Privacy Policy

Effective: December 2025

1. Introduction

This Privacy Policy explains how Bright Machine Ltd ("we", "us", "our"), trading as LightFAQ, collects, uses, and protects your personal information when you use our FAQ management platform and related services (the "Service").

Bright Machine Ltd is the data controller responsible for your personal data. We are registered in England and Wales with company number 7611291, and our registered address is Market, 133a Rye Lane, London, England, SE15 4BQ. Our VAT number is 130801753.

We are committed to protecting your privacy and handling your data in an open and transparent manner in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Information We Collect

We collect the following categories of information:

Account Information

When you create an account, we collect your name, email address, and password (stored in encrypted form). If you sign up using Google OAuth, we receive your name and email address from Google.

Team and Organisation Data

If you create or join a team, we collect team names, member roles, and invitation details.

FAQ Content

We store the FAQ content you create, including questions, answers, sections, and any associated metadata such as creation dates and authorship.

Usage and Analytics Data

We collect information about how you and your visitors use the Service, including search queries entered on your FAQ pages, page views, feature usage, and technical information such as browser type and device information.

Payment Information

Payment processing is handled by Stripe. We do not store your full credit card details. We receive and store only limited payment information from Stripe, such as the last four digits of your card, card type, and billing address for invoicing purposes.

3. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Service
  • Process your subscription payments and manage your account
  • Enable AI-powered features such as semantic search and content suggestions
  • Send you service-related communications (e.g., account verification, billing notifications, security alerts)
  • Respond to your enquiries and provide customer support
  • Analyse usage patterns to improve and develop new features
  • Detect, prevent, and address technical issues and security threats
  • Comply with legal obligations

4. AI and Automated Processing

LightFAQ uses artificial intelligence to enhance the Service. This section explains how we process your data using AI:

Semantic Search

Your FAQ content (questions and answers) is processed by OpenAI's embedding models to create mathematical representations (embeddings) that enable intelligent search functionality. This allows your visitors to find relevant answers even when they use different words than those in your FAQ.

AI-Powered Suggestions (Paid Plans)

For paid plan subscribers, we analyse search queries that don't return results to suggest new FAQ content you might want to add. This processing uses OpenAI's language models.

Data Handling by AI Providers

When we send data to OpenAI for processing, it is transmitted securely and processed in accordance with OpenAI's data usage policies. OpenAI does not use data submitted through their API to train their models. We only send the minimum data necessary to provide the AI features.

6. Data Sharing and Third Parties

We share your personal data with the following categories of third parties:

Service Providers

  • Stripe: Payment processing. Stripe handles all payment transactions and stores payment card details in accordance with PCI-DSS standards.
  • OpenAI: AI processing for semantic search and content suggestions.
  • Amazon Web Services (AWS): Cloud infrastructure hosting via Laravel Cloud, with servers located in the EU-West (London) region.

Legal Requirements

We may disclose your information if required to do so by law, or if we believe in good faith that such action is necessary to comply with legal obligations, protect our rights or property, or ensure the safety of our users.

7. International Data Transfers

Our primary data storage is in the United Kingdom (AWS EU-West London region). However, some of our service providers, including Stripe and OpenAI, may process data in the United States.

Where we transfer personal data outside the UK, we ensure appropriate safeguards are in place, such as standard contractual clauses approved by the UK Information Commissioner's Office (ICO), or transfers to countries with adequate data protection laws.

8. Data Retention

We retain your personal data for as long as necessary to fulfil the purposes for which it was collected:

  • Account Data: Retained for the duration of your account. When you cancel your subscription or delete your account, you have 30 days to export your data before it is permanently deleted.
  • FAQ Content: Retained for the duration of your account and deleted within 30 days of account closure.
  • Analytics Data: Search query analytics are retained for up to 90 days for active accounts.
  • Billing Records: Retained for 7 years after the end of the financial year in which the transaction occurred, as required by UK tax law.

9. Your Rights

Under the UK GDPR, you have the following rights regarding your personal data:

  • Right of Access: You can request a copy of the personal data we hold about you.
  • Right to Rectification: You can ask us to correct inaccurate or incomplete data.
  • Right to Erasure: You can request deletion of your personal data in certain circumstances.
  • Right to Restrict Processing: You can ask us to limit how we use your data.
  • Right to Data Portability: You can request your data in a structured, commonly used, machine-readable format.
  • Right to Object: You can object to processing based on legitimate interests.
  • Right to Withdraw Consent: Where processing is based on consent, you can withdraw it at any time.

To exercise any of these rights, please contact us at [email protected]. We will respond to your request within one month.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection. You can contact the ICO at ico.org.uk or by calling 0303 123 1113.

10. Cookies

We use cookies and similar technologies to operate the Service. Cookies are small text files stored on your device.

Essential Cookies

These cookies are necessary for the Service to function and cannot be disabled. They include session cookies for authentication and security, and cookies that remember your preferences.

Managing Cookies

You can control cookies through your browser settings. However, disabling essential cookies may affect the functionality of the Service.

11. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit using TLS/SSL
  • Encryption of data at rest
  • Secure password hashing
  • Regular security assessments and updates
  • Access controls limiting data access to authorised personnel

12. Children

The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately at [email protected] and we will take steps to delete such information.

13. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a prominent notice on the Service prior to the change becoming effective. We encourage you to review this page periodically for the latest information on our privacy practices.

14. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us:

Bright Machine Ltd

Market, 133a Rye Lane
London, England, SE15 4BQ

Email: [email protected]

Company Number: 7611291
VAT Number: 130801753