Privacy Policy
Last updated: June 9, 2026
1. Who We Are and What This Covers
Headlight ("Headlight," "we," "us," or "our") provides AI-powered client software for advisory firms, law firms, family offices, and other professional services firms (the "Service"). This Privacy Policy describes how we collect, use, and share personal information when you visit our website at withheadlight.com, use the Service, or otherwise interact with us.
Headlight plays two distinct roles with respect to personal information, and it is important to understand the difference:
- Headlight as a data controller. We decide how and why to process certain information, such as the account information of the professionals who use the Service, billing records, website visitor data, and communications with us. This Privacy Policy applies fully to that information.
- Headlight as a data processor (service provider). The documents, client records, and related information that our customers upload to or create in the Service ("Customer Content") are controlled by the customer firm, not by Headlight. We process Customer Content only on the customer's behalf and under the customer's instructions, as set out in our agreement with the customer. If your personal information appears in Customer Content (for example, because you are a client of an advisory firm that uses Headlight), the firm's own privacy practices govern that information, and you should direct privacy requests to that firm. Section 4 describes how we handle Customer Content.
2. Information We Collect
When we act as a data controller, we collect the following categories of information:
- Account information. Name, work email address, role, and organization details for the users our customers authorize to access the Service. Authentication is handled by our identity provider, WorkOS; we do not store passwords.
- Billing information. Organization name, subscription status, plan details, and usage metering. Payments are processed by Stripe; Headlight does not receive or store full payment card numbers.
- Communications. Messages you send us, including support requests, sales inquiries, and emails to our published addresses.
- Usage and device data. Log data generated when you use the Service or visit our website, such as IP address, browser type, pages viewed, timestamps, and error and performance diagnostics. We use this data for security, debugging, and operating the Service. Our website does not use third-party advertising trackers or third-party analytics cookies.
- Portal and link recipients. If a Headlight customer sends you a secure portal link (for example, to upload requested documents or to view records as an outside trustee), we collect the information needed to deliver and secure that experience, such as your email address, access events, and the content you submit. The content you submit becomes Customer Content controlled by the firm that requested it.
3. How We Use Information
We use the information described in Section 2 to:
- Provide, maintain, secure, and improve the Service;
- Authenticate users and enforce role-based access controls;
- Process subscriptions, billing, and usage metering;
- Send transactional communications such as invitations, notifications, document request emails, and account digests;
- Respond to support requests and other inquiries;
- Monitor for, investigate, and prevent security incidents, fraud, and abuse;
- Maintain audit logs of sensitive actions taken in the Service; and
- Comply with legal obligations.
We do not sell personal information, and we do not share personal information for cross-context behavioral advertising.
4. Customer Content We Process on Behalf of Customers
The core of the Service is helping firms organize and understand their client records. Customer Content may include documents (such as wills, trusts, tax returns, account statements, and operating agreements) and structured records about the people, households, trusts, entities, and transactions described in those documents. Customer Content may contain sensitive personal information, including names, contact details, dates of birth, family relationships, government identifiers, financial account details, and tax information.
With respect to Customer Content:
- We process it only to provide the Service to the customer and as instructed by the customer under our agreement with them;
- It is logically isolated per customer using database row-level security, encrypted at rest, and protected with additional field-level encryption for the most sensitive values (see Section 8);
- We do not use it to train AI models (see Section 5);
- We do not sell it or share it for advertising purposes; and
- We delete or return it in accordance with our agreement with the customer and Section 9 of this policy.
For customers that are financial institutions subject to the Gramm-Leach-Bliley Act, SEC Regulation S-P, or similar rules, we act as a service provider with respect to nonpublic personal information contained in Customer Content and handle it in accordance with our agreement with the customer.
5. AI Processing
The Service uses artificial intelligence to read documents, extract structured information, and answer questions grounded in a customer's own records. We designed this processing to keep Customer Content within our controlled infrastructure:
- Model inference runs in AWS. Document text and prompts are processed using foundation models through Amazon Bedrock within our AWS environment. Under AWS's service terms, content processed through Amazon Bedrock is not used to train or improve the underlying models and is not shared with model providers.
- No training on Customer Content. We do not use Customer Content to train, fine-tune, or improve any AI models, whether ours or a third party's.
- AI observability stays in our infrastructure. We monitor AI quality and performance using tooling hosted within our own AWS environment, not a third-party SaaS endpoint.
- Human review. AI-extracted information is presented to the customer's authorized users for review before it is committed to the client record. Authorized Headlight personnel may access Customer Content only when necessary to provide support, investigate security incidents, or as required by law, and such access is logged.
- Public reference search. If a user asks our assistant a question that requires public sources (for example, IRS guidance), the search query text is sent to a web search provider (Brave Search) to retrieve public results. Documents and client records are not sent to the search provider.
