Privacy Policy

Last Updated: October 5, 2025

1. Purpose and Scope

This Privacy Policy explains how Lapis Labs Inc. ("Lapis," "we," "our") handles personal data when you interact with any website, dashboard, API, SDK, mobile app, or other online property that we own and operate (collectively, the "Services"). It applies to visitors, customers, end-users, event participants, and anyone who contacts us. The notice does not apply to information that can no longer be linked to an individual, nor to third-party services you choose to connect with Lapis.

2. Who We Are

Legal entity: Lapis Labs Inc., a Delaware corporation

Headquarters: 2261 Market Street STE 86894, San Francisco CA 94114, United States

Primary contact for privacy: contact@trylapis.com

We respond to written requests only and do not accept privacy inquiries by telephone.

3. Key Concepts

Personal data: Information that identifies or can reasonably be linked to a natural person.

Customer data: Any content such as logs, datasets, prompts, or model outputs that you or your authorised users submit to or generate in the Services.

Processing: Any operation performed on personal data, including collection, storage, analysis, sharing, or deletion.

4. What We Collect

We may process:

Account details you submit, such as name, business email, organisation, login credentials, billing address, and subscription tier.

Customer data that flows through our analytics pipelines at your direction, including structured files, unstructured text, and derived AI outputs.

Usage information recorded automatically, for example IP addresses, device and browser types, timestamps, feature engagement metrics, error logs, and diagnostic reports.

Tracking identifiers placed by cookies, pixels, or local-storage objects.

Integration data obtained from identity providers or business apps you authorise.

Payment metadata supplied by our payment processor, for example card type and last four digits.

Support and event content contained in emails, chat transcripts, surveys, or badge scans.

5. How We Collect It

Directly from you via forms, uploads, emails, in-product fields, or event registrations.

Automatically through server logs, client instrumentation, cookies, and similar technologies.

From third parties such as single-sign-on providers, integration partners, or authorised resellers.

By derivation when the platform generates insights, vector embeddings, or aggregated statistics.

6. Why We Process Personal Data

We use personal data to:

  • Provide, troubleshoot, and secure the Services you request.
  • Authenticate users, manage accounts, and handle billing.
  • Execute analytics, machine-learning, and visualisation tasks you initiate.
  • Research and develop new features, algorithms, and performance enhancements.
  • Send transactional notices, product updates, security alerts, and, with the requisite permission, marketing communications.
  • Detect, investigate, and prevent fraud, abuse, or policy violations.
  • Comply with legal, tax, and regulatory obligations or defend our legal rights.

7. Legal Grounds (where required)

Contract necessity for core functionality you have requested.

Legitimate interests in operating, improving, and securing an analytics platform, balanced against your rights.

Consent for optional cookies, promotional email, or other uses you proactively allow.

Legal obligation when statutes, regulations, or court orders compel us.

8. Cookies and Similar Technologies

We rely on small data files and software-development kits to:

  • Keep you signed in and route traffic efficiently.
  • Measure site traffic, feature adoption, and campaign results.
  • Remember locale, theme, and other interface preferences.
  • Deliver limited advertising or retargeting where law permits.

Lapis is currently intended only for customers located in the United States.

9. Sharing and Disclosure

We never sell personal data. We disclose it only:

  • To carefully vetted service providers that host infrastructure, process payments, send email, supply customer-support tools, or monitor performance; each is bound by strict confidentiality and data-processing terms.
  • To third-party applications you enable through integrations, and only to the extent necessary to make the integration work.
  • To our professional advisers, including attorneys, auditors, and insurers, under confidentiality duty.
  • In connection with a merger, acquisition, financing, or sale of assets, subject to continuous protection of the data.
  • When required by law or to protect the rights, safety, or property of Lapis, our users, or the public.

10. Cross Border Transfers

The Services operate in, and we store and process personal data exclusively in the United States. The Services are available only to users located in the United States. We block access from IP addresses geolocated outside the United States. If you attempt to access the Services from outside the United States (including the European Economic Area or the United Kingdom), your access will be denied. We do not intentionally collect or store personal data of non-U.S. users; however, minimal technical logs related to blocked requests may be processed in the United States for security and compliance purposes.

11. Information Security

Lapis has not yet completed a SOC 2 examination. Nevertheless, we employ administrative, technical, and physical controls that align with respected security frameworks:

  • Governance policies reviewed by senior leadership and audited annually.
  • Multi-factor authentication, least-privilege role assignments, and quarterly access reviews.
  • Encryption in transit using TLS 1.2 or higher with HSTS, and encryption at rest using AES-256 with managed keys.
  • Virtual-private-cloud segmentation, firewalls, and web-application-firewall rules.
  • Continuous vulnerability scanning, weekly dependency checks, and independent penetration tests.
  • Real-time monitoring, immutable audit trails, and an incident-response plan that includes notification procedures.
  • Redundant backups, disaster-recovery drills, and round-the-clock on-call engineering coverage.
  • Mandatory security and privacy training for all personnel and background screening where lawful.

12. Data Retention

We keep personal data only as long as necessary for the purposes outlined above.

Account and billing records persist throughout the customer relationship and for seven years afterward to meet tax and audit requirements.

Customer data remains for the term specified in our agreement and is typically erased within thirty days of service termination or upon verified deletion request.

Backup copies roll off a short, fixed schedule and are then unrecoverable.

Marketing contacts are deleted or anonymised when you opt-out or after two years of inactivity.

13. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Ask whether we process your personal data and obtain a copy.
  • Correct inaccurate or incomplete information.
  • Request deletion where no lawful reason to retain it exists.
  • Receive data you provided in a portable format.
  • Restrict or object to processing based on legitimate interests.
  • Withdraw consent at any time without affecting prior lawful processing.
  • Lodge a complaint with a supervisory authority if you believe we have violated applicable law.

Lapis does not "sell" or "share" personal data as defined by California or similar state privacy statutes, but we honour any applicable opt-out rights. To exercise any right, email contact@trylapis.com with sufficient information to verify your identity, and we will respond within the timeframe mandated by law.

14. Children's Privacy

The Services target professional users and are not intended for anyone under sixteen years of age. We do not collect any personal data related to any individual. If you learn that a child has provided data to Lapis, contact contact@trylapis.com so that we can delete it promptly.

15. Third Party Links and Integrations

Our websites and products may offer links or connections to services operated by third parties. Your interactions with those services are subject to their privacy practices, not ours. Review their policies before sharing information.

16. Changes to This Policy

We may revise this Privacy Policy from time to time. If a modification materially alters your rights or obligations, we will provide conspicuous notice, such as an email or in-app alert, no fewer than thirty days before the change takes effect. Historical versions will remain accessible on our site for transparency. Continued use of the Services after the effective date constitutes acceptance of the updated policy.

17. Contact Information

Questions about this Privacy Policy should be directed in writing to:

Lapis Labs Inc.
2261 Market Street STE 86894
San Francisco CA 94114
United States
contact@trylapis.com

Lapis handles legal and privacy communications exclusively through written correspondence and does not accept phone calls regarding the Terms.