Privacy Policy

Welcome to Letaria. This Privacy Policy explains how the operators of Letaria ("Letaria", "we", "us", or "our") collect, use, disclose, and safeguard your information when you use our AI-powered test case generation service ("Service").

We are committed to protecting your privacy and handling your data in accordance with applicable data protection laws, including:

**Asia-Pacific (APAC):** • Singapore Personal Data Protection Act 2012 (PDPA) • Japan Act on Protection of Personal Information (APPI) • Australia Privacy Act 1988 and Privacy Amendment (Notifiable Data Breaches) Act 2017

**Middle East:** • United Arab Emirates Federal Decree-Law No. 45/2021 (UAE PDPL) • Saudi Arabia Personal Data Protection Law (KSA PDPL)

**European Union:** • General Data Protection Regulation (GDPR)

This Privacy Policy applies to all users of the Service, regardless of their geographic location. By using the Service, you consent to the data practices described in this policy.

**Data Controller:** Letaria Singapore

**Data Protection Officer (DPO):** Email: dpo@letaria.app

For users in the European Union, our DPO serves as your primary contact for data protection matters.

**Regional Representatives:**

For users in the European Union, you may contact our EU representative at: Email: eu-representative@letaria.app

For users in the United Kingdom, you may contact our UK representative at: Email: uk-representative@letaria.app

**Contact for Privacy Inquiries:** Email: privacy@letaria.app Response Time: Within 30 days (or sooner where required by law)

We collect information in the following categories:

**3.1 Information You Provide Directly:**

**Account Information:** • Full name and email address • Password (stored in encrypted form) • Company/organization name • Job title and department • Profile preferences

**Content Data (Inputs and Outputs):** **Inputs** - Content you provide to the Service: • Requirements documents you upload (PDF, DOCX, TXT, Markdown) • JIRA issues and Azure DevOps work items you import • Comments, annotations, and feedback you provide • Custom configurations and settings

**Outputs** - Content generated by the Service: • AI-generated test cases, scenarios, and suggestions • Explainability data (citations, rationale, confidence scores)

**Payment Information:** • Billing name and address • Payment method details (processed securely by our payment provider) • Transaction history

**Communications:** • Support requests and correspondence • Survey responses and feedback • Marketing preferences

**3.2 Information Collected Automatically:**

**Device and Technical Information:** • IP address and approximate location • Browser type and version • Operating system • Device identifiers • Screen resolution and timezone

**Usage Data:** • Pages and features accessed • Time spent on the Service • Actions taken within the Service • Error logs and performance data • Referring URLs and exit pages

Note: Usage Data is technical and analytics data about how you interact with the Service. It does NOT include your Content (Inputs or Outputs)

**3.3 Information from Third Parties:**

**Authentication Providers:** • OAuth data from Google, GitHub, or other identity providers you use to sign in • Name, email, and profile picture from these providers

**Integrated Services:** • JIRA Cloud: Issues, projects, and metadata you choose to import • Azure DevOps: Work items and project data you choose to import • These integrations only access data you explicitly authorize

**3.4 Sensitive Personal Data:**

We do not intentionally collect sensitive personal data (also known as "special category data" under GDPR), including: • Racial or ethnic origin • Political opinions • Religious or philosophical beliefs • Trade union membership • Genetic or biometric data • Health information • Sexual orientation

If you upload documents containing sensitive data, you are responsible for ensuring you have the appropriate legal basis to process such data.

We process your personal data based on the following legal grounds:

**4.1 Contract Performance (GDPR Art. 6(1)(b)):** Processing necessary to provide the Service you have requested: • Account creation and management • AI-powered test case generation • Integration with third-party tools • Export and download functionality • Customer support

**4.2 Legitimate Interests (GDPR Art. 6(1)(f)):** Processing based on our legitimate business interests, balanced against your rights: • Service improvement and feature development • Security monitoring and fraud prevention • Analytics to understand usage patterns • Communication about Service updates

**4.3 Legal Obligations (GDPR Art. 6(1)(c)):** Processing required to comply with applicable laws: • Tax and financial reporting • Response to legal requests • Data breach notifications • Regulatory compliance

**4.4 Consent (GDPR Art. 6(1)(a)):** Where you have provided explicit consent: • Marketing communications • Optional analytics and tracking • Use of non-essential cookies • Participation in research or surveys

You may withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.

