Privacy Policy
Last updated: July 13, 2026 · Version 3
Contents
- Overview
- Data Controller & Contact
- What Personal Data We Collect
- Why We Process Your Data (Lawful Basis)
- Third-Party Services (Data Processors)
- Where Your Data Is Stored
- Your Rights
- Data Retention
- AI & Automated Decision-Making
- Security Measures
- Cookies & Tracking
- Age Requirement
- Changes to This Policy
1. Overview
This platform ("we", "us", "our") is Lataamo's event application, an AI-powered event platform operated by Lataamo Group Oy.
This privacy policy explains what data we process and how you can control it.
We process personal data strictly on documented instructions from the event organizer (data controller).
2. Data Controller & Contact
The data controller for your personal data is the event organizer who engaged Lataamo Group Oy to provide the event platform. Lataamo Group Oy acts as the data processor, operating the platform on behalf of the event organizer.
For privacy inquiries, data access requests, or to exercise any of your rights, please contact the event organizer.
3. What Personal Data We Collect
Account Data
When you create an account, we collect your email address, LinkedIn ID (if you sign in via LinkedIn), account creation date, and last active timestamp.
Event Profile Data
For each event you participate in, you create an event profile. This may include your display name, pronouns, job title, company, company size, bio, profile photo, and networking goals.
AI-Generated Data
Our AI creates derived data from your profile and event activity to power the event experience. This includes profile descriptions, match recommendations with explanations ("Why You Matched"), personalized content (such as session summaries and daily digests), and other event-specific insights. All AI-generated content is labeled as such.
Interaction Data
When you interact with other attendees, we store conversation memory (topics discussed, key points), follow-up items, and connection strength ratings.
Communication Data
We store chat messages, wave (connection) requests, and notification history.
Cross-Event Data (Opt-in)
If you opt in, we maintain an account-level profile aggregated across events, including your connection graph and event history.
Sensitive data such as email addresses, voice recordings, and authentication credentials are subject to strict access controls.
4. Why We Process Your Data (Lawful Basis)
Under the GDPR, the event organizer must determine a lawful basis for processing your personal data. Here is how each category of data maps to a lawful basis:
| Data Category | Lawful Basis | Notes |
|---|---|---|
| Core service features (profiles, AI matching, personalized content, messaging, notifications, session analysis) | Contract — Art. 6(1)(b) | Necessary to deliver the AI-powered event service you registered for |
| Optional features (voice recording, behavioral learning, emotional reactions (Pulse), cross-event data) | Explicit consent — Art. 6(1)(a) | Available only where the event organizer enables the feature; each requires separate opt-in and is withdrawable at any time |
| Organizer lead insights | Legitimate interest — Art. 6(1)(f) | Lead scoring from organizer-directed engagement signals (see section 9); the optional AI evidence summary requires your consent; object via the organizer |
| Security monitoring | Legitimate interest — Art. 6(1)(f) | Fraud prevention and account protection |
| Compliance records | Legal obligation — Art. 6(1)(c) | Admin audit logs (retention in section 8) |
5. Third-Party Services (Data Processors)
We use the following third-party services to operate the platform:
Data Processors
| Service | Purpose | Data Sent | Region |
|---|---|---|---|
| Vercel | Application hosting | HTTP requests, IP addresses | EU (function region); US (DDoS protection — DPF) |
| Google Cloud | Database, authentication, storage, compute, AI processing (Gemini Enterprise Agent Platform) | All user data | EU — primary region europe-north1 (Finland) |
| Mistral AI | AI processing (fallback provider) | Profile text, messages, transcriptions | EU (Paris, France) |
| Deepgram | Voice transcription | Voice recordings | EU |
| Resend | Transactional email | Email addresses, notification content | US (EU SCCs + DPF) |
| Upstash Redis | Rate limiting | Hashed IP addresses, request counts | EU |
| OAuth login | Profile data (user-initiated) | US (standard OAuth) | |
| Cloudflare | CDN, video storage | HTTP requests, session videos | Global |
| Sentry | Application error monitoring | Technical error reports (personal data scrubbed before send; no IP addresses stored) | EU (Frankfurt — error data); US (account and organization metadata, DPF + SCCs) |
We maintain Data Processing Agreements (GDPR Art. 28) with all third-party processors. Where data is transferred outside the EU, we rely on EU Standard Contractual Clauses (SCCs) and/or the EU-US Data Privacy Framework to ensure adequate protection.
The current sub-processor list, AI processing regions, and how changes are announced are maintained in our Sub-processor list, published with a full version history.
6. Where Your Data Is Stored
Your personal data at rest is stored in the European Union, primarily in the europe-north1 (Finland) region of Google Cloud. This includes database records, file storage, authentication data, and backend processing.
Some services involve limited data transfers outside the EU as described in the third-party services section above (email delivery, DDoS protection, CDN). These transfers are covered by appropriate legal mechanisms (EU Standard Contractual Clauses and/or EU-US Data Privacy Framework).
7. Your Rights
Under the GDPR, you have the following rights regarding your personal data. We have implemented all six core rights:
Right of Access (Art. 15)
You can export all data we hold about you as a machine-readable JSON file. Go to Account → AI Transparency → Data Export to download your data.
Right to Rectification (Art. 16)
You can edit your profile information at any time through your account settings. Changes take effect immediately.
