Privacy Policy
Last Updated: May 18, 2025
Velora Studios, LLC (“Velora,” “we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use the LatchLoop application and related services (the “Service”). It also describes your rights and choices regarding your personal information. Velora Studios, LLC is a Delaware, USA company (business address: 16192 Coastal Highway, Lewes, Delaware 19958, United States).
By using LatchLoop, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree, please discontinue use of the Service.
We collect various types of information from and about users of our Service, including:
- Account Information: When you register for LatchLoop, we collect personal identifiers such as your name, email address, and password. If you sign up via a third-party OAuth provider (e.g. GitHub), we receive your name and email and an authentication token from that provider.
- Profile Data: You may provide additional information like a display name or profile details. We also store settings and preferences (e.g. theme selection) associated with your account.
- Project and Task Data: The Service allows you to create projects and tasks, which may include content entered by you (such as task descriptions, notes, attachments, or code snippets). This data is stored to provide the Service’s core functionality.
- Third-Party Integration Data: If you choose to integrate your ClickUp or GitHub account with LatchLoop, we will collect data from those services on your behalf. For example:
  - GitHub Integration: We may access your repository information, file structure, and content (including code) in read-only fashion to analyze code structure and associate commits with tasks. We store your GitHub OAuth token and repository selections securely.
  - ClickUp Integration: We store the API key you provide for ClickUp and retrieve task information (such as task names, statuses, and content) from your ClickUp workspace to display and link within LatchLoop. ClickUp webhook payloads (task updates) are received via our proxy and forwarded to our backend for processing.
- Payment Information: If you subscribe to a paid plan, our third-party payment processor (Stripe) will collect and process your payment card information. Velora itself does not store your full credit card details. We do keep records of your subscription status, plan, and transaction history (e.g. that a payment was made, amount, and date) for billing and account management.
- Usage Data: We automatically collect information about how you access and use the Service:
  - Device and Log Data: When you use LatchLoop, our systems and third-party analytics (PostHog) may collect technical data such as your IP address, browser type, device type, operating system, referring URLs, and timestamps of access. We also log certain actions you take in the app (e.g. login events, task creation) for security, auditing, and analytics purposes.
  - Analytics Data: We use PostHog (an analytics tool) to gather data on feature usage, page views, button clicks, and other interaction events. This helps us understand user engagement and improve the product. Analytics data is typically aggregated and does not include personally identifying details beyond possibly user IDs or hashed identifiers.
- Cookies and Similar Technologies: We use cookies and local storage in the client application to provide and personalize the Service:
  - Essential cookies/local storage are used to maintain your login session (e.g. storing an authentication token provided by our backend) and to remember preferences (such as UI theme or other settings).
  - Analytics cookies (or local storage tokens) are used by our analytics provider (PostHog) to distinguish unique users and track usage over time. These may assign a random identifier to your browser. No third-party advertising cookies are used, and we do not use cookies for advertising purposes.
You can control or delete cookies through your browser settings. However, note that core functionality (like staying logged in) may require these technologies, and disabling them may affect your experience.
We use the collected information for the following purposes:
- Providing and Improving the Service: We process your personal data to create your account, authenticate you, and operate the LatchLoop platform’s features. For example, we use your task and project data to display and organize your projects, and your integration data to fetch and show relevant external information (like GitHub repository file trees or ClickUp tasks). We also analyze usage data and user feedback to improve Service functionality, performance, and UI/UX.
- AI Feature Operation: LatchLoop includes AI-powered features (such as code analysis or task suggestions) which send certain data to OpenAI (or Azure OpenAI) for processing. For instance, when you invoke an “AI analysis” on a code snippet or task, the relevant content (e.g., code or text) is sent securely to the AI API, and the AI’s response is returned to the app. We use your data in this context solely to provide the requested AI functionality. (See Third-Party Services below for more on how AI providers handle this data).
- Payment Processing and Account Management: If you are a subscriber, we use information like your Stripe customer ID, subscription plan and status to manage billing. Personal data is used to send you invoices, receipts, or notifications about your subscription. (All sensitive payment details are handled by Stripe on our behalf).
- Communication: We may use your contact information (email address) to send essential Service-related communications. These include confirmations (e.g., email verification, password reset links), transactional emails (billing receipts, changes to our terms or policies), and important announcements about security or performance issues. We do not send marketing or promotional emails unrelated to the Service without consent.
