Privacy policy

PRIVACY POLICY
Last updated: January 8th, 2025
1.  General information
Prior Labs GmbH, Elisabeth-Emter-Weg 18, 79110 Freiburg im Breisgau (hereinafter “PriorLabs”, “we” or “us”) takes the protection of personal data very seriously. 
We treat personal data confidentially and always in accordance with the applicable data protection laws, in particular Regulation (EU) 2016/679 (hereinafter “General Data Protection Regulation” or “GDPR”), the German Federal Data Protection Act (hereinafter “BDSG”), and in accordance with the provisions of this privacy policy.
The aim of this privacy policy is to inform you (hereinafter “data subject” or “you”) in accordance with Art. 12 et seq. GDPR about how we process your personal data and for what purposes we process your personal data when using our website https://priorlabs.ai/ (hereinafter “Website”), our services or contacting us.
Unless otherwise stated in this privacy policy, the terms used here have the meaning as defined in the GDPR.
2.  Data controller
PriorLabs acts as a controller within the meaning of the GDPR in relation to your personal data processed in connection with the use of our Website, Service or a contact made to or by PriorLabs. 
If you have any questions about this privacy policy or the processing of your personal data, you can contact us at the following contact details:
Prior Labs GmbH
Elisabeth-Emter-Weg 18
79110 Freiburg im Breisgau
E-mail: dataprotection@priorlabs.ai

Categories, purposes and legal bases of the personal data processed
We process different categories of your personal data for different purposes. Below you can see which data we process in which contexts, for which purposes and on which legal basis we base the respective processing.
2.1.    Visiting our Website
When visiting our Website for informational purposes, i.e., mere viewing and without you providing us with any other information, certain personal data is automatically collected each time the Website are called up and stored in so-called server log files. These are:
•   Browser type and version. The specific type and model of Internet browser you are using, such as Google Chrome, Mozilla Firefox, or Microsoft Edge, along with the specific version of the browser.
•   Operating system used. Your operating system for your digital activity, such as Windows, macOS, Linux, iOS, or Android.
•   Host name of the accessing computer. The unique name that your device has on the Internet or on a local network.
•   The date and time of access. The exact time of access to the Website.  
•   IP address of the requesting computer. The unique numeric identifier assigned to a device when it connects to the Internet. 
Such data is not merged with other data sources, and the data is not evaluated for marketing purposes. 
Legal basis:
The legal basis for the temporary storage and processing of such personal data is Art. 6 para. 1 sent. 1 lit. f GDPR. Our legitimate interest here is to be able to provide you with technically functional, attractive and user-friendly Website as well as to ensure the security of our systems.
Duration of the storage:
Such personal data will be deleted as soon as it is no longer required to achieve the purpose for which it was collected. For personal data stored in log files, this is the case after 7 days at the latest. 
However, in some cases, e.g., due to legal retention periods we might be under the legal obligation to continue the storage of your personal data.
2.2.    Use of our Services
We provide you with a software to TabPFN foundation models in the context of the analysis, processing and evaluation of tabular business data (“Services”). Please note our Acceptable Use Policy which strictly prohibits the upload of personal data to use our Services. 
Although, you are not allowed to upload (tabular) personal data to have them analyzed, processed and evaluated, we are processing certain personal data when you are accessing our Services via our API.
2.2.1.  User account
When you register your user account, we process the following personal data:
•   First and last name
•   E-mail address
•   Password

Legal basis:
We process the aforementioned information to create your user account and, thus, such data will be processed for the performance of a contract or in order to take steps prior to entering into a contract in accordance with Art. 6 para. 1 sent. 1 lit. b GDPR. 
Duration of the storage:
You can delete your user account at any time by sending an e-mail with your request to dataprotection@priorlabs.ai. We will delete your user account when it has been inactive for 3 years.
2.2.2.  Usage data
When you use our service, we process certain personal data about how you use it and the device you use to access it. We process the following usage data in the form of log files:
•   IP address of the requesting computer. The unique numeric identifier assigned to a device when it connects to the Internet. 
•   Browser type and version. The specific type and model of Internet browser you are using, such as Google Chrome, Mozilla Firefox, or Microsoft Edge, along with the specific version of the browser.
•   Operating system used. Your operating system for your digital activity, such as Windows, macOS, Linux, iOS, or Android.
•   The date and time of access. The exact time of access to the Website.  
•   Host name of the accessing computer. The unique name that your device has on the Internet or on a local network.
The processing of this data is used for the technical provision of our services and their contents, as well as to optimise their usability and ensure the security of our information technology systems.
