Welcome to Lattice ("we," "our," or "us"), operated by Cora Tabor. We are committed to protecting your privacy and handling your personal information with care and transparency. This Privacy Policy explains how we collect, use, store, and protect your information when you use our mobile application ("App").
By using Lattice, you agree to the collection and use of information in accordance with this policy. If you do not agree with this policy, please do not use our App.
- Email address (required)
- Full name (optional)
- Password (stored securely and encrypted by our authentication provider)
- Stash item details (name, description, category, quantity, color, brand, fiber content, weight, location, purchase information, notes, tags)
- Project information (name, description, status, progress, dates, notes, tags)
- Pattern details (name, designer, craft type, difficulty, URL, tool sizes, gauge, materials, finished size, notes, tags)
- Project todos and task lists
- Custom categories and organization preferences
- Photos of your stash items, projects, and patterns
- Subscription plan selected (Free or Pro)
- Subscription status (active, expired, canceled)
- Payment transaction records (processed securely through Apple In-App Purchases)
- Purchase receipts and transaction IDs (stored for verification and tax compliance)
- Payment method information is processed by Apple and NOT stored by us
- Currency preference
- Measurement system (metric/imperial)
- Default category settings
- Notification preferences
- Export format preferences
- Theme preferences (light/dark mode)
- Operating system type and version (iOS)
- Device type (mobile/tablet)
- App version number
- Error reports and crash logs
- App performance data
- Feature usage patterns (through error tracking only, no behavioral analytics currently implemented)
- ❌ GPS location data or geolocation tracking
- ❌ Contacts or phonebook data
- ❌ Browsing history outside the app
- ❌ Social media profile information (no Facebook/Google/Twitter login)
- ❌ Phone numbers
- ❌ Physical addresses (except user-entered text fields like "purchase location" or "storage location")
- ❌ Behavioral analytics or user tracking
- ❌ Advertising identifiers or remarketing data
- Creating and managing your account
- Authenticating your identity and maintaining session security
- Storing and organizing your stash items, projects, and patterns
- Processing subscription payments and managing billing
- Providing customer support
- Sending transactional emails (password resets, account notifications)
- Monitoring app performance and stability
- Diagnosing and fixing technical issues and bugs
- Understanding feature usage to prioritize improvements
- Complying with legal obligations (tax records, financial regulations)
- Enforcing our Terms of Service
- Protecting against fraud and unauthorized access
If you are located in the European Economic Area (EEA), UK, or Switzerland, we process your personal information under the following legal bases:
- Contract Performance: Processing necessary to provide our services (account management, data storage, subscription features)
- Consent: Processing based on your explicit consent (e.g., optional profile information, photos)
- Legitimate Interests: Processing necessary for our legitimate business interests (app improvement, security, fraud prevention)
- Legal Obligation: Processing required to comply with legal requirements (tax records, financial transaction retention)
We do NOT sell, rent, or trade your personal information to third parties for marketing purposes.
We share limited information with the following trusted service providers who help us operate the App:
Supabase (Backend & Database)
- Purpose: Database hosting, user authentication, file storage
- Data Shared: All user account data, stash items, projects, patterns, photos, payment records
- Privacy Policy: https://supabase.com/privacy
- Data Location: United States
Sentry (Error Tracking)
- Purpose: Monitoring app crashes, errors, and performance issues
- Data Shared: User ID, email, error logs, device information, app activity breadcrumbs
- Privacy Policy: https://sentry.io/privacy/
- Data Retention: 90 days
- Note: Access tokens and sensitive credentials are automatically filtered from error reports
Apple (Payment Processing)
- Purpose: Processing in-app subscription purchases (iOS)
- Data Shared: Purchase receipts, transaction IDs, payment processing
- Privacy Policy: https://www.apple.com/legal/privacy/
- Note: Apple processes payment information; we only receive transaction confirmation
Expo (Development Framework)
- Purpose: App development, building, and deployment infrastructure
- Privacy Policy: https://expo.dev/privacy-explained
We retain your personal information for as long as your account remains active and you continue to use our services.
You may delete your account at any time through the App settings (Settings → Account Actions → Delete Account). Upon deletion:
Immediate Deletion:
- Profile information (email, name)
- All stash items and associated data
- All projects and patterns
- All project todos
- All photos from Supabase Storage servers
- User settings and preferences
- Custom categories
Anonymized Retention (Legal Compliance):
- Payment transaction records are anonymized but retained for 7 years to comply with tax regulations and legal requirements (GDPR Article 6(1)(c))
- Anonymized records retain transaction amounts, dates, and status but remove personally identifiable information (name, email, descriptions)
System Data:
- Error logs and crash reports may remain in Sentry for up to 90 days
- Database backups containing your data may persist for up to 90 days after deletion
If you do not use your account for 2 years, we may delete your account and associated data after providing you with advance notice via email.
