uselatch

Cookie Policy

This policy explains how Latch uses cookies and similar technologies when you visit our website or use our platform. We believe in full transparency about the data we store on your device.

Last updated: 13 May 2026

What Are Cookies and Similar Technologies

Cookies are small text files placed on your device by a website when you visit it. They are widely used to make websites work efficiently, to provide information to site operators, and to improve your browsing experience.

In addition to cookies, modern web applications may use other browser storage mechanisms:

  • Local Storage: Persistent data stored in your browser that remains until explicitly cleared. Used for preferences and settings that should survive between sessions
  • Session Storage: Temporary data stored in your browser that is automatically cleared when you close the browser tab. Used for short-lived session information

This policy covers all of these technologies. We categorise them as follows:

  • Strictly Necessary: Required for the platform to function. Without these, core features such as authentication and account management will not work. Under the Privacy and Electronic Communications Regulations 2003 (PECR), these do not require consent. This category also covers data we are required to set under HMRC’s mandatory fraud-prevention header specification for Making Tax Digital software: an MTD submission cannot be made without those headers, so we rely on the PECR Regulation 6(4)(b) exemption for storage that is strictly necessary to provide the service you have requested.
  • Functional: Enable enhanced functionality and personalisation, such as remembering your display preferences or onboarding progress. The platform will function without them, but your experience may be degraded.

We do not currently set any non-essential cookies. Latch does not use marketing, advertising, or third-party analytics cookies. The only third-party cookies that may be set on your device come from features you actively use (Stripe for payments, Plaid for bank linking, Google/Microsoft/HMRC for OAuth flows), and they are limited to security and session purposes for those specific flows. Our own analytics uses no cookies; the identifiers it relies on live in browser storage and are described under “Local Storage and Session Storage” and “Analytics and Performance Monitoring” below.

Cookies We Set

The following cookies are set directly by Latch (first-party cookies). All are classified as strictly necessary for the operation of the Service.

Cookie | Purpose | Expiry | Category
sb-*-auth-token | Authentication session token set by Supabase. Maintains your logged-in session and carries your session credentials. Required for the Service to function. | Session (auto-refreshed) | Strictly Necessary
sb-*-auth-token-code-verifier | PKCE (Proof Key for Code Exchange) code verifier used during the authentication flow to prevent authorisation code interception attacks. | Short-lived (authentication flow only) | Strictly Necessary
cookie-consent | Records that you have acknowledged the cookie banner so we do not display it again. | 365 days | Strictly Necessary
active_account_id | Identifies which account is currently active for users who belong to multiple accounts (multi-tenancy). | Session | Strictly Necessary
viewing_as_member_id | Used by account administrators to view the platform as a specific team member for support and troubleshooting purposes. | Session | Strictly Necessary
site_password | Used only when the site is in a restricted-access (locked) state. Stores the access password to avoid repeated entry. | Session | Strictly Necessary
hmrc_state | Stores a randomly generated state parameter during the HMRC OAuth authorisation flow to prevent cross-site request forgery (CSRF) attacks. Set when you initiate an HMRC connection and automatically deleted after authorisation completes. | 10 minutes | Strictly Necessary
hmrc_code_verifier | Stores the PKCE (Proof Key for Code Exchange) code verifier during the HMRC OAuth authorisation flow to prevent authorisation code interception. Set when you initiate an HMRC connection and automatically deleted after authorisation completes. | 10 minutes | Strictly Necessary
hmrc_owner_profile_id | Stores the selected owner-profile identifier across the HMRC OAuth redirect so the resulting HMRC connection is bound to the correct co-ownership profile after callback. Set only when an owner-profile ID is passed to the connect endpoint, and automatically deleted on callback. | 10 minutes | Strictly Necessary

Third-Party Cookies

Certain features of the Service rely on third-party providers that may set their own cookies on your device. These cookies are governed by the respective provider's privacy and cookie policies, not ours. They are only activated when you use the relevant feature.

Payment Processing (Stripe)

When you make a payment or manage your subscription, Stripe may set cookies for fraud detection and payment security. These are necessary for Stripe to process card payments securely and to detect fraudulent activity.

Cookie | Purpose | Provider
__stripe_sid | Session identifier used by Stripe for fraud prevention during payment processing. | Stripe, Inc.
__stripe_mid | Device identifier used by Stripe to detect fraudulent payment activity across sessions. | Stripe, Inc.

For more information, see Stripe's Privacy Policy.

Bank Account Linking (Plaid)

When you connect a bank account through our Open Banking integration, Plaid Inc. (a United States company that provides our Open Banking connectivity) sets session cookies on its own domain during the Plaid Link flow. These cookies are necessary for secure bank account connectivity, are scoped to the Plaid Link session only, and are not accessible to Latch. For more information, see Plaid's legal centre.

