LightOn and GDPR Compliance

At LightOn, protecting data is not just a legal requirement; it is a product principle. The platform has been designed to respect the GDPR and to give customers and end-users full control over their information.


This page explains, in simple terms, how LightOn ensures GDPR compliance in practice. For official legal details, please refer to our Privacy Policy or contact our Data Protection team.


Principles Common to All Services

Whether Paradigm is used in SaaS mode or deployed on-premise, the same fundamental rules apply:

  • Processor role: LightOn acts solely as a data processor, never using data for its own purposes.

  • User rights: Every user can exercise GDPR rights easily:

    • Export personal data (documents, prompts, logs).

    • Delete an account and all associated data.

    • Update profile details directly (first name, last name, language).

    • Contact GDPR support to handle requests within legal timelines.

  • Transparency: Paradigm allows administrators to integrate custom terms of use and privacy policies, ensuring users are informed and protected.

  • Privacy by design: Encryption in transit and at rest, strict access governance, full audit logs, and incident response procedures.



Paradigm SaaS

When the hosted platform is used, additional GDPR measures ensure security and compliance:

  • Data location: All data is stored securely within the EU or with subcontractors offering GDPR-level guarantees.

  • Retention:

    • Sessions are stored for up to 180 days (configurable).

    • Technical logs and usage data are kept only for a few months, strictly for continuity and security.

  • Ephemeral mode: Users can activate a mode where sessions and conversations are automatically deleted after 15 minutes of inactivity.

  • Access requests: By default, sessions and documents are invisible to LightOn staff. Support can only view data with explicit user authorization.

  • Subcontractors: When subcontractors are involved (e.g. hosting, email delivery), only providers offering sufficient GDPR guarantees are selected. Any transfer outside the EU is covered by recognized legal frameworks (such as Standard Contractual Clauses).


Paradigm On-Premise

For enterprise clients choosing on-premise deployment, GDPR compliance is ensured by design:

  • Full data sovereignty: Paradigm runs entirely within the customer’s infrastructure. LightOn has no access to data.

  • Retention policies: The organization defines and enforces its own data retention rules.

  • Same user rights: Export, deletion, and portability features remain available to all users.


Comparison: SaaS vs On-Premise

Aspect             | SaaS Deployment                              | On-Premise Deployment
-------------------|----------------------------------------------|---------------------------------------
Data location      | EU or GDPR-compliant subcontractors          | Inside customer infrastructure
Access by LightOn  | Only with explicit user authorization        | No access possible
Data retention     | Sessions kept up to 180 days (configurable)  | Defined entirely by customer policies
Technical logs     | Kept for service continuity (few months)     | Managed internally by customer
Ephemeral mode     | Optional: auto-delete after 15 minutes       | Available if configured
Subcontractors     | Used, under GDPR safeguards                  | Not applicable

Conclusion

GDPR compliance is ensured not just by meeting legal obligations, but by embedding transparency, user control, and data minimization into the product itself.

  • In SaaS, strong guarantees of security, EU-based storage, and strict governance of access are provided.

  • On-premise, organizations keep complete sovereignty and control.

Whichever deployment is chosen, data remains secure, private, and fully under user control.