Privacy Policy

Last Updated: January 28, 2026

1. Purpose and Scope

This Privacy Policy explains how Lapis Labs Inc. ("Lapis," "we," "our") handles personal data when you interact with any website, dashboard, API, SDK, mobile app, or other online property that we own and operate (collectively, the "Services"). It applies to visitors, customers, end-users, event participants, and anyone who contacts us. The notice does not apply to information that can no longer be linked to an individual, nor to third-party services you choose to connect with Lapis.

2. Who We Are

Legal entity: Lapis Labs Inc., a Delaware corporation

Headquarters: 2261 Market Street STE 86894, San Francisco CA 94114, United States

Primary contact for privacy: contact@trylapis.com

We respond to written requests only and do not accept privacy inquiries by telephone.

3. Key Concepts

Personal data: Information that identifies or can reasonably be linked to a natural person.

Customer data: Any content such as logs, datasets, prompts, or model outputs that you or your authorised users submit to or generate in the Services.

Processing: Any operation performed on personal data, including collection, storage, analysis, sharing, or deletion.

4. What We Collect

We may process:

Account details you submit, such as name, business email, organisation, login credentials, billing address, and subscription tier.

Customer data that flows through our analytics pipelines at your direction, including structured files, unstructured text, and derived AI outputs.

Brand and website data extracted when you provide a website URL for ad generation. Our systems programmatically crawl the URL you submit to extract brand assets including logos, colour palettes, fonts, and screenshots. This data is used solely to generate brand-consistent advertising content on your behalf.

Product data obtained when you submit product URLs from e-commerce platforms (such as Shopify or Amazon) or other websites. We extract product images, titles, descriptions, and related metadata to enable product-aware ad generation.

Target audience data you configure for ad campaigns, including company industries, company revenue ranges, company sizes, job functions, job titles, seniority levels, years of experience, and gender demographics.

Reference images you upload to guide the style or content of generated advertisements. These images are stored for the duration of your session or as part of your collections and may be used to inform the visual output of AI-generated content.

Product collections you create, including collection names, slugs, and associated product data, which enable @mention functionality in ad generation prompts.

Usage information recorded automatically, for example IP addresses, device and browser types, timestamps, feature engagement metrics, error logs, and diagnostic reports.

Tracking identifiers placed by cookies, pixels, or local-storage objects.

Integration data obtained from identity providers or business apps you authorise.

Payment metadata supplied by our payment processor, for example card type and last four digits.

Support and event content contained in emails, chat transcripts, surveys, or badge scans.

5. How We Collect It

Directly from you via forms, uploads, emails, in-product fields, or event registrations.

Automatically through server logs, client instrumentation, cookies, and similar technologies.

From third parties such as single-sign-on providers, integration partners, or authorised resellers.

By derivation when the platform generates insights, vector embeddings, or aggregated statistics.

6. Why We Process Personal Data

We use personal data to:

  • Provide, troubleshoot, and secure the Services you request.
  • Authenticate users, manage accounts, and handle billing.
  • Execute analytics, machine-learning, and visualisation tasks you initiate.
  • Research and develop new features, algorithms, and performance enhancements.
  • Send transactional notices, product updates, security alerts, and, with the requisite permission, marketing communications.
  • Detect, investigate, and prevent fraud, abuse, or policy violations.
  • Comply with legal, tax, and regulatory obligations or defend our legal rights.

7. Legal Grounds (where required)

Contract necessity for core functionality you have requested.

Legitimate interests in operating, improving, and securing an analytics platform, balanced against your rights.

Consent for optional cookies, promotional email, or other uses you proactively allow.

Legal obligation when statutes, regulations, or court orders compel us.

8. Cookies and Similar Technologies

We rely on small data files and software-development kits to:

  • Keep you signed in and route traffic efficiently.
  • Measure site traffic, feature adoption, and campaign results.
  • Remember locale, theme, and other interface preferences.
  • Deliver limited advertising or retargeting where law permits.

Lapis is currently intended only for customers located in the United States and India.

9. Sharing and Disclosure

We never sell personal data. We disclose it only:

  • To carefully vetted service providers that host infrastructure, process payments, send email, supply customer-support tools, or monitor performance; each is bound by strict confidentiality and data-processing terms.
  • To third-party applications you enable through integrations, and only to the extent necessary to make the integration work.
  • To our professional advisers, including attorneys, auditors, and insurers, under confidentiality duty.
  • In connection with a merger, acquisition, financing, or sale of assets, subject to continuous protection of the data.
  • When required by law or to protect the rights, safety, or property of Lapis, our users, or the public.