- Customer Support: If you contact us for support, we will use the information you provide (which may include your contact info and the content of your inquiry) to assist you and resolve issues. We may also review relevant account and usage information to troubleshoot problems.
- Security and Fraud Prevention: Personal data (especially usage and log data) is used to monitor for suspicious or unauthorized activities. This includes detecting fraudulent logins or abuse of the Service (for example, excessive API usage or content that violates our policies). We use automated tools and manual review to maintain the security and integrity of our platform. If necessary, we may use data like IP addresses or account activity to block malicious behavior and protect our infrastructure.
- Legal Compliance: We may process and retain personal information as needed to comply with legal obligations, such as financial record-keeping laws, tax requirements, or responding to lawful requests by public authorities. For example, transaction records are kept for accounting and auditing, and we might retain data if required by law enforcement or regulators (subject to proper process).
We will not use your personal data for purposes incompatible with those above without asking for your consent. In particular, we do not sell your personal information or use it for third-party advertising. We do not use any content you provide (including code or task descriptions) to train our own or third-party machine learning models, aside from sending it to the integrated AI service to fulfill your specific requests.
We share your information with third parties only in the following circumstances:
- Subprocessors (Service Providers): We use trusted third-party vendors to operate or support aspects of our Service. These subprocessors process data under our instructions and in compliance with this Privacy Policy. Key subprocessors include:
  - Supabase: Provides our primary application infrastructure – the database that stores your account, tasks/projects, and integration tokens, as well as authentication and serverless functions. Supabase has access to data you store in our databases for hosting and backup purposes.
  - Vercel: Hosts our frontend web application and an API proxy. Data (including ClickUp webhook payloads and some user usage data) may transit through Vercel’s servers as part of normal operation. Vercel may process certain technical and log information for deployment and content delivery.
  - Stripe: Processes all payments and subscription billing information. When you enter payment details, those are transmitted directly to Stripe. Stripe may receive personal identifiers (name, email) and payment information to process transactions on our behalf. We share minimal data with Stripe as needed (e.g., your user ID or email to associate payments).
  - OpenAI (and Azure OpenAI): Provides the AI engine for LatchLoop’s AI features. Content you choose to send for AI processing (such as code or text prompts) will be relayed to OpenAI’s API servers (or to Microsoft Azure servers if using Azure OpenAI). OpenAI will process that data and return a result. OpenAI represents that customer API data is not used to train their models and is stored on U.S. servers. If Azure OpenAI is used, data is stored and processed in the Microsoft Azure region configured for our account (which may be in the US or EU). These providers act as processors for the content we send; they do not get any more of your personal info than necessary to fulfill the AI request.
  - PostHog: We use PostHog for product analytics. PostHog collects usage event data (as described in Usage Data) on our behalf. This may involve storing cookies or identifiers in your browser and sending analytics data to PostHog’s servers. Our PostHog instance is currently hosted in the United States (AWS US data center), so usage data (which may include pseudonymous user IDs or IP address) is processed in the US. PostHog does not share this data and only we can access it for analysis.
  - GitHub: If you connect GitHub, we integrate with GitHub’s API to retrieve your data. We use the GitHub OAuth service to authenticate you – this will send you to GitHub to log in and authorize our app. Upon authorization, GitHub provides us with your basic profile info (name, email, GitHub username) and an API token. We store that token to fetch repository and code information. GitHub may independently collect some data (such as that you authorized our app). We treat GitHub as a service provider in that we use their API to process your data, but note that GitHub is a separate platform with its own privacy practices.
  - ClickUp: If you use our ClickUp integration, we act as an intermediary between you and ClickUp. We store your ClickUp API key and preferences. ClickUp sends task update events (webhooks) to our proxy (hosted on Vercel) which we then forward to our backend on Supabase. In this process, ClickUp will process and transmit content from your tasks to us. ClickUp stores your task data on their servers per their own privacy policy, and we do not control ClickUp’s use of data. We only store the portions of ClickUp data needed for the integration (e.g., selected ClickUp Task IDs, team and project IDs for linking) and the latest webhook payload for processing. ClickUp’s customer data is hosted on AWS and can reside in different regions depending on your ClickUp workspace settings (e.g., US or EU).
We have Data Processing Agreements in place with relevant subprocessors as required by law (for example, with Stripe and others). These vendors are authorized to use your data only as necessary to provide their services to us. They are not permitted to use your data for their own marketing or other purposes.
