Lattice

DRAFT — Not legal advice. This document must be reviewed by a qualified attorney before publication.

Privacy Policy

Effective: May 27, 2026 · Last updated: May 27, 2026 · privacy@joinlattice.app

1. Who We Are

Lattice ("we," "us," or "our") is a campus talent and collaboration platform currently serving students and faculty at the University of Florida. We connect students with research opportunities, team roles, and collaborations through a single professional profile.

This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and your rights regarding that data. By creating an account or using Lattice, you agree to the practices described in this policy.

2. Data We Collect

Account information

  • Name, email address, and password (hashed with bcrypt — never stored in plain text)
  • University affiliation and domain (e.g., ufl.edu)
  • Role: student, professor, or admin
  • Profile details you choose to add: major, graduation year, GPA (optional and hideable), bio, skills, interests
  • Social links (LinkedIn, GitHub, portfolio) — only if you provide them
  • Profile photo — only if you upload one (max 3 MB, stored on our servers)
  • Resume — only if you upload one (private; only visible to opportunity posters you apply to)
  • Username — optional, publicly visible as part of your profile URL

Application data

  • Applications you submit: cover notes, answers to custom questions, uploaded files
  • Application status history — every status change is logged with a timestamp
  • Application materials you submit are visible only to the person who posted the opportunity
  • AI screening data — when an opportunity poster has opted in to AI screening, your written responses, resume content, major, GPA (if you have chosen to share it), and listed skills are processed by an AI model to generate a relevance score and summary for the poster. You are shown a disclosure notice before submitting to any AI-screened post. This score is never shown to you and is not the sole basis for any hiring decision. See Section 10 for full details.

Usage data

  • Pages visited and features used (to improve the product)
  • IP address and browser user-agent (for rate limiting and security)
  • Profile view counts (who viewed your profile — visible to Premium users)
  • Audit logs of significant actions: post creation, application submission, login events, username changes

Payment data

  • We use Stripe to process all payments. We do not store your card number, CVC, or full card details.
  • We store your Stripe Customer ID and a record of transactions (amount, type, date) for billing history.

Saved / bookmarked posts

  • When you bookmark (star) an opportunity, we store a record linking your account to that post along with the timestamp of when you saved it
  • Saved posts are private — other users and opportunity posters cannot see your saved list
  • Saved posts with deadlines appear in your personal deadline calendar and dashboard widget for your convenience
  • You can unsave a post at any time; the saved record is permanently deleted immediately

Communications

  • Messages you send to other users through the Lattice messaging system
  • In-platform notifications generated by the platform (application updates, team activity)
  • Emails we send you: OTP verification codes, application status updates, weekly digest (if opted in)

3. How We Use Data

Purpose | Legal basis
Providing and operating the platform | Contract (Terms of Service)
Verifying your university email address | Contract / Legitimate interest
Matching opportunities to your profile | Contract / Legitimate interest
AI-assisted screening (opt-in, disclosed to applicant before submission) | Consent / Legitimate interest
Processing payments and billing | Contract
Sending transactional emails (OTP, status updates) | Contract
Securing accounts (rate limiting, fraud detection) | Legitimate interest
Improving the product through usage analytics | Legitimate interest
Sending weekly digest emails | Consent (opt-in)
Complying with legal obligations | Legal obligation

4. Who We Share Data With

We do not sell your personal data. We share data only with:

  • Stripe — payment processing. Stripe is PCI-DSS Level 1 certified.
  • Neon — our database provider (PostgreSQL cloud). Data is stored in US data centers.
  • Vercel — our hosting provider. Server logs may include IP addresses.
  • Anthropic — when you submit an application to a post that has AI screening enabled, a portion of your application data (written responses, resume text, major, GPA if shared, skills) is sent to Anthropic's Claude API solely for the purpose of generating a relevance score for the opportunity poster. You are shown a disclosure notice before submitting to any AI-screened post. Anthropic processes this data as a data processor under our agreement with them. Your data is not used to train Anthropic's models. For Anthropic's privacy practices, see anthropic.com/privacy.
  • Other users on the platform — your public profile (name, major, skills, bio) is visible to other logged-in users. Your email is never shown publicly.
  • Opportunity posters — when you apply, the poster receives your submitted application materials and can view your profile.
  • Law enforcement — only when required by law or court order, and only to the extent required.

