Privacy Policy

Effective Date: April 18, 2026

1. Introduction; Scope

Welcome to LabGiant ("we," "our," "us"). We are committed to protecting your privacy and ensuring compliance with data protection laws such as the Personal Information Protection and Electronic Documents Act (PIPEDA) and the General Data Protection Regulation (GDPR), where applicable. This Privacy Policy explains how we collect, use, store, and share your personal information when you access or use our websites, applications, marketplace, AI-powered features, and related services (the "Services").

This Policy does not apply to information that we process on behalf of Sellers as their processor/service provider; in those cases, Sellers' privacy notices apply.

We act as a controller when we determine the purposes and means of processing (for example, account management, security, fraud prevention, analytics, and marketing) and as a processor when we process personal information on behalf of Sellers. Where we act as controller under the GDPR, our legal bases include: performance of a contract; our legitimate interests in providing and improving the Services, ensuring security, and preventing fraud; compliance with legal obligations; and consent where required.

The controller of your personal information for the purposes described in this Policy is LabGéant Inc. (LabGiant Inc.). Contact: [email protected].

Where we process personal information on behalf of Sellers, our Data Processing Addendum is available on request.

Processor Commitments. When acting for a Seller, we process personal information only on the Seller's documented instructions, do not sell or share it, do not use it for our own purposes, and provide assistance with security, breach notices, and data subject requests as required by law.

We conduct transfer impact assessments and privacy impact assessments when required by law (including Quebec Law 25 and the GDPR), particularly for cross-border processing.

2. Information We Collect

We collect the following types of data, depending on your interactions with the Services:

  • User Profile Data: This includes your name, email address, institution, faculty, department, research interests, research lab information, and publications.
  • Research Resource Data: Information related to reagents, equipment, and services that you provide or seek through our platform.
  • AI Interaction Data: Prompts, messages, and outputs from AI features (including chat and recommendations), as well as system metadata (timestamps, model versions, latency) and safety filters applied. We store this data to allow you to revisit interactions and to improve our AI services in accordance with this Policy.
  • Sensitive Data (Limited): Depending on your use of the Services, certain information such as research interests or affiliations could be considered sensitive in some jurisdictions. We limit our use of such information to the purposes described in this Policy and applicable law.
  • Social Media Data: Content such as posts related to lab news, publications, and updates that you share on our platform.
  • Payment Data: Payment processing details handled securely by Stripe. We do not store your sensitive payment information; it is processed directly by Stripe in accordance with their privacy policy.
  • Usage Data and Analytics: Device and browser information, IP address, language, pages viewed, referring/exit pages, and other usage metrics collected via cookies, SDKs, or similar technologies for performance, debugging, and security.
  • Support and Communications: Information you provide when contacting support, responding to surveys, or providing Feedback.

Sources of Personal Information. We collect personal information directly from you and your organization; from Sellers and Buyers in connection with Listings and Transactions; from your devices through cookies and similar technologies; and from service providers and public sources such as published lab websites and academic directories.

Third-Party Data You Submit. If you provide personal information about someone else (e.g., a colleague's name or email), you represent that you have authority or another lawful basis to do so. We will process that information in accordance with this Policy.

U.S. State "Notice at Collection."

For residents of California and similar U.S. state laws, we collect the following categories of personal information: identifiers (e.g., name, email) (Cat. A); commercial/transaction information related to Listings and purchases (Cat. D); internet or electronic activity (e.g., log data, device data) (Cat. F); professional or employment-related information (e.g., institution, department) (Cat. I); and inferences drawn from the above to provide recommendations (Cat. K). Sources and purposes are described in §§2–3. Retention is described in §5. We do not "sell" or "share" personal information for cross-context behavioral advertising as those terms are defined by applicable law, and we do not use or disclose sensitive personal information for purposes that would require a "right to limit." You can exercise your state privacy rights as described in §5.

