Privacy Policy

1. Introduction

Capture Lab, Inc. (“Capture Lab,” “we,” “us,” or “our”) is a workflow intelligence platform that helps enterprise organizations capture, analyze, and automate their internal business processes. Our software enables organizations to record desktop-based employee workflows, generate structured process analytics, and deploy AI-powered automation agents — all within a secure, access-controlled environment.

We understand that you care about your personal privacy and the privacy of your organization's data. This Privacy Statement describes our policies and practices regarding the collection, use, storage, and protection of personal and organizational data, and sets forth your privacy rights. We recognize that privacy is an ongoing responsibility and will update this Privacy Statement as our practices evolve or as required by applicable law.

This Privacy Statement applies to:

• Visitors to our website at capture-lab.com
• Prospective customers and partners who engage with us
• End users and employees of organizations that have contracted to use the Capture Lab platform
• Any individual whose personal data we process in connection with our services

2. Data Protection Contact

Capture Lab, Inc. is headquartered in Pittsburgh, Pennsylvania, in the United States. We have designated a Data Protection Officer (DPO) to oversee compliance with this Privacy Statement and applicable data protection laws. To contact our DPO with questions, concerns, or requests related to your personal data:

3. How We Collect and Use Your Personal Information

Capture Lab collects personal information in two primary contexts: (a) from visitors to our website and prospective customers, and (b) from end users operating within customer organizations that have deployed our platform.

3.1 Website and Prospect Data

When you visit our website or contact us directly, we may collect:

• Full name and job title
• Employer or organization name
• Work email address and work phone number
• General geographic location (country or region)
• Inquiry content submitted via contact forms or email

We use this information to respond to inquiries and demo requests, provide product information and onboarding materials, communicate service updates, and maintain our business relationship with you. We do not sell, rent, or trade this information to any third party.

3.2 Platform and Service Data

When a customer organization deploys the Capture Lab platform, we process data on behalf of that organization as a data processor. This may include:

• Desktop workflow recordings, including screen activity, application interactions, and user input metadata captured from authorized employee devices
• Employee role identifiers, team names, and job function labels associated with recorded workflows
• Structured task graphs, process maps, and analytics data derived from workflow recordings
• System and application metadata captured during recording sessions (e.g., application names, window titles, timestamps)

This data is processed solely to provide workflow intelligence services — including process visualization, analytics dashboards, SOP generation, and AI agent training — to the authorized operations teams within the customer's organization. We do not use this data for any purpose outside the scope of contracted services, and we do not cross-reference or combine data across different customer organizations.

Legal basis for processing (where applicable under GDPR): Processing of customer organization data is conducted pursuant to a contractual relationship with the customer (Article 6(1)(b) GDPR). Website and prospect data is processed on the basis of legitimate interest (Article 6(1)(f) GDPR) or consent where explicitly provided.

4. Use of the Capture Lab Website

Like most websites, capture-lab.com automatically collects certain technical information when you visit, including:

• Internet Protocol (IP) addresses
• Browser type, version, and operating system
• Pages viewed, time spent on each page, and navigation paths
• Referring URLs and search terms used to find our site
• General location inferred from IP address (country/region level)

We use this information to maintain and improve our website, diagnose technical issues, understand aggregate visitor behavior, and enhance the user experience. This data is not used to identify individual visitors unless you have separately provided us with your contact information through a form or direct communication.

Our website may contain links to third-party websites or services. This Privacy Statement applies only to capture-lab.com and the Capture Lab platform. We are not responsible for the privacy practices of third-party sites and encourage you to review their respective privacy policies before providing any personal information.

5. Cookies and Tracking Technologies

Our website uses a limited set of cookies to support core functionality and understand aggregate traffic patterns:

• Essential cookies: Required for the website to function correctly, including session management and security tokens. These cannot be disabled.
• Analytics cookies: Used to understand how visitors interact with our site in aggregate (e.g., page views, bounce rate). We do not use advertising or behavioral tracking cookies.

We do not use third-party advertising networks, cross-site trackers, or fingerprinting technologies. You may disable non-essential cookies through your browser settings; however, doing so may affect certain website features. The Capture Lab platform itself does not use cookies or browser-based tracking technologies.

Capture Lab's website does not currently respond to browser Do Not Track (DNT) signals, as no industry-wide standard for DNT has been adopted. We will revisit this position if a recognized standard is established.

