Privacy Policy

Last updated: 22 April 2026

Version: privacy-v2.0-2026-04-22

Last Updated: 22 April 2026

1. INTRODUCTION

L4 Labs Limited ("we," "us," or "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, and share information about you when you use our product, Ramsai, and our website (https://l4labs.com/ramsai). This policy is drafted in compliance with the EU General Data Protection Regulation (EU GDPR) and the Irish Data Protection Act 2018. Where applicable to UK-based users, the UK GDPR and the UK Data Protection Act 2018 also apply.

2. DATA CONTROLLER AND PROCESSOR ROLES

  • For Account and Billing Data: L4 Labs Limited acts as the Data Controller. We determine how and why this data is processed.
  • For Content and Inputs (Customer Data): If you are using Ramsai on behalf of a business entity, L4 Labs Limited acts as the Data Processor, and your organization is the Data Controller. We process this data solely on your instructions to generate Output.

3. INFORMATION WE COLLECT

We collect the information you supply to us through our online registration forms and through your direct use of the Service. We also collect information automatically about your use of the Service. The categories below indicate which lawful basis applies to each, by reference to the numbered list at section 4.

3.1. Information You Provide

  • Account information — your name, work email address, hashed authentication credentials, organisation, role, and last login (1, 2).
  • Billing information — billing contact name, email, billing address, VAT number, and transaction metadata. Card details are collected and tokenised directly by our payment processor; we do not see or store full card numbers (1, 3).
  • Customer Data (Inputs uploaded by your organisation):
    • Source construction documents (project plans, scopes, quotes and pricing data) you submit so the Service can extract structured information for your RAMS (1).
    • Generated RAMS PDFs and your edits to them (1).
    • Worker certifications and licences (e.g. Safe Pass, CSCS, First Aid, Forklift, hazardous material handling), including the scanned certificate which may contain a photograph and signature, the holder's name and employer, the issuer, ID, issue and expiry dates (1).
    • Site photographs and voice notes you capture or upload to support project scoping and quotation (1).
    • Project metadata, contact details for site personnel and client representatives, and other content you choose to add (1).
  • Support correspondence — name, email, and the contents of messages you send us, including any attachments (1, 2).

Special category data (Article 9 GDPR). The Service is not designed to process special category data and our user interface instructs users not to upload it. We do not currently process injury data; if we add such functionality in future, we will update this policy and notify customers in advance.

3.2. Information We Collect Automatically

  • Usage data — actions taken in the Service, document and feature usage frequency, and similar usage metrics, identified by user ID and organisation ID rather than name (2).
  • Technical data — IP address, browser type, operating system, device information, and timestamps of requests (2, 4).
  • Audit logs — records of who in your organisation accessed which records and when, used to provide audit trails to your organisation and to investigate security incidents (1, 2).

4. HOW WE USE YOUR DATA — LAWFUL BASIS

We will only use your personal data when the law allows us to. Most commonly, we use your personal data on one of the following lawful bases (the numbers below correspond to the lawful-basis tags used in section 3):

  1. Performance of a contract we are about to enter into or have entered into with you (Art. 6(1)(b) GDPR).
  2. Legitimate interests of L4 Labs Limited or a third party, where those interests are not overridden by your interests and fundamental rights (Art. 6(1)(f) GDPR). We rely on this for security, fraud prevention, service-improvement analytics on aggregated data, customer support, and service-related communications.
  3. Compliance with a legal obligation to which we are subject (Art. 6(1)(c) GDPR), for example tax and accounting record-keeping under Irish law.
  4. Consent, in limited circumstances where we ask for it (Art. 6(1)(a) GDPR), for example for non-essential cookies and any non-service marketing.

Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of any processing carried out before withdrawal. You may opt out of marketing communications at any time using the unsubscribe link in any marketing message or by contacting us.

