Privacy Policy

Last updated: March 26, 2026

This Privacy Policy explains how Reload dev, s.r.o. ("Reload dev", "Laborics", "we", "us", or "our") collects, uses, stores, discloses, and otherwise processes personal data in connection with the Laborics platform available at laborics.com, related websites, applications, APIs, integrations, and support channels (collectively, the "Service").

Laborics is an AI workforce platform that allows users to create and operate AI employees or agents, connect those agents to third-party services such as Google Calendar, Gmail, and GitHub, deploy agents to Telegram, upload files, and monetize certain AI-driven services.

This Privacy Policy is intended to satisfy our transparency obligations under Regulation (EU) 2016/679 ("GDPR"), Act No. 110/2019 Coll., on Personal Data Processing, and related EU and Czech privacy laws.

1. Data Controller

The controller of personal data processed in connection with the Service is:

Contact details:

• General inquiries: [email protected]
• Privacy and data protection matters: [email protected]
• Customer support: [email protected]
• Technical/security matters: [email protected]

We have not designated a data protection officer unless and until we explicitly state otherwise. References in this Privacy Policy to privacy contacts are not intended to imply that a formal data protection officer has been appointed under Article 37 GDPR.

For the purposes of this Privacy Policy, references to "you" mean the individual using the Service, accessing our websites, interacting with us on behalf of an organization, or otherwise communicating with us.

2. Scope of This Privacy Policy

This Privacy Policy applies to personal data that we process when:

• you create or use a Laborics account;
• you create, configure, train, or deploy AI agents;
• you connect third-party integrations such as Google, GitHub, Stripe, or Telegram;
• you upload files or submit prompts, chat messages, instructions, or feedback;
• you purchase credits or use monetization features;
• you contact us for support, legal, billing, or technical assistance;
• you visit our website or interact with essential service cookies; or
• we monitor, secure, maintain, and improve the Service.

This Privacy Policy does not apply to third-party services that you connect to Laborics and that operate under their own privacy notices, including Google, GitHub, Telegram, Stripe, and other third-party tools or services you choose to use.

3. Categories of Personal Data We Collect

Depending on how you use the Service, we may collect and process the following categories of personal data.

3.1 Account and identity data

• full name or display name;
• email address;
• username, account identifier, organization/workspace identifiers;
• password hash and authentication metadata handled through our authentication provider;
• account preferences, selected language or locale, and profile settings;
• records of account creation, verification, login, password reset, and deletion requests.

3.2 Service use and operational data

• prompts, chat messages, instructions, commands, and outputs generated through the Service;
• AI agent configuration, roles, workflows, memory settings, and tool permissions;
• timestamps, feature usage, clickstream within the product, and product event logs;
• device, browser, operating system, approximate technical environment, IP address, and security-related log data;
• error reports, crash diagnostics, and abuse-prevention signals.

3.3 Files and knowledge-base data

• files uploaded to the Service, including Word, PDF, Excel, text, and similar documents;
• file metadata such as filename, size, type, workspace, uploader, timestamps, and storage location;
• extracted text, embeddings, indexes, summaries, and other machine-readable derivatives generated to enable search, retrieval, or agent functionality.

3.4 Payment and billing data

• billing name, billing email, billing address, country, VAT or tax information where relevant;
• purchased credit packages, transaction amounts, currency, invoice data, and payment status;
• partial payment identifiers provided by Stripe such as payment method type, card brand, issuing country, and last four digits;
• fraud-prevention or dispute-related data received from Stripe.

We do not store full payment card numbers, full card verification codes, or full payment authentication data on our own systems.

3.5 Integration data

When you connect external services, we may process:

• OAuth tokens, refresh tokens, and authorization metadata;
• connected account identifiers;
• data retrieved from integrated services as authorized by you, such as:
• Google Calendar event data;
• Gmail message metadata and content where the relevant permissions are granted;
• GitHub repository metadata, issues, pull requests, file contents, commit references, and related workspace data;
• Telegram bot identifiers, chat identifiers, messages, commands, and bot deployment metadata.

We only process integration data to provide the features you enable or request.

3.6 Monetization and customer interaction data

If you monetize an agent or provide paid AI consultations through the Service, we may process:

• your service configuration and pricing settings;
• records of customer sessions, interactions, and credit consumption;
• payer identifiers, transaction records, and settlement-related metadata;
• communications relating to disputes, refunds, chargebacks, or service abuse.

