Privacy Policy
Last updated: 15 March 2026
FiorLab Limited ("FiorLab", "we", "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and share your personal data when you use our platform.
1. Data Controller
FiorLab Limited (CRO 813471), Dublin, Ireland is the data controller. Contact: privacy@fiorlab.com
2. Data We Collect
We collect: account information (name, email, company name, role); company data (registration numbers, VAT numbers, LEI numbers); supplier assessment data (financial metrics, compliance records, sustainability scores); usage data (page views, feature usage, session duration); uploaded documents (contracts, RFPs, certificates); and communications (support requests, notifications). For pharmaceutical users, this may include GxP compliance data, supplier qualification records, and CAPA documentation.
3. Legal Basis for Processing
We process your data on the basis of: contract necessity (to provide the service); legitimate business interests (to improve the platform and prevent fraud); regulatory compliance (to meet legal obligations); and consent (for marketing communications, which you may withdraw at any time).
4. How We Use Your Data
We use your data to: provide and improve the platform; generate assessment scores and reports; facilitate buyer-supplier connections; send transactional notifications; comply with legal obligations; and detect and prevent fraud or abuse.
5. Data Storage and Security
Data is stored on Google Cloud Platform within the EU. We use TLS 1.2+ encryption in transit and AES-256 encryption at rest. Our infrastructure providers maintain ISO 27001 and SOC certifications. Access is restricted via role-based access control, and all data modifications are logged.
6. Data Sharing
We share data only with approved sub-processors under data processing agreements: Google Cloud Platform (Firebase) for EU storage; Vercel for EU hosting; Resend for email delivery (US, via Standard Contractual Clauses); and Stripe for payment processing. We do not sell your data to third parties.
7. Data Retention
Active account data is retained for the duration of your account. Assessment data is retained for a minimum of 7 years to comply with financial and pharmaceutical regulatory requirements. You may request early deletion subject to legal retention obligations.
8. Your Rights (GDPR)
Under GDPR, you have the right to: access your personal data; rectify inaccurate data; request deletion ("right to be forgotten"); restrict processing; request data portability; object to processing; and withdraw consent. We will respond to requests within 30 days. Contact privacy@fiorlab.com to exercise your rights.
9. Cookies and Analytics
We use essential cookies for authentication and session management. We use Sentry for error monitoring and may use analytics tools to understand platform usage. You can manage cookie preferences through your browser settings.
10. International Transfers
Where data is transferred outside the EEA (e.g., to US-based email providers), we use Standard Contractual Clauses or other approved transfer mechanisms to ensure adequate protection.
11. Data Breach Notification
In the event of a data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected users without undue delay, in accordance with GDPR Article 33.
12. Children's Privacy
FiorLab is a business platform not intended for use by individuals under 18. We do not knowingly collect data from minors.
13. Changes to This Policy
We may update this Privacy Policy with 30 days' notice via email to registered users. The latest version is always available on this page.
14. Supervisory Authority
You have the right to lodge a complaint with Ireland's Data Protection Commission (dataprotection.ie) if you believe your data has been processed unlawfully.
15. Contact
For privacy inquiries: privacy@fiorlab.com
For general questions: hello@fiorlab.com
FiorLab Limited (CRO 813471), Dublin, Ireland