LEGAL · GLOBAL POLICY

Privacy Policy

How Lattot collects, uses, retains and protects personal data — written to comply with the world's principal data-protection laws.

Effective date: 25 May 2026  ·  Last updated: 25 May 2026  ·  Version: 2.0

At a Glance

In plain language — before the legal text:

  • We collect the minimum personal data needed to run Lattot.
  • We do not sell, rent, or trade personal data — ever.
  • We do not use tracking cookies, ad networks, or cross-site fingerprinting.
  • You can ask us to access, correct, export or delete your data at any time.
  • Your data is stored encrypted, in jurisdictions with adequate protections.
  • One contact for all privacy matters: privacy@lattot.com.

Contents

  1. Who We Are
  2. Scope of This Policy
  3. Definitions
  4. Categories of Personal Data
  5. How We Collect Personal Data
  6. Purposes and Legal Bases
  7. Sensitive / Special-Category Data
  8. Children's Personal Data
  9. Disclosure to Third Parties
  10. Sub-Processors
  11. International Data Transfers
  12. Data Retention
  13. Information Security
  14. Automated Decision-Making
  15. Cookies and Similar Technologies
  16. Marketing Communications
  17. Your Rights — General
  18. Jurisdiction-Specific Rights
  19. How to Exercise Your Rights
  20. Do Not Track / GPC
  21. Data Breach Notification
  22. Third-Party Links
  23. Changes to This Policy
  24. Supervisory Authorities
  25. Contact and DPO

1. Who We Are

This Privacy Policy describes the personal-data practices of Lattot ("Lattot", "we", "us", "our"), the operator of lattot.com and the associated household-resilience service (the "Service"). For the purposes of the EU and UK General Data Protection Regulations and equivalent statutes, Lattot is the data controller of personal data collected through the Service, except where this Policy expressly states otherwise.

Lattot is in the process of formal corporate registration. Upon completion, the trading entity, registered office, company number and tax identifier will be added to this section. Until then, all data-protection enquiries are received and processed by the founding team at the address below.

Primary contact for all privacy matters

Email: privacy@lattot.com
General: hello@lattot.com
Web: lattot.com/contact
Response window: 30 days (GDPR / UK GDPR / LGPD / PIPEDA) · 45 days (CCPA/CPRA) · statutory periods elsewhere

2. Scope of This Policy

This Policy applies to personal data we process when you:

  • visit lattot.com or any sub-page;
  • subscribe to a newsletter, the Field Brief, or any mailing list operated by Lattot;
  • complete the Readiness Assessment;
  • submit a Founding 100 application or any other application or enquiry;
  • contact us by email, web form, or any other channel;
  • are admitted as a member, advisor, specialist, vendor, or partner; or
  • otherwise engage with Lattot's content or services.

This Policy does not apply to third-party websites or services linked from Lattot, even where co-branded. Those operators are independent controllers under their own policies.

3. Definitions

Capitalised terms not defined elsewhere have the meaning given by Regulation (EU) 2016/679 (GDPR). Briefly:

  • Personal data — any information relating to an identified or identifiable natural person.
  • Processing — any operation performed on personal data (collection, storage, use, disclosure, deletion, etc.).
  • Controller — the entity that determines the purposes and means of processing.
  • Processor / Sub-processor — an entity that processes personal data on behalf of the controller.
  • Data subject — the individual to whom personal data relates.
  • Special-category / Sensitive data — categories afforded higher protection under applicable law (e.g., health, biometrics, race, political opinions, sexual orientation).

4. Categories of Personal Data We Collect

We collect only what is necessary for the purposes stated in Section 6. The categories below are exhaustive.

