
Privacy Policy

Last updated: 2026-03-26

1. Introduction

At Lastribe, your privacy is not an afterthought — it is a founding principle. This Privacy Policy explains how EnableUnion SASU ("Lastribe", "we", "us", "our") collects, uses, stores, and protects your personal data when you use our website, mobile application, and related services (the "Service").

We are committed to full compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the French Loi Informatique et Libertés (Law No. 78-17), and all applicable European data protection laws.

This policy applies to all users of the Lastribe website (www.lastribe.eu), our mobile application (iOS and Android), and any related services we operate.

2. Data Controller

EnableUnion SASU

France, European Union

Data Protection Contact: privacy@lastribe.eu

General Contact: support@lastribe.eu

3. Data Protection Officer (DPO) Statement

Under GDPR Article 37, a Data Protection Officer (DPO) appointment is mandatory when an organization’s core activities involve large-scale processing of special categories of data or large-scale regular and systematic monitoring of individuals. As a small company (fewer than 250 employees) that does not process special category data at scale, we are not required to appoint a DPO.

All data protection inquiries are handled by our data protection contact: privacy@lastribe.eu.

We maintain the same level of accountability, documentation, and responsiveness as if a DPO were formally appointed.

4. Data We Collect

4.1 Waitlist Data (Pre-Launch)

During the pre-launch phase, we collect only:

  • Email address
  • Preferred language

Nothing else. No tracking, no cookies, no analytics.

4.2 Account Data

  • Email address
  • Password (stored as a salted one-way hash — never in plaintext)
  • Display name
  • Date of birth (for age verification — 18+ only)
  • Preferred language (English or French)

4.3 Profile Data (Optional)

  • Profile photo
  • Bio / personal description
  • City or region (city-level only — never precise GPS outside events)
  • Household information
  • Skills and interests

4.4 Preparedness Data

  • Inventory items (name, quantity, category, expiry date)
  • PrepScore data (composite preparedness score)
  • Course progress and quiz results
  • Event participation and evidence submissions (photos, videos, GPS coordinates, checklists)
  • Badges earned and experience points (XP)

4.5 Community Data

  • Messages within Tribes (private community groups)
  • Posts and comments
  • Membership status and role information

4.6 Payment Data

All payment processing is handled by Stripe. We do NOT store your card numbers, CVC codes, or banking details on our servers.

We receive from Stripe:

  • Stripe customer ID
  • Subscription status and plan details
  • Payment history (amounts, dates, status)
  • Card last four digits and brand (for display purposes only)

4.7 Technical & Usage Data

  • Device type and operating system
  • App version
  • Browser type (web only)
  • IP address (truncated and anonymized)
  • Feature usage patterns
  • Crash reports and error data
  • Push notification interaction data

5. How We Collect Data

We collect data through three channels:

  • Directly from you: When you register an account, fill in your profile, manage inventory, complete courses, participate in events, or interact with the community.
  • Automatically: Through PostHog analytics (EU-hosted, Frankfurt), Sentry error tracking, and server access logs.
  • From third parties: Stripe provides payment status information only. We do not purchase data from data brokers. We do not use social login providers.

6. Legal Bases for Processing (GDPR Art. 6)

Purpose | Legal Basis
Account creation & authentication | Contract performance (Art. 6(1)(b))
Service features (PrepScore, inventory, courses, events) | Contract performance (Art. 6(1)(b))
Payment processing & subscriptions | Contract performance (Art. 6(1)(b))
Waitlist registration | Consent (Art. 6(1)(a))
Push notifications | Consent (Art. 6(1)(a))
Product analytics & improvement | Legitimate interest (Art. 6(1)(f))
Error monitoring & security | Legitimate interest (Art. 6(1)(f))
AI model improvement (anonymized feedback) | Legitimate interest (Art. 6(1)(f))
Legal obligations (fraud prevention, tax records) | Legal obligation (Art. 6(1)(c))
Age verification (18+) | Legal obligation (Art. 6(1)(c))

7. Legitimate Interest Details (Art. 13(1)(d))

Where we rely on legitimate interest as the legal basis for processing, the specific interests are:

  • Product analytics: Understand feature adoption patterns to improve the Service and prioritize development. We use PostHog (EU-hosted, Frankfurt) with anonymized data.
  • Error monitoring: Detect and fix bugs, crashes, and performance issues to maintain service quality. We use Sentry with truncated IP addresses.
  • Security: Prevent fraud, abuse, unauthorized access, and protect platform integrity.
  • AI model improvement: Improve accuracy of news classification and risk scoring using anonymized, aggregated user feedback (votes, corrections). Individual users are never identifiable in training data.

