Privacy Policy
Effective July 10, 2026
This policy describes what personal data [COMPANY LEGAL NAME] ("Lattice", "we", "us") collects when you use the Lattice platform, why we collect it, how long we keep it, and the choices you have. We collect the minimum we need to run the Service, and we do not sell personal data.
1. Data we collect
Account data. Your email address and a hashed password (or your identity provider reference), plus the organizations and projects you belong to.
Device telemetry. Metric values your devices publish, with device identifiers and timestamps. What those metrics contain is up to you — see the Terms for your responsibilities when telemetry includes personal data.
Storefront buyer data. When someone places an order on a public storefront we collect the name and email address they enter, and share them with the seller whose storefront it is. While checkout is in demo mode, no payment details are collected anywhere on the Service.
Operational logs. Request logs (IP address, user agent, timestamps) kept for security and debugging, and privacy-respecting page analytics (aggregate page views via Vercel Analytics — no cross-site tracking cookies).
2. How we use data
- to operate the Service: authentication, ingest, dashboards, rules, alerts, storefronts;
- to send transactional email (confirmation links, alert notifications you configure);
- to secure the Service: abuse detection, rate limiting, incident investigation;
- to understand aggregate usage of the marketing pages.
We do not use your telemetry or designs to train models, and we do not send marketing email without your consent.
3. Retention
Telemetry is retained for the period defined by your plan — 30 days on Free, 90 on Pro, 365 on Scale — and deleted on a rolling basis. Account, organization, design and storefront data are kept while your account exists. Operational logs are kept for up to 90 days. Deleted resources are removed from live systems immediately and from backups as the backup rotation expires.
4. Deletion and your rights
You can delete devices, designs, projects and organizations from the app at any time. To delete your entire account and its data, ask us — we will complete deletion within 30 days, keeping only what the law requires us to keep. Depending on where you live, you may also have rights to access, correct, export, or restrict processing of your personal data; we honor these requests regardless of jurisdiction where practicable.
Storefront buyers: order records belong to the seller you bought from; contact them first, and contact us if you need help reaching them or want your data removed from the platform.
5. Subprocessors
We use a small set of infrastructure providers to run the Service:
- Vercel — application hosting, edge network, and aggregate page analytics;
- Supabase — database, authentication, and storage.
We will update this list before adding a subprocessor that processes personal data.
6. Cookies
The Service uses cookies only for authentication sessions. There are no advertising or cross-site tracking cookies.
7. Security
All traffic is encrypted in transit (TLS). Tenant data is isolated with row-level security at the database, device credentials are scoped to a single device, and access to production systems is restricted to the operator. No system is perfectly secure — if a breach affects your personal data, we will notify you without undue delay.
8. Children
The Service is not directed at children and may not be used by anyone under 16 (or the minimum age in your jurisdiction).
9. Changes
We may update this policy from time to time. For material changes we will give at least 14 days' notice by email or in-app notice. The effective date at the top always reflects the current version.
10. Contact
Privacy questions and deletion requests: contact the operator via the email address published on the Service. ([COMPANY LEGAL NAME], [JURISDICTION].)