If your end customers interact with an AI agent that you publish through Laborics, we may process personal data relating to those end customers on your behalf or as independently described in the applicable product flow. You are responsible for ensuring that you have an appropriate legal basis and notices for any personal data you collect through agents you create and deploy.

3.7 Communications data

• messages you send to us by email or support channels;
• records of support requests, complaints, bug reports, and follow-up communications;
• legal requests, rights requests, and verification information needed to respond to them.

3.8 Cookie and similar technical data

We use only strictly necessary or essential cookies and similar technologies needed to provide the Service, such as session management, security, and locale preferences. For details, please see our Cookie Policy.

4. Sources of Personal Data

We collect personal data:

• directly from you;
• from your use of the Service;
• from third-party integrations you choose to connect;
• from payment providers and financial infrastructure used to process transactions;
• from authentication and hosting infrastructure providers;
• from your organization or workspace administrator where applicable; and
• from third parties reporting abuse, security incidents, legal claims, or fraud concerns.

5. Purposes of Processing and Legal Bases

Under GDPR, we process personal data only when we have a valid legal basis. Depending on the context, we rely on one or more of the following legal bases under Article 6 GDPR:

• Article 6(1)(b) GDPR: processing necessary for the performance of a contract with you or to take steps at your request before entering into a contract;
• Article 6(1)(c) GDPR: processing necessary for compliance with a legal obligation;
• Article 6(1)(f) GDPR: processing necessary for our legitimate interests or those of a third party, provided such interests are not overridden by your interests or fundamental rights and freedoms;
• Article 6(1)(a) GDPR: processing based on your consent, where consent is required.

5.1 Contract performance

We process personal data as necessary to provide the Service to you, including to:

• create and maintain your account;
• authenticate users and secure access;
• enable AI agents, workflows, chats, and file-based tasks;
• operate connected integrations you choose to authorize;
• deploy bots or agent endpoints you configure;
• process payments, apply credits, issue invoices, and maintain transaction records;
• provide customer support and respond to service requests.

5.2 Legal obligations

We process personal data where necessary to comply with applicable legal obligations, including:

• accounting, bookkeeping, and tax record retention obligations under Czech law;
• obligations relating to fraud prevention, sanctions, consumer protection, and payment disputes;
• compliance with lawful requests from courts, regulators, and public authorities;
• records required to respond to GDPR rights requests and related compliance obligations.

5.3 Legitimate interests

Subject to a balancing test, we process personal data for our legitimate interests in:

• maintaining and improving the security, reliability, stability, and functionality of the Service;
• preventing fraud, abuse, credential misuse, prompt injection attacks, scraping, account compromise, or other misuse;
• maintaining logs, diagnosing errors, and investigating incidents;
• defending, establishing, or exercising legal claims;
• enforcing our Terms of Service and platform policies;
• improving models, prompts, workflows, product quality, and user support processes using service usage information in a proportionate manner;
• communicating with business users regarding the operation of the Service.

Where we rely on legitimate interests, you have the right to object as described below.

5.4 Consent

We rely on consent where legally required, for example:

• when a particular use of connected third-party account data requires consent under applicable law or third-party platform rules;
• where a particular processing activity requires consent under applicable privacy or ePrivacy rules;
• where we request permission for a processing purpose that is not otherwise covered by contract, legal obligation, or legitimate interests.

If you connect an integration such as Google, GitHub, or Telegram, your act of connecting the integration authorizes the technical access needed for the feature. Our GDPR legal basis for subsequent processing is normally contract performance under Article 6(1)(b) GDPR, unless a different legal basis is specifically stated. Where processing is based on consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

6. How We Use Personal Data

We use personal data to:

• provide, operate, maintain, and secure the Service;
• create and manage user accounts, organizations, and workspaces;
• power AI interactions, agent execution, file processing, and retrieval workflows;
• deliver integration functionality involving Google, GitHub, Telegram, and other services you connect;
• process purchases, apply credits, generate invoices, and manage billing;
• support monetization features and customer-facing AI sessions initiated through the Service;
• monitor usage, troubleshoot incidents, prevent abuse, and improve product performance;
• communicate with you regarding support, updates, outages, security notices, and legal matters;
• enforce our contractual terms and acceptable use rules;
• comply with legal, tax, accounting, and regulatory obligations.

7. Data Sharing and Recipients

We do not sell personal data. We share personal data only as necessary for the purposes described in this Privacy Policy and subject to appropriate contractual and technical safeguards.

