Legal

Privacy Policy

Effective date: 1 July 2026 · Last updated: 1 July 2026

This Privacy Policy explains how Apricot Ion Company Limited, operator of the lab.ai Identity Platform (the "Platform", "we", "us"), collects, uses, shares, and protects personal data about you when you visit our website, create an account, purchase and manage an identity (for example john.lab.ai), or otherwise interact with us. It sits alongside our Cookie Policy and the Terms of Service.

1. Who we are (data controller)

1.1 The data controller responsible for your personal data is Apricot Ion Company Limited, a company registered in Thailand under company registration number 0105544108187, with its registered office at 559/67 Thanapat Haus, Nonsi Road, Chongnonsi, Yannawa, Bangkok 10120, Thailand. It is the same entity defined as the "Operator" in the Subscriber Agreement (A.1).

1.2 What we sell. We sell memorable identities under the shared lab.ai domain and provide DNS management for them. We do not provide web hosting, email hosting, or SSL certificate issuance. This matters for privacy: a large part of what happens to your website and email content occurs on third-party services you choose, not on our systems.

1.3 Data protection contact. Privacy questions and requests may be sent to legal@lab.ai (see Section 12).

1.4 EU/UK representative. Where we are required to appoint a representative in the EU/EEA or the UK under Article 27 of the GDPR (or the UK GDPR), we will do so and publish their details here. In the meantime, you may contact us about EU/EEA or UK data-protection matters at legal@lab.ai.

2. What personal data we collect

We collect the following categories of personal data. Where a third-party processor is the primary handler of that data, it is noted (see Section 5 for the full processor list).

  • Account and identity data. Your name and account email address, and any profile details you provide. Used to create and administer your account.
  • Authentication data (via Firebase Authentication — Google). Login credentials and authentication state are handled through Google Firebase Authentication. Depending on the sign-in method you choose — for example email and password, or a supported federated sign-in such as a Google account — this may include a hashed password, a federated sign-in identifier, authentication tokens, and sign-in metadata (timestamps, method).
  • Payment data (processed by Stripe — we do not store card numbers). Purchases and renewals are processed by Stripe, which collects your payment-method details directly. We do not receive or store full card numbers, CVC, or full payment credentials. We retain limited billing-related data returned to us by Stripe — such as a Stripe customer identifier, a payment-method token, card brand and last four digits, expiry month and year, billing country, and transaction and receipt records — to manage renewals, the non-payment lifecycle, and our own records.
  • Identity and DNS records data. The identity names you reserve, purchase, and hold; their status and billing state; and the DNS records you create (host, type, value, priority, TTL) under your identity. DNS record values you enter (for example IP addresses, target hostnames, verification tokens, mail-provider records) are stored and pushed to our DNS provider (ClouDNS) to make your configuration work. Note that DNS records and identity names are inherently public once published — anyone can query them.
  • Technical, usage, and analytics data. Your IP address, device and browser information, pages viewed, actions taken, referring URLs, approximate location derived from IP, and similar usage data — collected through our own systems and, subject to your consent, through analytics and advertising tools (PostHog, Google Analytics 4, and the Google Ads pixel / remarketing tag). See Section 4.
  • Abuse, audit, and security logs. Audit logs and security records — for example account and DNS-change actions (actor, action, resource, metadata, timestamp), reservation and checkout events, payment and fraud signals, abuse reports, blocklist-monitoring signals, and enforcement and review decisions. These may include your identifiers and IP address, and are used for security, fraud prevention, abuse containment, and legal defensibility.
  • Communications data. Emails and support messages you exchange with us, and delivery and engagement metadata for transactional email we send through SendGrid (for example renewal reminders and dunning notices).

We do not seek special-category (sensitive) personal data, and we ask you not to place such data in fields where it is not required. We do not store your full payment card details.