Category | Examples | Source
Identity | Name, salutation | You — provided in forms
Contact | Email address, optionally phone | You
Location (general) | City and country of primary residence | You — provided in forms
Financial bracket | Self-declared annual household-income range (e.g., $150K–$300K) | You — Founding 100 application
Free-text answers | Readiness Assessment responses; "what keeps you up at night"; trigger event; recent actions | You
Household composition | Spouse / partner alignment status; advisor profile (wealth manager, estate attorney, etc.) | You
Communications | Emails you send us; replies; meeting notes if you opt to speak with us | You
Technical | IP address, browser type, operating system, referrer, request timestamps | Automatic — server logs
Analytics (aggregated) | Page views, country (country level only), browser, device class — without cookies and without individual identification | Automatic — Plausible Analytics
Membership records | Audit notes, layer status, checkpoint entries (created only if you become a member) | You and us, jointly

We do not collect: government identification numbers; passport numbers; bank account numbers; payment card numbers (paid via processor — see Section 9); biometric data; precise geolocation; data about minors; cookies for tracking; advertising IDs; cross-site fingerprints.

5. How We Collect Personal Data

  • Directly from you — when you complete a form, write to us, or speak with us.
  • Automatically — through server logs and cookieless analytics, as described in Sections 4 and 15.
  • From your devices — only the minimum technical metadata necessary to serve the page (e.g., IP address, browser identifier).
  • From third parties (limited) — only if you ask us to verify a referral, or if a specialist or advisor in our network introduces you. Where this occurs, we will record the source and tell you on first contact.

We never purchase email lists. We never scrape public profiles to build prospect databases without your knowledge.

6. Purposes and Legal Bases for Processing

The following table sets out, for each purpose, the legal basis under GDPR Article 6 (and where relevant Article 9) and equivalent provisions in other jurisdictions.

Purpose | Categories used | Legal basis (GDPR Art. 6) | Equivalent elsewhere
Deliver the Service you requested | Identity, Contact, Free-text answers | 6(1)(b) Contract / pre-contract | Necessity · PDPA s.13 · LGPD Art. 7-V
Send the newsletter or Field Brief | Identity, Contact | 6(1)(a) Consent | CCPA opt-in equiv. · CASL · LGPD Art. 7-I
Evaluate Founding 100 applications | All except Technical | 6(1)(b) Pre-contract | LGPD Art. 7-V · PIPEDA 4.3
Operate the membership | All categories | 6(1)(b) Contract | Equivalent everywhere
Security, abuse prevention, fraud detection | Technical, Communications | 6(1)(f) Legitimate interest | CCPA "security" · LGPD Art. 7-IX
Aggregated anonymous analytics | Technical (transient) | 6(1)(f) Legitimate interest | Statistical purposes · LGPD Art. 7-IV
Comply with legal obligations | As required | 6(1)(c) Legal obligation | Equivalent everywhere
Establish, exercise or defend legal claims | As required | 6(1)(f) Legitimate interest | Equivalent everywhere

Where we rely on legitimate interest, we have conducted a balancing test and concluded our interests do not override your rights and freedoms. You may object to legitimate-interest processing at any time (Section 17).

7. Sensitive / Special-Category Data

Lattot does not intentionally collect special-category personal data as defined by GDPR Article 9 (racial or ethnic origin; political opinions; religious or philosophical beliefs; trade-union membership; genetic data; biometric data for unique identification; health data; sex life; sexual orientation), or equivalent categories under other laws.

If you voluntarily disclose such information in a free-text field, we process it solely to respond to you, limit access to the minimum necessary personnel, and do not use it for any other purpose. You may ask us to delete such disclosures at any time.

For California residents, we treat the contents of communications you send us as "Sensitive Personal Information" under CPRA where they reveal sensitive content. We use this information only to provide the service you requested and do not use or disclose it for purposes that would trigger the CPRA "limit use" right.

8. Children's Personal Data

Lattot is intended exclusively for adults. We do not direct the Service to children and we do not knowingly collect personal data from any person under sixteen (16) years of age (or the equivalent age of digital consent in your jurisdiction, where higher — e.g., Germany 16; France 15; Quebec 14; US COPPA 13).

If you believe we hold personal data of a minor, please contact privacy@lattot.com and we will verify and delete it without undue delay.

