Privacy Policy
What I collect, why, and how to ask for a copy or deletion. Plain English first.
- Effective: May 5, 2026
- Last updated: May 5, 2026
- Contact: [email protected]
Summary
- I do not sell personal data. Beelab does not, and has never, sold or “shared” (as defined under CCPA/CPRA) personal information.
- Minimal collection. Order email, name, payment details (handled by the payment processor, not by me), and any messages you send to support.
- EU and UK customers have GDPR/UK GDPR rights to access, correct, port, restrict, object, and delete their data.
- California, Colorado, Virginia, etc. customers have CCPA/CPRA-style rights to know, delete, correct, and limit use of sensitive personal information.
1. Data we collect
Beelab is operated by Samad Ballaj as a sole independent business (“Controller” under GDPR). Based in Washington, DC, USA; mailing address provided on request via [email protected]. EU representative under GDPR Art. 27: to be appointed before the first EU sale; current intent is VeraSafe or EDPO, and this section will be updated with the appointed representative's name and address once the contract is signed. The data Beelab collects is limited to what is necessary to fulfil orders and answer support.
- Account / order data: name, email, billing address, country, the products or services you bought.
- Payment data: handled by our Merchant of Record (Lemon Squeezy, see section 7). Beelab receives only the order summary and last 4 digits of the card or wallet identifier; we never receive the full card number or CVV.
- Support messages: the contents of emails or tickets you send to [email protected] and any attachments.
- Server logs: the IP address, user-agent, and request path are written to short-lived web-server access logs by our hosting provider for abuse detection. Logs are rotated as described in section 6.
- Analytics (if any): If we deploy analytics, it will be a privacy-preserving, no-cookie tool such as Plausible, with aggregate metrics only and IP truncation. We will list it in section 7 before turning it on.
Beelab does not use behavioural advertising cookies, cross-site trackers, fingerprinting, or session-replay.
2. Why we use it
- To process and ship your order.
- To answer your support questions and run warranty claims.
- To send transactional email about your order (receipts, shipping updates, refund notifications, security advisories about a specific product you bought).
- To meet our legal obligations (tax records, fraud prevention, export-control checks where applicable).
- To improve Beelab: aggregated, de-identified support trends only.
3. Lawful bases under GDPR
For EU and UK customers, the lawful bases under GDPR Art. 6(1) are:
- Contract (Art. 6(1)(b)): processing your order, shipping, support.
- Legal obligation (Art. 6(1)(c)): tax invoices, fraud screening, retention of accounting records.
- Legitimate interest (Art. 6(1)(f)): securing the site, preventing abuse, basic anonymous analytics if deployed. Balanced against your rights and freedoms.
- Consent (Art. 6(1)(a)): only used for optional communications such as a marketing newsletter, where we ask for opt-in.
4. Your rights under GDPR (Art. 15-22)
If you are in the EU, EEA, or UK, you have the right to:
- Access a copy of your personal data (Art. 15).
- Rectify inaccurate data (Art. 16).
- Erase data (the “right to be forgotten,” Art. 17), subject to legal-retention overrides.
- Restrict processing while a dispute is open (Art. 18).
- Receive your data in a portable, machine-readable format (Art. 20).
- Object to processing based on legitimate interest (Art. 21).
- Avoid solely-automated decisions with legal effect (Art. 22). Beelab does not run such decisions.
- Lodge a complaint with your supervisory authority. We hope you contact us first so we can fix it.
To exercise any right, email [email protected] from the address on the order. We will respond within 30 days, free of charge for first requests.
5. Your rights under CCPA/CPRA (and similar US laws)
If you are a California resident you have the right to:
- Know what personal information we collect, the sources, the purposes, and which categories we share with sub-processors.
- Delete personal information we collected from you, with the standard legal exceptions (e.g. completing your order, tax records).
- Correct inaccurate information.
- Limit use of sensitive personal information (we do not collect sensitive PI as defined by CPRA).
- Opt out of sale or sharing. Beelab does not sell or share personal information as defined by the CCPA/CPRA. There is no opt-out link because there is no sale or sharing to opt out of.
- Non-discrimination for exercising any right.
Residents of Colorado (CPA), Virginia (VCDPA), Connecticut (CTDPA), Utah (UCPA), and other states with similar comprehensive privacy laws have analogous rights. The same email address handles those requests: [email protected].
6. Retention
- Order records and tax invoices: kept for 7 years from the order date as required by U.S. and EU tax-record rules, then deleted or anonymised.
- Support tickets: kept for 3 years from the last message, so we can recognise repeat issues, then anonymised.
- Server access logs: rotated within 30 days.
- Marketing email lists: kept until you unsubscribe; the unsubscribe link is in every marketing email.
7. Sub-processors
Beelab uses a small number of independent vendors to actually run the business. They process personal data only on our instructions. The list below is updated when a vendor is added or removed; the most recent change is reflected in “Last updated” at the top.
| Vendor | Purpose | Region |
|---|---|---|
| Lemon Squeezy | Merchant of Record, payments, tax remittance, checkout analytics cookies set by lemon.js on checkout pages | US / EU |
| Resend | Transactional email (receipts, shipping) | US / EU |
| Cloudflare | DNS, CDN, DDoS protection, WAF | Global edge |
| Vercel | Marketing site rendering and logs | US / EU |
The list is updated as we add tools. We will not add a sub-processor that materially changes how data is processed without first updating this page and giving notice on the next order receipt.
8. International transfers
If your personal data is transferred from the EU/EEA or UK to the United States, we rely on the EU-US Data Privacy Framework adequacy decision (EUR-Lex 2023/1795) where the receiving vendor is DPF-certified. For transfers to vendors or countries not covered by an adequacy decision, we use the European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, plus appropriate supplementary measures (encryption in transit, access controls). A copy of the SCCs is available on request.
9. Cookies
The marketing site uses no advertising or tracking cookies. The only first-party cookies set, if any, are strictly necessary cookies for session and CSRF protection, set when you submit a form.
When you proceed to checkout, our Merchant of Record (Lemon Squeezy) loads its lemon.js script and may set third-party analytics cookies on its own checkout pages. Loading is gated to the moment you click a checkout button (consent-by-action under ePrivacy Directive 2002/58/EC Art. 5(3)); the script is not loaded on pages where you have not initiated checkout. You can clear all cookies at any time in your browser. If we add a separate analytics tool, it will be cookieless or first-party only and listed in section 7.
10. Children
Beelab is sold to adults running their own infrastructure. Beelab and the marketing site are not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe we have, email [email protected] and we will delete it.
11. Changes
We may update this Privacy Policy. The “Last updated” date at the top reflects the most recent change. For material changes that reduce your rights we will use reasonable efforts to notify active customers by email and the change will take effect no earlier than 14 days after the notice.
12. Contact and complaints
Privacy questions, rights requests, complaints: [email protected]. EU and UK residents can also lodge a complaint with their national data protection authority.
Questions: [email protected].