Privacy Policy

1.0 Introduction

Lattix Technologies Corp ("Lattix," "we," "us," or "our") is committed to protecting the privacy and security of personal information. This Privacy Policy describes how Lattix collects, uses, stores, shares, and protects personal information in connection with our website (lattix.io), platform, products, APIs, professional services, and related offerings (collectively, the "Services").

This Privacy Policy applies to all individuals who access or use our Services, including customers, prospective customers, website visitors, authorized users, API consumers, and individuals whose data is processed through the Services on behalf of our customers.

By accessing or using our Services, you acknowledge that you have read and understood this Privacy Policy. If you are a customer using Lattix to process personal data on behalf of your organization, this Privacy Policy supplements, but does not replace, any Data Processing Agreement ("DPA") or similar contractual terms between Lattix and your organization.

2.0 Information We Collect

2.1 Information You Provide Directly

We collect information that you voluntarily provide to us, including:

• Account registration information: name, email address, job title, organization name, phone number, and billing information.
• Communications: information provided when you contact us for support, submit inquiries, request demonstrations, or provide feedback.
• Contract and procurement information: information required to establish and administer customer accounts, subscription agreements, and government contract vehicles.
• Professional services engagement data: information shared during consulting, implementation, or advisory engagements.
• Event and marketing interactions: information provided when registering for webinars, conferences, or other events.

2.2 Information Collected Automatically

When you access our website or platform, we automatically collect certain technical and usage information, including:

• Device and browser information: IP address, browser type, operating system, device identifiers, and screen resolution.
• Usage data: pages visited, features accessed, actions performed, session duration, timestamps, and clickstream data.
• Log data: server logs, error reports, API call metadata, and authentication events.
• Cookies and similar technologies: as described in Section 8 of this Privacy Policy.

2.3 Customer Data

In its role as a data processor, Lattix processes data that customers upload, submit, or transmit through the platform ("Customer Data"). Customer Data is processed solely in accordance with the customer's instructions, applicable subscription agreement, and any executed Data Processing Agreement. Lattix does not access Customer Data for its own purposes except as necessary to provide, maintain, or secure the Services.

2.4 Third-Party Sources

We may receive information from third-party sources, including business intelligence providers, publicly available databases, government contract databases (e.g., SAM.gov, FPDS), and referral partners. This information is used to support business development, verify account information, and comply with legal obligations.

3.0 How We Use Your Information

Lattix uses collected information for the following purposes:

• Service delivery: to provide, operate, maintain, and improve the Services, including account provisioning, feature access, platform performance, and technical support.
• Security and integrity: to detect, prevent, and respond to security threats, fraud, unauthorized access, and platform abuse, and to maintain the integrity of the Services.
• Communications: to send transactional communications (account confirmations, security alerts, service notifications), and, where permitted, marketing communications about products, services, and events.
• Compliance: to comply with applicable laws, regulations, government requests, subpoenas, court orders, and contractual obligations, including obligations under government contracts.
• Analytics: to analyze usage patterns, platform performance, and business metrics to improve the Services and develop new features.
• Contract administration: to process payments, manage subscriptions, and administer customer accounts and government contract vehicles.
• Legal purposes: to establish, exercise, or defend legal claims, and to protect the rights, safety, and property of Lattix, our customers, and the public.

4.0 Legal Bases for Processing

Lattix processes personal information on the following legal bases, as applicable under the General Data Protection Regulation ("GDPR") and other data protection laws:

• Performance of a contract: processing necessary to perform our contractual obligations to you, including providing the Services and fulfilling subscription terms.
• Legitimate interests: processing necessary for our legitimate business interests, including platform security, fraud prevention, service improvement, and direct marketing, where such interests are not overridden by your fundamental rights and freedoms.
• Consent: where you have provided explicit consent to specific processing activities, such as marketing communications or participation in research programs. You may withdraw consent at any time.
• Legal obligation: processing necessary to comply with applicable laws, regulations, or government orders.
• Processor obligations: when processing Customer Data on behalf of customers, the customer is the data controller and determines the legal basis for processing. Lattix acts as the data processor.

5.0 Information Sharing and Disclosure

Lattix does not sell personal information. We share personal information only in the following circumstances:

5.1 Service Providers

We share information with trusted third-party service providers who perform services on our behalf, including cloud infrastructure providers, payment processors, analytics services, and customer support platforms. These providers are contractually required to protect personal information and use it only for the purposes for which it was disclosed.

5.2 Business Partners

We may share information with authorized resellers, channel partners, and integration partners to facilitate service delivery and support, subject to confidentiality obligations.

5.3 Legal and Regulatory Requirements

We may disclose information when required by law, regulation, legal process, or government request, including requests from law enforcement, national security agencies, or other government authorities. We may also disclose information to protect the rights, property, or safety of Lattix, our customers, or the public.

5.4 Corporate Transactions

In connection with a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, personal information may be transferred to the successor entity, subject to applicable law and the commitments in this Privacy Policy.

5.5 Government Contract Compliance

For Services provided under U.S. Government contracts, information may be shared with government agencies, prime contractors, or subcontractors as required by contract terms, flow-down clauses, or applicable regulations, including DFARS, FAR, and CUI handling requirements.

6.0 International Data Transfers

Lattix is headquartered in the United States. If you access the Services from outside the United States, your personal information may be transferred to, stored, and processed in the United States or other jurisdictions where Lattix or its service providers operate.

For transfers of personal data from the European Economic Area ("EEA"), United Kingdom ("UK"), or Switzerland to the United States, Lattix relies on appropriate transfer mechanisms, including Standard Contractual Clauses approved by the European Commission, and any applicable adequacy decisions. Lattix will implement supplementary measures as necessary to ensure that transferred data receives an adequate level of protection.