3. How and why we use your data, and legal bases

3.1 Purposes. We use personal data to:

  • create and administer your account and authenticate you;
  • reserve, sell, activate, renew, and manage identities, and run the non-payment lifecycle;
  • provide DNS management by pushing your records to our DNS provider;
  • send transactional and service communications, including renewal reminders and dunning;
  • operate, secure, and improve the Platform, including analytics and product measurement;
  • carry out marketing, advertising, and remarketing, including via Google Ads — subject to consent where required;
  • detect, prevent, investigate, and contain fraud and abuse, and protect the shared lab.ai reputation; and
  • comply with legal obligations and establish, exercise, or defend legal claims.

3.2 Legal bases (GDPR). Where GDPR applies, we rely on:

PurposeLegal basis (GDPR Art. 6)
Account creation, authentication, selling & managing identities, DNS management, transactional emailContract (Art. 6(1)(b)) — necessary to provide the service you purchase
Payment processing and renewalsContract (Art. 6(1)(b)); plus legal obligation (Art. 6(1)(c)) for tax and accounting records
Security, fraud prevention, abuse containment, audit logs, protecting the shared domainLegitimate interests (Art. 6(1)(f)) — securing the Platform and protecting all customers
Product analytics and service improvementConsent (Art. 6(1)(a)) where analytics trackers require it
Marketing, advertising, remarketing (Google Ads pixel, GA4 advertising features)Consent (Art. 6(1)(a))
Compliance with law; legal claimsLegal obligation (Art. 6(1)(c)); legitimate interests (Art. 6(1)(f))

3.3 Thailand PDPA. Because Apricot Ion Company Limited is a company registered in Thailand, our processing is subject to the Thailand Personal Data Protection Act B.E. 2562 (2019) (the "PDPA"), and the Personal Data Protection Committee (PDPC) is our supervisory authority. Where the PDPA applies, we rely on analogous lawful bases: performance of a contract, legitimate interest, legal obligation, and consent where required (notably for marketing and certain trackers). Because the PDPA in several respects requires consent more readily than GDPR's legitimate-interests route, cookie and marketing consent and clear notice at collection are treated as the default for data subjects to whom the PDPA applies. The data-subject rights described in Section 8 apply to data subjects under the PDPA, mirroring those listed there.

3.4 Automated decisions. Our abuse and fraud controls involve automated triage, but enforcement decisions with a significant effect on you — such as suspension of an identity — are subject to human review, and you may contest them through the appeal channel in the Subscriber Agreement (A.5).

4. Cookies and tracking

4.1 We and our analytics and advertising providers use cookies and similar technologies (including pixels, tags, and local storage) for authentication and session management, security, product analytics (PostHog, Google Analytics 4), and advertising and remarketing (Google Ads pixel / remarketing tag).

4.2 Our separate Cookie Policy describes the specific cookies and trackers, their purposes and durations, and how to manage your choices. Where consent is required, non-essential cookies and trackers (analytics and advertising) are set only after you opt in via our consent banner.

4.3 Because lab.ai is (or will be) listed on the Public Suffix List, cookies are scoped per-label (for example to app.lab.ai) and are not shared across customer identities. This is a privacy and isolation benefit.

5. Third-party processors and sub-processors

We share personal data with the service providers below, who process it on our behalf (as processors or sub-processors) or, where noted, as independent controllers for their own purposes. Data is shared only to the extent needed for each function.

ProviderFunctionData involved
Google Firebase (Google)Authentication + Firestore database (core data store)Account, authentication, identity/DNS, most application data
StripePayment processing, saved cards, renewalsPayment-method data (held by Stripe), billing references, transaction records
SendGrid (Twilio)Transactional email deliveryEmail address, message content and metadata
ClouDNSDNS record hosting and resolutionDNS record values, identity names (public)
PostHogProduct analyticsUsage and event data, IP, device, identifiers
Google Analytics 4 (Google)Web and product analyticsUsage data, IP (may be truncated), identifiers
Google Ads (Google)Advertising pixel / remarketingAd-interaction identifiers, cookies

We maintain this list and will update it if we add materially new providers. We may also disclose personal data: to professional advisers (legal, accounting); to authorities or third parties where required by law, to enforce our terms, or to protect rights, safety, and the integrity of the shared lab.ai domain (including abuse and child-safety reporting under the AUP); and to a successor entity in a merger, acquisition, wind-down, or escrow and continuity event. We do not sell your personal data.

