Privacy Policy

Originally Published: July 27, 2025

Last Updated: November 13, 2025

1. Introduction and Scope

1.1 Who We Are

This Privacy Policy describes how Lacesse ("we," "us," "our"), a global technology company with principal operations in Kenya, collects, uses, discloses, and protects your personal information when you access or use our Services.

1.2 Services Covered

This Privacy Policy applies to all Lacesse websites, applications, platforms, and services, including but not limited to:

• Lacesse One: Our flagship productivity and collaboration platform
• Akia AI: Artificial intelligence assistant and automation platform
• Haraka PM: Project management and task coordination tools
• Lacesse Chat: Real-time messaging and communication services
• Lacesse Sandbox: Development and testing environment
• Lacesse AI: AI-powered content generation and analysis tools
• Lacesse Partner Program: Partner portal and collaboration platform
• Any future products, features, or services we may introduce

1.3 Commitment to Compliance

We are committed to protecting your privacy in accordance with:

• Kenya Data Protection Act, 2019
• European Union General Data Protection Regulation (GDPR)
• Singapore Personal Data Protection Act (PDPA)
• Swiss Federal Act on Data Protection (FADP)
• South Korean Personal Information Protection Act (PIPA)
• California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
• Other applicable data protection and privacy laws worldwide

1.4 Acceptance

By using our Services, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and disclosure of your personal information as described herein. If you do not agree with this Privacy Policy, please do not use our Services.

2. Data Controller Information

2.1 Data Controller

Lacesse is the data controller responsible for your personal information collected through the Services. Our contact details are provided in Section 22 of this Privacy Policy.

2.2 Representative (Where Applicable)

For users in the European Union, we will appoint an EU representative as required by Article 27 of the GDPR. Contact details for our EU representative will be published on our website once appointed.

2.3 Data Protection Officer

For data protection inquiries, you may contact our Privacy Office at privacy@lacesse.app.

3. What Personal Data We Collect

3.1 Account and Profile Information

• Full name
• Email address
• Phone number (optional)
• Postal address (for billing or delivery)
• Username and password
• Profile picture and bio
• Professional information (company, job title, industry)
• Account preferences and settings

3.2 Payment and Billing Information

• Payment card information (processed securely by Paystack; we do not store full card details)
• Billing address
• Transaction history and invoices
• Tax identification numbers (where required)
• Purchase and subscription records

3.3 Student Verification Information

• Student identification number
• Educational institution name
• Enrollment status documentation
• Verification dates and status
• Note: Student ID information is retained for a maximum of 7 days or until verification is complete, whichever comes first (see Section 6)

3.4 User Content and Communications

• Content you create, upload, or share through the Services (documents, files, images, videos)
• Messages, comments, and communications with other users
• Support requests, feedback, and inquiries sent to us
• Survey responses and testimonials
• AI prompts and interactions with Akia AI and Lacesse AI

3.5 Technical and Usage Data

• IP address and geolocation data (city/country level)
• Device information (type, model, operating system, browser type and version)
• Unique device identifiers and advertising IDs
• Log files and access times
• Pages visited, features used, and actions taken
• Referral sources and exit pages
• Performance data and error reports
• Click patterns and heatmaps

3.6 Cookies and Tracking Data

• Session cookies and persistent cookies
• Analytics cookies (Google Analytics, Cloudflare Analytics)
• Preference cookies (language, theme, settings)
• Marketing cookies (where consent is provided)
• Local storage and session storage data

3.7 Information from Third Parties

• Social media profile information (if you connect accounts)
• Payment confirmation from Paystack
• Publicly available information from business directories or social networks
• Data from partners participating in the Lacesse Partner Program

4. How We Collect Your Data

4.1 Information You Provide Directly

• When you create an account or update your profile
• When you subscribe to paid services or make purchases
• When you upload content or use Service features
• When you contact customer support or communicate with us
• When you participate in surveys, contests, or promotions
• When you apply for student verification or the Partner Program

