Summary
We collect the minimum data needed to accept your order, ship your research standards, prevent fraud, and comply with law. We never receive full card numbers. We rely on a small set of third-party processors, all listed below. We serve U.S. researchers primarily and honor data-subject requests from anywhere we do business.
1. Who we are
elev8 Labs is the data controller for personal information collected through this website. Contact us at support@elev8labsrx.com with any privacy question.
2. What we collect
Account and order data
- Name and email address
- Shipping address (street, city, state, postal code, country)
- Billing address, where separate from shipping, when provided
- Order history, including SKUs, quantities, and prices paid
- Payment tokens, last-four digits of your card, expiration month and year — never the full card number or CVV
- Subscription state (active, paused, cancelled; next renewal date)
Wholesale applicant data
- Business name, institution type, and EIN or equivalent tax identifier where required
- Point-of-contact name, role, and business email
- Supporting documentation you upload in your application
Technical data
- IP address, user-agent string, referrer, and timestamps for security and fraud prevention
- Cookie identifiers and consent state
- Chatbot conversation transcripts associated with your session (retained 30 days for authenticated users; session-only for guests)
- Affiliate referral attribution: a signed aff cookie linking you to the referring affiliate for up to 90 days; the click event itself stores a one-way SHA-256 hash of your IP and user-agent — never the raw values — for fraud prevention and de-duplication
What we do not collect
- Full card numbers (PAN), CVVs, or card track data. Card data is tokenized in your browser before it reaches our servers.
- Social Security numbers or government-issued identifiers, unless required for wholesale verification.
- Biometric data.
3. Sources
- Forms you submit on this site (account creation, checkout, wholesale application, contact form).
- Cookies and browser storage when you consent to analytics or marketing categories.
- Third-party processors (payment gateway, email service) that return order status, delivery confirmations, or bounce codes.
4. Purposes
We use your information to:
- Fulfill your order, including shipping, tax, and customer support.
- Prevent fraud, account takeover, and chargeback abuse.
- Comply with tax, anti-money-laundering, and card-network obligations.
- Send transactional email (order confirmations, shipping notifications, password resets, subscription renewals).
- Send marketing email, only if you have opted in. You can unsubscribe at any time from any marketing email.
- Improve the website and our product catalog through consented, aggregated analytics.
We do not sell your personal information. We do not share your personal information with advertisers beyond the privacy-safe analytics described below.
5. Third-party processors
We rely on the following processors. Each is bound by a data processing agreement and processes data only on documented instructions.
| Processor | Purpose | Data categories |
|---|---|---|
| Neon (Postgres hosting) | Primary database hosting (U.S. region) | Account, order, subscription, wholesale data |
| Vercel | Application hosting and edge delivery | Request logs, IP address, user-agent |
| Cloudflare (R2, Turnstile) | Asset storage and bot-protection challenge | Uploaded assets, challenge-event metadata |
| Resend | Transactional and marketing email delivery | Email address, email body, delivery status |
| Proton Business | Support mailbox for @elev8labsrx.com | Email content from support conversations |
| Sentry | Server-side error monitoring (PII scrubbed) | Stack traces, request metadata, scrubbed user ID |
| PostHog | Product analytics (consent-gated) | Event stream, page views, anonymous identifiers |
| Google Analytics 4 | Audience analytics (consent-gated) | Anonymized page views, referrer, device category |
| Payment gateway (TBD) | Card-tokenization and authorization | Payment token, last-four, expiry, billing address |
Processors may change as our stack evolves. Material changes will be reflected here.
6. Cookies
We use the minimum cookies required to operate the site and, with your consent, a small set of analytics and marketing cookies.
| Category | Purpose | Consent required |
|---|---|---|
| Essential | Session management, CSRF tokens, age-gate acknowledgment, consent state | No |
| Essential | Affiliate referral cookie (aff) — signed, 90-day max, links a click to an affiliate so we can attribute commission on a subsequent purchase | No |
| Analytics | PostHog and GA4 traffic analysis | Yes |
| Marketing | Attribution for marketing campaigns; not currently active at launch | Yes |
You can update your consent preferences at any time via the cookie banner or by clearing your browser cookies for this site.
7. Data retention
| Data category | Retention window |
|---|---|
| Order and invoice records | 7 years (tax and chargeback evidence) |
| Account profile | Active account lifetime + 90 days after deletion |
| Shipping address history | With the associated order, per the 7-year window |
| Payment tokens | Until the token expires or you remove the card on file |
| Chatbot transcripts (authenticated) | 30 days |
| Chatbot transcripts (guest) | Session only; not persisted after session end |
| Analytics events | 30 days at the event grain; indefinite as aggregates |
| Security and fraud logs | 12 months |
| Marketing email suppressions | Indefinite (needed to honor unsubscribe) |
| Affiliate click + attribution | Hashed IP / UA + click metadata: 24 months. Attributed conversions: with the order record (7 years). |
| Affiliate tax forms (W-9 / W-8) | 4 years after the last 1099-NEC issued, per IRS retention rules |
8. Your rights
We honor the rights granted by the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), including the right to:
- Know what personal information we collect, disclose, and share.
- Request access to and a copy of your personal information.
- Request correction of inaccurate personal information.
- Request deletion of your personal information, subject to legal retention obligations.
- Opt out of any sale or sharing of personal information (we do not sell).
- Limit the use and disclosure of sensitive personal information.
If you reside in a jurisdiction covered by the EU General Data Protection Regulation (GDPR) or the UK GDPR, you have additional rights including data portability and the right to object to processing based on legitimate interest.
To exercise any right, email support@elev8labsrx.com from the address associated with your account. We may require additional verification for sensitive requests. We will respond within 45 days, or sooner where required by law.
9. Children's privacy
This website is not directed at children. We do not knowingly collect personal information from anyone under 18. If you believe a minor has submitted information to us, contact support@elev8labsrx.com and we will delete it.
10. Security
We protect your data with:
- Transport Layer Security (TLS) on all connections.
- Tokenized card data; no PAN or CVV on our servers.
- Role-based access controls on the admin dashboard.
- Rate limiting on authentication and mutation endpoints.
- Scrubbed error tracking with personally identifiable information removed from breadcrumbs.
- Regular dependency audits and security-header enforcement (HSTS, CSP, X-Content-Type-Options).
No system is perfectly secure. If you suspect a security issue with your account, email support@elev8labsrx.com immediately.
11. International transfers
Our infrastructure is U.S.-based. If you access the site from outside the United States, your information will be transferred to and processed in the United States. By using this site, you consent to that transfer.
12. Updates to this policy
We may update this policy to reflect changes in our processing, stack, or legal obligations. The "last updated" date at the top of this page reflects the most recent revision. Material changes to processing will be communicated by email where we have a lawful basis and current contact details.
Questions
Reach us at support@elev8labsrx.com.
elev8 Labs products are reference standards for laboratory research only. Not for human consumption.