- Affiliates: Velora Studios, LLC may share data with our affiliated companies (under common ownership) if any exist in the future, but any such entity will adhere to this Privacy Policy. (Currently, Velora does not have any corporate affiliates processing user data).
- Business Transfers: If we are involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, sale of company assets, or transition of service to another provider, your information may be disclosed to an acquiring entity or its advisors. We will ensure any such entity is bound by confidentiality and will honor the commitments of this Privacy Policy regarding your personal data.
- Legal and Safety Disclosures: We may disclose your information if required to do so by law or in the good faith belief that such action is necessary to: (a) comply with a legal obligation, such as a subpoena, court order, or government demand; (b) protect and defend our rights or property, or the rights, property, or safety of our users or others; (c) investigate fraud, security, or technical issues; or (d) enforce our Terms of Service and other agreements or to respond to claims regarding content violation of third-party rights.
- With Your Consent: We may share your personal data with third parties for purposes other than those listed above if you give us explicit consent to do so. For example, if you opt-in to a new integration that requires data sharing or you request us to share data with a third-party service, we will do so only with your authorization.
We do not sell personal information to third parties. We do not share your personally identifiable information with advertisers or unrelated third parties for their own marketing purposes.
4. Third-Party Services and Links
Our Service contains integrations or links to third-party services that are not operated by Velora. If you click a link to an external site or authorize a third-party integration, any data you provide to those external services is governed by their privacy policies, not ours. For example:
- GitHub and ClickUp: When you connect these services, you will interact with their systems (e.g., OAuth pages) directly. Any information those platforms collect from you (such as your login credentials or any data on their side) is subject to GitHub’s and ClickUp’s own privacy policies. We recommend reviewing GitHub’s Privacy Statement and ClickUp’s Privacy Policy before enabling these integrations.
- OpenAI API: The content sent to the OpenAI or Azure OpenAI API is subject to OpenAI’s API data usage policies. OpenAI’s policy states that API data is not used for training without consent and is retained only for a limited time for abuse monitoring. However, if you use the AI features, you are allowing us to send your data to this external service for processing.
- Stripe Checkout: For payments, you may be redirected to Stripe’s hosted checkout or payment pages. Personal and payment information entered on those pages is collected directly by Stripe under their Privacy Policy.
- External Links: Our website or app might include links to external websites (for example, a “Help Center” or documentation site, or blog content). If you follow a link to a third-party site, that site’s privacy practices apply.
Velora is not responsible for the privacy practices of third parties. We encourage you to read the privacy statements of any third-party services you use in connection with LatchLoop.
5. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes we collected it for, including to satisfy any legal, accounting, or reporting requirements:
- Account Data: Information associated with your account (profile, projects, tasks, etc.) is kept until you delete your account. If you choose to delete your account, we will delete or anonymize personal data within a reasonable period, except for information we are required to retain by law or for legitimate business purposes. Note that data you provided to third-party integrations (like tasks still stored in ClickUp, or code in GitHub) will remain on those external services under their control even after your account with us is deleted.
- Transactional Data: Subscription and payment records are retained for the duration of your subscription and a period thereafter (at least 5 years) in accordance with financial regulations and our accounting needs.
- Logs and Analytics: Application logs (which may include IP addresses and usage events) are generally retained for 90 days for security analysis and then securely deleted or anonymized, unless we need to retain them longer to investigate specific incidents. Analytics data collected via PostHog is retained in aggregate form to allow product improvement analyses. We periodically review and purge identifiable analytics data, and we honor deletion requests (see Your Rights below) that include analytics identifiers.
- Backup copies: Our database (hosted on Supabase) performs backups which are retained for a short duration (generally less than 30 days) before automatic rotation. If you delete data from the Service, it may remain in encrypted backups temporarily until those backups expire, but it will not be active in the production system.
- AI Query Data: Content sent to the AI API is not stored on our servers beyond any ephemeral caching needed for the feature. However, such content might be stored by OpenAI for a short period (OpenAI’s policy is to retain API data for 30 days for abuse monitoring unless you have a special enterprise arrangement). We do not separately log the contents of your AI prompts in a way that identifies you, aside from transient logs for debugging which are periodically cleared.
When we have no ongoing legitimate business need to process your personal information, we will delete it or anonymize it. If deletion is not immediately feasible (for example, because the data is stored in backups), we will securely store and isolate it from further use until deletion is possible.
