GDPR
Light Company ApS is a Danish company, headquartered in Copenhagen. The GDPR isn't something we retrofitted onto the product, it's the law we've operated under since day one.
Last updated: 10-07-2026
The General Data Protection Regulation (GDPR) governs how personal data is collected, processed, and stored across the EU. Light Company ApS (CVR no. 43523503) acts as a data processor for the customer data you put into Light, under the terms of our Data Processing Agreement, and as a data controller for the data we collect through our own website and marketing, under our Privacy Policy. This page summarizes how that works in practice; the DPA and Privacy Policy remain the governing legal documents.
Company
Light Company ApS, Copenhagen, Denmark (EU)
Breach notification
Customers notified without undue delay, no later than 36 hours after discovery
Data retention
Customer data deleted 90 days after contract termination, unless a longer period is legally required
Sub-processors
Engaged only under Article 28-compliant terms, with 30 days' notice before any change
International transfers
Handled in compliance with GDPR Chapter V, only on documented customer instructions
Security baseline
Covered by our SOC 2 Type II report and EU-hosted infrastructure
Our sub-processors
Light uses a small number of sub-processors to deliver the service, all based in the EU or EEA. This list is kept current here and in Exhibit 3 of the DPA.
Your rights as a data subject
Under GDPR Chapter III, you have the right to access, correct, and request erasure of your personal data, to object to certain processing, and to receive your data in a portable format. To exercise any of these rights, or to raise a question, contact us at help@light.inc. Full detail on each right, and the legal basis for each type of processing, is set out in our Privacy Policy. You can also lodge a complaint directly with the Danish Data Protection Agency at datatilsynet.dk.
Security
Article 32 of the GDPR requires processors to implement appropriate technical and organizational measures to protect personal data. Light's infrastructure runs on EU-hosted AWS, with encryption in transit and at rest, role-based access controls, and authentication handled by Auth0. These measures are independently examined as part of our SOC 2 Type II report; more detail is available on our Security page.