Privacy Policy

1. Scope

This policy applies to personal information we process in connection with the Services. It does not govern third-party websites, decentralized applications (“dApps”), wallet extensions from other providers, or public blockchain networks — those are governed by their own terms and policies.

If you install an official Latch browser extension, the same policy applies to information processed through that extension when it communicates with our APIs and website, in addition to the extension-specific disclosures in Section 8.

2. Definitions

• Personal information means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked with a particular consumer or household, as well as similar terms like “personal data” under applicable law.
• On-chain data means data recorded on a public blockchain (for example Stellar / Soroban ledger entries, contract addresses, transaction payloads, and wallet addresses). On-chain data is typically public, permanent, and outside our control once submitted.
• Off-chain data means data processed on our servers or infrastructure providers (for example database rows, HTTP logs, and session cookies).

3. Information we collect

We collect only the information reasonably necessary to operate, secure, and improve the Services. Categories depend on which features you use (for example passkey registration vs. delegated signing).

3.1 Account, session, and device context

• Session cookie. We set an HTTP-only session cookie (named sid) to associate your browser or extension with a server-side session. In production, this cookie may use SameSite=None and Secure so that credentialed requests from an allowed browser extension origin can complete WebAuthn and API flows without dropping the session.
• Session lifetime. Server-side sessions are created and renewed with a rolling expiration window of approximately thirty (30) days of activity unless ended earlier (for example by cookie clearance or security measures).
• Identifiers we generate. We assign internal identifiers to users and sessions stored in our database; these are not necessarily meaningful outside our systems.

3.2 WebAuthn / passkey registration and authentication

• Credential and key material. When you register a passkey, we store WebAuthn credential identifiers and public-key material (including COSE-encoded and raw P-256 public keys) needed to verify future assertions. We store a signature counter and optional metadata such as transports, authenticator device type, and backup state when reported by your device.
• Challenges. We issue short-lived cryptographic challenges for registration and sign-in. These records include the challenge bytes, relying party id, and requesting web origin. Challenges are designed to expire approximately five (5) minutes after creation and are deleted after successful completion of the ceremony when the protocol flow finishes.
• What we do not receive from WebAuthn. Your biometric samples (such as fingerprints or face geometry) stay on your device; we receive only cryptographic proofs your authenticator releases under the WebAuthn standard.

3.3 Smart Accounts and signers

• Smart account linkage. We store data needed to associate your passkeys and policies with Stellar smart account addresses you create or manage through the Services, including deployment status and cryptographic salts or key material our application uses in accordance with our technical design.
• Account signers. We may store records of additional or alternate signers (for example delegated signers, recovery-related signer types, or labels you provide) linked to your smart account so the product can enforce your chosen authorization model.

3.4 Transactions and Stellar / Soroban activity

• Transaction payloads. When you request transaction building, simulation, submission, or related endpoints, our servers process transaction and authorization data you send (for example XDR-encoded transactions and authorization entries, signer addresses, and signed payloads) to perform the requested operation.
• RPC and ledger visibility. Submitted transactions become part of the public ledger. We also send RPC requests (for example to simulate or submit transactions) to the Soroban / Stellar RPC endpoint configured for the deployment. Those network operators process requests under their own privacy policies.

3.5 Third-party wallets you connect

If you connect a third-party wallet (for example Phantom, MetaMask, Freighter, or Lobstr), that wallet provider processes information under its own privacy policy. We may receive public addresses and signatures you approve for transmission to our APIs or to the network, but we do not control the wallet’s local storage or analytics.

3.6 Server and security logs

Like most hosted services, our infrastructure may automatically collect diagnostic and security information such as IP address, approximate location derived from IP, user agent, timestamps, request paths, HTTP status codes, and similar telemetry in server or platform logs. We use this information to operate, secure, and debug the Services.

3.7 Analytics

We do not currently load third-party marketing analytics scripts in the application code shipped from this repository. If we enable optional analytics (for example product analytics on Vercel or another provider), we will update this policy and, where required, provide appropriate consent or opt-out mechanisms before turning them on in production.

4. What we do not intend to collect

• We do not ask you to upload a Stellar seed phrase to our servers as part of the product flows described in our documentation, and you should never paste a seed phrase into any Latch-controlled form.
• We do not custody your third-party wallet’s private keys; signing with those wallets happens through the wallet provider’s software on your device unless you explicitly choose to share a derived key or signature with us as part of a transaction flow.

If you believe you have transmitted highly sensitive data to us by mistake, contact us immediately using the details in Section 16 so we can assist with mitigation steps available to us.

5. How we use information

• Provide, maintain, and improve the Services (including onboarding, authentication, and transaction flows).
• Detect, prevent, and respond to fraud, abuse, and security incidents.
• Comply with law and enforce our terms.
• Communicate with you about the Services when you contact us or when notices are required.

