Privacy Policy

Lighthouse Privacy Policy

1. Our Commitment

Lighthouse (referred to as “We, “Our,” or “Us”) is committed to protecting the privacy and security of your personal information. We take care to protect the privacy of our customers and users of our products, websites, and social media platforms, as well as event attendees and those that contact us through email or over the phone.

We have therefore developed this Lighthouse Privacy Notice to inform you of the data we collect, what we do with your information, and what we do to keep it secure, as well as the rights and choices you have over your personal information.

Lighthouse is the controller for the personal information we process as identified in this privacy notice. In some circumstances, Lighthouse will provide services on behalf of other organisations (e.g. our customers). In such circumstances, the other organisation will be the controller and so you should refer to their privacy notices for details of how your data is processed.

Lighthouse is based in the USA and UK. Our UK office is registered with the Information Commissioner’s Office (the ICO) with registration number ZA500797.

Throughout this Lighthouse Privacy Notice, we refer to Data Protection Legislation, which may vary depending on the jurisdiction in which you are based, you are a resident or where your personal data is processed. For example, in the UK this means the Data Protection Act (DPA) 2018, United Kingdom General Data Protection Regulation (UK GDPR), the Privacy and Electronic Communications (EC Directive) Regulations 2003, and any legislation implemented in connection with the aforementioned legislation. For the European Union, this includes the EU General Data Protection Regulation (EU GDPR). Where data is processed by a controller or processor established in California or comprises the data of California consumers, it also includes the California Consumer Privacy Act – please see section 13.

1.1 Data Protection Officer   

We have appointed a Data Protection Officer (DPO) to help us monitor internal compliance, inform, and advise on data protection obligations, and act as a point of contact for you and relevant supervisory authorities.  

Our DPO forms part of the wider Lighthouse Data Privacy Team. If you would like to exercise one of your rights, or you have a question or a complaint about this statement or the way your personal information is processed, you can contact the DPO and the Data Privacy Team at: privacy@lighthouseglobal.com.  

1.2 EU Representative  

As per our requirements under the EU GDPR, we have appointed a European Representative. If you are based in the European Economic Area, you can contact our representative through the following channels: 

Postal Address: Friedrichstrabe 88,Excellent Business Centre, Berlin,10117, Germany 
Phone Number: +49 304 0817 3000 
Email: eurep@lighthouse.com 

Lighthouse is the controller for the personal information we collect, unless otherwise stated. You can contact us either by email or post.

2. The Information We Collect

We only collect personal information that we know we will genuinely use and in accordance with the Data Protection Legislation. The type of personal information that we will collect, and that you voluntarily provide to us on this website may include the following:

• Contact Data: Name, Address, Telephone Number, Email Address.
• Online Identifiers: IP Address and other limited information collected via cookies and similar technologies. We also collect unique identifiers such as client ID and session ID, which are used to analyze website usage, track sessions, and understand user interactions to help improve our services. For more information on how we manage cookies and similar technologies, please see our Cookie Policy.

• Commercial Information: Services used, subscriptions, agreements, and payment transactions.
• Communications Data: Records of conversations (including call recordings), information you submit via surveys or contact forms.

You are under no statutory or contractual requirement or obligation to provide us with your personal information; however, we require at least the information above to interact with you as a prospect or service user in an efficient and effective manner.

3. How We Collect and Use You Information

In most instances we collect personal information directly from you via our website or through other communications that we have with you. In other instances, we may collect personal information from your employer (if you are working for one of our customers), public forums (e.g., social media), at events to which we are affiliated, and so on.

Our website is not intended for or targeted at children, and we do not knowingly or intentionally collect personal data about children. If you believe that this website has collected data about a child, please contact us, so that we may delete the personal data.

We will only process your personal information when the law allows us to do so. Most commonly, we will use your personal information either:

• With your consent;
• To perform a contract with you;
• To fulfill our legal obligations; or
• To fulfill our legitimate business interests.