9. Disclosure to Third Parties

We disclose personal data only in the following circumstances:

  1. To service providers (processors) acting on our written instructions, under data-processing agreements that meet GDPR Article 28 requirements (or local equivalent). See Section 10.
  2. To advisors and specialists in our network, only where you asked us to refer you and consented to the referral.
  3. To professional advisors (lawyers, accountants, insurers, auditors) bound by confidentiality, where reasonably necessary.
  4. In connection with a corporate transaction (merger, acquisition, asset transfer, insolvency) — we will notify you and require the recipient to honour this Policy.
  5. To comply with law — including valid court orders or regulatory requests, or to protect rights, property or safety of Lattot, members, or the public. We resist over-broad requests and notify affected individuals where lawful.

We do not sell personal data, share it for cross-context behavioural advertising, or transfer it for any third-party marketing purpose. This statement is made expressly for the purposes of the CCPA/CPRA, Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, Texas TDPSA, Oregon OCPA, and other US-state laws using equivalent definitions.

10. Sub-Processors

The following service providers process personal data on our behalf. Each is bound by a written data-processing agreement and provides appropriate technical and organisational measures.

Provider | Purpose | Location | Transfer mechanism
Netlify, Inc. | Website hosting + form submissions | United States | EU SCCs (2021/914) + UK Addendum + supplementary measures
Plausible Analytics | Cookieless aggregated analytics | EU (Germany) | Intra-EEA (no transfer)
Google Workspace (Gmail) | Outbound transactional + member email | US / global | SCCs + Google DPA
Google Apps Script | Automated reply delivery | Same as above | Same as above
Notion Labs, Inc. (planned) | Members portal after admission | United States | SCCs + Notion DPA
Payment processor (TBC: Stripe / Wise / GoCardless) | Membership fee processing | Multiple | SCCs + processor DPA. Card data never reaches Lattot.
Google Fonts | Web typography delivery (Source Serif 4, Inter, JetBrains Mono) | United States / global | SCCs. No cookie set on lattot.com; Google may log the IP address of the font request. We plan to migrate to self-hosted fonts to eliminate this disclosure.

11. International Data Transfers

Personal data may be transferred to and processed in countries other than your country of residence — including the United States and other jurisdictions whose data-protection laws may differ from those of the EEA, the United Kingdom, Switzerland, Brazil, Quebec or your own jurisdiction.

Where personal data is transferred outside the EEA, UK or Switzerland, we rely on:

  • Adequacy decisions by the European Commission, the UK Government, or the Swiss FDPIC (incl. EU-US Data Privacy Framework for certified US recipients).
  • Standard Contractual Clauses — Module 2 of Commission Implementing Decision 2021/914, with the UK International Data Transfer Addendum and Swiss FDPIC adaptation.
  • Supplementary technical, contractual and organisational measures per EDPB Recommendations 01/2020, including encryption in transit and at rest.
  • Derogations under GDPR Article 49 in narrow exceptional circumstances.

For Brazilian (LGPD), Quebec (Law 25), Chinese (PIPL), Korean (PIPA), Indian (DPDPA) and Saudi/UAE (PDPL) transfers, we apply the analogous mechanism required by the relevant law.

12. Data Retention

We retain personal data only as long as necessary to fulfil the purpose for which it was collected, plus what is required by law.

Data type | Retention period
Newsletter / Field Brief subscribers | Until unsubscribed, then deleted within 30 days (hashed suppression list kept to honour opt-out)
Contact-form messages | Up to 24 months from last interaction, then deleted
Readiness Assessment answers (anonymous) | Aggregated statistics retained indefinitely; raw responses purged within 12 months
Founding 100 applications (not admitted) | 12 months from decision, then deleted
Member records (admitted) | Duration of membership + 7 years
Server access logs | Up to 90 days
Financial records | Per applicable tax law (typically 7–10 years)
Backups | Encrypted, rolling 90-day window

13. Information Security

We implement appropriate technical and organisational measures, including:

  • TLS 1.2+ encryption for all data in transit;
  • encryption at rest on all storage layers operated by our sub-processors;
  • access controls following least privilege, with multi-factor authentication;
  • hardware security keys (FIDO2) for founder and operator accounts;
  • audit logging for material actions on member data;
  • regular vulnerability scanning of public surfaces;
  • secure development practices with secrets management and code review;
  • vendor-risk review of every sub-processor before engagement;
  • incident-response procedures aligned with GDPR Article 33 (72-hour notification).

