Organization: LTHS, Inc. (Litehouse)
Version: 3.0
Last Updated: April 2026
Applicable Frameworks: GDPR (EU Regulation 2016/679), UK GDPR and Data Protection Act 2018, EU-US Data Privacy Framework (DPF), UK-US Data Bridge, Standard Contractual Clauses (EU Commission Decision 2021/914), UK International Data Transfer Agreement (IDTA) / UK Addendum to EU SCCs, SOC 2 Type II.
LTHS, Inc. is a software company incorporated in the United States. We provide an enterprise data and analytics platform used by venue operators, live event businesses, and hospitality organisations.
This Privacy Policy explains how Litehouse collects, uses, and protects personal data in the context of operating and delivering our platform to enterprise clients, managing accounts, authentication, and platform access, and corporate activities including marketing, communications, and recruitment.
This Policy applies to personal data for which Litehouse acts as a data controller. Where Litehouse processes personal data on behalf of enterprise clients under their instruction, those clients are the data controllers and their own privacy policies apply to end-user data.
| Field | Details |
|---|---|
| Legal entity | LTHS, Inc. |
| Trading name | Litehouse |
| Registered address | 2753 Camino Capistrano, San Clemente, CA 92672 |
| privacy@litehou.se | |
| Website | litehou.se |
As a US-based organisation subject to EU GDPR, Litehouse has appointed GDPRLocal as its EU representative under Article 27 of Regulation (EU) 2016/679.
| Field | Details |
|---|---|
| Organisation | GDPRLocal Ltd |
| Address | Office 2, 12A Lower Main Street, Lucan Co. Dublin, K78 X5P8, Ireland |
| contact@gdprlocal.com | |
| Reference | LTHS, Inc. / Litehouse |
Litehouse has also appointed GDPRLocal as its UK representative under Article 27 of the UK GDPR.
| Field | Details |
|---|---|
| Organisation | GDPRLocal Ltd |
| Address | 1st Floor Front Suite, 27-29 North Street, Brighton, England, BN1 1EB |
| contact@gdprlocal.com | |
| Reference | LTHS, Inc. / Litehouse |
Litehouse is in the process of formally designating a Data Protection Officer. Until that appointment is complete, privacy-related enquiries should be directed to privacy@litehou.se.
This policy will be updated with DPO contact details upon appointment.
| Role | Context and Obligations |
|---|---|
| Data Controller | Litehouse acts as controller for personal data it collects and processes for its own purposes, including account management, Auth0 authentication, security monitoring, analytics, marketing communications, and corporate operations. |
| Data Processor | When processing personal data within customer-configured environments on behalf of enterprise clients, Litehouse acts under client instruction. The client is the data controller and Litehouse obligations are governed by the applicable Data Processing Agreement (DPA). |
Litehouse does not collect or control end-customer personal data processed within client-configured Customer Data Planes. That data is processed by Litehouse only as processor under client instruction.
| Purpose | Lawful Basis |
|---|---|
| Provisioning and managing platform access accounts | Contract |
| Auth0 authentication and session management | Contract |
| System operation, monitoring, and performance | Legitimate Interest |
| Security monitoring and incident response | Legitimate Interest |
| Audit logging for compliance and oversight | Legal Obligation / Legitimate Interest |
| Responding to enquiries and support requests | Contract / Legitimate Interest |
| Marketing communications to business contacts | Legitimate Interest (opt-out available at any time) |
| Compliance with legal obligations | Legal Obligation |
| Internal analytics to improve platform features | Legitimate Interest |
Where Litehouse relies on Legitimate Interest, a Legitimate Interest Assessment (LIA) has been or will be documented and is available on request.
In the course of the activities described above, Litehouse may disclose personal data to the following categories of third parties for the purposes indicated:
| Category of Recipient | Purpose of Disclosure |
|---|---|
| Cloud infrastructure provider (Microsoft Azure) | Hosting and operating the Litehouse platform, including data storage and compute services |
| Identity and authentication provider (Auth0 / Okta) | Processing authentication credentials and session management for platform access |
| Observability provider (Datadog EU1) | Processing platform performance telemetry and error logs (PII redacted at ingestion) |
| EU and UK Representative (GDPRLocal Ltd) | Receiving and forwarding data subject enquiries and supervisory authority communications on Litehouse's behalf |
| Professional advisors (legal counsel, auditors) | Providing legal advice, audit, and compliance services where disclosure is necessary |
| Marketing and communications tools | Sending marketing communications and managing contact preferences, where applicable and with appropriate consent |
| Law enforcement or regulatory authorities | Responding to lawful requests, court orders, or regulatory obligations |
Litehouse does not sell personal data. We require all third-party recipients to protect personal data in accordance with applicable data protection law and our contractual obligations.
LTHS, Inc. (Litehouse) complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF as set forth by the U.S. Department of Commerce. Litehouse has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. DPF Principles with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. If there is any conflict between this policy and the EU-U.S. DPF Principles, the Principles govern.
To learn more about the Data Privacy Framework Program and to view our certification, visit dataprivacyframework.gov.
