Privacy Policy · GroLabs

This Privacy Policy explains what information GroLabs collects when you use our diagnostic platform or our public free-audit widget, how we use it, who else processes it on our behalf, and the choices you have. We try to keep this short and concrete rather than legally defensive — if anything is unclear, write us.

GroLabs is a software service for ecommerce diagnostics. The “prospects” we evaluate are public storefronts our customers diagnose; the customers themselves are the operators who paid for the service or used the public widget. This policy covers both kinds of users.

1. Who we are

GroLabs (“we,” “us”) operates the admin application at app.grolabs.ai and the public marketing site at grolabs.ai. We are the data controller for the personal data described below.

2. Information we collect

From authenticated customers:

Account data: email address, name, the workspace (instance) you belong to, the role you hold, your authentication credentials (stored hashed by our auth provider).
Usage data: the prospects you create, the URLs you analyze, the test entries you configure, the diagnostics you run, IP address and user agent for session security and abuse detection.
Content you upload: contact details for the prospects you track (typically the storefront owner’s name and email), notes, custom search-test vocabulary.

From visitors to our public free-audit widget (no account):

The storefront URL you ask us to diagnose.
Your IP address — used solely to rate-limit anonymous requests so the public endpoint isn’t abused. Stored against the request log and discarded with that log on a rolling basis.

From the prospect storefronts we diagnose: publicly available HTML, JSON-LD, sitemap data, screenshots captured by our browser probe, and any product metadata your storefront exposes. We do not scrape behind authentication; we only fetch what an anonymous visitor could see.

3. How we use the information

To deliver the diagnostic reports you ask us to run.
To populate your dashboard, scan history, and report views.
To improve our scoring rubric and detection heuristics — using aggregate, de-identified signals.
To support your account (email, ticket replies).
To meet legal obligations (e.g. tax records, lawful requests).

We do not sell your personal data. We do not use your data for advertising profiling. We do not train third-party AI models on your data without your explicit consent.

4. Sub-processors we share data with

Running a diagnostic involves a small set of trusted vendors. Each plays a specific role; none receives more than what they need to perform their task:

Supabase — managed Postgres + Auth + Storage. Stores accounts, runs, findings, screenshots.
Vercel — hosts the GroLabs web application. Sees request logs.
Browserless — managed Chromium that powers the browser-based probe. Sees the storefront URLs we ask it to load plus the queries we type into search boxes during diagnostics.
Google PageSpeed Insights — receives the URLs we ask it to score for Core Web Vitals.
Anthropic — receives small text snippets when we use Claude for vertical classification or blog-content assistance. Anthropic does not train models on data sent through its API.
Railway — hosts our Agentic Services Engine (ASE) backend.
Meilisearch Cloud — powers in-app search.
Replicate — runs image-generation models for the blog editor when you ask it to.

You can verify the live integration status at /configuration/system-health after logging in.

5. Where data is stored

Your data is stored on infrastructure operated by our sub-processors in the United States and, for some services, the European Union. When you submit data from outside the US, it is transferred to and processed in the regions noted above.

6. How long we keep it

Account data: for as long as your account is active, plus a brief window after closure for billing reconciliation.
Diagnostic runs and screenshots: retained for the life of your account unless you delete them. Anonymous public-widget runs are kept for 90 days for support purposes, then purged.
Rate-limit logs: 30 days.

7. Your rights

Depending on where you live, you may have the right to access, correct, delete, port, or restrict processing of your personal data, and to object to processing. Reach us at the address at the bottom of this page and we will respond within a reasonable time.

8. Children

GroLabs is a B2B product. We do not knowingly collect personal data from anyone under 16. If you believe we have, contact us and we will delete it.

9. Cookies and similar technologies

We use a small set of cookies needed to operate the service: a session cookie set by our authentication provider, and optionally a preference cookie for the chosen language and theme. We do not use third-party advertising cookies.

10. Changes to this policy

We may update this policy from time to time. When we make material changes, we will note them at the top of this page and, for active customers, send a notice to the account email.

11. Contact

Privacy questions and requests: [email protected].