4.2 Information Collected Automatically

• Through cookies, web beacons, and similar tracking technologies
• Via server logs and analytics tools
• Through your interactions with emails we send
• From your use of API integrations and third-party connections

4.3 Information from Third-Party Sources

• Payment processors (Paystack) confirming transactions
• Social media platforms (if you choose to link accounts)
• Public databases and data enrichment services
• Partners and affiliates in the Lacesse ecosystem

5. Purposes and Legal Basis for Processing

5.1 Purposes of Processing

We process your personal data for the following purposes:

5.2 Legitimate Interests

Where we process data based on legitimate interests, our interests include:

• Operating and improving our business and Services
• Maintaining security and preventing fraud
• Understanding how users interact with our Services
• Developing new products and features
• Protecting our legal rights and property
• Providing efficient customer support

5.3 Consent

Where processing is based on your consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

6. Student Verification Data

6.1 Purpose of Collection

We collect student identification information solely to verify eligibility for student discounts and special pricing available in select markets.

6.2 Strict Data Retention Limits

6.3 What We Retain

After deletion of your student ID, we retain only:

• Verification status (approved/denied)
• Eligibility start and end dates
• Educational institution name (without identifying details)

6.4 Geographic Availability

Student verification and associated discounts are available only in select markets. Availability may change without notice based on regional eligibility criteria and business decisions.

6.5 Security of Student Data

During the retention period, student ID information is encrypted at rest and in transit, stored in secure, access-controlled systems, and accessible only to authorized verification personnel.

7. AI and Automated Processing

7.1 AI Services

When you use Akia AI, Lacesse AI, or other AI-powered features, your inputs (prompts, queries, content) are processed by artificial intelligence and machine learning models provided by third-party services including:

• Groq: Primary large language model (LLM) inference
• Google Gemini AI Studio: Backup AI model services

7.2 Data Shared with AI Providers

• We share only the specific prompts, queries, or content you submit to AI features
• We do not share your account information, payment details, or unrelated personal data with AI providers
• AI providers may process data in accordance with their own privacy policies

7.3 AI Training and Improvement

• We may use aggregated, anonymized data from AI interactions to improve model performance and accuracy
• Your specific prompts and outputs are not used for third-party AI training without your explicit consent
• You can opt out of having your AI interaction data used for improvement purposes by contacting privacy@lacesse.app

7.4 Automated Decision-Making

We do not make legally significant decisions about you based solely on automated processing, including AI outputs, without human review. AI-generated content is provided for informational purposes and should not be relied upon as professional advice.

7.5 AI Output Ownership

You retain ownership of content you create using AI Services, but AI-generated outputs may not be unique and similar outputs may be generated for other users.

8. Data Storage and Infrastructure

8.1 Primary Hosting and Infrastructure

• Hosting Provider: Render (servers located in Frankfurt, Germany)
• Application Data: Core services, databases, and application logic hosted on Render infrastructure in Frankfurt
• Jurisdiction: Germany (European Union)

8.2 Database Storage

• Database Provider: Neon (PostgreSQL database service)
• Location: Frankfurt, Germany (European Union)
• Data Stored: User accounts, profiles, application data, structured information

8.3 Media and File Storage

• Media Provider: Cloudinary
• Location: United States
• Data Stored: Images, videos, documents, and other media files uploaded by users
• Note: Media stored in the US is subject to appropriate safeguards as described in Section 11

8.4 Backup and Disaster Recovery

• We maintain encrypted backups of critical data in geographically distributed locations
• Backups are retained for disaster recovery and business continuity purposes
• Backup data is subject to the same security and retention policies as primary data

8.5 Content Delivery and Security

• CDN Provider: Cloudflare
• Services: Content delivery network, DDoS protection, SSL/TLS termination, security services
• Data Processing: Cloudflare processes limited technical data (IP addresses, request headers) to provide these services

