Privacy Policy

Last updated: 19 June 2026

Lightfast Pty Ltd ABN 35 690 889 984 ("Lightfast", "we", "us", "our") is an Australian AI research lab.

This Privacy Policy explains how we collect, use, disclose, and protect personal information when you visit lightfast.ai, join a waitlist, subscribe to our newsletter, or communicate with us (together, the "Site").

Lightfast is based in Australia and is open to people around the world. We use the Australian Privacy Principles under the Privacy Act 1988 (Cth) as our baseline for handling personal information. Depending on where you live, additional privacy or data protection rights may also apply.

Lightfast currently operates this public website, waitlist, newsletter, and related communications. If we later offer apps, APIs, hosted services, or private previews, we may update this policy or provide additional privacy notices.

1. Information We Collect

1.1 Information You Provide

We collect personal information you choose to provide, including:

Waitlist information: email address, waitlist status, timestamps, invitation status, and related metadata. We use Clerk to manage waitlist entries.
Newsletter information: email address, subscription status, preferences, unsubscribe status, and email delivery metadata. We use Resend to send email.
Communications: name, email address, social handle, organisation, role, message content, and any other information you include when contacting us.
Feedback: comments, ideas, screenshots, bug reports, or other materials you send us.

Waitlist signup and newsletter subscription are separate choices. Joining the waitlist does not automatically subscribe you to the newsletter.

1.2 Information Collected Automatically

When you use the Site, we and our service providers may collect:

Hosting and security data: IP address, user agent, request URL, referrer, timestamps, headers, approximate location, device and browser information, and server logs.
Vercel Analytics and Speed Insights data: page views, routes, referrers, filtered query parameters, device type, browser, operating system, approximate geography, and performance metrics such as Core Web Vitals.
Vercel Observability data: traffic, performance, function, routing, and error information used to monitor the Site.
Sentry diagnostics data: error messages, stack traces, performance traces, browser and device details, request context, logs, IP address, user context where available, and sampled session replays. We configure Sentry session replay to mask all text and block media.
PostHog analytics data: page views, navigation events, referrers, device and browser information, approximate location, anonymous or pseudonymous identifiers, and other website analytics events. Our PostHog integration is designed for first-party analytics and uses a Lightfast /ingest proxy to PostHog's US cloud endpoints.

We do not use analytics tools for third-party advertising.

1.3 Cookies and Similar Technologies

The Site may use cookies, local storage, pixels, or similar technologies for:

Essential site operation, security, and fraud prevention.
Analytics and performance measurement.
Error tracking and diagnostics.
Remembering privacy or communication preferences.

Vercel Web Analytics is designed to work without third-party cookies and uses aggregated statistics. PostHog may use cookies or local storage depending on how it is configured. Where practical, we configure analytics to minimise personal information and respect consent or opt-out requirements that apply in your location.

1.4 Sensitive Information

We do not intentionally collect sensitive personal information through the Site, waitlist, or newsletter. Please do not send us sensitive information unless we specifically ask for it and explain why.

If we ever ask you to provide sensitive information, we will explain why and seek consent where required.

1.5 No Product Workspace Data

Because Lightfast is not currently operating a public product, we do not currently collect production workspace data, organisation data, API payloads, prompts, files, messages, or agent outputs through a public Lightfast app.

2. How We Use Information

We use personal information to:

Operate, secure, monitor, and improve the Site.
Manage waitlist entries and early access communications.
Send newsletter emails if you subscribe.
Respond to messages, questions, feedback, and requests.
Send research updates, technical writing, and related communications where you have asked to receive them.
Understand how people discover and use the Site.
Debug errors, measure performance, and protect against abuse.
Maintain records of consent, unsubscribe requests, and privacy requests.
Comply with legal obligations and protect our rights, users, and the public.

We do not sell personal information.

We do not use personal information collected through the Site, waitlist, newsletter, or direct communications to train general-purpose AI models.

We do not use personal information to make automated decisions that we expect to have legal or similarly significant effects on individuals. If this changes, we will update this policy.

3. Direct Marketing and Email

We may send marketing or newsletter emails only where we have consent or are otherwise permitted by law. Each marketing email will identify Lightfast and include a way to unsubscribe.

For Australian recipients, we aim to comply with the Spam Act 2003 (Cth), including by making unsubscribe instructions clear and honouring unsubscribe requests within the required timeframe.

Unsubscribing from marketing emails may not stop non-marketing messages, such as waitlist confirmations, administrative messages, security notices, or direct replies to messages you send us.