6. Data Security
We implement a variety of technical and organizational security measures to protect your personal data:
- Encryption: All network communication with our Service (website and APIs) is encrypted via TLS (HTTPS). Sensitive data (such as passwords and API keys) is stored encrypted or hashed. For instance, passwords are hashed using a strong hashing algorithm and never stored in plain text. Integration tokens and secret keys are encrypted at rest in our database.
- Access Controls: Access to user data within Velora is restricted to authorized personnel who need to access it for their job duties (e.g., technical support or engineering). Our team members are bound by confidentiality obligations. We follow the principle of least privilege and use role-based access controls for our systems.
- Secure Infrastructure: We rely on reputable cloud providers (Supabase/AWS, Vercel) that maintain robust physical and network security. These providers are SOC 2 Type II certified or equivalent and provide secure data centers. We utilize firewalls, network segmentation, and monitoring tools provided by these platforms to prevent unauthorized access.
- Development Practices: We conduct code reviews and testing to identify and fix security vulnerabilities. We keep our software frameworks and dependencies up to date with security patches. We also utilize environment isolation (separate development and production environments) and secrets management to safeguard production data.
- Monitoring and Logging: Our systems are monitored for unusual activity. Administrative access to key systems is logged. We utilize security alerts from our subprocessors (e.g., Supabase and Vercel) to learn of any suspicious access. In the event of any data breach or security incident affecting your personal data, we will notify affected users and the appropriate authorities as required by law.
- User Responsibilities: You also play a role in keeping your data safe. Please maintain a strong, unique password for LatchLoop and do not share it. Notify us immediately if you suspect any unauthorized access to your account.
No method of transmission over the internet or electronic storage is 100% secure, so while we strive to protect your data, we cannot guarantee absolute security. However, we continuously work to update and improve our security measures to handle new threats as they arise.
7. International Data Transfers
Velora is based in the United States, and our Service is primarily operated and hosted in the U.S. If you are located outside the United States, be aware that your personal information will be transferred to and stored in the United States and possibly other jurisdictions. These countries may have data protection laws that are different from (and potentially less stringent than) the laws of your country.
When we transfer personal data from the European Economic Area (EEA), United Kingdom, or Switzerland to the U.S. or other countries, we take steps to ensure appropriate safeguards are in place to protect your information as required by applicable law. These measures include:
- Standard Contractual Clauses: We have executed EU Standard Contractual Clauses (SCCs) with our non-EU subprocessors where applicable, to contractually require that your data receives an adequate level of protection.
- Data Privacy Framework: Our company or certain subprocessors may participate in the EU-U.S. Data Privacy Framework or similar schemes once applicable (we will update this policy accordingly if we join such frameworks).
- Explicit Consent: In certain cases, we rely on your explicit consent for cross-border data transfers when other legal mechanisms are not available.
By using the Service or providing us with information, you consent to the transfer of your personal data to the United States and other jurisdictions as described in this Policy.
If you are an EU/EEA user, you have the right to request details of the safeguards we use for such transfers. Please contact us if you require more information.
8. Your Rights and Choices
Depending on your jurisdiction, you have certain rights regarding your personal data. We are committed to honoring your rights and providing you control over your information. These rights may include:
- Access and Portability: You have the right to request a copy of the personal data we hold about you and to obtain it in a commonly used electronic format. Most of your account data can be viewed directly by logging into your LatchLoop account. For any additional data or a comprehensive export, you can contact us.
- Rectification: If any of your personal information is inaccurate or incomplete, you have the right to ask us to correct it. You can update your basic account information (like your name or email) through your profile settings. For other corrections, contact our support.
- Deletion: You have the right to request deletion of your personal data. You can delete projects or tasks individually at any time. To delete your entire account and associated data, you may use any provided account deletion function in the app or contact us at the email below. We will proceed to erase your data, except for information we are required or permitted to retain (see Data Retention above). Keep in mind that deletion is permanent and you will lose access to the Service.
- Objection to Processing: You may have the right to object to certain processing activities or ask us to restrict processing. For example, you can opt out of analytics tracking by enabling a “Do Not Track” setting or contacting us to set an internal flag to exclude your data from PostHog analytics. You can also object to any direct marketing (though we currently do not use your data for marketing without consent).
- Withdraw Consent: If we rely on your consent for any specific processing (e.g., integration with a third-party or optional data collection), you can withdraw that consent at any time. For instance, you can disconnect a third-party integration (GitHub, ClickUp) via the settings; this will stop our access to new data from that service. Withdrawing consent will not affect the lawfulness of processing based on consent before its withdrawal.