‍

3.1 Purposes of Our Processing

We may use your data in the following ways:

4. With Whom We May Share This Information

We will not share your information with any third parties for the purposes of direct marketing.

We may share your personal data with other organizations in the following circumstances:

• If the law or a public authority says we must share the personal data;
• If we need to share personal data to establish, exercise, or defend our legal rights (this includes providing personal data to others for the purposes of preventing fraud and reducing credit risk);
• If we need to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements;
• From time to time, to employ the services of other parties for dealing with certain processes necessary for the operation of the website. However, all the information we share will be collected and anonymized, so neither you nor any of your devices can be identified from it.
• We use data processors who are third parties who provide elements of services for us. This could include data storage and analytics companies, technology support and services (Email, web hosting, marketing and advertising providers, etc.) We will have Data Processor Agreements in place with our data processors prior to disclosure of your personal data. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organization apart from us or further sub-processors who must comply with our Data Processor Agreement. They will securely hold your personal data and retain it for the period we instruct.
• We may share your information with our parent, affiliates, and subsidiaries for operational purposes (i.e., to ensure that we can fulfill our services to you accurately and efficiently), as well as for marketing purposes, notification about events, or recruiting purposes. We will have Intra-Company Data Processor Agreements, including “standard contracting clauses” in place between our parent, affiliates, and subsidiaries prior to disclosure of your personal data.

5. How We Protect the Transfer of Your Data

Your personal data may be stored in your region or in any other country where we, or our service providers, have facilities. We may also allow employees and service providers located around the world to access personal data as provided in this notice. If you are in the UK or the EU, we will ensure your legal rights and protections travel with any such “transfer” of your personal data outside the UK/European Economic Area (EEA). We do this by signing our certification to the Data Privacy Framework (see 5.1 below) and “standard contractual clauses” that give personal data the same protection it has in the UK/EEA.

5.1 Data Privacy Framework

Lighthouse complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Lighthouse has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. Lighthouse has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S.DPF. If there is any conflict between the terms in this privacy notice and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Lighthouse commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU and UK individuals and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF should first contact Lighthouse using the contact information in this privacy notice.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Lighthouse commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF to BBB National Programs, an alternative dispute resolution provider based in  the United States, the European Union, the United Kingdom, and/or Switzerland (as applicable) If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit Data Privacy Framework Services - For Consumers (https://bbbprograms.org/programs/all-programs/dpf-consumers.) for more information or to file a complaint. The services of BBB National Programs are provided at no cost to you.

• With respect to personal data received or transferred pursuant to the Data Privacy Frameworks, Lighthouse is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission.
• Lighthouse’s accountability for personal data that it receives in the United States under the DPF and subsequently transfers to a third party is described in the DPF Principles. In particular, Lighthouse remains responsible and liable under the DPF Principles if third-party agents that it engages to process personal data on its behalf do so in a manner inconsistent with the DPF Principles, unless Lighthouse proves that it is not responsible for the event giving rise to the damage.
• We will provide an individual opt-out choice, or opt-in for sensitive data, before we share your data with third parties other than our agents, or before we use it for a purpose other than which it was originally collected or subsequently authorized. To request to limit the use and disclosure of your personal information, please submit a written request to Lighthouse.
• If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. Read more information on this process.

In the Lighthouse privacy policy (lighthouseglobal.com/privacy-policy), your organization must:

• Inform individuals about the U.S. entities or U.S. subsidiaries of your organization also adhering to the DPF Principles.

Lighthouse Document Technologies is the Parent company for the following fully owned U.S. subsidiaries who adhere to the EU-U.S. DPF Principles, including as applicable under the UK extension to the EE-U.S. DPF Principles and are covered under our DPF certification:

• Liffey Thames Group, LLC, d/b/a Discovia
• Please contact BBB IRM services, our alternative dispute resolution provider free of charge to address any complaints.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Lighthouse commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of human resources data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF in the context of the employment relationship.

