This Privacy Policy explains how Ergon Labs LLC (“Ergon Labs,” “we,” “us,” or “our”) collects, uses, discloses, retains, and protects information in connection with our website at ergonlabs.co (the “Site”), our client dashboard (the “Dashboard”), and the AI automation services we provide to businesses (collectively, the “Services”).
Ergon Labs is a New York-based AI automation agency. We design, build, and maintain custom automation systems for small and mid-size businesses. We are a services business, not a software subscription or a consumer product. Our Services are directed to businesses and the professionals who represent them.
We take privacy seriously and have designed our Services to collect only the information we need to do our work well. If you have any questions about this Policy or our practices, contact us at ergonlabsllc@gmail.com.
Privacy at a glance
This summary is provided for convenience and does not replace the full Policy below.
| Question | Short answer |
| --- | --- |
| Who is this for? | Businesses and their representatives — clients, prospective clients, and visitors to our Site. Our Services are not directed to consumers or children. |
| What do we collect? | Business contact details, account credentials, engagement and workflow data you share with us, communications, limited technical/usage data, and billing details. |
| Do you sell my data? | No. We do not sell, rent, or broker personal information, and we do not share it for cross-context behavioral advertising. |
| Do you use my data to train AI models? | No. We do not use client data to train, fine-tune, or improve AI models. |
| Do you track me across the web? | No. We use only essential cookies on the Dashboard and do not run third-party advertising or cross-site tracking on our Site. |
| Where is my data stored? | With U.S.-based service providers. We are a U.S. business serving U.S. clients. |
| What are my rights? | You may request access, correction, deletion, and a portable copy of your data, and you may object to certain uses. See your privacy rights. |
| How do I reach you? | Email ergonlabsllc@gmail.com. See Contact us. |
1. Scope of this Policy
This Policy applies to information we process as a business (“controller”) — that is, information we collect and determine how to use for our own purposes, such as running our Site, managing client accounts, billing, and communicating with you.
Data we process on behalf of clients (“processor” data). When we build and operate automation workflows for a client, we may process data that belongs to or is controlled by that client, including information about the client’s own customers, contacts, or business records. We handle that data only as directed by the client and as described in the applicable Statement of Work (“SOW”) or services agreement. For that data, the client is the party responsible for providing privacy notices to, and obtaining any necessary consents from, the individuals concerned. This Policy governs our own practices; it does not replace a client’s own privacy policy.
This Policy does not apply to:
Third-party websites, platforms, or services we link to or integrate with, which are governed by their own privacy policies; or
Information practices of our clients with respect to their own end users.
2. Information we collect
We collect information in three ways: information you provide to us, information we collect automatically, and information we receive from third parties.
2.1 Information you provide
Contact and identity information — name, email address, phone number, company name, job title, and business type submitted through our contact form, scheduling tools, email, or a Statement of Work.
Account credentials — the email address associated with your Dashboard account and the authentication tokens generated to access it. We never store passwords in plaintext, and we do not store your password ourselves — authentication is handled through secure, hashed credentials by our infrastructure provider.
Business and engagement data — information you share with us during an engagement, including process documentation, workflow configurations, business rules, sample records, and the deliverables we exchange with you.
Integration credentials — API keys, access tokens, or account credentials for third-party platforms that you authorize us to connect to in order to build your workflows. We store these securely and use them only to operate the workflows described in your SOW.
Communications — emails, messages, request submissions, comments, notes, and support inquiries you exchange with us before, during, or after an engagement.
Payment and billing information — billing name, billing address, and the payment method details required to process payment. Card and bank account details are collected and processed by our payment processor (Stripe); Ergon Labs does not store full card numbers or full bank account numbers on its own infrastructure.
2.2 Information we collect automatically
Usage data — pages and features accessed within the Dashboard, actions taken, and request timestamps.
Technical and log data — IP address, browser type and version, device and operating system information, referring pages, and diagnostic/error events captured by our monitoring infrastructure.
Cookies and similar technologies — see Cookies and tracking technologies.
2.3 Information we receive from third parties
Scheduling data — appointment details (name, email, selected time, and any information you enter in the booking form) collected when you book a discovery or project call through our scheduling provider (Cal.com).
Payment status — confirmations, receipts, and payment status from Stripe.
Electronic signature data — records confirming that a document (such as an SOW) was viewed and signed, provided by our electronic-signature provider.
