Compliance

GDPR

Light Company ApS is a Danish company, headquartered in Copenhagen. The GDPR isn't something we retrofitted onto the product, it's the law we've operated under since day one.

Last updated: 10-07-2026

The General Data Protection Regulation (GDPR) governs how personal data is collected, processed, and stored across the EU. Light Company ApS (CVR no. 43523503) acts as a data processor for the customer data you put into Light, under the terms of our Data Processing Agreement, and as a data controller for the data we collect through our own website and marketing, under our Privacy Policy. This page summarizes how that works in practice; the DPA and Privacy Policy remain the governing legal documents.

Company

Light Company ApS, Copenhagen, Denmark (EU)

Breach notification

Customers notified without undue delay, no later than 36 hours after discovery

Data retention

Customer data deleted 90 days after contract termination, unless a longer period is legally required

Sub-processors

Engaged only under Article 28-compliant terms, with 30 days' notice before any change

International transfers

Handled in compliance with GDPR Chapter V, only on documented customer instructions

Security baseline

Covered by our SOC 2 Type II report and EU-hosted infrastructure

Our sub-processors

Light uses a small number of sub-processors to deliver the service, all based in the EU or EEA. This list is kept current here and in Exhibit 3 of the DPA.

Sub-processorPurposeRegion
Amazon Web ServicesCloud hostingIreland
OpenAI ServicesAI model for invoice documentsEurope
Google Cloud EMEA LimitedAI processing (Vertex AI / Gemini)Ireland
AMC BankingBank integrationDenmark
Adyen BankingVirtual cardsNetherlands

Your rights as a data subject

Under GDPR Chapter III, you have the right to access, correct, and request erasure of your personal data, to object to certain processing, and to receive your data in a portable format. To exercise any of these rights, or to raise a question, contact us at help@light.inc. Full detail on each right, and the legal basis for each type of processing, is set out in our Privacy Policy. You can also lodge a complaint directly with the Danish Data Protection Agency at datatilsynet.dk.

Security

Article 32 of the GDPR requires processors to implement appropriate technical and organizational measures to protect personal data. Light's infrastructure runs on EU-hosted AWS, with encryption in transit and at rest, role-based access controls, and authentication handled by Auth0. These measures are independently examined as part of our SOC 2 Type II report; more detail is available on our Security page.

Book a demo