Privacy Policy

Effective Date: 08.09.2025
Website: https://www.lab88.ai
Company: Lab88 OÜ

All visitors should read this Privacy Policy carefully.
By using the website lab88.ai and our services, you acknowledge that your personal data will be processed in accordance with this Privacy Policy. Certain types of processing (such as non-essential cookies or direct marketing) will only take place with your explicit consent, which you can withdraw at any time.

(1) WHO WE ARE

Lab88 OÜ is a consulting and technology development company based in Estonia. We offer services in digital strategy, technical implementation, and team mentoring.

Address: Harju maakond, Tallinn, Kesklinna linnaosa, Tornimäe tn 5, 10145, Estonia.
Email for privacy matters: operations@lab88.ai.

Lab88 OÜ is the data controller for the processing of your personal data through our website and services. We have not appointed a Data Protection Officer (DPO), as this is not required under Article 37 GDPR. If this changes, we will update this Policy accordingly.

(2) SCOPE

This policy explains how we process personal data when you visit our website, use our services, interact with our AI assistants, complete forms, book meetings, receive newsletters, or contact us.

We do not intentionally collect special categories of personal data (such as health information, biometric data, or political opinions). Please do not submit such data unless strictly necessary and with an appropriate lawful basis under the GDPR.

We do not use automated decision-making that produces legal or similarly significant effects on you within the meaning of Article 22 GDPR.

(3) THE DATA WE COLLECT

We collect only the data needed for the purposes set out in this Privacy Policy.

3.1 Website and device data
- Pages viewed, time on page, referrers, general device information.  
- IP address and basic location derived from IP.  
- Cookie preferences.  
Legal basis: legitimate interests (Article 6(1)(f) GDPR) to maintain site performance and security.  

3.2 Cookies and similar technologies
- See section 8 for details and controls.  
Legal basis: consent (Article 6(1)(a) GDPR) for non-essential cookies; legitimate interests (Article 6(1)(f)) for strictly necessary cookies.  

3.3 Contact and support
- Name, email, company, role, message content and any attachments.  
- Submitted via Typeform or email.  
Legal basis: performance of a contract or steps prior to entering into a contract (Article 6(1)(b)) or legitimate interests (Article 6(1)(f)) for general inquiries.  

3.4 Newsletter
- Email address and, if provided, name.  
- We use double opt-in.  
Legal basis: consent (Article 6(1)(a) GDPR), which you may withdraw at any time.  

3.5 Meetings, scheduling, and video calls
- Name, email, meeting details, availability data, and any information you share during the meeting.  
- Scheduling is handled by Calendly. Video calls are provided via Google Meet.  
- We do not record meetings by default. If a meeting will be recorded, we will notify participants in advance and, where required, obtain consent.  
- If you share files or links in meeting chat, they are processed to provide the service.  
Legal basis: performance of a contract (Article 6(1)(b)) or legitimate interests (Article 6(1)(f)).  

3.6 AI-powered services and GPTs
- Inputs you provide during a session, for example country, sector, project details.  
- Subscription or access status if you use paid features.  
- We do not keep GPT session content in our systems unless you explicitly ask us to.  
- Inputs may be processed by OpenAI, which acts as our processor under Article 28 GDPR.  
- Please do not provide special categories of data (Article 9 GDPR) unless strictly necessary.  
Legal basis: performance of a contract (Article 6(1)(b)) or consent (Article 6(1)(a)) where applicable.  

3.7 Billing and subscriptions
- Payment email and transaction metadata to verify access and manage billing.  
- Card data is handled securely by Stripe. We do not store card numbers.  
Legal basis: performance of a contract (Article 6(1)(b)) and compliance with legal obligations (Article 6(1)(c)).  

3.8 Security logs
- IP address, user agent, requested URLs, timestamps, and events triggered by suspicious activity.  
Legal basis: legitimate interests (Article 6(1)(f)) to ensure site security and prevent abuse.  

