Privacy Policy
Ideallab ("we", "us", "our") is committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, share, and protect information about you when you use our marketing website at ideallab.org and our web applications (collectively, the "Services").
This policy is written in compliance with the EU General Data Protection Regulation (GDPR) (Regulation 2016/679) and, where applicable, the UK GDPR.
1. What Data We Collect
We collect different types of data depending on how you interact with us:
1.1 Data you provide directly
- Account information (name, email address, password) when you register on growthengine.ideallab.org
- Product descriptions and inputs you enter into the application to generate your ICP and growth recommendations
- Communications you send us (e.g. support requests, feedback emails)
1.2 Data collected automatically
- Usage data: pages visited, features used, time spent, click patterns
- Device and browser data: browser type, operating system, screen resolution, language settings
- IP address (masked before storage)
- Referrer URL and UTM parameters
- Cookies and similar tracking technologies (see our Cookie Policy)
1.3 Data from third parties
- Aggregated analytics data from Umami (self-hosted)
2. How We Use Your Data
We use your personal data for the following purposes:
- Providing the Services — to operate, maintain and deliver the features of Ideallab, including generating your ICP, customer discovery maps and contact playbooks
- Account management — to create and manage your account, authenticate you, and send essential service communications
- Analytics and improvement — to understand how visitors use our Website and app so we can improve them (via self-hosted Umami analytics)
- Security and fraud prevention — to detect, investigate and prevent fraudulent or abusive activity
- Legal compliance — to comply with applicable laws, regulations and legal obligations
- Communications — to respond to enquiries and, where you have opted in, to send product updates
3. Legal Basis for Processing (GDPR Article 6)
We process your personal data under the following legal bases:
- Contract (Art. 6(1)(b)) — processing necessary to perform our contract with you (providing the Services)
- Legitimate interests (Art. 6(1)(f)) — analytics to improve our Services, security monitoring, and fraud prevention, where your interests and fundamental rights do not override these interests
- Legal obligation (Art. 6(1)(c)) — where we are required to comply with applicable law
4. Analytics (Umami)
We use Umami, a self-hosted, open-source web analytics platform, to understand how visitors interact with our Website. All analytics data is processed on our own servers at analytics.ideallab.org within the European Economic Area (EEA).
Umami does not use cookies and does not track individual users. Your IP address is masked (truncated to the subnet level) before any data is stored. The analytics data collected includes pages viewed, session duration, device type, and referral source — all aggregated to protect your privacy.
Unlike with third-party analytics tools, no data is shared with Google, Meta, or any other third-party provider. All data remains under our control and is subject to our own retention policies.
5. How We Share Your Data
We do not sell, trade, or rent your personal data. We may share your data in the following limited circumstances:
- Service providers — trusted third-party vendors who process data on our behalf (e.g. hosting, email delivery) under data processing agreements that comply with GDPR
- Legal requirements — if required by law, court order, or governmental authority
- Business transfers — in the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor entity; we will notify you before your data becomes subject to a different privacy policy
6. International Data Transfers
All analytics data collected by Umami is processed and stored exclusively on our self-hosted servers within the European Economic Area (EEA). No analytics data is transferred outside the EEA.
7. Data Retention
We retain personal data only for as long as necessary for the purposes described in this policy:
- Account data: retained for the duration of your account plus 90 days after deletion
- Application inputs (product descriptions, ICP data): retained while your account is active; deleted within 30 days of account deletion upon request
- Analytics data: retained for up to 24 months in our self-hosted Umami instance, after which it is automatically deleted
- Support communications: retained for up to 3 years
8. Your Rights Under GDPR
If you are located in the EU, EEA, or UK, you have the following rights regarding your personal data:
To exercise any of these rights, contact us at info@ippocra.com. We will respond within 30 days. We may need to verify your identity before fulfilling your request.
If you are based in the EU, you may also lodge a complaint with your national data protection authority. A list of EU authorities is available at edpb.europa.eu. For UK residents, the supervisory authority is the Information Commissioner's Office (ICO).
9. Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These include encrypted data transmission (HTTPS/TLS), access controls, and regular security reviews. However, no method of transmission over the Internet is 100% secure, and we cannot guarantee absolute security.
10. Children's Privacy
Our Services are not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately at info@ippocra.com.
11. Links to Third-Party Sites
Our Website may contain links to third-party websites. We are not responsible for the privacy practices of those sites and encourage you to review their privacy policies independently.
12. Changes to This Policy
We may update this Privacy Policy periodically. When we make material changes, we will notify you by updating the "Last updated" date at the top of this page, and where appropriate, by sending an email notification or displaying a notice in the application. We encourage you to review this policy regularly.
13. Contact Us
If you have questions, concerns, or requests relating to this Privacy Policy or your personal data, please contact us:
- Email: info@ippocra.com