
Privacy Policy

Important: This document is a starting template, not legal advice. Have qualified counsel review and adapt it for your legal entity, jurisdictions, subprocessors, and data practices before relying on it with customers or end users.

Effective date: The date this Privacy Policy is published at this URL (the “Effective Date”).

This Privacy Policy describes how Latern (“we,” “us,” “our”) collects, uses, discloses, and protects information when you use our websites, dashboards, APIs, and related services (collectively, the “Service”). It applies to visitors to our marketing pages, registered users, organization administrators, and API clients that interact with the Service on your behalf.

If you do not agree with this Policy, please do not use the Service.

1. Who is responsible for your information?

Depending on how the Service is deployed, a specific company or individual may act as the data controller (or “business” under U.S. state privacy laws) for personal information described here. Identify that party clearly on your Site—for example, in the footer, on a “Contact” page, or via PINGLINE_SUPPORT_EMAIL when you publish a support address.

For personal information processed only on behalf of your organization (for example, when you use Latern to notify your own customers), your organization may be the controller and we may act as a processor; see our Data Processing Agreement outline where applicable.

2. Information we collect

We collect information in the following categories. Not every category applies to every user or deployment.

2.1 Account and profile information

  • Identifiers and contact data: Name (if provided), email address, password (stored using one-way hashing—we do not store your plaintext password), and similar account details.
  • Authentication data: Session tokens, verification links, and security-related events needed to protect your account.

2.2 Organization and workspace data

  • Workspace metadata: Organization name, slugs, project and topic names, visibility settings, API configuration (such as scoped publish URLs and optional organization keys stored in hashed or secret form where designed), billing plan references, and usage limits you or your administrators configure.
  • Collaboration data: Organization membership, roles, invitations, and audit-style events the product records for security and administration.

2.3 Content you send through the Service (“Customer Content”)

  • Notification payloads and related fields: Titles, bodies, custom data, and other content you submit when publishing to topics.
  • Subscriber and endpoint data: Web Push subscription objects, device or browser identifiers needed to deliver notifications, and similar technical data you or your users register with the Service.

You control what you send. Customer Content may include personal information about your end users or employees. You are responsible for having a lawful basis to process that information and for providing any required notices to those individuals.

2.4 Payment information

  • If you subscribe to a paid plan, payments are processed by our payment processor (typically Stripe). We receive limited billing information from Stripe (such as subscription status, customer identifiers, and invoice metadata) rather than your full card number, which is handled according to Stripe’s policies.

2.5 Technical, usage, and diagnostic data

  • Log and operational data: IP addresses, timestamps, request paths, user agents, error reports, rate-limit events, and similar data generated when you use the Site or APIs.
  • Cookies and similar technologies: Session cookies for login and security, preference cookies where offered, and analytics or marketing cookies only if you enable them (for example, through a consent banner where implemented).

2.6 Communications

  • Support and correspondence: Emails or in-product messages you send us, including metadata needed to respond.

3. How we use information

We use the information above to:

  • Provide, operate, maintain, and improve the Service (including topics, HTTP publish APIs, feeds, and push delivery).
  • Create and manage accounts, organizations, and permissions; process invitations; and enforce acceptable use.
  • Process transactions, manage subscriptions, and communicate about billing.
  • Monitor reliability and security; detect, prevent, and respond to fraud, abuse, and technical issues.
  • Comply with legal obligations and enforce our Terms of Service.
  • Communicate with you about the Service, including transactional messages (such as verification, password reset, and billing notices) and, where permitted, product updates.

4. Legal bases (where GDPR or similar law applies)

Where European Economic Area, United Kingdom, or Swiss rules require a “legal basis,” we typically rely on:

  • Contract: Processing necessary to provide the Service you request.
  • Legitimate interests: Securing the Service, debugging and improving reliability, and preventing abuse—balanced against your rights.
  • Legal obligation: Where we must retain or disclose information to comply with law.
  • Consent: Where we ask for optional cookies or marketing, or where required for specific processing.