3.9 Lead generation via LinkedIn
- Data you submit through LinkedIn Lead Gen Forms, such as name, email, company, job title.  
Legal basis: consent (Article 6(1)(a)) provided via LinkedIn forms.

(4) WHY WE USE YOUR DATA

We process personal data under one or more of the following legal bases in accordance with Article 6 GDPR.

4.1 Contract

- Provide services you request, including AI assistants and paid features.
- Manage subscriptions and customer accounts.
- Take steps at your request before entering into a contract.

4.2 Consent

- Send newsletters and marketing emails.
- Set non-essential cookies, including analytics and marketing cookies.
- Keep GPT session content if you explicitly ask us to.

You can withdraw consent at any time. Use the unsubscribe link in emails, the Cookie Settings link in the site footer, or email operations@lab88.ai. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.

4.3 Legitimate interests

- Answer inquiries and provide customer support.
- Keep security logs and protect our services.
- Improve site performance and measure service quality using aggregated or de-identified data.

We balance our interests against your rights using a documented legitimate interest assessment.

4.4 Legal obligations

- Keep records needed for accounting and tax.
- Respond to lawful requests from authorities.

4.5 Special categories of data

We do not intentionally process special categories of personal data (such as health, biometric, or political data). If you choose to submit such data, it will only be processed where one of the conditions in Article 9 GDPR applies (for example, explicit consent).

4.6 Automated decision-making

We do not use personal data for automated decision-making that produces legal effects or similarly significant effects on you within the meaning of Article 22 GDPR.

4.7 International transfers

Some of our processors (such as Google, Stripe, OpenAI, and LinkedIn) may transfer personal data outside the European Economic Area. In such cases, we ensure that appropriate safeguards are in place in accordance with Articles 44–49 GDPR, such as Standard Contractual Clauses or adequacy decisions.

(5) WHERE WE GET DATA

We collect personal data from the following sources:  
- Directly from you via our website, GPTs, email, calls, and meetings.  
- Automatically from your device when you browse our site (for example, through cookies and security logs).  
- From LinkedIn when you submit a Lead Gen Form on our page (with your consent).

We do not collect personal data from other third-party sources or public databases. If this changes, we will update this Policy.

(6) RECIPIENTS AND PROCESSORS

We share personal data with trusted service providers. Where they act as processors, they operate under written data processing agreements and follow our documented instructions in line with Article 28 GDPR.  
- Web hosting and site platform: Webflow.
- Forms: Typeform.
- Scheduling: Calendly.
- Video conferencing and collaboration: Google Meet (Google LLC, provided as part of Google Workspace).
- Email and CRM: HubSpot.
- Payments: Stripe.
- Analytics: Google Analytics.
- AI model provider: OpenAI.

OpenAI may act as our processor when we embed models in our services. When you use OpenAI products directly, OpenAI acts as an independent controller and its own privacy policy applies. Similarly, Stripe and Google Analytics act as independent controllers for certain processing activities (such as payment processing and analytics).  

Where data is transferred outside the European Economic Area, we ensure that appropriate safeguards are in place in accordance with Articles 44–49 GDPR. These safeguards may include the use of Standard Contractual Clauses (SCCs), the EU–US Data Privacy Framework, or adequacy decisions.  

In the case of LinkedIn Lead Gen Forms, LinkedIn and Lab88 may act as joint controllers for the initial collection of your data. In that case, LinkedIn’s privacy policy also applies.  

We do not sell personal data.

(7) INTERNATIONAL TRANSFERS

Some of our providers process personal data outside the European Economic Area (EEA). When this occurs, we implement one or more of the following safeguards in accordance with Articles 44–49 GDPR:

- Adequacy decisions adopted by the European Commission (including participation in the EU–US Data Privacy Framework (DPF) where applicable).
- Standard Contractual Clauses (SCCs) approved by the European Commission, together with supplementary technical and organizational measures where required (e.g., encryption in transit and at rest, access controls, data minimization, and strict purpose limitation).

