top of page

Privacy Policy 

Effective date: 01 January 2026 
Controller: LIGHT AND SHADOWS – 22 quai Gallieni, 92150 Suresnes, France 
VAT: FR88510539414 – SIREN: 510539414 
Representative: Bertrand PIQUARD (CEO) 
DPO / privacy contact: dpo@ls-group.fr 
Website: https://www.ls-vdesign.fr 

1. Scope 

This policy explains how LIGHT AND SHADOWS (“we”, “us”) processes personal data on our corporate website and in the context of our B2B activities worldwide. The site targets business users; no minimum age requirement applies. 

2. Roles (Controller vs. Processor) 

  • Controller (we act as controller): relationship management, invoicing, marketing/prospecting, website forms, webinars, support. 

  • Processor (we act on our clients’ documented instructions): performance of services for clients (processing the client’s employees’ contact details as needed to deliver the services). If a client does not specify retention durations, we retain client data 12 months after contract end and then erase, keeping evidence of deletion. 

 

3. Data We Collect 

Depending on your interactions: 

  • Identity & contact: name, surname, email, telephone, company, job title, postal address. 

  • Contract & billing: invoicing data, contractual data, litigation-related data (B2B). 

  • Communications: messages via Contact and Request a demo forms, email exchanges, support tickets. 

  • Prospecting (B2B): business contact details of employees/contacts. 

  • Navigation (with consent): IP address, pages viewed, device/browser identifiers, cookie IDs (analytics only if you opt in). 

  • Events/Webinars: registration details (name, email, company), participation; recordings only with consent. 

  • Data enrichment (B2B): professional information (role, company, contact) from Zeliq and public sources. 

No sensitive data (health, biometrics, political opinions, etc.) are processed. 
 

4. Sources of Data 

  • Directly from you (forms, emails, support). 

  • Our commercial team and CRM entries (Sellsy). 

  • Event tools (Zoom, Microsoft Teams). 

  • Public/professional sources and enrichment (Zeliq). 

  • Website analytics and cookies (with consent). 
     

5. Purposes, Legal Bases, and Retention 

  • Execute services for clients 

  • Legal basis: performance of a contract (Art. 6(1)(b) GDPR) for contractual contacts; legitimate interest (Art. 6(1)(f)) for other involved employees. 

  • Retention: for the contract term; by default 12 months post-contract if not otherwise specified by the client. 
     

  • Contract management & billing 

  • Legal basis: contract + legal obligation (accounting/tax). 

  • Retention: contract records 5 years; accounting records typically 10 years (France). 
     

  • Prospecting (B2B) 

  • Legal basis: legitimate interest (Art. 6(1)(f)) for business outreach; easy optout. 

  • Retention: 3 years from last interaction. 
     

  • Forms (Contact / Request a demo) 

  • Legal basis: legitimate interest (responding to requests) or precontractual measures. 

  • Retention: 3 years for prospects; longer if converted to client (per above). 
     

  • Support & ticketing (Freshdesk) 

  • Legal basis: contract (clients) / legitimate interest (other inquiries). 

  • Retention: 12 months for noncontractual tickets; contract + up to 5 years for critical traces. 
     

  • Webinars / events (Zoom/Teams) 

  • Legal basis: legitimate interest (B2B enablement); consent if recording or marketing followups requiring optin. 

  • Retention: 12 months for attendee lists; recordings per consent and purpose. 
     

  • Analytics (GA4 via GTM) 

  • Legal basis: consent for nonessential cookies/analytics (via Wix CMP). 

  • Retention: GA4 cookies typically 6–26 months (depending on configuration). 
     

  • Server logs (site) 

  • Retention: typically 12 months. 
     

6. Cookies & Tracking 

  • Consent manager: Wix CMP (cookie banner). 
     

  • Categories:  

  • Essential (necessary): Wix cookies for site security and operation (legitimate interest). 

  • Analytics: Google Analytics 4 via GTM (consent required). We collect IP, pages, device/browser only after you consent. 

  • Marketing/ads: none currently; Google Ads may be added in the future (will require consent via CMP). 
     

  • You can change your choices anytime via the Cookie settings link provided by Wix CMP. 
     

7. Subprocessors and Recipients 

We use vetted providers to deliver the site and services: 

  • Wix (EU West): website hosting, forms, CMP. 

  • Microsoft Azure (EU West Europe): hosting services (occasionally). 

  • AWS (EUParis): storage, backups, project and technical logs. 

  • Gandi (EU): DNS/domain. 

  • Sellsy (EU/France): CRM, prospecting, emailing, optout tracking. 

  • Airtable (US by default): specific project tracking (limited scope). Uses SCC/DPA for international transfers. 

  • Zeliq (EU; enrichment): professional contact enrichment (legitimate interest; optout available). 

  • Freshdesk: support/ticketing (EU data center if enabled; otherwise SCC/DPA for transfers). 

  • Zoom / Microsoft Teams: webinars/meetings (EU data center when configured; otherwise SCC/DPA). 

  • Calendly (US by default): scheduling via external link (no widget on site). Uses SCC/DPA. 
     

We may share data with professional advisers (accountants, lawyers) and authorities where legally required. 
 

8. International Transfers 

We primarily host data in the EU (Wix, Azure, AWS EUParis, Sellsy, Gandi). 
For tools that may store/process data outside the EU (e.g., Airtable, Calendly, and certain configurations of Zoom/Freshdesk), we rely on Standard Contractual Clauses (SCC) and appropriate safeguards. We apply proportionate technical and organizational measures consistent with GDPR. 
 

9. Security & Breach Notification 

We implement appropriate technical and organizational measures to ensure confidentiality, integrity, availability, and resilience of processing systems; we maintain and update these measures over time. 
In case of a personal data breach, we will notify the client/controller without undue delay, assist with information required by GDPR Art. 33–34, and cooperate with authorities. We will propose remedial actions to identify, limit, or neutralize consequences. 
 

10. Your Rights 

Subject to GDPR conditions, you can request: 
 

  • Access, rectification, erasure, restriction, portability, and objection (including to B2B marketing). 

  • Withdraw consent at any time for analytics/marketing cookies. 

  • Lodge a complaint with the CNIL (France) or your local authority. 
     

How to exercise: email dpo@ls-group.fr
We aim to respond within 30 days and may verify your identity. 
 

11. Retention & Deletion 

We keep data only as long as necessary for the stated purposes or legal obligations: 

  • Prospects (forms/demo): 3 years from last contact. 

  • Contract/billing: 5 years (contract) / 10 years (accounting). 

  • Support (noncontractual): 12 months. 

  • Server logs: 12 months. 

  • Client data processed as processor: contract term; by default 12 months postcontract if no client instruction, then erasure (with evidence).
     

12. Subprocessor Management 

We may engage new or replacement subprocessors. For processing of personal data on behalf of a client, we provide prior notice and the client may object for just cause. We remain responsible for our subprocessors’ compliance. 
 

13. Updates 

We may update this policy to reflect operational or legal changes. We will indicate the effective date and, where material changes occur, inform users appropriately. 

Contact (privacy): dpo@ls-group.fr 

bottom of page