Privacy Notice
Last updated: April 23, 2026
Data Controller: Maiden Labs, Inc.
Contact: privacy@maidenlabs.org
1. Introduction and Your Rights
Under the General Data Protection Regulation (GDPR, EU Regulation 2016/679), you have specific rights regarding your personal data. This notice explains what data we collect, why we collect it, how we use it, and your rights.
Your key rights:
- Right to be informed (this notice fulfills that right)
- Right of access: request a copy of your data
- Right to rectification: correct inaccurate data
- Right to erasure (“right to be forgotten”)
- Right to restrict processing: limit how we use your data
- Right to data portability: receive your data in a structured format
- Right to object: object to certain types of processing
- Rights related to automated decision-making: challenge automated decisions
To exercise any of these rights, contact us at privacy@maidenlabs.org.
2. Data We Collect and Legal Basis
2.1 Information you provide directly
What we collect:
- Email address and name (when you create an account via Clerk, or sign in with Google)
- Profile photo (if you sign in with Google; provided by Google, not stored by us separately)
- Company or organization name (optional, if you provide it)
Legal basis:
- Contract (Article 6(1)(b) GDPR): when necessary to provide the Service you have requested
- Consent (Article 6(1)(a) GDPR): when you voluntarily create an account or sign up for communications
How to withdraw consent: contact privacy@maidenlabs.org to delete your account and all associated information.
2.2 Billing information
If you subscribe to a paid plan, payment is processed by Stripe. We do not store credit card numbers, bank account details, or other payment credentials on our servers. Stripe provides us with a customer identifier, subscription status, and the last four digits of your card for display purposes.
Legal basis: Contract (Article 6(1)(b) GDPR).
2.3 Information collected automatically
What we collect via third-party services associated with our site:
- IP address (anonymized after 14 days)
- Browser type and version
- Device type and operating system
- Pages visited and time spent
- Referral source
- API request logs: endpoint called, timestamp, response status, and response time
- Cookies and similar tracking technologies (see Section 8 below)
Legal basis:
- Legitimate Interests (Article 6(1)(f) GDPR): to operate, secure, and improve the Service, enforce rate limits, and detect abuse
- Consent (for non-essential cookies): via our cookie banner
Data retention: technical and API logs are retained for 90 days, then deleted. Anonymized analytics data may be retained indefinitely as it cannot identify you.
2.4 Special category data
We do not knowingly collect special category data under Article 9 GDPR (racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, sex life, or sexual orientation).
2.5 What we do not collect
Cubit processes occupational data, not personal employee data. API queries contain occupational codes or search terms, not personal data. We do not collect, store, or process personal employee records. We do not receive or store your Google password.
3. How We Use Your Data
3.1 Service provision (Legal basis: Contract & Legitimate Interests)
- Provide API access and dashboard functionality
- Create and manage your account
- Process payments and manage your subscription
- Enforce rate limits and prevent abuse
- Respond to support requests
- Send service-related communications (account notifications, security alerts)
3.2 Analytics and improvement (Legal basis: Legitimate Interests)
- Understand how users interact with the API and website
- Identify and fix bugs and technical issues
- Improve features and develop new capabilities
We only process analytics data where our legitimate interests do not override your rights. You can object to this processing by contacting us.
3.3 Legal compliance (Legal basis: Legal Obligation)
- Comply with applicable laws and regulations
- Respond to valid legal requests (court orders, subpoenas)
- Protect our legal rights and prevent fraud
We do not sell, rent, or share your personal data with third parties for their marketing purposes. We do not use your data to train machine learning models.
4. Data Sharing and Transfers
4.1 Service providers (Article 28 GDPR)
We share data with third-party service providers who process data on our behalf under written contracts:
| Provider | Purpose | Location |
|---|---|---|
| Clerk | Authentication and user management | US |
| Stripe | Payment processing | US |
| Supabase (AWS) | Database hosting | US (us-east-1) |
| Vercel | Application hosting | US |
| Unkey | API key management | US |
| Cloudflare | DNS, CDN, and DDoS protection | US/EU |
| Google Analytics | Website usage analytics (anonymized) | US (with SCCs) |
| Tally | Opt-in forms | EU |
All processors are contractually required to:
- Process data only on our instructions
- Implement appropriate security measures
- Assist with GDPR compliance
- Delete or return data when no longer needed
4.2 Other disclosures
We may also share data in the following limited circumstances:
- Legal authorities: when required by law, subpoena, court order, or government investigation
- Business transfers: in the event of a merger, acquisition, or sale of assets, with advance notice to affected users
- With your consent: when you explicitly authorize us to share specific information
4.3 We do not
- Sell your personal data to third parties
- Share data with data brokers or marketing lists
- Use your data for advertising without consent
- Use automated decision-making with legal effects (Article 22 GDPR)
4.4 International transfers
Cubit is operated from the United States. If we transfer data outside the European Economic Area (EEA), we use one of the following safeguards as required by Article 46 GDPR:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions: transfers only to countries deemed adequate by the EU Commission
- Explicit consent: with your explicit consent for specific transfers
Current transfer mechanisms: we use AWS, Vercel, and Cloudflare infrastructure in the US with Standard Contractual Clauses. You can request a copy of the safeguards in place by contacting privacy@maidenlabs.org.
