Privacy Policy

Privacy Policy – Latch‑X

Effective date: 2025‑11‑23
Business name: Peter Kováč – Latch‑X
Company ID (IČO): 57092753
Address: Pri vinohradoch 269/G, 83106 Bratislava, Slovakia
Contact: support@latch-x.com

1. What Data We Collect

We may collect the following personal data:

• Account data: email address, name, billing details (via Lemon Squeezy)
• Usage data: YAML models submitted, simulations run, time spent
• Technical data: browser type, IP address, device information

We do not collect sensitive personal data (e.g. health, biometric, or special category data).

2. How We Collect It

• You provide data when signing up or uploading models
• Lemon Squeezy provides billing/subscription details
• Logs and analytics may be generated automatically by our backend systems

3. Why We Collect It (Legal Bases)

We process your data to:

• Provide access to Latch‑X (Art. 6(1)(b) – contractual necessity)
• Manage subscriptions and licensing (Art. 6(1)(b))
• Analyze usage and improve the service (Art. 6(1)(f) – legitimate interest)
• Comply with tax and legal obligations (Art. 6(1)(c))
• Send optional updates or newsletters (if opted in) (Art. 6(1)(a) – consent)

4. Data Sharing & Processors

We may share your data with trusted service providers (“subprocessors”) who support the delivery of the Latch‑X service (e.g., billing, authentication, hosting, email delivery, logging/metrics, and security/CDN).

Our current list of subprocessors, including their roles and change history, is maintained at /legal/subprocessors.html.

OpenAI — AI assistant (on-demand only). When you use the assistant, we send your prompt and any content you explicitly include, plus minimal technical metadata (timestamps, request ID), to generate a response. We do not invoke the assistant or transmit your content in the background. Legal basis: Art. 6(1)(b) GDPR (performance of a contract — providing the requested feature). Retention: We do not persist prompts server-side beyond what’s necessary to return the result and operate the service; limited operational logs may exist for reliability and abuse prevention for a short period. See also Subprocessors.

We never sell or rent your data.

5. International Transfers

Some of our service providers are based outside the EU/EEA (e.g., Lemon Squeezy, Fly.io).

Transfers are based on Standard Contractual Clauses (EU 2021/914) or other legal safeguards to ensure your data is protected under EU law.

6. Your Rights (GDPR)

You have the right to:

• Access your personal data
• Request correction or deletion
• Object to or restrict processing
• Request data portability
• Withdraw consent at any time (e.g., for emails)
• Lodge a complaint with a supervisory authority

We will respond to any request within 30 days.

You may contact:

• Úrad na ochranu osobných údajov SR
• Hraničná 12, 820 07 Bratislava 27, Slovakia
• https://dataprotection.gov.sk

Residents of the EU may also raise concerns with their local supervisory authority.

7. Data Retention

• Account and billing data is kept while your account is active and for up to 10 years for tax purposes
• Simulation logs and temporary model data are auto-deleted after 60 days unless saved as part of a project
• Backups are purged within 60 days of deletion
• Operational logs (application, access, and error logs) are retained for a maximum of 60 days for security and troubleshooting, unless legally required otherwise.

8. Security Measures

We protect your data using:

• TLS-encrypted traffic (HTTPS)
• Encrypted data at rest
• Role-based access controls and audit logging
• Daily backups and monitored infrastructure
• Limited data access by design (least privilege)

9. Data Breach Notification

In the event of a personal data breach, we will notify the Slovak DPA and affected users within 72 hours, in accordance with Articles 33–34 GDPR, if legally required.

10. Cookies

We use only strictly necessary (essential) cookies required for the proper operation of the Latch-X website and application. These cookies do not require your consent and cannot be disabled without affecting the service’s functionality.

Types of essential cookies we use:

• Session cookies (Latch-X app) – e.g., latch-x_session, csrf_token; keep you logged in and protect against CSRF attacks (expire at the end of the session, or up to 24h if “remember me” is used).
• Cloudflare cookies – used to protect the website from attacks and ensure availability:
  • __cf_bm – bot management (approx. 30 minutes)
  • cf_clearance – remembers a successful security challenge pass (duration depends on Cloudflare settings)
  • __cfruid – rate limiting (session cookie)

These cookies are not used to track user behaviour and do not contain personal data beyond the technical identifiers required for operation.

We do not use analytics, marketing, or profiling cookies.

11. Changes to This Policy

We may update this Privacy Policy to reflect legal, technical, or operational changes.

You will be notified if changes significantly affect your rights or the use of your data.

12. Contact for Privacy Matters

For any questions, please email privacy@latch-x.com. We will respond within 30 days.

13. Change Log

– Updated retention windows to 60 days for temporary data, backups, and operational logs. 2025-11-23.

– Added Google Workspace (email hosting/communications) and replaced the in-document processor list with a link to the Subprocessors page. 2025-10-26.

– Initial release 2025-08-31.