LabRat processes account, workspace, usage, device, and support information to operate an AI-assisted product research service. Research inputs may be sent to the AI or web-search provider selected for the workspace. Requests concerning personal data can be submitted through the Data Requests page.
Scope and operator
This policy applies when you visit a LabRat public site, create or use a LabRat account, join a workspace, use the mobile app or Local Runtime, contact support, or otherwise interact with LabRat services.
LabRat is operated under the Solvin apps name. In this policy, “LabRat,” “we,” “us,” and “our” refer to the operator of the LabRat service. This policy does not replace the privacy terms of third-party services that you choose to connect.
Information you provide
- Account and profile information, including email address, display name, avatar URL, authentication records, and workspace membership.
- Workspace content, including product ideas, captures, source URLs, notes, builder profiles, research prompts and reports, scores, competitor records, requirements, blueprints, previews, generated files, and handoff packages.
- Hosted settings you choose to save, including notification, interface, research, and Local Runtime preferences. BYOK model, endpoint, web-search, and credential settings are stored only by LabRat Local on the machine where you configure them.
- Billing and plan information, including plan selection, Paddle customer, transaction and subscription identifiers, billing contact details, subscription status, support notes, and read-only historical upgrade-request records. LabRat does not store complete payment-card numbers.
- Support communications, privacy requests, feedback, and any diagnostic context you choose to include.
Information collected automatically
- Service and security logs such as IP address, request time, route, response status, browser or device type, app version, and authentication or abuse signals.
- Usage information such as page views, product surface, feature interactions, workspace plan, research and generation counters, error states, and performance or reliability diagnostics.
- Web analytics identifiers and first-party analytics cookies when Firebase / Google Analytics is available in the browser.
- Mobile app-instance, crash, device, operating-system, and push-notification information processed by Firebase Analytics, Crashlytics, and Cloud Messaging.
- Local Runtime status such as runner identity, platform, app version, allowed workspace roots, capabilities, and task state. Local credentials, authorized filesystem paths, and response caches remain on the device unless a feature explicitly sends related output to the cloud workspace.
Mobile capture, speech, and notifications
If you choose a screenshot, LabRat uses on-device text recognition and submits the extracted text only when you create a capture; the selected image is not uploaded as part of that capture flow. Dictation is handled through the device speech service, and LabRat receives the resulting text. Your operating-system provider may separately process audio under its own settings and privacy terms.
If you enable notifications, LabRat stores a push token, platform, locale, workspace and user association, and delivery state so relevant research or workflow updates can be delivered. You can disable notifications in the app or device settings.
Where information comes from
Information comes from you, workspace owners or members who invite you or work with shared records, your device and browser, connected AI or search services, payment providers when enabled, and public sources that LabRat retrieves for product research. Public-source material remains subject to the source site’s terms.
How we use information
- Create and secure accounts, provision workspaces, enforce roles and tenant isolation, and keep sessions active.
- Run captures, research, demand scanning, scoring, AI generation, requirements, build planning, exports, Local Runtime jobs, and notification workflows.
- Route prompts and source queries to the selected AI or web-search provider and return the resulting output to the workspace.
- Measure plan usage, operate Paddle subscriptions and historical billing records, prevent abuse, and enforce service limits.
- Provide support, investigate errors, maintain security, monitor reliability, and improve product flows using aggregated or minimized usage information.
- Comply with legal obligations, enforce the Terms, and protect users, LabRat, and third parties.
Legal bases for EEA and UK processing
| Processing | Legal basis | Why it applies |
|---|---|---|
| Accounts, workspaces, requested AI/search routes, exports, support, and billing administration | Contract or steps requested before a contract | Needed to create the service relationship and provide the features you request. |
| Authentication security, tenant isolation, abuse prevention, reliability, minimal operational logs, and legal-claim protection | Legitimate interests | Needed to protect users and operate a reliable service; LabRat applies access controls, minimization, limited retention, and an objection right. |
| Optional Firebase / Google Analytics and optional Crashlytics collection | Consent | Disabled by default and enabled only after a clear affirmative choice; consent can be withdrawn without losing core service access. |
| Tax, accounting, sanctions, lawful orders, regulatory responses, and mandatory recordkeeping | Legal obligation | Processed only to the extent an applicable obligation requires. |
| Protecting a person or responding to an emergency | Vital interests where applicable | Used only in exceptional circumstances where this legal basis is available. |
Where legitimate interests apply, LabRat considers necessity, user expectations, data sensitivity, safeguards, and likely impact before processing. You may object through the in-product Privacy Request Center or the contact route below.
Hosted AI, Local BYOK, and web-search processing
Hosted Web and mobile research sends the prompt, selected workspace context, and relevant source material only to LabRat-managed platform AI and platform-managed search. An eligible signed-in account may instead start a task from LabRat Local, where the local runtime sends the selected context to the locally configured BYOK provider.
