Introduction
This Privacy Notice describes how Lette ("Lette", "we", "us", or "our"), an AI-native platform helping institutional residential property operators automate leasing, maintenance, tenant operations, and back-office workflows through agentic AI and integrated property management systems, collects, uses, discloses, and protects personal information when you use our website at https://lette.ai and related online services.
This notice applies to personal information we process in connection with our public websites, marketing activities, sales outreach, events, and other interactions with individuals outside our organisation (collectively, the "Services"). It is intended for customers, prospective customers, end-users of our Services, visitors to our websites, and other external individuals whose personal information we may process.
This document is a general description of our privacy practices. Specific agreements with customers or other parties may contain additional terms that govern the processing of personal information in those contexts. If there is a conflict between this notice and a specific agreement, the agreement usually controls for the relevant relationship.
2. Scope and Roles
This Privacy Notice covers personal information processed by Lette in the following capacities:
As a data controller for personal information we collect and decide how and why to process, such as information about website visitors, prospects, business contacts, and our own customers' representatives.
As a data processor when we process personal information on behalf of our customers in connection with their use of our platform to support leasing, maintenance, tenant operations, and back-office workflows.
When we act as a processor for our customers, our processing of personal information is governed primarily by our contracts with those customers and their own privacy notices. In those cases, you should review the relevant customer's privacy notice for details about how your personal information is handled, and you should usually contact them to exercise your privacy rights.
3. What Data We Collect and Why
Website and contact details
Data elements: Name, business email, business phone, job title, company, message content.
Source: You, via forms on https://lette.ai, demo bookings, subscriptions, or direct contact.
Purpose: Responding to requests, scheduling demos, managing relationships, providing information about Services.
Lawful basis (GDPR): Contract performance (Art. 6(1)(b)); legitimate interests (Art. 6(1)(f)).
Account and usage information
Data elements: Account identifiers, login details, role/permissions, settings, feature usage, support interactions.
Source: You or your organisation when using Services or support.
Purpose: Providing and securing Services, enabling features, troubleshooting, user support, improvement.
Lawful basis (GDPR): Contract performance (Art. 6(1)(b)); legitimate interests (Art. 6(1)(f)).
Customer PII (processed on behalf of customers)
Data elements: Tenant/prospective tenant contact details, lease information, maintenance requests, communication history.
Source: Institutional residential property operator customers and authorised users.
Purpose: Operating the AI platform and integrated workflows per customer instructions.
Lawful basis (GDPR): Lawful basis determined by customer as controller; Lette acts as processor under Art. 28 GDPR.
Technical and device information
Data elements: IP address, browser type/version, OS, device identifiers, location inferred from IP, pages viewed, timestamps, clickstream/log data.
Source: Collected automatically via log files, cookies, and similar technologies.
Purpose: Operating and securing websites/Services, performance measurement, abuse detection, usage analysis.
Lawful basis (GDPR): Legitimate interests (Art. 6(1)(f)); consent (Art. 6(1)(a)) for non-essential cookies.
Marketing and events information
Data elements: Contact details, company/role, communication preferences, email/campaign interactions, event registrations.
Source: You, via sign-ups; business partners; publicly available sources where permitted.
Purpose: Sending updates, managing event registrations, understanding communication effectiveness.
Lawful basis (GDPR): Consent (Art. 6(1)(a)) where required; legitimate interests (Art. 6(1)(f)) in B2B context.
4. How We Use Personal Information
We use personal information for the following purposes, in line with Section 3 above and applicable law:
Providing and operating the Services, including delivering our AI-native platform and integrated workflows to institutional residential property operators and their authorised users.
Managing customer accounts and relationships, including onboarding, contract administration, billing, and customer support.
Improving, maintaining, and securing our Services and underlying infrastructure, including monitoring performance, troubleshooting issues, and developing new features and functionalities.
Enabling AI and automation capabilities within our platform, such as automating leasing, maintenance, tenant operations, and back-office workflows, in line with customer configuration and instructions.
Communicating with you, including responding to enquiries, providing technical or operational notices, and sending administrative messages related to the Services.
Conducting analytics, research, and service enhancement activities (for example, understanding how our platform is used, measuring engagement, and identifying opportunities to improve user experience), using de-identified or aggregated information where appropriate.
Sending marketing and promotional communications about our Services, events, or related offerings, where permitted by law and according to your communication preferences. You can opt out of marketing communications at any time by following the unsubscribe link in emails or contacting us.
Complying with legal and regulatory obligations, responding to lawful requests from public authorities, and establishing, exercising, or defending legal claims.
Protecting the security, integrity, and availability of our systems, Services, and users, including detecting, preventing, and investigating security incidents, fraud, or other misuse.