**4.5 Regional Legal Bases:**

**Singapore (PDPA):** • Consent for collection, use, and disclosure • Deemed consent where appropriate • Legitimate business purposes • Legal obligations

**Japan (APPI):** • Consent for specified purposes • Necessary for contract performance • Public interest • Legal obligations

**Australia (Privacy Act):** • Consent • Necessary for primary purpose • Related secondary purposes • Required by law

**UAE (PDPL):** • Consent of data subject • Contractual necessity • Legal obligations • Legitimate interests

**Saudi Arabia (PDPL):** • Explicit consent • Contractual necessity • Legal requirements • Vital interests

We use your information for the following purposes:

**5.1 Service Delivery:** • Create and manage your account • Process and generate test cases from your requirements using AI • Enable integrations with JIRA, Azure DevOps, and other tools • Provide export and download functionality • Process payments and manage subscriptions • Provide customer support and respond to inquiries

**5.2 Service Improvement:** • Analyze usage patterns to improve features • Debug issues and fix errors • Develop new functionality based on user needs • Optimize performance and user experience • Conduct internal research and analysis

**5.3 AI Processing:** • Your Inputs (requirements documents, JIRA issues, Azure DevOps work items) are processed by AI models to generate Outputs (test cases, scenarios, suggestions) • AI processing includes analysis, scenario generation, and explainability features • Outputs are generated fresh for each request

**AI TRAINING POLICY:** LETARIA WILL NOT USE YOUR CONTENT (INPUTS OR OUTPUTS) TO TRAIN, OR ALLOW ANY THIRD PARTY TO TRAIN, ANY AI OR MACHINE LEARNING MODELS, UNLESS YOU HAVE EXPLICITLY OPTED IN TO SUCH USE THROUGH YOUR ACCOUNT SETTINGS OR A SEPARATE WRITTEN AGREEMENT.

We may use Usage Data (which does not include your Content) for security, analytics, and to improve the Service. We may only disclose Usage Data to third parties in an aggregated and/or de-identified form

**5.4 Communication:** • Send transactional emails (account confirmations, receipts, password resets) • Notify you of Service updates, changes, or maintenance • Send marketing communications (only with your consent) • Respond to support requests and inquiries

**5.5 Security and Compliance:** • Protect against fraud, abuse, and security threats • Monitor for unauthorized access or suspicious activity • Comply with legal obligations and regulatory requirements • Enforce our Terms of Service

**5.6 Analytics:** • Generate aggregate usage statistics • Understand user behavior and preferences • Measure feature adoption and effectiveness • Create anonymized benchmarks and reports

We may share your personal data in the following circumstances:

**6.1 Service Providers (Data Processors):** We engage trusted third-party service providers who process data on our behalf:

**Authentication:** • Clerk - User authentication and identity management • Location: United States • Data shared: Name, email, authentication tokens

**Infrastructure:** • Vercel - Hosting and content delivery • Location: Global (edge network) • Data shared: Usage data, IP addresses

**Database:** • Supabase - Database and backend services • Location: Configurable by region • Data shared: All Service data

**AI Processing:** • Google AI (Gemini) - Test case generation • Location: United States • Data shared: Requirements documents for processing

**Payment Processing:** • Stripe - Payment processing • Location: United States • Data shared: Payment information, billing details

**Analytics:** • Usage analytics services • Location: Various • Data shared: Anonymized usage data

All service providers are bound by data processing agreements and are required to protect your data in accordance with this Privacy Policy and applicable laws.

**6.2 Business Transfers:** In connection with a merger, acquisition, reorganization, or sale of assets, your data may be transferred to the acquiring entity. We will notify you before your data is transferred and becomes subject to a different privacy policy.

**6.3 Legal Requirements:** We may disclose your data when required by law or in response to: • Court orders or legal process • Government or regulatory requests • To protect our rights, privacy, safety, or property • To enforce our Terms of Service

**6.4 With Your Consent:** We may share your data with third parties when you have given explicit consent.

**6.5 Aggregated and Anonymized Data:** We may share aggregated or anonymized data that cannot reasonably be used to identify you.

**6.6 No Sale of Personal Data:** We do NOT sell your personal data to third parties. This commitment applies globally, including compliance with: • California Consumer Privacy Act (CCPA) • Virginia Consumer Data Protection Act (VCDPA) • Other applicable privacy laws

As a global service, your personal data may be transferred to and processed in countries other than your country of residence.

