Privacy Policy
Last updated February 15, 2026
This Privacy Policy explains how Lato Tec Inc. (“Lato,” “we,” “us,” or “our”) handles your data when you use the Lato Excel Add-in and our website at https://www.latotec.io.
Contact: legal@latotec.io | Lato Tec Inc., 251 Little Falls Drive, Wilmington, DE 19808, United States
Summary
- Conversation history (your prompts, AI responses, and referenced spreadsheet data) is stored to enable conversation continuity.
- Your data is not used to train AI models. Our AI provider (Anthropic) is contractually prohibited from using API data for model training.
- All connections are encrypted using HTTPS/TLS. Data at rest is encrypted with AES-256 by our infrastructure provider.
- We do not sell your data or share it for advertising.
- You can delete your data at any time by deleting conversations or requesting full account deletion.
1. Data we collect
- Account information: Email address used to create your account.
- Conversation content: Your messages, AI responses, spreadsheet data read for AI context, and any files you upload or the AI generates.
- Support requests: Communications when you contact us for help.
- Website analytics: Page views, feature usage, and user flows on our website and add-in via Vercel Analytics.
- Application monitoring: Error logs, performance data, and HTTP request traces via Logfire, when enabled. Monitoring data is used solely for debugging and reliability.
2. How we use your data
| Purpose | Details | Legal basis (GDPR) |
|---|---|---|
| AI processing | Process your prompts and conversation context through our AI provider to generate responses and complete tasks | Contract performance |
| Conversation continuity | Store conversation history so you can continue previous sessions | Contract performance |
| Account management | Maintain your account and authenticate your sessions | Contract performance |
| Analytics | Measure website and add-in usage to improve the product | Legitimate interest (product improvement) |
| Debugging and reliability | Use error logs and performance data to fix issues and improve stability | Legitimate interest (service reliability) |
| Legal compliance | Meet regulatory requirements and respond to legal requests | Legal obligation |
Providing your account information is necessary to use the service. If you do not provide it, we cannot create your account or deliver the service.
3. Data storage and retention
| Data | Storage | Retention |
|---|---|---|
| Account information | Supabase | While your account is active |
| Conversation history (messages, attachments, and AI-generated files) | Supabase | While your account is active, or until you delete a conversation |
- You can delete individual conversations at any time, which removes the conversation and all associated messages and files.
- You can request full account deletion by emailing legal@latotec.io. We will delete all your data from our systems within 30 days.
4. Third-party services (subprocessors)
We share your data with the following service providers, solely to operate the Lato service:
| Provider | Purpose | Data shared | Retention by provider |
|---|---|---|---|
| Anthropic (Claude API) | AI processing | Conversation content | Retained up to 30 days for safety and abuse prevention, then automatically deleted. Not used for model training. |
| Supabase | Database, authentication, file storage | Account data, conversation history | Customer-controlled (we control deletion) |
| Railway | Backend hosting | API requests, session data | Infrastructure provider. Data passes through but is not independently stored by Railway. |
| E2B | Sandboxed code execution | Code and data passed to Python execution | Ephemeral. Sandbox destroyed after use (max 24 hours). |
| Vercel | Website and add-in hosting, analytics | Page views, feature usage | Per Vercel’s retention policy |
| Logfire | Application monitoring | Error logs, performance traces | Per Logfire’s retention policy |
All providers are bound by data processing agreements.
5. Security and data location
- Infrastructure location: Our servers and database are hosted in the European Union. Data sent to our AI provider (Anthropic) for processing is transferred to the United States under Standard Contractual Clauses included in Anthropic’s data processing agreement. A copy can be requested by contacting legal@latotec.io.
- Encryption in transit: All data transmitted between your browser, the add-in, and our servers uses HTTPS/TLS.
- Encryption at rest: Our database provider (Supabase) encrypts all data at rest using AES-256.
- Access isolation: Row-level security policies ensure users can only access their own data.
- File access controls: Conversation files are stored in isolated per-user paths with time-limited signed URLs.
- Authentication: Secure token-based authentication.
6. Your rights
- Access: Request a copy of your personal data.
- Correction: Request correction of inaccurate data.
- Deletion: Delete conversations yourself, or request full account deletion via legal@latotec.io.
- Restrict processing of your data.
- Data portability: Request your data in a portable format.
- Object to processing based on legitimate interests.
- Lodge a complaint with your data protection authority (EU/UK residents).
7. Children’s privacy
Lato is not intended for anyone under 16. We do not knowingly collect data from minors. If you believe we have, contact us at legal@latotec.io.
8. Changes to this policy
We may update this policy to reflect changes in our practices or legal requirements. We will notify you by updating the “Last updated” date at the top of this page.