Privacy Policy - Easylab AI SARL

1. Identity of the Controller

Controller	Easylab AI SARL
Registered Address	55, allée de la Poudrerie, L-1899 Roeser, Grand Duchy of Luxembourg
Trade Register	RCS Luxembourg B276290
Data Protection Contact	privacy@easylab.ai
Data Protection Officer	Julien Doussot, CEO -- dpo@easylab.ai
General Contact	contact@easylab.ai

Easylab AI SARL is the data controller for the personal data processed through the easylab.ai website and its associated services. As data controller, Easylab AI SARL determines the purposes and means of processing of personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable Luxembourg data protection law.

2. Scope

This Privacy Policy applies to:

The website easylab.ai and all its subdomains (*.easylab.ai), including but not limited to openclaw.easylab.ai
All interactions with Easylab AI through its corporate website, including the contact form, newsletter sign-up, and any other data collection mechanisms on the site

This policy also serves as the master privacy policy framework for services operated by Easylab AI. Individual SaaS products (such as EasyBoard, EasyBlood, EasyFund, and others) may have their own supplementary privacy policies that address service-specific data processing. Where a service-specific policy exists, it takes precedence over this master policy for matters specific to that service.

Note: If you are a user of a specific Easylab AI product, please also refer to the privacy policy of that product for details on how your data is processed within that service.

3. Categories of Personal Data Collected

3.1 Contact Form Data

When you submit a message through our contact form, we collect:

Full name
Email address
Company name (if provided)
Country (if provided)
Message content

3.2 Navigation and Usage Data

When you visit our website, we automatically collect certain technical data:

IP address (anonymized where possible)
Browser type and version
Device type and operating system
Pages visited and time spent on each page
Referring website URL
Approximate geographic location (derived from IP address)

3.3 Cookies and Tracking Technologies

We use cookies and similar technologies as described in Section 11 (Cookies) of this policy. Analytics data is collected only with your prior consent.

3.4 SaaS Product Data

For specific Easylab AI SaaS products (e.g., EasyBoard, EasyBlood, EasyFund), additional categories of personal data may be collected, including account data, payment data, health data, or audio recordings. These are detailed in the privacy policy of each individual service.

4. Purposes and Legal Bases for Processing

We process your personal data for the following purposes, each with a corresponding legal basis under Article 6(1) of the GDPR:

Purpose	Data Used	Legal Basis (GDPR)
Responding to contact form inquiries and pre-contractual requests	Name, email, company, message content	Art. 6(1)(b) -- Performance of a contract or pre-contractual measures at your request; Art. 6(1)(f) -- Legitimate interest in communicating with prospective clients
Website analytics and improvement	Usage data, cookies, anonymized IP	Art. 6(1)(a) -- Consent (via cookie consent mechanism)
Session recording and UX analysis	Anonymized interaction data, click patterns	Art. 6(1)(a) -- Consent (via cookie consent mechanism)
Newsletter and marketing communications	Email address, name	Art. 6(1)(a) -- Consent (opt-in)
Compliance with legal obligations (tax, commercial law, AML)	Accounting records, correspondence, billing data	Art. 6(1)(c) -- Legal obligation
Security monitoring and fraud prevention	Access logs, IP addresses, authentication events	Art. 6(1)(f) -- Legitimate interest in protecting our systems and users
Provision of SaaS products and services	Account data, service usage data (varies by product)	Art. 6(1)(b) -- Performance of a contract
Payment processing (for paid services)	Payment data, subscription information	Art. 6(1)(b) -- Performance of a contract

Where we rely on legitimate interest (Art. 6(1)(f)), we have conducted a balancing test to ensure that our interests do not override your fundamental rights and freedoms. You have the right to object to processing based on legitimate interest at any time (see Section 8).

5. Sub-Processors and Third-Party Services

We share personal data only with sub-processors that are necessary for the operation of our website and services. We do not sell personal data to third parties, and we do not share personal data with third parties for their own marketing purposes.

All sub-processors are bound by Data Processing Agreements (DPAs) that impose data protection obligations at least as protective as those set out in the GDPR.

5.1 Sub-Processors for the easylab.ai Website

Provider	Purpose	Location	Safeguards
Netlify Inc.	Website hosting and content delivery	CDN worldwide; Functions configurable for EU	DPA, SOC 2 Type II, ISO 27001, PCI-DSS, SCCs
Google Analytics 4 (Google Ireland Ltd.)	Website analytics and usage measurement	US (Google LLC), with EU entity as contracting party	DPA (CDPA), EU-US Data Privacy Framework, SCCs, SOC 2, ISO 27001
Microsoft Clarity (Microsoft Corp.)	Session analytics and UX heatmaps	US	Microsoft DPA, SCCs; consent signal required for EEA visitors
Resend Inc.	Contact form email delivery (transactional email)	US (AWS infrastructure)	DPA, SOC 2 Type II, EU SCCs (Commission Decision 2021/914)
Google Cloud / Firebase (Google Ireland Ltd.)	Backend infrastructure for SaaS products (Auth, Firestore, Storage, Functions)	EU (europe-west regions) [TO BE CONFIRMED per project]	DPA (Firebase Data Processing Terms + CDPA), SOC 1/2/3, ISO 27001/27017/27018/27701, EU-US DPF, SCCs