You may withdraw consent where processing is based on consent, without affecting prior lawful processing.

5. How we share information

We do not sell your personal information. We share information only as follows:

  • Service providers (subprocessors): Vendors that help us run the Service, such as hosting/infrastructure, email delivery (configured via your MAIL_* settings), payment processing (Stripe), error and performance monitoring (for example Sentry when SENTRY_LARAVEL_DSN or similar is configured), and push notification infrastructure (such as Firebase Cloud Messaging, Apple Push Notification service, or web push libraries), subject to contractual confidentiality and security obligations.
  • Your organization: Administrators of an organization you belong to may access workspace data consistent with product features.
  • Legal and safety: When required by law, legal process, or to protect rights, safety, and security.
  • Business transfers: In connection with a merger, acquisition, or sale of assets, with notice where required by law.

Publish and maintain an up-to-date subprocessor list if you commit to that commercially or under contract.

6. International transfers

If we transfer personal information from the EEA, UK, or Switzerland to countries not deemed adequate by the relevant authority, we use appropriate safeguards such as Standard Contractual Clauses or other mechanisms required by law. You may contact us for more detail on those mechanisms.

7. Retention

We retain personal information as long as necessary for the purposes above, including:

  • Account data until you delete your account or we delete it in accordance with our retention schedule.
  • Organization and workspace data until deleted by an administrator or removed when an organization is deleted in Settings, subject to backup and disaster-recovery practices.
  • Customer Content (messages, payloads) according to product behavior, administrator actions, and deployment configuration—for example, scheduled purge jobs that use a configured retention window (such as PINGLINE_MESSAGE_RETENTION_DAYS when set by the operator). If retention is not configured, messages may be retained until manually deleted or until other product rules apply.
  • Billing records as required for tax, accounting, and legal compliance.
  • Security and access logs for a limited period consistent with security and troubleshooting needs.

When retention periods end, we delete or de-identify information where feasible.

8. Security

We implement technical and organizational measures appropriate to the risk, such as encryption in transit (HTTPS), access controls, hashed passwords, and separation between organizations. No method of transmission or storage is completely secure; we encourage you to use strong passwords, protect API keys, and enable organization-level security features offered by the product.

9. Your privacy rights

Depending on where you live, you may have rights to access, correct, delete, port, or restrict certain personal information, or to object to certain processing. You may also have the right to opt out of “sale” or “sharing” for cross-context behavioral advertising under some U.S. state laws—we do not sell personal information as defined by those laws.

To exercise rights, contact us using the channel published on the Site. We may need to verify your request. If you are part of an organization workspace, we may route certain requests through your organization’s administrator where the product architecture requires it.

You may lodge a complaint with a supervisory authority in your country where applicable.

10. Children

The Service is not directed to children under 13 (or the minimum age in your jurisdiction). We do not knowingly collect personal information from children. If you believe we have done so, contact us and we will take appropriate steps to delete it.

11. Automated decision-making

We do not use personal information for solely automated decisions that produce legal or similarly significant effects about you. We may use automated systems for security, spam prevention, and rate limiting.

12. Third-party sites and integrations

The Service may link to third-party websites or allow integrations. Their privacy practices are governed by their policies, not this one.

13. Changes to this Policy

We may update this Privacy Policy from time to time. We will post the updated version on this page and update the Effective date. If changes are material, we will provide additional notice as appropriate (for example, by email or in-product banner). Continued use after the Effective date of changes constitutes acceptance where permitted by law.

14. Contact us

For privacy questions or requests, contact us using the support or privacy contact published on the Site or in the product (for example, the address configured as PINGLINE_SUPPORT_EMAIL when displayed to users).

For EU/UK representatives or a dedicated privacy inbox, add those details here after counsel review.


© 2026 Latern. All rights reserved.
