Skip to main content
All legal documents

Privacy Policy

Last updated: July 13, 2026 · Version 3

Contents

  1. Overview
  2. Data Controller & Contact
  3. What Personal Data We Collect
  4. Why We Process Your Data (Lawful Basis)
  5. Third-Party Services (Data Processors)
  6. Where Your Data Is Stored
  7. Your Rights
  8. Data Retention
  9. AI & Automated Decision-Making
  10. Security Measures
  11. Cookies & Tracking
  12. Age Requirement
  13. Changes to This Policy

1. Overview

This platform ("we", "us", "our") is Lataamo's event application, an AI-powered event platform operated by Lataamo Group Oy.

This privacy policy explains what data we process and how you can control it.

We process personal data strictly on documented instructions from the event organizer (data controller).

2. Data Controller & Contact

The data controller for your personal data is the event organizer who engaged Lataamo Group Oy to provide the event platform. Lataamo Group Oy acts as the data processor, operating the platform on behalf of the event organizer.

For privacy inquiries, data access requests, or to exercise any of your rights, please contact the event organizer.

3. What Personal Data We Collect

Account Data

When you create an account, we collect your email address, LinkedIn ID (if you sign in via LinkedIn), account creation date, and last active timestamp.

Event Profile Data

For each event you participate in, you create an event profile. This may include your display name, pronouns, job title, company, company size, bio, profile photo, and networking goals.

AI-Generated Data

Our AI creates derived data from your profile and event activity to power the event experience. This includes profile descriptions, match recommendations with explanations ("Why You Matched"), personalized content (such as session summaries and daily digests), and other event-specific insights. All AI-generated content is labeled as such.

Interaction Data

When you interact with other attendees, we store conversation memory (topics discussed, key points), follow-up items, and connection strength ratings.

Communication Data

We store chat messages, wave (connection) requests, and notification history.

Cross-Event Data (Opt-in)

If you opt in, we maintain an account-level profile aggregated across events, including your connection graph and event history.

Sensitive data such as email addresses, voice recordings, and authentication credentials are subject to strict access controls.

4. Why We Process Your Data (Lawful Basis)

Under the GDPR, the event organizer must determine a lawful basis for processing your personal data. Here is how each category of data maps to a lawful basis:

Data CategoryLawful BasisNotes
Core service features (profiles, AI matching, personalized content, messaging, notifications, session analysis)Contract — Art. 6(1)(b)Necessary to deliver the AI-powered event service you registered for
Optional features (voice recording, behavioral learning, emotional reactions (Pulse), cross-event data)Explicit consent — Art. 6(1)(a)Available only where the event organizer enables the feature; each requires separate opt-in and is withdrawable at any time
Organizer lead insightsLegitimate interest — Art. 6(1)(f)Lead scoring from organizer-directed engagement signals (see section 9); the optional AI evidence summary requires your consent; object via the organizer
Security monitoringLegitimate interest — Art. 6(1)(f)Fraud prevention and account protection
Compliance recordsLegal obligation — Art. 6(1)(c)Admin audit logs (retention in section 8)

5. Third-Party Services (Data Processors)

We use the following third-party services to operate the platform:

Data Processors

ServicePurposeData SentRegion
VercelApplication hostingHTTP requests, IP addressesEU (function region); US (DDoS protection — DPF)
Google CloudDatabase, authentication, storage, compute, AI processing (Gemini Enterprise Agent Platform)All user dataEU — primary region europe-north1 (Finland)
Mistral AIAI processing (fallback provider)Profile text, messages, transcriptionsEU (Paris, France)
DeepgramVoice transcriptionVoice recordingsEU
ResendTransactional emailEmail addresses, notification contentUS (EU SCCs + DPF)
Upstash RedisRate limitingHashed IP addresses, request countsEU
LinkedInOAuth loginProfile data (user-initiated)US (standard OAuth)
CloudflareCDN, video storageHTTP requests, session videosGlobal
SentryApplication error monitoringTechnical error reports (personal data scrubbed before send; no IP addresses stored)EU (Frankfurt — error data); US (account and organization metadata, DPF + SCCs)

We maintain Data Processing Agreements (GDPR Art. 28) with all third-party processors. Where data is transferred outside the EU, we rely on EU Standard Contractual Clauses (SCCs) and/or the EU-US Data Privacy Framework to ensure adequate protection.

The current sub-processor list, AI processing regions, and how changes are announced are maintained in our Sub-processor list, published with a full version history.

6. Where Your Data Is Stored

Your personal data at rest is stored in the European Union, primarily in the europe-north1 (Finland) region of Google Cloud. This includes database records, file storage, authentication data, and backend processing.

Some services involve limited data transfers outside the EU as described in the third-party services section above (email delivery, DDoS protection, CDN). These transfers are covered by appropriate legal mechanisms (EU Standard Contractual Clauses and/or EU-US Data Privacy Framework).

7. Your Rights

Under the GDPR, you have the following rights regarding your personal data. We have implemented all six core rights:

Right of Access (Art. 15)

You can export all data we hold about you as a machine-readable JSON file. Go to Account → AI Transparency → Data Export to download your data.

Right to Rectification (Art. 16)

You can edit your profile information at any time through your account settings. Changes take effect immediately.

