Applies to Latte's website, hosted platform, integrations, and institutional agentic AI services.
Table of Contents
- 1. Who We Are
- 2. Scope and Our Role
- 3. Information We Collect
- 4. How We Use Information
- 5. AI and Automated Functionality
- 6. FERPA, Education Records, and Institutional Use
- 7. Children, Minors, and COPPA
- 8. Legal Bases for Processing
- 9. When We Disclose Information
- 10. Data Processing Addendum and Subprocessor Transparency
- 11. Cookies and Similar Technologies
- 12. Data Retention
- 13. Data Residency and Cross-Border Processing
- 14. Security, Incident Response, and Breach Notification
- 15. Additional Information for Canada
- 16. U.S. State Privacy Rights and Profiling
- 17. Changes to This Privacy Policy
- 18. Contact Us
1. Who We Are
Latte provides AI-powered software and workflow automation tools for institutions and organizations. Depending on the deployment, our Services may help customers analyze records, summarize notes, draft communications, recommend next steps, route cases, support operations, and assist staff with human-in-the-loop workflows.
2. Scope and Our Role
This Privacy Policy applies when you visit our website, request a demo, contact us, interact with our support or sales teams, or use Latte through a school, nonprofit, employer, or other organization.
When an institution or organization deploys Latte for its staff, students, alumni, applicants, mentors, mentees, volunteers, donors, or community members, that organization may control the purposes and means of processing. In those cases, Latte generally acts as a service provider, processor, or equivalent role under applicable law.
When you interact with Latte directly through our website, events, sales process, or support channels, Latte generally acts as the controller of that information.
If you use Latte through an institution or organization, please contact that institution or organization first with questions about your data, since it may control the account, permissions, connected systems, retention settings, and customer-specific configuration.
3. Information We Collect
We may collect information you provide directly, including your name, email address, phone number, organization name, job title, account and login information, files, prompts, support messages, meeting notes, and other communications you send to us.
We may also receive information from institutional customers or connected systems, such as directory and profile information, student, alumni, applicant, mentor, mentee, donor, volunteer, or staff records, engagement history, event data, case notes, communication history, survey responses, and metadata from CRM, SIS, advancement, career services, or related operational systems.
When you use the Services, we may automatically collect technical information such as IP address, device and browser information, operating system, timestamps, session data, log and diagnostic information, security signals, and basic website or product analytics.
Depending on the Services enabled, we may process uploaded files and documents, text notes and messages, voice notes or recordings submitted for transcription or summarization, prompts and AI outputs, and workflow approvals, comments, and audit log entries.
Some deployments may involve information that is considered sensitive or regulated under applicable law, including student information or other institution-managed records. We process such information only as permitted by contract, customer instructions, and applicable law.
4. How We Use Information
We may use personal information to:
- Provide, operate, maintain, support, secure, and improve the Services
- Authenticate users and manage accounts
- Configure customer environments and integrations
- Process prompts, files, and workflow requests
- Generate summaries, recommendations, classifications, or draft outputs
- Support human review, approval, and auditability
- Provide onboarding, support, and training
- Detect and prevent fraud, abuse, and unauthorized access
- Comply with legal obligations
- Communicate about the Services, including updates, support, and administrative notices
Where permitted by law and contract, we may also use de-identified, aggregated, or operational telemetry data to improve the reliability, safety, security, and functionality of the Services.
5. AI and Automated Functionality
Our Services may use artificial intelligence, machine learning, natural language processing, and similar technologies to:
- Summarize notes, records, or files
- Generate draft communications or structured outputs
- Extract fields from unstructured content
- Recommend next steps or workflows
- Identify incomplete records or data gaps
- Support routing, prioritization, and operational decision support
AI-generated outputs are intended to assist users and may require human review. Depending on the deployment, customer workflows may be configured so that certain actions are not executed unless reviewed or approved by an authorized human user.
Latte does not use customer data, customer content, or personal information processed on behalf of customers to train general-purpose AI models.
Latte does not operate offer walls, ad-reward systems, or virtual-currency advertising features in its institutional Services, does not sell personal information, and does not disclose customer personal information to third parties for their own targeted advertising purposes.
6. FERPA, Education Records, and Institutional Use
Where Latte processes education records or other institution-managed student data on behalf of a U.S. school, college, or university, Latte is intended to operate as a "school official" or comparable outsourced institutional service provider under applicable law and written agreement, with legitimate educational interests and subject to the institution's direct control.
Latte uses education records and other customer-controlled student data only for authorized institutional purposes and not for unrelated advertising or non-educational commercial profiling.
Requests relating to education records, student access rights, corrections, or disclosures should generally be directed to the relevant institution first.
7. Children, Minors, and COPPA
Latte provides Services primarily to institutions and organizations. Our Services are not directed to children under 13 for independent consumer use.
If an institution authorizes a deployment involving children under 13 or other minors, Latte processes such information only on behalf of and under the direction of the institution, parent, guardian, or other authorized party, as applicable, and in accordance with applicable law, including COPPA where applicable.
If you believe we have collected personal information from a child or minor in a manner not authorized by the relevant institution, parent or guardian, or applicable law, please contact us and we will investigate.
8. Legal Bases for Processing
Where required by applicable law, we process personal information only where we have a valid legal basis to do so. Depending on the circumstances, this may include performance of a contract, compliance with legal obligations, legitimate interests such as securing and improving the Services, and consent where required.