Recipients may include:

• our service providers and infrastructure partners;
• third-party integrations that you intentionally enable;
• payment processors and financial institutions;
• legal, regulatory, or public authorities where required by law;
• advisers, auditors, insurers, or acquirers in connection with legal compliance or corporate transactions;
• other users or end customers where this is inherent to the Service configuration you choose, such as when you publish or deploy an agent to interact with third parties.

7A. When Laborics Acts as Controller or Processor

Laborics primarily acts as an independent controller for personal data relating to:

• account registration, authentication, billing, tax, fraud prevention, support, security, and compliance;
• website operation, essential cookies, and platform administration;
• our own business records, legal claims, and contractual communications.

When a business customer uses Laborics to upload customer data, employee data, chat data, files, or other operational content for its own purposes, Laborics generally acts as that customer's processor and processes such data on the customer's documented instructions, subject to our Terms, product configuration, and any applicable data processing agreement.

Where Laborics acts as processor:

• the customer is responsible for identifying a valid legal basis, providing required notices, and responding to data subject requests unless otherwise agreed;
• Laborics will assist the customer with GDPR obligations under Article 28 GDPR to the extent required by applicable law and proportionate to the nature of the processing;
• Laborics will use sub-processors only subject to appropriate contractual safeguards; and
• a separate data processing agreement may apply or be made available for business customers where required.

8. Sub-processors and Third-Party Services

We use the following core third-party service providers. Their role may differ depending on the processing context. In some cases they act as our processor or sub-processor, and in some cases they act as an independent controller for their own compliance, security, fraud prevention, or regulatory purposes.

8.1 Supabase

Function: authentication, database, backend infrastructure Location: EU, including Frankfurt region Data involved: account details, authentication metadata, workspace data, chat and configuration records, application data, security logs Why we share data: to host and operate core platform infrastructure, user authentication, data persistence, and related backend functions Role: generally processor/sub-processor acting on our instructions for hosted platform data

8.2 Stripe

Function: payment processing, billing infrastructure, fraud prevention Location: EU and US Data involved: billing identity data, transaction amounts, invoice records, payment status, limited payment method metadata, fraud and dispute-related information Why we share data: to accept and process payments, manage saved payment methods, issue receipts, handle refunds, detect fraud, and administer disputes or chargebacks Role: Stripe generally acts as an independent controller for payment processing, compliance, anti-fraud, and financial regulatory purposes, and may also process data on our behalf for limited service functions

See Section 9 below for additional detail on Stripe.

8.3 OpenAI

Function: AI text generation and related model inference services Location: United States Data involved: prompts, instructions, selected context, chat messages, tool inputs, and outputs sent to enable requested AI functionality Why we share data: to generate AI responses, summaries, classifications, planning, or other model-driven features requested through the Service Role: processor or service provider in connection with our delivery of AI functionality, subject to contractual protections

8.4 Anthropic

Function: AI text generation and related model inference services Location: United States Data involved: prompts, instructions, selected context, chat messages, tool inputs, and outputs sent to enable requested AI functionality Why we share data: to generate AI responses and support model-driven features requested through the Service Role: processor or service provider in connection with our delivery of AI functionality, subject to contractual protections

8.5 MinIO / S3-compatible storage

Function: file storage and object storage Location: European Union Data involved: uploaded files, derived artifacts, metadata, backups, and storage logs Why we share data: to store files and service content, maintain backups, and enable file retrieval and processing Role: processor/sub-processor acting on our instructions

8.6 GitHub

Function: optional repository access and developer workflow integration Location: United States Data involved: repository metadata, code or file content, issues, pull requests, commit references, comments, and related OAuth credentials where you enable the integration Why we share data: to allow agents or workflows to access repositories and perform actions you authorize Role: third-party service provider and separate controller of the GitHub platform you choose to connect

8.7 Telegram

Function: bot deployment and messaging channel Location: may involve the European Union and other jurisdictions, including the UAE, depending on Telegram infrastructure and routing Data involved: bot identifiers, chat identifiers, message content, commands, deployment metadata, and usage events generated through Telegram bots you deploy Why we share data: to publish and operate bots and deliver conversations through Telegram at your request Role: third-party platform and separate controller for data processed within Telegram's own environment

8.8 Other recipients

We may also disclose personal data to:

• professional advisers, auditors, accountants, and legal counsel;
• banks, card networks, and payment-related entities;
• regulators, tax authorities, law enforcement, or courts where required;
• potential purchasers, investors, or successors in connection with a merger, acquisition, financing, or asset sale, subject to confidentiality and lawful transfer requirements.