Right to Erasure (Art. 17)
You can permanently delete your account and all associated data. Go to Account → AI Transparency → Delete Account. This process includes multi-step confirmation and deletes your associated data including profiles, matches, messages, voice recordings, and AI-generated data.
Right to Data Portability (Art. 20)
The data export feature provides your data in structured, machine-readable JSON format, suitable for transferring to another service.
Right to Restriction of Processing (Art. 18)
You can restrict how your data is used through visibility controls. You can set your profile visibility for other attendees and hide specific profile fields.
Right to Object (Art. 21)
You can object to data processing through several mechanisms:
- Behavioral learning — Toggle off to prevent AI from learning from your interaction patterns
- Notifications — Per-category notification controls. Emails include unsubscribe links.
- Organizer lead insights — Object by contacting the event organizer (see section 9)
To exercise these controls, go to Account → AI Transparency in the app.
How to Exercise Your Rights
Most rights can be exercised directly through the app. For any inquiries you can reach out to the event organizer.
Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority. The relevant authority is the Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto): tietosuoja.fi
8. Data Retention
Event related data is kept for 90 days. The full retention schedule:
| Data | Retained | After expiry |
|---|---|---|
| Event profiles and attendance | 90 days after the event ends | Deleted |
| Voice recordings and transcriptions | 90 days after creation | Deleted |
| Chat messages | 365 days after creation | Anonymized (sender identity removed) |
| Account data | Until you delete your account | Deleted |
| AI-generated data | Tied to its source data | Deleted with the source |
| AI operation logs | 30 days | Deleted |
| Security logs | 2 years | Deleted |
| Admin audit logs | 7 years (Finnish Accounting Act) | Deleted |
| Consent records | Until account deletion | Deleted |
Retention is enforced by an automated daily process. Account deletion removes all personal data across all categories, including stored files; security and admin audit logs are retained for their stated periods as required above.
9. AI & Automated Decision-Making
The platform uses AI across the entire event lifecycle to enhance your experience. AI processes your profile data, event activity, and session content to generate personalized insights and recommendations.
Core AI Features (part of the service)
- Intelligent matching — your profile and goals are analyzed to recommend relevant connections, with explanations ("Why You Matched")
- Session intelligence — recorded event sessions are analyzed to produce summaries and key moments
- Personalized content — session summaries, daily digests, meeting briefings, conversation topics, and goal progress tailored to your profile and goals
AI outputs are recommendations only. No decisions with legal or similarly significant effects are made solely by automated processing. You always decide what to act on.
AI Transparency
You can see exactly what AI knows about you by visiting the AI Transparency page in your account settings. This shows your AI understanding, connected data sources, privacy settings, and allows you to export all AI-generated data.
By default, AI processing is routed to EU-based endpoints; regions and governance are described in the Sub-processor list.
Organizer Lead Insights
Where the event organizer enables it, we combine organizer-directed engagement signals into a lead score with supporting evidence, shown only to the organizer (the data controller) to help them decide who to follow up with. The signals that feed it:
- Calls-to-action and links you open in the event
- QR scans ("met in person")
Session reactions ("Pulse"), connection requests, peer meetings, and interaction patterns are not used for lead scoring.
The score is advisory only: it is not shown to you, does not affect your access, and is not used for any decision with legal or similarly significant effects. The legal basis is the organizer's legitimate interest; you can object at any time by contacting the event organizer.
Where the organizer additionally enables an AI-generated evidence summary, it is produced only with your consent, withdrawable at any time in Account → AI Transparency.
10. Security Measures
We protect your data with multiple layers of security:
- Encryption — Data encrypted at rest (AES-256) and in transit (TLS 1.2+)
- Authentication — Secure login via magic links or LinkedIn
- Access control — Role-based permissions ensuring you can only access data you are authorized to see
11. Cookies & Tracking
We use only essential cookies and functional browser storage required for the application to function. The complete inventory — every cookie we set, its purpose and lifetime, and the browser storage technologies we use — is maintained in our dedicated Cookie Policy.
No marketing, analytics, or third-party tracking cookies are used. No ad pixels or retargeting technologies are integrated.
12. Age Requirement
This platform is designed for professional event networking. You must be at least 16 years old to use the service. By using the platform, you confirm that you meet this age requirement. We do not knowingly collect personal data from individuals under 16. If you believe someone under 16 has provided us with personal data, please contact us at info@lataamo.fi and we will promptly delete it.
13. Changes to This Policy
We may update this privacy policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. When we make material changes, we will notify you through the application or by email. Every revision is published with its effective date, a plain-language change summary, and a full version history; all changes also appear in the combined changelog.
Questions? Contact us at info@lataamo.fi
Version history
Compare versionsVersion 3Current
Effective July 13, 2026
Corrected the organizer lead-insights description to the current signal set (session reactions and interaction patterns no longer feed lead scores), completed the data-retention table for all data categories, removed references to cross-event matching, and simplified wording throughout.
Version 2
Effective July 2, 2026
Added Sentry (application error monitoring, EU-hosted) to the third-party processors; the cookies section now defers to the dedicated Cookie Policy for the full cookie inventory.
Version 1
Effective June 16, 2026
Initial published version — imported unchanged from the previous privacy policy page.