Privacy Policy

Last Updated: April 11, 2026

1. Purpose and Scope

This Privacy Policy explains how Lapis Labs Inc. ("Lapis," "we," "our") handles personal data when you interact with any website, dashboard, API, SDK, mobile app, or other online property that we own and operate (collectively, the "Services"). It applies to all users of the Services, including visitors who use features that do not require account creation, customers, end-users, event participants, and anyone who contacts us. By accessing or using any part of the Services, you accept this Policy. The notice does not apply to information that can no longer be linked to an individual, nor to third-party services you choose to connect with Lapis.

2. Who We Are

Legal entity: Lapis Labs Inc., a Delaware corporation

Headquarters: 2261 Market Street STE 86894, San Francisco CA 94114, United States

Primary contact for privacy: contact@trylapis.com

We respond to written requests only and do not accept privacy inquiries by telephone.

3. Key Concepts

Personal data: Information that identifies or can reasonably be linked to a natural person.

Customer data: Any content such as logs, datasets, prompts, or model outputs that you or your authorised users submit to or generate in the Services.

Processing: Any operation performed on personal data, including collection, storage, analysis, sharing, or deletion.

4. What We Collect

We may process:

Account details you submit, such as name, business email, organisation, login credentials, billing address, and subscription tier.

Customer data that flows through our analytics pipelines at your direction, including structured files, unstructured text, and derived AI outputs.

Brand and website data extracted when you provide a website URL for ad generation. Our systems programmatically crawl the URL you submit to extract brand assets including logos, colour palettes, fonts, and screenshots. This data is used solely to generate brand-consistent advertising content on your behalf.

Product data obtained when you submit product URLs from e-commerce platforms (such as Shopify or Amazon) or other websites. We extract product images, titles, descriptions, and related metadata to enable product-aware ad generation.

Target audience data you configure for ad campaigns, including company industries, company revenue ranges, company sizes, job functions, job titles, seniority levels, years of experience, and gender demographics.

Reference images you upload to guide the style or content of generated advertisements. These images are stored for the duration of your session or as part of your collections and may be used to inform the visual output of AI-generated content.

Product collections you create, including collection names, slugs, and associated product data, which enable @mention functionality in ad generation prompts.

Usage information recorded automatically, for example IP addresses, approximate geolocation derived from your IP address at the time of registration or access, device and browser types, timestamps, feature engagement metrics, error logs, and diagnostic reports.

Tracking identifiers placed by cookies, pixels, or local-storage objects.

Integration data obtained from identity providers, business apps you authorise, or third-party communication tools you connect, including workspace identifiers and account-linking data.

Payment metadata supplied by our payment processor, for example card type and last four digits.

Support and event content contained in emails, chat transcripts, surveys, or badge scans.

5. How We Collect It

Directly from you via forms, uploads, emails, in-product fields, or event registrations.

Automatically through server logs, client instrumentation, cookies, and similar technologies.

From third parties such as single-sign-on providers, integration partners, or authorised resellers.

By derivation when the platform generates insights, vector embeddings, or aggregated statistics.

6. Why We Process Personal Data

We use personal data to:

  • Provide, troubleshoot, and secure the Services you request.
  • Authenticate users, manage accounts, and handle billing.
  • Execute analytics, machine-learning, and visualisation tasks you initiate.
  • Research and develop new features, algorithms, and performance enhancements.
  • Send transactional notices, product updates, security alerts, and, with the requisite permission, marketing communications.
  • Train, improve, and benchmark Lapis's machine-learning models and AI systems using Generated Content and de-identified usage patterns, as further described in the Terms of Service.
  • Display selected Generated Content in public-facing galleries, showcases, and marketing materials to demonstrate the capabilities of the Services.
  • Detect, investigate, and prevent fraud, abuse, or policy violations.
  • Comply with legal, tax, and regulatory obligations or defend our legal rights.

7. Legal Grounds (where required)

Contract necessity for core functionality you have requested.

Legitimate interests in operating, improving, and securing an analytics platform, balanced against your rights.

Consent for optional cookies, promotional email, or other uses you proactively allow.

Legal obligation when statutes, regulations, or court orders compel us.

8. Cookies and Similar Technologies

We rely on small data files and software-development kits to:

  • Keep you signed in and route traffic efficiently.
  • Measure site traffic, feature adoption, and campaign results.
  • Remember locale, theme, and other interface preferences.
  • Deliver limited advertising or retargeting where law permits.

As of the last-updated date, the Services use the following analytics and monitoring providers: PostHog (product analytics and user identification), Google Analytics (site traffic measurement via Google Tag Manager), Meta Pixel (conversion tracking and retargeting), Sentry (error monitoring and diagnostics), and Vercel Speed Insights (performance monitoring). Each provider processes data in accordance with its own privacy policy and data-processing terms. Lapis may add, remove, or replace analytics and monitoring providers at any time without prior notice. By continuing to use the Services, you consent to data processing by these providers as described in this Section.

Lapis is currently intended only for customers located in the United States and India.

