Privacy Policy

We collect the following categories of information:

1.1 Information You Provide

• Account data: name, email address, password (stored as a bcrypt hash), institution or organization name.
• Lab data: experimental records, sample information, protocols, inventory entries, attachments, and other research content you upload or create.
• Payment data: billing address and payment method details (processed by our payment provider; we do not store full card numbers).
• Communications: messages you send to our support team or via in-app feedback.

1.2 Information Collected Automatically

• Usage data: pages visited, features used, actions taken, timestamps, and session duration.
• Device & network data: IP address, browser type and version, operating system, and referring URLs.
• Log data: server logs, error reports, and audit trail entries (append-only for compliance purposes).

We use the information we collect to:

• Provide, operate, and improve the Service.
• Process transactions and send related information such as confirmations and invoices.
• Respond to your comments, questions, and requests, and provide customer support.
• Send technical notices, updates, security alerts, and administrative messages.
• Monitor and analyze usage patterns to improve platform performance, features, and user experience.
• Detect, investigate, and prevent fraudulent transactions and other illegal activities.
• Comply with legal obligations and enforce our agreements.

We do not use your Lab Data to train machine learning models or AI systems without your explicit, opt-in consent.

We take the security of your data seriously:

• Encryption at rest: All Lab Data is encrypted at rest using AES-256.
• Encryption in transit: All data transmitted between your browser and our servers uses TLS 1.2 or higher.
• Access controls: Role-based access controls restrict data access to authorized personnel only.
• Password hashing: Passwords are hashed using bcrypt with a work factor of 12.
• Audit logging: All significant actions are recorded in an immutable audit log for compliance traceability.
• Backups: Data is backed up regularly with point-in-time recovery capabilities.

No method of electronic storage or transmission is 100% secure. While we use commercially reasonable measures to protect your information, we cannot guarantee absolute security. If you discover a security vulnerability, please report it to [email protected].

We do not sell your data. We share your information only in the following circumstances:

• Service providers: We work with trusted third parties who assist in operating the Service (e.g., cloud hosting, payment processing, email delivery). These providers are contractually bound to use your data only to perform services on our behalf and in compliance with applicable law.
• Team members: Data you share within a team workspace is accessible to other members of that workspace according to the permissions you configure.
• Legal requirements: We may disclose your information if required by law, subpoena, or other legal process, or if we believe disclosure is necessary to protect the rights, property, or safety of PonyLab, our users, or the public.
• Business transfers: In connection with a merger, acquisition, or sale of assets, your information may be transferred. We will provide notice before your information is transferred and becomes subject to a different privacy policy.
• With your consent: We may share your information with third parties when you explicitly consent to such sharing.

We use the following types of cookies and similar technologies:

• Essential cookies: Required for the Service to function (e.g., session authentication tokens). These cannot be disabled.
• Preference cookies: Remember your settings and preferences (e.g., language, theme).
• Analytics cookies: Help us understand how users interact with the Service. We use privacy-respecting analytics tools and do not share this data with advertising networks.

You can control non-essential cookies through your browser settings. Disabling cookies may affect the functionality of the Service.

Depending on your location, you may have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you.
• Rectification: Request correction of inaccurate or incomplete data.
• Erasure ("right to be forgotten"): Request deletion of your personal data, subject to certain legal obligations.
• Data portability: Request your data in a structured, machine-readable format. PonyLab provides built-in export tools for your Lab Data.
• Restriction of processing: Request that we limit how we use your data in certain circumstances.
• Object to processing: Object to our processing of your data where we rely on legitimate interests.
• Withdraw consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

We retain your personal data for as long as your account is active or as needed to provide you with the Service. Specifically:

• Account data: Retained for the duration of your account plus 30 days after deletion to allow data export.
• Lab Data: Retained until you delete it or your account is closed. Deleted data is permanently purged within 90 days.
• Audit logs: Retained for a minimum of 5 years to meet regulatory compliance requirements (e.g., GLP, FDA 21 CFR Part 11).
• Billing records: Retained for 7 years as required by financial regulations.

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal information without parental consent, please contact us at [email protected] and we will take steps to remove that information.

Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws that are different from the laws of your country.

Where we transfer personal data from the European Economic Area (EEA), United Kingdom, or Switzerland to countries not recognized as providing an adequate level of data protection, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) approved by the European Commission.

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or by posting a prominent notice on the Service at least 14 days before the change takes effect. The "Last updated" date at the top reflects when this policy was last revised.

Your continued use of the Service after the effective date of any revision constitutes your acceptance of the updated policy.

PonyLab is the data controller for the personal data processed under this policy. If you have questions or concerns about this Privacy Policy or our data practices, please contact our Privacy team:

• Privacy inquiries: [email protected]
• Security issues: [email protected]
• General support: [email protected]