This Privacy Policy explains how CustomerLabs Inc (โCustomerLabs,โ โwe,โ โusโ) collects, uses, discloses, and protects personal information when you visit our websites, interact with our marketing, create an account, or use our Services in your capacity as a customer, prospect, or authorized user.
If you are an end user, visitor, lead, or customer of one of our customers and your data is processed through our Services on their behalf, the relevant customer is the controller of that data and their privacy notice applies. In that context, CustomerLabs acts as a processor or service provider and processes Customer Data under the applicable Data Processing Addendum (DPA) and related agreements with that customer.
This Privacy Policy is designed to meet our obligations under applicable data protection and privacy laws, including the EU General Data Protection Regulation (GDPR), the UK GDPR and Data Protection Act 2018, the Swiss Federal Act on Data Protection (FADP), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), and other applicable US state privacy laws.
We may update this Privacy Policy from time to time. The Last Updated date at the top indicates when it was most recently revised.
1. Who We Are
Controller: CustomerLabs Inc is the controller responsible for personal data described in this Privacy Policy.
Privacy contact: [email protected]
DPA and data processing inquiries: [email protected]
Postal address: CustomerLabs Inc, 651 N Broad St, Ste 206, Middletown, Delaware 19709, USA
You have the right to make a complaint at any time to the relevant supervisory authority for data protection issues in your jurisdiction. We would appreciate the chance to address your concerns first, so please contact us at [email protected].
2. Scope and Roles
This Privacy Policy applies to personal information that CustomerLabs processes as a controller, including:
- Website visitors and users of our online properties.
- Prospects and customers who communicate with us, book demos, request trials, or receive marketing communications.
- Account holders and authorized users of our Services for account administration, billing, support, and security.
This Privacy Policy does not replace the Data Processing Addendum that applies when CustomerLabs processes Customer Data on behalf of a customer in a processor role. If your request relates to Customer Data processed through our Services on behalf of one of our customers, please contact that customer directly.
3. Personal Information We Collect
Depending on how you interact with us, we may collect the following categories:
- Identity and contact: name, work email, phone number, company name, job title, and country or region.
- Account and authentication: usernames, passwords, and account settings.
- Billing and transaction: billing contact details, invoices, and payment-related records. Payment card details are handled by our payment processor; we do not store full card numbers.
- Support and communications: messages, tickets, and feedback you provide.
- Technical and usage: IP address, device identifiers, browser type, operating system, referring pages, pages viewed, features used, and approximate location derived from IP.
- Marketing preferences: your opt-in or opt-out status for marketing emails.
Sensitive Information
We do not intend to collect sensitive personal information (such as racial or ethnic origin, political opinions, religious beliefs, health data, or biometric data) through our public website forms or marketing intake. Please do not provide sensitive personal information in general inquiries.
Protected Health Information (PHI)
Our Services may be used by certain customers to process sensitive data, including health data, and in some cases protected health information (PHI). Where HIPAA applies, CustomerLabs processes PHI as a business associate under the HIPAA Business Associate Agreement terms included in the DPA (Annex F). Processing of Customer Data within the Services on behalf of a customer is governed by the customer agreement and DPA. We do not request PHI through our website contact forms and you should not include PHI in general inquiries or emails.
4. Sources of Personal Information
- Directly from you: when you fill out forms, request a demo or trial, sign up, contact support, or provide feedback.
- Automatically: through cookies, server logs, pixels, and similar technologies when you use our websites. See Section 7.
- Third parties: such as event partners, resellers, advertising networks, analytics providers, data enrichment services, and publicly available sources, where permitted by law.
- Third-party sign-in: if you sign in using a third-party account (such as Google), we receive identity and contact data from that provider in accordance with their privacy policy and your authorization.
5. How We Use Personal Information and Legal Bases
We use personal information only when the law allows us to. The table below sets out our purposes and the corresponding legal basis for each, as required under GDPR and other applicable laws.
| Purpose | Legal Basis |
| Register you as a customer; provide and manage your account and the Services | Performance of a contract |
| Process billing, payments, and contract administration | Performance of a contract; legal obligation (tax/accounting) |
| Provide customer support and manage our relationship with you | Performance of a contract; legitimate interests (service quality) |
| Send service communications (updates, security alerts, policy changes) | Performance of a contract; legal obligation |
| Send marketing communications and measure campaign effectiveness | Consent; or legitimate interests (existing customers, where permitted) |
| Improve the performance, reliability, functionality, and security of our websites and Services | Legitimate interests (product improvement, security) |
| Analytics and business intelligence (understanding usage patterns) | Legitimate interests (understanding our users, improving our business) |
| Security, fraud prevention, and abuse detection | Legitimate interests (protecting our business and users); legal obligation |
| Comply with legal and regulatory obligations | Legal obligation |
Where we rely on legitimate interests, we balance our interests against your rights and freedoms and do not use this basis where your rights override. Where we rely on consent (such as for certain marketing or non-essential cookies), you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
Automated Processing
CustomerLabs may use automated processing, including rules-based and machine-assisted techniques, on our websites and within the Services for purposes such as analytics, fraud prevention, and service optimization. We do not use personal data collected through our website to train general-purpose machine learning or AI models made available to third parties. We do not engage in automated decision-making that produces legal or similarly significant effects on individuals based solely on automated processing.
