Legal

Privacy Policy

Last updated and effective as of June 1, 2025

This Privacy Policy describes how RedLab LLC ("RedLab," "we," "our," or "us"), a Texas limited liability company headquartered in Austin, Texas, collects, uses, discloses, and safeguards information about you when you visit our website at redlab.io, access or use our adversarial security platform, tools, APIs, and related services (collectively, the "Services"). Please read this policy carefully. If you do not agree with its terms, please discontinue use of the Services.

For questions about this policy or our privacy practices, contact us at privacy@redlab.io or by mail at RedLab LLC, Austin, TX.

1. Information We Collect

We collect information in three primary ways: information you provide directly, information collected automatically when you use the Services, and information obtained from third parties.

1.1 Information You Provide Directly

When you apply for access, register an account, submit a support request, or otherwise interact with our Services, you may provide us with:

  • Identity and Contact Information: Full name, email address, job title, employer name, and professional credentials (such as certifications).
  • Application Information: Details about your role, your organization's authorized testing scope, your use case, and any other information submitted in your access application.
  • Account Credentials: Username, hashed passwords, and authentication tokens. We never store passwords in plaintext.
  • Payment Information: If you subscribe to a paid tier, billing address and payment card details are collected and processed by our third-party payment processor. RedLab does not store full payment card numbers.
  • Communications: Content of messages, emails, and support tickets you send to us.
  • Authorization Documentation: Signed rules of engagement, scope documents, or other written authorizations required for access to specific tools.

1.2 Information Collected Automatically

When you use the Services, we automatically collect certain technical and usage information, including:

  • Log Data: IP address, browser type and version, operating system, referring URLs, pages viewed, timestamps, and HTTP request/response data.
  • API Usage Data: Endpoint calls, parameters submitted, tool invocations, campaign identifiers, target scope data submitted by you, response codes, and request volumes. This data is collected for security auditing, abuse prevention, and platform integrity purposes.
  • Device Information: Device type, screen resolution, language settings, and unique device identifiers.
  • Session Data: Session tokens, authentication events, login timestamps, and logout events.
  • Performance Data: Page load times, error rates, and feature usage patterns used for service improvement.

1.3 Information From Third Parties

We may receive information about you from third parties, including:

  • Professional verification services used to confirm your credentials or organizational affiliation.
  • Single sign-on providers if you authenticate via an integrated identity provider.
  • Fraud prevention and security intelligence services that help us identify misuse or unauthorized activity.

2. How We Use Information

We use the information we collect for the following purposes:

  • Providing and Operating the Services: Processing your application, creating and managing your account, authenticating your identity, executing API requests, and delivering the features of the platform.
  • Security and Integrity: Monitoring for unauthorized access, abuse, or misuse of our tools; enforcing our Terms of Service and Acceptable Use Policy; conducting security investigations; and maintaining detailed audit logs required by the nature of our services.
  • Authorization Verification: Confirming that all activities conducted through our platform occur within the scope of documented written authorization. This is a core operational requirement and not discretionary.
  • Communications: Sending service announcements, security notices, policy updates, and responding to your inquiries and support requests.
  • Billing and Transactions: Processing payments, managing subscriptions, generating invoices, and handling billing disputes.
  • Improvement and Analytics: Analyzing usage patterns, diagnosing technical issues, developing new features, and improving platform performance.
  • Legal Compliance: Meeting our obligations under applicable law, responding to lawful governmental or legal requests, and protecting our legal rights.
  • Research: With appropriate de-identification and aggregation, using usage data to inform security research publications and threat intelligence reports.

We do not sell your personal information. We do not use your data to train third-party artificial intelligence or machine learning models without your explicit consent.

3. Information Sharing

We do not sell, rent, or trade your personal information. We may share information in the following limited circumstances:

3.1 Service Providers

We engage trusted third-party vendors who perform services on our behalf, including cloud hosting and infrastructure providers, payment processors, email delivery services, error monitoring and logging services, and identity verification vendors. These providers are contractually restricted to processing your information only as necessary to perform services for us.

3.2 Legal Requirements and Law Enforcement

We may disclose information when we believe in good faith that disclosure is required by applicable law, regulation, or legal process (such as a subpoena, court order, or search warrant). Given the nature of our platform — which provides adversarial security testing tools exclusively to authorized professionals — we maintain comprehensive audit logs and cooperate fully with law enforcement investigations. We will notify affected users of legal process where we are legally permitted to do so.

3.3 Protection of Rights

We may disclose information to investigate, prevent, or take action against suspected illegal activity, violations of our Terms of Service or Acceptable Use Policy, threats to the safety of any person, or unauthorized use of our platform. The unauthorized use of our tools may constitute violations of the Computer Fraud and Abuse Act (18 U.S.C. § 1030), the Electronic Communications Privacy Act, or equivalent state or international laws, and such violations will be reported to appropriate authorities.

