Legal

Privacy Policy

Last updated: April 23, 2026

1. Who we are

NextLabs ("we", "our", "us") operates the LabFlow platform at nextlabs.fr. We are registered in France. For data protection matters, contact us at idriss@nextlabs.fr.

2. Data we collect

  • Account data: name, email address, password (hashed), organization name.
  • Usage data: experiments, protocols, samples, inventory records, files, and messages you create inside the platform.
  • Billing data: handled directly by Stripe. We store only the Stripe customer ID and subscription status — no raw card data touches our servers.
  • Technical data: IP address, browser type, and session tokens for authentication and security purposes.

3. How we use your data

  • To provide and operate the LabFlow platform.
  • To process payments and manage subscriptions via Stripe.
  • To send transactional emails (account confirmation, billing receipts, trial reminders).
  • To detect and prevent fraud and abuse.
  • To comply with legal obligations.

We do not sell your data. We do not use your lab data for training AI models or any commercial purpose other than operating the service.

4. Legal basis (GDPR)

  • Contract performance — processing necessary to deliver the service you signed up for.
  • Legitimate interests — security monitoring, fraud prevention, product improvement.
  • Legal obligation — compliance with French and EU law.

5. Data retention

Account and lab data is retained for the duration of your subscription plus 30 days after account deletion (to allow recovery). Billing records are retained for 10 years as required by French tax law. Anonymised usage statistics may be retained indefinitely.

6. Third-party processors

  • Stripe — payment processing (USA, EU–US Data Privacy Framework).
  • Cloudflare R2 — file storage (EU region).
  • Neon / PostgreSQL — database hosting (EU region).

All processors are bound by data processing agreements and comply with GDPR requirements.

7. Your rights

Under GDPR you have the right to: access your data, correct inaccuracies, request deletion, restrict or object to processing, and data portability. To exercise any right, email idriss@nextlabs.fr. We will respond within 30 days. You may also lodge a complaint with the CNIL (cnil.fr).

8. Cookies

We use only technically necessary cookies (session authentication). No tracking or advertising cookies. See our Cookie Policy for details.

9. Changes

We will notify you by email of material changes to this policy at least 14 days before they take effect.

10. Contact

NextLabs — idriss@nextlabs.fr