6. Marketing Choices
You can opt out of marketing emails at any time by using the unsubscribe link in our emails or by contacting us at [email protected]. You may still receive non-marketing communications such as billing and service notices.
We do not sell your personal information as defined under applicable law. For details on how we share personal information with advertising and analytics partners (including cross-context behavioral advertising) and how to opt out, see Section 8 and Sections 12 and 13.
7. Cookies and Similar Technologies
We use cookies and similar technologies (pixels, web beacons, local storage) to operate our websites, remember preferences, understand usage, and measure our marketing. We use the following categories:
- Essential: Enable core functionality such as security, authentication, and session management. These cannot be disabled.
- Analytics: Help us understand how visitors use our website so we can improve it (e.g., Google Analytics).
- Marketing: Used to deliver relevant advertisements and track the effectiveness of our campaigns.
- Preferences: Remember your settings for a better experience.
Where required by applicable law, we present a cookie consent banner or preferences tool that allows you to accept or reject non-essential cookies. You can change your preferences at any time through our cookie settings (where available) or your browser settings. Disabling cookies may affect site functionality.
8. Who We Share Your Data With
We may disclose personal information to:
- Service providers: companies that help us operate our business, such as cloud hosting (such as Google Cloud Platform and AWS), payment processing, email delivery, analytics, and customer support tooling. These providers process data only on our instructions and are bound by contractual data protection obligations.
- Professional advisers: lawyers, auditors, insurers, and banks where necessary.
- Authorities: where required by law, regulation, or legal process, and to protect our rights, users, and Services.
- Business transfers: in connection with a merger, acquisition, reorganization, or sale of assets, subject to applicable data protection laws.
We may share limited information with analytics and advertising partners to measure and promote our Services, including in ways that may be considered “sharing” for cross-context behavioral advertising under the CCPA/CPRA. Where required by applicable law, we provide the ability to opt out of such sharing, including by honoring Global Privacy Control (GPC) signals as described in Section 13. We require these partners to respect the security of your personal information and to process it in accordance with applicable law and contractual restrictions.
9. International Transfers
CustomerLabs Inc is based in the United States. Your personal information may be processed in the US and other jurisdictions where we and our service providers operate, including India. Whenever we transfer personal data out of the EEA, UK, or Switzerland, we ensure appropriate safeguards are in place:
- EU Standard Contractual Clauses (SCCs): adopted under Commission Implementing Decision (EU) 2021/914 for transfers from the EEA.
- UK International Data Transfer Addendum: issued by the UK ICO under section 119A of the Data Protection Act 2018 for transfers from the UK.
- Swiss modifications: the EU SCCs with modifications required under Swiss law, including references to the Swiss FADP and the Swiss FDPIC as the competent supervisory authority.
CustomerLabs is not currently certified under the EU-US Data Privacy Framework and does not rely on it as a transfer mechanism unless and until we are certified and explicitly state so in an updated policy.
For more information about our transfer safeguards, contact [email protected] or refer to our DPA (Annex B).
10. Security
We maintain technical and organizational measures designed to protect personal information against unauthorized access, loss, misuse, alteration, or disclosure. These include encryption in transit (TLS 1.2 or higher), encryption at rest using cloud provider managed encryption, role-based access controls, audit logging, and security awareness training for our personnel.
No method of transmission or storage is fully secure. We work to maintain appropriate safeguards but cannot guarantee absolute security.
11. Data Retention
We retain personal information for as long as necessary to fulfill the purposes described in this Privacy Policy, including to comply with legal, accounting, and reporting requirements. General retention guidelines:
- Account data: retained for the duration of your account plus up to 90 days after account closure or termination, unless you request earlier deletion.
- Billing and transaction data: retained for up to 7 years after the relevant transaction to comply with tax and accounting obligations.
- Marketing data: retained until you unsubscribe or withdraw consent, plus a suppression record to honor your opt-out.
- Technical and usage data: generally retained for up to 24 months for analytics purposes, unless a shorter period applies.
- Backup copies: deleted in accordance with our automated backup lifecycle policies.
Customer Data processed on behalf of customers is retained as described in the DPA and customer instructions. In some circumstances we may anonymize personal data so that it can no longer be associated with you, in which case we may use such data without further notice.