Web Analytics

We use Plausible Analytics (Plausible Insights OÜ, Estonia/EU) to collect aggregated, anonymous website usage statistics. Plausible does not use cookies and is designed to process only anonymised, aggregated usage data. According to Plausible's data policy, no personal data is collected or stored. For details, see plausible.io/data-policy.

9. Stripe Payment Processing

When you purchase credits or otherwise pay for the Service, payments are processed through Stripe.

9.1 Stripe's role

Stripe typically acts as an independent data controller for payment transaction processing, fraud prevention, anti-money laundering, sanctions screening, dispute handling, and compliance with financial regulations. Stripe may also process some data as our service provider for payment infrastructure functions.

9.2 What we receive and store

We generally receive and store only limited payment-related information necessary to administer your account and meet legal obligations, such as:

• Stripe customer ID and payment intent or invoice identifiers;
• payment status, purchase amount, currency, and timestamps;
• billing name, billing email, billing address, and tax information;
• partial card metadata such as brand, country, expiration month/year, and last four digits;
• chargeback, refund, and dispute metadata.

We do not store full card numbers or CVC/CVV codes on our servers.

9.3 Card security and PCI DSS

Payment card data is collected and processed by Stripe using its own payment infrastructure. Stripe represents that it maintains PCI DSS compliance as a payment service provider. Laborics is designed so that full card details are entered directly into Stripe-controlled payment interfaces or equivalent secure payment flows rather than being stored by us.

9.4 Saved payment methods and recurring charging

If you choose to save a payment method, enable automatic top-ups, or subscribe to recurring billing, Stripe may store your payment instrument and process future charges according to your instructions and the applicable service terms.

For more information about Stripe's processing, please consult Stripe's privacy documentation and terms applicable in your region.

10. Google API Services and Limited Use Disclosure

If you connect Google services such as Google Calendar or Gmail through OAuth, we process Google user data solely to provide the functionality you request inside Laborics.

Laborics' use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Without limiting the generality of the statement above:

• we request only the Google permissions that are reasonably necessary for the features you choose to enable;
• we use Google user data only to provide or improve user-facing features that are visible and prominent in Laborics;
• we do not use Google Workspace API data to develop, improve, or train generalized AI or machine learning models unless expressly permitted by Google policy and applicable law and disclosed to the user;
• we do not sell Google user data;
• we do not use Google user data for advertising, retargeting, personalized advertising, or data brokerage;
• we do not allow humans to read Google user data except where necessary for security, legal compliance, troubleshooting with your explicit request or consent, or other circumstances expressly permitted by Google policy;
• we do not transfer Google user data to third parties except as necessary to provide the requested functionality, for security, to comply with law, or as part of a lawful corporate transaction with any required user consent.

You can revoke Laborics' access to your Google account at any time through your Google account permissions and by disconnecting the integration within Laborics.

11. International Data Transfers

Some of our service providers are located outside the European Economic Area ("EEA"), including in the United States. As a result, personal data may be transferred outside the EEA when necessary to provide the Service.

This may include transfers to or access by:

• OpenAI (United States);
• Anthropic (United States);
• Stripe (including United States processing);
• GitHub (United States);
• Telegram or its affiliated infrastructure where applicable.

Where personal data is transferred outside the EEA, we rely on a valid transfer mechanism under Chapter V GDPR. Depending on the recipient and the destination country, this may include:

• an adequacy decision of the European Commission, including where applicable the EU-U.S. Data Privacy Framework for certified recipients;
• the European Commission's Standard Contractual Clauses ("SCCs");
• transfer impact assessments where appropriate; and
• supplementary technical and organizational safeguards, such as encryption in transit, access controls, data minimization, and role-based permissions.

You may contact us at [email protected] for more information about the safeguards we use for relevant international transfers and, where applicable, how to obtain a copy of those safeguards or information about where they have been made available.

12. Data Retention

We retain personal data only for as long as necessary for the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

Our standard retention periods are:

• Account data: while the account remains active and for 30 days after account deletion, unless longer retention is required for legal claims, security investigations, or legal obligations.
• Chat messages: while the account remains active and for 30 days after account deletion.
• Files and uploaded content: while the account remains active and for 30 days after account deletion.
• Payment and accounting records: 10 years, where required by Czech accounting, tax, and recordkeeping law.
• Usage and security logs: 12 months, after which they are deleted or anonymized, unless preservation is required for security, fraud, or legal matters.
• Support communications: for as long as reasonably necessary to handle the request and maintain an audit trail, typically aligned with the active account period and any applicable limitation periods.
• Integration tokens and credentials: until the integration is disconnected, expires, or is deleted, subject to backup and security log cycles.

