Effective date: 1 July 2026 · Last updated: 1 July 2026
This Privacy Policy explains how Apricot Ion Company Limited, operator of the lab.ai Identity Platform (the "Platform", "we", "us"), collects, uses, shares, and protects personal data about you when you visit our website, create an account, purchase and manage an identity (for example john.lab.ai), or otherwise interact with us. It sits alongside our Cookie Policy and the Terms of Service.
1.1 The data controller responsible for your personal data is Apricot Ion Company Limited, a company registered in Thailand under company registration number 0105544108187, with its registered office at 559/67 Thanapat Haus, Nonsi Road, Chongnonsi, Yannawa, Bangkok 10120, Thailand. It is the same entity defined as the "Operator" in the Subscriber Agreement (A.1).
1.2 What we sell. We sell memorable identities under the shared lab.ai domain and provide DNS management for them. We do not provide web hosting, email hosting, or SSL certificate issuance. This matters for privacy: a large part of what happens to your website and email content occurs on third-party services you choose, not on our systems.
1.3 Data protection contact. Privacy questions and requests may be sent to legal@lab.ai (see Section 12).
1.4 EU/UK representative. Where we are required to appoint a representative in the EU/EEA or the UK under Article 27 of the GDPR (or the UK GDPR), we will do so and publish their details here. In the meantime, you may contact us about EU/EEA or UK data-protection matters at legal@lab.ai.
We collect the following categories of personal data. Where a third-party processor is the primary handler of that data, it is noted (see Section 5 for the full processor list).
We do not seek special-category (sensitive) personal data, and we ask you not to place such data in fields where it is not required. We do not store your full payment card details.
3.1 Purposes. We use personal data to:
lab.ai reputation; and
3.2 Legal bases (GDPR). Where GDPR applies, we rely on:
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Account creation, authentication, selling & managing identities, DNS management, transactional email | Contract (Art. 6(1)(b)) — necessary to provide the service you purchase |
| Payment processing and renewals | Contract (Art. 6(1)(b)); plus legal obligation (Art. 6(1)(c)) for tax and accounting records |
| Security, fraud prevention, abuse containment, audit logs, protecting the shared domain | Legitimate interests (Art. 6(1)(f)) — securing the Platform and protecting all customers |
| Product analytics and service improvement | Consent (Art. 6(1)(a)) where analytics trackers require it |
| Marketing, advertising, remarketing (Google Ads pixel, GA4 advertising features) | Consent (Art. 6(1)(a)) |
| Compliance with law; legal claims | Legal obligation (Art. 6(1)(c)); legitimate interests (Art. 6(1)(f)) |
3.3 Thailand PDPA. Because Apricot Ion Company Limited is a company registered in Thailand, our processing is subject to the Thailand Personal Data Protection Act B.E. 2562 (2019) (the "PDPA"), and the Personal Data Protection Committee (PDPC) is our supervisory authority. Where the PDPA applies, we rely on analogous lawful bases: performance of a contract, legitimate interest, legal obligation, and consent where required (notably for marketing and certain trackers). Because the PDPA in several respects requires consent more readily than GDPR's legitimate-interests route, cookie and marketing consent and clear notice at collection are treated as the default for data subjects to whom the PDPA applies. The data-subject rights described in Section 8 apply to data subjects under the PDPA, mirroring those listed there.
3.4 Automated decisions. Our abuse and fraud controls involve automated triage, but enforcement decisions with a significant effect on you — such as suspension of an identity — are subject to human review, and you may contest them through the appeal channel in the Subscriber Agreement (A.5).
4.1 We and our analytics and advertising providers use cookies and similar technologies (including pixels, tags, and local storage) for authentication and session management, security, product analytics (PostHog, Google Analytics 4), and advertising and remarketing (Google Ads pixel / remarketing tag).
4.2 Our separate Cookie Policy describes the specific cookies and trackers, their purposes and durations, and how to manage your choices. Where consent is required, non-essential cookies and trackers (analytics and advertising) are set only after you opt in via our consent banner.
4.3 Because lab.ai is (or will be) listed on the Public Suffix List, cookies are scoped per-label (for example to app.lab.ai) and are not shared across customer identities. This is a privacy and isolation benefit.
