The last update of this Privacy Policy was made on 06 October, 2025
This Privacy Policy describes the privacy practices for the website lasta.app (hereinafter “Website”), and Lasta mobile application (hereinafter “Mobile App”) and the services provided through them (together, “Service” or “Lasta”) operated by Lasta Inc, a legal entity incorporated under the laws of Delaware with offices located at 8480 Honeycutt Road, Suite 200, Raleigh NC 27615 (hereinafter “we”, “us”, “our”, “Company”) and how the Website and Mobile App, operated by the Company, collect and use the personal data you provide to the Company, with the purpose to access and use the Service. It also describes your choices regarding our use of your personal data and how you can access, update and delete this data.
The use of the Website is possible without any indication of personal data. However, if you want to use the Lasta, collecting and processing personal data could become necessary. If the processing of personal data is necessary, we generally obtain your consent, except when personal data processing is available under other legal grounds. The processing of personal data is in line with the General Data Protection Regulation (GDPR) and under the country-specific data protection regulations applicable to the Company.
By means of this Privacy Policy, we would like to inform the general public of the nature, scope, and purpose of the personal data we collect, use and process. Furthermore, data subjects (users) are informed, by means of this Privacy Policy, of the rights to which they are entitled.
This Privacy Policy is an integral part of the Terms of Use.
DEFINITIONS
Personal data means any information relating to an identified or identifiable natural person (hereinafter “data subject/user”). An identifiable natural person can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Controller means a person who determines the purposes and means of processing. For the purpose of this Privacy Policy, the Company is the controller of personal data. As the controller, we have implemented numerous technical and organizational measures to ensure the complete protection of personal data processed through the Service.
Processing is any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data subject/user is any identified or identifiable natural person whose personal data is processed by the controller responsible for the processing; a user of the Lasta.
Consent of the data subject/user is any freely given, specific, informed and unambiguous indication of the data subject's/user's wishes by which they, by a statement or by an explicit affirmative action, signify agreement to the processing of personal data relating to them.
WHY WE PROCESS YOUR PERSONAL DATA
The purpose of processing your personal data by the Company and collection of information about you are as follows (the "Purpose"):
1. To provide you with access to the Lasta;
2. The performance of a contract to which you are a party, in accordance with Article 6.1.b of the GDPR and the collected data is necessary to identify and charge your bank card number;
3. To verify your identity and provide customer care service and assistance;
4. To analyze your use of the Lasta to better understand how it is used so we can improve our Services and the user experience and engage and retain users.
We may use your personal data to:
1. Improve your browsing experience by personalizing the Service and improve the Lasta;
2. Send information to you by email regarding registration status, password, and payment confirmation;
3. Send you communications relating to your use of the Lasta;
4. Provide our partners with statistical information about our users by secured channels under data processing agreements (DPA); and
5. Send you marketing and promotional materials and messages.
As you are willing to use the Lasta, you are required to provide your personal data (to register an account and purchase the Lasta), thus becoming a Lasta user.
Based upon the personal data you provide us when registering an account, we may send you a welcoming email to verify your login and send a password.
You may enter your account on our Website and/or Mobile App under login and password sent to your email. All your activity in your account is password-protected, and you should keep and take all necessary measures to protect the secrecy of your password.
We will also communicate with you in response to your inquiries regarding any information or services you request.
Please be aware that you are not obliged to provide us with your personal data. However, if you do not provide us with your email address and payment information, you may be unable to create an account to log into and purchase the Lasta.
HOW WE COLLECT PERSONAL DATA
We collect certain personal data when you:
- Insert the user's information to register an account and access the Lasta;
- Make purchases;
- Visit and interact with the Website and Mobile App;
- Contact and interact with our support.