3. How We Use Your Information

We use your data for the following purposes:

  • Service Provision and Improvement: To provide, maintain, and improve our platform's services, including personalized research recommendations and resource sharing.
  • Research Collaboration: To facilitate connections and collaborations between researchers and institutions.
  • Payment Processing: To process transactions securely through Stripe.
  • AI Enhancement: To enhance AI-driven research recommendations and services. Your interactions with our AI features may be used to improve model performance and to evaluate safety and quality. Where we rely on third-party AI providers, we use contractual controls to limit provider-side training to the extent available and obtain consent or provide disclosure consistent with applicable law.
  • Automated Decision-Making: We do not make decisions that produce legal or similarly significant effects about you solely by automated means without human involvement. AI features provide suggestions and summaries for users to review.
  • Legal Compliance: To comply with legal obligations and enforce our Terms of Use.
  • Security and Fraud Prevention: To protect accounts and the Services, detect, prevent, and respond to fraud, abuse, and security incidents.
  • Marketing and Communications: To send service-related and, where permitted, marketing communications. You can opt out of non-essential marketing at any time.
  • De-identified and Aggregated Data: We may create de-identified or aggregated data for analytics, safety, and service improvement. We commit to maintain de-identified data without attempting to re-identify it, except as permitted by law to test and verify our de-identification processes.
  • Compliance with Anti-Spam Laws: We send marketing communications only as permitted by law, including Canada's Anti-Spam Legislation (CASL) and the U.S. CAN-SPAM Act. You can opt out at any time using the unsubscribe link or by contacting us.

4. Data Sharing & Third-Party Services

We may share your data with the following third parties:

  • Stripe: For secure payment processing. Your payment information is handled in accordance with Stripe's privacy policy.
  • AI Service Providers: We utilize AI models and services from providers such as OpenAI and Google to enhance our capabilities. These providers may process your inputs and outputs to provide the service. Where contractually available, we disable provider-side training and otherwise obtain consent or provide disclosure.
  • Institutional Partners: In cases of research collaboration, we may share relevant information with institutional partners, always in compliance with applicable data protection laws.
  • Analytics, Security, and Infrastructure Vendors: For hosting, performance monitoring, error tracking, and security. These vendors process data under agreements that limit their use of data to providing services to us.

We may disclose information to comply with law, enforce our Terms, protect rights, property, or safety, or as part of a corporate transaction (e.g., merger, acquisition, or asset sale) subject to appropriate safeguards.

We may disclose information in response to lawful requests from public authorities, including to meet national security or law enforcement requirements, after verifying the request and only to the extent required by law. Where legally permitted, we will notify affected users of governmental requests for their information.

We maintain and publish a list of key service providers (subprocessors) that process personal information for us and will provide reasonable advance notice of material changes to that list. If you have reasonable data-protection grounds to object to a new subprocessor, contact us and we'll work with you in good faith. You can request the current list by emailing [email protected].