Provider examples. Depending on the feature you use, data may be transferred by:
- Google (Google Meet / Workspace, Google Analytics) – DPF and/or SCCs (as applicable).
- Stripe (payments) – DPF and/or SCCs (as applicable).
- OpenAI (AI processing) – SCCs and supplementary measures (as applicable).
- HubSpot, Calendly, Typeform, Webflow – SCCs and/or DPF (as applicable).

We conduct Transfer Impact Assessments (TIAs) for relevant transfers and monitor legal developments affecting international data flows. Our processors are contractually required to implement appropriate safeguards and to manage any onward transfers only with equivalent protections.

In limited cases—and only when permitted by law—we may rely on Article 49 GDPR derogations, for example your explicit consent or transfers necessary for the performance of a contract at your request. Such transfers will be exceptional and proportionate.
You can request information on these safeguards at operations@lab88.ai.

(8) COOKIES AND CONSENT

We use cookies and similar technologies. Non-essential cookies are set only with your consent through our cookie banner, which allows you to make granular choices (for example, accepting analytics but rejecting marketing). No non-essential cookies are set before you give consent. You may withdraw your consent at any time by revisiting the banner in the site footer. Withdrawal is as easy as giving consent.

8.1 Cookie categories

- Strictly necessary. Required for site security and core functions. Always active and do not require consent.  
- Functional. Remember preferences and improve features. Consent-based.  
- Analytics. Help us understand site usage. Consent-based. Google Analytics is configured to minimize data and reduce identifiability (for example, by IP anonymization).  
- Marketing. Measure the effectiveness of our communication and advertising. Consent-based.  

Some cookies are placed by third-party providers (such as Google and HubSpot) when you interact with our site. These providers may act as independent controllers for certain processing; their privacy policies also apply.

8.2 Managing cookies

You can control cookies in your browser, but blocking some may affect functionality. You can also revisit our cookie banner at any time to update or withdraw your choices. Cookie lifetimes vary depending on their purpose but will not exceed 13 months unless you consent to a longer duration.

(9) GOOGLE ANALYTICS

We use Google Analytics to understand how our site is used. Analytics cookies are set only with your consent through our cookie banner in accordance with Article 6(1)(a) GDPR and the ePrivacy Directive. You may withdraw your consent at any time by revisiting the banner.

- IP addresses are truncated before storage to reduce identifiability.  
- User- and event-level data retention is set to a maximum of 14 months.  
- We have a Data Processing Agreement (DPA) with Google.  

Google may process data outside the European Economic Area. Transfers are safeguarded using the EU–US Data Privacy Framework and/or Standard Contractual Clauses (SCCs), together with supplementary measures as required.  

For some processing activities, Google acts as an independent controller (for example, improving its own services). In such cases, Google’s Privacy Policy applies.

(10) DATA RETENTION

We keep personal data only as long as necessary for the purposes described in this Policy or as required by law (Article 5(1)(e) GDPR). When the retention period ends, personal data is securely deleted or anonymized. In limited cases, data may remain in system backups for a short additional period before being overwritten.

- Newsletter data. Retained until you unsubscribe or your email bounces persistently.  
- Contact and support records. Up to 12 months after resolution unless needed longer for follow-up or to establish or defend legal claims.  
- Calendly scheduling data. Retained as long as needed to arrange and document the meeting and for up to 12 months afterward, unless required longer for legal claims.  
- Security logs. Up to 12 months, longer if needed to investigate incidents or protect security.  
- Analytics event data. Up to 14 months.  
- GPT session content. Not stored by us unless you explicitly ask us to, in which case we will agree on a retention period with you.  
- Meetings and video calls. No recordings are kept unless we notify you. If a recording is made, we retain it until the project or engagement ends or for up to 12 months, unless a longer period is required by law or to establish or defend legal claims.  
- Billing and transaction records. Seven years to meet accounting and tax obligations in Estonia.  

