This policy covers the domains controlled by LabMinds, including, but not limited to, labminds.com, labminds.co.uk, and labminds.co, as well as the operations of LabMinds, including any products and services provided to our clients.
When we refer to “your” or “you”, we are referring to the data subjects whose personal data we are processing. “Data subjects” includes registered users of services provided by LabMinds, as well as visitors, contractors and contacts.
This policy informs you about:
- The legal basis under which we process personal data under the EU GDPR;
- Our obligations to data subjects under the EU GDPR;
- The processing of your personal data that we undertake as a data controller, including our data retention policies;
- International transfers of your personal data;
- Third-party data controllers and data processors;
- Our contact details.
The Legal Basis for Data Processing Under the EU GDPR
Data processing covered by this policy is performed under the legal basis of it being our legitimate interest. This means that the nature and extent of personal data processing (as detailed below) is in line with what would be expected by the data subjects whose personal data are being processed, given the nature of their interactions with us. We may also perform data processing under the legal basis of it being a legal obligation, for instance, when compelled to comply with a request by a law enforcement agency or when a specific regulation is applicable.
Our Obligations to Data Subjects Under the EU GDPR
You are informed about the legal basis under which we process your personal data and the specific data processing that occurs.
You can request access to any of your personal data that are under our control.
You can request rectification of your personal data.
You can request that your personal data are erased once processing of the data is no longer required, when not subject to processing required as part of a legal obligation.
You can object to the processing of your personal data, when not subject to processing required as part of a legal obligation.
You can request that data processing be restricted when contesting the legal basis for its processing or when it is in the process of being rectified.
You can request that wholly-automated decisions, which are made when processing your personal data, are reviewed by a human.
To contact us in relation to these obligations, when applicable to you, please use the contact details given in the Contact Details section of this policy.
Data Processing
3.1 All Visitors
Your IP address is collected from you when you access our sites. We process IP addresses as part of the security monitoring of our domains and the servers on which our services are hosted. We may block access to our services based on IP addresses, if the behavior originating from those IP addresses is deemed to be malicious.
Your email address and name will be used to respond to any requests you make for information or support, using the name and email address you provided as part of that request.
A cookie (named “csrftoken”) is used to protect against your browser being hijacked when sending data to us. For more information on what this protects against, see this explanation of cross-site request forgery. The cookie expires after a year. If you never interact with a form on our sites, this cookie will not be set. The security token stored in the cookie is refreshed each time you authenticate, if you are a registered user.
A cookie (named “messages”) is used to enable confirmation messages to be displayed to you after you complete an action on our sites. The cookie expires immediately.
3.2 Registered Users
Your name and email address are either provided by you or collected from the company through which you are granted access to our systems (usually your employer), and it is that company which is our client. Your name is used to account for your system usage as part of billing, and to greet you on our sites or in any notifications you have activated. Your email address is used as part of authentication, to direct any notifications that you have activated, and to communicate with you as part of the support of the services we provide.
Your organizational affiliations (laboratories, projects, groups and so on) are collected from the company through which you are granted access to our systems (usually your employer), and it is that company which is our client. We use your organizational affiliations for billing, and to control permissions conferred on you by your affiliation with those organizations.
We collect your system usage history (“order history”) as you use our services. Your order history is used for billing and logistics purposes.
Any system preferences that you provide will be used to configure our services.
A cookie (named “sessionid”) is used to identify your authenticated session so that actions you perform do not require you to continually re-enter your authentication credentials. The cookie expires after 14 days. A new session is created each time you authenticate.
3.3 Retention Policies
IP addresses are kept in logs for between 30 days and one year.
For registered users, your name, organizational affiliations, and order history are retained as a requirement for our compliance with regulations and guidance related to both financial reporting and electronic record keeping, and your email address and system preferences are retained while your user account is present.
For data subjects other than registered users, your email address and name are retained for the duration of the interaction that you have initiated.
The “csrftoken” cookie is used to support site security.
The “messages” cookie is used to present the results of actions to users of our sites.
The “sessionid” cookie is used to identify an authenticated session of a registered user.
International Transfer of Data
LabMinds is based in both the UK and the US. We store data in the US and the EU, with personal data of registered users being primarily located in the same region as the client company through which they are granted access to our systems. In order to support our operations, LabMinds may transfer personal data between and access personal data within these regions, employing safeguards to protect the data both in transit and at rest.
Third-Party Data Controllers and Data Processors
6.1 Third-Party Data Controllers
For registered users, the company through which you are granted access to our services will receive all personal data that are necessary for us to invoice that company. This invoicing is based on your system utilization and will include your name, organizational affiliations, and order history.
6.2 Third-Party Data Processors
LabMinds makes use of the following third-party data processors to support its operations.
- We use ZenDesk (https://www.zendesk.com) as part of our technical-support offerings.
- We use HubSpot (https://www.hubspot.com) as part of our account management, and sales and marketing work.
- We use Amazon Web Services (https://aws.amazon.com) as part of our cloud infrastructure, supporting data storage and transmission.
- We use Google’s G Suite (https://gsuite.google.com), Dropbox (https://www.dropbox.com), Slack (https://slack.com) and Atlassian’s tools (https://www.atlassian.com) to provide some of our internal business-support tools, including but not limited to communication, calendars, planning tools and document storage.
Contact Details
If you have any questions or complaints about this policy or about our privacy practices, please contact us by email at firstname.lastname@example.org, or by post at either:
57 Woodstock Road
230 Somerville Avenue Somerville MA 02143
If contacting us does not resolve your complaint, you have further options. For example, you may always lodge a complaint with a data protection supervisory authority, such as the Information Commissioner’s Office (https://ico.org.uk).