6. How We Keep You Updated on Our Products and Services

We will send you relevant news about our products and services in a number of ways including by email, but only if you have previously consented to receive these marketing communications or, in some jurisdictions, where we have a legitimate interest to send them. When you register with us, we will ask if you would like to receive marketing communications, and you can change your marketing choices online or in writing at any time.

If you wish to amend your marketing preferences, you can do so by clicking on this link.

7. Your Rights Over Your Information

You have a number of rights over how we manage your personal information. If you would like to exercise any of these rights, please contact our Data Privacy Team using the contact details in this notice. We may ask you for information to confirm your identity when responding to any such requests. We will typically respond to your requests within one month from the confirmation of your identity, unless we require additional time and are entitled to this as per Data Protection Legislation.

Under certain circumstances, by law you have the right to: 

7.1 Right to Be Informed About Our Collection and Use of Personal Data

You have the right to be informed about the collection and use of your personal data. We ensure we do this through this privacy notice and our internal data protection policies.

7.2 Right to Access Your Personal Information

You have the right to access the personal information that we hold about you in many circumstances, by making a request. This is sometimes termed ‘Subject Access Request.’

7.3 Right to Rectify Your Personal Information

If any of the personal information about you that we hold is inaccurate, incomplete, or out of date, you may ask us to correct it.

7.4 Right to Stop or Limit Our Processing of Your Data

You have the right to object to us processing your personal information for particular purposes, to have your information deleted if we are keeping it too long, or to have its processing restricted in certain circumstances.

7.5 Right to Erasure

You have the right to have your personal data erased. This is also known as the ‘right to be forgotten.’ The right is not absolute and only applies in certain circumstances.

7.6 Right to Portability

The right to portability gives you the right to receive personal data that you have provided to a controller in a structured, commonly used, and machine-readable format. It also gives you the right to request that a controller transmits this data directly to another controller.

7.7 Rights in Relation to Automated Processing

An automated decision is one that is made by systems rather than a person. Under Data Protection Legislation, you have the right to express your concerns and object to a decision taken by purely automated means. You also have a right to request that a person review that decision. This right is unlikely to apply to Lighthouse’s use of your data, as any automated processing we carry out is unlikely to make decisions and would include human intervention. If you would like to discuss this in further detail, please contact us as set out above.

7.8 For More Information About Your Privacy Rights in the UK and the EU

For more information regarding your rights please contact us using the contact information provided in this notice. You can obtain additional information from supervisory authorities. For example, the ICO regulates data protection and privacy matters in the UK. They make a lot of information accessible to consumers on their website: https://ico.org.uk/for-the-public. If you are based anywhere else within the EU (or EEA), a list of supervisory authorities can be found here: https://edpb.europa.eu/about-edpb/board/members_en.

You can make a complaint to a supervisory authority at any time about the way we use your information. However, we hope that you would consider raising any issue or complaint you have with us first. Your satisfaction is extremely important to us, and we will always do our very best to solve any problems you may have.

8. How Long We Keep Your Information

We retain a record of your personal information in to provide you with a high-quality and consistent service. We will always retain your personal information in accordance with the Data Protection Legislation and will never retain your information for longer than is necessary.

To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means.

9. Giving Your Review and Sharing Your Thoughts

When using our websites, you may be able to share information through social networks like Facebook, LinkedIn, and Twitter. For example, when you ‘like,’ ‘share,’ or review our services. When doing this, your personal information may be visible to the providers of those social networks and/or their other users. Please remember it is your responsibility to set appropriate privacy settings on your social network accounts so you are comfortable with how your information is used and shared on them.

10. Security

Data security is of great importance to us, and to protect your data we have put in place suitable physical, electronic, and administrative controls to safeguard and secure your collected data. 

We take security measures to protect your information, including:

• Limiting access to our buildings to those that we have determined are entitled to be there (by use of passes, key card access, and other related technologies)
• Implementing access controls to our information technology
• Using appropriate procedures and technical security measures to safeguard your information across all our computer systems, networks, websites and offices
• Certification to security frameworks in place across our organizational network, including SOC2 and ISO 27001.