5. Legal Bases for Processing (GDPR and UK GDPR)
When the GDPR or UK GDPR applies, we rely on one or more of the following legal bases to process personal information as controller:
Performance of a contract (Article 6(1)(b)): When processing is needed to provide the Services or perform our contractual obligations to you or the organisation you represent.
Legitimate interests (Article 6(1)(f)): When processing supports our legitimate business interests or those of a third party, and those interests are not overridden by your interests or fundamental rights and freedoms. This includes securing and improving our Services and communicating with you in a business-to-business context.
Consent (Article 6(1)(a)): When you give consent for a specific purpose, such as certain marketing activities or the use of non-essential cookies where required by law. You can withdraw your consent at any time as described in this notice.
Legal obligation (Article 6(1)(c)): When processing is needed to comply with a legal or regulatory obligation.
When we act as a processor for our customers, they are responsible for identifying and communicating the appropriate legal bases for processing the personal information they control.
6. How We Share Personal Information
We share personal information only as needed for the purposes described in this notice and in line with applicable law:
Customers and their authorised users: When we process personal information on behalf of institutional residential property operators, we share relevant data with those customers and their designated users, according to their configuration and instructions.
Service providers: Carefully selected third parties that provide services like cloud infrastructure, data storage, analytics, communications tooling, and customer support. These providers act under contract, can only use personal information to provide services to us, and are required to protect it appropriately.
Professional advisors: Legal, accounting, or other professional advisors when needed to support our business, subject to confidentiality obligations.
Business transfers: Relevant third parties in connection with a merger, acquisition, reorganisation, financing, or sale of all or part of our business or assets, subject to appropriate safeguards and applicable law.
Legal and regulatory authorities: Government authorities, regulators, courts, or law enforcement agencies where we are required or allowed to do so by law or legal process, or to protect our rights, property, or safety or that of others.
We do not sell personal information as that term is defined under the California Consumer Privacy Act (CCPA) or other applicable privacy laws, and we do not share personal information for cross-context behavioural advertising in a way that requires a specific opt-out mechanism, except as disclosed and in line with applicable law.
7. International Data Transfers
We process personal information primarily using infrastructure hosted on Amazon Web Services (AWS) in the EU West 1 (Ireland) region. We may also use Google Cloud Platform (GCP) for certain processing activities within the European Union.
Personal information may be stored and processed in any jurisdiction where we or our service providers maintain facilities. When personal information is transferred from the European Economic Area (EEA), the United Kingdom, or Switzerland to countries that do not provide an equivalent level of data protection, we rely on appropriate safeguards, such as the European Commission's Standard Contractual Clauses (SCCs), the UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs, or other lawful transfer mechanisms under the GDPR and UK GDPR.
You can contact our Data Protection Officer for more information about these safeguards where required by law.
8. Data Security
We use technical and organisational measures designed to protect personal information against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures take into account the nature of our Services, the types of personal information we handle (including customer PII), and the risks associated with our processing activities.
Examples include access controls, encryption or pseudonymisation where appropriate, logging and monitoring, secure development and deployment practices for our AWS and GCP environments, and protections applied to our use of business tools such as Google Workspace, Linear, GitHub, Figma, Notion, and Slack.
No system or method of transmission over the internet or electronic storage is completely secure, so we cannot guarantee absolute security of personal information.
9. Data Retention
We keep personal information only for as long as needed to fulfil the purposes described in this Privacy Notice, or for longer if required or allowed by law, including to meet legal, regulatory, tax, accounting, or reporting obligations.
When deciding how long to keep data, we consider the amount, nature, and sensitivity of the personal information, the risk of harm from unauthorised use or disclosure, the purposes for which we process it and whether we can achieve those purposes in other ways, and applicable legal requirements.
When we act as processor, we retain customer PII in line with our agreements with customers and their instructions. We delete or return such data at the end of the services or as those agreements require, subject to any legal obligations to retain certain data.
10. Your Privacy Rights
10.1 Rights under GDPR and UK GDPR
When the GDPR or UK GDPR applies, you have the following rights in relation to your personal information, subject to conditions and limitations in those laws:
Access: You have the right to request access to personal information we hold about you and to get information about how we use it.
Rectification: You have the right to ask us to correct inaccurate or incomplete personal information about you.
Erasure: You have the right to ask us to delete your personal information in certain situations (for example, when we no longer need it or when you withdraw consent and there is no other legal basis).
Restriction: You have the right to ask us to restrict the processing of your personal information in certain circumstances.
Portability: You have the right to ask us to provide certain personal information to you or to a third party in a structured, commonly used, machine-readable format, where technically feasible and required by law.
