Privacy Policy

Last updated: 29 March 2026

FiorLab Limited ("FiorLab", "we", "our", "us"), a company registered in Ireland (CRO 813471), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our supplier risk intelligence platform at app.fiorlab.com and our website at fiorlab.com (collectively, the "Service").

1. Data Controller

FiorLab is the data controller for personal data processed through the Service. Our registered address is Dublin, Ireland. For data protection enquiries, contact us at privacy@fiorlab.com.

2. Information We Collect

We collect the following categories of information:

• Account Information: Name, email address, company name, role, and industry when you register for an account.
• Supplier Assessment Data: Financial metrics, compliance certifications, sustainability scores, delivery performance, quality management data, innovation metrics, and (where applicable) GxP pharmaceutical compliance data including supplier qualification records, CAPA documentation, and batch documentation submitted during onboarding and assessments.
• Usage Data: Pages visited, features used, timestamps, browser type, and IP address collected automatically through server logs.
• Communication Data: Email correspondence and support requests.
• Contract and RFP Data: Documents, proposals, and contract details uploaded or created within the platform.

3. Legal Basis for Processing (GDPR)

We process your personal data under the following legal bases:

• Contract Performance: Processing necessary to provide the Service you have signed up for.
• Legitimate Interest: Analytics, security monitoring, and service improvement.
• Legal Obligation: Compliance with applicable laws and regulatory requirements.
• Consent: Marketing communications, which you can opt out of at any time.

4. How We Use Your Information

We use collected information to: provide and maintain the Service; calculate supplier risk scores and compliance assessments; generate reports and analytics; send transactional emails (assessment results, contract notifications, invitations); improve the Service; respond to support requests; and comply with legal obligations.

5. Data Storage and Security

Your data is stored on Google Cloud Platform (Firebase/Firestore) infrastructure within the European Union. All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Our infrastructure provider maintains ISO 27001, SOC 1/2/3, and other certifications. Access to production data is restricted to authorised personnel on a need-to-know basis.

6. Data Sharing and Third Parties

We do not sell your personal data. We share data only with:

• Infrastructure Providers: Google Cloud Platform (Firebase) for data storage and authentication.
• Email Provider: Resend for transactional email delivery.
• Hosting Providers: Vercel (application hosting) and Netlify (marketing site hosting).
• Payment Processor: Stripe for subscription billing and payment processing. Stripe processes payment data under its own privacy policy.

All third-party processors are bound by data processing agreements and process data only on our instructions.

7. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Service. Assessment data and audit logs are retained for a minimum of 7 years to meet regulatory requirements for financial services and pharmaceutical (GxP) industries. You may request deletion of your account and associated data at any time, subject to legal retention requirements.

8. Your Rights (GDPR)

Under the General Data Protection Regulation, you have the right to:

• Access: Request a copy of the personal data we hold about you.
• Rectification: Request correction of inaccurate personal data.
• Erasure: Request deletion of your personal data ("right to be forgotten").
• Restriction: Request restriction of processing of your personal data.
• Portability: Request transfer of your data in a structured, machine-readable format.
• Objection: Object to processing based on legitimate interests.
• Withdraw Consent: Where processing is based on consent, withdraw at any time.

To exercise any of these rights, contact privacy@fiorlab.com. We will respond within 30 days.

9. International Data Transfers

Where data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, or adequacy decisions.

10. Cookies

We use essential cookies required for authentication and session management. We do not use advertising or tracking cookies. We use Sentry for error monitoring to maintain platform reliability. Analytics data is collected server-side without third-party tracking scripts. You can manage cookie preferences through your browser settings.

11. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and notify affected users without undue delay, in accordance with GDPR Article 33. We maintain incident response procedures to detect, report, and investigate security incidents promptly.

12. Children's Privacy

The Service is a business platform not directed to individuals under 18. We do not knowingly collect personal data from children.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes via email at least 30 days before they take effect. The "Last updated" date at the top of this page indicates when the policy was last revised.

14. Contact Us

For any questions about this Privacy Policy or our data practices:

FiorLab Limited
CRO Number: pending
Dublin, Ireland
Email: privacy@fiorlab.com
General: hello@fiorlab.com

15. Supervisory Authority

If you are unsatisfied with our handling of your data, you have the right to lodge a complaint with the Data Protection Commission (DPC) of Ireland at dataprotection.ie.