Privacy Policy

1. Quick Summary

• We collect information you provide directly (such as contact details and engagement information), information collected automatically (such as device and usage data), and information from third parties (such as payment processors and analytics providers).
• We use Personal Information to provide and operate the Services, communicate with you, process payments, deliver consulting and AI-related work, comply with legal obligations, protect our legal rights, and improve our offerings.
• We do not sell Personal Information for monetary value. We may share Personal Information with service providers, partners, professional advisors, regulators, and successors in interest, in each case under appropriate contractual or legal protections.
• You have rights under applicable laws to access, correct, delete, port, or restrict the processing of your Personal Information, and to opt out of certain disclosures. Section 14 explains how to exercise these rights.
• We retain Personal Information only as long as necessary for the purposes described in this Privacy Policy, then delete or de-identify it.

2. Who We Are; Scope

Light-Brands AI is a consulting and AI-infrastructure company that provides strategic, technical, and creative services to enterprise and growth-stage clients, including the development of AI-native products, marketing and growth services, capital-formation support, and partnership engagements. References to “Services” in this Privacy Policy include all of the foregoing as well as any successor or sibling offerings.

This Privacy Policy applies to Personal Information processed by Light-Brands as a controller (the entity that determines the purposes and means of processing). Where Light-Brands processes Personal Information on behalf of a client (for example, in connection with a paid engagement that involves the client’s end-user data), Light-Brands acts as a processor and the client’s privacy notice governs the processing of that data; the corresponding terms are set forth in our data-processing agreement with the client.

This Privacy Policy does not apply to information collected by third parties, including websites, services, applications, or content that may link to, or be accessible from, our Services. We are not responsible for the privacy practices of those third parties.

3. Personal Information We Collect

We collect Personal Information in the following categories:

3.1 Information You Provide Directly

• Identity and contact information: name, email address, telephone number, mailing address, company name, and job title.
• Account credentials: usernames, passwords (stored as one-way hashes), and authentication tokens for any authenticated portion of the Services.
• Engagement information: information you provide about your business, capital plans, fundraising stage, product, technical stack, and related context that you submit through forms, intake interviews, or assessment tools.
• Payment information: billing details and payment-instrument metadata (we do not store full payment-card numbers or full bank-account numbers; payments are processed by Stripe, see Section 6).
• Communications: messages, requests, feedback, and information you provide when you contact us by email, phone, chat, or other channels.
• Event and meeting information: calendar invitations, meeting recordings (with notice), and meeting notes when you attend a session with our team.
• Survey, application, and content submissions: responses to surveys or applications, written content, code samples, documents, or other materials you choose to share.

3.2 Information Collected Automatically

• Device information: IP address, operating system, browser type and version, device identifiers, language and locale settings, screen size, and similar technical data.
• Usage information: pages and content you view, links you click, referring URLs, timestamps, the path you take through the Services, and approximate location derived from IP address.
• Cookies and similar technologies: see Section 10 for details.
• Server logs: standard request logs maintained for security, fraud prevention, and operational debugging.

3.3 Information from Third Parties

• Payment processors: transaction confirmations, refunds, disputes, and risk-screening signals from Stripe.
• Analytics and observability providers: aggregated and event-level usage data from PostHog, Sentry, and similar tools.
• Identity and authentication providers: profile information from third-party authentication providers (such as Google) when you sign in using those services.
• Marketing and lead-generation partners: contact information you have authorized those partners to share with us.
• Public sources: publicly available information about you or your company (websites, public filings, professional networking profiles).
• Referrals and introductions: information shared by your colleagues, advisors, investors, or partners when introducing you to us.