We have conducted balancing tests for each legitimate interest to ensure our interests do not override your fundamental rights and freedoms. You may request documentation of these assessments by contacting privacy@lastribe.eu. You may object to any legitimate-interest processing at any time (see Section 14).

8. How We Use Your Data

We use the data we collect to:

  • Create and manage your account
  • Provide, operate, and improve the Service features
  • Compute your PrepScore and award badges/XP
  • Process payments and manage subscriptions
  • Send transactional emails (account verification, password reset, subscription updates)
  • Deliver push notifications (with your consent)
  • Monitor, diagnose, and fix technical issues
  • Analyze usage patterns to improve the product
  • Detect and prevent fraud or misuse
  • Comply with legal obligations

We do NOT:

  • Sell your data to anyone, ever
  • Use your data for targeted advertising or ad profiling
  • Share your data with data brokers
  • Use your preparedness data for automated decisions with legal or similarly significant effects

9. Data Sharing & Third Parties

We share data only with the following service providers, all bound by Data Processing Agreements (DPAs):

Provider | Purpose | Data Shared | Location | DPA
Stripe | Payments | Email, payment method, billing | EU (Ireland) | Yes
Resend | Transactional emails | Email, name | EU-compliant | Yes
PostHog | Product analytics | Anonymized usage, device info | EU (Frankfurt) | Yes
Sentry | Error monitoring | Error reports, device info, IP (truncated) | EU-compliant | Yes
Expo (EAS) | Push notifications | Push token, device ID | US (SCCs) | Yes

For US-based providers (Expo), we rely on Standard Contractual Clauses (SCCs) approved by the European Commission to ensure adequate data protection.

We may also disclose your data if required by law, court order, or to protect the rights, safety, or property of Lastribe, our users, or the public.

10. Sub-Processor List

Sub-Processor | Purpose | Location | Transfer Mechanism | DPA Link
Stripe, Inc. | Payment processing | Ireland (EU) | N/A (EU) | stripe.com/legal/dpa
Resend, Inc. | Email delivery | EU-compliant | SCCs | resend.com/legal/dpa
PostHog, Inc. | Product analytics | Frankfurt, DE (EU) | N/A (EU) | posthog.com/docs/privacy
Functional Software (Sentry) | Error monitoring | EU-compliant | SCCs | sentry.io/legal/dpa
Expo (EAS) | Push notifications | US | SCCs | expo.dev/privacy

We will update this list if sub-processors change and notify you of any material changes.

11. International Data Transfers

  • Primary storage: France, European Union
  • EU-based providers (Stripe Ireland, PostHog Frankfurt): No additional transfer mechanism needed
  • US-based providers (Expo): Protected by Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by technical measures including encryption in transit and at rest
  • No data is transferred to countries without adequate data protection unless proper safeguards are in place as required by GDPR Chapter V

12. Data Retention

Data Category | Retention Period
Waitlist email | Until launch notification sent or removal requested
Account & profile data | Duration of account + 30 days after deletion
Preparedness data | Duration of account + 30 days after deletion
Community messages & posts | Anonymized on account deletion, retained for community continuity
Payment records | 10 years (French tax law requirement)
Analytics data | 26 months, anonymized after
Error logs & crash reports | 90 days
Server access logs | 12 months (French legal requirement)
AI training data | Anonymized and aggregated, not linked to individual accounts

When you delete your account, all personal data is removed within 30 days, except where a longer retention period is required by law (e.g., payment records for tax compliance).

13. Automated Decision-Making & Profiling (Art. 22)

We use automated processing in the following features:

  • PrepScore computation: Calculated from your inventory, event participation, course completion, and community activity. This is an informational metric only — it does not affect your access to features or any legal rights.
  • Badge awarding & XP: Automatically awarded based on your activities within the platform. This is a gamification element only.
  • AI news classification: Automated categorization, relevance scoring, and summary generation for the Risk Radar feature. Outputs are approximations subject to human review by our admin team.
  • Content moderation assistance: AI may flag content for human review. No content is automatically removed by AI alone.

None of these automated processes produce legal effects or similarly significant effects on you. You have the right to:

  • Request human review of any automated decision
  • Express your point of view
  • Contest the outcome

Contact privacy@lastribe.eu for any concerns.

14. Your Rights Under GDPR

As a data subject under the GDPR, you have the following rights:

14.1 Right of Access (Art. 15)

You can request a copy of all personal data we hold about you, along with information about how we process it. You can export your data directly from account settings in the app or by emailing us.

14.2 Right to Rectification (Art. 16)

You can request correction of inaccurate or incomplete personal data. Most profile information is editable directly in your account settings.

14.3 Right to Erasure (Art. 17)

You can delete your account from the app settings, which triggers automatic deletion of your personal data. Some data may be retained where legally required (see Section 12).