2.4 Information we do not collect
Protected Health Information (“PHI”) as defined under HIPAA. Our infrastructure is not designed to store PHI. Engagements involving healthcare clients are scoped so that PHI remains within client-controlled systems at all times.
Sensitive personal information such as government identifiers, financial account credentials beyond what is needed for billing, precise geolocation, biometric data, or information about racial or ethnic origin, health, sexual orientation, religious beliefs, or union membership. We do not intentionally collect these categories, and we ask that you not send them to us.
Information from children. Our Services are directed exclusively to businesses and professionals. We do not knowingly collect information from anyone under 18. See Children’s privacy.
3. How we use information
We use the information we collect for the following business purposes:
To deliver the Services — designing, building, configuring, testing, deploying, and maintaining the automation workflows described in a Statement of Work.
To manage accounts — creating and maintaining Dashboard access, sending magic-link invitations, and managing the team members within a client account.
To communicate with you — responding to inquiries, sending project updates, invoices, retainer reports, system notifications, and support responses.
To bill and get paid — generating invoices, processing payments through Stripe, and maintaining the financial records required by law.
To provide support — triaging and resolving requests submitted through the Dashboard.
To operate securely and reliably — authenticating users, preventing and detecting fraud and abuse, monitoring for and diagnosing errors, backing up data, and maintaining the integrity and availability of our Services.
To improve our Services — understanding how our Dashboard is used, in aggregate, so we can make it more useful. We do not use identifiable client data for this purpose beyond what is necessary to operate and support the Services.
To comply with law and enforce our agreements — meeting our legal, tax, and accounting obligations, responding to lawful requests, and enforcing our Terms of Service.
We do not use client data to train, fine-tune, or improve AI models; sell advertising; or use your information for any purpose incompatible with those described above or in your SOW.
Where applicable law (for example, in jurisdictions that require a “legal basis”) requires it, we rely on the following bases to process personal information: performance of a contract with you; our legitimate business interests in operating and securing our Services; compliance with legal obligations; and, where required, your consent.
4. How we use AI and automated processing
AI is central to what we build. To be clear about how it works within our Services:
AI providers. We use large language models from Anthropic (Claude) as our primary AI provider, and Google (Gemini) as a fallback. Content sent to these providers for processing within a workflow or feature is handled under their enterprise/API terms, which prohibit using that content to train their models.
No model training on your data. We do not use client data, engagement data, or any personal information to train, fine-tune, or otherwise develop AI models — ours or anyone else’s.
Human oversight. The Services do not make decisions that produce legal or similarly significant effects about an individual through solely automated processing without human involvement. Automation workflows we build are tools operated by and for our clients; the client remains responsible for how those tools are configured and used.
AI limitations. AI outputs can be inaccurate or inconsistent. We test workflows before delivery, but AI-generated output should be reviewed by a human where accuracy matters.
5. Cookies and tracking technologies
Dashboard (essential cookies only). We use httpOnly, Secure, SameSite=Lax session cookies to authenticate users on the Dashboard. These cookies are strictly necessary to operate the Service and keep you signed in; they cannot be disabled while using the Dashboard. They are not used for advertising.
Marketing Site. We do not use third-party advertising cookies, marketing pixels, or cross-site tracking tools on ergonlabs.co. We do not run third-party analytics that profile you across websites.
Server logs. We collect basic server-side request logs (IP address, user agent, requested path, and timestamp) for security and operational purposes. These logs are retained for 90 days and then deleted or anonymized.
Do Not Track. We honor “Do Not Track” browser signals on our Site and do not engage in cross-site behavioral tracking. Because we do not track you across sites, no additional action is required to opt out.
If we introduce any non-essential analytics or cookies in the future, we will update this Policy and, where required, present a cookie choice or consent banner before they take effect.
6. How we share and disclose information
We do not sell, rent, or broker personal information, and we do not “share” it for cross-context behavioral advertising (as those terms are defined under U.S. state privacy laws). We disclose information only in the following circumstances:
Service providers (sub-processors). We share information with vetted third-party vendors that perform services on our behalf — such as hosting, payment processing, transactional email, appointment scheduling, electronic signatures, error monitoring, and AI model inference. These vendors are contractually limited to using the information only to provide services to us and are prohibited from using it for their own purposes. See Sub-processors for the current list.
At your direction. We disclose information to third-party platforms when you instruct us to connect your workflows to them.