4. How We Use Personal Information

We use Personal Information for the following purposes, in each case in accordance with the legal bases described in Section 5:

• Provide and operate the Services: deliver the consulting, technical, marketing, and capital-formation services we have agreed to provide; manage accounts; process transactions; provide customer support.
• Communicate with you: respond to inquiries, send transactional notices (such as billing receipts and security alerts), share project updates, and provide reasonable scheduling and logistics communications.
• Process payments: bill and collect amounts owed; issue refunds where applicable; investigate and prevent fraudulent transactions, unauthorized access, and other illegal activities.
• AI-assisted service delivery: use Personal Information you submit (such as engagement materials, code samples, or documents) as inputs to AI processing necessary to deliver the Services. See Section 12 for details on automated decision-making and AI processing.
• Marketing and communications: send newsletters, event invitations, and information about our offerings (you may opt out at any time, see Section 11).
• Personalize content: tailor what you see based on your role, stage, or stated interests.
• Analytics and improvement: understand how the Services are used; develop new features and offerings; improve quality, performance, and user experience.
• Security and fraud prevention: detect, investigate, and respond to security incidents, fraud, and abuse; verify identities; protect our rights, property, and Services and those of our clients and users.
• Legal and compliance: comply with legal obligations, respond to lawful requests from public authorities, enforce our terms, and assert or defend legal claims.
• Corporate transactions: evaluate, negotiate, and complete a merger, acquisition, financing, sale of assets, or similar transaction (see Section 6.2).

5. Legal Bases for Processing (EU/UK Users)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, we process your Personal Information on one or more of the following legal bases under GDPR Article 6(1):

• Contract performance. Processing necessary to perform a contract with you or to take steps at your request prior to entering a contract (for example, providing the Services and processing payments).
• Legitimate interests. Processing necessary for our legitimate interests, balanced against your interests and fundamental rights (for example, securing the Services, preventing fraud, conducting analytics, communicating with prospective clients, exercising our rights, and growing our business).
• Consent. Processing based on your specific, informed consent (for example, certain marketing communications, optional cookies, or processing of special-category data). You may withdraw consent at any time.
• Legal obligation. Processing necessary to comply with a legal obligation to which we are subject (for example, tax, accounting, sanctions screening, or court orders).
• Vital interests / public interest. Where applicable in narrow circumstances such as emergencies.

If you have questions about the legal basis for any specific processing, contact us at privacy@lightbrands.ai.

6. How We Disclose Personal Information

We disclose Personal Information in the following circumstances:

6.1 Service Providers and Sub-Processors

We share Personal Information with vendors, contractors, and service providers who perform services on our behalf and are bound by written confidentiality and data-protection obligations. Our key service providers include:

• Cloud hosting and infrastructure: Vercel, Inc. (web hosting and serverless functions); Amazon Web Services, Inc. (compute, storage, and AI inference via Amazon Bedrock).
• Database and authentication: Supabase, Inc. (Postgres database, authentication, file storage).
• Payments: Stripe, Inc. (payment processing, billing, subscription management, fraud prevention).
• AI and large-language-model providers: Anthropic, PBC; OpenAI, OpenAI Ireland Limited; Mistral AI; OpenRouter, Inc.; Helicone, Inc. (observability across AI calls). When you provide content as part of the Services, that content may be processed by one or more of these providers under data-processing terms that prohibit training on customer data unless you have explicitly opted in.
• Analytics and observability: PostHog, Inc.; Sentry (Functional Software, Inc.); Vercel Analytics.
• Communications and marketing operations: Google Workspace (email, calendar, documents); HighLevel, Inc. (CRM and marketing automation); Slack Technologies, LLC; SignNow (electronic signature).
• Voice and media services: ElevenLabs, Inc.; OpenAI Realtime API (where applicable to a specific Service).
• Professional advisors: attorneys, accountants, auditors, insurers, and consultants bound by professional confidentiality obligations.

An updated list of sub-processors is available upon written request to privacy@lightbrands.ai. We may engage additional sub-processors as the Services evolve and will update this list accordingly.

