The data controller responsible for your personal data is:
Latitude App LLC
A Delaware limited liability company
Email: privacy@latitudelocation.com
Latitude does not currently have a designated EU representative or a formal Data Protection Officer, as it does not meet the thresholds that mandate these appointments under GDPR Article 27 and Article 37. If this changes, this Addendum will be updated accordingly. For all data-related inquiries, contact us at privacy@latitudelocation.com.
We process your personal data only where we have a lawful basis to do so under GDPR Article 6. The table below sets out each processing activity, the data involved, and the applicable legal basis.
| Processing Activity | Data Involved | Legal Basis |
|---|---|---|
| Creating and managing your account | Phone number, name (optional), email (optional), account creation date | Performance of a contract (Art. 6(1)(b)) |
| Sharing your location with approved connections | Location data (latitude, longitude, accuracy, timestamp) | Performance of a contract (Art. 6(1)(b)); Consent (Art. 6(1)(a)) — you explicitly approve each connection |
| Sending real-time access notifications | Device push token (FCM), activity log | Performance of a contract (Art. 6(1)(b)); Legitimate interests — transparency and user safety (Art. 6(1)(f)) |
| Managing subscriptions and billing | Subscription tier, renewal dates, group membership status | Performance of a contract (Art. 6(1)(b)) |
| Security and fraud prevention | Account information, device data | Legitimate interests — protecting our users and platform (Art. 6(1)(f)) |
| Compliance with legal obligations | Minimal billing/transaction records (up to 7 years) | Legal obligation (Art. 6(1)(c)) |
| Responding to lawful legal process | Any data subject to a valid legal request | Legal obligation (Art. 6(1)(c)) |
We do not process any special categories of personal data (GDPR Article 9) and do not make any decisions about you using solely automated processing that produces legal or similarly significant effects (GDPR Article 22).
As an EU/EEA/UK resident, you have the following rights under GDPR Articles 15–22. To exercise any of these rights, contact us at privacy@latitudelocation.com. We will respond within 30 days. In complex cases we may extend this by a further two months; if so, we will notify you within the initial 30-day period.
You have the right to obtain confirmation of whether we process personal data about you and, if so, to receive a copy of that data along with information about how it is used, where it came from, who it is shared with, and how long it is retained.
You have the right to request correction of inaccurate personal data we hold about you, and to have incomplete data completed.
You have the right to request deletion of your personal data where it is no longer necessary for the purpose it was collected, where you withdraw consent (and no other legal basis applies), or where we have processed it unlawfully. You can exercise this right directly by deleting your account in the App. See Section 6 of the Privacy Policy for details on what is deleted and when.
Exceptions apply where we are required to retain data to comply with a legal obligation (e.g., billing records for tax purposes).
You have the right to request that we restrict processing of your personal data in certain circumstances — for example, while you contest its accuracy or while a legitimate interests objection is being assessed.
Where processing is based on consent or contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format, and to transmit it to another controller. To request a data export, contact us at privacy@latitudelocation.com.
You have the right to object at any time to processing based on legitimate interests (Art. 6(1)(f)). We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, or the processing is necessary for the establishment, exercise, or defence of legal claims.
Where processing is based on your consent (e.g., sharing your location with a specific connection), you may withdraw that consent at any time through the App without affecting the lawfulness of processing that occurred before withdrawal.
We retain personal data only for as long as necessary to fulfil the purposes described in this Addendum and the Privacy Policy, or as required by law. In summary:
| Data Type | Retention Period |
|---|---|
| Location data | Most recent 2 updates only (foreground + background); automatically overwritten on each update. Data older than 7 days is deleted by daily automated process. |
| Activity log (location access records) | Rolling 50-entry cap per user; entries older than 30 days deleted daily. All deleted upon account deletion. |
| Account information | Retained while account is active; permanently deleted within 30 days of account deletion request. |
| Billing records | Up to 7 years as required by applicable tax and financial regulations. Does not include location data. |
Latitude is a US-based company and our infrastructure is operated by Google Cloud Platform and Firebase (Google LLC), which may process data in the United States and other countries outside the EU/EEA/UK.
Where personal data is transferred from the EU/EEA/UK to a third country without an adequacy decision, we rely on the following safeguards:
Standard Contractual Clauses (SCCs): Transfers to Google LLC are governed by the EU Standard Contractual Clauses (SCCs) as incorporated into Google's Data Processing Addendum, available at cloud.google.com/terms/data-processing-addendum. These SCCs provide appropriate safeguards for the transfer of personal data to countries outside the EU/EEA.
UK International Data Transfers Agreement (IDTA): For transfers from the United Kingdom, we rely on the UK IDTA as incorporated into Google's data transfer arrangements, which provides equivalent protection under UK GDPR.
You may request a copy of the applicable transfer mechanisms by contacting us at privacy@latitudelocation.com.
We use the following sub-processors to operate the Services. Each is bound by a data processing agreement that restricts use of your data to providing services to us.
| Sub-Processor | Purpose | Location |
|---|---|---|
| Google LLC (Google Cloud Platform / Firebase) | Cloud hosting, database (Firestore), authentication, push notifications (FCM) | United States (with global infrastructure) |
| Apple Inc. | App distribution, in-app payment processing, subscription management | United States |
We do not use Firebase Analytics, Crashlytics, or any other Firebase data collection or analytics services. Apple does not receive your location data or activity logs; Apple processes only payment and subscription data related to your App Store purchases.
If you believe we have not handled your personal data in accordance with GDPR, you have the right to lodge a complaint with a supervisory authority. You may do so in the EU/EEA member state of your habitual residence, place of work, or place of the alleged infringement.
A list of EU supervisory authorities is available at: edpb.europa.eu
For UK residents, the relevant authority is the Information Commissioner's Office (ICO): ico.org.uk
We encourage you to contact us directly first at privacy@latitudelocation.com so we have the opportunity to resolve your concern before a formal complaint is filed.
For any questions, requests, or concerns relating to this Addendum or your rights under GDPR, please contact us at: privacy@latitudelocation.com
We will acknowledge your request within 72 hours and respond fully within 30 days.