Customers requiring specific data residency arrangements may negotiate data localization terms as part of their subscription agreement or DPA.

7.0 Data Retention

Lattix retains personal information for as long as necessary to fulfill the purposes described in this Privacy Policy, comply with legal obligations, resolve disputes, and enforce agreements. Specific retention periods vary based on the nature of the data and the context of processing:

• Account information: retained for the duration of the customer relationship and for a period of three (3) years following termination, unless a longer retention period is required by law.
• Usage and log data: retained for up to twenty-four (24) months for security, analytics, and operational purposes.
• Customer Data:retained and deleted in accordance with the customer's instructions, applicable subscription agreement, and DPA. Upon contract termination, Customer Data is made available for export for thirty (30) days, after which it is securely deleted.
• Marketing data: retained until you withdraw consent or opt out, or for a period of three (3) years from your last interaction, whichever is earlier.
• Government contract records: retained in accordance with applicable FAR, DFARS, and agency-specific record retention requirements, which may require extended retention periods.

8.0 Cookies and Tracking Technologies

Lattix uses cookies and similar technologies on its website and platform. Cookie categories:

You may manage cookie preferences through your browser settings or through any cookie consent mechanism provided on our website. Disabling essential cookies may impair platform functionality.

Lattix does not respond to "Do Not Track" browser signals at this time. However, we honor opt-out requests submitted through the mechanisms described in Section 9.

9.0 Your Rights and Choices

9.1 General Rights

Depending on your jurisdiction, you may have the following rights with respect to your personal information:

• Access: the right to request a copy of the personal information we hold about you.
• Correction: the right to request correction of inaccurate or incomplete personal information.
• Deletion: the right to request deletion of your personal information, subject to legal retention requirements.
• Portability: the right to receive your personal information in a structured, commonly used, machine-readable format.
• Restriction: the right to request that we restrict processing of your personal information in certain circumstances.
• Objection: the right to object to processing based on legitimate interests or for direct marketing purposes.
• Withdrawal of consent: where processing is based on consent, the right to withdraw consent at any time.

9.2 U.S. State Privacy Rights

Residents of California, Virginia, Colorado, Connecticut, Utah, and other states with comprehensive privacy laws may have additional rights, including the right to opt out of the sale or sharing of personal information, the right to limit the use of sensitive personal information, and the right to non-discrimination for exercising privacy rights. Lattix does not sell personal information as defined under applicable state laws.

9.3 GDPR Rights

If you are located in the EEA, UK, or Switzerland, you have rights under the GDPR and applicable local laws, including the rights described in Section 9.1. You also have the right to lodge a complaint with your local supervisory authority. For processing carried out by Lattix as a data processor on behalf of customers, data subject requests should be directed to the relevant customer (data controller), who will coordinate with Lattix as necessary.

9.4 How to Exercise Your Rights

To exercise any privacy right, submit a request to privacy@lattix.io. We will verify your identity before processing your request and respond within the timeframes required by applicable law (generally within thirty (30) days for GDPR requests and forty-five (45) days for U.S. state privacy requests, with extensions as permitted by law).

10.0 Data Security

Lattix implements administrative, technical, and organizational measures designed to protect personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption of data at rest and in transit using industry-standard and post-quantum cryptographic protocols.
• Attribute-based access controls (ABAC) enforcing least-privilege access to systems and data.
• Continuous monitoring, audit logging, and anomaly detection.
• Regular vulnerability assessments, penetration testing, and security audits.
• Employee security awareness training and background checks for personnel with access to personal information.
• Incident response procedures with defined notification timelines.

No method of transmission or storage is completely secure. While Lattix implements commercially reasonable safeguards, we cannot guarantee absolute security. In the event of a data breach affecting personal information, Lattix will notify affected individuals and relevant authorities in accordance with applicable law.

11.0 Children's Privacy

The Services are not directed to individuals under the age of sixteen (16), or under the age of thirteen (13) where COPPA applies. Lattix does not knowingly collect personal information from children. If we become aware that we have collected personal information from a child, we will take steps to delete such information promptly. If you believe we have collected information from a child, please contact us at privacy@lattix.io.

12.0 Third-Party Links and Services

The Services may contain links to third-party websites, applications, or services that are not operated by Lattix. This Privacy Policy does not apply to such third-party services. We encourage you to review the privacy policies of any third-party service before providing personal information.

13.0 Changes to This Privacy Policy

Lattix may update this Privacy Policy from time to time to reflect changes in our practices, the Services, or applicable law. We will post the revised Privacy Policy on our website with an updated "Effective Date." Material changes will be communicated to registered users via email or in-platform notification no less than thirty (30) days before taking effect. Continued use of the Services after such notice constitutes acceptance of the revised Privacy Policy.

14.0 Data Processing Agreement

Enterprise and government customers may request execution of a Data Processing Agreement ("DPA") that supplements this Privacy Policy with additional terms governing Lattix's processing of personal data on behalf of the customer. The DPA addresses sub-processor management, data subject request handling, breach notification procedures, audit rights, and data deletion obligations. To request a DPA, contact privacy@lattix.io.

15.0 Contact Information

For questions, requests, or complaints regarding this Privacy Policy or Lattix's data processing practices, contact:

Lattix Technologies Corp
Attn: Privacy Officer
Email: privacy@lattix.io
Web: lattix.io

For data subject access requests, submit your request to privacy@lattix.io with the subject line "Data Subject Request."

If you are located in the EEA and believe that Lattix has not adequately addressed your privacy concerns, you have the right to lodge a complaint with your local data protection supervisory authority.