Data Policy

Light Strategy LLC — Dealership Suite Platform & Marketing Services  ·  Effective Date: May 15, 2026

This Data Policy explains how Light Strategy LLC ("Light Strategy," "we," "our," "us") handles information stored and processed on the Dealership Suite platform. This includes dealership data, lead information, user accounts, analytics, and communication logs.

1 What Data We Store

  • Account data: dealership profiles, user accounts, permissions, and subscription information.
  • Lead data: customer contact details, inquiry history, communication logs, vehicle interest, trade-in details, and follow-up status.
  • Inventory data: vehicle listings, pricing, photos, and availability information provided by or collected for the dealership.
  • Communication data: inbound and outbound texts, emails, call metadata, and, if enabled, AI-generated responses.
  • Website data: for dealership website customers, page content, brand assets, blog posts, and visitor analytics.
  • Usage data: device information, IP address, dashboard activity, and performance metrics.
  • Automation data: n8n workflow events, webhook triggers, and related metadata.
  • Third-party integration data: data received from connected platforms — including Meta/Facebook Lead Ad submissions, Page information, advertising performance data, Google Analytics, and Google Search Console — limited to what is necessary to deliver the requested service.

2 How Data Is Used

We use stored data to provide, maintain, and improve the Dealership Suite platform. This includes:

  • Routing and managing leads for dealerships.
  • Generating diagnostics, performance insights, and reporting.
  • Sending requested communications such as appointment reminders and follow-ups.
  • Powering AI features including chat, lead scoring, sentiment analysis, and response suggestions.
  • Syncing with integrated services like email providers, advertising platforms, and analytics tools.
  • Preventing fraud, abuse, and security threats.
  • We do not use data from Meta or other third-party integrations for advertising, profiling, or any purpose beyond the specific service requested by the dealership.

3 Where Data Is Stored

  • Primary hosting: servers located in the United States (Hetzner).
  • Database: MariaDB datastore with restricted access credentials.
  • Storage: AWS S3 for attachments, logs, and email files.
  • Email: Amazon SES for outbound messaging infrastructure.
  • Automations: n8n automation server hosted on a secured environment.
  • Telephony: Twilio infrastructure for SMS and calling services.
  • AI processing: OpenAI API for AI-generated content, with data processed in accordance with OpenAI's enterprise data policies.
  • CDN and DNS: Cloudflare for content delivery and DNS management.

f Facebook, Instagram, and Meta Data Storage

Meta Integration
When a dealership connects their Facebook Page and/or Instagram Business account to Dealership Suite, we store the following Meta-sourced data in our database on U.S.-based servers: Facebook Page ID, Instagram Business account ID, Lead Ad form submissions (mapped to our leads table), advertising performance metrics, post engagement metrics, post records for content the dealership has published through our platform, and an encrypted OAuth access token.
  • Access tokens are stored in encrypted form using industry-standard AES-256-GCM encryption. They are never stored in plain text.
  • Meta-sourced lead data is stored in the same leads table as all other leads, scoped to the dealership's account and never shared across dealerships.
  • Advertising performance data (spend, impressions, CTR) is stored temporarily for dashboard display and is refreshed on each session.
  • Content publishing records: we store records of posts the dealership has drafted, scheduled, or published through Dealership Suite to their Facebook Page or Instagram account. This includes caption text, hashtags, media references, scheduled time, published time, platform post IDs, and engagement metrics returned by Meta. These records exist solely to display the dealership's own publishing history within our platform.
  • We do not transfer Meta user data to data brokers, ad networks, or any party outside of the dealership's direct service.
  • Our use of Meta data complies with Meta's Platform Terms and Developer Policies.
  • Dealerships may disconnect their Facebook Page or Instagram account at any time. Upon disconnection, we stop collecting new Meta data and stop publishing on their behalf. To request deletion of existing Meta-sourced data, see the Data Deletion Requests section below.

3b Google and YouTube Data Storage

When a dealership connects their Google account to Dealership Suite, we store the following Google-sourced data based on the scopes they authorize: Google Analytics 4 property ID and aggregated daily metrics, Google Search Console site URL and query performance data, YouTube channel ID and uploaded video records, and encrypted OAuth access and refresh tokens.
  • Access tokens and refresh tokens are stored encrypted using AES-256-GCM. They are never stored in plain text.
  • Analytics data: we store aggregated daily totals (sessions, users, pageviews, conversions, traffic source breakdowns) and top page / top query summaries per dealership. We do not store individual visitor identifiers or raw event-level data from Google Analytics.
  • Search Console data: we store daily impression, click, position, and CTR aggregates along with top query and top page summaries.
  • YouTube publishing records: we store records of Shorts uploaded through Dealership Suite, including the source video reference, caption, scheduled time, published time, returned YouTube video ID, and engagement metrics returned by YouTube.
  • We do not use Google user data to train machine learning or AI models, do not sell or transfer Google data to third parties, and do not use Google data to serve advertisements.
  • Dealership Suite's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
  • Dealerships may revoke Google access at any time from within Dealership Suite or directly at myaccount.google.com/permissions. Upon revocation, we stop collecting new Google data and stop publishing on their behalf.