5. Visibility Controls

You control what others can see on Lattice:

  • GPA — you can hide your GPA from your public profile. It defaults to hidden.
  • Public profile URL — your /u/username profile is accessible without login. To restrict it, do not set a public username.
  • Resume — your resume is never publicly accessible. It is only shared with opportunity posters you explicitly apply to.
  • Profile views — you can disable profile view tracking in Settings.

6. Data Retention

  • Account data is retained for as long as your account is active.
  • Deleting your account removes your personal information within 30 days, except where we are legally required to retain records (e.g., payment records for tax purposes — retained for 7 years).
  • Application data is retained for 2 years after the application closes, then purged.
  • Audit logs are retained for 1 year for security purposes.
  • Messages are retained indefinitely while both parties have active accounts. They are deleted within 30 days of account deletion.

7. Security

  • Passwords are hashed using bcrypt (cost factor 12) — we cannot retrieve your password
  • All data in transit is encrypted via TLS (HTTPS)
  • Database is encrypted at rest
  • Rate limiting is applied to all sensitive endpoints (login, registration, OTP resend)
  • Sessions use signed, HttpOnly JWT cookies with 7-day expiry
  • File uploads are restricted by type (JPEG/PNG/WebP/PDF) and size (3 MB) and stored in isolated paths

If you discover a security vulnerability, please report it responsibly to privacy@joinlattice.app.

8. Your Rights

Depending on your location, you have the right to:

  • Access — request a copy of the personal data we hold about you
  • Correction — update incorrect data (most fields are editable in your profile)
  • Deletion — request that we delete your account and personal data
  • Portability — receive your data in a machine-readable format
  • Objection — object to processing based on legitimate interests
  • Withdraw consent — where processing is based on consent (e.g., digest emails), you may withdraw at any time from Settings

To exercise any of these rights, email privacy@joinlattice.app. We will respond within 30 days.

9. Cookies

We use the following cookies:

  • Session cookie — required for authentication. HttpOnly, Secure, SameSite=Lax. Expires after 7 days or on sign-out.
  • CSRF token — required to protect form submissions. Session-scoped.
  • Theme preference — stored in localStorage (not a cookie). No personal data.

We do not use advertising cookies or third-party tracking pixels.

10. AI and Automated Processing

Lattice offers an opt-in AI screening feature that uses Anthropic Claude to help opportunity posters triage applications. This section explains exactly how it works and your rights regarding it.

How opt-in works

  • AI screening is off by default on every post
  • Only the opportunity poster can enable it, on a per-post basis, when creating or editing a post
  • Posters can disable AI screening at any time via their post settings
  • If a post has AI screening enabled, you will see a clear disclosure notice before you submit your application
  • Screening applies to all post types: Research, Team Roles, and Collaborate

Monthly usage limits

Poster access to AI screening is subject to monthly quotas based on their subscription plan. When a poster's quota is exhausted, your application is still accepted normally without AI scoring for the remainder of that month.

What is screened

When a post has AI screening enabled and the poster has remaining quota:

  • Your written responses to application questions
  • Text extracted from your uploaded resume (if provided)
  • Your declared major and listed skills from your profile
  • Your GPA — only if you have enabled "Show GPA" in your profile settings. If GPA is hidden, it is not sent.

Your name, email, and contact details are never sent to the AI model.

What the AI produces

  • A relevance score (0–100) based on how well your responses and background match the opportunity
  • A tier classification: Strong Fit, Possible, or Low Fit
  • A one-sentence summary visible only to the opportunity poster
  • Sub-scores for response relevance, response effort, and resume relevance

What the AI score does NOT do

  • The AI score is a sorting and triage tool only — it does not make or recommend hiring decisions
  • The score is never shown to the applicant
  • Posters remain fully responsible for all acceptance or rejection decisions
  • The AI does not access any data beyond what you explicitly submit in your application

Your right to opt out

If a post has AI screening enabled and you do not wish your application to be AI-processed, you may choose not to apply to that post. If you have concerns, contact us at privacy@joinlattice.app before submitting.

Data minimization and retention

  • Only the minimum data necessary to score the application is sent to Anthropic
  • Resume text is truncated to 3,000 characters before transmission
  • The AI score, tier, and summary are stored alongside your application and deleted per our standard retention period (2 years after the application closes)
  • Anthropic does not retain your data beyond the duration of the API request under our data processing agreement

11. Policy Changes

We may update this policy as the product evolves. We will notify you of material changes via email or an in-app notification at least 14 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of Lattice after changes take effect constitutes acceptance of the updated policy.

12. Contact

For any privacy-related questions, requests, or concerns, contact us at: privacy@joinlattice.app

Lattice — University of Florida Campus Platform