross-context behavioral advertising disclosures may be considered a “sale,” “sharing,” or “targeted advertising” under applicable U.S. state law (including in California, Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, and others) even where no money changes hands.
The categories of personal information that may be involved include:
- Identifiers and online identifiers.
- Device data and internet or network activity.
- Approximate geolocation derived from IP.
- Inferences drawn from the categories above.
You may opt out of any such activity by submitting a request on our Do Not Sell or Share My Personal Information page, by emailing Owners@theluckylighthouse.com, by declining non-essential cookies in our cookie banner when it appears, or by sending a recognized browser opt-out signal such as Global Privacy Control, which we honor automatically as an opt-out of sale/sharing for that browser. We do not knowingly sell or share the personal information of consumers under 16 years of age. We honor authorized agent requests, provide a method to appeal denials, and will not discriminate against you for exercising your rights.
12. Data Processing Addendum
The Lucky Lighthouse offers a Data Processing Addendum (“DPA”) for customers requiring controller-to-processor terms. The DPA covers the scope of processing, confidentiality, subprocessors, security measures, assistance with data-subject requests, incident notification, deletion or return of data, audit rights subject to reasonable limits, and international transfer mechanisms including Standard Contractual Clauses where applicable.
Our current list of subprocessors is published at /subprocessors and includes each provider’s name, purpose, and hosting region. To request the DPA or an executed version, contact Owners@theluckylighthouse.com. Where we process customer data on behalf of an organization, please contact that organization first; we will direct your request accordingly.
13. Security
We use industry-standard safeguards to protect data in transit (HTTPS) and at rest, and we scope all workspace data to its owning account at the database layer. No system is perfectly secure, but we work to reduce risk and respond promptly to issues.
14. Children
Lighthouse is intended for professional use and is not directed to children under 16. We do not knowingly collect personal information from children under 16.
15. Changes to this policy
We may update this policy from time to time. When we do, we will revise the “Last updated” date above and, for material changes, provide additional notice (for example, by email or an in-product notice).
16. Contact
Questions about this policy or our practices? Reach out at Owners@theluckylighthouse.com or by mail at 14400 Addison St, Sherman Oaks, California 91423, USA.