SCOPE AND CATEGORIES OF PERSONAL DATA, LAWFUL BASIS FOR PERSONAL DATA PROCESSING AND DATA SUBJECT CATEGORIES
We strive to be compliant with GDPR, follow data minimization principles and we process your personal data as follows:
No. | Scope and categories of personal data | Data subject categories | Processing purpose | Lawful basis for personal data processing |
1 | Name | Lasta users | To provide the Service | Performance of a contract |
2 | | Lasta users | To provide the Service; To send marketing communications | Performance of a contract; Consent / Legitimate interest |
3 | User IDs | Lasta users | To provide the Service | Performance of a contract |
4 | General health- and fitness-related data, including fitness level, body type, food preferences, diet preferences, etc. | Lasta users | To personalize the experience and provide the Service | Performance of a contract |
5 | Personal health-related data, including age, gender and data on physical characteristics: height and weight | Lasta users | To personalize the experience and provide the Service | Consent |
6 | Photos | Lasta users | To personalize the experience and provide the Service | Consent |
7 | Automatically collected data (cookies and similar technologies, device and connection data) | Lasta users, non-registered Lasta visitors | To provide the features of the Website and Lasta | Performance of a contract / Consent |
8 | Mobile App interactions; In-app search history; Crash logs; Recording the user's screen in the Lasta | Mobile App users | To analyze and improve the Service | Legitimate interest / Consent |
9 | Device or other IDs | Lasta users | To analyze and improve the Service | Legitimate interest |
10 | Payment information | Lasta users | To provide the Service | Performance of a contract / Legitimate interest |
11 | Voluntarily provided personal data, including, but not limited to, personal documents, request description, email, etc. | Lasta users, non-registered Lasta visitors | To provide support assistance | Performance of a contract / Legitimate interest |
12 | Health data and activity metrics from third-party health-related apps | Lasta users | To personalize the experience and provide the Service | Consent |
WE USE TRACKING TECHNOLOGIES AND COOKIES
We also collect and store information that is generated automatically as you navigate through our Service to enhance your experience by using tracking technologies such as Cookies, Log Files and Pixel tags.
As you navigate our Service, we automatically collect information in Log Files about your device’s connection to the Internet, the length of time spent on the Service, and the pages accessed during each visit to the Service. We use this information to analyze trends, administer the Service, track user movement on the Service, and gather broad statistical information for aggregate use.
Cookies are text files stored in a computer system via an Internet browser. Cookies are small files your web browser places on your hard drive for record-keeping purposes. By showing how and when visitors use the Website, Cookies help us track user trends and patterns. They also prevent you from re-entering your preferences on certain areas of the Website where you have entered preference information. Cookies contain a so-called Cookie ID. A Cookie ID is a unique identifier of the Cookie. It consists of a character string through which Internet pages and servers can be assigned to the specific Internet browser in which the Cookie was stored. This allows visited Internet sites and servers to differentiate the individual browser of the data subject from other Internet browsers that contain other Cookies. A specific Internet browser can be recognized and identified using the unique Cookie ID.
Through the use of Cookies, we can provide users with more user-friendly services that would not be possible without them. By means of Cookies, the information and offers on our Website can be optimized.
You may, at any time, prevent the setting of Cookies through the Website by means of a corresponding setting of the Internet browser used and may thus permanently deny the setting of Cookies. Cookies that are already set may be deleted anytime via an Internet browser or other software. If you deactivate the settings of Cookies in the Internet browser, not all functions of our Website may be entirely usable.
If you do not wish to receive Cookies, you may be able to refuse them by adjusting your browser settings to reject Cookies. If you do so, we may be unable to offer you some of our functionalities, services or support. If you have previously visited our Website, you may also have to delete any existing Cookies from your browser.
Also, we may use Pixel tags (single-pixel image files, also known as transparent GIFs, clear GIFs or web beacons) to access Cookies and to count users who visit the Website or open our HTML-formatted email messages.
Learn more in our Cookie Policy.
MARKETING OFFERINGS AND UPDATES
Based on your separate consent, we may send you the following marketing emails:
- Product updates (info about new version releases, new features, or about some issues, or requests to help us make our product better by taking the survey);
- Tips and tricks (getting started emails, how to get the most out of the Lasta, educational content);
- Exclusive deals (promo, discounts, upsells and cross-sells);
- Newsletters (announcements and news);
- Digests (we may send emails containing information about the Company, popular blog posts, customer reviews, etc.);
- Activation reminders (welcome emails).
You may always opt out (unsubscribe) from any marketing communication in your account (if available) or via our support at any time, as instructed at the end of this Privacy Policy.
HOW WE SHARE YOUR PERSONAL DATA
We do not authorize the use of your personal data by any third party, except under the conditions described below.
The personal data is not transferred to third parties, except in cases when:
- It is necessary to provide the Lasta;
- It is necessary to fulfil our legitimate interests;
- It is necessary to comply with our lawful obligation;
- We have received your consent.