Right to Erasure (Art. 17)

You can permanently delete your account and all associated data. Go to Account → AI Transparency → Delete Account. This process includes multi-step confirmation and deletes your associated data including profiles, matches, messages, voice recordings, and AI-generated data.

Right to Data Portability (Art. 20)

The data export feature provides your data in structured, machine-readable JSON format, suitable for transferring to another service.

Right to Restriction of Processing (Art. 18)

You can restrict how your data is used through visibility controls. You can set your profile visibility for other attendees and hide specific profile fields.

Right to Object (Art. 21)

You can object to data processing through several mechanisms:

  • Behavioral learning — Toggle off to prevent AI from learning from your interaction patterns
  • Notifications — Per-category notification controls. Emails include unsubscribe links.
  • Organizer lead insights — Object by contacting the event organizer (see section 9)

To exercise these controls, go to Account → AI Transparency in the app.

How to Exercise Your Rights

Most rights can be exercised directly through the app. For any inquiries you can reach out to the event organizer.

Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority. The relevant authority is the Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto): tietosuoja.fi

8. Data Retention

Event related data is kept for 90 days. The full retention schedule:

DataRetainedAfter expiry
Event profiles and attendance90 days after the event endsDeleted
Voice recordings and transcriptions90 days after creationDeleted
Chat messages365 days after creationAnonymized (sender identity removed)
Account dataUntil you delete your accountDeleted
AI-generated dataTied to its source dataDeleted with the source
AI operation logs30 daysDeleted
Security logs2 yearsDeleted
Admin audit logs7 years (Finnish Accounting Act)Deleted
Consent recordsUntil account deletionDeleted

Retention is enforced by an automated daily process. Account deletion removes all personal data across all categories, including stored files; security and admin audit logs are retained for their stated periods as required above.

9. AI & Automated Decision-Making

The platform uses AI across the entire event lifecycle to enhance your experience. AI processes your profile data, event activity, and session content to generate personalized insights and recommendations.

Core AI Features (part of the service)

  • Intelligent matching — your profile and goals are analyzed to recommend relevant connections, with explanations ("Why You Matched")
  • Session intelligence — recorded event sessions are analyzed to produce summaries and key moments
  • Personalized content — session summaries, daily digests, meeting briefings, conversation topics, and goal progress tailored to your profile and goals

AI outputs are recommendations only. No decisions with legal or similarly significant effects are made solely by automated processing. You always decide what to act on.

AI Transparency

You can see exactly what AI knows about you by visiting the AI Transparency page in your account settings. This shows your AI understanding, connected data sources, privacy settings, and allows you to export all AI-generated data.

By default, AI processing is routed to EU-based endpoints; regions and governance are described in the Sub-processor list.

Organizer Lead Insights

Where the event organizer enables it, we combine organizer-directed engagement signals into a lead score with supporting evidence, shown only to the organizer (the data controller) to help them decide who to follow up with. The signals that feed it:

  • Calls-to-action and links you open in the event
  • QR scans ("met in person")

Session reactions ("Pulse"), connection requests, peer meetings, and interaction patterns are not used for lead scoring.

The score is advisory only: it is not shown to you, does not affect your access, and is not used for any decision with legal or similarly significant effects. The legal basis is the organizer's legitimate interest; you can object at any time by contacting the event organizer.

Where the organizer additionally enables an AI-generated evidence summary, it is produced only with your consent, withdrawable at any time in Account → AI Transparency.

10. Security Measures

We protect your data with multiple layers of security:

  • Encryption — Data encrypted at rest (AES-256) and in transit (TLS 1.2+)
  • Authentication — Secure login via magic links or LinkedIn
  • Access control — Role-based permissions ensuring you can only access data you are authorized to see

11. Cookies & Tracking

We use only essential cookies and functional browser storage required for the application to function. The complete inventory — every cookie we set, its purpose and lifetime, and the browser storage technologies we use — is maintained in our dedicated Cookie Policy.

No marketing, analytics, or third-party tracking cookies are used. No ad pixels or retargeting technologies are integrated.

12. Age Requirement

This platform is designed for professional event networking. You must be at least 16 years old to use the service. By using the platform, you confirm that you meet this age requirement. We do not knowingly collect personal data from individuals under 16. If you believe someone under 16 has provided us with personal data, please contact us at info@lataamo.fi and we will promptly delete it.

13. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. When we make material changes, we will notify you through the application or by email. Every revision is published with its effective date, a plain-language change summary, and a full version history; all changes also appear in the combined changelog.

Questions? Contact us at info@lataamo.fi

Version history

Compare versions
  • Version 3Current

    Effective July 13, 2026

    Corrected the organizer lead-insights description to the current signal set (session reactions and interaction patterns no longer feed lead scores), completed the data-retention table for all data categories, removed references to cross-event matching, and simplified wording throughout.

  • Version 2

    Effective July 2, 2026

    Added Sentry (application error monitoring, EU-hosted) to the third-party processors; the cookies section now defers to the dedicated Cookie Policy for the full cookie inventory.

  • Version 1

    Effective June 16, 2026

    Initial published version — imported unchanged from the previous privacy policy page.