Deletion from active systems may be followed by a limited period before deletion from backups and disaster recovery media, consistent with our backup lifecycle and security requirements.

13. Your Rights Under GDPR

Subject to the conditions and limitations set out in applicable law, you have the following rights:

• Right of access: to obtain confirmation whether we process your personal data and to receive a copy of the relevant data.
• Right to rectification: to request correction of inaccurate or incomplete personal data.
• Right to erasure: to request deletion of personal data where there is no overriding legal reason to continue processing.
• Right to restriction: to request that we restrict processing in certain circumstances.
• Right to data portability: to receive personal data you have provided to us in a structured, commonly used, machine-readable format and, where feasible, to have it transmitted to another controller.
• Right to object: to object to processing based on our legitimate interests, including related profiling where applicable.
• Right to withdraw consent: where processing is based on consent.
• Right to lodge a complaint: with a competent supervisory authority, in particular in the EU member state of your habitual residence, place of work, or alleged infringement.

If we process personal data for direct marketing purposes, you have the right to object at any time to that processing, including related profiling. Laborics does not currently send marketing communications based on connected Google Workspace or Gmail content.

These rights are not absolute. For example, we may need to retain certain data to comply with legal obligations, establish or defend legal claims, or complete a transaction you requested.

14. How to Exercise Your Rights

To exercise your rights, contact us at [email protected].

Please include enough information for us to verify your identity and understand your request. We may request additional information where reasonably necessary to confirm that the request is made by the data subject or an authorized representative.

We will respond within the timeframes required by applicable law, typically within one month of receiving a valid request. That period may be extended where permitted by law due to complexity or the number of requests, in which case we will inform you.

Account deletion requests can also be submitted through the Service where the relevant functionality is available, or by contacting [email protected] or [email protected].

15. Automated Decision-Making

Laborics uses automated systems, including AI models, to generate outputs, execute workflows, classify content, and assist users in performing tasks. However, we do not currently make decisions based solely on automated processing, including profiling, that produce legal effects concerning you or similarly significantly affect you within the meaning of Article 22 GDPR.

AI-generated outputs may influence user choices or automated actions configured by users, but final responsibility for reviewing, validating, and using such outputs remains with the user or organization operating the relevant workflow.

If we introduce a feature that involves solely automated decision-making producing legal or similarly significant effects, we will provide the affected data subjects with the information required by Articles 13, 14, and 22 GDPR, including the logic involved in meaningful terms, the significance and envisaged consequences of the processing, and the available safeguards such as the right to obtain human intervention, express a point of view, and contest the decision.

16. Security Measures

We implement appropriate technical and organizational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access.

These measures include, as appropriate:

• encryption in transit using TLS;
• access controls, role-based permissions, and authentication safeguards;
• secure hosting and infrastructure segmentation;
• logging and monitoring for abuse and security incidents;
• backup and recovery procedures;
• least-privilege practices for personnel and service accounts;
• contractual safeguards with service providers;
• periodic review of security and privacy controls.

No method of transmission over the internet or method of electronic storage is completely secure. We therefore cannot guarantee absolute security.

17. Cookies

We use only strictly necessary cookies and similar technologies necessary to provide core website and service functions, such as authentication, session integrity, CSRF protection, and locale preferences.

For more information, please see our Cookie Policy.

18. Children

The Service is not directed to children and is not intended for individuals under the age of 18. We do not knowingly collect personal data from children under 18 in connection with the Service. If you believe that a child has provided personal data to us in violation of this section, please contact us at [email protected] and we will take appropriate steps.

19. Supervisory Authority

If you believe that our processing of your personal data infringes applicable law, you have the right to lodge a complaint with the Czech supervisory authority:

You may also contact the supervisory authority in the EU member state of your habitual residence, place of work, or place of the alleged infringement.

20. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in legal requirements, technology, our processing practices, or the Service itself.

If we make material changes, we will provide appropriate notice, such as by posting an updated version on the website, through the Service, or by email where appropriate. The "Last updated" date at the top of this Privacy Policy indicates when it was last revised.

21. Contact Us

If you have questions about this Privacy Policy or our data protection practices, please contact:

• Privacy contact: [email protected]
• Support: [email protected]
• General inquiries: [email protected]
• Technical/security matters: [email protected]