3.4 Business Transfers

In the event of a merger, acquisition, sale of assets, or similar corporate transaction, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our website prior to your information becoming subject to a different privacy policy.

3.5 Aggregated and De-Identified Data

We may share aggregated, de-identified data that cannot reasonably be used to identify you for research, threat intelligence publications, marketing, or industry analysis purposes.

4. Data Security

We implement administrative, technical, and physical safeguards designed to protect your information against unauthorized access, disclosure, alteration, and destruction. These measures include:

  • Encryption of data in transit using TLS 1.2 or higher on all connections.
  • Encryption of sensitive data at rest using AES-256 or equivalent standards.
  • Hashing of all passwords using bcrypt or equivalent adaptive algorithms.
  • Role-based access controls and the principle of least privilege for internal staff.
  • Multi-factor authentication requirements for administrative access.
  • Comprehensive audit logging of all platform activity.
  • Regular penetration testing of our own infrastructure (as befits a company of our nature).
  • Incident response procedures for detecting and responding to security events.

No security system is impenetrable. In the event of a data breach that affects your personal information, we will notify you as required by applicable law. Security incident reports can be directed to security@redlab.io.

5. Data Retention

We retain personal information for as long as necessary to fulfill the purposes described in this policy, comply with legal obligations, resolve disputes, and enforce our agreements. Specific retention periods:

  • Account Information: Retained for the duration of your account and for a period of five (5) years after account closure, in accordance with our legal and audit obligations.
  • API and Audit Logs: Retained for a minimum of two (2) years. Logs related to security incidents may be retained longer as required for investigations.
  • Authorization Documentation: Retained for seven (7) years from the end of the relevant engagement.
  • Payment Records: Retained for seven (7) years as required by tax and accounting regulations.
  • Communications: Retained for three (3) years or as required by applicable law.

You may request deletion of your personal information subject to our legal retention requirements by contacting privacy@redlab.io.

6. Your Rights

Depending on your jurisdiction, you may have certain rights regarding your personal information. We honor the following rights for all users where technically feasible and not in conflict with our legal obligations:

  • Access: You may request a copy of the personal information we hold about you.
  • Correction: You may request that we correct inaccurate or incomplete information.
  • Deletion: You may request deletion of your personal information, subject to retention obligations described above. Note that audit logs may not be deletable due to legal requirements.
  • Portability: You may request a machine-readable export of your account data.
  • Objection: You may object to certain processing of your information.
  • Restriction: You may request that we restrict processing of your information in certain circumstances.

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information is collected, the right to know whether personal information is sold or disclosed and to whom, the right to opt out of the sale of personal information, and the right to non-discrimination. We do not sell personal information.

If you are located in the European Economic Area, United Kingdom, or Switzerland, you may also have rights under the General Data Protection Regulation (GDPR) or equivalent legislation. Our legal bases for processing include performance of a contract, legitimate interests (including security and fraud prevention), compliance with legal obligations, and, where applicable, your consent.

To exercise any of these rights, contact us at privacy@redlab.io. We will respond within thirty (30) days. We may need to verify your identity before processing your request.

7. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to operate the Services. We do not operate an advertising network and do not use tracking for advertising purposes.

7.1 Types of Cookies We Use

  • Strictly Necessary Cookies: Required for authentication, session management, security, and basic platform functionality. These cannot be disabled without breaking core features.
  • Functional Cookies: Used to remember your preferences such as language, display settings, and dashboard layout.
  • Analytics Cookies: Used to understand how users navigate the platform, which features are used most, and where errors occur. We use self-hosted or privacy-respecting analytics that do not share data with advertising networks.

You may configure your browser to block or delete cookies. Blocking strictly necessary cookies will prevent you from using authenticated features of the Services.

8. Third-Party Services

Our Services may link to or integrate with third-party services. This policy does not govern the privacy practices of third parties. We encourage you to review the privacy policies of any third-party services you interact with. Third-party services we may integrate with include payment processors, email service providers, and cloud infrastructure providers.

Our website may use web fonts served by third-party CDNs. These services may collect your IP address and browser characteristics as a technical necessity of serving the font files.

9. Children's Privacy

Our Services are intended solely for professional use by individuals who are at least 18 years of age and possess appropriate professional qualifications. We do not knowingly collect personal information from anyone under the age of 18. If we learn that we have collected personal information from a minor, we will delete that information promptly. If you believe we may have collected information from a minor, please contact us at privacy@redlab.io.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this policy;
  • Post the revised policy on our website; and
  • Notify registered users by email at least thirty (30) days before the changes take effect where required by law or where the changes are material.

Your continued use of the Services after the effective date of any revised policy constitutes your acceptance of the changes. If you do not agree to the revised policy, you must discontinue use of the Services and contact us to close your account.

11. Contact Us

If you have questions, concerns, or requests relating to this Privacy Policy or our privacy practices, please contact us:

RedLab LLC
Austin, TX
Email: privacy@redlab.io
General Inquiries: hello@redlab.io
Security Issues: security@redlab.io