6. Use of the Capture Lab Platform and Services

The Capture Lab platform is a B2B service deployed within and on behalf of customer organizations. The platform operates as follows:

• Workflow Recording: Our desktop recording agent captures screen activity, application interactions, and input metadata from authorized employee devices within the customer's environment. Recording is performed only on devices where the software has been explicitly installed and authorized by the customer organization.
• Data Transmission: Recorded workflow data is transmitted securely from the customer's devices to Capture Lab's cloud infrastructure via encrypted channels (TLS 1.2 or higher).
• Data Processing: Workflow data is processed on Capture Lab's AWS-hosted infrastructure to generate process maps, task graphs, analytics insights, and AI agent training datasets — exclusively for the originating customer organization.
• Agent Deployment: Where contracted, AI automation agents trained on a customer's workflow data may be deployed back into the customer's environment via Capture Lab's AWS-based execution infrastructure.

Customer organizations are solely responsible for:

• Obtaining all necessary consents, authorizations, or legal bases from their employees prior to deploying workflow recording software, in accordance with applicable employment law, privacy law, and any applicable collective bargaining agreements
• Notifying their employees about the nature and scope of workflow monitoring
• Defining appropriate access controls within their Capture Lab deployment to limit who can view workflow recordings and analytics

Capture Lab does not share workflow data or derived analytics across customer organizations. Each customer's data is logically isolated within Capture Lab's infrastructure.

7. When and How We Share Information with Third Parties

Capture Lab does not sell, rent, or trade personal information or customer workflow data to any third party under any circumstances.

We may share information with third parties only in the following limited circumstances:

• Infrastructure subprocessors: Amazon Web Services (AWS) provides the cloud infrastructure on which Capture Lab operates. AWS serves as an infrastructure-level subprocessor and does not have independent access to customer data. All data is stored in Capture Lab-operated AWS accounts in the United States.
• Legal compliance: We may disclose information if required by applicable law, regulation, court order, or valid legal process. We will make reasonable efforts to notify affected customers of such requests to the extent permitted by law.
• Protection of rights: We may disclose information to protect the rights, safety, or property of Capture Lab, our customers, our employees, or the public — including to prevent fraud or address security incidents.
• Business transfers: In the event of a merger, acquisition, or asset sale involving Capture Lab, customer data may be transferred as part of that transaction. We will notify affected customers prior to any such transfer and ensure the receiving entity provides equivalent privacy protections.
• With explicit consent: We may share information in any other circumstance with your prior, explicit, written consent.

A current list of third-party subprocessors is available upon written request at privacy@capture-lab.com. We will provide reasonable advance notice to customers before adding new subprocessors.

Enterprise customers who require a Data Processing Agreement (DPA) — including those subject to GDPR, HIPAA, or other regulatory frameworks — may request one by contacting privacy@capture-lab.com. The DPA will govern the terms under which Capture Lab processes personal data on behalf of the customer organization.

8. Data Storage and Retention

All customer workflow data and personal information collected through the Capture Lab platform is stored on Capture Lab-operated servers hosted on Amazon Web Services (AWS) in the United States. Data is encrypted at rest using AES-256 and in transit using TLS 1.2 or higher.

8.1 Retention Periods

• Customer platform data: Retained for the duration of the customer's active contract with Capture Lab, and for up to 12 months following contract termination to support offboarding, dispute resolution, and regulatory compliance. Following this period, data is securely deleted or irreversibly anonymized.
• Website visitor data: Retained for up to 24 months from the date of collection, after which it is deleted or anonymized.
• Prospect and contact data: Retained as long as there is an active business relationship or legitimate interest, and purged within 12 months of the last meaningful interaction.
• Security logs and audit trails: Retained for a minimum of 12 months to support incident investigation and compliance audit requirements.

8.2 Data Deletion Requests

Upon receipt of a verified written deletion request, Capture Lab will delete or anonymize the relevant personal data within 30 days, except where retention is required by applicable law or for the resolution of active disputes. Deletion requests may be submitted to privacy@capture-lab.com.

8.3 Legal Hold

Notwithstanding the retention periods described above, Capture Lab may retain personal data beyond the standard retention period where required by applicable law, or where data is subject to an active legal hold, litigation, regulatory investigation, or dispute resolution proceeding. Affected data will be deleted as soon as the legal hold or proceeding is resolved.

9. Security of Your Information

Capture Lab maintains a comprehensive information security program designed to protect the confidentiality, integrity, and availability of customer and personal data.

