At LightOn, protecting your data is not just a legal requirement; it is a product principle. Our platform has been designed to respect the GDPR and to give customers and end-users full control over their information.
This page explains, in simple terms, how LightOn ensures GDPR compliance in practice. For official legal details, please refer to our Privacy Policy or contact our Data Protection team.
Total Data Control
Users and/or the customer who created their account maintain complete control over all data.
LightOn functions solely as a data processor within Paradigm, meaning we do not process personal data for our own purposes.
All personal data processed within Paradigm is provided by the customer or a user whose account was created on their behalf. Data, particularly from documents and conversations, is strictly used only for its agreed-upon purpose and is never utilized to train or fine-tune LightOn's Large Language Models (LLMs), unless a customer specifically requests such training or fine-tuning for an LLM used by Paradigm.
User Rights and Transparency
User Rights
With LightOn, every user can easily exercise their GDPR rights:
- Download your data: At any time, you can export the information linked to your account (documents, prompts, logs).
- Delete your account: You can erase your account and all associated data instantly and permanently.
- Update your details: First name, last name, and language can be changed directly in your profile.
- Contact our GDPR support: A dedicated contact is available to handle GDPR-related requests within the required timelines.
We also support the right to restrict or object to processing (for example, by archiving sessions), and the right to portability (by providing data exports in reusable formats).
Transparency
We provide numerous resources and features to help customers meet their transparency obligations. For example, Paradigm's administration interface is designed to allow the customer to integrate terms of use and privacy policies that users must accept in order to use the interface. These documents can use certain sections of the templates or generic documents we provide for this purpose.
This makes it easy for the customer to comply with their transparency obligations.
Control Over What You Share
Our platform does not require (sensitive) personal data to function. Because the service is conversational, users remain free to type any content into the chat and to provide any document to be analyzed and taken into account. These conversations and documents can contain personal data, although we recommend ensuring that only the required data is processed in Paradigm. To protect this data, we have implemented the following safeguards:
- Obfuscation by default: All sessions and documents are hidden from LightOn staff. If our support team needs to access them, a request for authorization is sent to the user, who decides whether to allow it. Without user approval, no one can view the data.
- Ephemeral mode: Users can enable a privacy mode where sessions and conversations are automatically deleted after 15 minutes of inactivity. This ensures full control over short-lived or sensitive exchanges.
Data Retention
Data is never kept longer than necessary:
- By default, sessions are stored for up to 180 days (configurable by your administrator).
- In SaaS, technical logs and usage data are retained for at most a few months, as required for service continuity and security.
- On-premise deployments follow your organization’s own retention policies.
After the retention period, data is permanently deleted.
On-Premise vs SaaS
- On-Premise: For most enterprise clients, LightOn runs entirely within your infrastructure. LightOn has no access to your data.
- SaaS: When using our hosted platform, data is stored securely within the EU or with subcontractors providing GDPR-level guarantees.
In both cases, the same user rights (download, deletion, portability) and transparency features apply.
Security and Access Governance
LightOn embeds privacy by design and by default into its platform:
- Encryption: All data is encrypted in transit (TLS) and at rest.
- Access control: Only authorized personnel, under strict conditions, may access operational data — and only with user approval.
- Auditability: Access requests, support interventions, and user actions are logged.
- Incident response: In the unlikely event of a breach, we notify users and regulators in accordance with GDPR.
Subcontractors and Hosting
In SaaS mode, some services (e.g., hosting or email delivery) may be operated by trusted subcontractors. LightOn only works with providers offering sufficient guarantees of GDPR compliance. If data is transferred outside the EU, it is covered by recognized legal frameworks (e.g., Standard Contractual Clauses).
Conclusion
LightOn ensures GDPR compliance not just by meeting legal obligations but by acting only on customers’ instructions and embedding transparency, user control, and data minimization into the product itself. Whether deployed on-premise or in SaaS, our platform gives organizations and their users confidence that data is secure, private, and fully under their control.