If Canadian law applies, we may rely on express or implied consent where appropriate, subject to applicable legal requirements.
9. When We Disclose Information
We may disclose personal information to service providers and subprocessors that help us provide the Services, such as hosting, infrastructure, authentication, communications, support, transcription, analytics, and AI providers, subject to appropriate contractual restrictions.
If an institution deploys Latte, information may be accessible to that institution's authorized administrators, operators, and users in accordance with its configuration, permissions, and instructions.
Where enabled by the customer, we may transmit information to or from authorized integrations, such as CRM systems, student systems, advancement platforms, email systems, event tools, or related operational software.
We may also disclose information where reasonably necessary to:
- Comply with law, regulation, subpoena, court order, or lawful request
- Protect the rights, property, or safety of Latte, our customers, users, or others
- Detect, investigate, or prevent fraud, abuse, security incidents, or technical issues
- Support a merger, acquisition, financing, reorganization, sale of assets, bankruptcy, or similar transaction, subject to appropriate confidentiality and legal safeguards
10. Data Processing Addendum and Subprocessor Transparency
For institutional deployments, Latte offers a data processing addendum or similar data-protection terms upon request or as part of the customer contracting process.
Latte maintains a current list of material subprocessors and will make that list available to customers or prospective institutional customers upon request.
11. Cookies and Similar Technologies
We may use cookies, local storage, pixels, and similar technologies to keep users signed in, remember preferences, maintain security, measure usage and performance, and support core website and product functionality.
Where required by law, we will provide appropriate notice and choices regarding cookies and similar technologies. We generally distinguish between essential cookies necessary for core site and service functions and analytics cookies used to understand performance and usage. Browser settings and available cookie controls may also allow you to manage certain cookies.
12. Data Retention
We retain personal information for as long as reasonably necessary to provide the Services, fulfill the purposes described in this Privacy Policy, comply with contractual and legal obligations, resolve disputes, and enforce agreements.
Unless a different schedule is required by contract, customer configuration, or law, our general retention approach is typically as follows:
| Data Category | Retention Period |
|---|---|
| Account and customer configuration data | Duration of customer relationship plus a limited wind-down period |
| Security and audit logs | Up to 12 months |
| Support records | Up to 24 months after closure |
| Backups | Rolling cycle, generally deleted or overwritten within approximately 35 days |
For customer-managed deployments, retention may be determined by the applicable customer contract and the customer's instructions.
13. Data Residency and Cross-Border Processing
Latte may process personal information in the United States, Canada, or other jurisdictions where we or our service providers operate, subject to applicable law and contractual commitments.
For eligible institutional deployments, Latte may offer customer environments or storage configurations designed to support Canadian data residency requirements. Even where customer content is stored in Canada, limited operational metadata, support access, or subprocessor activity may involve cross-border access as permitted by contract and law.
If personal information is transferred across borders, we take steps designed to provide an appropriate level of protection and to comply with applicable legal and contractual requirements.
14. Security, Incident Response, and Breach Notification
We use administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, loss, misuse, alteration, or disclosure. These measures may include access controls, encryption in transit, role-based permissions, logging, monitoring, and vendor due diligence.
No method of transmission over the internet or method of storage is completely secure, and we cannot guarantee absolute security.
In the event of a confirmed security incident involving customer personal information, Latte will notify the affected institutional customer without unreasonable delay, as required by law or contract, and will reasonably cooperate with the customer's investigation, remediation, and applicable notification obligations.
15. Additional Information for Canada
If Canadian privacy law applies, you may have rights to access and request correction of your personal information, and to withdraw consent in certain circumstances, subject to legal and contractual limitations.
For Canadian public-sector, university, or other institutional customers, Latte may support customer privacy impact assessments and related due-diligence processes where required by law or procurement policy.
For Ontario institutions or other organizations subject to provincial breach-reporting or privacy-governance obligations, Latte will reasonably cooperate with customer requests relating to incident investigation, documentation, and notification or reporting processes.
You may direct privacy questions or complaints to us using the contact information below. If you are not satisfied with our response, you may have the right to contact the Office of the Privacy Commissioner of Canada or the appropriate provincial regulator, including the Information and Privacy Commissioner of Ontario where applicable.
16. U.S. State Privacy Rights and Profiling
Residents of certain U.S. states may have specific privacy rights under applicable law, subject to exceptions and limitations. These rights may include the right to confirm whether we process personal information, access personal information, correct inaccuracies, delete personal information, obtain a copy of personal information, and opt out of certain profiling, sales, or targeted advertising practices.
Latte does not sell personal information and does not use customer personal information for targeted advertising in its institutional Services.
To the extent Latte provides recommendations, routing, prioritization, or similar decision-support functionality, those outputs are intended to support institutional workflows and may be subject to human review.
17. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we do, we will revise the "Last Updated" date above and, where required by law, provide additional notice.
Prior versions of this Privacy Policy may be made available upon request.
18. Contact Us
If you have questions about this Privacy Policy or our privacy practices, you may contact us at:
Latte Works Inc.
16192 Coastal Hwy
Lewes, DE 19958
United States
Privacy Contact / Data Protection Lead
Email: support@latteconnect.com