Privacy Policy
Built in the EU, for the EU
Lantern is incorporated in Ireland, operates under EU law, and hosts all data on EU-based servers. Your data never leaves the European Union. We are not subject to US surveillance laws like the CLOUD Act.
Last updated: February 6, 2026
Who We Are
Lantern is operated by Lantern Technologies Limited, a company registered in Ireland under the laws of the European Union.
- Legal Entity: Lantern Technologies Limited
- Jurisdiction: Ireland (EU Member State)
- Data Controller: Lantern Technologies Limited
- Hosting Location: EU data centers (Germany/France)
- Governing Law: Irish law and EU regulations (GDPR)
Data Sovereignty
We take data sovereignty seriously. All customer data is:
- Stored in the EU: We use EU-based hosting providers (Hetzner in Germany, OVH in France)
- Processed in the EU: All data processing happens within EU borders
- Protected by EU law: Your data is governed by GDPR and Irish data protection laws
- Not subject to US law: We are not subject to the US CLOUD Act or other foreign surveillance laws
No US data transfers: We do not transfer, store, or process data in the United States or any non-EU country.
What Data We Collect
From Your Organization (Customer Data)
- Account information: Company name, billing email, admin contact details
- Billing information: Payment details (processed by Stripe, also EU-based)
- Usage data: Login times, feature usage, number of reports received
From Whistleblowers (Report Data)
- Report content: The text and files submitted by whistleblowers
- Conversation codes: Randomly generated codes (no email, no names, no accounts)
- Timestamps: When reports are submitted and viewed
- Metadata stripped: We automatically remove EXIF data from uploaded files
What we do NOT collect:
- Email addresses of whistleblowers
- IP addresses of whistleblowers (we do not log or store them)
- Device fingerprints or tracking identifiers
- Cookies on the reporting portal (only on your admin dashboard)
How We Use Your Data
- Provide the service: Store reports, enable communication, send notifications
- Billing: Process payments and send invoices
- Support: Respond to your questions and troubleshoot issues
- Compliance: Generate audit logs and compliance reports
- Security: Monitor for abuse, prevent fraud, protect against attacks
We do NOT:
- Sell your data to third parties
- Use your data for advertising
- Train AI models on your reports
- Share data with law enforcement without a valid EU legal order
Data Security
We employ industry-standard security measures:
- End-to-end encryption: Files are encrypted before leaving the whistleblower's device
- Zero-knowledge architecture: We cannot decrypt conversation codes or link reports to identities
- Data at rest encryption: All data is encrypted in our databases
- TLS/SSL: All connections use HTTPS with modern TLS protocols
- Regular security audits: Quarterly penetration testing by independent firms
- SOC 2 Type II: Planned (certification in progress)
Data Retention
- Active reports: Retained while your organization's subscription is active
- Closed reports: Retained for 7 years (EU Whistleblower Directive requirement)
- Account data: Retained while your subscription is active
- After cancellation: Data deleted after 90 days (or immediately upon request)
- Backups: Retained for 30 days, then permanently deleted
Your Rights (GDPR)
Under GDPR, you have the right to:
- Access: Request a copy of your data
- Rectification: Correct inaccurate data
- Erasure: Request deletion of your data ("right to be forgotten")
- Portability: Receive your data in a machine-readable format
- Restriction: Limit how we process your data
- Objection: Object to certain types of processing
- Withdraw consent: Withdraw consent at any time
To exercise these rights, email privacy@lanterneu.com
Third-Party Services
We use the following EU-based or GDPR-compliant services:
- Hosting: Hetzner (Germany) or OVH (France) - EU-based, GDPR-compliant
- Email: Resend (EU infrastructure) - for transactional emails
- Payments: Stripe (EU entity, EU data processing) - we never store card numbers
- Analytics: PostHog (EU cloud, privacy-first) - no third-party tracking
- Support: Plain (EU-hosted) - for customer support tickets
All third-party processors sign Data Processing Agreements (DPAs) with us and comply with GDPR.
Cookies
- Reporting portal: No cookies. Whistleblowers can submit reports without any tracking.
- Admin dashboard: Essential cookies only (session authentication). No advertising or analytics cookies.
- Marketing site: No tracking cookies. Privacy-first analytics (PostHog) with no cross-site tracking.
Data Breach Notification
In the unlikely event of a data breach, we will:
- Notify affected customers within 24 hours
- Report to the Irish Data Protection Commission within 72 hours (GDPR requirement)
- Provide details of the breach, affected data, and remediation steps
International Transfers
We do not transfer data outside the EU. All data stays within EU borders.
If we ever need to transfer data internationally, we will:
- Notify you in advance
- Use EU-approved transfer mechanisms (Standard Contractual Clauses)
- Ensure adequate data protection safeguards
Children's Privacy
Lantern is designed for business use. We do not knowingly collect data from individuals under 16 years of age. If you believe a child has submitted a report, contact us immediately.
Changes to This Policy
We may update this policy from time to time. If we make material changes, we will notify you via email and update the "Last updated" date at the top of this page.
Contact Us
For privacy questions or to exercise your GDPR rights:
- Email: privacy@lanterneu.com
- Data Protection Officer: dpo@lanterneu.com
- Postal Address: Lantern Technologies Limited, [Address], Dublin, Ireland
You also have the right to lodge a complaint with the Irish Data Protection Commission (DPC):
www.dataprotection.ie