When you configure a third-party or OpenAI-compatible endpoint in LabRat Local, that provider processes submitted information under its own agreement and privacy terms. Review its retention and training controls before sending confidential material. LabRat does not control an independently selected provider’s processing.
The hosted service does not accept or store personal or team BYOK API keys. Locally configured provider credentials stay in the LabRat Local credential store on that machine. You remain responsible for the provider account, charges, permissions, and data settings attached to a BYOK credential.
When information is shared
LabRat shares information only as needed to provide or protect the service: with workspace members according to their roles; with infrastructure, authentication, analytics, notification, support, AI, search, and payment providers; when required by law or a valid legal process; to investigate fraud, abuse, or security incidents; or as part of a business reorganization subject to appropriate safeguards.
Service providers are expected to process information for the contracted service. Optional AI, search, and payment providers are used only when the related route or feature is selected or enabled.
Cookies, browser storage, and analytics
LabRat uses browser storage for authentication sessions, workspace selection, theme and runner preferences, in-progress job references, and similar necessary service functions. Firebase / Google Analytics is disabled until you accept optional analytics. A clear Reject option is available beside Accept, and Cookie settings in the footer or Account privacy controls let you withdraw later.
Analytics events include a stable LabRat app identifier, product surface, platform, route or event name, and normalized product context. LabRat does not intentionally send passwords, API keys, access tokens, research body text, or complete support messages as analytics parameters.
Service communications and direct marketing
LabRat may send authentication, security, privacy-request, billing, support, workspace, and material service-change messages needed to provide or protect the service. These transactional messages are not optional marketing, although you can often control non-essential product notifications in the app or device settings.
LabRat does not currently operate an email advertising or promotional campaign. Before sending direct marketing, LabRat will identify an applicable permission or customer-relationship basis, keep marketing consent separate from core service access, and provide a clear unsubscribe route in every marketing message. An objection or opt-out will be honored for future direct marketing.
Retention and deletion
| Category | Normal retention rule |
|---|---|
| Account and workspace content | While the account or workspace is active, then deleted or de-identified when a verified deletion completes unless another workspace member or legal duty requires limited retention. |
| Scheduled account deletion | 7-day cancellation period; a short-lived deleted-user tombstone remains for 2 days to block still-valid access tokens from recreating the account. |
| Privacy requests and acceptance evidence | Request/audit records and terms acceptance evidence are retained for up to 3 years for accountability and legal-claim handling, then purged unless a legal hold applies. |
| Optional Google Analytics | Subject to the configured GA4 event retention setting and consent; LabRat’s target is 14 months or less. Browser cookies may expire sooner or be removed on withdrawal. |
| Optional Crashlytics | Crash reports are subject to Firebase Crashlytics retention, currently 90 days before deletion processing begins. |
| Push tokens and Local Runner registrations | Until disabled, unregistered, the device record is replaced, or the account is deleted. |
| Security and operational records | Kept for the shortest operational period supported by the relevant provider, normally no more than 30 days unless needed to investigate an incident or legal claim. |
| Billing and transaction records | For the statutory accounting, tax, fraud, chargeback, or legal-claim period applicable to the transaction. |
When a verified deletion request is completed, LabRat deletes or de-identifies account-linked information that is not required to be retained. Shared workspace records may remain for other members when their legitimate workspace ownership or collaboration rights apply. Residual backup copies are isolated from ordinary use and expire through the backup lifecycle.
Security
LabRat uses measures designed for the service, including encrypted transport, Supabase authentication, workspace role checks and row-level protections, tenant-scoped Worker access, encrypted cloud secret values, redacted secret responses, and restricted Local Runtime filesystem roots. No method of storage or transmission is guaranteed to be completely secure.
Keep account and provider credentials confidential, use unique passwords, review workspace membership, and report suspected unauthorized access promptly.
Your choices and privacy rights
Depending on applicable law, you may have rights to access, correct, receive, delete, restrict, or object to certain processing; withdraw consent where consent is the basis; or appeal a request decision. You may also update product settings, leave a workspace where supported, disable notifications, clear browser storage, or stop using a connected provider.
LabRat may verify your identity and workspace authority before acting on a request. Authorized agents may be required to provide proof of authority. LabRat will not discriminate against you for making a valid privacy request.
International processing
LabRat and its providers may process information in countries other than your own. Where required, transfers are handled using the provider’s contractual, legal, or technical transfer safeguards. Connected providers selected by you may use their own processing locations.
Children
LabRat is a professional product-research service and is not designed or directed specifically to children. LabRat does not impose a universal 18+ account rule. A user must have the legal capacity to accept the Terms or the parent, guardian, or other authorization required by applicable law. A connected provider may impose stricter eligibility requirements, but those requirements apply only when that provider is selected. Contact support if you believe a child has provided information without the authorization required by law.
Changes and contact
This policy may be updated when the service, providers, or legal requirements change. Material changes will be communicated through an appropriate service notice or updated effective date. Continued use after an update is subject to the revised policy where permitted by law.