Privacy Policy

Last updated: July 27, 2025

1. Purpose and Scope

This Privacy Policy explains how Lapis Labs Inc. ("Lapis," "we," "our") handles personal data when you interact with any website, dashboard, API, SDK, mobile app, or other online property that we own and operate (collectively, the "Services"). It applies to visitors, customers, end‑users, event participants, and anyone who contacts us. The notice does not apply to information that can no longer be linked to an individual, nor to third‑party services you choose to connect with Lapis.

2. Who We Are

  • Legal entity: Lapis Labs Inc., a Delaware corporation
  • Headquarters: 201 Spear Street, San Francisco, California 94105, USA
  • Primary contact for privacy: privacy@trylapis.com

We respond to written requests only and do not accept privacy inquiries by telephone.

3. Key Concepts

  • Personal data: Information that identifies or can reasonably be linked to a natural person.
  • Customer data: Any content such as logs, datasets, prompts, or model outputs that you or your authorised users submit to or generate in the Services.
  • Processing: Any operation performed on personal data, including collection, storage, analysis, sharing, or deletion.

4. What We Collect

We may process:

  • Account details you submit, such as name, business email, organisation, login credentials, billing address, and subscription tier.
  • Customer data that flows through our analytics pipelines at your direction, including structured files, unstructured text, and derived AI outputs.
  • Usage information recorded automatically, for example IP addresses, device and browser types, timestamps, feature engagement metrics, error logs, and diagnostic reports.
  • Tracking identifiers placed by cookies, pixels, or local‑storage objects.
  • Integration data obtained from identity providers or business apps you authorise.
  • Payment metadata supplied by our payment processor, for example card type and last four digits.
  • Support and event content contained in emails, chat transcripts, surveys, or badge scans.

5. How We Collect It

  • Directly from you via forms, uploads, emails, in‑product fields, or event registrations.
  • Automatically through server logs, client instrumentation, cookies, and similar technologies.
  • From third parties such as single‑sign‑on providers, integration partners, or authorised resellers.
  • By derivation when the platform generates insights, vector embeddings, or aggregated statistics.

6. Why We Process Personal Data

We use personal data to:

  • Provide, troubleshoot, and secure the Services you request.
  • Authenticate users, manage accounts, and handle billing.
  • Execute analytics, machine‑learning, and visualisation tasks you initiate.
  • Research and develop new features, algorithms, and performance enhancements.
  • Send transactional notices, product updates, security alerts, and, with the requisite permission, marketing communications.
  • Detect, investigate, and prevent fraud, abuse, or policy violations.
  • Comply with legal, tax, and regulatory obligations or defend our legal rights.

8. Cookies and Similar Technologies

We rely on small data files and software‑development kits to:

  • Keep you signed in and route traffic efficiently.
  • Measure site traffic, feature adoption, and campaign results.
  • Remember locale, theme, and other interface preferences.
  • Deliver limited advertising or retargeting where law permits.

Users in jurisdictions requiring opt‑in will see a consent banner. Cookie settings can be updated at any time, and browser‑level blocking is also possible, although some features may behave unpredictably.

9. Sharing and Disclosure

We never sell personal data. We disclose it only:

  • To carefully vetted service providers that host infrastructure, process payments, send email, supply customer‑support tools, or monitor performance; each is bound by strict confidentiality and data‑processing terms.
  • To third‑party applications you enable through integrations, and only to the extent necessary to make the integration work.
  • To our professional advisers, including attorneys, auditors, and insurers, under a duty of confidentiality.
  • In connection with a merger, acquisition, financing, or sale of assets, subject to continuous protection of the data.
  • When required by law or to protect the rights, safety, or property of Lapis, our users, or the public.

10. Cross‑Border Transfers

The Services operate from the United States and may rely on cloud providers in other countries. When we transfer personal data from regions with export restrictions, for example the European Economic Area or the United Kingdom, we rely on approved safeguards such as Standard Contractual Clauses, supplemented by encryption, access controls, and resilient infrastructure.

11. Information Security

Lapis has not yet completed a SOC 2 examination. Nevertheless, we employ administrative, technical, and physical controls that align with respected security frameworks:

  • Governance policies reviewed by senior leadership and audited annually.
  • Multi‑factor authentication, least‑privilege role assignments, and quarterly access reviews.
  • Encryption in transit using TLS 1.2 or higher with HSTS, and encryption at rest using AES‑256 with managed keys.
  • Virtual‑private‑cloud segmentation, firewalls, and web‑application‑firewall rules.
  • Continuous vulnerability scanning, weekly dependency checks, and independent penetration tests.
  • Real‑time monitoring, immutable audit trails, and an incident‑response plan that includes notification procedures.
  • Redundant backups, disaster‑recovery drills, and round‑the‑clock on‑call engineering coverage.
  • Mandatory security and privacy training for all personnel and background screening where lawful.

12. Data Retention

We keep personal data only as long as necessary for the purposes outlined above.

  • Account and billing records persist throughout the customer relationship and for seven years afterward to meet tax and audit requirements.
  • Customer data remains for the term specified in our agreement and is typically erased within thirty days of service termination or upon verified deletion request.
  • Backup copies roll off on a short, fixed schedule and are then unrecoverable.
  • Marketing contacts are deleted or anonymised when you opt out or after two years of inactivity.

13. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Ask whether we process your personal data and obtain a copy.
  • Correct inaccurate or incomplete information.
  • Request deletion where no lawful reason to retain it exists.
  • Receive data you provided in a portable format.
  • Restrict or object to processing based on legitimate interests.
  • Withdraw consent at any time without affecting prior lawful processing.
  • Lodge a complaint with a supervisory authority if you believe we have violated applicable law.

Lapis does not "sell" or "share" personal data as defined by California or similar state privacy statutes, but we honour any applicable opt‑out rights. To exercise any right, email privacy@trylapis.com with sufficient information to verify your identity, and we will respond within the timeframe mandated by law.

14. AI‑Specific Practices and Automated Decisions

  • Customer data used for analytics and model inference remains under your control, and we do not incorporate it into general‑purpose training sets unless you give express, written permission.
  • We aggregate usage statistics and system telemetry in a de‑identified form to improve performance and reliability.
  • Lapis does not rely on solely automated decision‑making that produces legal or similarly significant effects for individuals. If this changes, we will publish an updated explanation and provide the rights guaranteed by law.

15. Children's Privacy

The Services target professional users and are not intended for anyone under sixteen years of age. We do not knowingly collect personal data from minors. If you learn that a child has provided data to Lapis, contact privacy@trylapis.com so that we can delete it promptly.

16. Third‑Party Links and Integrations

Our websites and products may offer links or connections to services operated by third parties. Your interactions with those services are subject to their privacy practices, not ours. Review their policies before sharing information.

17. Changes to This Policy

We may revise this Privacy Policy from time to time. If a modification materially alters your rights or obligations, we will provide conspicuous notice, such as an email or in‑app alert, no fewer than thirty days before the change takes effect. Historical versions will remain accessible on our site for transparency. Continued use of the Services after the effective date constitutes acceptance of the updated policy.

18. Contacting Lapis

For any privacy‑related question, to exercise a data‑subject right, or to raise a concern, email privacy@trylapis.com or write to:

Privacy Officer
Lapis Labs Inc.
201 Spear Street
San Francisco, CA 94105
United States

We handle privacy matters exclusively through written communication and do not accept phone calls.