Record of Processing Activities
This is LevelSixLabs's Record of Processing Activities (RoPA), maintained under Article 30 of the UK GDPR. It documents the personal data we process, the purposes, legal bases, recipients, and retention periods.
1. Controller and contact details
| Field | Detail |
|---|---|
| Organisation | LevelSixLabs Ltd |
| Registered in | Scotland, United Kingdom |
| Role | Processor on behalf of customer organisations; Controller for its own account, billing and marketing data |
| Data protection contact | privacy@levelsixlabs.com |
| ICO registration | Registered as a data controller (UK GDPR fee payer) |
2. Processing activities
The following table summarises each processing activity, its purpose, and legal basis.
| Activity | Purpose | Legal basis |
|---|---|---|
| Account & authentication | Create and secure user accounts, sign-in, sessions | Contract |
| Platform operation | Store and display lab data: chemicals, equipment, bookings, training, waste, assets | Contract |
| Booking & training enforcement | Manage equipment/room bookings and training-gated access | Contract |
| Notifications & automations | Expiry alerts, service reminders, booking confirmations, digests | Contract / legitimate interests |
| Billing | Process subscriptions and invoices via Stripe | Contract / legal obligation |
| Audit logging | Record significant actions for security and accountability | Legitimate interests |
| AI label scanning (optional) | Extract chemical label details from an uploaded image when explicitly used | Consent / contract |
| Marketing & onboarding email | Welcome sequence, product updates to account holders | Legitimate interests (with opt-out) |
| Support | Respond to enquiries and support requests | Legitimate interests |
3. Categories of data subjects and personal data
Categories of data subjects:
- Customer staff and lab managers (account users)
- Students and researchers using a customer's lab
- Contractors and external engineers (service records, fault reports)
- Visitors signed into the visitor log
- Billing and procurement contacts
Categories of personal data processed:
- Identity & contact: name, email address, job role/title, organisation
- Account: hashed credentials (managed by Supabase Auth), role and permissions, last sign-in
- Activity: bookings, training records, fault reports, audit log entries, waste records logged by a user
- Visitor log: visitor name, organisation, host, sign-in/out times
- Billing: billing contact name and email, organisation name, payment metadata (card data handled solely by Stripe)
No special category data is intentionally collected. The platform is not designed to store health, biometric, or other Article 9 data.
4. Recipients and sub-processors
Personal data may be shared with the following categories of recipients, all acting as sub-processors under contract:
| Recipient | Purpose | Location |
|---|---|---|
| Supabase, Inc. | Database, authentication, file storage | EU West (London) |
| Vercel, Inc. | Hosting, CDN, edge functions | US / EU edge |
| Stripe, Inc. | Payments and subscriptions | US / EU |
| Resend, Inc. | Transactional & notification email | US |
| Anthropic, PBC | Optional AI label scanning | US |
The current list is maintained on the Subprocessors page.
5. International transfers
Primary customer data is stored in the EU West (London) region. Where sub-processors process data outside the UK/EEA (US-based hosting edge, payments, email, or optional AI processing), transfers rely on an appropriate UK GDPR transfer mechanism — the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or an adequacy decision.
6. Retention periods
| Data | Retention |
|---|---|
| Account & platform data | For the life of the subscription; deleted or returned within 30 days of termination |
| Audit log | 12 months |
| Billing records | Retained as required by UK statutory accounting obligations (typically 6 years) |
| AI label scan images | Processed transiently for extraction; not retained beyond the request by LevelSixLabs |
| Marketing email contacts | Until the account closes or the contact opts out |
| Support correspondence | Up to 24 months after resolution |
7. Security measures
A general description of the technical and organisational security measures applied:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Row-Level Security enforcing per-organisation isolation
- Role-based access control and least-privilege permissions
- Private storage with short-lived signed URLs
- Security headers and breach-response process
- Audit logging of significant actions
See the Security Overview for detail.
8. Review
This Record of Processing Activities is reviewed at least annually and whenever a material change to processing occurs (for example, a new feature, sub-processor, or data category). Questions can be directed to privacy@levelsixlabs.com.