We do not intentionally process special categories of personal data (Article 9 GDPR). If such data is provided, it will only be retained for as long as strictly necessary and with an appropriate lawful basis.

(11) YOUR RIGHTS

Subject to legal limits, you have the right to:
- Access your data (Article 15 GDPR).  
- Rectify inaccurate data (Article 16).  
- Erase your data (Article 17).  
- Restrict processing (Article 18).  
- Object to processing based on legitimate interests (Article 21).  
- Data portability for data you provided to us based on consent or contract (Article 20).  
- Withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal (Article 7(3)).  
- Not to be subject to automated decision-making with legal or similarly significant effects (Article 22).  

To exercise your rights, email operations@lab88.ai. We will respond within one month. We may ask you to verify your identity.  

You also have the right to lodge a complaint with your local data protection authority. In Estonia, this is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon).

(12) CHILDREN

Our services are not directed to children. We do not knowingly collect personal data from individuals below the age of digital consent under applicable law. If you believe a child has provided data to us, contact operations@lab88.ai and we will delete it.

(13) SECURITY

We use technical and organizational measures appropriate to the risk.

- TLS encryption for data in transit on our website.
- Role-based access controls and least privilege.
- Firewalls, monitoring and alerts for suspicious activity.
- Vendor due diligence and data processing agreements.

No method of transmission or storage is perfectly secure. We regularly review and improve our controls.

(14) AI SERVICES SPECIFICS

- Purpose. To deliver the GPT features you request and to verify subscription status where applicable.  
- Legal bases. Performance of a contract (Article 6(1)(b) GDPR), legitimate interests for fraud prevention and service protection (Article 6(1)(f)), and consent where required (Article 6(1)(a)).  
- Storage. We do not keep GPT session content in our systems unless you explicitly ask us to. If you want us to retain content for ongoing work, we will tell you what we will keep and for how long.  
- Sensitive data. Please do not provide special categories of personal data (Article 9 GDPR) unless strictly necessary and with a valid lawful basis.  
- Automated decision-making. Our AI services do not involve automated decision-making that produces legal or similarly significant effects under Article 22 GDPR.  
- Processors. AI inputs may be processed by OpenAI, which acts as our processor under Article 28 GDPR. Where OpenAI processes data outside the EEA, safeguards such as Standard Contractual Clauses or the EU–US Data Privacy Framework apply.  
- Payments. Stripe processes payment data as an independent controller for compliance and fraud prevention, and as our processor where applicable. We receive only confirmation and metadata needed to grant access and keep records.  

(15) LINKEDIN LEAD GEN FORMS

Legal basis. Consent (Article 6(1)(a) GDPR).

- Joint controllership. For the initial collection of your data via Lead Gen Forms, LinkedIn and Lab88 act as joint controllers. LinkedIn’s privacy policy also applies.
- Use. To contact you about your request and our services.
- Retention. Data is stored by LinkedIn for up to 90 days. If transferred to our CRM, it is retained only as long as needed for the stated purpose or until you request deletion.
- Transfers. LinkedIn may transfer personal data outside the EEA. In such cases, safeguards such as Standard Contractual Clauses or adequacy decisions apply.
- Opt out. You can opt out of further communications at any time by using the unsubscribe link in our emails or by contacting operations@lab88.ai.

(16) DO NOT TRACK

We honor your choices set through our Cookie Settings and your browser. Some browsers send "Do Not Track" (DNT) signals, but because there is currently no common standard for DNT, we rely on the consent controls described in this policy. You may withdraw your cookie consent at any time by revisiting the cookie banner in the site footer. Where technically feasible, we will also respect recognized browser-based opt-out mechanisms such as Global Privacy Control (GPC).

(17) CHANGES TO POLICY

We may update this policy to reflect changes in law or our services. We will post the new version on this page and change the effective date below. Material changes will be highlighted on the site.

If we make material changes that significantly affect the way we process your personal data, we will also notify you directly (for example, by email if we have your address or via a message in your account).