As we use third-party services to provide the Lasta, we may transfer your personal data internationally under DPA in accordance with GDPR and other applicable data protection laws. We operate and maintain a variety of online security measures to safeguard and keep your personal data private and secure while it is stored and transferred.
The third parties we share personal data with include, in particular:
Categories | Purpose | Name | Privacy Policy |
Data servers | To store and process personal data | AWS | https://aws.amazon.com/privacy/ |
Email marketing | To provide email notifications, and any other marketing notifications related to your use of the Lasta | SmartSender | https://smartsender.com/privacy-policy |
Email marketing | To provide email notifications, and any other marketing notifications related to your use of the Lasta | Customer.io | https://customer.io/legal/privacy-policy |
Email marketing | To provide email notifications, and any other marketing notifications related to your use of the Lasta | ZeroBounce | https://www.zerobounce.net/privacy-policy |
Analytics | To receive statistics and analytics related to your use of the Lasta | Amplitude | https://amplitude.com/privacy |
Analytics | To receive statistics and analytics related to your use of the Lasta | Google (GA4) | https://policies.google.com/privacy |
Analytics | To receive statistics and analytics related to your purchase-related operations | Google (BigQuery) | https://policies.google.com/privacy |
Analytics | To receive statistics and analytics related to your use of the Lasta | Impact | https://impact.com/privacy-policy/ |
Analytics | To optimize tag deployment, troubleshoot configuration errors, and modify tags that are deployed on the Website | Google Tag Manager | https://policies.google.com/privacy/ |
Analytics | To receive statistics and analytics related to your use of the Website | Hotjar | https://www.hotjar.com/legal/policies/privacy/ |
Analytics | To receive statistics and analytics in connection with our marketing campaigns | Microsoft | https://www.microsoft.com/en-us/privacy/privacystatement |
Analytics | To receive statistics and analytics related to your use of the Mobile App | Firebase | https://firebase.google.com/support/privacy |
Analytics | To receive statistics and analytics related to your use of the Website | X | https://x.com/en/privacy |
Analytics | To utilize cookies and tracking technologies | CookieBot | https://www.cookiebot.com/en/privacy-policy/ |
AI | To structure and manage user-related data | OpenAI (API) | https://openai.com/policies/row-privacy-policy/ |
Support | To provide Lasta-related support and assistance | Zendesk | https://www.zendesk.com/company/agreements-and-terms/privacy-notice/ |
Billing | To effectively process and manage payments and subscriptions | FastSpring | https://fastspring.com/privacy/ |
Billing | To effectively process and manage payments and subscriptions | Stripe | https://stripe.com/privacy |
Billing | To effectively process and manage payments and subscriptions | PayPal | https://www.paypal.com/us/legalhub/paypal/privacy-full |
WHERE YOUR PERSONAL DATA IS STORED
Personal data is usually stored on servers in Germany and the Netherlands. Personal data may also be stored outside the EU. We have adopted all necessary security measures for protecting your personal data according to the best practices of security, protection, and confidentiality. If we transfer your personal data to third parties, we will compel each third party to adopt necessary security measures for the protection of your personal data according to applicable data protection agreements and privacy frameworks.
ENCRYPTED DATA
We have put in place security hardware, software and network scanning procedures designed to safeguard and secure the information (including personal data) under our control and follow generally accepted industry standards. We work with third-party service providers and vendors that use encryption and authentication to maintain the confidentiality of your personal data. If stored, we house personal information on systems behind firewalls that are accessible only to limited personnel under DPA.
DATA BREACH SITUATIONS
We shall notify the respective data protection authority within 72 hours after we become aware of the data breach and report the following information:
- The nature of the data breach.
- The name and contact details of our responsible person from whom more information can be obtained.
- The possible consequences of the data breach.
- The measures taken or proposed by us to address the data breach.
If the data breach may lead to a violation of your rights and freedoms or has a high risk of this, we shall immediately inform you of the fact of the data breach and report the following information:
- The nature of the data breach in clear and simple language.
- The name and contact details of the responsible person from whom more information can be obtained.
- The possible consequences of breaching the security of personal data.
- The measures taken or proposed by us to address the data breach.
- Useful tips and know-how that can help you in reducing the risks of the data breach.
We do not have to send the notification to you if any of the following conditions are met:
- We have implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the data breach, in particular, those that leave the personal data inaccessible to any person who is not authorized to access it, such as encryption;
- We have taken subsequent measures that ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize; or
- It would involve a disproportionate effort to communicate with every data subject concerned. In such a case, there shall instead be public communication or similar measures whereby the data subjects are informed equally effectively.