Data processing for business customers (DPA). If you use the Platform as a business customer and we process personal data on your behalf, a Data Processing Addendum (DPA) incorporating the processor terms required by Article 28 of the GDPR (and the equivalent provisions of the PDPA) is available on request — contact legal@lab.ai. The DPA incorporates the sub-processor list set out in this Section 5.

6. International data transfers

6.1 Our providers (Google/Firebase, Stripe, SendGrid, PostHog, Google) operate globally, so your personal data may be transferred to and processed in countries outside your own, including the United States and other jurisdictions that may not offer the same level of data protection as your home country.

6.2 Where such transfers are subject to GDPR or UK GDPR, we rely on appropriate safeguards — typically the European Commission's Standard Contractual Clauses (and the UK IDTA or Addendum), the EU–US Data Privacy Framework where a provider is certified (for example Stripe and Google), and supplementary measures as needed. Where the PDPA applies, we rely on its cross-border transfer mechanisms. You may request more information about the safeguards in place via legal@lab.ai.

7. Data retention

We keep personal data only as long as necessary for the purposes in Section 3, then delete or anonymize it:

  • Account data — for the life of your account and for a limited period afterward before deletion or anonymization.
  • Identity ownership records — retained through the non-payment lifecycle and while the identity is held; note that ownership records are not immediately deleted on non-payment.
  • Payment and billing records — retained for as long as required by applicable tax and accounting law.
  • Audit, abuse, and security logs — retained for as long as needed for security and legal-defensibility purposes.
  • Analytics data — retained per provider settings and your consent.
  • Email and communications — retained for as long as needed to support you and keep our records.

8. Your rights

8.1 Subject to applicable law (GDPR, UK GDPR, Thailand PDPA, and others as relevant), you may have the right to: access a copy of your personal data; rectify inaccurate or incomplete data; request erasure, subject to our need to retain certain data (for example billing records and abuse logs); receive certain data in a portable, machine-readable format (portability); request restriction of processing in certain cases; object to processing based on legitimate interests, and to direct marketing at any time; and withdraw consent where we rely on it (for example analytics and advertising), without affecting prior lawful processing.

8.2 How to exercise. Submit requests to legal@lab.ai. We will respond within the timeframe required by law and may need to verify your identity before acting.

8.3 Complaints. Contact legal@lab.ai first, so we can try to resolve the matter. You may also lodge a complaint with your local supervisory authority — an EU/EEA Data Protection Authority, the UK ICO, or Thailand's Personal Data Protection Committee (PDPC).

9. Security measures

9.1 We take technical and organizational measures to protect personal data, including: authentication via a managed provider (Firebase); not storing full card data (payments isolated to Stripe); access controls and least-privilege access to the database and DNS controls; encryption in transit; audit logging of sensitive actions; per-label cookie and origin isolation between customer identities; and abuse and blocklist monitoring with fast containment.

9.2 No system is perfectly secure. We cannot guarantee absolute security, and third-party services (hosting, email, DNS) operate under their own security programs outside our control.

9.3 Breach notification. In the event of a personal-data breach, we will notify supervisory authorities and affected individuals as required by GDPR (within 72 hours to the authority where feasible), the PDPA, and other applicable law.

10. Children

The Platform is not intended for children. You must be at least 18 years old, or the age of majority in your jurisdiction if higher, to create an account or purchase an identity. We do not knowingly collect personal data from children below that age; if we learn we have done so, we will delete it.

11. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email and/or a dashboard notice before they take effect, consistent with the Subscriber Agreement (A.10). The "last updated" date at the top indicates the current version.

12. Contact

For any privacy question, request, or complaint, contact us at legal@lab.ai. The data controller is Apricot Ion Company Limited (company registration number 0105544108187), registered office 559/67 Thanapat Haus, Nonsi Road, Chongnonsi, Yannawa, Bangkok 10120, Thailand. Data-handling commitments that sit alongside this policy — including audit logging and the platform's isolation and abuse controls — are also summarized on the Trust & Ownership page.