**7.1 Transfer Destinations:** Your data may be transferred to: • Singapore (our headquarters) • United States (cloud infrastructure, AI processing) • Other countries where our service providers operate

**7.2 Transfer Safeguards:**

**For transfers from the European Economic Area (EEA):** • Adequacy decisions: Transfers to countries recognized by the European Commission • Standard Contractual Clauses (SCCs): Latest EU-approved SCCs for transfers to non-adequate countries • Supplementary measures: Additional technical and organizational safeguards where required

**For transfers from Singapore:** • Compliance with PDPA Section 26 transfer requirements • Contractual arrangements ensuring comparable protection • Binding corporate rules where applicable

**For transfers from Japan:** • Compliance with APPI Article 28 requirements • Personal information protection systems in recipient countries • Contractual guarantees with data recipients

**For transfers from Australia:** • Australian Privacy Principles (APP 8) compliance • Reasonable steps to ensure overseas recipients comply • Contractual obligations on overseas recipients

**For transfers from Saudi Arabia:** • SDAIA approval where required by PDPL • Compliance with cross-border transfer restrictions • Adequate safeguards and contractual protections

**For transfers from UAE:** • Compliance with PDPL transfer requirements • Adequate protection measures in destination countries • UAE Data Office guidance followed

**7.3 Your Rights:** You may request information about the safeguards we use for international transfers by contacting privacy@letaria.app.

We implement comprehensive security measures to protect your personal data:

**8.1 Technical Measures:** • Encryption in transit using TLS 1.3 • Encryption at rest using AES-256 • Secure key management practices • Regular security patching and updates • Firewalls and intrusion detection systems • DDoS protection and mitigation

**8.2 Organizational Measures:** • Role-based access controls (principle of least privilege) • Employee security training and awareness • Background checks for employees with data access • Confidentiality agreements with all personnel • Vendor security assessments

**8.3 Operational Measures:** • Regular security audits and vulnerability assessments • Penetration testing by independent third parties • Security incident response procedures • Business continuity and disaster recovery planning • Regular backup procedures

**8.4 Compliance:** We maintain compliance with industry security standards and regularly review our security practices.

**8.5 Your Responsibilities:** You are responsible for: • Maintaining the confidentiality of your account credentials • Using strong, unique passwords • Reporting any suspected unauthorized access • Ensuring your own systems and devices are secure

**8.6 Security Limitations:** While we implement robust security measures, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security but will notify you promptly of any breach affecting your data.

In the event of a personal data breach that affects your data, we will take the following actions:

**9.1 Internal Response:** • Immediately activate our incident response team • Contain and assess the breach • Document all aspects of the incident • Implement remediation measures

**9.2 Regulatory Notifications:** We will report breaches to relevant supervisory authorities as required by law:

**European Union (GDPR):** • Notify relevant Data Protection Authority within 72 hours • Notification includes nature of breach, categories and number of data subjects affected, likely consequences, and measures taken

**Singapore (PDPA):** • Notify PDPC within 3 calendar days of determining the breach is notifiable • Breaches are notifiable if they result in significant harm or are of significant scale

**Japan (APPI):** • Preliminary report to PPC within 3-5 days • Final report within 30 days (60 days for cyberattacks)

**Australia (Privacy Act):** • Notify OAIC and affected individuals as soon as practicable • Applies to eligible data breaches likely to result in serious harm

**Saudi Arabia (PDPL):** • Notify SDAIA as per PDPL requirements • Include all required details about the breach

**UAE (PDPL):** • Notify UAE Data Office immediately upon becoming aware • Include description of nature, form, reasons, and potential effects

**9.3 User Notifications:** Where a breach is likely to result in a risk to your rights and freedoms, we will: • Notify you without undue delay • Provide clear description of the breach • Explain likely consequences • Describe measures we have taken or propose to take • Provide recommendations for protective actions you can take

**9.4 Contact:** If you believe your data has been compromised, contact us immediately at: security@letaria.app

We retain your personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required by law.