9. Data Sharing and Disclosure

9.1 No Sale of Personal Data

9.2 Sharing with Service Providers

We share personal data with trusted third-party service providers who assist us in operating the Services, subject to strict confidentiality obligations. These providers include:

• Cloud hosting and infrastructure providers (Render, Neon)
• Media storage and delivery services (Cloudinary, Cloudflare)
• Payment processors (Paystack)
• AI and machine learning providers (Groq, Google Gemini AI)
• Email delivery services (Gmail SMTP)
• Analytics and performance monitoring tools
• Customer support platforms
• Security and fraud prevention services

9.3 Legal and Compliance Disclosures

We may disclose your personal data when required by law or when we believe in good faith that disclosure is necessary to:

• Comply with legal obligations, court orders, or valid legal processes
• Respond to lawful requests from public authorities (law enforcement, regulators)
• Enforce our Terms of Use and other agreements
• Protect the rights, property, or safety of Lacesse, our users, or the public
• Detect, prevent, or address fraud, security, or technical issues
• Prevent harm or illegal activity

9.4 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of assets, your personal data may be transferred to the acquiring entity. We will notify you of any such change and any choices you may have regarding your personal data.

9.5 Partner Program Participants

If you participate in the Lacesse Partner Program, certain information (company name, contact details, performance metrics) may be shared with other program participants or displayed publicly in accordance with Partner Program Terms.

9.6 Aggregated and Anonymized Data

We may share aggregated, anonymized, or de-identified data that cannot reasonably be used to identify you. Such data may be used for research, analytics, industry reports, or other business purposes without restriction.

9.7 With Your Consent

We may share your personal data with third parties when you have explicitly consented to such sharing, such as when you authorize integrations with third-party services or participate in co-marketing initiatives.

10. Third-Party Services and Processors

10.1 Overview

To deliver and improve our Services, Lacesse engages carefully selected third-party partners and service providers ("Processors"). These partners help us host, secure, analyze, and support our products. We only share the minimum personal data necessary for them to perform their functions, and all are bound by strict confidentiality and data protection obligations.

10.2 Complete List of Third-Party Processors

10.3 Data Processing Agreements

We maintain data processing agreements (DPAs) or similar contractual arrangements with all processors that handle personal data on our behalf. These agreements require processors to:

• Process data only according to our documented instructions
• Implement appropriate security measures
• Maintain confidentiality
• Assist with data subject requests and breach notifications
• Delete or return data upon termination of services
• Comply with applicable data protection laws

10.4 Updates to Third-Party Services

We regularly review our service providers and may add, remove, or replace processors as needed to improve our Services. This Privacy Policy will be updated whenever we add or remove a significant processor.

10.5 Third-Party Privacy Policies

Each third-party processor operates under its own privacy policy and terms of service. While we require our processors to protect your data, we encourage you to review their policies:

• Paystack: paystack.com/privacy
• Cloudflare: cloudflare.com/privacypolicy
• Cloudinary: cloudinary.com/privacy
• Google: policies.google.com/privacy

11. International Data Transfers

11.1 Cross-Border Data Flows

As a global technology company, we process and store data in multiple jurisdictions. Your personal data may be transferred to and processed in countries other than your country of residence, including:

• Germany (European Union) - Primary hosting and database storage
• United States - Media storage (Cloudinary), AI processing (Groq, Google), email services (Gmail)
• Kenya - Business operations and legal entity location
• Other countries where our service providers maintain infrastructure

11.2 Safeguards for International Transfers

When transferring personal data outside your jurisdiction, we implement appropriate safeguards including:

• Standard Contractual Clauses (SCCs): We use European Commission-approved Standard Contractual Clauses for transfers from the EU/EEA to third countries
• Adequacy Decisions: We rely on adequacy decisions by competent authorities where available (e.g., EU-approved countries)
• Data Processing Agreements: Contractual obligations requiring processors to implement appropriate technical and organizational measures
• Encryption: Data encryption in transit and at rest
• Access Controls: Strict limitations on who can access personal data
• Your Consent: In some cases, we obtain your explicit consent for specific data transfers

11.3 EU-US and Swiss-US Data Transfers

For data transfers to the United States, we implement supplementary measures in addition to Standard Contractual Clauses to ensure an adequate level of protection in accordance with GDPR requirements and guidance from European data protection authorities.

