Privacy Policy

Welcome to ProfessorLab ("Company," "we," "us," or "our"). We operate the website at https://professorlab.co and our mobile applications available on iOS and Android (collectively, the "Services"). We are committed to protecting your personal information and your right to privacy.

This Privacy Policy explains what information we collect, how we use it, when we share it, and what rights you have in relation to it. Please read this policy carefully. If you disagree with its terms, please discontinue use of our Services.

This policy applies to all users of our Services worldwide, including users in the European Economic Area (EEA), United Kingdom (UK), United States (including California), Canada, and all other jurisdictions.

We collect information in the following ways:

2.1 Information You Provide Directly • Account registration data (name, email address, profile picture) when you sign in with Google OAuth. • Communications you send us (e.g., support emails).

2.2 Information Collected Automatically When you use our Services, we and our service providers may automatically collect: • Device information: device type, operating system version, unique device identifiers, browser type and version. • Log data: IP address, pages visited, referring URLs, timestamps, crash reports, and performance data. • Usage data: features accessed, content viewed, search queries, interactions (likes, saves). • Cookies and similar tracking technologies (see Section 8 for details).

2.3 Information We Do NOT Collect We do not collect: • Payment card numbers or financial data (we do not process payments directly). • Precise real-time GPS location. • Biometric data. • Health or medical information. • Sensitive personal data as defined under GDPR Article 9.

We use the information we collect to:

• Provide and operate the Services — authenticate your account, display your profile, and deliver content. • Personalize your experience — surface relevant AI-curated research and content. • Communicate with you — send service-related notices, respond to support inquiries, and (with your consent) send product updates. • Ensure safety and security — detect, prevent, and investigate fraud, abuse, and unauthorized access. • Improve the Services — analyze usage patterns, conduct research, and debug issues. • Comply with legal obligations — fulfill our duties under applicable laws and respond to lawful government requests. • Analytics and performance — understand how users interact with the Services using aggregated, anonymized data.

We will not use your information for purposes incompatible with those stated here without first obtaining your consent.

If you are located in the EEA or UK, we process your personal data under one or more of the following legal bases under the General Data Protection Regulation (GDPR) and UK GDPR:

• Contract (Article 6(1)(b)) — Processing necessary to provide the Services you requested (e.g., account creation, content delivery). • Legitimate Interests (Article 6(1)(f)) — Processing for our legitimate business interests (e.g., security, fraud prevention, improving the Services), where those interests are not overridden by your rights. • Consent (Article 6(1)(a)) — Where we rely on your consent (e.g., optional analytics cookies or marketing emails). You may withdraw consent at any time. • Legal Obligation (Article 6(1)(c)) — Processing required to comply with applicable law.

You have the right to object to processing based on legitimate interests at any time by contacting us at contact@professorlab.co.

We do not sell, rent, or trade your personal information to third parties.

We share data only in the following limited circumstances:

• Service Providers — Trusted third-party vendors who process data on our behalf under binding data processing agreements (e.g., cloud hosting, analytics, authentication). These providers are authorized to use your data only as necessary to provide services to us. • Google OAuth — When you sign in with Google, Google shares your name, email, and profile picture with us per Google's privacy policy. We do not share data back to Google beyond the standard OAuth handshake. • Google Analytics — We use Google Analytics to understand aggregate usage patterns. Data is anonymized and subject to Google's data processing terms. • Legal Requirements — We may disclose your information if required by law, court order, or government authority, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others. • Business Transfers — In the event of a merger, acquisition, or sale of all or substantially all of our assets, your information may be transferred. We will notify you before your data is subject to a different privacy policy. • With Your Consent — We may share your information for any other purpose with your explicit consent.

We retain personal data only as long as necessary for the purposes described in this policy or as required by law.

• Account data is retained for the duration of your account and for up to 90 days after account deletion to allow for recovery requests, then permanently deleted. • Log and usage data is typically retained for up to 12 months and then anonymized or deleted. • Communications (e.g., support emails) are retained for up to 3 years for record-keeping purposes. • Legal compliance data may be retained for longer periods where required by applicable law.

When data is no longer needed, we delete or anonymize it using industry-standard methods.

ProfessorLab is operated globally. Your information may be transferred to, stored in, and processed in countries other than your country of residence, including the United States, where our servers and service providers are located.

When we transfer personal data from the EEA, UK, or Switzerland to countries that the European Commission has not recognized as providing an adequate level of protection, we rely on appropriate safeguards, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission. • The UK International Data Transfer Agreement (IDTA) for UK transfers. • Other lawful transfer mechanisms as permitted by applicable law.