14.4 Right to Restriction of Processing (Art. 18)

You can request that we restrict processing of your data while we verify its accuracy or assess an objection you have raised.

14.5 Right to Data Portability (Art. 20)

You can receive your personal data in a structured, commonly used, and machine-readable format (JSON). Data export is available directly from your account settings or upon request.

14.6 Right to Object (Art. 21)

You can object to processing based on legitimate interest (analytics, AI model improvement). We will cease processing unless we demonstrate compelling legitimate grounds that override your rights.

14.7 Right to Withdraw Consent (Art. 7(3))

Where processing is based on consent (waitlist registration, push notifications), you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

14.8 Right Regarding Automated Decision-Making (Art. 22)

We do not make automated decisions that produce legal or similarly significant effects on you (see Section 13). You have the right to request human review of any automated processing.

15. How to Exercise Your Rights

  • Via the app: Account Settings → Privacy → export your data (JSON format) or delete your account
  • Via email: privacy@lastribe.eu — include your account email and clearly describe your request
  • Identity verification: We may ask you to verify your identity before processing requests to prevent unauthorized access to your data
  • Response timeline: We respond within 30 days. For complex requests, we may extend to 60 days with written notice explaining the reason for the delay (Art. 12(3))
  • Cost: All requests are free of charge, unless manifestly unfounded or excessive
  • Format: Data exports are provided in JSON (structured, machine-readable format)

16. Data Security

We implement comprehensive technical and organizational measures to protect your data:

  • Encryption in transit: TLS 1.2+ (HTTPS) for all communications
  • Encryption at rest: Database-level encryption; passwords hashed using bcrypt/argon2
  • Access control: Role-based access with least-privilege principle; separate admin authentication system
  • Infrastructure: Servers located in France with firewalls, automated security updates, and intrusion monitoring
  • Input validation: All user input is validated and sanitized against injection attacks
  • Regular backups: Automated encrypted backups with tested restore procedures
  • Breach response: We notify the CNIL within 72 hours and affected users without undue delay in the event of a data breach (Art. 33–34)

17. Data Breach Notification (Art. 33–34)

In the event of a personal data breach:

  1. Assessment: We assess the breach within 24 hours of discovery
  2. Authority notification: If the breach is likely to result in a risk to your rights and freedoms, we notify the CNIL within 72 hours (Art. 33)
  3. User notification: If the breach is likely to result in a high risk to your rights and freedoms, we notify you without undue delay via email (Art. 34), describing: the nature of the breach, likely consequences, measures taken or proposed, and our contact point
  4. Documentation: All breaches are documented in our internal breach register, regardless of severity
  5. Remediation: We take immediate measures to contain and remedy the breach and prevent recurrence

18. Privacy by Design & Data Minimization (Art. 25)

Data protection is embedded in Lastribe’s architecture from the ground up:

  • EU-first infrastructure: All primary data stored in France
  • City-level location: We never store precise GPS coordinates as part of your profile
  • Self-hosted AI: Models run on our own EU servers — no data is sent to external AI providers
  • Minimal data collection: We only collect data necessary for each feature to function
  • Privacy defaults: The most privacy-protective settings are applied by default
  • Anonymization: Analytics and AI training data are anonymized before processing

19. Record of Processing Activities (Art. 30)

We maintain a Record of Processing Activities (ROPA) as required by GDPR Article 30. This internal document describes all processing activities, their purposes, legal bases, categories of data subjects, and data flows. It is available to the CNIL upon request.

20. Data Protection Impact Assessment (DPIA)

Given that the Service processes location data and uses AI-based features, we recognize the potential requirement for Data Protection Impact Assessments under GDPR Article 35 and CNIL guidelines. DPIAs covering location data processing and AI model usage will be completed before the public launch of the Service. Results will inform our data protection measures and will be available to the CNIL upon request.

21. Cookies & Tracking

21.1 Landing Page (Pre-Launch)

Our landing page uses NO cookies, tracking pixels, or analytics. Zero data is collected from your visit unless you voluntarily submit the waitlist form.

21.2 Web Application (Post-Launch)

  • Essential cookies: Session authentication via Better Auth. Cookie name: better-auth.session_token. Duration: session-based, auto-extending on activity. Strictly necessary — no consent required under ePrivacy Directive Article 5(3).
  • Analytics (PostHog): EU-hosted (Frankfurt), IP anonymization enabled. You can opt out from your account settings.
  • We do NOT use: advertising cookies, social media trackers, Google Analytics, Facebook Pixel, or any ad network scripts.