6.2 Affiliates and Successors

We may share Personal Information with our affiliates (entities under common ownership or control) for the purposes described in this Privacy Policy. We may also disclose Personal Information in connection with, or during negotiations of, a merger, acquisition, financing, asset sale, reorganization, bankruptcy, or similar corporate transaction. We will provide notice and apply this Privacy Policy (or a substantially similar one) to the transferred information.

6.3 Legal, Safety, and Compliance

We may disclose Personal Information when we believe in good faith that disclosure is necessary to:

• Comply with applicable law, regulation, court order, subpoena, or other legal process or governmental request;
• Enforce our terms of service, this Privacy Policy, or other agreements, including investigation of potential violations;
• Detect, prevent, or otherwise address fraud, security, or technical issues;
• Protect our rights, property, or safety, or those of our users, clients, or others;
• Cooperate with law enforcement and government authorities, including requests for information related to suspected unlawful conduct.

6.4 With Your Direction or Consent

We may share Personal Information at your direction or with your consent, including when you choose to share content publicly or through third-party integrations.

6.5 Aggregated and De-Identified Information

We may share aggregated, de-identified, or anonymized information that cannot reasonably be used to identify you for any purpose, including research, marketing, and product development.

6.6 No Sale or Sharing for Cross-Context Behavioral Advertising

We do not “sell” Personal Information for monetary consideration as that term is defined under the CCPA/CPRA, and we do not “share” Personal Information for cross-context behavioral advertising as defined under the CCPA/CPRA. We have not done so in the preceding twelve (12) months.

7. International Data Transfers

Light-Brands is headquartered in the United States, and Personal Information we collect may be transferred to, stored at, or processed in countries other than the country in which you reside, including the United States. The data-protection laws in these countries may differ from the laws of your country.

When we transfer Personal Information out of the European Economic Area, the United Kingdom, or Switzerland, we use appropriate safeguards required by applicable law, including Standard Contractual Clauses approved by the European Commission, the UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs, and equivalent mechanisms for Swiss data. Where applicable, we also rely on the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework principles administered by the U.S. Department of Commerce, in each case to the extent applicable to a given transfer and our certifications thereunder.

You may request a copy of the relevant transfer mechanism by emailing privacy@lightbrands.ai.

8. Data Retention

We retain Personal Information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law. Specific retention periods include:

• Account and engagement records: for the duration of your relationship with us, plus seven (7) years thereafter for tax, accounting, audit, and legal-defense purposes.
• Billing and transaction records: seven (7) years from the date of the transaction.
• Communications: generally three (3) years from the date of last interaction, longer if associated with an active engagement or a legal hold.
• Marketing contacts: until you opt out, plus a reasonable suppression-list retention period to honor your opt-out.
• Server logs and security data: generally up to thirteen (13) months.
• Backups: generally up to ninety (90) days, after which deletion requests are propagated to backups in the ordinary course.

When we no longer have an ongoing legitimate business need to process Personal Information, we will delete or de-identify it, or, if not possible (for example, because Personal Information has been stored in backup archives), securely store the information and isolate it from any further processing until deletion is possible.

9. Information Security

We implement and maintain administrative, technical, and physical safeguards designed to protect Personal Information against unauthorized access, disclosure, alteration, or destruction. These safeguards include:

• Encryption in transit (TLS) and at rest where applicable;
• Access controls based on least privilege and role-based authorization;
• Multi-factor authentication for production systems and administrative accounts;
• Logging, monitoring, and alerting on production systems;
• Regular dependency vulnerability scanning and security review;
• Vendor security review prior to engaging sub-processors;
• Employee and contractor confidentiality obligations and security training.

No security program is impenetrable. We cannot guarantee that unauthorized third parties will never be able to defeat our safeguards. You acknowledge that you provide Personal Information at your own risk.

In the event of a personal-data breach affecting your Personal Information, we will notify you and applicable supervisory authorities as required by law.

