Privacy Policy
Last updated: March 2026
1. Introduction
LabProtocol.co ("we", "us", "our") is committed to protecting your privacy. This policy explains what data we collect, how we use it, and your rights regarding that data. This policy applies to all users of labprotocol.co and our related services.
2. Data We Collect
Account Data: Email address, name, and profile information you provide during registration.
Protocol Data: Input parameters, generated protocols, and associated metadata (technique, timestamps, version history).
Usage Data: Pages visited, features used, protocol generation counts, and performance metrics collected via PostHog analytics.
Payment Data: Billing information processed securely by Stripe. We do not store credit card numbers on our servers.
Support Data: Messages submitted through our contact form or support widget.
3. How We Use Your Data
We use your data to: provide and improve the Service; generate protocols based on your inputs; process payments; send transactional emails (welcome, protocol ready, billing); analyze usage patterns to improve the product; respond to support requests; comply with legal obligations.
4. Third-Party Services
We use the following third-party services that may process your data:
Supabase — Authentication and database hosting (EU/US regions). Supabase stores your account and protocol data.
Stripe — Payment processing. Stripe handles all payment data under their own privacy policy.
OpenAI — Protocol generation. Your input parameters are sent to OpenAI's API to generate protocols. We do not send personally identifiable information to OpenAI. OpenAI's data usage policy applies to API inputs.
PostHog — Product analytics. We collect anonymized usage data to understand how the product is used.
Resend — Transactional email delivery.
Vercel — Application hosting and CDN.
5. Cookies
We use essential cookies for authentication and session management. PostHog may set analytics cookies to track usage patterns. You can disable non-essential cookies through your browser settings. We do not use advertising cookies or sell data to advertisers.
6. Data Retention
Account data is retained while your account is active and for 30 days after deletion. Protocol data is retained while your account is active and available for export for 30 days after account deletion. Usage analytics are retained in anonymized form for up to 2 years. Payment records are retained as required by tax and accounting regulations.
7. Your Rights (GDPR)
If you are in the EU/EEA, you have the right to:
• Access — Request a copy of your personal data
• Rectification — Correct inaccurate personal data
• Erasure — Request deletion of your personal data
• Portability — Export your data in a machine-readable format
• Restriction — Restrict processing of your data
• Objection — Object to processing based on legitimate interests
To exercise these rights, contact us at privacy@labprotocol.co. We will respond within 30 days.
8. Data Security
We use industry-standard security measures including: encryption in transit (TLS) and at rest; row-level security in our database; regular security audits; minimal data collection principles. While we take reasonable precautions, no system is 100% secure.
9. Children's Privacy
The Service is not intended for children under 13. We do not knowingly collect data from children under 13. If you believe we have collected such data, contact us immediately.
10. Changes to This Policy
We may update this policy from time to time. We will notify you of material changes via email or in-app notification at least 30 days before they take effect.
11. Contact
For privacy inquiries, contact us at privacy@labprotocol.co.