5.2 Sub-Processors for SaaS Products

Our individual SaaS products use additional sub-processors for AI processing, payment processing, document conversion, and other service-specific functions. These include, but are not limited to:

Provider	Purpose	Location	Safeguards
Anthropic LLC	AI processing (Claude API) for agent-based services	US (EU routing available via Vertex AI / AWS Bedrock)	DPA with SCCs, SOC 2 Type II, ISO 27001, Zero Data Retention addendum available
OpenAI (OpenAI Ireland Ltd.)	AI analysis and content generation	US, with EU data residency option (Dublin)	DPA, SOC 2 Type II, ISO 27001/27701, Zero Data Retention, SCCs
Stripe Inc.	Payment processing	EU for European merchants	DPA, PCI DSS Level 1, SOC 2 Type II, ISO 27001, EU-US DPF, SCCs
Google Gemini API (Google Ireland Ltd.)	AI processing for specific products	EU (via Vertex AI) or US	DPA (CDPA), SOC 1/2/3, ISO 27001/42001, SCCs
CloudConvert GmbH	Document conversion	Germany (EU)	DPA (on request), ISO 27001
Supabase Inc.	Database infrastructure for selected products	EU (Frankfurt) when configured	DPA, SOC 2 Type II, SCCs

Note: For the complete and current list of sub-processors for each Easylab AI product, please refer to the privacy policy or sub-processors page of that specific service. A consolidated Sub-Processors Register is maintained internally and is available upon request to privacy@easylab.ai.

6. International Data Transfers

Easylab AI's primary data storage and processing occurs within the European Union. We prioritize EU-based service providers and EU data residency options wherever technically feasible.

However, certain sub-processors are established in the United States or operate infrastructure outside the EU/EEA. When personal data is transferred outside the EU/EEA, we ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR:

6.1 Transfer Mechanisms

EU-US Data Privacy Framework (DPF): Where the receiving organization is certified under the EU-US DPF (pursuant to the European Commission Adequacy Decision of 10 July 2023), this serves as the primary transfer mechanism.
Standard Contractual Clauses (SCCs): We have entered into SCCs (Commission Implementing Decision (EU) 2021/914) with all US-based sub-processors, providing a supplementary or alternative safeguard.
Supplementary Measures: In line with the CJEU's Schrems II ruling (C-311/18), we implement additional technical and organizational measures where necessary, including encryption in transit and at rest, contractual zero-data-retention commitments from AI providers, and data minimization practices.

6.2 Sub-Processors with US Data Transfers

The following sub-processors used by the easylab.ai website involve data transfers to the United States:

Google Analytics 4: Usage analytics data. Transfer safeguards: EU-US DPF, SCCs, IP anonymization.
Microsoft Clarity: Session analytics data. Transfer safeguards: Microsoft DPA, SCCs. Requires explicit consent signal for EEA visitors.
Resend Inc.: Email addresses transmitted for contact form email delivery only. No website content or sensitive data is shared. Transfer safeguards: DPA, SCCs.

A Transfer Impact Assessment (TIA) has been conducted for all sub-processors involving international data transfers. [LAWYER REVIEW -- confirm TIA status and documentation]

7. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. The following retention periods apply:

Data Category	Retention Period
Contact form submissions	12 months from submission, unless an ongoing business relationship is established
Website analytics data (Google Analytics 4)	14 months (GA4 default retention setting)
Session analytics data (Microsoft Clarity)	13 months [TO BE CONFIRMED -- verify Clarity retention settings]
Cookie consent preferences	12 months from last interaction
Security and access logs	90 days
Newsletter subscription data	Until withdrawal of consent (unsubscribe)
Accounting and billing records	10 years from date of transaction (Luxembourg commercial law, Art. 16 Code de Commerce)
SaaS product account data	Duration of contractual relationship plus 10 years (Luxembourg commercial law)
SaaS product usage data	90 days (operational logs); varies by product for analytical data

At the end of the applicable retention period, personal data is securely deleted or anonymized. You may request earlier deletion of your data at any time, subject to legal retention obligations (see Section 8).

8. Your Rights Under the GDPR

Under the General Data Protection Regulation, you have the following rights regarding your personal data. We are committed to facilitating the exercise of these rights promptly and transparently.

Right	Description
Right of access (Article 15)	You may request a copy of all personal data we hold about you, together with information on how it is processed, the purposes of processing, and the recipients of your data.
Right to rectification (Article 16)	You may request correction of any inaccurate or incomplete personal data we hold about you.
Right to erasure (Article 17)	You may request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations. We will act on your request within 30 days unless a legal exemption applies.
Right to restriction of processing (Article 18)	You may request that we restrict processing of your personal data in certain circumstances, for example while we verify the accuracy of contested data or while we assess an objection you have raised.
Right to data portability (Article 20)	You may request to receive your personal data in a structured, commonly used, machine-readable format (e.g., JSON or CSV), and to have it transmitted to another controller where technically feasible.
Right to object (Article 21)	You may object at any time to processing of your personal data based on legitimate interest (Art. 6(1)(f)). We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defense of legal claims.
Right to withdraw consent (Article 7(3))	Where processing is based on your consent (e.g., analytics cookies, newsletter), you may withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal.