9A. Use of Customer Marks in Marketing

By creating an Account or using the Services, you grant Lapis a non-exclusive, worldwide, royalty-free licence to use, reproduce, and display your company name, logo, trademark, trade name, service mark, and similar brand identifiers (collectively, "Customer Marks") in Lapis's marketing materials, website, sales presentations, case studies, press releases, investor communications, and other promotional content for the purpose of identifying you as a customer of Lapis.

This licence does not grant Lapis any ownership interest in Customer Marks, and all goodwill arising from such use shall inure to your benefit. Lapis agrees to use Customer Marks in a manner that does not disparage or damage your reputation or the goodwill associated with Customer Marks.

If you prefer that Lapis not use your Customer Marks for marketing purposes, you may notify us in writing at contact@trylapis.com. Upon receipt of such notice, Lapis will remove your Customer Marks from future marketing materials within a commercially reasonable timeframe, provided that Lapis shall have no obligation to recall or modify materials already in circulation or distributed to third parties prior to such notice.

10. Cross Border Transfers

The Services operate in, and we store and process personal data in the United States. The Services are available only to users located in the United States and India. We block access from IP addresses geolocated outside these regions. If you attempt to access the Services from outside the United States or India (including the European Economic Area or the United Kingdom), your access will be denied. We do not intentionally collect or store personal data of users outside our supported regions; however, minimal technical logs related to blocked requests may be processed in the United States for security and compliance purposes.

11. Information Security

Lapis has not yet completed a SOC 2 examination. Nevertheless, we employ administrative, technical, and physical controls that align with respected security frameworks:

  • Governance policies reviewed by senior leadership and audited annually.
  • Multi-factor authentication, least-privilege role assignments, and quarterly access reviews.
  • Encryption in transit using TLS 1.2 or higher with HSTS, and encryption at rest using AES-256 with managed keys.
  • Virtual-private-cloud segmentation, firewalls, and web-application-firewall rules.
  • Continuous vulnerability scanning, weekly dependency checks, and independent penetration tests.
  • Real-time monitoring, immutable audit trails, and an incident-response plan that includes notification procedures.
  • Redundant backups, disaster-recovery drills, and round-the-clock on-call engineering coverage.
  • Mandatory security and privacy training for all personnel and background screening where lawful.

12. Data Retention

We keep personal data only as long as necessary for the purposes outlined above.

Account and billing records persist throughout the customer relationship and for seven years afterward to meet tax and audit requirements.

Customer data remains for the term specified in our agreement and is typically erased within thirty days of service termination or upon verified deletion request.

Backup copies roll off a short, fixed schedule and are then unrecoverable.

Marketing contacts are deleted or anonymised when you opt-out or after two years of inactivity.

13. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Ask whether we process your personal data and obtain a copy.
  • Correct inaccurate or incomplete information.
  • Request deletion where no lawful reason to retain it exists.
  • Receive data you provided in a portable format.
  • Restrict or object to processing based on legitimate interests.
  • Withdraw consent at any time without affecting prior lawful processing.
  • Lodge a complaint with a supervisory authority if you believe we have violated applicable law.

Lapis does not "sell" or "share" personal data as defined by California or similar state privacy statutes, but we honour any applicable opt-out rights. To exercise any right, email contact@trylapis.com with sufficient information to verify your identity, and we will respond within the timeframe mandated by law.

14. Children's Privacy

The Services target professional users and are not intended for anyone under sixteen years of age. We do not collect any personal data related to any individual. If you learn that a child has provided data to Lapis, contact contact@trylapis.com so that we can delete it promptly.

15. Third Party Links and Integrations

Our websites and products may offer links or connections to services operated by third parties. Your interactions with those services are subject to their privacy practices, not ours. Review their policies before sharing information.

Advertising Platform Integrations. The Services may integrate with third-party advertising platforms such as LinkedIn, Meta (Facebook and Instagram), Google, TikTok, and others. When you connect your advertising accounts or publish content to these platforms through the Services, data may flow between Lapis and those platforms as necessary to enable the integration. This may include campaign data, creative assets, audience targeting parameters, and performance metrics. Each platform's collection and use of your data is governed by its own privacy policy.

16. Changes to This Policy

We may revise this Privacy Policy from time to time. If a modification materially alters your rights or obligations, we will provide conspicuous notice, such as an email or in-app alert, no fewer than thirty days before the change takes effect. Historical versions will remain accessible on our site for transparency. Continued use of the Services after the effective date constitutes acceptance of the updated policy.

17. Contact Information

Questions about this Privacy Policy should be directed in writing to:

Lapis Labs Inc.
2261 Market Street STE 86894
San Francisco CA 94114
United States
contact@trylapis.com

Lapis handles legal and privacy communications exclusively through written correspondence and does not accept phone calls regarding the Terms.