11.4 Consent to International Transfers

By using our Services, you acknowledge and consent to the transfer of your personal data to countries outside your jurisdiction as described in this Privacy Policy, subject to the safeguards outlined above.

12. Data Retention Periods

12.1 General Retention Principles

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements.

12.2 Specific Retention Periods

12.3 Account Deletion

• When you delete your account, we delete or anonymize your personal data within 90 days
• Data may persist in backup systems for up to an additional 90 days
• Some data must be retained longer to comply with legal obligations (e.g., financial records for tax purposes)
• Aggregated, anonymized data may be retained indefinitely

12.4 Extended Retention

We may retain personal data for longer periods when:

• Required by law (e.g., tax records, legal proceedings)
• Necessary to protect our legal rights or defend against claims
• You have specifically requested extended retention
• The data has been anonymized and can no longer identify you

13. Security Measures

13.1 Our Security Commitment

We take the security of your personal data seriously and implement comprehensive technical and organizational measures to protect against unauthorized access, alteration, disclosure, or destruction.

13.2 Technical Security Measures

• Encryption:
  • All data transmitted to and from our Services uses TLS 1.2 or higher encryption
  • Sensitive data at rest is encrypted using industry-standard encryption algorithms (AES-256)
  • Database connections use encrypted channels
• Access Controls:
  • Role-based access control (RBAC) for internal systems
  • Multi-factor authentication (MFA) for administrative access
  • Principle of least privilege - employees access only data necessary for their role
  • Regular access reviews and audit logs
• Network Security:
  • Firewall protection on all infrastructure
  • DDoS protection via Cloudflare
  • Intrusion detection and prevention systems
  • Regular security scanning and penetration testing
• Application Security:
  • Secure coding practices and code reviews
  • Input validation and sanitization
  • Protection against common vulnerabilities (OWASP Top 10)
  • Regular security updates and patches

13.3 Organizational Security Measures

• Employee security awareness training
• Confidentiality agreements for all staff and contractors
• Background checks for employees with access to sensitive data
• Documented security policies and procedures
• Incident response plan and security breach procedures
• Regular security audits and risk assessments

13.4 Data Breach Notification

In the event of a data breach that affects your personal data, we will:

• Notify affected users without undue delay and, where feasible, within 72 hours of becoming aware of the breach
• Notify relevant supervisory authorities as required by applicable law
• Provide information about the nature of the breach, affected data categories, likely consequences, and measures taken
• Offer guidance on steps you can take to protect yourself
• Investigate the breach and implement measures to prevent recurrence

13.5 Your Security Responsibilities

You play an important role in keeping your data secure:

• Use strong, unique passwords for your Lacesse account
• Enable multi-factor authentication when available
• Keep your login credentials confidential
• Log out of shared or public devices
• Report suspicious activity immediately to security@lacesse.app
• Keep your devices and software updated with security patches

13.6 Limitations

While we implement robust security measures, no system can be 100% secure. We cannot guarantee absolute security of your personal data. You use the Services at your own risk.

14. Your Privacy Rights

14.1 Overview

Depending on your jurisdiction, you have various rights regarding your personal data. These rights may include:

14.2 Right of Access

• You have the right to request a copy of the personal data we hold about you
• We will provide this information in a commonly used electronic format
• First request is free; we may charge a reasonable fee for additional copies

14.3 Right to Rectification

• You can request correction of inaccurate or incomplete personal data
• You can update most information directly through your account settings
• Contact us at privacy@lacesse.app for assistance