10. Cookies and Similar Technologies

We and our service providers use cookies, web beacons, pixels, local storage, and similar technologies (collectively, “cookies”) to operate the Services, remember your preferences, secure your sessions, perform analytics, and deliver communications. We use the following categories of cookies:

• Strictly necessary cookies: required for the Services to function, including for security and load balancing. These cookies cannot be disabled.
• Functional cookies: remember your preferences and settings, such as language and theme.
• Analytics cookies: help us understand how the Services are used.
• Marketing cookies: used to measure the effectiveness of campaigns and, where consent is required, to personalize content.

Most browsers allow you to control cookies through their settings, including by deleting existing cookies and refusing new cookies. If you disable cookies, some features of the Services may not function properly.

Global Privacy Control. We honor browser-based opt-out signals such as the Global Privacy Control (GPC) where required by applicable law.

Do Not Track. Our Services do not respond to traditional Do Not Track (DNT) browser signals because no industry standard for DNT has been adopted. Where the law requires us to honor browser-based opt-out signals (such as GPC), we do so as described above.

11. Marketing Communications

You may opt out of receiving promotional emails from us at any time by following the unsubscribe instructions in those emails or by emailing privacy@lightbrands.ai. Even after you opt out of promotional emails, we may still send you transactional or service-related communications (such as billing receipts, security alerts, or notices about changes to this Privacy Policy or our terms).

For text messages, you may opt out by replying STOP to any text message we send. Standard message and data rates may apply.

12. Automated Decision-Making and AI Processing

The Services include features that use artificial intelligence and large language models (LLMs) to generate text, code, recommendations, summaries, drafts, and other outputs. As part of delivering the Services, we may process Personal Information you provide (or that you instruct us to process) using AI tools provided by Light-Brands and by third-party AI providers identified in Section 6.

• No solely-automated decisions with legal effect. We do not use AI to make decisions about you that produce legal or similarly significant effects without meaningful human review. To the extent we ever do, we will provide notice and provide the rights required by applicable law (including the right to obtain human review).
• Training on customer data. By default, we configure our AI processing relationships so that customer data is not used to train third-party foundation models. Where a specific provider’s default behavior includes training, we configure to opt out where the option is available.
• Output limitations. AI-generated outputs may be inaccurate, incomplete, or otherwise unsuitable for a particular purpose. You are responsible for reviewing and validating any output before relying on it. AI-generated output is not professional, legal, financial, medical, or fiduciary advice.
• Sensitive inputs. Please do not submit Personal Information of children under 13, government-issued identifiers, full payment-card details, or special-category personal data (such as health data) into our AI tools unless we have specifically agreed in writing to handle such data under additional safeguards.

13. Children’s Privacy

The Services are not directed to, and we do not knowingly collect Personal Information from, children under the age of 13 (or 16 where required by applicable law). If we become aware that we have inadvertently collected Personal Information from a child under the applicable age, we will promptly delete that information. Parents or guardians who believe their child has provided us with Personal Information should contact us at privacy@lightbrands.ai.

14. Your Privacy Rights

Depending on where you live, you may have the following rights with respect to your Personal Information:

• Access / Know: request a copy of, or information about, the Personal Information we hold about you.
• Correction / Rectification: request that we correct inaccurate or incomplete Personal Information.
• Deletion / Erasure: request that we delete Personal Information about you, subject to legal exceptions.
• Portability: request a copy of certain Personal Information in a structured, commonly used, machine-readable format.
• Restriction: request that we restrict certain processing of your Personal Information.
• Objection: object to processing based on legitimate interests, direct marketing, or scientific or historical research.
• Withdraw consent: withdraw consent for processing that is based on consent, without affecting the lawfulness of processing carried out before withdrawal.
• Opt out of sale or sharing: opt out of any “sale” or “sharing” of Personal Information (we do not currently engage in these activities).
• Limit use of sensitive Personal Information: direct us to limit the use of certain sensitive Personal Information.
• Non-discrimination: exercise any of these rights without discriminatory treatment.
• Lodge a complaint: lodge a complaint with a supervisory authority in your country of residence.