No system is perfectly secure. If we become aware of a breach affecting your personal data, we will notify you and the relevant supervisory authority as required by law (Section 21).

14. Automated Decision-Making and Profiling

Lattot does not use solely automated decision-making (including profiling) producing legal or similarly significant effects on you, within the meaning of GDPR Article 22 or LGPD Article 20.

The Readiness Assessment produces a category (F0–F5) based on your responses; this is informational only and does not by itself determine eligibility or pricing. All Founding 100 admission decisions are made by a human operator. If you wish to know how a specific decision affecting you was made, contact us.

15. Cookies and Similar Technologies

Lattot does not set tracking cookies, advertising cookies, social-media cookies, or device-fingerprinting beacons. We do not embed third-party advertising tags or marketing pixels.

We use Plausible Analytics, which is cookieless and processes data on an aggregated, anonymous basis. If we ever introduce a cookie, we will update the Cookie Policy, display a consent banner where required (ePrivacy in EEA, PECR in UK, Quebec Law 25), and obtain prior opt-in for any non-strictly-necessary cookie.

We honour the Global Privacy Control (GPC) signal as a valid opt-out preference where applicable law treats it as such (incl. CPRA and Colorado CPA).

16. Marketing Communications

We will send you marketing emails only where you have given informed, freely given consent (double opt-in where required). Every marketing email includes a one-click unsubscribe link. We honour unsubscribe requests within 72 hours and add the hashed address to a suppression list.

Transactional and service messages (e.g., acknowledging your enquiry, response to your application, member communications) are sent on the basis of contract performance and are not "marketing" — but we still keep them minimal.

We respect the consent and unsubscribe rules of CAN-SPAM (US), CASL (Canada), GDPR/ePrivacy, and the Australian Spam Act in all marketing communications.

17. Your Rights — General

Subject to local law, you have the following rights in respect of your personal data:

  • Access — obtain confirmation of, and a copy of, the personal data we hold about you.
  • Rectification / Correction — have inaccurate or incomplete data corrected.
  • Erasure / Deletion — have your data deleted in defined circumstances.
  • Restriction — have processing restricted in defined circumstances.
  • Portability — receive your data in a structured, machine-readable format.
  • Objection — object at any time to processing based on legitimate interest, and to direct marketing absolutely.
  • Withdraw consent — at any time, without affecting prior lawful processing.
  • Not be subject to automated decision-making producing legal or similarly significant effects (Section 14).
  • Non-discrimination — we will not penalise or treat you differently for exercising any right under this Policy.
  • Complain — to a competent supervisory authority (Section 24).

18. Jurisdiction-Specific Rights

EEA, United Kingdom & Switzerland (GDPR / UK GDPR / FADP)

If you are in the EEA, UK or Switzerland, the rights in Section 17 apply in full, together with the right to lodge a complaint with your national supervisory authority. UK residents — Information Commissioner's Office (ICO). Swiss residents — Federal Data Protection and Information Commissioner (FDPIC). EEA residents — the authority in your country of residence.

California, USA (CCPA / CPRA)

California residents have the right to know, delete, correct, opt-out of sale or sharing (we do not sell or share, as defined), limit use of sensitive personal information, and non-discrimination. We have not sold or shared personal information in the preceding 12 months. We have no actual knowledge of selling or sharing personal information of minors under 16. Authorised agents may submit requests on your behalf with written permission and verification.

Other US States (Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Indiana, Tennessee, Delaware, New Hampshire, New Jersey, Minnesota, Maryland)

Residents of states with comprehensive consumer-privacy laws have rights substantially equivalent to those in Section 17 — including access, correction (most states), deletion, portability, and opt-out of targeted advertising, sale, and profiling for significant decisions. We honour Global Privacy Control where required. We do not engage in targeted advertising or sale.