Legal basis:
The legal basis for the temporary storage and processing of such personal data is Art. 6 para. 1 sent. 1 lit. f GDPR. Our legitimate interest here is the technical provision of our services and their contents, as well as to optimise their usability and ensure the security of our information technology systems to be able to provide you with technically functional, attractive and user-friendly Website as well as to ensure the security of our systems.
Duration of the storage:
Such personal data will be deleted as soon as it is no longer required to achieve the purpose for which it was collected. For personal data stored in log files, this is the case after 7 days at the latest. 
However, in some cases, e.g., due to legal retention periods we might be under the legal obligation to continue the storage of your personal data.
2.3.    Contact
It is possible to contact us on our Website by e-mail. When you contact us, we collect and process certain information in connection with your specific request, such as, e.g., your name, e-mail address, and other data requested by us or data you voluntarily provide to us (hereinafter “Contact Data”). 
Legal basis:
If you contact us as part of an existing contractual relationship or contact us in advance for information about our range of services, the Contact Data will be processed for the performance of a contract or in order to take steps prior to entering into a contract and to respond to your contact request in accordance with Art. 6 para. 1 sent. 1 lit. b GDPR. 
Otherwise, the legal basis for the processing of Contact Data is Art. 6 para. 1 sent. 1 lit. f GDPR. The Contact Data is processed to pursue our legitimate interests in responding appropriately to customer/contact inquiries.
Duration of storage:
We will delete Contact Data as soon as the purpose for data storage and processing no longer applies (e.g., after your request has been processed). 
However, in some cases, e.g., due to legal retention periods we might be under the legal obligation to continue the storage of your personal data.
2.4.    Newsletter
With your consent, we may process your personal data to send you a newsletter via e-mail that contains information about our products and services. To send you the newsletter, we require processing your e-mail address, date and time of your registration, your IP address and browser type. 
Our newsletters contain so-called tracking links that enable us to analyze the behavior of newsletter recipients. We may collect personal data such as regarding the opening of the newsletter (date and time), selected links, and the following information of the accessing computer system: IP address used, browser type and version, device type and operating system (“Tracking Data”). This enables us to statistically analyze the success or failure of online marketing campaigns.
Legal basis:
The data processing activities with regard to the newsletter sending and newsletter tracking only take place if and insofar as you have expressly consented to it within the merits of Article 6 para. 1 sent. 1 lit. a GDPR. Your prior consent for such processing activities is obtained during the newsletter subscription process (double opt-in) by way of independent consent declaration referring to this privacy policy.
You can revoke your consent at any time with effect for the future by clicking on the unsubscribe link in e-mails. The withdrawal of your consent does not affect the lawfulness of processing based on your consent before its withdrawal. 
Duration of storage:
We will delete your personal data as soon as the purpose for data storage and processing no longer applies. Your e-mail address will be stored for as long as the subscription to our newsletter is active. 
However, in some cases, e.g., due to legal retention periods, we might be under the legal obligation to continue the storage of your personal data.
2.5.    Social media and professional networks and platforms
We utilize the possibility of company appearances on social and professional networks and platforms (LinkedIn, Github, X and Discord) in order to be able to communicate with you and to inform you about our services and news about us. 
You can, inter alia, access the respective network or platform by clicking on the respective network icon displayed on our Website, which includes a hyperlink. A hyperlink activated by clicking on it opens the external destination in a new browser window of your browser. No personal data is transferred to the respective network before this activation.
2.5.1.  Visiting our page on social media and professional networks and platforms
The respective aforementioned network or platform is, in principle, solely responsible for the processing of personal data when you visit our company page on one of those networks or platforms. 
Please do not contact us via one of the networks or platforms if you wish to avoid this. You use such networks and platforms and their functions on your own responsibility. 
2.5.2.  Communication via social media and professional networks and platforms
We process information that you have made available to us via our company page on the respective network or platform, e.g., your (user) name, e-mail address, contact details, communication content, job title, company name, industry, education, contact options, photo, and other data you voluntarily provide to us. The (user) names of the registered network or platform users who have visited our company page on the networks or platforms may be visible to us. 
Legal basis:
If you contact us as part of an existing contractual relationship or contact us in advance for information about our range of services, the personal data will be processed for the performance of a contract or in order to take steps prior to entering into a contract and to respond to your contact request in accordance with Art. 6 para. 1 sent. 1 lit. b GDPR. 
Otherwise, the legal basis for the processing of the personal data is Art. 6 para. 1 sent. 1 lit. f GDPR. The personal data is processed to pursue our legitimate interests in responding appropriately to customer/contact inquiries.