14.4 Right to Erasure ("Right to Be Forgotten")

• You can request deletion of your personal data in certain circumstances:
  • Data no longer necessary for the purposes it was collected
  • You withdraw consent (where processing was based on consent)
  • You object to processing and there are no overriding legitimate grounds
  • Data has been unlawfully processed
  • Deletion is required by law
• We may retain certain data where required by law or for legitimate purposes (e.g., legal claims, financial records)

14.5 Right to Restriction of Processing

• You can request that we limit how we use your personal data in certain circumstances:
  • You contest the accuracy of the data
  • Processing is unlawful but you don't want deletion
  • We no longer need the data but you need it for legal claims
  • You have objected to processing pending verification of our legitimate grounds

14.6 Right to Data Portability

• You can request your personal data in a structured, commonly used, machine-readable format
• You can request that we transmit this data directly to another controller where technically feasible
• This right applies where processing is based on consent or contract and is carried out by automated means

14.7 Right to Object

• You can object to processing based on legitimate interests or for direct marketing purposes
• For direct marketing: You can object at any time and we will stop processing for that purpose
• For legitimate interests: We will stop unless we demonstrate compelling legitimate grounds that override your interests

14.8 Right to Withdraw Consent

• Where processing is based on consent, you can withdraw consent at any time
• Withdrawal does not affect the lawfulness of processing before withdrawal
• You can withdraw consent through account settings or by contacting us

14.9 Right to Lodge a Complaint

• You have the right to lodge a complaint with a supervisory authority in your jurisdiction
• Kenya: Office of the Data Protection Commissioner (ODPC) - odpc.go.ke
• EU/EEA: Your national data protection authority
• Other jurisdictions: Your local privacy or data protection regulator

14.10 Automated Decision-Making Rights

• You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects
• You can request human review of automated decisions
• You can express your point of view and contest the decision

14.11 How to Exercise Your Rights

To exercise any of these rights, please:

• Email us at privacy@lacesse.app with your request
• Include your name, email address, and specific right(s) you wish to exercise
• Provide information to help us verify your identity
• Specify what data or action you are requesting

14.12 Response Timeline

• We will respond to your request within 30 days (or as required by applicable law)
• If we need more time, we will notify you and provide a reason for the delay
• We may request additional information to verify your identity before processing certain requests

14.13 No Discrimination

We will not discriminate against you for exercising your privacy rights. You will not receive discriminatory treatment or a different level of service for making a privacy request.

15. Cookies and Tracking Technologies

15.1 What Are Cookies

Cookies are small text files stored on your device when you visit our Services. We also use similar technologies such as web beacons, pixels, and local storage.

15.2 Types of Cookies We Use

15.3 Third-Party Cookies

Some cookies are placed by third-party services we use:

• Cloudflare: Security and performance optimization
• Analytics providers: Usage statistics and behavior analysis
• Payment processors: Secure payment processing (Paystack)

15.4 Managing Cookies

• Most browsers allow you to refuse or delete cookies through settings
• You can set your browser to notify you when cookies are sent
• Disabling cookies may affect functionality of the Services
• Essential cookies cannot be disabled as they are required for the Services to function

15.5 Browser Settings

To manage cookies in popular browsers:

• Chrome: Settings → Privacy and security → Cookies and other site data
• Firefox: Options → Privacy & Security → Cookies and Site Data
• Safari: Preferences → Privacy → Cookies and website data
• Edge: Settings → Cookies and site permissions → Cookies and site data

15.6 Do Not Track

Some browsers support a "Do Not Track" (DNT) signal. Currently, there is no industry standard for how to respond to DNT signals. We do not currently respond to DNT signals but honor opt-out preferences you set in your account.

15.7 Analytics and Measurement

We use analytics tools to understand how users interact with our Services. This helps us improve functionality, identify issues, and develop new features. Analytics data is typically aggregated and anonymized.