21.3 Mobile Application

The mobile app does not use browser cookies. Authentication is managed via Bearer token stored in your device’s secure storage (SecureStore). PostHog analytics (EU-hosted, anonymized) are used for product improvement. You can opt out from the app settings.

22. Photo & Video Evidence

When you submit evidence for preparedness events:

  • Who can see: Only Lastribe administrators and event organizers, for verification purposes
  • Storage: EU infrastructure (France)
  • Retention: Stored for the duration of your account + 30 days. Deleted upon account deletion.
  • AI processing: Evidence may be checked for format validity. No facial recognition or biometric analysis is performed.
  • GPS metadata: If you submit GPS evidence, coordinates are stored only for that specific event verification and are not added to your profile.

23. Special Categories of Data (Art. 9)

Lastribe does not collect or process:

  • Biometric data (no facial recognition, fingerprint analysis, or voice patterns)
  • Health or medical data
  • Racial or ethnic origin data
  • Political opinions, religious beliefs, or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Sexual orientation data

The Service is focused on practical preparedness (inventory, skills, community coordination) and does not require or process any special category data as defined in GDPR Article 9.

24. Offline Mode & Cached Data

The Service includes an offline crisis mode that caches data locally on your device:

  • What is cached: Your inventory items, household info, emergency contacts, and relevant preparedness data
  • Security: Cached data is protected by your device’s OS-level encryption
  • Freshness: Cached data may become outdated; the app displays the last sync timestamp
  • Deletion: Cached data is removed when you log out, delete your account, or uninstall the app
  • No server access: In offline mode, no data is transmitted to or from our servers

25. Community Content Visibility

When you participate in Tribes (community groups):

  • Tribe members can see: your display name, city, PrepScore summary, skills, and messages you post in that Tribe
  • Tribe leaders additionally see: join date, activity level, and role within the Tribe
  • Administrators (Lastribe team) can access: all community content for moderation and safety purposes
  • The public cannot see: your Tribe membership, messages, or community activity. All community features require authentication.
  • After leaving a Tribe: your personal data is removed from the Tribe. Messages may be anonymized and retained for community continuity.

26. Push Notifications

  • Types: Event reminders, badge awards, community updates, inventory expiry alerts, system announcements
  • Consent: Push notifications require your explicit opt-in via your device’s permission system
  • Granularity: You can enable or disable notification categories individually from the app settings
  • Withdrawal: Disable notifications at any time via device settings (iOS: Settings → Notifications → Lastribe; Android: Settings → Apps → Lastribe → Notifications) or within the app settings
  • Data: Only your push token (device identifier) is stored. No notification content is logged on our servers.

27. Location Data

  • Profile: City-level only — never precise GPS coordinates
  • Event evidence: Voluntary GPS submission with your explicit consent at the time of submission
  • Tribe proximity: City-level calculation for geographic matching — not real-time GPS tracking
  • No continuous tracking: Your location is never continuously tracked
  • No sharing without consent: Location data is never shared with third parties without your explicit consent
  • Never sold: Location data is never sold, ever

28. Children & Age Restrictions

Lastribe is intended exclusively for users aged 18 years and older. We do not knowingly collect personal data from anyone under 18.

If we discover that a user is under 18, we will promptly delete their account and all associated data. If you believe we may have collected data from a minor, please contact us at privacy@lastribe.eu.

29. AI & Automated Processing

  • Self-hosted within the EU: All AI models run on our own servers using Ollama — no data is sent to external AI providers (OpenAI, Google, etc.)
  • Content processing, not personal data: AI processes content data (news articles, risk assessments), not your personal user data
  • No legal effects: AI outputs are informational and do not produce legal or similarly significant effects on users
  • Admin oversight: All AI behavior is fully controlled and auditable by our admin team
  • Training data: Uses anonymized, aggregated user feedback (votes, corrections). No individual user is identifiable in training data.
  • Opt-out: Email privacy@lastribe.eu to exclude your feedback from AI training data

30. Changes to This Policy

We may update this Privacy Policy from time to time. When we make changes:

  • The "Last updated" date at the top of this page will be revised
  • For material changes, we will notify you by email at least 15 days before the changes take effect
  • Where required by law, we will seek new consent before applying changes that affect the legal basis of processing
  • Continued use of the Service after the effective date constitutes acceptance of the updated policy

31. Supervisory Authority

If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority:

CNIL (Commission Nationale de l’Informatique et des Libertés)

3 Place de Fontenoy, TSA 80715

75334 Paris Cedex 07, France

Website: www.cnil.fr

We encourage you to contact us first at privacy@lastribe.eu so we can attempt to resolve your concern directly.

32. Contact

EnableUnion SASU

France, European Union

Privacy inquiries: privacy@lastribe.eu

General support: support@lastribe.eu

Website: www.lastribe.eu