Duration of storage:
We will delete your personal data as soon as the purpose for data storage and processing no longer applies (e.g., after your request has been processed). 
However, in some cases, e.g., due to legal retention periods we might be under the legal obligation to continue the storage of your personal data.
3.  Data receiver
We might transfer your personal data to certain data receivers if such transfer is necessary to fulfill our contractual and legal obligations.
In individual cases, we transfer personal data to our consultants in legal or tax matters, whereby these recipients act independently in their own data protection responsibilities and are also obliged to comply with the requirements of the GDPR and other applicable data protection regulations. In addition, they are bound by special confidentiality and secrecy obligations due to their professional position. 
In the event of corporate transactions (e.g., sale of our business or a part of it), we may transfer personal data to involved advisors or to potential buyers.
Additionally, we also use services provided by various specialized companies, e.g., IT service providers, that process data on our behalf (hereinafter “Data Processors”). We have concluded a data processing agreement according to Art. 28 GDPR or EU standard contractual clauses of the EU Commission pursuant to Art. 46 para. 2 lit. c GDPR with each service provider and they only process data in accordance with our instructions and not for their own purposes. 
Our current Data Processors are:
Data Processor  Purpose of commissioning the Data Processor / purpose of processing
OpenAI  Processing text inputs to our model API
Mailchimp   Newsletter Signup
Google Analytics    Usage analytics
4.  Data transfers to third countries
Your personal data is generally processed in Germany and other countries within the European Economic Area (EEA).
However, it may also be necessary for personal data to be transferred to recipients located outside the EEA, i.e., to third countries, such as the USA. If possible, we conclude the currently applicable EU standard contractual clauses of the EU Commission pursuant to Art. 46 para. 2 lit. c GDPR with all processors located outside the EEA. Otherwise, we ensure that a transfer only takes place if an adequacy decision exists with the respective third country and the recipient is certified under this, if necessary. We will provide you with respective documentation on request.
5.  Your rights
The following rights are available to you as a data subject in accordance with the provisions of the GDPR:
5.1.    Right of revocation
You may revoke your consent to the processing of your personal data at any time pursuant to Art. 7 para. 3 GDPR. Please note, that the revocation is only effective for the future. Processing that took place before the revocation remains unaffected. 
5.2.    Right of access
Under the conditions of Art. 15 GDPR you have the right to request confirmation from us at any time as to whether we are processing personal data relating to you. If this is the case, you also have the right within the scope of Art. 15 GDPR to receive access to the personal data as well as certain other information about the personal data and a copy of your personal data. The restrictions of § 34 BDSG apply.
5.3.    Right to rectification
Under the conditions of Art. 16 GDPR you have the right to request us to correct the personal data stored about you if it is inaccurate or incomplete.
5.4.    Right to erasure
You have the right, under the conditions of Art. 17 GDPR, to demand that we delete the personal data concerning you without delay. 
5.5.    Right to restrict processing
You have the right to request that we restrict the processing of your personal data under the conditions of Art. 18 GDPR.
5.6.    Right to data portability
You have the right, under the conditions of Art. 20 GDPR, to request that we hand over, in a structured, common and machine-readable format, the personal data concerning you that you have provided to us. Please note that this right only applies where the processing is based on your consent, or a contract and the processing is carried out by automated means.
5.7.    Right to object
You have the right to object to the processing of your personal data under the conditions of Art. 21 GDPR.
5.8.    Right to complain to a supervisory authority
Subject to the requirements of Art. 77 GDPR, you have the right to file a complaint with a competent supervisory authority. As a rule, the data subject may contact the supervisory authority of his or her habitual residence or place of work or place of the alleged infringement or the registered office of PriorLabs. The supervisory authority responsible for PriorLabs is the State Commissioner for Data Protection and Freedom of Information for Baden-Württemberg. A list of all German supervisory authorities and their contact details can be found here.
6.  Obligation to provide data
When you visit our Website, you may be required to provide us with certain personal data as described in this privacy policy. Beyond that, you are under no obligation to provide us with personal data. However, if you do not provide us with your personal data as required, you may not be able to contact us and/or we may not be able to contact you to respond to your inquiries or questions.
7.  Automated decisions/profiling
The processing of your personal data carried out by us does not contain any automated decisions in individual cases within the meaning of Art. 22 para. 1 GDPR.
8.  Changes to this privacy policy
We review this privacy policy regularly and may update it at any time. If we make changes to this privacy policy, we will change the date of the last update above. Please review this privacy policy regularly to be aware of any updates. The current version of this privacy policy can be accessed at any time at Priorlabs.ai/privacy.