11. What Happens if Our Business Changes Hands

We may, from time to time, expand or reduce our business, and this may involve the sale and/or the transfer of control of all or part of our business. Any personal data that you have provided will, where it is relevant to any part of our business that is being transferred, be transferred along with that part; and the new owner or newly controlling party will, under the terms of this Lighthouse Privacy Notice, be permitted to use that data only for the purposes for which it was originally collected by us.

12. Changes to Our Lighthouse Notice

We may change this Lighthouse Privacy Notice from time to time (for example, if the law changes). We recommend that you check this Lighthouse Privacy Notice regularly to keep up-to-date.

13. Consumer Privacy Act

States that have signed privacy legislation that are either currently in effect or slated for everyone to be in compliance/full effect in the next two years. Below is a list that is up to date as of (March 20, 2024).

1. California
2. Colorado
3. Connecticut
4. Delaware
5. Indiana
6. Iowa
7. Montana
8. New Hampshire
9. New Jersey
10. Oregon
11. Tennessee
12. Texas
13. Utah
14. Virginia

To stay up to date on US State Privacy Legislation, visit the IAPP Tracker (iapp.org)

13.1 Your California Rights

This section applies only to California consumers. It describes how we collect, use, and share California consumers' Personal Information in our role as a business, and the rights applicable to such residents. The California Consumer Privacy Act ("CCPA") requires businesses to disclose whether they sell Personal Data. Lighthouse is a business, it and does not sell Personal Data. We may share Personal Data with third parties if those third parties are authorized service providers or business partners who have agreed to our contractual limitations as to the irretention, use, and disclosure of such Personal Data. If you are unable to access this Privacy Policy due to a disability or any physical or mental impairment, please contact us and we will arrange to supply you with the information you need in an alternative format that you can access.

For purposes of this section "personal information" has the meaning given in the CCPA.  

13.1.1 How We Collect, Use, and Share Your Personal Information

We may have collected the following statutory categories of Personal Information in the past twelve (12) months:

• Your name
• Address
• Telephone number(s)
• Email address
• Survey responses
• IP address
• Browsing and search history for pages you visit on our websites

The business purposes for which we collect this information are described in Section 1 of this Privacy Policy. The categories of third parties to whom we disclose this information for a business purpose are described in Section 2 of this Privacy Policy.

13.1.2 Right to Access Your Personal Information

You have the right to access the personal information that we hold about you in many circumstances, by making a request. If we agree that we are obliged to provide personal information to you (or someone else on your behalf), we will provide it to you free of charge.

13.1.3 Right to Deletion

You have the right to have personal data deleted. The right is not absolute and only applies in certain circumstances.

If you would like to exercise this right, please contact us as set out in Section 12.

13.1.4 Right to Non-discrimination

The right to non-discrimination means that you will not receive any discriminatory treatment when you exercise one of your privacy rights.

13.2 How to Exercise Your California Rights

You can exercise your rights yourself or you can alternatively designate an authorized agent to exercise these rights on your behalf. Please note that to protect your personal information, we will verify your identity by a method appropriate to the type of request you are making. We may also request that your authorized agent have written permission from you to make requests on your behalf, and we may also need to verify your authorized agent's identity to protect your personal information. To contact us to exercise your rights, please see Section 14.

Processor Compliance Statement

Lighthouse (referred to as “We, “Our,” or “Us”) is committed to ongoing compliance with the principles of the General Data Protection Regulation (GDPR) and upholding our obligations under the Data Protection Act 2018 and any other relevant data protection legislation or regulations (“Data Protection Law”) that apply to our processing of personal data when acting on behalf of our clients.

For further details regarding how we manage our own data protection requirements as a controller, please see our Privacy Policy.

1. Our Commitment to Data Protection as a Processor

Lighthouse is dedicated to ensuring the protection and security of the personal data we are directed to process on behalf of our clients at all times. We have established an effective framework for monitoring compliance and implementing best practices across all of our processing functions.