16. Email Communications and Forwarding

16.1 Email Forwarding System

16.2 Implications of Email Forwarding

• When you send an email to any @lacesse.app address, it is automatically forwarded to our Gmail-based email system
• Your email communications are subject to Google's Privacy Policy in addition to this Privacy Policy
• Google may process metadata (sender, recipient, subject, timestamps) to provide email services
• We maintain confidentiality of all communications in accordance with this Privacy Policy

16.3 SMTP Email Delivery

• We use Gmail SMTP servers to send transactional and service emails to you
• This includes account notifications, password resets, receipts, and support responses
• Google processes email delivery data to provide these services

16.4 Types of Emails We Send

• Transactional Emails: Account creation, password resets, payment confirmations (cannot be unsubscribed)
• Service Updates: Important changes to Services, Terms, or Privacy Policy
• Marketing Emails: Product announcements, promotions, newsletters (requires opt-in, can be unsubscribed)
• Support Communications: Responses to your inquiries and support requests

16.5 Unsubscribing from Marketing Emails

• Every marketing email includes an unsubscribe link
• You can also manage email preferences in your account settings
• Unsubscribe requests are processed within 10 business days
• You will continue to receive transactional and service-related emails even after unsubscribing from marketing

17. Children's Privacy

17.1 Age Restrictions

• Our Services are not intended for use by individuals under the age of 18 (or the age of majority in your jurisdiction)
• We do not knowingly collect personal information from children
• If you are under 18, you may only use the Services with the involvement and consent of a parent or legal guardian

17.2 Parental Notice

If we become aware that we have collected personal information from a child under 18 without parental consent, we will take steps to delete such information promptly. If you believe we have collected information from a child, please contact us immediately at privacy@lacesse.app.

17.3 Educational Use

If the Services are used in an educational setting, the educational institution is responsible for obtaining necessary parental consents and complying with applicable laws regarding children's data (such as COPPA in the United States or similar laws elsewhere).

18. California Privacy Rights

18.1 CCPA/CPRA Rights

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to Know: Request disclosure of categories and specific pieces of personal information collected
• Right to Delete: Request deletion of personal information we have collected
• Right to Correct: Request correction of inaccurate personal information
• Right to Opt-Out: Opt-out of the sale or sharing of personal information (we do not sell personal information)
• Right to Limit: Limit use and disclosure of sensitive personal information
• Right to Non-Discrimination: Not receive discriminatory treatment for exercising your rights

18.2 Categories of Personal Information Collected

In the past 12 months, we have collected the following categories of personal information from California residents:

• Identifiers (name, email, IP address)
• Commercial information (purchase history, payment records)
• Internet activity (browsing history, interactions with Services)
• Geolocation data (approximate location)
• Professional information (company, job title)
• Inferences drawn from the above to create user profiles

18.3 Sale of Personal Information

18.4 Exercising California Rights

To exercise your California privacy rights, contact us at privacy@lacesse.app or call +254-702-794-345. We will verify your identity and respond within 45 days.

18.5 Authorized Agents

You may designate an authorized agent to make requests on your behalf. The agent must provide proof of authorization and we may require you to verify your identity directly.

18.6 Shine the Light

Under California Civil Code Section 1798.83, California residents can request information about disclosure of personal information to third parties for direct marketing purposes. We do not share personal information with third parties for their direct marketing purposes.

19. GDPR-Specific Provisions

19.1 Legal Basis for Processing (EU/EEA/UK Residents)

For individuals in the European Union, European Economic Area, or United Kingdom, our legal bases for processing include:

• Contract Performance: Processing necessary to provide Services you have requested
• Legal Obligation: Processing required to comply with legal obligations (e.g., tax laws, law enforcement requests)
• Legitimate Interests: Processing necessary for our legitimate business interests (security, fraud prevention, service improvement) that are not overridden by your rights
• Consent: Where you have provided explicit consent (e.g., marketing communications, certain cookies)
• Vital Interests: Processing necessary to protect your vital interests or those of another person

19.2 Data Protection Officer

For GDPR-related inquiries, contact our Privacy Office at privacy@lacesse.app. We will appoint a formal Data Protection Officer (DPO) if and when required under Article 37 of the GDPR.

