Legal

Cookie & Tracking Policy

Effective date: 1 July 2026 · Last updated: 1 July 2026

This Cookie & Tracking Policy explains how the lab.ai Identity Platform uses cookies and similar technologies, and how you control them. It sits alongside our Privacy Policy: the Privacy Policy governs personal data generally, while this document focuses on the client-side technologies that set or read identifiers in your browser.

Where this applies

This policy covers the lab.ai marketing website and app.lab.ai, the authenticated dashboard where subscribers manage their identities. It does not cover customer-controlled subdomains (for example john.lab.ai), which are operated by our subscribers rather than by us.

What cookies and similar technologies are

Cookies are small text files a website stores in your browser. They let a site remember actions and preferences — for example, that you are signed in — across pages and visits.

For consent purposes we treat the following the same way as cookies:

  • Local and session storage — browser storage used by our app and by vendor SDKs to persist identifiers and state.
  • Pixels and tags — tiny requests that report an event to a third party and can set or read identifiers.
  • SDKs — vendor JavaScript loaded into the page that may use any of the above.

Throughout this policy, "cookie" and "tracker" are used interchangeably to mean all of these. First-party trackers are set by lab.ai itself; third-party trackers are set by external vendors whose scripts run on our pages, and those vendors may combine the data with information they hold from other sites under their own policies.

The categories we use

We group trackers into three categories. Only the Essential category loads without consent. Analytics and Advertising trackers are blocked until you opt in.

CategoryConsentExamplesPurposeTypical duration
Essential
(strictly necessary)
No consent needed Sign-in session and authentication tokens; anti-forgery token; traffic routing; the record of your own cookie choice Authenticate you, keep you signed in, protect forms, route traffic, and remember your cookie choices. The site cannot function without these. Session-based up to long-lived, per our authentication provider's defaults
Analytics
(product & web analytics)
Consent required Product analytics (PostHog) and web analytics (Google Analytics 4) Understand how the site and dashboard are used, which features are adopted, and where users drop off, so we can improve the product. Aggregated and pseudonymous where possible. Up to roughly 13 months
Advertising
(marketing & remarketing)
Consent required Google Ads conversion and remarketing tags, typically delivered via Google Tag Manager Measure ad-campaign conversions and build remarketing audiences so we can show relevant lab.ai ads to prior visitors. Up to roughly 2 years, depending on the specific cookie

Google Tag Manager is a loader rather than a tracker in itself, but because it can inject analytics and advertising tags, our consent controls gate it so that it does not fire non-essential tags before you consent. The vendor list above reflects the technologies we currently use; if we add materially new vendors or purposes, we will update this policy and re-request consent.

Why we distinguish "essential" from the rest

Essential trackers are exempt from consent because they are strictly necessary to deliver a service you have actively requested — signing in, keeping a session, and security. This includes the small record of your own consent choice: we need to remember that you said "no" without asking you to consent to remembering it.

Analytics and Advertising trackers are not strictly necessary. They exist for our insight and marketing, not to deliver the core service, so they require your prior, informed, opt-in consent.

How consent works

  • Off by default. On your first visit, non-essential trackers are blocked. Nothing in the Analytics or Advertising categories loads until you make a choice.
  • Granular choice. You can accept or reject by category. Essential is always on and shown as such; Analytics and Advertising are independently toggleable. "Reject all" and "Accept all" are given equal prominence — rejecting is never harder than accepting.
  • Informed. The consent banner links to this policy so your choice is informed before you make it.
  • We record the choice. Your decision, per category, is stored with a timestamp and policy version so we can honor it on later visits and evidence it if asked. This record is itself an essential item.
  • We re-prompt on change. If we add a materially new tracker or purpose, we update the policy version and ask again; prior consent does not carry over to new purposes.

Managing or withdrawing consent

  • Change your mind anytime. A persistent "Cookie settings" control reopens the preference panel so you can grant or withdraw consent per category at any time.
  • Withdrawal is as easy as granting. Withdrawing consent stops future loading of the affected trackers. For access or deletion of data already collected, use the data-rights process in our Privacy Policy.
  • Browser controls. You can also block or delete cookies through your browser settings and use browser or operating-system tracking protections. Blocking essential cookies may break sign-in and core dashboard functions.

Third-party providers

The third parties whose trackers may run on our sites, subject to your consent, operate under their own privacy and cookie terms:

Some of these vendors are based outside your jurisdiction and may transfer data internationally. Where that occurs, transfers are made using the safeguards described in our Privacy Policy and required by applicable law.

Contact

Questions about this policy or your cookie choices? Email legal@lab.ai.