4 Security Practices

  • Encrypted transport for all dashboards, APIs, and webhooks (HTTPS/TLS).
  • Access controls and authentication for dealership users including session-based auth with secure cookies.
  • Two-factor authentication (TOTP) required for administrative platform access.
  • API key restrictions for automation and integration endpoints.
  • Database access limited to specific internal servers behind UFW firewall (ports 22, 80, 443 only).
  • Third-party OAuth tokens (including Meta and Google access tokens) stored in encrypted form (AES-256-GCM).
  • Regular monitoring for abnormal API or inbound message activity.
  • Audit logging for sensitive actions including impersonation, role changes, and account modifications.

5 Data Sharing

  • Dealerships: data is shared only with the specific dealership that owns the lead or account.
  • Service providers: infrastructure vendors such as hosting servers, email delivery services, SMS/telephony providers, and workflow systems — under written contract and limited to what is needed to deliver the service.
  • Legal compliance: information shared when required by law.
✓ We do not sell data to third parties.
Mobile phone numbers collected for SMS purposes are never shared with third parties or affiliates for marketing or promotional purposes. This restriction applies to all categories of SMS opt-in data.

6 Data Retention

  • Lead data is retained as long as the dealership remains active or until deletion is requested.
  • Communication records are retained for diagnostic and proof-of-delivery purposes.
  • Meta-sourced lead data follows the same retention schedule as all other lead data.
  • Encrypted Meta access tokens are deleted upon dealership disconnection or upon request.
  • Encrypted Google access and refresh tokens are deleted upon dealership disconnection or upon request.
  • Backups and logs may persist for a limited period for security and continuity.
  • Upon account termination, dealership data is retained for 30 days to allow export, then permanently deleted.

7 Your Rights and Choices

  • Request access, correction, or deletion of your data where applicable.
  • Opt out of text messages by replying STOP and request help by replying HELP.
  • Ask for account deletion or data export from your dealership's admin contact.
  • Request deletion of Meta-sourced data — see the section below for full instructions.
  • Request deletion of Google-sourced data (Analytics, Search Console, YouTube) — see the section below for full instructions.

Data Deletion Requests

How to Request Deletion of Your Data

If you have connected a Facebook, Instagram, or Google account to Dealership Suite and would like us to delete the data associated with that connection, follow the steps below. We will process all verified deletion requests within 30 days.

To request deletion of your data:

1

Send an email to info@lightstrategy.com with the subject line: "Data Deletion Request — Dealership Suite"

2

Include the following in your message: your dealership name, the email address associated with your Dealership Suite account, and the specific connection(s) you want deleted (Facebook Page name or ID, Instagram account handle, or the Google account email).

3

We will confirm receipt within 2 business days and complete the deletion within 30 days. We will send a confirmation email once deletion is complete.

What gets deleted upon request:

  • Your Facebook Page or Instagram account connection record and encrypted Meta access token stored in Dealership Suite.
  • Your Google account connection record and encrypted Google access and refresh tokens.
  • Any lead records in Dealership Suite that were sourced exclusively from your Meta Lead Ad forms (records with source = "Meta AIA").
  • Associated ad performance data cached from your Meta account.
  • Google Analytics, Search Console, and YouTube data cached from your Google account.
  • Social posting records (Facebook, Instagram, YouTube) published through Dealership Suite.

What is not deleted: leads that were entered manually or came from other sources, even if they overlap with Meta leads, and dealership account data not sourced from third-party platforms, remain unless you request full account deletion.

You can also disconnect any third-party account at any time from within your Dealership Suite account settings (Social Connections for Meta and Google, or Settings for analytics integrations). Disconnecting stops all future data collection from that provider but does not delete historical data already stored. To delete historical data, follow the steps above.

8 Processing Data for Dealerships

Light Strategy acts as a service provider or processor. The dealership controls the lead and customer information stored on the platform. We process that data based on the dealership's instructions and applicable agreements.

9 Updates to This Policy

We may update this Data Policy. Changes will be posted on this page with an updated effective date.

10 Contact

Questions about this policy can be sent to info@lightstrategy.com.

Effective Date: May 12, 2026  ·  Previous version: March 17, 2026  ·  Changes: Rebranded LeadOps to Dealership Suite; added website data category; added Twilio-required SMS data sharing language; updated infrastructure references.