We share personal data with the service providers below, who process it on our behalf (as processors or sub-processors) or, where noted, as independent controllers for their own purposes. Data is shared only to the extent needed for each function.
| Provider | Function | Data involved |
|---|---|---|
| Google Firebase (Google) | Authentication + Firestore database (core data store) | Account, authentication, identity/DNS, most application data |
| Stripe | Payment processing, saved cards, renewals | Payment-method data (held by Stripe), billing references, transaction records |
| SendGrid (Twilio) | Transactional email delivery | Email address, message content and metadata |
| ClouDNS | DNS record hosting and resolution | DNS record values, identity names (public) |
| PostHog | Product analytics | Usage and event data, IP, device, identifiers |
| Google Analytics 4 (Google) | Web and product analytics | Usage data, IP (may be truncated), identifiers |
| Google Ads (Google) | Advertising pixel / remarketing | Ad-interaction identifiers, cookies |
We maintain this list and will update it if we add materially new providers. We may also disclose personal data: to professional advisers (legal, accounting); to authorities or third parties where required by law, to enforce our terms, or to protect rights, safety, and the integrity of the shared lab.ai domain (including abuse and child-safety reporting under the AUP); and to a successor entity in a merger, acquisition, wind-down, or escrow and continuity event. We do not sell your personal data.
Data processing for business customers (DPA). If you use the Platform as a business customer and we process personal data on your behalf, a Data Processing Addendum (DPA) incorporating the processor terms required by Article 28 of the GDPR (and the equivalent provisions of the PDPA) is available on request — contact legal@lab.ai. The DPA incorporates the sub-processor list set out in this Section 5.
6.1 Our providers (Google/Firebase, Stripe, SendGrid, PostHog, Google) operate globally, so your personal data may be transferred to and processed in countries outside your own, including the United States and other jurisdictions that may not offer the same level of data protection as your home country.
6.2 Where such transfers are subject to GDPR or UK GDPR, we rely on appropriate safeguards — typically the European Commission's Standard Contractual Clauses (and the UK IDTA or Addendum), the EU–US Data Privacy Framework where a provider is certified (for example Stripe and Google), and supplementary measures as needed. Where the PDPA applies, we rely on its cross-border transfer mechanisms. You may request more information about the safeguards in place via legal@lab.ai.
We keep personal data only as long as necessary for the purposes in Section 3, then delete or anonymize it:
8.1 Subject to applicable law (GDPR, UK GDPR, Thailand PDPA, and others as relevant), you may have the right to: access a copy of your personal data; rectify inaccurate or incomplete data; request erasure, subject to our need to retain certain data (for example billing records and abuse logs); receive certain data in a portable, machine-readable format (portability); request restriction of processing in certain cases; object to processing based on legitimate interests, and to direct marketing at any time; and withdraw consent where we rely on it (for example analytics and advertising), without affecting prior lawful processing.
8.2 How to exercise. Submit requests to legal@lab.ai. We will respond within the timeframe required by law and may need to verify your identity before acting.
8.3 Complaints. Contact legal@lab.ai first, so we can try to resolve the matter. You may also lodge a complaint with your local supervisory authority — an EU/EEA Data Protection Authority, the UK ICO, or Thailand's Personal Data Protection Committee (PDPC).
9.1 We take technical and organizational measures to protect personal data, including: authentication via a managed provider (Firebase); not storing full card data (payments isolated to Stripe); access controls and least-privilege access to the database and DNS controls; encryption in transit; audit logging of sensitive actions; per-label cookie and origin isolation between customer identities; and abuse and blocklist monitoring with fast containment.
9.2 No system is perfectly secure. We cannot guarantee absolute security, and third-party services (hosting, email, DNS) operate under their own security programs outside our control.
9.3 Breach notification. In the event of a personal-data breach, we will notify supervisory authorities and affected individuals as required by GDPR (within 72 hours to the authority where feasible), the PDPA, and other applicable law.
The Platform is not intended for children. You must be at least 18 years old, or the age of majority in your jurisdiction if higher, to create an account or purchase an identity. We do not knowingly collect personal data from children below that age; if we learn we have done so, we will delete it.
We may update this Privacy Policy from time to time. Material changes will be communicated by email and/or a dashboard notice before they take effect, consistent with the Subscriber Agreement (A.10). The "last updated" date at the top indicates the current version.
For any privacy question, request, or complaint, contact us at legal@lab.ai. The data controller is Apricot Ion Company Limited (company registration number 0105544108187), registered office 559/67 Thanapat Haus, Nonsi Road, Chongnonsi, Yannawa, Bangkok 10120, Thailand. Data-handling commitments that sit alongside this policy — including audit logging and the platform's isolation and abuse controls — are also summarized on the Trust & Ownership page.