Privacy Policy

February 7, 2026

1. INTRODUCTION

Welcome to Labtree. This Privacy Policy describes how Labtree, Inc., a Delaware corporation ("Labtree", "we", "our", or "us"), collects, uses, shares, and protects personal information obtained through our AI-powered scientific research platform (the "Platform"), website, and related services (collectively, the "Services").

This Privacy Policy applies to all users of our Services, including research institutions, biotechnology companies, individual researchers, and other entities ("Customer", "you", or "your"). We are committed to protecting your privacy and handling your research data with the highest standards of security and confidentiality.

This Privacy Policy is designed to comply with applicable data protection laws, including the EU General Data Protection Regulation ("GDPR"), the UK GDPR, the California Consumer Privacy Act ("CCPA"), and other relevant privacy regulations.

2. DATA CONTROLLER AND CONTACT INFORMATION

For purposes of the GDPR and other applicable data protection laws, the data controller is:

Labtree, Inc.

1111B South Governors Avenue

Dover, Delaware 19904

United States

Email: privacy@labtree.io

3. DEFINITIONS

For purposes of this Privacy Policy:

  • Personal Data means any information relating to an identified or identifiable natural person that is processed by Labtree on behalf of Customer in connection with the Services.

  • Research Data means scientific data, experimental results, protocols, documents, images, manuscripts, and other research-related content uploaded or generated by Customer through the Platform.

  • Usage Data means data collected automatically about how users interact with the Services, including analytics and performance information.

  • Data Protection Laws means all applicable laws and regulations relating to the processing of Personal Data, including GDPR, UK GDPR, CCPA, and other relevant privacy regulations.

  • Sub-processor means any third party appointed by Labtree to process Personal Data on behalf of Labtree in connection with the Services.

4. INFORMATION WE COLLECT

4.1 Personal Information You Provide

We collect the following categories of personal information that you voluntarily provide when registering for or using our Services:

  • Account Information: Name, email address, job title, organization name, and password.

  • Billing Information: When you subscribe to paid plans, our payment processor (Stripe) collects payment information. We do not store full credit card numbers.

  • Communications: Information you provide when you contact us for support, provide feedback, or communicate with us.

  • Profile Information: Optional information such as research interests, institutional affiliation, and professional background.

4.2 Research Data

You upload and generate Research Data through the Platform, which may include scientific documents, experimental protocols, laboratory notes, images, datasets, manuscripts, literature references, and other research-related content. Your Research Data is confidential and private to you. We do not access, use, or disclose your Research Data except as necessary to provide the Services, for technical support (with your permission), or as required by law.

4.3 Automatically Collected Information

We automatically collect certain information when you use our Services:

  • Usage Data: Information about your interactions with the Platform, including features accessed, time spent, actions taken, and search queries.

  • Device Information: IP address, browser type and version, operating system, device identifiers, and hardware specifications.

  • Log Data: Server logs, including access times, pages viewed, error messages, and system activity.

  • Analytics Data: Performance metrics, error tracking data, and aggregated usage patterns collected through analytics tools.

4.4 Cookies and Tracking Technologies

We use cookies and similar tracking technologies to collect information about your browsing activities. Cookies are small data files stored on your device that help us:

  • Maintain your login session and authentication

  • Remember your preferences and settings

  • Understand how you use the Services and improve functionality

  • Analyze usage patterns and platform performance

Types of Cookies We Use:

  • Essential Cookies: Required for authentication, security, and core platform functionality. These cannot be disabled.

  • Analytics Cookies: Used to understand platform usage, improve features, and track performance through PostHog and similar analytics services.

You can manage cookie preferences through your browser settings. However, disabling essential cookies may affect platform functionality. Most web browsers accept cookies by default, but you can modify your browser settings to decline cookies if you prefer.

5. HOW WE USE YOUR INFORMATION

We process your information for the following purposes and on the legal bases described:

5.1 To Provide and Maintain the Services

Legal Basis: Performance of contract with you

  • Create and manage your account

  • Process and store your Research Data

  • Provide AI-powered research assistance and analysis

  • Enable collaboration features within your organization

  • Deliver customer support and respond to your inquiries

5.2 To Process Payments

Legal Basis: Performance of contract, legal obligations

Process subscription payments through our payment processor, Stripe, and maintain billing records in accordance with tax and accounting requirements.