9. Sharing and Disclosure

We never sell personal data. We disclose it only:

  • To carefully vetted service providers that host infrastructure, process payments, send email, supply customer-support tools, or monitor performance; each is bound by strict confidentiality and data-processing terms. This includes internal operational and customer-relationship-management tools that help us deliver, monitor, and improve the Services.
  • To third-party applications you enable through integrations, and only to the extent necessary to make the integration work.
  • To our professional advisers, including attorneys, auditors, and insurers, under confidentiality duty.
  • In connection with a merger, acquisition, financing, or sale of assets, subject to continuous protection of the data.
  • When required by law or to protect the rights, safety, or property of Lapis, our users, or the public.

9A. Use of Customer Marks in Marketing

For information about how we may use your brand identifiers in marketing, see Section 6A of the Terms of Service.

10. Cross Border Transfers

The Services operate in, and we store and process personal data in the United States. The Services are available only to users located in the United States and India. We block access from IP addresses geolocated outside these regions. If you attempt to access the Services from outside the United States or India (including the European Economic Area or the United Kingdom), your access will be denied. We do not intentionally collect or store personal data of users outside our supported regions; however, minimal technical logs related to blocked requests may be processed in the United States for security and compliance purposes.

11. Information Security

Lapis has not yet completed a SOC 2 examination and does not hold any third-party security or compliance certifications. Nevertheless, we employ commercially reasonable administrative, technical, and physical controls designed to protect the confidentiality, integrity, and availability of your data:

  • Governance policies reviewed by senior leadership.
  • Multi-factor authentication and least-privilege role assignments.
  • Encryption in transit using TLS 1.2 or higher, and encryption at rest using industry-standard algorithms with managed keys.
  • Network segmentation, firewalls, and web-application-firewall rules.
  • Commercially reasonable vulnerability scanning and dependency monitoring.
  • Monitoring, logging, and an incident-response plan that includes notification procedures.
  • Regular backups and disaster-recovery planning.
  • Security awareness guidance for personnel.

While Lapis endeavors to protect your data using commercially reasonable measures, no method of transmission over the Internet or electronic storage is completely secure, and we cannot guarantee absolute security.

12. Data Retention

We keep personal data only as long as necessary for the purposes outlined above.

Account and billing records persist throughout the customer relationship and for seven years afterward to meet tax and audit requirements.

Customer data remains for the term specified in our agreement and is typically erased within thirty days of service termination or upon verified deletion request.

Backup copies roll off a short, fixed schedule and are then unrecoverable.

Marketing contacts are deleted or anonymised when you opt-out or after two years of inactivity.

13. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Ask whether we process your personal data and obtain a copy.
  • Correct inaccurate or incomplete information.
  • Request deletion where no lawful reason to retain it exists.
  • Receive data you provided in a portable format.
  • Restrict or object to processing based on legitimate interests.
  • Withdraw consent at any time without affecting prior lawful processing.
  • Lodge a complaint with a supervisory authority if you believe we have violated applicable law.

Lapis does not "sell" or "share" personal data as defined by California or similar state privacy statutes, but we honour any applicable opt-out rights. To exercise any right, email contact@trylapis.com with sufficient information to verify your identity, and we will respond within the timeframe mandated by law.

14. Children's Privacy

The Services are designed for professional business use and are not directed at anyone under sixteen years of age. We do not knowingly collect personal data from children under sixteen. If we learn that we have collected personal data from a child under sixteen, we will delete that data promptly. If you believe a child has provided data to Lapis, contact contact@trylapis.com.

15. Third-Party Links and Integrations

Our websites and products may offer links or connections to services operated by third parties. Your interactions with those services are subject to their privacy practices, not ours. Review their policies before sharing information.

Advertising Platform Integrations. The Services may integrate with third-party advertising platforms such as LinkedIn, Meta (Facebook and Instagram), Google, TikTok, and others. When you connect your advertising accounts or publish content to these platforms through the Services, data may flow between Lapis and those platforms as necessary to enable the integration. This may include campaign data, creative assets, audience targeting parameters, and performance metrics. Each platform's collection and use of your data is governed by its own privacy policy.

Design, Productivity, and Communication Tools. The Services may integrate with third-party design tools (such as Figma), productivity tools (such as Notion), and communication tools (such as Slack). When you authorize any third-party integration, you direct Lapis to exchange data with that provider as necessary to enable the integration. Lapis is not responsible for the privacy practices, security, or availability of any third-party service, and your use of such integrations is at your sole risk.

16. Changes to This Policy

We may revise this Privacy Policy from time to time. If a modification materially alters your rights or obligations, we will provide conspicuous notice, such as an email or in-app alert, no fewer than thirty days before the change takes effect. Continued use of the Services after the effective date constitutes acceptance of the updated policy.

17. Region-Specific Provisions

India. If you are located in India, the following provisions apply in addition to the rest of this Policy. For the purposes of the Digital Personal Data Protection Act, 2023 ("DPDPA") and any rules made thereunder, the Grievance Officer is reachable at contact@trylapis.com. Indian data principals may exercise their rights under the DPDPA by writing to the Grievance Officer, and Lapis will respond within the time periods mandated by applicable Indian law. By using the Services, you consent to the transfer and storage of your personal data in the United States as described in Section 10 of this Policy.

18. Contact Information

Questions about this Privacy Policy should be directed in writing to:

Lapis Labs Inc.
2261 Market Street STE 86894
San Francisco CA 94114
United States
contact@trylapis.com

Lapis handles legal and privacy communications exclusively through written correspondence and does not accept phone calls regarding the Terms.