Serena Labs


Privacy Policy.

Last updated: 2026-05-25

This Privacy Policy describes how Serena Labs ("we," "us," "our") collects, uses, and shares information when you visit or interact with our website at serenalabs.io and our authenticated application at serenalabs.io/app.

We comply with the EU General Data Protection Regulation (GDPR — Regulation 2016/679) and the Spanish Organic Law 3/2018 on the Protection of Personal Data and the Guarantee of Digital Rights (LOPDGDD).

1. Data Controller

The data controller for personal data collected through our Services is Serena Labs. Address: Carrer de Sant Antoni Maria Claret, 167, Horta-Guinardó, 08025 Barcelona, Spain. Email: hello@serenalabs.io.

2. What Data We Collect

Information you provide via contact / newsletter forms: name, email, company, role, segment, country, message, language preference.

Information you provide when creating an account:

  • Sign-in via LinkedIn (default for self-serve signup): when you authenticate with LinkedIn we receive, through OpenID Connect, your verified email address, first name, last name, profile picture URL and locale. We do not access your LinkedIn connections, posts, messages, or any other private content.
  • Sign-in via email (invitation-only): when an admin invites you, we receive only the email address used to deliver the one-time sign-in code.
  • Profile completion: company, job title, industry segment, country, language preference, optional work email (overrides the LinkedIn personal address for our follow-ups), optional mobile phone number, and your acceptance of these Terms and this Privacy Policy.

Information generated when you use the simulators (/app/tools): every scenario you save — the inputs you enter (channel mix, conversion rates, episode volume, ARPU, etc.) and the computed outputs — is stored against your account in our user_simulations table. These inputs may reveal commercial information about your organization; we treat them as confidential business data and protect them with row-level security so only you (and Serena Labs admins for support) can read them.

Information collected automatically: anonymized IP, browser type, OS, referring URL, pages visited, timestamps. Cookies are described in our Cookie Policy.

Information we do not collect through this website:

  • Special categories of personal data (e.g., clinical health data, biometric data — these may be processed only inside our separate Executive Health Companion product under its own privacy notice).
  • Data from children under 16.

3. Legal Basis (GDPR Art. 6)

  • Consent: marketing communications, optional analytics cookies, newsletter subscription, optional fields in your profile (work email, phone, marketing opt-in).
  • Contract performance: account creation and authentication, persistence of simulator scenarios and account preferences, responding to contact-form inquiries, delivering content you sign up for.
  • Legitimate interest: site and account security, fraud and abuse prevention, debugging, service improvement.

4. Retention

  • User account, profile and saved simulator scenarios: kept while your account is active. You can delete your account at any time from /app/profile (right of erasure, GDPR Art. 17); deletion cascades to every related record (profile, simulator scenarios, consent log) within seconds.
  • Consent log entries: append-only record of when you accepted the Terms and this Privacy Policy; retained for the lifetime of the account as proof of consent.
  • Contact-form submissions: 3 years from last interaction.
  • Newsletter subscribers: until unsubscribed.
  • Analytics: anonymized per provider policy.

5. Sharing and Sub-processors

We do not sell your data and we do not share it with advertisers. We use the following processors under written data-processing agreements:

  • Supabase (PostgreSQL hosting + authentication, EU region) — user accounts, profiles, simulator scenarios and the consent log.
  • Vercel (web hosting, EU region) — serves the site and the application.
  • Resend (transactional email) — sends sign-in codes and operational notifications.
  • PostHog (analytics, EU instance, only with your consent) — anonymized product analytics.
  • Google LLC / Google Ireland Limited (Google Analytics 4, only with your consent) — anonymized site analytics. We load GA with Consent Mode v2 set to "denied" by default; identifiers are only set after you opt in. International transfers are covered by Google's standard Data Processing Addendum and Standard Contractual Clauses.

Identity providers: when you choose to sign in with LinkedIn, LinkedIn Ireland Unlimited Company acts as an independent OpenID Connect identity provider. LinkedIn authenticates you and returns to us only the claims listed in §2. Use of LinkedIn for sign-in is governed by LinkedIn's own privacy policy and terms — we do not share back to LinkedIn any information about how you use Serena Labs.

6. International Transfers

Data is processed and stored in the EU/EEA by default. Where any sub-processor processes data outside the EU/EEA, the transfer is protected by Standard Contractual Clauses (SCCs) approved by the European Commission.

7. Your Rights (GDPR Arts. 15-22)

You have the right to access, rectify, erase ("right to be forgotten"), restrict and port your personal data, to object to processing, to refuse decisions based solely on automated processing, and to withdraw your consent at any time without affecting the lawfulness of processing before the withdrawal.

To exercise any of these rights, write to hello@serenalabs.io. We respond within 30 days. You may also lodge a complaint with the Spanish Data Protection Agency (AEPD — aepd.es).

You can also self-serve the right to erasure directly from /app/profile → "Delete my account".

8. Security

  • Encryption in transit (TLS 1.2+) and at rest.
  • Database row-level security gates every read and write to your account-scoped data.
  • Service-role access is restricted to a small set of audited operations.
  • Regular dependency and configuration assessments.
  • Principle of data minimization.

9. Cookies

Detailed in our Cookie Policy.

10. Changes

We may update this Policy. Material changes are posted on this page with an updated "Last updated" date and, where the change affects your rights, communicated by email to active account holders.

11. Contact

hello@serenalabs.io · Health Hub Barcelona, Carrer de Sant Antoni Maria Claret, 167, Horta-Guinardó, 08025 Barcelona, Spain.
