Privacy Policy

1. Introduction

This Privacy Policy describes how LayLab ("we", "us", or "our") collects, uses, and shares information about you when you use our Service. It does not apply to other companies' or organizations' websites that you may be able to access through our Service.

1. Data We Collect

We collect certain information to provide and improve our Service. This includes:

Store Data: Information about your Shopify store necessary for the app to function, such as product details and store settings.
Generated Images Storage: Images you create using our Service are stored to allow you to access and use them.
Usage Data: We may collect data on how you interact with our Service to help us improve its functionality and user experience.

We explicitly do not collect any personally identifiable information (PII) from your customers. Our focus is solely on the data required for image generation and management related to your products.

2. Why We Collect It

The data we collect serves the following purposes:

To operate and maintain the Service.
To personalize your experience.
To improve the Service, including developing new features.
To provide customer support.
To monitor the usage of our Service for security and operational purposes.

Our legitimate business interests for collecting this data include providing a functional and user-friendly application, ensuring the security of our platform, and enhancing our service offerings.

3. Storage & Security

We take the security of your data seriously and implement appropriate measures to protect it.

Data Storage: Application data, such as your store information and job statuses, is stored using Cloudflare D1.
Image Storage: Generated images are securely stored using Cloudflare R2.
Security Measures: We encrypt all data in transit (TLS 1.2+) and at rest (AES-256). Production access is restricted to least-privilege service accounts authenticated by mTLS and hardware-backed keys. Logs are retained for 30 days and are continuously monitored for intrusion.

4. Data Retention & Deletion

We retain your information for as long as your account is active or as needed to provide you with the Service.

Retention Periods: Generated images: 24 months.
Job metadata & usage logs: 12 months.
Shop credentials & preferences: for the lifetime of the installation plus 30 days.
Back-ups: up to 35 days.
Cleanup on Uninstall: Upon uninstallation of our application from your Shopify store, we have procedures in place to delete your store-related data and generated images from our systems within 30 days (typically within minutes).

5. Merchant Rights

As a merchant using our Service, you have certain rights regarding your data:

Access: You have the right to access the information we hold about your store and your use of the Service.
Deletion: You can request the deletion of your data, subject to our retention policies and legal obligations. This is typically handled through the app uninstallation process.
Data Portability: We support export in JSON (settings) and ZIP (images); request via email and we will provide the archive within 14 days.

To exercise these rights, please contact us using the information provided below.

6. International Transfers

Your information may be transferred to — and maintained on — computers located outside of your state, province, country, or other governmental jurisdiction where the data protection laws may differ from those in your jurisdiction.

If you are located outside the United States and choose to provide information to us, please note that we transfer the data, including personal data (if any collected, though we aim to minimize this for merchants), to the United States and process it there. Our use of global infrastructure like Cloudflare means data is handled in compliance with their cross-border data transfer mechanisms. Cloudflare, Inc. relies on the EU Standard Contractual Clauses (2021/914) for any transfer outside the EEA. Data at rest is pinned to Cloudflare's EU region by default.

8. Cookies & Tracking Technologies

We use only essential cookies on our website and within our application. These include:

Session Cookies: These are temporary cookies that are necessary for the basic functionality of the service, such as maintaining your login state. They are erased when you close your browser or end your session.
CSRF (Cross-Site Request Forgery) Cookies: These cookies are used to protect against CSRF attacks by ensuring that requests to our server are legitimate.

We do not use marketing cookies, advertising cookies, or third-party tracking technologies that profile your behavior across different websites.

9. Data Controller

TILPAS ApS, CVR-nr. 44620308, Hostrups Have 46, 5 tv 1954 Frederiksberg, Denmark, acts as the data controller for all processing described in this policy.

10. Contact / DPO

If you have any questions about this Privacy Policy or our data handling practices, or if you wish to exercise any of your rights, please contact us at:

LayLab Support
Email: support@laylab.store

We are not currently required to appoint a formal Data Protection Officer under Article 37 GDPR. For all privacy enquiries, contact the address above.

If you believe we are unlawfully processing your personal data, you have the right to lodge a complaint with Datatilsynet (www.datatilsynet.dk).

7. Data Security

We take reasonable measures to help protect information about you from loss, theft, misuse, and unauthorized access, disclosure, alteration, and destruction. However, no internet-based service is 100% secure, and we cannot guarantee the absolute security of your information. LayLab uses industry-standard encryption and security protocols.

11. Contact Us

If you have any questions about this Privacy Policy, please contact us at:

LayLab Support
Email: support@laylab.store

Last updated: 14 May 2025