**10.1 Retention Periods:**

**Account Data:** • Active accounts: Retained while account is active • Inactive accounts: May be deleted after 2 years of inactivity • Deleted accounts: Data deleted within 30 days of account deletion

**Content Data (uploaded documents, generated test cases):** • Active projects: Retained while project exists • Deleted projects: Permanently deleted within 30 days • Export downloads: Available for 7 days, then deleted

**Transaction and Billing Data:** • Payment records: Retained for 7 years for tax and legal compliance • Invoices: Retained for 7 years

**Usage and Log Data:** • System logs: Retained for 90 days • Analytics data: Retained for 24 months in aggregated form • Security logs: Retained for 12 months

**Communication Records:** • Support tickets: Retained for 3 years after resolution • Marketing preferences: Retained until consent is withdrawn

**10.2 Backup Retention:** • Backups are retained for disaster recovery purposes • Deleted data is purged from backups within 90 days

**10.3 Legal Holds:** We may retain data longer if: • Required by applicable law or regulation • Subject to ongoing litigation or legal proceedings • Necessary for audit purposes • Required for fraud prevention

**10.4 Anonymization:** Where possible, we anonymize data that is no longer needed in identifiable form but may still be useful for analytics or research.

Depending on your location, you have various rights regarding your personal data. We respect and honor these rights regardless of where you are located.

**11.1 Rights Available to All Users:**

**Right of Access:** • Request a copy of your personal data • Receive information about how we process your data • Obtain a copy in a commonly used electronic format

**Right to Rectification:** • Request correction of inaccurate data • Complete incomplete data • Update outdated information

**Right to Erasure ("Right to be Forgotten"):** • Request deletion of your personal data • Subject to legal retention requirements • Does not apply where data is necessary for legal compliance

**Right to Data Portability:** • Receive your data in a structured, machine-readable format • Transfer your data to another service provider • Applies to data you provided based on consent or contract

**Right to Withdraw Consent:** • Withdraw consent at any time for processing based on consent • Does not affect lawfulness of processing before withdrawal

**Right to Object:** • Object to processing based on legitimate interests • Object to direct marketing at any time • Object to automated decision-making

**11.2 Additional Rights by Region:**

**European Union (GDPR):** • Right to restriction of processing • Right to lodge a complaint with a supervisory authority • Right not to be subject to solely automated decision-making

**Singapore (PDPA):** • Right to access and correct personal data • Right to withdraw consent • Right to be informed of purposes

**Japan (APPI):** • Right to request disclosure of retained personal data • Right to request correction, addition, or deletion • Right to request cessation of use or erasure • Right to request cessation of provision to third parties

**Australia (Privacy Act):** • Right to access personal information • Right to request correction • Right to complain to the OAIC

**Saudi Arabia (PDPL):** • Right to access personal data • Right to request correction or update • Right to request destruction • Right to data portability

**UAE (PDPL):** • Right to access personal data • Right to rectification • Right to erasure • Right to data portability

**California (CCPA/CPRA):** • Right to know what personal information is collected • Right to delete personal information • Right to opt-out of sale (we do not sell data) • Right to non-discrimination

**11.3 How to Exercise Your Rights:** To exercise any of these rights, contact us at: • Email: privacy@letaria.app • Subject line: "Privacy Rights Request - [Your Right]" • Include: Your name, email, and specific request

**Response Time:** • We will acknowledge your request within 5 business days • We will respond within 30 days (or sooner where required by law) • Complex requests may take up to 60 days with prior notice

**11.4 Verification:** We may need to verify your identity before processing your request. This helps protect your data from unauthorized access.

**12.1 Age Restrictions:** The Service is not intended for children under 18 years of age (or the age of majority in your jurisdiction). We do not knowingly collect personal information from children.

**12.2 Singapore PDPA - Advisory Guidelines on Children's Personal Data:** In accordance with Singapore's PDPC Advisory Guidelines (effective March 28, 2024): • For children aged 13-17: We present policies in age-appropriate language • Parental/guardian consent may be required for certain processing • We implement appropriate safeguards for any children's data

**12.3 Parental Rights:** If you are a parent or guardian and believe your child has provided us with personal information: • Contact us immediately at privacy@letaria.app • We will verify the claim and delete the information • We will not knowingly use or disclose child data

**12.4 Accidental Collection:** If we discover that we have collected personal information from a child under the applicable age without appropriate consent: • We will delete that information as quickly as possible • We will notify relevant authorities if required • We will implement measures to prevent future occurrences

**12.5 Educational Use:** If the Service is used in educational settings: • Educational institutions are responsible for obtaining appropriate consents • Institutions must comply with applicable student privacy laws • We offer data processing agreements for educational institutions