9.1 Technical Controls

• Encryption of all data in transit using TLS 1.2 or higher
• Encryption of all data at rest using AES-256
• Role-based access controls (RBAC) limiting data access to authorized personnel only
• Multi-factor authentication (MFA) required for all internal systems and cloud infrastructure
• Network segmentation and firewall rules on all cloud infrastructure
• Vulnerability scanning and patch management on all production systems
• Automated logging and monitoring of access to customer data environments

9.2 Organizational Controls

• All employees and contractors sign a confidentiality and information security agreement prior to accessing any company or customer data
• Annual security awareness training required for all personnel
• Defined incident response plan with escalation procedures and notification timelines
• Quarterly review of access permissions and least-privilege enforcement
• SOC 2 Type 1 compliance program in progress; audit planned for 2026

9.3 Incident Response

In the event of a confirmed data security incident affecting personal data or customer workflow data, Capture Lab will:

• Contain and investigate the incident within 24 hours of detection
• Notify affected customers within 72 hours of a confirmed breach, consistent with GDPR Article 33 and applicable breach notification laws
• Provide a written incident report including the nature of the incident, data affected, remediation steps taken, and measures to prevent recurrence
• Cooperate with any regulatory investigations as required by law

To report a suspected security incident, contact security@capture-lab.com immediately.

10. Data Subject Rights

Depending on your location and applicable law, you may have the following rights with respect to your personal data:

• Right to be informed: You have the right to know what personal data we collect, how we use it, and with whom we share it.
• Right of access: You may request a copy of the personal data we hold about you, including information about how it is processed.
• Right to rectification: You may request that we correct inaccurate or incomplete personal data without undue delay.
• Right to erasure: You may request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, subject to legal retention requirements.
• Right to restrict processing: You may request that we limit how we process your data in certain circumstances.
• Right to data portability: Where processing is based on consent or contract and carried out by automated means, you may request your data in a structured, machine-readable format.
• Right to object: You may object to processing based on legitimate interests, including for direct marketing purposes.
• Right to withdraw consent: Where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of the above rights, please submit a written request to privacy@capture-lab.com. We will verify your identity before processing the request and respond within 30 days. For complex requests, we may extend this period by an additional 30 days and will notify you accordingly.

10.1 Cross-Border Data Transfers

Capture Lab processes all data in the United States. For customers or data subjects located in the European Economic Area (EEA) or United Kingdom, we will enter into Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms as required under GDPR Article 46 to ensure appropriate safeguards for cross-border data transfers.

Since its founding, Capture Lab has received zero government requests for customer information.

10.2 California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) grant you the following additional rights:

• Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, the purposes for collection, and the categories of third parties with whom it is shared.
• Right to Delete: You may request deletion of personal information we have collected, subject to certain legal exceptions.
• Right to Correct: You may request correction of inaccurate personal information we maintain about you.
• Right to Opt-Out of Sale or Sharing: Capture Lab does not sell or share personal information with third parties for cross-context behavioral advertising. No opt-out action is required, but you may contact us to confirm this at any time.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.

To submit a California privacy request, contact us at privacy@capture-lab.com. We will respond within 45 days, with a possible extension of an additional 45 days for complex requests.

11. Children's Data

Capture Lab's platform and services are designed exclusively for enterprise business use and are intended for use by adults in a professional capacity. We do not knowingly collect, solicit, or process personal data from individuals under the age of 16. If we become aware that we have inadvertently collected personal data from a child under 16, we will take prompt steps to delete such data. If you believe we have collected data from a minor, please contact us immediately at privacy@capture-lab.com.

12. Changes to This Privacy Statement

We may update this Privacy Statement periodically to reflect changes in our data practices, service offerings, or applicable legal requirements. Each update will be reflected in a revised “Last Reviewed” date at the top of this document.

For material changes — including changes that expand data collection, alter data sharing practices, or affect data subject rights — we will:

• Notify active customers via email at least 30 days prior to the change taking effect
• Post a prominent notice on our website
• Where required by applicable law, obtain renewed consent

We recommend reviewing this Privacy Statement at least annually. Continued use of our services following notice of material changes constitutes acceptance of the updated Privacy Statement.

13. Questions, Concerns, or Complaints

If you have any questions, concerns, or complaints regarding this Privacy Statement or our data practices, please contact us:

We are committed to resolving all privacy concerns promptly and transparently. If you are not satisfied with our response, you have the right to escalate your complaint to the appropriate data protection authority in your jurisdiction.