How to exercise your rights. To exercise your rights, email privacy@lightbrands.ai with your request. We will respond within the timeframes required by applicable law, generally within 45 days. We may need to verify your identity before processing your request, including by asking you to confirm information already on file or to provide a verifiable declaration. We will not discriminate against you for exercising your rights.

You may use an authorized agent to make a request on your behalf. We may require the agent to provide proof of authorization and may require you to verify your identity directly.

15. Additional Information for California Residents

This section supplements the information above and applies solely to California residents. Defined terms have the meaning given in the CCPA/CPRA.

15.1 Categories of Personal Information We Collect

In the preceding twelve (12) months, we have collected the following categories of Personal Information about California residents (with examples):

• Identifiers: name, email, phone, postal address, IP address, account identifiers.
• Customer records (Cal. Civ. Code § 1798.80(e)): contact information, billing information.
• Commercial information: records of services purchased, transaction histories.
• Internet or other electronic network activity: browsing and interaction data on the Services.
• Geolocation: general location derived from IP address (we do not collect precise geolocation).
• Audio and visual information: recordings of meetings or calls (with notice and consent).
• Professional or employment information: job title, employer, professional context.
• Inferences: inferences drawn from the foregoing to characterize preferences and likely needs.

We do not knowingly collect Sensitive Personal Information beyond account credentials. We do not use or disclose Sensitive Personal Information for purposes that require providing a “Right to Limit” under CPRA.

15.2 Sources, Purposes, and Disclosures

The sources from which we collect this information, the business purposes for which we collect and use it, and the categories of third parties to whom we disclose it for business purposes are described in Sections 3, 4, and 6 of this Privacy Policy.

15.3 Sale and Sharing

We do not sell Personal Information for monetary consideration, and we do not share Personal Information for cross-context behavioral advertising. We have not done so in the preceding twelve (12) months and do not anticipate doing so in the next twelve (12) months. We do not sell or share the personal information of consumers under the age of 16.

15.4 Retention

See Section 8 for our retention practices.

15.5 Your California Rights and How to Exercise Them

California residents have the rights described in Section 14, which include the right to know, correct, delete, port, opt out of sale or sharing, and limit the use of sensitive Personal Information. To exercise these rights, email privacy@lightbrands.ai. We may require you to verify your identity before fulfilling your request. You may also designate an authorized agent (see Section 14).

15.6 Shine the Light

California Civil Code § 1798.83 permits California residents to request information about disclosures of Personal Information to third parties for the third parties’ direct marketing purposes. We do not disclose Personal Information to third parties for their own direct marketing purposes.

16. Other U.S. State Privacy Rights

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and other U.S. states with comparable laws have rights similar to those described in Section 14, including rights of access, correction, deletion, portability, and opt-out of certain processing (such as targeted advertising and the sale of personal data, neither of which we engage in). To exercise these rights, contact privacy@lightbrands.ai. If we deny your request, you may have a right to appeal; we will respond to appeals within the timeframes required by your state’s law.

17. Links to Other Sites

The Services may contain links to third-party websites and services. This Privacy Policy does not apply to those websites or services, and we are not responsible for their privacy practices. We encourage you to review their privacy policies before providing them with any Personal Information.

18. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we update the Privacy Policy, we will revise the “Last Updated” date at the top of this page and, if the changes are material, provide additional notice (such as by email or by prominent notice on the Services). Your continued use of the Services after the effective date of the updated Privacy Policy constitutes your acceptance of the updated terms.

19. Contact Information

If you have questions or concerns about this Privacy Policy or our privacy practices, or wish to exercise any of your rights, contact us:

• Privacy email: privacy@lightbrands.ai
• General contact: hello@lightbrand.ai
• Mailing address: 1654 Calle Tulipán, Ste 100, San Juan, PR 00927-6242
• EU/UK representative: [CONFIRM: appoint EU and UK representatives if you regularly process data of EU/UK individuals at scale; otherwise omit this line]