19.3 EU Representative

As a company not established in the EU but offering services to EU data subjects, we will appoint an EU representative pursuant to Article 27 GDPR. Contact details will be published on our website once appointed.

19.4 International Data Transfers from EU

We transfer personal data from the EU to third countries (including the United States and Kenya) using approved transfer mechanisms:

• European Commission Standard Contractual Clauses (SCCs)
• Adequacy decisions where available
• Supplementary measures as recommended by European Data Protection Board (EDPB)

19.5 Supervisory Authority

You have the right to lodge a complaint with your national data protection authority. For a list of EU data protection authorities, visit: edpb.europa.eu

20. Other Jurisdictions

20.1 Singapore (PDPA)

For individuals in Singapore, we comply with the Personal Data Protection Act (PDPA). You have rights to access and correct your personal data. To exercise these rights or withdraw consent, contact privacy@lacesse.app.

20.2 Switzerland (FADP)

For individuals in Switzerland, we comply with the Swiss Federal Act on Data Protection (FADP). You have rights equivalent to those under GDPR, including the right to request data transfer to Switzerland or an EU country.

20.3 South Korea (PIPA)

For individuals in South Korea, we comply with the Personal Information Protection Act (PIPA). You have rights to access, correct, and delete your personal information. We obtain consent before collecting sensitive personal information.

20.4 Kenya (Data Protection Act)

For individuals in Kenya, we comply with the Kenya Data Protection Act, 2019. You can exercise your rights by contacting us at privacy@lacesse.app or lodge a complaint with the Office of the Data Protection Commissioner (ODPC).

20.5 Other Regions

We strive to comply with data protection and privacy laws in all jurisdictions where we operate. If you have questions about how your local laws apply to our Services, please contact our Privacy Office.

21. Changes to This Privacy Policy

21.1 Policy Updates

• We may update this Privacy Policy from time to time to reflect changes in our practices, Services, legal requirements, or for other operational, legal, or regulatory reasons
• When we make material changes, we will notify you by:
  • Updating the "Last Updated" date at the top of this policy
  • Posting a notice on our website or within the Services
  • Sending an email notification to the address associated with your account
  • Requiring you to acknowledge the updated policy upon your next login (for significant changes)

21.2 Advance Notice

For material changes that affect your rights or how we process your data, we will provide at least 30 days' advance notice to paying subscribers. Free users may receive shorter notice periods.

21.3 Continued Use

Your continued use of the Services after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. If you do not agree with the changes, you must discontinue use of the Services and may delete your account.

21.4 Version History

Previous versions of this Privacy Policy are available upon request by contacting privacy@lacesse.app.

22. Contact Information

22.1 Privacy Inquiries

For questions, concerns, or requests related to this Privacy Policy or our data practices, please contact:

22.2 Data Protection Requests

To exercise your privacy rights (access, correction, deletion, etc.), please email privacy@lacesse.app with:

• Your full name and email address associated with your account
• Clear description of your request and which right(s) you are exercising
• Verification information (we may request additional details to confirm your identity)
• Preferred format for data delivery (if requesting data portability)

22.3 Security Issues

To report security vulnerabilities, data breaches, or security concerns:

22.4 General Support

For general questions about the Services:

22.5 Legal and Compliance

For legal notices, compliance matters, or regulatory inquiries:

22.6 Regulatory Authorities

You have the right to contact relevant data protection authorities:

• Kenya: Office of the Data Protection Commissioner (ODPC)
  Website: www.odpc.go.ke
  Email: info@odpc.go.ke
• EU/EEA: Your national data protection authority (find at edpb.europa.eu)
• UK: Information Commissioner's Office (ICO)
  Website: ico.org.uk

Lacesse – Committed to Your Privacy
Last Updated: November 13, 2025
Version 2.0

Home Terms of Use Partner Terms Privacy Inquiries