Litehouse is US-incorporated. Personal data of EU and UK individuals may be transferred to and processed in the United States for operations, engineering and security support, and platform management.
| Mechanism | Application |
|---|---|
| EU-US Data Privacy Framework (DPF) | Litehouse participates in the EU-US DPF and is listed on the US Department of Commerce DPF Registry. |
| UK Extension to the DPF (UK Data Bridge) | DPF participation extends to UK personal data under the UK-US Data Bridge. |
| Standard Contractual Clauses (SCCs) | Where DPF coverage does not apply (or as supplementary protection), Litehouse uses the European Commission approved SCCs (2021/914). |
| UK IDTA / UK Addendum | For UK transfers not covered by the Data Bridge, Litehouse uses ICO-approved IDTA or the UK Addendum to EU SCCs. |
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Litehouse commits to refer unresolved complaints concerning our handling of personal data received in reliance on these frameworks to JAMS, an alternative dispute resolution provider based in the United States.
If you do not receive timely acknowledgment of your complaint, or if your complaint is not addressed to your satisfaction, visit jamsadr.com/DPF-Dispute-Resolution for more information or to file a complaint. JAMS services are provided at no cost to you.
If your DPF Principles-related complaint cannot be resolved through these channels, you may be eligible to invoke binding arbitration under the DPF Annex I arbitral mechanism. More information is available at dataprivacyframework.gov. Litehouse is subject to the investigatory and enforcement powers of the US Federal Trade Commission (FTC) with respect to DPF compliance.
For EU and UK customer deployments, personal data in Customer Data Planes is stored and processed in-region (EU or UK). Corporate support access is governed by zero-standing-access controls, JIT elevation, and full audit logging.
In cases of onward transfer of personal data received pursuant to the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Litehouse is potentially liable under the DPF Principles if third-party agents processing personal data on our behalf do so in a manner inconsistent with the DPF Principles, unless Litehouse proves it is not responsible for the event giving rise to the damage.
Litehouse enters into written agreements with third-party agents that receive personal data transferred under the DPF, requiring them to provide the same level of protection as the DPF Principles and notify Litehouse if they can no longer meet that obligation.
| Data Category | Retention Period |
|---|---|
| Platform account and authentication data | Duration of the client contract plus 12 months following termination |
| Platform usage and audit logs | 24 months from creation, unless longer retention is required by law or client DPA |
| Security and incident logs | 12 months from creation (or longer for active investigation or legal hold) |
| Marketing and communications data | Until consent is withdrawn or opt-out exercised, plus 6 months for suppression records |
| Correspondence and support tickets | 3 years from last communication |
| Legal compliance records | As required by law (typically 6-7 years) |
At the end of each retention period, data is securely deleted or anonymised according to Litehouse deletion procedures. Clients may request earlier deletion in accordance with their DPA.
| Right | What It Means |
|---|---|
| Access (Art. 15) | Request confirmation whether your data is processed and obtain a copy with usage information. |
| Rectification (Art. 16) | Request correction of inaccurate or incomplete data. |
| Erasure / Right to be Forgotten (Art. 17) | Request deletion where data is no longer necessary, consent is withdrawn, objection is upheld, or processing was unlawful. |
| Restriction of Processing (Art. 18) | Request restricted use while retaining data in limited circumstances. |
| Data Portability (Art. 20) | Receive personal data in a structured machine-readable format and transmit it to another controller, where applicable. |
| Object (Art. 21) | Object to processing based on legitimate interests; objection to direct marketing is absolute. |
| Withdraw Consent | Withdraw consent at any time where processing is consent-based. |
Contact privacy@litehou.se, or contact the EU/UK representative listed in Section 2. Litehouse responds within one calendar month, with a possible extension of up to two additional months for complex requests.
No fee is charged unless requests are manifestly unfounded or excessive.
For personal data held within a client deployment where that client is the data controller, rights should be exercised through the relevant client organisation. Litehouse assists clients as required by DPAs.
| Jurisdiction | Supervisory Authority |
|---|---|
| European Union | Competent EU Data Protection Authority in the Member State of residence, work, or alleged infringement (see edpb.europa.eu). |
| United Kingdom | Information Commissioner's Office (ICO): ico.org.uk, Tel: 0303 123 1113 |
| United States (DPF matters) | US Federal Trade Commission (FTC) - ftc.gov, or JAMS (see Section 6.2) |
Litehouse welcomes the opportunity to address concerns directly before a supervisory authority is contacted.
Litehouse implements appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, or destruction, including:
Security practices are subject to ongoing review and third-party audit. SOC 2 Type II certification is in progress.
The Litehouse public website at litehou.se may use cookies and similar tracking technologies. The platform, accessed through Auth0, uses strictly necessary cookies for session management and authentication.
Where non-essential cookies are used on the public website, Litehouse requests consent before placement. Consent can be withdrawn at any time via the cookie preference centre in the website footer.
A full Cookie Policy is available at litehou.se/cookies.
As a processor, Litehouse engages sub-processors to assist in platform delivery. Sub-processors are bound by contractual obligations equivalent to client DPA terms and are assessed for GDPR compliance.
Key sub-processors include:
A current sub-processor register is available to clients on request as part of their DPA process.
Litehouse may update this Privacy Policy from time to time to reflect changes in practices, legal obligations, or regulatory guidance. The Last Updated date at the top of this page indicates the most recent revision.
Material changes are communicated through appropriate channels. You are encouraged to review this Policy periodically.
| Contact Route | Details |
|---|---|
| General privacy enquiries | privacy@litehou.se |
| EU data subjects / EU supervisory authorities | contact@gdprlocal.com |
| UK data subjects / ICO | contact@gdprlocal.com |
| DPF complaints (JAMS) | jamsadr.com/DPF-Dispute-Resolution |
LTHS, Inc. (Litehouse) | privacy@litehou.se | litehou.se
Privacy Policy v3.0 - April 2026