5. Data Retention & User Rights

  • Data Retention: We retain personal information for as long as needed to provide the Services and for legitimate business purposes such as security, fraud prevention, audits, and legal compliance. Retention periods vary by data category and are determined by criteria such as the nature of the data, legal requirements, and potential need in connection with disputes. When data is deleted from active systems, it may remain in backups for a limited period consistent with our backup and disaster recovery policies.
  • Representative retention periods (pilot):
    • Account and profile data: for the life of the account and up to 12 months after closure.
    • AI interaction logs (prompts and outputs): up to 24 months, unless you request earlier deletion where feasible.
    • Security and web server logs: up to 12 months.
    • Support tickets and communications: up to 24 months after ticket closure.
    • Payment and billing records: up to 7 years to comply with tax and accounting requirements.
    • Backups: typically rotate within 90 days.
  • User Rights: You have the right to access, correct, or delete your personal data. You can manage your data through your account settings or by contacting us directly. Additionally, you can opt out of certain data collection features. Depending on your location, you may have additional rights (e.g., data portability, restriction, objection) which you can exercise by contacting us.
  • Right to Withdraw Consent: If our processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of processing before withdrawal.
  • Right to Object: You may object to processing based on our legitimate interests, including profiling related to direct marketing. We will stop such processing unless we demonstrate compelling legitimate grounds.
  • U.S. State Privacy Rights: Residents of certain U.S. states have rights to know/access, delete, correct, obtain a copy of personal information, and to opt out of certain processing. LabGiant does not sell or share personal information for cross-context behavioral advertising as those terms are defined by applicable law. You can exercise rights by emailing [email protected] or using account settings where available. We will verify requests and respond within required timelines.
  • Sensitive Information (U.S. states): We do not use or disclose sensitive personal information for purposes that would require a "right to limit" under applicable U.S. state privacy laws.
  • EEA/UK Supervisory Authorities: If you are in the EEA, UK, or Switzerland, you have the right to lodge a complaint with your local supervisory authority. Contact details are available from the European Data Protection Board and the UK Information Commissioner's Office.
  • Data Subject Requests: You may submit requests by emailing [email protected]. We may need to verify your identity and, where applicable, your authority to act on behalf of someone else. We will respond within the timelines required by law and provide appeal rights where applicable.
  • Authorized Agents (U.S.). You may designate an authorized agent to submit a request on your behalf. We may require proof of authorization and verification of your identity.
  • Non-Discrimination. We will not discriminate against you for exercising your privacy rights.
  • Appeals. If we deny your request, you may appeal by emailing [email protected] with "Privacy Appeal" in the subject. We will explain our decision and how you can contact your regulator if you remain unsatisfied.

6. Security Measures

We implement robust security protocols to protect your data, including encryption, access controls, and secure server infrastructure. While we strive to protect your personal information, no method of transmission over the internet or method of electronic storage is 100% secure.

We maintain a register of confidentiality incidents and evaluate risks and notifications in accordance with Quebec law.

To report a security vulnerability, please contact [email protected]. We will acknowledge receipt and work with you on coordinated disclosure.

7. International Data Transfers

Where personal information is transferred outside the country where it was collected, we rely on recognized safeguards such as the EU Standard Contractual Clauses and the UK International Data Transfer Addendum (IDTA), or on other adequacy mechanisms as applicable. Our primary hosting locations and key subprocessors are listed in a public "Subprocessors and Hosting Locations" document that we update from time to time.

Personal information stored or processed in other jurisdictions may be subject to lawful access by courts, law-enforcement, or national-security authorities in those jurisdictions.

For this pilot, we do not actively target or monitor individuals in the EEA or UK. If and when we do, we will appoint an EU/UK representative under GDPR Article 27 and update this Policy with their contact details.

8. Cookies and Similar Technologies

We and our partners use cookies, SDKs, and similar technologies to provide, analyze, and improve the Services, remember your preferences, and measure effectiveness. You can control cookies through your browser settings; however, certain features may not function properly without cookies. Where required by law (e.g., EEA, UK, Quebec), we obtain your consent via our cookie banner before setting non-essential cookies. You can change your choices any time in Cookie Settings (link in footer). We honor Global Privacy Control (GPC) signals where recognized.

9. Children's Privacy

Our Services are intended for individuals who are at least 18 years old. We do not knowingly collect personal information from children under 13 in the United States or under the age of digital consent in the EEA without appropriate parental consent, and we will take steps to delete such information if we become aware of it.

We do not knowingly sell or share personal information of individuals under 16 years of age.

10. Early Deals Program; Feedback and Telemetry

If you participate in any early access, beta, pilot, promotional pricing, or "early deals" program, you agree that we may contact you for feedback and collect usage telemetry and performance data to improve our Services, consistent with this Policy. Feedback you provide may be used by us without restriction or attribution.