5.3 To Improve and Develop the Services

Legal Basis: Legitimate interests (improving our Services)

  • Analyze usage patterns to enhance platform features and performance

  • Identify and fix technical issues and bugs

  • Develop new features and functionality

  • Conduct research and analytics to improve our AI models and algorithms

5.4 To Communicate with You

Legal Basis: Performance of contract, legitimate interests, consent (for marketing)

  • Send service-related notifications (account updates, security alerts, changes to terms)

  • Respond to your inquiries and provide customer support

  • Send product updates, newsletters, and promotional materials (with your consent, which you may withdraw at any time)

5.5 To Ensure Security and Prevent Fraud

Legal Basis: Legitimate interests (security), legal obligations

  • Monitor and analyze security incidents

  • Detect and prevent unauthorized access, fraud, and abuse

  • Enforce our Terms of Service and protect our legal rights

5.6 To Comply with Legal Obligations

Legal Basis: Legal obligations, legitimate interests

Comply with applicable laws, regulations, legal processes, and governmental requests, including responding to subpoenas, court orders, and law enforcement requests.

6. ARTIFICIAL INTELLIGENCE AND RESEARCH DATA PROTECTION

We recognize that protecting the confidentiality of scientific research data is paramount. Our AI-powered platform is designed with strict controls to safeguard your Research Data.

6.1 No Training on Customer Research Data

Labtree does NOT use your Research Data to train, fine-tune, or improve our proprietary AI models. Your experimental data, protocols, manuscripts, and other research content remain confidential and are never used for model training purposes.

6.2 Third-Party AI Providers

We utilize third-party AI services to power certain platform features. We have implemented the following safeguards:

  • Amazon Web Services (AWS) Bedrock: Primary infrastructure for AI model inference. Data is processed in EU regions and is not used for training.

  • Anthropic: We access Anthropic's AI models via API with data training opt-out. Your data is not used to train their models.

All AI providers we use are bound by strict data processing agreements that prohibit the use of your Research Data for training purposes.

6.3 Data Minimization

We employ data minimization techniques to ensure that only necessary information is processed by AI systems. We anonymize or pseudonymize data where possible to provide additional protection.

7. HOW WE SHARE YOUR INFORMATION

We do not sell your Personal Data or Research Data. We share information only in the limited circumstances described below:

7.1 Service Providers and Sub-processors

We engage trusted third-party service providers to perform functions on our behalf. These Sub-processors have access to Personal Data only to perform specific tasks and are obligated to protect your information. We may update our list of Sub-processors from time to time. We will notify you of any material changes to our Sub-processors and provide you with an opportunity to object.

7.2 Business Transfers

In the event of a merger, acquisition, reorganization, sale of assets, or bankruptcy, your information may be transferred to a successor entity. We will notify you of any such change and provide information about your choices regarding your data.

7.3 Legal Requirements

We may disclose your information if required by law, regulation, legal process, or governmental request, or where we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

7.4 With Your Consent

We may share your information with third parties when you have given us explicit consent to do so.

8. INTERNATIONAL DATA TRANSFERS

Our primary servers and infrastructure are located in the European Union. However, some of our Sub-processors may be located in the United States or other countries outside the EU/EEA.

8.1 Data Transfer Mechanisms

When we transfer Personal Data from the EU/EEA or UK to countries that do not provide an adequate level of data protection as determined by the European Commission, we implement appropriate safeguards, including:

  • Standard Contractual Clauses (SCCs): We use EU Commission-approved Standard Contractual Clauses with our Sub-processors to ensure adequate protection of Personal Data.

  • Data Privacy Framework: For certain US-based processors, we rely on the EU-U.S. Data Privacy Framework and UK Extension to the EU-U.S. Data Privacy Framework.

8.2 EU Representative

In accordance with Article 27 of the GDPR, Labtree has designated an EU Representative.

Email: privacy@labtree.io

The EU Representative serves as a contact point for EU supervisory authorities and data subjects regarding data protection matters. Inquiries may be directed to the EU Representative or directly to Labtree at privacy@labtree.io.

9. DATA RETENTION

We retain your Personal Data and Research Data only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements.

9.1 Active Accounts

While your account is active, we retain your Personal Data and Research Data to provide you with the Services and comply with our contractual obligations.

9.2 Account Deletion

Upon termination or deletion of your account, we will:

  • Delete your Research Data and Personal Data from active production systems within 30 days of your deletion request.

  • Retain certain information in backup systems for up to 90 days for disaster recovery purposes, after which it will be permanently deleted.

  • Retain billing records and transactional data for 3 years to comply with tax, accounting, and legal requirements.