Depending on your jurisdiction, we rely on a mix of legal bases such as performance of a contract, legitimate interests that are not overridden by your rights, compliance with legal obligations, and consent where required. The basis that applies to a specific activity can vary; where the law requires us to identify it, we do so in our internal records and notices at collection when applicable.

6. How we share information

We share personal information only as described in this policy or with your direction.

• Infrastructure providers (“subprocessors”). We use cloud hosting and database providers to run the Services. They process data on our instructions and under contractual safeguards.
• Public blockchains. When you submit transactions, information contained in those transactions is replicated across the network and may be indexed by third-party explorers.
• Legal and safety. We may disclose information if we believe in good faith that disclosure is required by law, subpoena, or legal process, or to protect the rights, safety, and security of users, the public, or ourselves.
• Business transfers. If we are involved in a merger, acquisition, financing, or sale of assets, information may be transferred as part of that transaction, subject to standard confidentiality arrangements.

7. Cookies and similar technologies

We use strictly necessary cookies to maintain your session. We do not use advertising cookies in the current implementation described in Section 3.7. You can control cookies through your browser settings; disabling strictly necessary cookies may prevent sign-in or passkey flows from working.

8. Latch browser extensions

When we distribute an official Latch extension in the Chrome Web Store or another browser gallery, that extension is part of the Services covered by this policy. The canonical URL of this Privacy Policy will be linked from the store listing and from in-extension legal links (for example the options or about surface) so you always have a single up-to-date document.

8.1 How the extension talks to Latch

• The extension may call our APIs with browser fetch using credentials so the HTTP-only session cookie is included, similar to a website origin calling our APIs.
• Our servers may validate an allowlisted browser extension origin (for example chrome-extension://…) when operators configure cross-origin access. We do not open credentialed cross-origin access to arbitrary origins.
• For WebAuthn ceremonies initiated inside an extension context, we may validate an allowlisted Chrome extension identifier and compare it to the WebAuthn client data origin, and we may accept an explicit extension id header when some proxies omit the Origin header. This reduces confusion between different extensions and protects passkey ceremonies from unexpected callers.

8.2 Extension permissions and local storage

Browser extensions declare permissions in a manifest (for example storage, alarms, host access, or script injection). The exact permission list for each Latch extension build will be summarized in the Chrome Web Store listing and in release notes when the extension ships. This Privacy Policy does not replace that technical disclosure — read both together.

9. Retention

• Sessions: rolling thirty (30) day activity window as described in Section 3.1.
• WebAuthn challenges: short-lived (on the order of five (5) minutes) and removed after successful completion where the application deletes the challenge record.
• Account records: retained while your account is active and for a reasonable period afterward for legal, security, and dispute-resolution purposes unless a shorter period is required by law.
• Server logs: retained according to our hosting provider’s rotation and our internal retention schedule.

10. Security

We implement administrative, technical, and organizational measures appropriate to the risk, including TLS for data in transit, access controls on production infrastructure, HTTP-only session cookies, and allowlisted cross-origin access for extension integrations. No method of transmission or storage is completely secure; we encourage you to use device passcodes, hardware security keys where available, and reputable wallet software.

11. International users and transfers

We may process and store information in the United States and other countries where we or our subprocessors operate. Those countries may have different data protection laws than your own. Where required, we will rely on appropriate safeguards for international transfers (for example Standard Contractual Clauses for data from the European Economic Area, and UK-approved transfer mechanisms where applicable).

12. Your privacy rights

Depending on where you live, you may have rights to access, correct, delete, or export personal information, or to object to or restrict certain processing. We do not currently provide a self-service account deletion control in the product; to exercise these rights, contact us at privacy@latch.so and we will respond in line with applicable law. You may also have the right to lodge a complaint with a data protection authority.

13. United States (California and other states)

If you are a California resident, the California Consumer Privacy Act (“CCPA”) may grant you additional rights regarding personal information, including rights to know, delete, and correct, and to opt out of certain “sales” or “sharing” of personal information. We do not sell personal information for money and we do not share it for cross-context behavioral advertising as part of the implementation described in this policy. If our practices change, we will update this disclosure.

14. European Economic Area, United Kingdom, and Switzerland

If GDPR or UK GDPR applies, we act as a controller for the processing described here unless we agree in writing to act as a processor on behalf of an organization you represent. This policy is intended to provide the transparency required by Articles 13–14 at a high level; regulators may require additional detail in records of processing activities maintained separately from this document.

15. Children

The Services are not directed to children under the age where they may not lawfully provide consent in their jurisdiction (for example 13 in the United States or 16 in parts of the EU for certain services). We do not knowingly collect personal information from children. If you believe we have collected information from a child, contact us and we will take appropriate steps to investigate and delete it where required by law.

16. Contact

Questions about this Privacy Policy or our practices: privacy@latch.so.

17. Changes to this policy

We may update this Privacy Policy from time to time. We will post the updated version on this page and revise the “Last updated” date above. If changes are material, we will provide additional notice as required by law (for example a banner in the Services or email where we have contact details).