Privacy Policy

Last updated: March 2026

1. Introduction

Labotrack (“we”, “us”, or “our”) operates the website www.labotrack.com and the labotrack application at app.labotrack.com (collectively, the “Service”). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

We are committed to protecting your personal data and complying with the UK General Data Protection Regulation (UK GDPR) and the EU General Data Protection Regulation (EU GDPR). By using the Service, you agree to the collection and use of information in accordance with this policy.

2. Who Is Responsible for Your Data

labotrack is responsible for looking after your personal data. If you have any questions about this Privacy Policy or how we handle your data, please contact us at alwyn@labotrack.com.

3. Information We Collect

3.1 Personal Information

When you create an account or use the Service, we may collect:

  • Identity data: your name and email address, as provided during account registration.
  • Organisation data: the name and details of your research lab or organisation.
  • Sign-in data: account credentials managed through our sign-in provider (Clerk). We do not store passwords directly.

3.2 Asset and Usage Data

When you use the Service, we store the data you input, including:

  • Asset records (equipment names, descriptions, categories, locations, conditions, purchase data, and assignment history).
  • Organisational structures (labs, teams, and member roles).
  • Activity logs and change history generated by your use of the Service.

3.3 Automatically Collected Data

When you access the Service, we may automatically collect:

  • Device and browser information (browser type, operating system, device type).
  • IP address and approximate geographic location.
  • Pages visited, time spent, and interaction patterns.
  • Referral source and session identifiers.

4. Legal Basis for Processing

We process your personal data on the following legal bases under the GDPR:

  • Contractual necessity: processing is necessary to provide the Service you have requested (Article 6(1)(b)).
  • Legitimate interests: processing is necessary for our legitimate interests, such as improving the Service, ensuring security, and preventing fraud (Article 6(1)(f)).
  • Consent: where you have given consent for specific activities, such as marketing communications (Article 6(1)(a)).
  • Legal obligation: processing is necessary to comply with a legal obligation (Article 6(1)(c)).

5. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the Service.
  • Authenticate your identity and manage your account.
  • Process and store asset data on behalf of your organisation.
  • Send essential service messages (account verification, security alerts, service updates).
  • Analyse usage patterns to improve the Service.
  • Ensure the security and integrity of the Service.
  • Comply with legal obligations and enforce our terms.

6. Third-Party Services

We use the following third-party service providers:

  • Clerk (sign-in): manages user sign-in, sessions, and identity verification. Clerk Privacy Policy.
  • Supabase (database): stores application data with strict data separation between organisations — each lab's data is completely isolated. Supabase Privacy Policy.
  • Vercel (hosting): hosts the Service infrastructure in the UK/EU region. Vercel Privacy Policy.

7. Data Storage and Security

Your data is hosted in the United Kingdom and European Union. We implement appropriate measures including:

  • All data is encrypted when sent between your device and our servers, and while stored on our servers.
  • Strict data separation in our database — each organisation's data is completely isolated from others.
  • Regular security reviews and access controls.
  • Sign-in managed by Clerk with industry-standard security practices.

8. Data Retention

  • Account data: retained for the duration of your account. Upon account deletion, personal data is removed within 30 days.
  • Asset data: retained for the duration of your organisation's account. When an organisation is deleted, all associated asset data is permanently removed within 30 days.
  • Automatically collected data: retained for up to 12 months for analytics and security purposes, then summarised or deleted.
  • Backup data: may persist in encrypted backups for up to 90 days after deletion.

9. Your Rights Under GDPR

You have the following rights regarding your personal data:

  • Right of access: request a copy of the personal data we hold about you.
  • Right to rectification: request correction of inaccurate or incomplete personal data.
  • Right to erasure: request deletion of your personal data (“right to be forgotten”).
  • Right to restrict processing: request that we limit how we use your data.
  • Right to data portability: request your data in a structured, commonly used, machine-readable format.
  • Right to object: object to processing based on legitimate interests or for direct marketing purposes.
  • Right to withdraw consent: withdraw consent at any time where processing is based on consent.

To exercise any of these rights, contact us at alwyn@labotrack.com. We will respond within 30 days.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

10. Cookies

We use cookies and similar tracking technologies. For details, see our Cookie Policy.

11. International Data Transfers

Our primary infrastructure is hosted in the UK/EU region. Where data is transferred outside the UK or EEA, we ensure appropriate legal safeguards are in place as required by data protection law.

12. Children's Privacy

The Service is not directed at individuals under the age of 16. We do not knowingly collect personal data from children.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will post the new policy on this page and update the “Last updated” date.

14. Contact Us