On this page
01 — Controller and contactWho is responsible
Controller of the website ailabrix.com: Mindys LLC, a limited-liability company incorporated in the State of Wyoming, USA (registered agent address available on request), email [email protected]. For the self-hosted product running inside your infrastructure, the controller is your organisation; Mindys LLC intervenes only as processor under a DPA signed before any access.
Data residency. The public AiLabrix website and the servers that host the demonstration platform are physically located inside the European Union (EU). Personal data submitted on this website is therefore processed on EU soil, even though the controller (Mindys LLC) is established in the USA. Optional cloud LLM backends are listed separately on /trust with their country and Standard Contractual Clauses.
Privacy contact. You can reach the privacy team at [email protected] for any GDPR-related question, including data-subject rights requests, DPIA copies, sub-processor list and the full compliance dossier under NDA.
02 — ScopeWhat this notice covers (and what it does not)
This notice covers personal data processed when you (a) browse ailabrix.com and its sub-pages, (b) send us a contact form, dossier request or newsletter subscription, (c) log into a demonstration instance hosted by us, (d) interact with the platform via documented APIs of the public website.
It does not cover the clinical or scientific datasets you upload to your own self-hosted AiLabrix instance — those remain inside your infrastructure and are governed by your own privacy notice and DPIA. Mindys LLC never receives a copy of them by default.
03 — Categories of personal dataWhat we collect
| Category | Examples | Source |
|---|---|---|
| Identification | Full name, organisation, role, work email, country | You (forms) |
| Communications | Subject, message body, attachments you choose to send | You (forms / email) |
| Account & authentication | Email, hashed password (Argon2id), TOTP secret (encrypted at rest), session cookies | You + the platform |
| Technical / log | IP address, user agent, request path, timestamps, error traces (90-day retention max) | Browser + server |
| Audit trail | Action (login, gate, config change, LLM call), actor id, dataset hash, model id, token counts, cost in USD | The platform |
| Marketing (opt-in) | Email, optional name, subscription status, source list — only if you subscribe | You (newsletter form) |
We do not knowingly process pseudonymised or identifiable patient data on the public website. Clinical PII inside a self-hosted deployment is filtered before any LLM call by an 18-category HIPAA Safe Harbor sanitisation gate — see /trust.
04 — Purposes and legal basesWhy we process, under which article
| Purpose | Legal basis | Retention |
|---|---|---|
| Reply to your contact, sales, partnership or privacy team request | Art. 6(1)(b) pre-contractual measures · Art. 6(1)(f) legitimate interest in operating an inbound channel | 36 months from last contact |
| Send the compliance dossier under NDA | Art. 6(1)(b) pre-contractual · Art. 6(1)(c) audit-trail obligation | 36 months |
| Product newsletter, release notes, lab playbooks | Art. 6(1)(a) consent (single opt-in, one-click unsubscribe) | Until you unsubscribe |
| Operate the demonstration / authenticated area | Art. 6(1)(b) contract · Art. 6(1)(f) legitimate interest in security (anti-bruteforce, TOTP) | Account lifecycle + 12 months |
| Detect abuse, fraud, intrusion attempts | Art. 6(1)(f) legitimate interest in network & information security (Recital 49) | 90 days (logs) · 12 months (security events) |
| Comply with legal obligations (accounting, tax, lawful requests) | Art. 6(1)(c) legal obligation | As required by applicable law (typ. 10 years EU) |
| Establish, exercise or defend legal claims | Art. 6(1)(f) · Art. 9(2)(f) for any incidental special-category data | Statute of limitations |
Where we rely on legitimate interest we run a documented LIA (Legitimate Interest Assessment) and you can object at any time — see Section 10.
05 — Special categoriesHealth data, research and Art. 9
AiLabrix is designed for research-use-only laboratory data. Where the self-hosted platform processes data falling under Art. 9(1) GDPR (data concerning health, genetic or biometric data), the controller (your organisation) must rely on a specific Art. 9(2) condition — typically Art. 9(2)(j) scientific research with Member-State safeguards, or Art. 9(2)(a) explicit consent.
AiLabrix supports these obligations with: pseudonymisation by design (dataset hash, no row-level transmission to LLMs), enforced PII gate, DPIA template, and a written Art. 28 DPA. The platform does not support clinical diagnostic use and refuses to be used outside the research scope by way of an enforced disclaimer on every screen and PDF.
06 — Recipients & sub-processorsWho else sees your data
Personal data is processed by trained Mindys LLC staff bound by confidentiality. We share it with a short list of qualified sub-processors strictly necessary to run the website and the optional cloud LLM backends. The current list, with country, role, DPA reference and Standard Contractual Clauses where applicable, is published at /trust and is updated 30 days before any change.
