Privacy Policy

Last updated: February 2026

1. Data Controller

Lab 191 (“we,” “our,” or “us”) is the data controller responsible for your personal data. For data protection inquiries, contact us via our contact page.

2. Data We Collect

Data Purpose Legal Basis
Name, email, company Lead management, order fulfillment Legitimate interest / Contract
Job title, role Lead qualification Legitimate interest
SBOM / dependency lists Service delivery Contract performance
Invoice/payment details Transaction processing Contract performance
IP address, page views Analytics (Plausible — cookieless) Legitimate interest
Cookies (GA4) Analytics (optional) Consent

3. Data Processors

Processor Purpose Location
Google Apps Script Form submission processing US
Stripe Invoicing/payments (off-site) US/EU
Cloudflare Pages Website hosting Global (edge)
Plausible Analytics (cookieless) EU
Google Analytics (GA4) Analytics (consent-gated) US

4. Cookies & Consent

We categorize cookies into three groups:

  • Necessary: Always active. Session management, CSRF protection.
  • Analytics: Opt-in. Google Analytics (GA4) loads only after explicit consent.
  • Marketing: Opt-in. Ad remarketing pixels, if enabled.

Plausible Analytics runs without cookies and does not require consent. A cookie consent banner is displayed on first visit. You can manage preferences at any time via the “Manage Cookie Preferences” link in the site footer.

5. Your Rights (GDPR)

Under the General Data Protection Regulation, you have the right to:

  • Access: Request a copy of your personal data
  • Rectification: Request correction of inaccurate data
  • Erasure: Request deletion of your personal data
  • Portability: Request your data in a machine-readable format
  • Objection: Object to processing based on legitimate interest
  • Withdraw Consent: Withdraw consent for analytics/marketing cookies at any time

To exercise any of these rights, contact us via our contact page.

6. Data Retention

  • Lead data: 24 months after last interaction, then anonymized
  • Order data: Retained per tax/accounting requirements (typically 7 years)
  • Analytics: Plausible retains no personal data; GA4 per Google's retention policies

7. International Transfers

Data may be processed in the United States by our service providers (Google, Stripe, Cloudflare). These transfers are protected by Standard Contractual Clauses (SCCs) or applicable adequacy decisions.

8. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via a notice on our website. The "Last updated" date at the top reflects the most recent revision.

Questions about privacy? Contact us.