
Privacy Policy
Policy Owner: Data Protection Officer
Effective Date: 23 January 2026
1. Introduction
2. Who We Are
Contact Information:
Company: LightWork Holding
Email: contact@lightwork.co
Address: 83 Victoria Street, London, SW1H 0HW
Data Protection Officer:
Our Data Protection Officer oversees our data protection programme and serves as your primary contact for privacy matters:
Name: James Wilson
Email: james@lightwork.blue
Phone: 020 3585 4135
3. What Personal Data We Collect
We may collect and process the following categories of personal data:
3.1 Information You Provide Directly
Account Information: Name, email address, username, password
Contact Details: Telephone number, postal address, company name, job title
Communications: Messages, enquiries, feedback, and support requests you send to us
Marketing Preferences: Your consent choices for receiving marketing communications
Payment Information: Billing details, though payment card details are processed by our secure payment processors
3.2 Information We Collect Automatically
Technical Data: IP address, browser type and version, operating system, device identifiers
Usage Data: Information about how you use our website and services, including pages visited, time spent, and features used
Analytics Data: Website performance data, user behaviour patterns, and service usage statistics
Location Data: General location information derived from your IP address
3.3 Cookies and Similar Technologies
We use cookies, web beacons, and similar tracking technologies to enhance your experience and collect information about your interactions with our services. Please see our Cookie Policy for detailed information.
3.4 Information from Third Parties
We may receive information about you from third-party sources, such as:
Social media platforms (if you connect your accounts)
Analytics providers
Marketing partners
Public databases and directories
4. Lawful Bases for Processing Personal Data
We only process your personal data when we have a lawful basis to do so. Our lawful bases include:
4.1 Contractual Necessity
To perform our contract with you, including:
Providing our AI services
Managing your account
Processing payments
Providing customer support
4.2 Legitimate Interests
For our legitimate business interests, such as:
Improving and developing our services
Network and information security
Preventing fraud and abuse
Analytics and service optimisation
Internal administration
4.3 Legal Obligation
To comply with legal requirements, including:
Regulatory compliance
Responding to legal requests
Maintaining records as required by law
4.4 Consent
Where you have given specific consent, such as for:
Marketing communications
Optional cookies and tracking
Special categories of data (if applicable)
4.5 Vital Interests
In rare circumstances where processing is necessary to protect life or health.
5. How We Use Your Personal Data
We use your personal data for the following purposes:
5.1 Service Provision
Delivering our AI services and applications
Managing your account and subscriptions
Processing transactions and payments
Providing customer support and technical assistance
5.2 Communication
Responding to your enquiries and requests
Sending service-related notifications and updates
Providing information about changes to our services or policies
5.3 Marketing (with your consent)
Sending promotional emails about our services
Personalising marketing content
Conducting market research and surveys
5.4 Analytics and Improvement
Analysing usage patterns to improve our services
Conducting research and development
Monitoring service performance and reliability
5.5 Security and Compliance
Protecting against fraud, abuse, and security threats
Complying with legal and regulatory requirements
Maintaining audit trails and records
6. How We Share Your Personal Data
We may share your personal data in the following circumstances:
6.1 Service Providers and Business Partners
We work with trusted third-party service providers who process personal data on our behalf, including:
Cloud hosting and infrastructure providers
Customer support platforms
Analytics and marketing services
Payment processors
Professional advisors (lawyers, accountants, auditors)
All service providers are contractually required to:
Process data only for the purposes we specify
Maintain appropriate security measures
Return or delete data when requested
Comply with data protection obligations
6.2 Legal Requirements and Protection of Rights
We may disclose personal data when we believe it is necessary to:
Comply with applicable laws, regulations, or legal processes
Respond to requests from public authorities
Protect our rights, property, or safety
Protect the rights, property, or safety of others
Prevent or investigate suspected fraud or illegal activities
6.3 Business Transfers
In the event of a merger, acquisition, reorganisation, or sale of assets, personal data may be transferred as part of the transaction, subject to appropriate safeguards.
6.4 With Your Consent
We may share personal data for other purposes with your explicit consent.
7. International Data Transfers
Some of our service providers are located outside the UK. When we transfer personal data internationally, we ensure appropriate safeguards are in place:
7.1 Adequacy Decisions
We may transfer data to countries that have been deemed to provide adequate protection by UK authorities.
7.2 UK Standard Contractual Clauses
For transfers to countries without adequacy decisions, we use UK Standard Contractual Clauses or equivalent approved transfer mechanisms.
7.3 Additional Safeguards
We implement additional technical and organisational measures to protect data during international transfers, including:
Encryption in transit and at rest
Access controls and authentication
Regular security assessments
Data processing agreements with clear limitations
8. Your Data Protection Rights
Under UK data protection law, you have the following rights:
8.1 Right of Access
You can request a copy of the personal data we hold about you, along with information about how we process it.
8.2 Right of Rectification
You can ask us to correct or update personal data that is inaccurate or incomplete.
8.3 Right to Erasure (Right to be Forgotten)
You can request deletion of your personal data in certain circumstances, such as when:
The data is no longer needed for the original purpose
You withdraw consent (where consent was the lawful basis)
The data has been unlawfully processed
Erasure is required for legal compliance
8.4 Right to Restriction of Processing
You can ask us to limit how we use your personal data in certain situations, such as when:
You contest the accuracy of the data
Processing is unlawful but you prefer restriction over deletion
We no longer need the data but you need it for legal claims
8.5 Right to Object
You can object to processing based on legitimate interests or for direct marketing purposes. We will stop processing unless we have compelling legitimate grounds.