5. Data Retention
We retain your personal data only as long as necessary for the purposes outlined above or as required by law.
| Data type | Retention period | Reason |
|---|---|---|
| Account information | Until you delete your account | Service provision |
| API request logs | 90 days | Rate limiting, debugging, security |
| Technical/security logs | 90 days | Security and fraud prevention |
| Anonymized analytics | Indefinitely | Cannot identify you |
| Billing records | 7 years | Tax and accounting law |
| Support communications | 3 years after last contact | Legal compliance |
After deletion: when you delete your account or request data deletion, we will:
- Remove your personal data from active systems within 30 days
- Remove from backups within 90 days (during normal backup rotation)
- Retain anonymized, aggregated data that cannot identify you
6. Your Rights (Detailed)
The following rights apply to all users. Where GDPR applies, specific article references are noted.
6.1 Right of access (Article 15 GDPR)
You can request:
- Confirmation whether we process your data
- A copy of your personal data
- Information about how we process it
How to exercise: email privacy@maidenlabs.org with “Data Access Request” in the subject line. Response time: 30 days (may extend to 60 days if complex, with notification). Free of charge for the first request; we may charge a reasonable fee for excessive or repeat requests.
6.2 Right to rectification (Article 16 GDPR)
You can request correction of inaccurate data or completion of incomplete data. How to exercise: email privacy@maidenlabs.org. Response time: 30 days.
6.3 Right to erasure (Article 17 GDPR)
You can request deletion of your data when:
- The data is no longer necessary for its original purpose
- You withdraw consent (where consent was the legal basis)
- You object to processing (where legitimate interests was the basis)
- Data was processed unlawfully
Exceptions: we may retain data when required by law (e.g., tax records), necessary for legal claims, or for the exercise of freedom of expression. How to exercise: email privacy@maidenlabs.org. Response time: 30 days.
6.4 Right to restriction (Article 18 GDPR)
You can request that we limit processing when:
- You contest data accuracy (while we verify)
- Processing is unlawful but you do not want erasure
- We no longer need data but you need it for legal claims
- You have objected to processing (pending verification of our legitimate grounds)
6.5 Right to data portability (Article 20 GDPR)
You can receive your data in a structured, commonly used, machine-readable format (JSON or CSV) and transmit it to another controller. Applies when processing is based on consent or contract and processing is automated. How to exercise: email privacy@maidenlabs.org requesting “Data Export.” Response time: 30 days.
6.6 Right to object (Article 21 GDPR)
You can object to processing based on legitimate interests. We may continue processing if we demonstrate compelling legitimate grounds that override your interests. How to exercise: email privacy@maidenlabs.org with “Objection to Processing.”
6.7 Automated decision-making (Article 22 GDPR)
We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you. If this changes, we will update this notice and seek your explicit consent where required.
7. Security Measures (Article 32 GDPR)
Technical measures
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- API keys hashed and never stored in plaintext
- Access controls and authentication
- Infrastructure providers with SOC 2 certifications
- Regular software updates and patch management
- Monitoring and logging of access
Organizational measures
- Confidentiality agreements with employees and contractors
- Data minimization and privacy-by-design principles
- Regular review of data processing activities
- Incident response procedures
Data breach notification
If a breach poses a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours (Article 33 GDPR)
- Notify affected users without undue delay, and in any event within 30 days (Article 34 GDPR; Colorado C.R.S. 6-1-716)
- Provide information about the breach and steps taken to mitigate it
8. Cookies and Tracking Technologies
Cookies are small text files stored on your device that help websites remember information about your visit.
8.1 Essential cookies (no consent required)
Strictly necessary for the site to function:
| Cookie | Provider | Purpose | Duration |
|---|---|---|---|
| __session | Clerk | Authentication session token | Session |
| __client_uat | Clerk | Client session state | Session |
| __cf_bm | Cloudflare | Bot management | 30 min |
| cf_clearance | Cloudflare | Security challenge clearance | 30 min |
Legal basis: necessary for service provision (Article 6(1)(b) GDPR).
8.2 Analytics cookies (consent required)
Help us understand how users interact with the site:
| Cookie | Provider | Purpose | Duration |
|---|---|---|---|
| _ga | Google Analytics | Distinguish users | 2 years |
| _gid | Google Analytics | Distinguish users | 24 hours |
We have configured Google Analytics to anonymize IP addresses and not share data with Google for other purposes. Legal basis: Consent (Article 6(1)(a) GDPR). You can opt out via browser settings or the Google Analytics Opt-out Browser Add-on.
9. Children's Privacy
Cubit is not directed at individuals under 18 years of age. We do not knowingly collect personal data from anyone under 18. If we learn we have collected data from a minor, we will delete it promptly. If you are a parent or guardian and believe your child has provided us with personal data, contact privacy@maidenlabs.org.
10. Changes to This Notice
We may update this notice to reflect changes in our practices or legal requirements.
For material changes, we will:
- Notify you via email (if you have an account)
- Post a prominent notice on dashboard.maidenlabs.tools
- Update the “Last Updated” date
- Request renewed consent where required
For non-material changes, we will update the “Last Updated” date and post the updated version on the website.
11. Contact and Complaints
Data controller
Maiden Labs, Inc.
1005 36th Street, Boulder, CO 80303
privacy@maidenlabs.org
Supervisory authority
You have the right to lodge a complaint with a supervisory authority if you believe we have violated your data protection rights.
- EU: contact your national data protection authority (list of EU supervisory authorities)
- UK: Information Commissioner's Office (ico.org.uk)
We encourage you to contact us first so we can try to resolve your concern directly, but you have the right to contact the supervisory authority at any time.
12. Legitimate Interests Assessment
Where we rely on legitimate interests (Article 6(1)(f)), we have conducted balancing tests to ensure our interests do not override your rights. Documentation is available upon request.
Examples of legitimate interests:
- Detecting and preventing fraud and abuse
- Improving service security and reliability
- Understanding product usage to improve features
- Enforcing API rate limits
You can object to processing based on legitimate interests at any time.