Law Enforcement

1. Introduction and Purpose

Lana Commerce, Inc. ("Lana," "We," "Us," "Our") is committed to protecting the privacy and security of our Merchants and their customers' data while complying with our legal obligations. This Law Enforcement Information Request Policy ("Policy") outlines the procedures and principles Lana follows when responding to requests for information from domestic and international government and law enforcement agencies ("Law Enforcement Agencies" or "LEAs").

This Policy is intended to provide guidance to Law Enforcement Agencies seeking information from Lana and to inform our Merchants about how we handle such requests.

2. Scope of Policy

This Policy applies to all data held by Lana in connection with the provision of our headless commerce platform and related services ("Services"). This may include:

• Merchant Information: Information provided by Merchants when they sign up for and use our Services, such as Account Owner details, Staff Account information, billing information, and communication records with Lana.
• Merchant Content: Data uploaded or managed by Merchants on the Lana platform, excluding End Customer Data (as defined below).
• End Customer Data: Personal information of a Merchant's customers that Lana processes on behalf of the Merchant in its capacity as a Data Processor or service provider. Requests for End Customer Data raise specific considerations outlined in Section 7 (Merchant Notification and End Customer Data).
• Usage Data: Information related to the use of Lana's Services, such as IP addresses, access logs, and other metadata, to the extent maintained by Lana.

3. Principles for Responding to Law Enforcement Requests

Lana adheres to the following principles when responding to Law Enforcement Requests:

• Legality: Lana will only disclose data when required by applicable law, served with valid and binding legal process, or in exigent circumstances as described in Section 9 (Emergency Requests).
• Specificity: Requests must be specific, narrowly tailored, and identify the legal basis for the request. Lana will challenge overly broad, vague, or otherwise improper requests.
• Transparency: Lana believes in transparency and will notify Merchants of Law Enforcement Requests for their data or their customers' data whenever legally permissible (see Section 7).
• Data Minimization: Lana will only disclose the data specifically required by the legal request and for the purposes stated in the request.
• User Privacy: Lana is committed to protecting the privacy of its Merchants and their customers.

4. Types of Legal Requests Recognized

Lana is a U.S. company headquartered in San Francisco, California. We require valid legal process issued under U.S. law to compel the disclosure of data. The type of legal process required depends on the nature of the information sought:

• Non-Content Data (e.g., basic subscriber information, IP logs): We generally require a valid subpoena, administrative order, or court order issued in accordance with U.S. law.
• Content Data (e.g., Merchant Content, communications): We generally require a valid U.S. search warrant issued upon a showing of probable cause, or an equivalent court order under U.S. law.

5. Requirements for Law Enforcement Requests

To ensure timely and accurate processing, all Law Enforcement Requests must:

• Be in writing and addressed to Lana Commerce, Inc. (see Section 12 for contact details).
• Be issued by an authorized Law Enforcement Agency and signed by an authorized official.
• Clearly identify the specific Merchant Account(s) or user(s) whose information is sought (e.g., by store ID, email address, Account Owner name).
• Specify the category of information requested and its relationship to the investigation.
• State the legal authority (e.g., relevant statute, court order number) under which the request is made.
• Include the name, title, badge/ID number, and direct contact information (email address and phone number) of the responsible law enforcement agent.
• Specify a reasonable deadline for response.

Lana reserves the right to seek clarification or object to requests that do not meet these requirements or are otherwise legally deficient.

6. Verification of Requests

Lana will take steps to verify the legitimacy of each Law Enforcement Request prior to responding. This may include confirming the identity and authority of the requesting agency and official.

7. Merchant Notification and End Customer Data

• Merchant Notification: It is Lana's policy to notify our Merchants of any Law Enforcement Request for their Merchant Information or End Customer Data before disclosure, unless we are legally prohibited from doing so (e.g., by a non-disclosure order under 18 U.S.C. § 2705(b) or similar legal authority) or in exigent circumstances (see Section 9). If we receive a non-disclosure order, we will attempt to notify the Merchant once the order expires.
• End Customer Data: Lana processes End Customer Data as a Data Processor on behalf of our Merchants (who are the Data Controllers). If Lana receives a Law Enforcement Request for End Customer Data, we will, where legally permissible and appropriate, redirect the Law Enforcement Agency to request the data directly from the relevant Merchant. If we are compelled to disclose End Customer Data directly, we will notify the affected Merchant as outlined above, unless prohibited. Merchants are responsible for notifying their end customers if required by law or their own policies.

8. International Law Enforcement Requests

Lana is a U.S. company and adheres to U.S. law. Law Enforcement Agencies outside the United States seeking data from Lana should generally use appropriate international legal assistance processes, such as Mutual Legal Assistance Treaties (MLATs) or letters rogatory, directed through the U.S. Department of Justice or other appropriate U.S. authorities.

Australian Law Enforcement Agencies seeking data should be aware that requests will typically need to be made through these formal government-to-government channels.

9. Emergency Requests (Exigent Circumstances)

Lana may disclose information to Law Enforcement Agencies in exigent circumstances where we believe in good faith that an emergency involving imminent danger of death or serious physical injury to any person requires disclosure without delay.

Emergency requests must be submitted in writing (preferably via email to the contact address in Section 12) by a sworn law enforcement official and must include:

• A detailed description of the emergency and the imminent danger.
• A description of the information sought and how it relates to the emergency.
• An explanation of why formal legal process cannot be obtained in time.
• The signature of a sworn law enforcement official.
• Full contact details of the requesting official and agency.

Lana will evaluate emergency requests on a case-by-case basis. If information is disclosed in an emergency, the Law Enforcement Agency must follow up with appropriate legal process in a timely manner.

10. Data Retention

Lana retains data in accordance with its Privacy Policy, Data Processing Addendum, and internal data retention schedules, and as required by applicable law. Data is generally retained for as long as necessary to provide the Services and for legitimate business or legal purposes.

11. Cost Reimbursement

Lana reserves the right to seek reimbursement for reasonable costs associated with responding to Law Enforcement Requests, where permitted by law (e.g., under 18 U.S.C. § 2706).

12. Contact Information for Law Enforcement Requests

All Law Enforcement Requests should be directed to Lana's Legal Department:

Lana Commerce, Inc. Attn: Legal Department – Law Enforcement Requests 548 Market St Suite #35443 San Francisco, California 94104, US Email: hello@lana.dev.

Law Enforcement Requests should be directed to this online form: Submit Law Enforcement Request.

13. Policy Updates

Lana may update this Policy from time to time. The "Last Updated" date at the top of this Policy indicates when it was last revised. We encourage Law Enforcement Agencies and Merchants to review this Policy periodically.