- Automated Decision-Making: LatchLoop does not make any legally significant decisions about you purely by automated means. If that changes, you would have the right to human review of such decisions.
To exercise any of these rights, please contact us at the contact information provided below. We will verify your identity (to protect your privacy) and respond within the timeframe required by applicable law (for example, within 30 days for EU requests, and 45 days for CCPA requests, with possible extension).
Your California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) as amended by the CPRA:
- Right to Know: You can request information about the categories of personal information we have collected about you, the categories of sources, the business purpose for collection, the categories of third parties with whom we share personal information, and specific pieces of information we hold about you.
- Right to Delete: You can request that we delete personal information we have collected from you (subject to certain exceptions similar to those under “Deletion” above).
- Right to Correct: You can request correction of inaccurate personal information.
- Right to Opt-Out of Sale/Sharing: We do not sell personal information as defined by CCPA, nor do we share it for cross-context behavioral advertising. Therefore, there is no need to opt out of sale or sharing in our case. We also do not collect or use sensitive personal information for purposes beyond what is necessary to provide the Service (thus we do not offer a “limit use of sensitive information” option, as we only use it for legitimate purposes you expect).
- Non-Discrimination: We will not discriminate against you for exercising any CCPA rights. For example, we will not deny you service or provide a different level of quality because you made a privacy request.
If you are a California resident and would like to exercise your rights, please contact us with your request (see contact info below). We may need to verify your California residency and identity to process certain requests. If you prefer, you may designate an authorized agent to make requests on your behalf, but we will require proof of the agent’s authority and your identity.
We have provided the categories of personal information we collect and how we use and share them in this Privacy Policy (which serves as our CCPA privacy notice). In summary, we collect identifiers (like name, email, IP), customer records information (for billing), commercial information (subscription details), internet/electronic activity (usage data, logs), and potentially inferences from analytics. These are used for the business purposes described above. We do not “sell” this information under CCPA definitions.
Your GDPR Rights (for EU/EEA, UK, Switzerland)
As an individual in the European Union (or similar jurisdictions like the UK or Switzerland), you are entitled to the rights detailed in the Your Rights and Choices section above (access, correction, deletion, objection, etc.). You also have the right to lodge a complaint with your local Data Protection Authority (DPA) if you believe we have processed your personal data unlawfully or not complied with your data protection rights. We kindly request that you contact us first so we can address your concerns directly.
Our legal bases for processing your data under GDPR are as follows:
- Contractual Necessity: Most data processing is to provide the Service you requested (Art. 6(1)(b) GDPR). For example, we need your email to create your account, or need to process task data to provide the application’s functionality.
- Legitimate Interests: We process certain data for our legitimate interests (Art. 6(1)(f)), such as improving the Service (analytics), securing our platform, and providing customer support. We ensure that these interests are balanced with your rights. We do not use legitimate interest as a basis where your privacy rights outweigh our interest.
- Consent: Where we ask for consent (e.g., optional integrations, sending data to AI services, or certain cookies in jurisdictions where consent is required), the legal basis is your consent (Art. 6(1)(a)). You can withdraw consent at any time as noted.
- Legal Obligation: Some processing is done to comply with laws (Art. 6(1)(c)), for instance retaining transaction records for tax law, or verifying identity for fraud prevention.
If you have any questions about your rights or our legal bases, you can contact us using the information below.
9. Children’s Privacy
Our Service is not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. If you are under 13, you should not create an account or use our Service. Additionally, if you are between 13 and 16 years old (or a minor under the laws of your jurisdiction), you must have your parent or guardian’s permission to use LatchLoop, and we recommend that they supervise your use.
If we learn that we have inadvertently collected personal data from a child under 13 (or under 16, where applicable law provides a higher age threshold) without proper consent, we will take steps to delete that information as soon as possible. If you believe we might have any information from or about a minor, please contact us so that we can investigate and address the issue.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make changes, we will revise the “Last Updated” date at the top of this policy. If the changes are material, we will provide a more prominent notice (such as on our website or via email notification).
We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. Continued use of the Service after any update to this Privacy Policy will constitute your acceptance of the changes, to the extent permitted by law.
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, you can contact us at:
Velora Studios, LLC
Attn: Privacy Team
16192 Coastal Highway
Lewes, Delaware 19958
United States
Email: [email protected] (Please include “Privacy Inquiry” in the subject line)
We will respond to your inquiries as promptly as possible. Your privacy is important to us, and we welcome your feedback.