Legal and safety. We may disclose information if we believe in good faith it is required by law, regulation, subpoena, court order, or other legal process, or where necessary to protect the rights, property, or safety of Ergon Labs, our clients, or others. Where we are legally permitted to do so, we will make reasonable efforts to notify the affected client before disclosing.
Business transfers. If Ergon Labs is involved in a merger, acquisition, financing, reorganization, or sale of all or part of its assets, information may be transferred as part of that transaction. We will notify affected clients before their information becomes subject to a materially different privacy policy.
With consent. We may share information for any other purpose disclosed to you at the time, with your consent.
7. Sub-processors
We rely on the following third-party service providers (“sub-processors”) to operate our Services. Each is bound by contractual confidentiality and data-protection obligations. Data is processed with U.S.-based providers.
| Sub-processor | Purpose | Data handled |
| --- | --- | --- |
| Supabase | Database, authentication, and file storage | Account data, engagement records, hashed credentials, uploaded attachments |
| Vercel | Hosting and content delivery for the Site and Dashboard | Request metadata, content served |
| Railway | Hosting for our application/API and background jobs | Engagement and operational data |
| Stripe | Payment processing | Billing contact and tokenized payment method; transaction records |
| Resend | Transactional email delivery | Name, email address, and message content |
| Cal.com | Appointment scheduling | Name, email address, and appointment details |
| Electronic signature provider | Signing of Statements of Work and related documents | Name, email address, and signed documents |
| Anthropic | Primary AI model inference (Claude) | Content submitted for processing within a workflow or feature; not used to train models |
| Google | Fallback AI model inference (Gemini) | Content submitted for processing within a workflow or feature; not used to train models |
| Sentry | Application error monitoring | Technical/diagnostic logs, configured to redact personal information |
We may add or change sub-processors as our Services evolve. When we do, we will update this list. For the current list of sub-processors at any time, or to receive notice of changes, contact ergonlabsllc@gmail.com.
8. Data retention
We keep information only as long as necessary for the purposes described in this Policy, after which we delete or anonymize it. Our standard retention periods are:
Active client accounts — retained for the duration of the engagement and for seven (7) years after the final invoice, consistent with New York business-record and tax requirements.
Inactive accounts — accounts with no active engagement are scheduled for deletion after two (2) years of inactivity. We provide thirty (30) days' advance notice before deletion.
Server and operational logs — retained for 90 days.
Payment and financial records — retained for seven (7) years to meet New York tax and business-record requirements.
Prospect and contact-form data — retained for as long as needed to respond to your inquiry and for a reasonable period thereafter, unless you ask us to delete it sooner.
When we are required to retain certain records to meet legal obligations (for example, invoices for tax purposes), we retain the minimum necessary and delete or anonymize the rest. See Your privacy rights for how legal-retention obligations interact with deletion requests.
9. How we protect information
We implement administrative, technical, and organizational safeguards appropriate to the sensitivity of the information we handle, including:
Encryption in transit — all traffic between you and our Services is encrypted using TLS.
Encryption at rest — data stored with our infrastructure providers is encrypted at rest.
Row-level security — each client organization can access only its own data; cross-organization access is prevented at the database layer, not just in the application.
Secure authentication — session tokens are stored in httpOnly cookies that are never accessible to browser-side JavaScript; passwords are never stored in plaintext.
Access controls — access to Dashboard data is limited to authenticated users with a verified role, and every API endpoint enforces authorization at both the application and database layers. Administrative access is limited to the founders on a need-to-know basis.
Error-monitoring hygiene — our error-monitoring tooling is configured to redact personal information from diagnostic reports.
No method of transmission or storage is completely secure, and we cannot guarantee absolute security. In the event of a data breach that materially affects your information, we will notify affected clients within seventy-two (72) hours of discovery where technically feasible, and we will cooperate with any legally required regulatory notifications.
10. Your privacy rights and choices
Regardless of where you are located, we offer the following rights with respect to the personal information we hold about you or your organization:
Access — request confirmation of whether we process your information and a copy of it.
Correction — request that we correct inaccurate or incomplete information.
Deletion — request that we delete your account and associated personal information, subject to legal-retention obligations described in Data retention.
Portability — receive a copy of your business data in a structured, commonly used, machine-readable format (we provide JSON or CSV).
Objection / restriction — object to or ask us to restrict certain processing of your information.