**13.1 AI-Powered Features:** Our Service uses artificial intelligence to: • Generate test cases from your requirements • Provide confidence scores for generated content • Suggest scenarios based on document analysis • Identify potential gaps in test coverage

**13.2 Human Oversight:** • AI-generated content is provided as suggestions only • You maintain full control over accepting, modifying, or rejecting AI outputs • Approval workflows ensure human review before content is finalized • You are responsible for reviewing all AI-generated content

**13.3 No Solely Automated Decisions with Legal Effects:** We do not make decisions based solely on automated processing that: • Produce legal effects concerning you • Similarly significantly affect you • Determine access to the Service or its features

**13.4 Your Rights:** Under GDPR Article 22, you have the right: • To not be subject to solely automated decision-making • To request human intervention • To express your point of view • To contest automated decisions

**13.5 Transparency:** • AI-generated content includes explainability features (citations, rationale) • Confidence scores indicate the AI's certainty • Assumptions are documented for transparency • You can request explanation of any AI output

We use cookies and similar technologies to enhance your experience on our Service.

**14.1 Types of Cookies We Use:**

**Essential Cookies:** • Required for the Service to function • Maintain your session and authentication • Cannot be disabled without affecting functionality

**Functional Cookies:** • Remember your preferences and settings • Enable personalized features • Improve your experience

**Analytics Cookies:** • Help us understand how you use the Service • Generate usage statistics • Identify areas for improvement

**14.2 Third-Party Cookies:** Some cookies are set by third-party services we use: • Authentication providers (Clerk) • Analytics services • Infrastructure providers

**14.3 Cookie Consent:** • Essential cookies are set automatically (necessary for Service operation) • Non-essential cookies require your consent • You can manage preferences through our cookie settings

**14.4 Browser Controls:** You can control cookies through your browser settings. Note that blocking essential cookies may impact Service functionality.

For detailed information, please refer to our Cookie Policy.

**15.1 Types of Communications:** With your consent, we may send: • Product updates and new features • Tips for using the Service effectively • Industry news and insights • Promotional offers and discounts

**15.2 Consent:** • We only send marketing communications with your explicit opt-in consent • You can provide consent during registration or at any time in your settings • Consent is not required to use the Service

**15.3 Opt-Out:** You can unsubscribe from marketing communications at any time by: • Clicking the "unsubscribe" link in any marketing email • Updating your preferences in account settings • Contacting us at marketing@letaria.app

**15.4 Transactional Communications:** Regardless of marketing preferences, we will send essential communications about: • Account security (password resets, security alerts) • Service changes that affect you • Billing and payment confirmations • Legal notices and policy updates

These are not considered marketing and cannot be opted out of while you have an active account.

**16.1 Updates:** We may update this Privacy Policy from time to time to reflect: • Changes in our data practices • New features or services • Legal or regulatory requirements • Industry best practices

**16.2 Notification of Changes:** We will notify you of material changes by: • Posting the updated policy on our website • Updating the "Last Updated" date • Sending email notification for significant changes • Displaying in-app notification where appropriate

**16.3 Review:** We encourage you to review this Privacy Policy periodically. The current version will always be available at letaria.app/privacy.

**16.4 Continued Use:** Your continued use of the Service after changes take effect constitutes acceptance of the updated Privacy Policy. If you disagree with any changes, you should stop using the Service and may request deletion of your data.

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

**General Privacy Inquiries:** Email: privacy@letaria.app

**Data Protection Officer:** Email: dpo@letaria.app

**Support:** Email: support@letaria.app

**Legal:** Email: legal@letaria.app

**Mailing Address:** Letaria Singapore

**Response Time:** We aim to respond to all privacy-related inquiries within 5 business days.

**Supervisory Authorities:** You have the right to lodge a complaint with your local data protection authority:

**Singapore:** Personal Data Protection Commission (PDPC) www.pdpc.gov.sg

**European Union:** Your local Data Protection Authority (Find yours at: edpb.europa.eu/about-edpb/board/members)

**Japan:** Personal Information Protection Commission (PPC) www.ppc.go.jp

**Australia:** Office of the Australian Information Commissioner (OAIC) www.oaic.gov.au

**Saudi Arabia:** Saudi Data & AI Authority (SDAIA) www.sdaia.gov.sa

**UAE:** UAE Data Office (Once operational - check u.ae for updates)

**United Kingdom:** Information Commissioner's Office (ICO) www.ico.org.uk