By using our Services, you acknowledge that your data may be processed in these jurisdictions.

We use cookies and similar technologies (web beacons, pixels, local storage) to operate and improve our Services.

8.1 Types of Cookies We Use • Strictly Necessary — Essential for the Services to function (e.g., authentication tokens). Cannot be disabled. • Analytics — Help us understand how visitors interact with our Services (Google Analytics). These use anonymized identifiers. • Preference — Remember your settings and preferences.

8.2 Your Cookie Choices • Browser settings — Most browsers allow you to refuse or delete cookies via settings. • Opt-out tools — You can opt out of Google Analytics tracking at tools.google.com/dlpage/gaoptout. • Do Not Track — We respect Do Not Track (DNT) browser signals where technically feasible.

Disabling strictly necessary cookies may impair certain features of the Services.

Depending on your location, you may have the following rights regarding your personal data:

9.1 Rights for EEA / UK Residents (GDPR / UK GDPR) • Access — Request a copy of the personal data we hold about you. • Rectification — Request correction of inaccurate or incomplete data. • Erasure ("Right to be Forgotten") — Request deletion of your personal data, subject to legal retention obligations. • Restriction — Request that we limit how we process your data in certain circumstances. • Portability — Receive your data in a structured, machine-readable format and transfer it to another controller. • Objection — Object to processing based on legitimate interests or for direct marketing. • Withdraw Consent — Where processing is based on consent, withdraw it at any time without affecting prior processing. • Lodge a Complaint — File a complaint with your local supervisory authority (e.g., ICO in the UK, your national DPA in the EU).

9.2 Rights for California Residents (CCPA / CPRA) California residents have the right to: • Know what personal information we collect, use, disclose, and sell. • Delete personal information we have collected (with certain exceptions). • Correct inaccurate personal information. • Opt out of the sale or sharing of personal information. We do not sell personal information. • Non-discrimination for exercising your privacy rights.

To submit a verifiable consumer request, contact us at contact@professorlab.co.

9.3 Rights for Canadian Residents (PIPEDA / Quebec Law 25) You may request access to and correction of your personal information and withdraw consent to our collection, use, or disclosure of your data (subject to legal or contractual restrictions).

9.4 Rights for Other Jurisdictions We respect privacy rights under applicable laws worldwide. Contact us to exercise any privacy rights you may have under your local law.

How to Exercise Your Rights: Email us at contact@professorlab.co with "Privacy Request" in the subject line. We will respond within 30 days (or as required by applicable law). We may need to verify your identity before processing your request.

Our Services are not directed to children under the age of 13 (or under 16 in the EEA/UK). We do not knowingly collect personal information from children under these ages.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at contact@professorlab.co. If we become aware that we have collected personal data from a child under the applicable age threshold without parental consent, we will take steps to delete that information promptly.

We implement administrative, technical, and physical security measures designed to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:

• TLS/HTTPS encryption for data in transit. • Encryption of sensitive data at rest. • Access controls and authentication requirements for internal systems. • Regular security reviews and vulnerability assessments. • Incident response procedures.

No method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. In the event of a data breach that affects your rights and freedoms, we will notify you and relevant regulators as required by applicable law.

Our Services may contain links to third-party websites, apps, or services that are not operated by us. We have no control over and assume no responsibility for the privacy practices of these third parties. We encourage you to review the privacy policy of every site or service you visit.

Third-party services we integrate with include: • Google Sign-In — Subject to Google Privacy Policy (policies.google.com/privacy). • Google Analytics — Subject to Google's data processing terms.

These third parties process data independently under their own privacy policies.

California Civil Code Section 1798.83 ("Shine the Light") permits California residents to request, once per year, information about personal data we've disclosed to third parties for direct marketing purposes in the preceding calendar year.

We do not disclose personal information to third parties for their own direct marketing purposes. If you have questions, contact us at contact@professorlab.co.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will:

• Post the updated policy on this page with a new "Effective Date." • Provide a prominent notice within the Services or via email (where required by law).

Your continued use of the Services after any changes constitutes your acceptance of the updated policy. We encourage you to review this page periodically.

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

ProfessorLab Email: contact@professorlab.co Website: https://professorlab.co

For EEA/UK users exercising GDPR rights, please include "GDPR Request" in your subject line. We aim to respond to all privacy inquiries within 30 days.