Open app

Legal

Lateroo Privacy Policy

Effective Date: 09.06.2026

This Privacy Policy explains how Served.ch GmbH processes personal data when you use Lateroo.

This Privacy Policy explains how Served.ch GmbH ("we", "us", "our") processes personal data when you use Lateroo.

1. Controller

Served.ch GmbH
Company number: CHE-383.329.924
Chemin du Pélard 13
1197 Prangins
Switzerland
Email: hello@lateroo.app

We have not appointed a formal data protection officer. Privacy questions and data-subject requests may be sent to the contact address above.

2. Scope

This Privacy Policy applies to Lateroo websites, applications, and related services.

Lateroo is operated from Switzerland. Where the EU General Data Protection Regulation (GDPR), the Swiss Federal Act on Data Protection (FADP), the UK GDPR, or other mandatory privacy laws apply, we process personal data in accordance with those laws.

3. Data We Process

Account Data

We process:

  • email address;
  • authentication identifiers;
  • language preferences;
  • subscription status;
  • account timestamps.

We do not require users to connect a bank account, grant inbox access, or provide payment account credentials to use Lateroo.

Billing Data

We process:

  • customer identifiers;
  • subscription identifiers;
  • billing status information.
  • subscription renewal, cancellation, and payment-failure information.

Payment card information is processed directly by Paddle and is not stored by Lateroo.

Forwarded Email Data

When you intentionally forward an email to Lateroo, we process:

  • recipient forwarding address;
  • sender name;
  • sender email address;
  • subject line;
  • a preview containing up to the first 500 characters;
  • attachment metadata;
  • provider metadata such as message identifiers and webhook timestamps;
  • timestamps.

The full email body is processed temporarily for extraction purposes and is not permanently stored.

Forwarded emails may contain personal data about other people, such as household members, merchants, senders, or account contacts. You should only forward emails where you are authorized to do so, and you should avoid forwarding information that is not needed for reminders.

Lateroo is not designed to process sensitive personal data, such as health, religious, political, biometric, genetic, criminal, or social-assistance information. Please do not intentionally forward such information unless it is strictly necessary for the reminder you request.

Obligation Data

We process:

  • merchant names;
  • amounts;
  • currencies;
  • due dates;
  • installment information;
  • reference numbers;
  • notes you create;
  • status information.

Attachments

Attachment metadata is stored for all users.

Actual attachment files are stored only for Premium users.

Attachment downloads and previews are provided through short-lived private links where available.

Technical Data

We may process:

  • IP addresses;
  • browser information;
  • device and request metadata;
  • logs necessary for security and abuse prevention.

4. Purposes and Legal Bases

Contract Performance

We process data to:

  • provide the Service;
  • authenticate users;
  • create reminders;
  • send notifications;
  • manage subscriptions.

Legal basis: GDPR Article 6(1)(b).

Legitimate Interests

We process data for:

  • fraud prevention;
  • duplicate detection;
  • abuse prevention;
  • troubleshooting;
  • maintaining service reliability;
  • service security.

Legal basis: GDPR Article 6(1)(f).

Legal Obligations

We may process information to comply with legal requirements.

Legal basis: GDPR Article 6(1)(c).

Data Required to Provide the Service

Account data is required to create and operate your Lateroo account. Forwarded email data is required only when you choose to use Lateroo for a reminder. Billing data is required only if you choose a Premium subscription.

If you do not provide the data required for a specific feature, that feature may not be available.

No Sale of Personal Data

We do not sell personal data. We also do not use forwarded payment emails for advertising profiles or cross-context behavioral advertising.

5. Email Processing

Lateroo never accesses your mailbox.

Emails are processed only when you intentionally forward them.

You should only forward emails and attachments that you are authorized to share.

Automated Extraction

Lateroo automatically extracts likely payment information, such as amounts, due dates, providers, and references, from forwarded emails. This extraction is used to create reminders and does not produce legal or similarly significant automated decisions about you. You remain able to review, correct, dismiss, or delete extracted obligations.

6. Service Emails

Reminder emails and system notifications are service communications necessary to provide the Service and are not marketing emails.

If we introduce newsletters, promotional emails, or other marketing communications, we will use a separate legal basis where required and provide an unsubscribe option.

7. Cookies and Similar Technologies

Authentication providers and payment providers may use cookies or similar technologies necessary for login sessions, fraud prevention, and subscription management.

The public website is intended to function without advertising or cross-context behavioral tracking cookies. If we introduce analytics, advertising, or other non-essential tracking technologies, we will provide any consent mechanism required by applicable law.

Disabling these technologies may impair functionality.

8. Service Providers

We use selected service providers to operate Lateroo. Some providers act as processors for us, while others act as independent controllers for specific activities such as payment processing, tax handling, fraud prevention, or account administration.