The purpose of this statement is to inform our clients of the actions we have undertaken and measures we have put in place to ensure we uphold our responsibilities as a processor.

2. Data Protection Management

As part of our commitment to ensuring compliance with Data Protection Law and assisting our clients with any data protection matters, we have appointed a Data Protection Officer who can be contacted via the following means:

Email: advice@dpocentre.com
Telephone: 0203 797 1289

It is the ongoing responsibility of our Data Protection Officer to monitor Lighthouse’s ongoing data protection practices to ensure we meet our obligations to data subjects, our clients, our legal obligations, and our supervisory authority.

With the help of our Data Protection Officer, we maintain a suite of policies, privacy notices, and standard operating procedures we have created to protect the personal data we process on behalf of clients. These policies are available on request. Our staff receive regular training on these policies and are expected to confirm their compliance with them as part of their ongoing job role. Our staff also receive data protection awareness training and will operate under a contractual duty of confidentiality at all times.

We record all of our processing activities undertaken on behalf of clients, and at the end of our contract with you, all personal data will be returned and deleted from our systems within 30 days.

3. Security Accreditations

Globally, Lighthouse operates an Information Security Management System which conforms to the requirements of ISO 27001 and is certified by is certified by A-Lign Assurance LLC. This provides external verification of the measures we have taken to ensure we hold all information – including the personal data that we process on behalf of our clients – securely.

In addition, for our US operations, Lighthouse has achieved SOC 2 compliance, which ensures that we are securely processing and managing the data of our clients, protecting their interests, and respecting the privacy of clients’ customers. For our UK operations, Lighthouse has achieved Cyber Essentials compliance, which ensures that we are protected against the vast majority of common cyber attacks.

4. Technical and Organizational Security Measures

In addition to implementing and maintaining our accreditations, we ensure technical and organizational security measures are in place to meet the requirements of Data Protection Law.

We encrypt all data at rest and in transit using strong encryption, typically AES-128 or higher. We use external data centres which are ISO 27001 accredited.

All servers are protected by industry standard firewalls and access monitoring with IP blocking capabilities.

We restrict access to personal data being processed to only those members of staff who are required in the provision of services to our clients. Access to our production environment is controlled by multi-factor authentication methods and passwords regulated by an automated password policy. Employee logins and network (including cloud systems) access is examined frequently, and abnormal activity is monitored and flagged automatically.

All data held on behalf of our clients is backed up periodically to a secure backup solution and maintained on a 30-day rolling retention period.

5. Breach Management and Assistance

We have created and implemented a detailed Data Protection Policy and Breach Notification Policy which covers our breach identification and reporting procedures to our clients and to our supervisory authority, if required.

Lighthouse maintains an active breach log to record all actual and suspected data breaches of personal data.

6. Transfer of Data and Sub-processors

Lighthouse will only transfer data outside of the EEA/UK when protected by an appropriate safeguard, of which we will inform you as part of our contractual agreement or otherwise prior to the transfer.

We may use a limited number of sub-processors to provide services to you, as outlined in your agreement for services. We will only engage a sub-processor with a written contract which imposes the same data protection obligations as are contained in the agreement between you and Lighthouse. We will only use sub-processors who are able to provide sufficient guarantees that the requirements of the Data Protection Law will be met and the rights of data subjects protected. We will keep you informed about the sub-processors we use. Lighthouse has appropriate written contracts with all of its sub-processors.

7. Your Responsibilities as Data Controller

Clients of Lighthouse will normally act as controllers for any personal data processed by Lighthouse as part of our service to you.

As a controller, it is your responsibility to comply with your obligations under any applicable Data Protection Law. Controllers’ obligations may relate to the main GDPR principles including lawfulness, fairness and transparency, purpose limitation, data minimization, and accuracy, as well as fulfilling data subjects’ rights with respect to their data. Lighthouse will only ever act upon the written instructions of our clients and ensure we inform our clients if we consider that any of these instructions risk compliance with Data Protection Law.

If we receive communications from your customers that relate to your activities as a data controller, we will inform you as soon as possible.