12. Your Privacy Rights
EEA and UK Residents
If you are located in the EEA or the United Kingdom, you have the following rights under GDPR and UK GDPR:
- Access: request a copy of the personal data we hold about you.
- Rectification: request correction of inaccurate or incomplete personal data.
- Erasure: request deletion of your personal data where there is no compelling reason for continued processing.
- Restriction: request that we restrict processing of your personal data in certain circumstances.
- Portability: request transfer of your personal data in a structured, commonly used, machine-readable format.
- Objection: object to processing based on legitimate interests or for direct marketing purposes.
- Withdraw consent: withdraw consent at any time where we rely on consent as our legal basis.
- Lodge a complaint: lodge a complaint with your local supervisory authority.
US State Residents
If you are a resident of California, Virginia, Colorado, Connecticut, Texas, Oregon, Montana, or another US state with a comprehensive privacy law, you may have the following additional rights depending on your state:
- Right to know/access: request information about the categories and specific pieces of personal data we have collected, the sources, purposes, and categories of third parties with whom we share it.
- Right to delete: request deletion of personal data we have collected, subject to certain exceptions.
- Right to correct: request correction of inaccurate personal data.
- Right to opt out of sale or sharing: we do not sell personal information as defined under applicable law. We may share personal information for cross-context behavioral advertising. You can opt out of such sharing by contacting us at [email protected] and, where available, using our cookie preferences tool. We also honor GPC signals where required by law (Section 13).
- Right to non-discrimination: we will not discriminate against you for exercising your privacy rights.
- Right to appeal: where applicable, you may appeal a denial of a privacy request.
California-Specific Disclosures (CCPA/CPRA)
In the preceding 12 months, we have collected the categories of personal information described in Section 3 for the business purposes described in Section 5. We do not sell personal information as defined by the CCPA/CPRA. We may share certain personal information for cross-context behavioral advertising to measure and promote our Services. The categories of personal information we may share for this purpose include identifiers (such as online identifiers) and internet or other electronic network activity information. The categories of third parties with whom we may share include advertising networks and analytics providers. You can opt out of sharing by contacting us at [email protected] and, where available, using our cookie preferences tool. We also honor GPC signals where required by law (Section 13). We do not have actual knowledge that we sell or share the personal information of consumers under 16 years of age. Authorized agents may submit requests on your behalf, subject to verification.
Exercising Your Rights
To exercise any of the rights above, contact us at [email protected]. We will respond within one month for GDPR/UK requests (extendable by two months for complex requests) and within 45 days for US state law requests (extendable by an additional 45 days where permitted). We may need to verify your identity before fulfilling your request. There is generally no fee, but we may charge a reasonable fee for manifestly unfounded or excessive requests. You may also designate an authorized agent to submit a request on your behalf where permitted by applicable law, subject to verification.
If your request relates to Customer Data processed through our Services on behalf of one of our customers, please contact that customer directly. We will assist our customers in responding to such requests as required by law and our agreements.
13. Do Not Track and Global Privacy Control
Some browsers transmit โDo Not Trackโ (DNT) signals. There is currently no uniform standard for responding to DNT, and we do not currently respond to DNT signals.
We honor Global Privacy Control (GPC) signals where required by applicable law. If we detect a GPC signal from your browser, we will treat it as a valid request to opt out of the sale or sharing of your personal data for that browser or device, to the extent applicable under US state privacy laws.
14. Children
Our websites and Services are not intended for children under the age of 16 and we do not knowingly collect personal information from children. If we become aware that we have collected personal data from a child without appropriate consent, we will take steps to delete that data.
15. Third-Party Sites and Services
Our websites may include links to third-party websites and services. Their privacy practices are governed by their own policies. We encourage you to review them before providing personal information.
16. Data Processing Addendum
If you are a CustomerLabs customer, the processing of your end usersโ data through our platform is governed by our Data Processing Addendum (DPA), which covers GDPR, UK GDPR, Swiss FADP, US state privacy laws, HIPAA (Annex F), international transfer mechanisms (EU SCCs and UK Addendum), technical and organizational security measures, subprocessor obligations, and data subject rights assistance. The DPA is incorporated into our Terms of Service by reference and is available in the Services and/or upon request.
17. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or the Services. If changes are material, we will provide notice by posting the revised policy on our website with an updated Last Updated date and, where required by law, by email or through the Services. Your continued use of our website or Services after a change constitutes acceptance of the updated policy.
18. Contact Us
If you have questions about this Privacy Policy, wish to exercise your rights, or have concerns about how we handle your personal data:
Privacy inquiries: [email protected]
DPA and data processing: [email protected]
Postal address: CustomerLabs Inc, 651 N Broad St, Ste 206, Middletown, Delaware 19709, USA