Beyond sub-processors we may disclose data to (i) competent authorities pursuant to a binding legal order, (ii) professional advisors (lawyers, auditors) under confidentiality, (iii) a successor entity in case of merger or acquisition, with prior notice where feasible.
07 — International transfersOutside the EU/EEA
Where a sub-processor (e.g. Anthropic, OpenAI) is established outside the EU/EEA, the transfer is covered by the European Commission's Standard Contractual Clauses (Decision 2021/914) plus a documented Transfer Impact Assessment (TIA) and, where applicable, supplementary measures (in-region routing, end-to-end TLS, no-training contractual clauses).
You can obtain a copy of the SCCs and the TIA summary by writing to the privacy team.
Mindys LLC staff access (USA). Although the website servers run in the EU, members of Mindys LLC staff established in the United States may need to access personal data stored on those servers for limited operational purposes (support, security incident response, billing reconciliation). This intra-organisation access qualifies as a Chapter V GDPR transfer and is governed by the EU Standard Contractual Clauses (Decision 2021/914, controller-to-controller Module 1, or controller-to-processor Module 2 where applicable), the same documented Transfer Impact Assessment (TIA) referenced above, and supplementary measures: role-based access control, multi-factor authentication, full audit logging of every access event, encryption in transit, and a written confidentiality obligation that survives termination of employment.
08 — RetentionHow long we keep it
Retention periods are summarised in the table at Section 4. After the relevant period data is either deleted, anonymised beyond reconstruction, or — if retained for legal obligations — placed in restricted archival storage. The append-only audit trail is retained for 90 days at row level; aggregated metrics are retained indefinitely without personal identifiers.
09 — SecurityTechnical and organisational measures
- TLS 1.2+ in transit; HSTS preloaded; database on private network, not exposed.
- Passwords hashed with Argon2id; TOTP secrets encrypted at rest with Fernet.
- Strict Content Security Policy, CSRF tokens, rate-limiting (Flask-Limiter), bot challenge on public forms.
- Append-only audit log with SHA-256 hash chain; tamper-evident.
- Pinned CycloneDX SBOM, weekly dependency scanning, signed releases.
- Documented incident-response plan with 72-hour Art. 33 notification target.
- Least-privilege RBAC, MFA enforced on administrative roles.
10 — Your rightsArticles 15–22 GDPR
- Access (Art. 15) — obtain confirmation and a copy of your personal data.
- Rectification (Art. 16) — correct inaccurate or incomplete data.
- Erasure / right to be forgotten (Art. 17) — including by dataset hash query.
- Restriction (Art. 18) — limit processing while a dispute is reviewed.
- Portability (Art. 20) — receive data in a structured, machine-readable format.
- Objection (Art. 21) — including for processing based on legitimate interest or direct marketing.
- Withdraw consent at any time (Art. 7(3)) without affecting prior processing.
- Complain to a supervisory authority (Art. 77), typically the one of your habitual residence or of the alleged infringement.
Exercise any of these rights by writing to [email protected]. We answer within one month (Art. 12(3)); the period may be extended by two further months for complex requests, with notice. Service is free of charge unless requests are manifestly unfounded or excessive.
Self-service. Logged-in users can exercise the rights of access, portability and erasure immediately from /account: download a full machine-readable archive of your data (Art. 15 & 20) or delete your account and all associated personal data (Art. 17). If you are the only admin of your workspace, deletion also erases the workspace.
11 — Automated decisionsAI, profiling and Art. 22
AiLabrix does not produce decisions with legal or similarly significant effect on you in the meaning of Art. 22(1) GDPR. The pipeline produces analytical artefacts (figures, statistics, suggested interpretations) that are always presented to a human reviewer through enforced validation gates. The final scientific or clinical decision is human.
We log model identity, prompt hashes, token counts and outcome for every LLM call. You can request the LLM-call trail attached to any operation involving your personal data.
12 — ChildrenNot for minors
The AiLabrix website and platform are not directed at minors and are not intended for the processing of data of persons below 16. We do not knowingly collect personal data from such individuals. If you believe we did, contact the privacy team and we will delete it without undue delay.
13 — Changes & contactUpdates to this notice
We may amend this notice to reflect product, regulatory or organisational changes. Material changes are announced 30 days in advance to subscribers and visibly on this page. The version and effective-date stamp at the top of the page is authoritative; superseded versions are archived and available on request.
Questions, complaints or rights requests: [email protected]. General contact: /contact. Full compliance posture and per-control evidence: /trust.