Privacy Policy

Effective date: 20 February 2026 · Lab81 Ltd trading as MerakiGuard

1. Introduction

Lab81 Ltd, trading as MerakiGuard ("we", "us", "our"), is the data controller responsible for your personal data. We are committed to protecting your privacy and handling your data transparently and in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and what rights you have in relation to your data when you use the MerakiGuard platform and website (the "Service").

If you have any questions about this policy or our data practices, you can contact us at hello@lab81.io.

2. Data Controller

The data controller for the purposes of the UK GDPR is:

Lab81 Ltd (trading as MerakiGuard)
Email: hello@lab81.io

3. Data We Collect

We collect and process the following categories of data:

3.1 Account Information

  • Name — provided during registration
  • Email address — used for account authentication, notifications, and communication
  • Password — stored as a one-way cryptographic hash (bcrypt); we never store your password in plaintext

3.2 Meraki API Keys

  • Cisco Meraki Dashboard API keys — encrypted at rest using Fernet symmetric encryption. Keys are only decrypted momentarily during scan operations to authenticate with the Meraki Dashboard API. We never store API keys in plaintext.

3.3 Network Configuration Data

  • Network configuration snapshots — retrieved from the Cisco Meraki Dashboard API during compliance scans, including device settings, firewall rules, SSID configurations, switching policies, and admin access settings
  • Compliance scan results — scores, pass/fail outcomes, evidence data, and remediation details generated by our compliance engine

3.4 Billing Information

  • Stripe customer ID and subscription ID — used to manage your subscription and payment history
  • We do not store your credit card number, CVV, or full payment card details. All payment processing is handled directly by Stripe.

3.5 Technical Data

  • IP address, browser type, and device information collected automatically when you access the Service
  • Server logs for security monitoring and debugging purposes

4. How We Use Your Data

We use the data we collect for the following purposes:

| Purpose | Legal Basis (UK GDPR) |
|---|---|
| Providing and operating the Service | Performance of a contract (Art. 6(1)(b)) |
| Account authentication and security | Performance of a contract (Art. 6(1)(b)) |
| Running compliance scans and generating reports | Performance of a contract (Art. 6(1)(b)) |
| Processing subscription payments via Stripe | Performance of a contract (Art. 6(1)(b)) |
| Sending transactional emails (scan alerts, drift notifications, account notices) | Performance of a contract (Art. 6(1)(b)) |
| Security monitoring and fraud prevention | Legitimate interest (Art. 6(1)(f)) |
| Improving and developing the Service | Legitimate interest (Art. 6(1)(f)) |
| Responding to your support enquiries | Legitimate interest (Art. 6(1)(f)) |
| Complying with legal obligations | Legal obligation (Art. 6(1)(c)) |

5. Third-Party Data Processors

We share your data with the following third-party processors, each of whom processes data on our behalf and under our instructions:

5.1 Stripe

Purpose: Payment processing, subscription management, and billing.
Data shared: Email address, Stripe customer ID, subscription details, payment method tokens.
Privacy policy: stripe.com/privacy

5.2 SendGrid (Twilio)

Purpose: Transactional email delivery (account notifications, compliance alerts, drift warnings).
Data shared: Email address, name (for personalisation).
Privacy policy: twilio.com/legal/privacy

5.3 No Data Sales

We do not sell, rent, or trade your personal data to any third parties. We do not share your data with any third parties for their own marketing purposes.

6. Data Retention

  • Account data (name, email, hashed password) — retained for as long as your account remains active
  • Meraki API keys (encrypted) — retained while the associated organisation is active in your account; deleted when you remove the organisation or close your account
  • Network configuration snapshots and scan results — retained while your account is active to provide compliance trend analysis and drift detection
  • Billing data (Stripe IDs) — retained as required for financial record-keeping obligations under applicable law
  • Server logs — retained for up to 90 days for security and debugging purposes

When you close your account or request data deletion, we will delete or anonymise your personal data within 30 days, except where we are required by law to retain certain records.

7. Data Security

We implement appropriate technical and organisational measures to protect your data, including:

  • Fernet symmetric encryption for Meraki API keys at rest
  • Bcrypt hashing for passwords (never stored in plaintext)
  • HTTPS/TLS encryption for all data in transit
  • JWT-based authentication with token expiration
  • Row-level data isolation between user accounts
  • Regular security reviews and updates

While we take reasonable precautions to protect your data, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.

8. Cookies and Tracking

MerakiGuard uses minimal cookies:

  • Authentication token (JWT) — a session cookie used to keep you signed in to the Service. This is a strictly necessary cookie required for the Service to function.

We do not use:

  • Third-party tracking cookies
  • Analytics cookies (Google Analytics, etc.)
  • Advertising or remarketing cookies
  • Social media tracking pixels

Because we only use strictly necessary cookies, no cookie consent banner is required under the Privacy and Electronic Communications Regulations (PECR).

9. Your Rights Under UK GDPR

Under the UK General Data Protection Regulation, you have the following rights regarding your personal data:

9.1 Right of Access

You have the right to request a copy of the personal data we hold about you. We will respond within one month of receiving your request.

9.2 Right to Rectification

You have the right to request correction of any inaccurate or incomplete personal data we hold about you. You can update most account information directly through the Service.

9.3 Right to Erasure

You have the right to request deletion of your personal data. You can delete your account through the Service, or contact us to request erasure. We will comply within 30 days, subject to any legal retention obligations.

9.4 Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format (e.g., JSON or CSV), and to transmit that data to another controller.

9.5 Right to Restrict Processing

You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or object to processing.

9.6 Right to Object

You have the right to object to processing of your personal data where we rely on legitimate interest as our legal basis. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.

9.7 Right to Withdraw Consent

Where we process data based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

Exercising Your Rights

To exercise any of these rights, please contact us at hello@lab81.io. We will respond to your request within one month. If your request is complex, we may extend this by a further two months, in which case we will inform you within the initial one-month period.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection, at ico.org.uk.

10. International Data Transfers

Your data is primarily processed and stored within the United Kingdom and European Economic Area. Where any of our third-party processors transfer data outside the UK/EEA, they do so under appropriate safeguards as required by the UK GDPR, including Standard Contractual Clauses or adequacy decisions.

11. Children's Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 18, we will take steps to delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the Service. If we make material changes, we will notify you by email or by posting a prominent notice on the Service at least 30 days before the changes take effect.

We encourage you to review this policy periodically. The "Effective date" at the top of this page indicates when this policy was last updated.

13. Contact Us

If you have any questions about this Privacy Policy, our data practices, or wish to exercise your rights, please contact us:

Lab81 Ltd (trading as MerakiGuard)
Email: hello@lab81.io

© 2026 MerakiGuard. All rights reserved. Lab81 Ltd.