If we apply one of the exemptions, we document the circumstances, reason for not informing, and actions taken to meet one of the exemptions.
YOUR RIGHTS
Depending on your personal jurisdiction, you may have the following rights:
- The right to access. You have the right to request an explanation of the personal data we process about you. Also, you can request a copy of your personal data undergoing processing.
- The right to data portability. You have the right to receive the personal data which you have provided to us. You can request to transmit this data directly to another data controller in a structured, commonly used and machine-readable format. We will transmit your data directly to another controller in cases where it is technically feasible.
- The right to restrict processing. You have the right to request that we temporarily or permanently stop processing all or some of your personal data.
- The right to rectify. You have the right to request to rectify/correct any inaccurate data about you.
- The right to erase. You have the right to be forgotten which means that we will delete all personal data that you have provided to us. We may retain certain information as required by law and for legitimate business purposes permitted by law.
- The right to object to processing. You can, at any time, object to the processing of your personal data on grounds relating to your particular situation. You have the right to object to your personal data being processed for direct marketing purposes.
- The right to lodge complaints. You have the right to lodge complaints in relation to the data processing activities we carry out with the competent data protection authorities.
- The right not to be subject to automated decision-making. You have the right not to be subject to a decision based solely on automated decision-making, including profiling, where the decision would have a legal effect on you or produce a similarly significant effect.
- The right of confirmation. Each data subject shall have the right to obtain confirmation from the controller on whether personal data is being processed.
- The right to withdraw data protection consent. Each data subject shall have the right to withdraw consent to the processing of personal data at any time.
If one of the abovementioned rights applies, you may contact us at any time, as instructed at the end of this Privacy Policy.
We will comply with your request within 1 (one) calendar month. If we need additional time to comply with your request or if we cannot comply with the request, we will inform you of this within the 1 (one) calendar month period.
CALIFORNIA PRIVACY RIGHTS
This section applies only to residents of California, United States.
Subject to certain conditions and limitations, the California Consumer Privacy Act (“CCPA”) provides California consumers with the right to know the categories and specific pieces of personal information we collect, the right to request deletion of personal information, the right to be free from discrimination, and the right to opt out of selling personal information.
The categories of personal data we collect, the sources we use to collect it, the purposes of personal information collection and the categories of third parties with whom we may share personal information are indicated above in this Privacy Policy.
You can direct us not to “sell” your personal information by clicking/tapping on the link “Do Not Sell My Personal Information” and following the instructions or contacting us via the Lasta support. We will verify your request and inform you accordingly. You may also designate an authorized agent to exercise these rights on your behalf.
CHILDREN’S PRIVACY
Provision of the Lasta is generally not aimed at children and is not intended for use by children under the age of 16.
The Company is acting in compliance with COPPA. We do not knowingly collect information from children and minors. We encourage parents and legal guardians to monitor their children’s Internet usage and to help enforce our Privacy Policy by instructing their children to never provide information on our Service without their permission.
Our Service is not directed to, nor do we knowingly collect personal data from children under the age of 13. If we obtain actual knowledge that we have collected personal data from a child, we will comply with industry guidelines and applicable laws and will promptly delete it unless we are legally obligated to retain such data.
DATA STORAGE AND DATA REMOVAL
We process and store personal data only for the period necessary to achieve the purposes of this Privacy Policy, our Terms of Use and as long as this is granted by the applicable laws.
The criteria used to determine the period of storage of personal data is the respective statutory retention period for the purposes of this Privacy Policy and our Terms of Use. After that statutory retention period expires, and when we no longer need personal data, we routinely and securely delete or destroy it.
However, in case of conflict situations in progress, we may store personal data for 180 calendar days or more if the processing is necessary for the establishment, exercise or defense of legal claims and for compliance with a legal obligation which requires processing by applicable laws.
MISCELLANEOUS
We may modify this Privacy Policy at any time and post any changes to the Privacy Policy on the Website and/or Mobile App, so please review it frequently. We indicate the date of the current version of this Privacy Policy above, so you know when it was last updated.
Changes to this Privacy Policy may not affect the personal data we have previously collected from you or after such changes.
If you object to the changes or if you have any questions or propositions, please get in touch with us by the contact form: Lasta support