Canada (PIPEDA) and Quebec (Law 25)

Canadian residents may exercise rights of access and correction under PIPEDA, and may complain to the Office of the Privacy Commissioner of Canada. Quebec residents have additional rights under Law 25, including: information about source, third parties, retention period, and decisions using personal information; data portability; de-indexation in defined cases; and complaint to the Commission d'accès à l'information du Québec. We have appointed a person responsible for the protection of personal information (Section 25).

Brazil (LGPD)

Brazilian titulares have the rights set out in LGPD Article 18: confirmation, access, correction, anonymisation, blocking or deletion, portability, information about sharing, information on consequences of refusing consent, and revocation of consent. Authority: Autoridade Nacional de Proteção de Dados (ANPD).

Singapore (PDPA)

Singapore residents may request access and correction under PDPA 2012, withdraw consent prospectively, and complain to the Personal Data Protection Commission (PDPC). We comply with Do Not Call provisions where applicable.

Australia (Privacy Act 1988 + APPs)

Australian residents may access and correct their personal information under APP 12 and 13 and may complain to the Office of the Australian Information Commissioner (OAIC). The Notifiable Data Breach scheme applies (Section 21).

Japan (APPI)

Japanese residents have rights of disclosure, correction, suspension of use, and erasure under the Act on the Protection of Personal Information. Authority: Personal Information Protection Commission (PPC).

South Korea (PIPA)

Korean residents have rights of access, correction, suspension and deletion under PIPA. Authority: Personal Information Protection Commission. Cross-border transfers require prior notice and, in defined cases, separate consent.

China (PIPL)

PIPL rights include access, copy, correction, deletion, restriction, refusal, withdrawal of consent, and portability for processing meeting CAC conditions. We provide the disclosures required by PIPL Article 17 before processing. Cross-border transfers comply with the CAC Standard Contract or equivalent.

India (DPDPA 2023)

Indian Data Principals have rights of access, correction, completion, updating, erasure, grievance redressal and nomination under the Digital Personal Data Protection Act 2023. Authority: Data Protection Board of India. We provide notice in the form required by Section 5 of the Act.

South Africa (POPIA)

South African data subjects have rights of access and correction under POPIA (Sections 23–24) and may complain to the Information Regulator. Cross-border transfers comply with Section 72.

UAE (PDPL / DIFC / ADGM)

UAE residents may exercise rights of access, rectification, erasure, restriction, portability and objection under Federal Decree-Law No. 45 of 2021 (PDPL), enforced by the UAE Data Office. DIFC and ADGM residents have equivalent rights under their respective Data Protection Laws.

Saudi Arabia (PDPL 2023)

Residents of Saudi Arabia have rights of information, access, correction, destruction and withdrawal of consent under PDPL (as amended), enforced by SDAIA.

Nigeria (NDPA 2023) & other African jurisdictions

Nigerian data subjects have rights under NDPA 2023, enforced by the Nigeria Data Protection Commission (NDPC). Residents of Kenya, Ghana, Egypt, Morocco and other African states with active data-protection laws may exercise the analogous rights provided by their domestic legislation.

Anywhere else

If you live in a jurisdiction not listed above, we will, on request, apply the highest standard of protection that is lawful and operationally feasible in your jurisdiction — typically the GDPR standard.

19. How to Exercise Your Rights

To exercise any right:

  1. Email privacy@lattot.com with subject "Data Subject Request" and a clear description of the right and data concerned.
  2. We verify your identity — usually by replying from the email address on file.
  3. We respond within the statutory window (typically 30 days; CCPA 45 days extendable by 45). If we need more time, we will tell you why.
  4. Where we decline a request, we explain the lawful basis and your right to complain.
  5. Routine requests are free. We may charge a reasonable fee or refuse manifestly unfounded or excessive requests, with reasons.

You may use an authorised agent where local law permits. We verify the agent's authority and your identity before disclosing personal data.