Google Services (OAuth)

If you connect your Gmail or Google Calendar account to Latch, Google may set authentication cookies during the OAuth authorisation flow. These are only set when you explicitly choose to connect a Google service. For more information, see Google's Privacy Policy.

Microsoft Services (OAuth)

If you connect your Outlook Calendar to Latch, Microsoft may set authentication cookies during the OAuth authorisation flow. These are only set when you explicitly choose to connect an Outlook service. For more information, see Microsoft's Privacy Statement.

HMRC Services (OAuth)

If you connect your HMRC account to Latch for Making Tax Digital submissions, HMRC may set authentication cookies during the OAuth authorisation flow on the HMRC Government Gateway domain (tax.service.gov.uk). These cookies are set by HMRC, not by Latch, and are governed by HMRC’s own cookie policy. They are only set when you explicitly choose to authorise the connection. For more information, see HMRC's Cookie Policy.

Font Delivery (Google Fonts)

We use Google Fonts to deliver typefaces used across the platform. Google may log font requests and associated metadata (such as your IP address). No marketing or tracking cookies are set by Google Fonts. For more information, see Google Fonts Privacy FAQ.

Google Maps Platform (Address Services)

When you use address autocomplete for property locations, the Google Maps JavaScript API may set cookies for API authentication, session management, and abuse prevention. These cookies are governed by Google's privacy policy and are only active when the address autocomplete feature is in use. For more information, see Google's Privacy Policy.

Local Storage and Session Storage

In addition to cookies, Latch uses browser local storage and session storage to improve your experience. These are not transmitted to our servers with each request (unlike cookies) but are stored locally on your device.

Local Storage

Key | Purpose | Category
color-theme | Stores your preferred UI colour theme so it persists between visits. | Functional
ui-scale | Stores your preferred interface scale (small, medium, or large) for accessibility. | Functional
latch:guided-tour:v1 | Tracks which onboarding tours you have completed or dismissed, so they are not shown again. | Functional
latch:tutorial:*:v1 | Stores per-page tutorial progress for the tenant portal, including whether you have opted out of tutorials. | Functional
analytics_sid | A randomly generated session identifier used for first-party page view analytics. Contains no personal information. | Functional
bank_feeds_processing_queue | Temporarily stores transaction IDs during bank feed processing so the operation can resume if you navigate away. | Functional
propertyos_recent_reports | Stores a list of recently accessed reports for quick retrieval. | Functional
Chat message cache | Caches your AI assistant conversation history locally so messages persist between page loads. | Functional
hmrc_device_id | A randomly generated unique device identifier (UUIDv4) required by HMRC for fraud prevention purposes. Generated on first use of the MTD integration and persisted to identify your device across MTD API requests as the Gov-Client-Device-ID header. Persists indefinitely until you clear browser storage; signing out does not remove it. Lawful basis: legal obligation (UK GDPR Art. 6(1)(c)) under HMRC’s MTD Fraud Prevention Headers specification. Contains no personal information beyond the UUID itself. See the Privacy Policy for the complete list of fraud-prevention signals transmitted to HMRC; most are computed per-request and are not stored on your device. | Strictly Necessary
esig_signing_* | Stores temporary session data during the e-signature signing flow, including the current signing step, signer token validation status, and document viewing progress. Cleared automatically when the signing session is completed or expires. Multiple keys prefixed with esig_signing_ may exist simultaneously. Duration: session (cleared on signing completion or after 24 hours of inactivity). | Functional

Session Storage

Session storage data is automatically cleared when you close the browser tab.

Key | Purpose | Category
analytics_sid | A randomly generated session identifier used for first-party page view analytics within the current browser tab. | Functional
latch_visitor_id | A randomly generated visitor identifier used for real-time session presence tracking, including active user counts, device type detection (desktop/tablet/mobile), and current page path monitoring. Contains no personal information and is not linked to your user account. | Functional
latch:tutorial-*-counted | A flag that tracks whether a tutorial has been displayed during the current session to avoid repeated display. | Functional

Analytics and Performance Monitoring

We do not use Google Analytics, Facebook Pixel, Hotjar, or any other third-party analytics or advertising service. All analytics data is collected, processed, and stored by Latch on our own infrastructure. No analytics data is shared with or transmitted to any third party.

