E:LAB
← E:LAB Studio
Privacy Policy

Privacy policy

Last updated · 2026-05-08

E:LAB Studio ("the Company") follows Korea's Personal Information Protection Act (PIPA) and related law, and collects/uses the minimum personal data needed to provide its services. This policy explains what we collect and why.

1. What we collect

We collect the following to operate the service.

1.1 Sign-up & login (Google OAuth)

  • Email address, name, profile-image URL
  • OAuth identifier issued by Google (provider account id)
  • Session identifier (cookie) and session expiry

1.2 Payments (via LemonSqueezy)

  • Order ID, variant ID, payment status
  • Subscription renewal / expiry timestamps, cancellation state
  • We never store card numbers ourselves — LemonSqueezy handles them in a PCI-DSS environment.

1.3 Domain audit (Security)

  • The host (domain) you submit for audit
  • Audit token, ownership-verification method (file / meta) and timestamp
  • Scan results (finding data as JSON)

1.4 Contact & waitlist

  • Name, email, message body (when you use the contact form)

1.5 Automatically collected

  • Source IP, User-Agent, request timestamp, request path
  • Anonymised usage stats via Google Analytics (G-XPTGNWHQW1, G-6GESR50GKH)

2. Why we collect it

  • To authenticate you and run a unified account
  • To handle paid-service billing, refunds, and reconciliation
  • To run audits and let you re-run / re-fetch your results
  • To receive and respond to customer questions
  • For operational analytics and to block abuse / automated attacks (rate limiting)
  • To meet legal obligations

3. How long we keep it

Unless a law requires a longer retention period, we destroy data without delay once the purpose is met.

  • Member data: deleted immediately on account deletion / unsubscribe request
  • Payment records: retained 5 years under Korea's Act on the Consumer Protection in Electronic Commerce
  • Login / access logs: retained 3 months under Korea's Protection of Communications Secrets Act
  • Scan results: auto-deleted 90 days after last access (earlier on request)
  • Waitlist email: 1 year or until you ask to be removed

4. Sharing with third parties

We do not share your personal data externally except:

  • When you have given prior consent
  • When required by law (court warrant, etc.)

5. Sub-processors

We use the following sub-processors for reliable service delivery.

  • Google LLC — Google OAuth authentication, Google Analytics
  • LemonSqueezy (Lemon Squeezy USA Inc.) — payment processing, invoicing
  • Railway Corp. — infrastructure (server / database) hosting
  • Vercel Inc. — static-asset hosting (CDN), partial routing
  • Slack Technologies — contact-form notifications (includes message body)

Each sub-processor processes data under its own privacy policy. We require data-protection obligations in the sub-processor contracts.

6. Your rights

You may exercise these rights at any time:

  • Access, correct, or delete your personal data
  • Request processing be paused
  • Delete your account
  • Opt out of marketing (at sign-up or any time after)

Send requests to gdode2080@gmail.com — we respond within 7 business days.

7. Destruction procedure

  • Digital files: permanently erased via unrecoverable methods (logical delete first, physical delete on backup expiry)
  • Paper: shredded or incinerated

8. Security measures

  • We never store passwords — only Google OAuth tokens.
  • The personal-data database uses SSL/TLS encryption in transit.
  • Operational access is limited to one operator (the CEO).
  • The production server is protected by DDoS mitigation and rate limiting.

9. Cookies

We use cookies for:

  • Login session persistence (NextAuth session cookie, HTTP-only)
  • Anonymised usage analytics (Google Analytics)
  • Language preference (via LocalStorage, separate from cookies)

You can block cookies in your browser settings, but some features may not work properly if you do.

10. Children under 14

We do not knowingly collect data from children under 14. If we learn that a user is under 14, we delete the data immediately.

11. Data-protection officer

12. Change history

We may revise this policy as law or our services change. For material changes we notify you in advance via on-site notice or your registered email.

  • 2026-05-08: Initial publication — Google OAuth and LemonSqueezy added to the sub-processor list.