Privacy Policy
Last updated: December 9, 2025
This version replaces all previous versions of the Lightwave Privacy Policy.
We take your privacy extremely seriously.
This policy explains (in plain English) exactly what data we collect, why we collect it, how we use it (spoiler: barely at all), and what control you have.
1. The short version
- You own all of your notes, files, and ideas: always.
- We never read your private documents (unless you explicitly grant temporary support access, or if we are legally required to investigate abuse, security threats, or harmful content).
- We never sell your data.
- We never use your content to train AI or for advertising.
- We collect the absolute minimum needed to make Lightwave fast, reliable, and collaborative.
- You can delete everything permanently whenever you want (except where retention is legally required).
2. Who is responsible for your data
JV Multimedia, Inc. (Trading as Lightwave)
Moorpark, California, USA
hello@lightwave.so
3. What personal data we collect
| Data category | Legal basis (GDPR) |
|---|---|
| Account data | Contract performance |
| Billing data | Contract performance, legal obligation |
| Your content | Contract performance |
| Usage metadata | Legitimate interest |
| Real-time collaboration data | Contract performance |
| Guest / public link data | Legitimate interest |
| Cookies & local storage | Strictly necessary |
Account data
- Email address, encrypted password, name (optional), profile picture
- Needed so you can log in and we can reach you if necessary
- Kept until you delete your account. Deleted content and account data are removed from active systems immediately and permanently deleted from all backups within 30 days.
Billing data
- Handled 100 % by Paddle; we only receive a customer ID and subscription status
- Needed for charging and plan management
- Kept only as long as required by U.S. tax law for paid subscriptions (currently 7 years for paid accounts; free accounts have no long-term billing records retained).
Your content
- Everything you write, upload, or organise (documents, images, attachments, etc.)
- Needed to store it, sync it, and show it to people you explicitly share with
- Kept as long as you want, you can delete it forever anytime. Deleted content is removed from active systems immediately and from backups within 30 days.
Usage metadata
- Workspace/project/document IDs, timestamps, IP address, browser/device info
- Needed for security, abuse prevention, debugging, and performance improvements
- Server logs (including IP addresses): retained 90 days, then permanently deleted
- Aggregated, anonymised analytics: up to 12 months
Real-time collaboration data
- Who's currently viewing or editing, cursor positions, temporary editing locks (stored in Redis)
- Needed to show live cursors and prevent edit conflicts
- This data is never written to permanent storage and is not linked to long-term analytics
Guest / public link data
- Temporary guest session token, IP address, which public document was accessed
- Needed to allow access to documents you chose to share publicly
- Deleted immediately when the session ends
Cookies & local storage
- Authentication tokens, UI preferences, IndexedDB (your full offline copy)
- Needed so you stay logged in and the app works instantly
- Kept until you log out or clear your browser data
- We only use strictly necessary cookies; no consent banner is required
4. Version history
Lightwave stores version histories of your documents so you can go back to earlier revisions at any time. These versions are treated as part of Your Content, not as backups.
- We keep your document version history for as long as your account exists, unless you manually delete a document.
- When you delete a document, all of its versions are permanently deleted.
- When you delete your entire account, all of your documents and all associated version histories are permanently deleted from active systems, and removed from backups within 30 days.
Version history is never used for analytics or shared with any third parties. It exists solely so you can restore previous versions of your own work.
5. What we do NOT collect
- We do not collect or store your payment card details (Paddle handles that in a PCI-compliant way).
- We do not run cross-site tracking, fingerprinting, or advertising IDs.
- No employee or contractor can access your private documents for any reason unless (1) you explicitly grant temporary support access in writing, or (2) we are legally required to investigate security threats, abuse, or harmful/illegal content. In all other cases, your documents remain fully private and are never accessed.
6. How we use your data
Only to run the service, handle billing, keep everything secure, fix bugs, and occasionally send you important account emails.
7. Third parties we share data with (sub-processors)
- Paddle - Payment processing & tax compliance (United Kingdom, Ireland)
- Backblaze B2 - Image & attachment storage (USA)
- Amazon Web Services - Servers, databases, Redis, WebSockets (USA – us-west-2)
- Laravel Reverb - Real-time infrastructure (runs on AWS)
- Postmark / Mailgun - Transactional emails (USA)
- Sentry - Error monitoring (anonymised stack traces only, USA)
We review and publicly update this sub-processor list within 30 days any time we add, remove, or change a vendor.
All transfers are protected by the EU-US Data Privacy Framework, UK Extension, Swiss-US DPF, and Standard Contractual Clauses.
We only share the minimum amount of data required for these providers to perform their services, and each sub-processor is bound by a Data Processing Agreement (DPA) that ensures GDPR-level protection.
8. International data transfers
Lightwave is hosted in the United States. Transfers from the EU/UK/Switzerland are covered by the mechanisms listed above.
9. Security
- All data is encrypted in transit (TLS 1.3) and at rest (AES-256). This includes all backups.
- The production environment is only accessible by core engineers using hardware-bound 2FA keys.
- Regular third-party penetration tests and security audits.
- Public vulnerability disclosure policy - if you find something, email hello@lightwave.so and we'll fix it fast (and thank you).
- In the unlikely event of a data breach affecting your personal information, we will notify you and the relevant authorities within 72 hours as required by law.
10. Your rights
You have the right to access, correct, export, delete, object to, and restrict the processing of your personal data. Just email us and we'll take care of it (usually same day).
You can also export all your documents and projects at any time from within Lightwave.
Lightwave does not use automated decision-making or profiling that produces legal or significant effects on you.
If you're in the EU/UK/Switzerland and believe we haven't adequately addressed your concerns, you have the right to lodge a complaint with your local data protection supervisory authority.
California residents: we do not sell and do not “share” your personal information for cross-contextual advertising.
11. Children
Lightwave is not for anyone under 18. We've chosen this threshold to keep things simple and because our product is designed for professional use.
12. Public links
If you make something public, anyone with the link can see or edit it. That choice is yours alone. You can revoke a public link at any time, immediately removing access.
13. Changes to this policy
We'll give you 30 days notice by email + in-app for any material change.
14. Contact us
hello@lightwave.so - real humans.
☀
Thank you for trusting us with your ideas.
We will never betray that trust.
The Lightwave team
JV Multimedia, Inc.