6. How We Share Information
We share personal information only as described below. We do not sell it or rent it to anyone.
- Service providers (subprocessors). We use a small set of vendors to operate the Service: Amazon Web Services (hosting, storage, encryption key management, transactional email via SES, and AI inference via Amazon Bedrock), WorkOS (authentication and identity), Stripe (billing and payments), Sentry (error and performance monitoring), Inngest (background job orchestration; job payloads are limited to bounded metadata such as record identifiers and counts, not document content), Ably (realtime in-app status updates; ephemeral event signals that may include file names and record display names, never document content), and Brave Search (public web search queries only, as described in Section 5). Each provider is bound by contractual obligations appropriate to the data it handles.
- Integrations you direct. If a customer connects a third-party service such as Box, Dropbox, Google Drive, or Google Calendar, we exchange data with that service as directed by the customer (for example, importing documents the customer selects). Access tokens for connected services are stored encrypted. The third party's own privacy policy governs its handling of data on its platform, and customers can disconnect integrations at any time.
- Within your organization. Information in the Service is visible to other authorized users of your organization according to the roles and permissions your organization configures, and to recipients of links your organization chooses to share.
- Legal and safety. We may disclose information if we believe in good faith that disclosure is required by law or legal process, or is necessary to protect the rights, safety, or property of Headlight, our customers, or others. Where legally permitted, we will notify the affected customer before disclosing Customer Content in response to a legal demand.
- Business transfers. If Headlight is involved in a merger, acquisition, financing, or sale of assets, information may be transferred as part of that transaction, subject to this policy and to confidentiality protections.
7. Cookies
We use only essential cookies: a session cookie that keeps you signed in and related cookies necessary for security (such as preventing cross-site request forgery). We do not use advertising cookies, and we do not respond differently to browser "Do Not Track" signals because we do not track users across third-party sites in the first place.
8. Security
We build the Service for firms that handle highly sensitive financial and estate information, and our security program reflects that:
- Encryption in transit (TLS) and at rest (AWS KMS) for all customer data;
- Additional application-layer field encryption (AES-256-GCM with KMS-backed keys) for the most sensitive values, such as contact details, extracted document text, and sensitive financial fields;
- Multi-tenant isolation enforced at the database layer with PostgreSQL row-level security;
- Role-based access control and audit logging of sensitive actions;
- API keys stored hashed, never in plaintext;
- Secrets and encryption keys managed in AWS Secrets Manager and KMS with least-privilege access; and
- A SOC 2-aligned control environment, including vendor and risk management.
No system is perfectly secure. If we learn of a breach affecting your personal information, we will notify affected customers and individuals as required by law. Security researchers and others can reach our security team at security@withheadlight.com.
9. Data Retention and Deletion
- Customer data is retained while the customer's account is in good standing, and for at least 30 days after termination so the customer can retrieve it or reactivate.
- Verified deletion requests are honored within 30 days for data that we have no legal or contractual obligation to retain. Deletion covers production systems, including database records, stored documents, and derived data such as extracted text, document chunks, and vector embeddings.
- Deleted data may persist in encrypted, access-controlled backups until those backups expire on our standard schedule; backups are not used to restore individually deleted records.
- Audit logs and security records are retained for at least one year.
To request deletion, contact privacy@withheadlight.com. If your information is part of Customer Content, we may refer your request to the controlling firm, since deleting it is their decision under our agreement with them.
10. Your Rights and Choices
Depending on where you live, you may have rights under state privacy laws (such as the California Consumer Privacy Act) or other applicable laws to access, correct, delete, or obtain a copy of your personal information, and to not be discriminated against for exercising those rights. Because we do not sell personal information or use it for targeted advertising, there is no sale or sharing to opt out of.
To exercise these rights for information that Headlight controls, email privacy@withheadlight.com. We will verify your request and respond within the time required by applicable law. If your request concerns information contained in Customer Content, please contact the firm you work with; we will support that firm in fulfilling your request.
You may also unsubscribe from non-essential emails using the link in those emails. Transactional messages (such as document requests and security notices) are part of the Service and cannot be opted out of while you use it.
11. Data Location
Headlight is based in the United States, and the Service is hosted in AWS data centers in the United States. If you access the Service from outside the United States, you understand that your information will be transferred to and processed in the United States. If we onboard customers subject to the GDPR or similar laws, we will put appropriate transfer mechanisms and data processing terms in place with those customers.
12. Children
The Service is for business use and is not directed to children, and we do not knowingly collect personal information directly from children. Customer Content may include information about minors (for example, as beneficiaries in estate documents); that information is controlled by the customer firm and processed only on its behalf.
13. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify customers through the Service or by email before the changes take effect, and we will update the "Last updated" date above. The current version always lives at this page.
14. Contact Us
Privacy questions and requests: privacy@withheadlight.com
Security: security@withheadlight.com
General: hello@withheadlight.com