Access: View and export your data through the App (Pro feature)
Correction: Update your profile information, stash items, projects, and patterns at any time
Deletion: Delete your account and all associated data
Portability: Export your data in CSV or JSON format (Pro feature)
Right to Object: Object to processing based on legitimate interests
Right to Restrict Processing: Request limitation of processing in certain circumstances
Right to Withdraw Consent: Withdraw consent for optional data processing
Right to Lodge a Complaint: File a complaint with your local data protection authority
To exercise your GDPR rights, contact us at: hello@craftwithlattice.com
California residents have the following rights:
Right to Know: Request information about the categories and specific pieces of personal information we collect
Right to Delete: Request deletion of your personal information
Right to Opt-Out: Opt-out of the sale of personal information (Note: We do NOT sell personal information)
Right to Non-Discrimination: Receive equal service and pricing regardless of exercising privacy rights
Right to Correct: Request correction of inaccurate personal information
Right to Limit Use of Sensitive Information: Limit use of sensitive personal information
We do NOT:
- Sell or share personal information for cross-context behavioral advertising
- Process sensitive personal information beyond what is necessary to provide our services
To exercise your CCPA/CPRA rights, contact us at: hello@craftwithlattice.com
Response Time: We will respond to rights requests within 30 days (GDPR) or 45 days (CCPA).
We implement industry-standard security measures to protect your information:
Encryption:
- All data transmitted between your device and our servers uses TLS/SSL encryption
- Passwords are hashed and encrypted by Supabase Auth
- Database access is protected by row-level security policies
Access Controls:
- Your data is only accessible to you via authenticated API calls
- Database row-level security ensures users can only access their own data
- Service provider access is limited to what's necessary for service operation
Storage Security:
- Photos are stored in secure Supabase Storage buckets with access controls
- Database backups are encrypted at rest
Authentication:
- Secure password requirements (minimum 6 characters)
- Session management with automatic token refresh
- Password reset via secure email verification
Despite our security measures, no system is 100% secure. We cannot guarantee absolute security, but we are committed to protecting your data using reasonable industry practices.
Lattice is not intended for children under 13 years of age (or 16 in the EEA/UK). We do not knowingly collect personal information from children under these ages.
If you are under 13 (or 16 in the EEA/UK), you may not use this App or provide any personal information.
If we discover that we have collected information from a child under the applicable age, we will delete that information immediately. If you believe we have collected information from a child, please contact us at hello@craftwithlattice.com
Lattice is operated from the United States. If you are located outside the United States, your information will be transferred to, stored, and processed in the United States and other countries where our service providers operate.
For EEA/UK/Swiss Users:
- We rely on Standard Contractual Clauses (SCCs) approved by the European Commission for data transfers
- Our service providers (Supabase, Sentry, Apple, Expo) comply with GDPR requirements for international transfers
- You have the right to request information about safeguards in place for your data
By using Lattice, you consent to the transfer of your information to countries outside your country of residence, which may have different data protection laws.
We do NOT use:
- Cookies for tracking or advertising
- Third-party analytics (Google Analytics, etc.) - currently
- Remarketing or advertising pixels
- Behavioral tracking for advertising purposes
We DO use:
- Local device storage (AsyncStorage) to maintain your login session and app preferences
- Session tokens for authentication (stored securely on your device)
- Error tracking via Sentry (non-advertising purposes only)
We are committed to transparency. We plan to implement analytics tracking in the future to better understand how users interact with the App and improve the user experience.
Before implementing analytics, we will:
1. Update this Privacy Policy to disclose the analytics provider and data collected
2. Notify you via email and in-app notification
3. Provide an option to opt-out or manage analytics preferences
4. Request your consent where required by law (GDPR, CCPA)
You can choose not to use the App after such changes if you do not agree with the updated practices.
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or App features.
When we make changes:
- We will update the "Last Updated" date at the top of this policy
- For material changes, we will notify you via email or in-app notification
- We will provide a reasonable notice period before changes take effect (typically 30 days)
- Continued use of the App after changes take effect constitutes acceptance of the updated policy
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.
In the event of a data breach that affects your personal information, we will:
- Notify you via email within 72 hours of discovering the breach (where required by law)
- Describe the nature of the breach and the types of personal information affected
- Provide steps you can take to protect yourself and mitigate potential harm
- Report the breach to relevant data protection authorities as required by law (e.g., EU supervisory authorities for GDPR compliance)
- Investigate the cause of the breach and implement measures to prevent future incidents
We take data security seriously and maintain incident response procedures to quickly identify, contain, and remediate any security incidents.
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Email: hello@craftwithlattice.com
For GDPR-related inquiries:
Data Protection Officer: Cora Tabor, hello@craftwithlattice.com
For CCPA-related inquiries:
California Privacy Rights: hello@craftwithlattice.com
Response Time: We aim to respond to all inquiries within 5-7 business days.
What We Collect:
Email, name, stash items, projects, patterns, photos, payment info, error logs
Why We Collect It:
To provide app functionality, process payments, fix bugs, comply with laws
Who We Share With:
Supabase (database), Sentry (errors), Apple (payments), Expo (framework)
Your Rights:
Access, correct, delete, export your data; opt-out of future analytics