What We Collect

Our first-party analytics system records the following data to help us understand platform usage and improve the Service:

  • Page views: Which pages are visited, how long you spend on each page, and the order of navigation
  • Session identifiers: Randomly generated anonymous IDs (not linked to your user account on public pages) to group page views into sessions
  • Referrer URL: The page or website that directed you to Latch, if any
  • Device information: Browser user agent string and screen dimensions, used to optimise the platform for different devices
  • Presence heartbeat: An anonymous signal sent approximately every 30 seconds while you are actively using the platform, used to display real-time active user counts

AI Feature Usage

We record which AI-powered features you use (such as document analysis, lease review, or expense classification) at the account level. This data helps us understand feature adoption and plan future development. It does not include the content of your queries or documents.

HMRC Fraud Prevention Data

The device identifier, timezone, screen dimensions, and other technical information collected for HMRC fraud prevention purposes (as described above) are not used for analytics or tracking by Latch. This data is collected solely to comply with HMRC’s mandatory fraud prevention requirements and is transmitted to HMRC with each MTD API request. Latch does not analyse or aggregate this data for its own purposes.

Of the fraud-prevention signals HMRC requires us to send, only Gov-Client-Device-ID is persisted on your device (via the hmrc_device_id localStorage entry described above). All other signals (browser user-agent, timezone, screen dimensions, window size, MFA verification status) are computed per request and are never stored on your device.

How to Manage Your Preferences

Cookie Banner

Our cookie banner appears on public marketing pages only, once you have scrolled more than 200 pixels down the page. It offers a “Got it” acknowledgement and a link to learn more, and your acknowledgement is stored in the cookie-consent cookie for 365 days. Authenticated areas of the platform do not show the banner because every cookie set there is strictly necessary.

Because we do not set any non-essential cookies, your acknowledgement does not switch any tracking on or off. The preference is stored only to suppress repeated display of the banner. If we ever introduce non-essential cookies in the future, we will update this policy and seek fresh consent before any such cookie is set.

Browser Settings

Most web browsers allow you to control cookies, local storage, and session storage through their settings. You can typically:

  • View and delete individual cookies and storage entries
  • Block all or specific third-party cookies
  • Set your browser to notify you when a cookie is being set
  • Clear all cookies and site data when you close the browser

For guidance on managing cookies in your specific browser, visit your browser's help documentation or www.aboutcookies.org.

Important Note

If you disable or delete strictly necessary cookies (particularly the authentication session cookies), you will be unable to log in or use the authenticated features of the platform. We are unable to override browser-level cookie settings.

Your Rights

Under the UK General Data Protection Regulation (UK GDPR) and the Privacy and Electronic Communications Regulations 2003 (PECR), you have the following rights in relation to cookies and similar technologies:

  • Right to be informed: You have the right to clear, transparent information about how we use cookies and similar technologies. This policy fulfils that obligation
  • Right to consent: Except for strictly necessary cookies, we will obtain your consent before placing cookies on your device, in accordance with Regulation 6 of PECR
  • Right to withdraw consent: If we ever set cookies that rely on your consent, you will be able to withdraw it at any time by clearing your cookies through your browser settings or through the cookie banner. At present we set no such cookies, so there is nothing to withdraw
  • Right of access and erasure: You may request access to or deletion of any personal data we hold about you, including data collected via analytics. Please refer to our Privacy Policy for full details of your data protection rights

Changes to This Policy

We may update this Cookie Policy from time to time to reflect changes in technology, legislation, or our business practices. When we make material changes, we will update the “Last updated” date at the top of this page. We encourage you to review this policy periodically. Where changes are significant, we may also notify you via email or a prominent notice on the platform.

Contact Us

If you have any questions about this Cookie Policy, our use of cookies, or your rights, please contact us:

  • Data Controller: USELATCH LTD
  • Email: [email protected]
  • ICO Registration Number: 02450028338

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe your data protection rights have been infringed. The ICO can be contacted at ico.org.uk or by telephone on 0303 123 1113.

Material Change History

  • 13 May 2026 (v2.1) — HMRC MTD ITSA compliance pack alignment: documented the hmrc_owner_profile_id OAuth cookie used during HMRC connections that target a specific co-ownership profile (10-minute httpOnly cookie, deleted on callback); clarified that the hmrc_device_id localStorage UUID persists indefinitely, that its lawful basis is legal obligation under HMRC’s fraud-prevention spec, and that most other fraud-prevention signals are computed per-request and never stored on the device; anchored the “Strictly Necessary” category on the PECR Reg 6(4)(b) strictly-necessary exemption.
  • 5 May 2026 (v2.0) — Replaced “Bank Account Linking (Coming Soon)” with the live Plaid disclosure; removed the “Performance” cookie category since we set no non-essential cookies (analytics identifiers are local-storage only and now categorised as Functional); reworded the “Cookie Banner” subsection to honestly describe what the banner does (the Decline path used to be misleading); added a prominent “essential cookies only” notice in section 1; added the ICO registration number to the contact section.
  • 23 March 2026 (v1.0) — Initial publication.