Provider Role and purpose Data involved Locations and safeguards Public legal information
Clerk Authentication, identity management, login sessions, account security. Email address, authentication identifiers, session data, device/request metadata, and related account security data. May process data in the United States and other locations. Clerk publishes a DPA, SCCs, Swiss addendum terms, security measures, and Data Privacy Framework information. DPA · Privacy Policy
Paddle Merchant of Record for Premium subscriptions, checkout, payment processing, invoicing, tax, fraud checks, and subscription management. Email address, billing identifiers, transaction data, payment status, billing address where provided to Paddle, tax and fraud-prevention data. Payment card details are processed by Paddle and its payment partners, not stored by Lateroo. Paddle may process data in the United Kingdom, EEA, United States, Canada, and other countries. Paddle publishes privacy terms and describes SCCs and other safeguards for international transfers where required. Privacy Policy · GDPR Information
Mailgun / Sinch Email Inbound email routing, email webhook processing, transactional reminder emails, extraction-failure notices, monthly digest emails, and billing-status emails. Email sender and recipient data, subject lines, message content needed for routing and delivery, email metadata, delivery events, IP/request metadata, and recipient email addresses. We use the EU API endpoint where configured. Mailgun/Sinch publishes DPA terms, SCCs, DPF information for relevant entities, encryption and security measures, and sub-processor information. DPA · Privacy Policy
Scalingo Application hosting, backend infrastructure, managed PostgreSQL database, operational logs, backups, and support. Account data, forwarded email previews and metadata, obligation records, reminder records, attachment metadata, technical logs, IP/request metadata, and database backups. Scalingo publishes DPA terms for hosting and database services and describes French data-center hosting for relevant regions, security measures, breach support, and processor obligations. DPA · Privacy Policy
OVHcloud Object storage for Premium attachment files and related storage infrastructure. Attachment files for Premium users, attachment metadata, object keys, technical logs, and access metadata needed for storage and short-lived download links. We configure object storage for European-region storage where available. OVHcloud provides contractual terms and data-protection documentation for its cloud services; applicable locations and safeguards depend on the selected region and service terms. Personal Data Protection
Vercel Public website and static frontend hosting, content delivery, deployment logs, and request handling. Website and frontend request metadata such as IP address, user agent, headers, visited URLs, deployment logs, and error/security metadata. Vercel's primary processing facilities are in the United States and it may process data globally. Vercel publishes a DPA, SCCs, Swiss terms, security measures, sub-processor information, and Data Privacy Framework information. DPA · Privacy Notice

Public vendor legal pages are provided for transparency. Our operational compliance relies on the applicable contracts, data processing terms, transfer mechanisms, and account settings in force with each provider, not only on public links.

We review service providers before use and aim to limit shared data to what is necessary for the provider's role.

When a provider acts as our processor, we remain responsible for selecting appropriate processors and for instructing them to process personal data only for the agreed service purposes.

9. International Transfers

Personal data may be processed in Switzerland, the European Economic Area, the United Kingdom, the United States, and other countries where our service providers operate.

Switzerland and the EEA may not provide identical transfer rules. Where required by law, transfers are protected through appropriate safeguards such as Standard Contractual Clauses, Swiss addenda, adequacy decisions, or equivalent mechanisms.

Some providers may process data outside Switzerland or the EEA. In those cases, we assess the transfer mechanism offered by the provider and use it where required.

10. Data Retention

We retain personal data only as long as necessary to provide the Service.

Account and obligation data are generally retained while the account exists.

Forwarded email previews, extracted obligations, reminder records, user notes, attachment metadata, and Premium attachment files are generally retained while the account exists, unless you delete the relevant item earlier through the Service.

Following account deletion, personal data in the active application systems is deleted without undue delay, subject to operational processing time and legally required retention.

Security logs, technical logs, and backup copies may be retained for a limited period for security, recovery, and audit purposes before being overwritten or deleted.

Certain billing, accounting, tax, and legal records may be retained for the periods required by applicable law.

If we anonymize data so that it can no longer identify a person, we may use that anonymized data to understand and improve the Service.

11. Your Rights

Depending on applicable law, you may have the right to:

  • access your personal data;
  • correct inaccurate information;
  • request deletion;
  • object to processing;
  • restrict processing;
  • request portability;
  • withdraw consent where consent is used.

Requests may be sent to:

hello@lateroo.app

We may need to verify your identity before responding to a request. We aim to respond within one month where GDPR applies, unless an extension is permitted by law. Under Swiss law, we respond within the legally applicable time limits.

Although no automated export feature currently exists, we will assist with reasonable portability requests where required by law.

These rights may be subject to legal limits, such as protecting the rights of other people, preserving legal claims, complying with accounting obligations, or maintaining security logs.

12. Security

We implement technical and organizational measures designed to protect personal data, including authentication controls, signed webhooks, access restrictions, and short-lived download links.

We restrict access to personal data to people and service providers who need it to operate, secure, support, or improve the Service.

If we become aware of a personal data breach that requires notification, we will notify affected users and competent authorities where required by applicable law.

No method of transmission or storage can guarantee absolute security.

13. Children's Privacy

The Service is not intended for individuals under 18 years of age.

14. California Privacy Rights

Where applicable, California residents may have rights under the California Consumer Privacy Act (CCPA).

Lateroo does not sell personal information.

Lateroo does not share personal information for cross-context behavioral advertising.

15. Swiss and European Rights

Individuals in Switzerland, the EU, and the EEA may lodge complaints with their competent supervisory authority.

For Switzerland, the competent authority is the Federal Data Protection and Information Commissioner (FDPIC).

Served.ch GmbH is established in Switzerland. A Swiss representative under the FADP is not required for a Swiss-established company.

If GDPR Article 27 requires an EU representative for our processing activities, we will appoint and publish the representative's contact details before relying on that processing in the EU/EEA. Until then, privacy requests may be sent directly to Served.ch GmbH at the contact details in this Privacy Policy.

16. Internal Compliance Measures

We aim to maintain internal records of processing activities, vendor safeguards, transfer mechanisms, retention criteria, and security measures where required by applicable law.

We assess whether new processing activities require a data protection impact assessment before launch, especially if a feature could create a high risk for users' rights or freedoms.

Lateroo is designed around data minimization: users manually forward selected emails, we store a short text preview rather than the full email body, and we do not request inbox, bank, open-banking, or payment-execution access.

17. Changes to this Privacy Policy

We may update this Privacy Policy from time to time.

Updated versions become effective when published.

18. Contact

Served.ch GmbH
Company number: CHE-383.329.924
Chemin du Pélard 13
1197 Prangins
Switzerland
Email: hello@lateroo.app