How to exercise your rights
Send a written request to ergonlabsllc@gmail.com identifying yourself and describing your request. To protect your information, we will verify your identity before acting — typically by confirming you control the email address on file and, for organizational requests, that you are the account owner or billing contact of record.
Acknowledgment: We will acknowledge your request within five (5) business days.
Completion: We will complete verified requests within thirty (30) days. If we need more time or additional information, we will tell you.
No fee / no retaliation: We do not charge a fee for a first, reasonable request, and we will not deny you services, charge different prices, or provide a different level of service because you exercised your rights.
Because we operate on a small team, data access, export, and deletion are handled through a documented manual process rather than a self-serve button. This is by design, so that the rights we promise are actually honored and verified.
11. Your U.S. state privacy rights
Some U.S. states grant residents additional rights. We honor these rights to the extent they apply to us. Note that many state laws exclude information collected in a purely business-to-business or employment context, and thresholds for coverage may not apply to a business of our size — but we extend the core rights below regardless.
11.1 California (CCPA/CPRA)
If you are a California resident, you have the right to know, access, correct, delete, and obtain a portable copy of your personal information, and to limit the use of sensitive personal information. In the 12 months preceding the effective date of this Policy, we collected the categories of personal information described in Information we collect — namely identifiers, contact and commercial information, internet/network activity (technical and usage data), and professional/employment information — for the business purposes described in How we use information.
We do not sell your personal information, and we do not share it for cross-context behavioral advertising. We have not done so in the preceding 12 months, including with respect to minors under 16.
Sensitive personal information. We do not collect or use sensitive personal information for purposes that would give rise to a right to limit its use.
Sources and recipients. We collect information from the sources in Information we collect and disclose it for business purposes only to the sub-processors listed in Sub-processors.
Non-discrimination. We will not discriminate against you for exercising your rights.
Authorized agents. You may use an authorized agent to submit a request; we may require proof of authorization and verification of your identity.
To exercise these rights, contact ergonlabsllc@gmail.com.
11.2 Other U.S. states
Residents of states with comprehensive privacy laws — including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and others as such laws take effect — may have rights to access, correct, delete, and obtain a portable copy of their personal data, and to opt out of targeted advertising, the sale of personal data, and certain profiling. Because we do not sell personal data, engage in targeted advertising, or conduct profiling that produces legal or similarly significant effects, most opt-out rights do not apply to our processing.
Appeals. If we decline to act on your request and your state grants an appeal right, you may appeal by replying to our decision at ergonlabsllc@gmail.com. We will respond to appeals within the timeframe required by your state’s law. If your appeal is denied, you may contact your state Attorney General.
12. Data storage and international transfers
Ergon Labs is a U.S. business, and our Services are directed to clients and their representatives in the United States. Personal information is stored and processed with U.S.-based service providers. We do not intend our Services for individuals located in the European Economic Area, the United Kingdom, or other regions with data-transfer restrictions. If you access the Services from outside the United States, you understand that your information will be processed in the United States, where data-protection laws may differ from those in your location.
13. Children’s privacy
Our Services are designed for and directed exclusively to businesses and the professionals who represent them. We do not knowingly collect personal information from individuals under the age of eighteen (18). If we learn that we have inadvertently collected information from a minor, we will delete it promptly. If you believe a minor has provided us with personal information, contact ergonlabsllc@gmail.com.
14. Third-party links and services
Our Site and workflows may link to or integrate with third-party websites, platforms, and services (for example, scheduling embeds, payment pages, and the tools we connect to on a client’s behalf). We are not responsible for the privacy practices or content of those third parties. Information you provide to them is governed by their own privacy policies, and we encourage you to review them. Clients are responsible for reviewing and accepting the terms of any third-party platform used in their workflows.
15. Changes to this Policy
We may update this Policy to reflect changes in our practices, Services, or applicable law. For material changes, we will provide at least thirty (30) days' advance notice by email to clients before the updated Policy takes effect. Non-material clarifications or formatting changes may take effect immediately and will be reflected in the “Last updated” date at the top of this page. Your continued use of the Services after the effective date of a change constitutes acceptance of the updated Policy. We encourage you to review this Policy periodically.
16. How to contact us
Questions, concerns, or requests regarding this Privacy Policy or your information should be directed to:
Ergon Labs LLC
4 Redbud Court
Miller Place, NY 11764
United States
Email: ergonlabsllc@gmail.com
Website: ergonlabs.co
We will do our best to resolve any privacy concern you raise directly with us.