Legal
GDPR & Data Subject Rights
This page explains how TinyPrd (“Lattice,” the “Controller”) handles personal data under the EU General Data Protection Regulation (GDPR), the UK GDPR, and similar laws. It supplements our Privacy Policy and applies to users in the European Economic Area, the UK, and Switzerland.
Last updated: June 25, 2026
Who is responsible for your data
Lattice is the data controller, meaning we decide how and why your personal data is processed. You can reach us at support email or our address in Portugal.
Categories of data and sources
We collect data you provide directly (account and study content), data generated by your use of Lattice (review activity, retrievability scores), basic technical data (device, browser, IP), and anonymous attribution data (campaign source and A/B test variant, stored in first-party cookies and never linked to your identity). We may also receive data from integrations you authorize.
Lawful bases for processing
We process your personal data only where we have a lawful basis:
- Contract: to provide the Lattice features you requested.
- Legitimate interests: for anonymous first-party analytics, campaign attribution, A/B testing, and security monitoring. These processes use only pseudonymous or anonymous data (random session identifiers, campaign labels, and experiment variant assignments) that cannot identify you. We have assessed that these activities do not override your rights and freedoms.
- Consent: for optional marketing communications; withdraw anytime.
- Legal obligation: to comply with laws we are subject to.
Your rights
Under the GDPR you have the following rights, subject to certain conditions:
Right of access
You can ask for a copy of the personal data we hold about you.
Right to rectification
You can ask us to correct inaccurate or incomplete data.
Right to erasure (“right to be forgotten”)
You can ask us to delete your data in certain circumstances.
Right to restriction
You can ask us to limit how we use your data in certain cases.
Right to data portability
You can receive data you provided in a structured, machine-readable format and reuse it elsewhere.
Right to object
You can object to processing based on legitimate interests or for direct marketing.
Rights regarding automated decision-making
Lattice generates study aids but does not make solely automated legal or similarly significant decisions about you. You have the right not to be subject to such decisions.
Exercising your rights
Email support email to exercise any right. We will verify your identity and respond within one month, or let you know if we need an extension. There is usually no fee, but we may charge a reasonable fee or refuse clearly unfounded or excessive requests.
Right to complain
You have the right to lodge a complaint with your local data protection authority. You can find EU authorities at the European Data Protection Board website (edpb.europa.eu) and the UK authority at ico.org.uk. We hope you will contact us first so we can help.
International transfers
Where your data is transferred outside the EEA, UK, or Switzerland, we protect it using Standard Contractual Clauses or another valid transfer mechanism, and we monitor whether the destination provides an adequate level of protection.
Sub-processors
We use trusted sub-processors to help operate Lattice (for example, cloud hosting, model inference, and email). Each is bound by a data processing agreement that limits how they use your data. A current list of sub-processor categories is available on request.
Data retention
We keep personal data only as long as needed for the purposes described, or to comply with legal obligations. You can request deletion at any time.
Data Protection Officer / Contact
We have not appointed a statutory Data Protection Officer, but our privacy team handles all data requests. Contact us at support email or our address in Portugal.