Objection: You have the right to object to certain types of processing, including processing based on our legitimate interests and processing for direct marketing. If you object to marketing, we stop using your personal information for that purpose.
If you are in the EEA, you have the right to lodge a complaint with your local data protection authority. If you are in the United Kingdom, you may lodge a complaint with the Information Commissioner's Office (ICO) at https://ico.org.uk. If you are in Switzerland, you may contact the Federal Data Protection and Information Commissioner (FDPIC). We encourage you to contact us first so we can try to resolve your concerns.
We aim to respond to data subject access requests and other rights requests within 30 days of receipt. This period may be extended by up to two further months where requests are complex or numerous, in which case we will inform you of the extension and the reasons for it.
10.2 Rights under U.S. State Privacy Laws (Including CCPA/CPRA)
If you are a resident of California or another U.S. state with applicable consumer privacy legislation, you may have additional rights depending on your state of residence, including the right to know what personal information we collect and how we use it, the right to request deletion of your personal information, and the right to opt out of the sale or sharing of your personal information (though we do not sell personal information). To exercise these rights, contact us using the details in Section 16 below.
10.3 Processor Relationships
When we process personal information as a processor for our customers, you should usually contact the relevant customer (for example, the institutional residential property operator that manages your tenancy) to exercise your rights. We support our customers in responding to such requests as required by our agreements and applicable law.
11. Children's Privacy
Our website and Services are designed for institutional residential property operators and other business users. They are not directed to children, and we do not knowingly collect personal information from children in our role as controller. If you believe we have collected personal information from a child in a way that is not allowed by law, contact us so we can review and address the situation.
12. Cookies and Similar Technologies
We use cookies, web beacons, and similar technologies to collect information about how you use https://lette.ai, to help the site function, to improve performance, and to support security features.
Where law requires it (including under the ePrivacy Directive and UK PECR), we obtain your consent before placing non-essential cookies or similar technologies on your device. You can manage your cookie preferences through the cookie consent tool on our website, or through your browser settings.
We maintain a separate Cookie Policy, accessible from our website, which provides details on the specific cookies we use, their purposes, durations, and whether they are first-party or third-party. If you disable certain cookies, parts of the website or Services may not work as intended.
13. Third-Party Links and Services
Our website or Services may include links to third-party websites, services, or applications that we do not operate or control. This may include integrations with third-party tools or property management systems used by our customers. This Privacy Notice does not apply to those third-party properties, and we are not responsible for how they handle personal information. You should review the privacy notices of any third-party services you access or use.
14. How We Use AI and Automation in Our Services
Lette is an AI-native platform that uses agentic AI and automation to help institutional residential property operators manage leasing, maintenance, tenant operations, and back-office workflows. Our Services may use automated processing of data provided by or on behalf of our customers to help route requests, generate responses, analyse operational data, and support decision-making.
Lette's AI features function as a co-worker and assistive tool. Our AI does not make autonomous decisions that produce legal effects or similarly significant effects on individuals within the meaning of Article 22 of the GDPR or UK GDPR. All decisions with material impact on tenants or other individuals remain subject to human oversight and review by our customers and their authorised users. Accordingly, the automated decision-making provisions of Article 22 GDPR do not apply to Lette's current Services.
When we process personal information using AI or automation on behalf of customers, we follow their configuration and instructions and our contractual obligations. Customers are responsible for making sure their use of our AI-enabled Services complies with applicable laws, including providing appropriate notices and obtaining any required consents from individuals whose personal information is processed.
15. Changes to This Notice
We may update this Privacy Notice from time to time to reflect changes in our practices, Services, or applicable law. When we make material changes, we will notify you by posting the updated notice on our website with a revised "Last Updated" date. Where required by law, we will provide additional notice (such as by email) or seek your consent before changes take effect.
We encourage you to review this notice periodically to stay informed about how we protect your personal information.
16. Data Protection Officer
We have appointed a Data Protection Officer (DPO) to oversee our data protection practices and ensure compliance with the GDPR, UK GDPR, and other applicable data protection laws.
Data Protection Officer: Jakub Rajek
Email: jakub@lette.ai
You may contact the DPO for any questions about this Privacy Notice, our data protection practices, or to exercise your privacy rights.
17. Contact
If you have questions about this Privacy Notice, want more information about our data protection practices, or want to exercise your privacy rights, you can contact us:
General enquiries: info@lette.ai
Data protection matters: jakub@lette.ai
Website: https://lette.ai
When you contact us, include enough information for us to understand your question or request and, where relevant, to identify you. We may ask for additional information to confirm your identity before we act on certain requests, as allowed by law.