10.1 Notice of Financial Incentive (California)

Our Early Deals Program may include promotional pricing or similar benefits. This can be considered a financial incentive under California law because it is reasonably related to the value of program participation and the telemetry or feedback you choose to provide.

Categories of personal information involved may include identifiers (e.g., email), usage telemetry, and inferences used to improve the Services. We make a good‑faith estimate that the value of the incentive is reasonably related to program costs, expected revenue, and the value of aggregated insights.

Participation is optional. You can opt in by accepting an Early Deals offer, and you may withdraw at any time without affecting your ability to use the core Services, though the incentive may end. To opt out, contact [email protected].

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. We will notify you of any significant changes by posting the new policy on our website and updating the effective date. Where required by law, we will provide additional notice (for example by email or in-product) before material changes take effect.

12. Google User Data and Google API Services

LabGiant offers an optional feature in the Protocol Builder Inventory Node that lets you connect a Google account to sync lab inventory with a Google Sheet you own. This section describes what Google user data we access, how we use it, how it is stored, and how you can revoke access. You are never required to connect a Google account to use LabGiant.

12.1 Scopes we request

When you connect a Google account, LabGiant requests only the following OAuth 2.0 scopes from Google:

  • https://www.googleapis.com/auth/spreadsheets: to read and write cells in Google Sheets that you explicitly link to a Protocol Builder Inventory Node, so we can display inventory data, detect inventory columns, and push updates back to your sheet.
  • https://www.googleapis.com/auth/userinfo.email: to retrieve the email address of the Google account you connected, so we can display which account is in use and support connecting multiple Google accounts to one LabGiant user.

We do not request access to Gmail, Google Drive (beyond the specific spreadsheets you link), Google Calendar, Contacts, Photos, or any other Google service.

12.2 How we use Google user data

Google user data is used solely to provide and improve the user-facing Inventory Node feature you requested. Specifically:

  • Read spreadsheet metadata (title, sheet names, row and column counts) and cell values from the specific sheets and ranges you link to an Inventory Node.
  • Write or update cell values in those same sheets when you edit inventory inside LabGiant.
  • Display the connected Google account email in the Credentials Panel so you know which account is in use.

We do not use Google user data for advertising, we do not sell or rent Google user data to any third party, and we do not use Google user data to train, fine-tune, or evaluate generalized or third-party artificial intelligence or machine learning models. Humans do not read your Google user data except (a) with your explicit consent, (b) where necessary for security investigations, or (c) to comply with applicable law.

12.3 Storage, retention, and deletion

Google OAuth access and refresh tokens are encrypted at rest in our database and are used only to call Google APIs on your behalf. Spreadsheet contents are fetched on demand when you open an Inventory Node or trigger a sync; we do not maintain a long-term mirror copy of your sheet. If you revoke access, or if the Google account disconnects itself, both the access token and refresh token are revoked with Google and then deleted from our database.

12.4 How to revoke access

You can disconnect a Google account from LabGiant at any time through the Credentials Panel in any Protocol Builder Inventory Node. You can also revoke LabGiant's access directly from your Google Account at myaccount.google.com/permissions. Revocation takes effect immediately.

12.5 Limited Use disclosure

LabGiant's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

13. Contact Information

For privacy-related inquiries or to exercise your data protection rights, please contact us at [email protected].

Privacy Officer. The person responsible for the protection of personal information at LabGiant is our Privacy Officer. Contact: Privacy Officer, LabGéant Inc. (LabGiant Inc.), [email protected].

Complaints. You may lodge a complaint with the Office of the Privacy Commissioner of Canada or the Commission d'accès à l'information du Québec, or with another competent data protection authority, in addition to exercising your rights with us.

In the event of a data breach affecting personal information, we will notify affected individuals and regulators without undue delay and within 72 hours where required by the GDPR, and we will follow PIPEDA and Quebec's Act respecting the protection of personal information in the private sector breach reporting requirements, including notification to the Commission d'accès à l'information du Québec (CAI) where there is a risk of serious injury.