We disclose personal information only as needed for the purposes in this policy.

4.1 Service Providers

We use service providers to operate the Site, manage communications, and monitor reliability. These providers process information on our behalf or as otherwise described in their terms.

Provider	Purpose	Information Processed	Likely Processing Locations
Clerk	Waitlist management and future access control	Email address, waitlist status, identifiers, timestamps, invitation metadata	United States and other locations used by Clerk
Resend	Email delivery for waitlist, transactional, and newsletter emails	Email addresses, message content, delivery metadata, unsubscribe events	United States and other locations used by Resend
Vercel	Hosting, deployments, Web Analytics, Speed Insights, Observability, logs	Request data, page views, performance metrics, logs, approximate location, device and browser data	United States, European Union, and global infrastructure locations
Sentry	Error tracking, performance monitoring, logs, session replay	Error data, stack traces, request context, device and browser data, IP address, masked session replays	United States, European Union, and other locations used by Sentry
PostHog	Website analytics	Page views, events, referrers, identifiers, device and browser data, approximate location	United States by current configuration, or European Union if later configured
Better Stack / Logtail	Application logging and observability	Application logs, request context, operational metadata	United States, European Union, or configured data location

4.2 Legal, Safety, and Security

We may disclose information if we reasonably believe disclosure is necessary to:

Comply with law, regulation, legal process, or a government request.
Protect the rights, property, or safety of Lightfast, users, or the public.
Detect, prevent, or address fraud, abuse, security incidents, or technical issues.
Enforce our Terms of Use.

4.3 Business Transfers

If Lightfast is involved in a merger, acquisition, financing, restructuring, or sale of assets, personal information may be transferred as part of that transaction. We will take reasonable steps to ensure the information remains protected.

5. International Transfers

Lightfast is an Australian company. Our service providers may process information in Australia, the United States, the European Union, and other countries.

Where Australian privacy law applies to an overseas disclosure, we take reasonable steps designed to ensure overseas recipients handle personal information consistently with the Australian Privacy Principles. Where other privacy laws apply, we use appropriate safeguards where required.

Different countries may have privacy laws that are not equivalent to those in your location.

6. Security

We use technical and organisational measures designed to protect personal information, including:

TLS encryption for data transmitted to the Site.
Access controls for systems that store personal information.
Limited access to service provider dashboards.
Logging and monitoring for reliability and security.
Session replay masking for Sentry, with text masked and media blocked.
Data minimisation where practical.

No method of transmission or storage is completely secure. If we become aware of a data breach that is likely to result in serious harm and the Notifiable Data Breaches scheme applies, we will notify affected individuals and the Office of the Australian Information Commissioner as required.

7. Retention

We keep personal information only for as long as reasonably needed for the purposes described in this policy, unless a longer period is required or permitted by law.

In general:

Waitlist information is retained while the waitlist or early access process remains active, unless you ask us to delete it earlier and we are able to do so.
Newsletter information is retained while you remain subscribed. If you unsubscribe, we may keep limited information on a suppression list to avoid emailing you again.
Communications are retained while needed to respond, maintain business records, resolve disputes, or protect our rights.
Analytics, logs, diagnostics, and observability data are retained according to our settings and provider retention periods.

8. Your Choices and Rights

You may ask us to:

Access personal information we hold about you.
Correct inaccurate or incomplete personal information.
Delete personal information where we are able or required to do so.
Opt out of newsletter or marketing communications.
Withdraw consent where processing is based on consent.
Make a privacy complaint.

Depending on where you live, you may have additional rights under local privacy laws, such as rights to access, correct, delete, object to, restrict, or receive a copy of personal information. We will respond to requests as required by applicable law. We do not sell personal information or use it for third-party advertising.

To exercise privacy rights, contact legal@lightfast.ai. We may need to verify your identity before responding.

If you are in Australia and are not satisfied with our response to a privacy complaint, you may contact the Office of the Australian Information Commissioner.

9. Third-Party Links

The Site may contain links to third-party websites, communities, repositories, or services. We are not responsible for the privacy practices of those third parties. Review their privacy policies before providing them with personal information.

10. Children's Privacy

The Site is not directed to children under 16. We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, contact us and we will take reasonable steps to delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will update the "Last updated" date and may provide additional notice where appropriate.

12. Contact

For questions, privacy requests, or complaints, contact:

Lightfast Pty Ltd Email: legal@lightfast.ai Website: lightfast.ai