8.6 Right to Data Portability
Where technically feasible, you can request your personal data in a structured, commonly used format, and have it transmitted to another controller.
8.7 Rights Related to Automated Decision-Making
You have rights regarding decisions made solely by automated means, including profiling, such as the right to human review and to challenge the decision.
8.8 Right to Withdraw Consent
Where processing is based on consent, you can withdraw your consent at any time without affecting the lawfulness of processing based on consent before withdrawal.
9. How to Exercise Your Rights
Email: Contact@lightwork.co
Online Form: Available on our website privacy page (https://www.lightwork.co/contact-us)
Post: 83 Victoria Street, London, SW1H 0HW
9.1 Verification Process
We may need to verify your identity before processing your request to protect your personal data from unauthorised access.
9.2 Response Timeframes
We will respond to your request without undue delay and within one month of receipt. In complex cases, we may extend this period by up to two months and will inform you of any extension.
9.3 Right to Erasure (Right to be Forgotten)
To exercise any of your data protection rights:
9.4 No Fee Policy
We will not charge a fee for processing your request unless it is manifestly unfounded, excessive, or repetitive.
10. Data Retention Periods
We retain personal data only for as long as necessary for the purposes outlined in this policy.
10.1 Account Data
Active accounts: Retained while your account remains active
Closed accounts: Deleted within 30 days of account closure, unless legal obligations require longer retention
10.2 Communications
Customer support records: Retained for 3 years after resolution
Marketing communications data: Until consent is withdrawn or for 2 years of inactivity
10.3 Technical and Usage Data
Server logs: Retained for 12 months
Analytics data: Aggregated data may be retained indefinitely; personal identifiers deleted after 24 months
10.4 Legal and Compliance
Financial records: Retained for 7 years as required by UK law
Legal claims: Retained until claims are resolved and any appeal periods expire
10.5 Marketing Data
Retained until you withdraw consent or we determine it's no longer needed for legitimate business purposes.
11. Security Measures
We implement comprehensive technical and organisational measures to protect your personal data:
11.1 Technical Safeguards
Encryption of data in transit using TLS/SSL protocols
Encryption of data at rest using industry-standard algorithms
Multi-factor authentication for system access
Regular security vulnerability assessments
Intrusion detection and prevention systems
Secure backup and recovery procedures
11.2 Organisational Measures
Regular staff training on data protection
Background checks for personnel with data access
Incident response and breach notification procedures
Access controls based on the principle of least privilege
Data processing agreements with third parties
Regular security audits and assessments
12. Children's Privacy
Our services are not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16 without appropriate consent, we will take steps to delete such information promptly. If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately.
13. Automated Decision-Making and Profiling
13.1 Automated Processing
We may use automated systems to process personal data for purposes such as:
Service personalisation
Fraud detection and prevention
System security monitoring
13.2 Your Rights
If we make decisions about you using solely automated processing that significantly affects you, you have the right to:
Request human intervention
Express your point of view
Challenge the decision
Request an explanation of the decision-making process
13.3 Safeguards
We implement appropriate safeguards for automated decision-making, including regular testing for bias and accuracy.
14. Cookies and Similar Technologies
We use cookies and similar technologies to enhance your experience on our website and services. These include:
14.1 Essential Cookies
Necessary for the website to function properly and cannot be disabled.
14.2 Performance Cookies
Help us understand how visitors interact with our website by collecting and reporting information anonymously.
14.3 Functional Cookies
Enable enhanced functionality and personalisation.
14.4 Marketing Cookies
Used to deliver relevant advertisements and track advertising campaign effectiveness.
For detailed information about our use of cookies, including how to manage your preferences, please see our separate Cookie Policy.
15. Third-Party Links and Services
Our website may contain links to third-party websites or services. This Privacy Policy does not apply to those external sites. We encourage you to review the privacy policies of any third-party services you access.
16. Data Breach Notification
In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay. We will also report qualifying breaches to the Information Commissioner's Office within 72 hours of becoming aware of the breach.
17. Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices, services, or legal requirements.
We will notify you of material changes by:
Posting the updated policy on our website with a new effective date
Sending email notification to registered users
Providing prominent notice on our website or within our services
We encourage you to review this policy regularly to stay informed about how we protect your personal data.
18. Contact Information and Complaints
18.1 Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices:
Privacy Team:
Email: contact@lightwork.co
Address: 83 Victoria Street, London, SW1H 0HW
Data Protection Officer:
Email: james@lightwork.blue
Phone: 020 3585 4135
18.2 Contact Us
If you are not satisfied with our response to your privacy concerns, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO).
Information Commissioner's Office (ICO)
Website: ico.org.uk
Phone: 0303 123 1113
Email: casework@ico.org.uk
Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
You can also use the ICO's online reporting tool at ico.org.uk/make-a-complaint/
19. Legal Framework
This Privacy Policy is designed to comply with:
UK General Data Protection Regulation (UK GDPR)
Data Protection Act 2018
Privacy and Electronic Communications Regulations (PECR)
Other applicable UK privacy and data protection laws
20. Policy Review and Updates
We review this Privacy Policy annually to ensure it remains current and effective. The policy may be updated more frequently if required by changes in law, regulation, or business practices.
Next Scheduled Review: 23 January 2027

| Version | Date | Description | Author | Approved By |
|---|---|---|---|---|
| 1.0 | 23 January 2026 | Initial Privacy Policy for public website and application | Rameen Sorkhabi | James Wilson |