9.3 Aggregated and Anonymized Data

We may retain aggregated, anonymized, or de-identified data for research, analytics, and product improvement purposes indefinitely, as such data cannot be used to identify you personally.

10. DATA SECURITY

We implement appropriate technical and organizational security measures to protect your Personal Data and Research Data against unauthorized access, alteration, disclosure, or destruction. Our security measures include:

  • Encryption: All data is encrypted in transit using TLS 1.3 and at rest using industry-standard AES-256 encryption provided by AWS.

  • Access Controls: Role-based access controls and multi-factor authentication limit access to Personal Data to authorized personnel only.

  • Security Monitoring: We use Oneleet security monitoring and access control systems, along with Sentry for error tracking and security incident detection.

  • Infrastructure Security: Our infrastructure is hosted on AWS, which maintains SOC 2, ISO 27001, and other industry certifications.

  • Regular Audits: We conduct regular security assessments and are working towards SOC 2 Type II and ISO 27001 certification.

  • Incident Response: We maintain an incident response plan to quickly address security incidents and notify affected parties as required by law.

While we implement robust security measures, no system is completely secure. If you become aware of any security vulnerability or incident, please contact us immediately at legal@labtree.io.

11. YOUR PRIVACY RIGHTS

Depending on your location and applicable data protection laws, you have certain rights regarding your Personal Data.

11.1 Rights Under GDPR (EU/EEA/UK Users)

If you are located in the EU, EEA, or UK, you have the following rights under the GDPR:

  • Right of Access: You have the right to request a copy of the Personal Data we hold about you.

  • Right to Rectification: You have the right to request correction of inaccurate or incomplete Personal Data.

  • Right to Erasure (Right to be Forgotten): You have the right to request deletion of your Personal Data under certain circumstances.

  • Right to Restrict Processing: You have the right to request that we limit how we process your Personal Data.

  • Right to Data Portability: You have the right to receive your Personal Data in a structured, commonly used, and machine-readable format and to transmit it to another controller.

  • Right to Object: You have the right to object to our processing of your Personal Data based on legitimate interests.

  • Right to Withdraw Consent: Where we process your Personal Data based on consent, you have the right to withdraw that consent at any time.

11.2 Rights Under CCPA (California Users)

If you are a California resident, you have the following rights under the CCPA:

  • Right to Know: You have the right to request information about the categories and specific pieces of Personal Data we have collected about you.

  • Right to Delete: You have the right to request deletion of your Personal Data, subject to certain exceptions.

  • Right to Non-Discrimination: You have the right not to receive discriminatory treatment for exercising your CCPA rights.

11.3 How to Exercise Your Rights

To exercise any of the rights described above, please contact us at legal@labtree.io with the subject line "Privacy Rights Request." We will respond to your request within the timeframes required by applicable law (typically 30 days for GDPR requests).

We may need to verify your identity before processing your request. We will not discriminate against you for exercising your privacy rights.

If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.

12. CHILDREN'S PRIVACY

Our Services are primarily designed for use by research professionals and institutions. We do not knowingly collect Personal Data from children under the age of 16 without verifiable parental or guardian consent.

In cases where educational institutions wish to provide access to students aged 16 or 17, we require that the institution obtains appropriate parental consent and acts as the data controller for such student data. We process student data only as instructed by the educational institution.

If we become aware that we have inadvertently collected Personal Data from a child under 16 without proper consent, we will take steps to delete such information promptly. If you believe we have collected information from a child inappropriately, please contact us at legal@labtree.io.

13. UPDATES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements, or for other operational reasons. The "Last Updated" date at the top of this policy indicates when it was most recently revised.

If we make material changes to this Privacy Policy, we will notify you by email (to the address associated with your account) or by posting a notice on our Platform at least 30 days before the changes take effect.

Your continued use of the Services after the effective date of the updated Privacy Policy constitutes your acceptance of the changes. If you do not agree with the updated Privacy Policy, you should discontinue use of the Services and contact us to delete your account.

14. CONTACT INFORMATION

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Labtree, Inc.

Attn: Legal Department / Privacy Officer

1111B South Governors Avenue

Dover, Delaware 19904

United States

Email: privacy@labtree.io

15. GOVERNING LAW AND JURISDICTION

This Privacy Policy is governed by the laws of the State of Delaware, United States, without regard to its conflict of law provisions, except to the extent that Data Protection Laws require the application of different laws.

For EU/EEA/UK users, nothing in this Privacy Policy affects your rights under the GDPR or other applicable Data Protection Laws, including your right to lodge a complaint with your local supervisory authority.