How to Exercise Your Rights

To exercise any of these rights, please contact us at:

Email: privacy@easylab.ai
Post: Easylab AI SARL, Data Protection, 55 allée de la Poudrerie, L-1899 Roeser, Luxembourg

We will acknowledge your request within 5 business days and provide a substantive response within 30 days of receipt. If your request is particularly complex or involves a large volume of data, this period may be extended by an additional 60 days, in which case we will inform you of the extension and the reasons for it within the initial 30-day period.

We may request verification of your identity before processing your request, to ensure the security of your personal data.

There is no fee for exercising your rights, unless requests are manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse the request, providing reasons.

9. Your Rights Under the EU AI Act

Certain Easylab AI products incorporate artificial intelligence systems. In compliance with the EU AI Act (Regulation 2024/1689), you have the following rights in relation to AI-processed data:

Right	Description
Right to explanation (Article 86)	You may request a clear and meaningful explanation of how AI was used to process your data and generate any AI-produced output. This includes information about the AI model used, the type of data processed, and the logic involved.
Right to complaint regarding AI systems (Article 85)	You may lodge a complaint with a national supervisory authority if you believe that an Easylab AI system does not comply with the requirements of the EU AI Act.
AI-generated content disclosure (Article 50(2))	All content generated by AI in Easylab AI products is clearly marked as such, both visually in the user interface and through machine-readable metadata.

Note: These rights apply specifically to Easylab AI's SaaS products that use AI systems. The easylab.ai corporate website itself does not perform AI processing on visitor data. For detailed AI governance information for each product, please refer to the AI Governance page of the relevant service.

10. Automated Decision-Making and Profiling (Article 22)

The easylab.ai website does not perform any automated decision-making or profiling that produces legal effects or similarly significant effects on you.

Regarding our SaaS products that incorporate AI:

All AI-generated outputs (e.g., meeting minutes, blood test analyses, document summaries) are advisory and informational in nature only.
All AI outputs are subject to mandatory human review. No decisions with legal or similarly significant effects are made solely by automated means.
Users always retain full control over whether and how to act on AI-generated content.

If you believe that an automated decision has been made about you, you have the right to request human intervention, to express your point of view, and to contest the decision. Contact us at privacy@easylab.ai.

11. Cookies and Tracking Technologies

We use cookies and similar technologies on the easylab.ai website. A cookie is a small text file stored on your device when you visit a website.

11.1 Cookie Categories

Category	Purpose	Consent Required	Duration
Essential / Strictly Necessary	Required for the website to function properly (security, session management, cookie consent preferences)	No (Art. 5(3) ePrivacy Directive)	Session to 12 months
Analytics	Help us understand how visitors interact with our website (Google Analytics 4, Microsoft Clarity)	Yes	Up to 14 months

11.2 Managing Your Cookie Preferences

You can manage your cookie preferences at any time through:

Our cookie consent banner (displayed on your first visit)
Your browser settings (to block or delete cookies)

Refusing non-essential cookies will not affect the core functionality of our website.

[LAWYER REVIEW -- confirm whether a separate Cookie Policy document is needed, or if this section is sufficient. Consider referencing a detailed Cookie Policy if one is created.]

12. Supervisory Authority

If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with the competent data protection supervisory authority. As Easylab AI SARL is established in Luxembourg, the lead supervisory authority is:

Authority	Commission Nationale pour la Protection des Données (CNPD)
Address	15, Boulevard du Jazz, L-4370 Belvaux, Luxembourg
Phone	(+352) 26 10 60 - 1
Website	www.cnpd.lu

You may also lodge a complaint with the supervisory authority of your habitual residence or place of work, if different from Luxembourg.

We encourage you to contact us first at privacy@easylab.ai so that we may attempt to resolve your concern directly.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our data processing practices, legal requirements, or regulatory guidance.

When we make material changes, we will:

Update the "Date" and "Version" fields at the top of this document
Publish a notice on the easylab.ai website
Where feasible and where we have your contact details, notify you by email prior to the change becoming effective

We encourage you to review this policy periodically. Your continued use of our website and services after any changes constitutes your acknowledgment of the updated policy.

Last updated: [DATE -- to be set upon publication]

14. Contact

For any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us using the appropriate channel below:

Privacy inquiries & data subject requests	privacy@easylab.ai
Data Protection Officer	Julien Doussot, CEO -- dpo@easylab.ai
Legal inquiries	legal@easylab.ai
Compliance	compliance@easylab.ai
General inquiries	contact@easylab.ai
Postal address	Easylab AI SARL, 55 allée de la Poudrerie, L-1899 Roeser, Grand Duchy of Luxembourg