20. Do Not Track and Global Privacy Control

Because Lattot does not use cross-site tracking, browser-based Do Not Track (DNT) signals do not change our processing — there is nothing for them to opt out of. Where applicable laws (CPRA, Colorado CPA, Connecticut CTDPA) treat the Global Privacy Control (GPC) signal as a valid opt-out for sale/share or targeted advertising, we honour it. We do not engage in sale, sharing or targeted advertising regardless.

21. Data Breach Notification

If a personal-data breach is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours of becoming aware of the breach (GDPR Art. 33) and notify affected individuals without undue delay where the risk is high (GDPR Art. 34) — and follow equivalent timelines under UK GDPR, LGPD (Art. 48), CCPA, PIPEDA, Notifiable Data Breach scheme (Australia), POPIA (s.22), PIPL (Art. 57), DPDPA (Section 8(6)) and all other applicable regimes.

Notifications include, as a minimum: the nature of the breach, categories of data and approximate number of records affected, likely consequences, measures taken, and our contact for further information.

22. Third-Party Links

The Service may link to third-party websites, applications or services. This Policy does not apply to them; their privacy practices are governed by their own notices. We encourage you to review those before sharing any personal data with them.

23. Changes to This Policy

We may update this Policy. The current version is identified by the "Last updated" date and version number at the top. For material changes — a new purpose, a new sub-processor in a new country, or a change to your rights — we give reasonable advance notice by:

  • posting a prominent notice on the homepage, and
  • where we hold your email address, sending direct notification at least 14 days before the change takes effect (or earlier where law requires).

Previous versions are available on request.

24. Supervisory Authorities

You have the right to lodge a complaint with a competent supervisory authority. A non-exhaustive list:

Jurisdiction | Authority
European Union | National DPA in your member state · full list at edpb.europa.eu
United Kingdom | Information Commissioner's Office (ICO) · ico.org.uk
Switzerland | Federal Data Protection and Information Commissioner (FDPIC) · edoeb.admin.ch
USA — California | California Privacy Protection Agency (CPPA); California Attorney General
Canada | Office of the Privacy Commissioner of Canada · priv.gc.ca
Quebec | Commission d'accès à l'information du Québec · cai.gouv.qc.ca
Brazil | Autoridade Nacional de Proteção de Dados (ANPD) · gov.br/anpd
Singapore | Personal Data Protection Commission (PDPC) · pdpc.gov.sg
Australia | Office of the Australian Information Commissioner (OAIC) · oaic.gov.au
Japan | Personal Information Protection Commission (PPC) · ppc.go.jp
South Korea | Personal Information Protection Commission · pipc.go.kr
China | Cyberspace Administration of China (CAC) · cac.gov.cn
India | Data Protection Board of India (DPBI)
South Africa | Information Regulator · inforegulator.org.za
UAE | UAE Data Office; DIFC Commissioner; ADGM Commissioner
Saudi Arabia | Saudi Data & AI Authority (SDAIA) · sdaia.gov.sa
Nigeria | Nigeria Data Protection Commission (NDPC) · ndpc.gov.ng

25. Contact and Data Protection Officer

All privacy enquiries, requests, complaints and notices should be addressed to:

Privacy contact: privacy@lattot.com
Security incidents: security@lattot.com
Legal notices: legal@lattot.com
Data Protection Officer: The DPO role is held collectively by the founding team until formal appointment of a dedicated officer. Reachable at the privacy address above.
Quebec — Person responsible: The person responsible for the protection of personal information under Quebec Law 25 is reachable at the privacy address above.
EEA / UK representative (Article 27): Where required, we will appoint and disclose EU and UK Article 27 Representatives. Until then, requests may be addressed to the privacy address above and we route them appropriately.
General: hello@lattot.com
Web: lattot.com/contact

If anything in this Policy is unclear, write to us. We will explain it in plain language and, if our wording can be improved, we will revise it.

© 2026 Lattot — All rights reserved · Privacy Policy v2.0 · Issued 25 May 2026