Customer Data — controller / processor roles. When your organisation uses Ramsai to process personal data of your workers, site contacts, client representatives or other individuals, your organisation is the data controller of that personal data and L4 Labs Limited is the data processor. We process Customer Data only on documented instructions from your organisation, in accordance with the data processing terms in our Terms of Service.

Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you. In this case we may have to suspend or cancel a service you have with us, but we will notify you if this is the case at the time.

5. AI PROCESSING AND TRAINING

5.1. No training on your content.

We do not use your Inputs or AI Outputs to train any AI models, and we contractually require the same of our AI sub-processors. In particular, our agreement with Anthropic, PBC restricts retention of submitted prompt content to a maximum of 30 days and prohibits any use of that content for model training. Our agreement with Google for the Gemini / Vertex AI service likewise prohibits use of customer content for training of generally-available models.

5.2. How AI processing works.

When you upload a source document, photo or voice note, the relevant content is sent to our AI sub-processors (Anthropic and Google) over encrypted channels for the sole purpose of generating the structured extraction or RAMS Output you have requested. Worker certifications and licences (section 3.1) are not sent to AI sub-processors.

5.3. AI is assistive only.

AI Outputs may contain factual errors, omissions or inaccuracies. You are solely responsible for reviewing, verifying and approving AI Outputs by a competent person before relying on them. See the "AI-Specific Obligations" section of our Terms of Service.

6. DATA SHARING AND SUB-PROCESSORS

We do not sell your personal data. We may share your personal data with the parties set out below:

  • Service providers acting as processors: Google Cloud Platform (hosting, storage, compute, authentication and logging — primary data residency europe-west4, Netherlands); Google Vertex AI / Gemini (generative AI extraction over source documents); Anthropic, PBC (generative AI reasoning over document text — contractual 30-day maximum retention; no use of customer content for model training); Stripe Payments Europe Ltd (payment processing); Landing AI, Inc. (OCR / document layout extraction). Each is bound by a Data Processing Agreement incorporating the EU Standard Contractual Clauses where applicable. A current list of our sub-processors is available at /subprocessors.
  • Professional advisers acting as processors or joint controllers: including lawyers, accountants, auditors and insurers based in Ireland who provide legal, accounting, audit and insurance services.
  • Legal requirements: If required by law, court order, or government regulation.
  • Business transfers: In connection with a merger, sale of assets, or financing of our business.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

7. INTERNATIONAL DATA TRANSFERS

L4 Labs Limited is established in Ireland. Application data is stored in the European Economic Area (primary region: europe-west4, Netherlands). Some of our sub-processors are based outside the EEA — in particular Anthropic, PBC and Google LLC are based in the United States — so providing the Service involves transfers of personal data outside the EEA.

Whenever we transfer personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

  • Adequacy decisions adopted by the European Commission (including the EU–US Data Privacy Framework where the recipient is self-certified).
  • The EU Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914 (the "EU SCCs"), supplemented where necessary by additional technical, contractual and organisational measures.

8. DATA RETENTION

We retain personal data only as long as reasonably necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain personal data for a longer period in the event of a complaint, regulatory investigation, or where we reasonably believe there is a prospect of litigation in respect of our relationship with you.

The following are our standard retention periods:

Category of dataRetention period
User account data (name, email, login records)Life of the account + 30 days
Customer source documents and generated RAMSLife of customer contract + 1 year
Photos and voice notes (project scoping)Life of customer contract + 1 year
Worker certifications and licencesLife of customer contract + 6 years (aligned with Irish limitation period for personal injury claims)
Quote and pricing dataLife of customer contract + 6 years
Stripe billing records and invoices7 years from end of financial year (Irish Revenue requirement under the Taxes Consolidation Act 1997, s. 886)
Application access and audit logs12 months
BackupsRolling 30 days
Anthropic AI prompt content (sub-processor)Maximum 30 days (contractual)
Support correspondence24 months from last correspondence

At the end of the applicable retention period, personal data is deleted from primary storage. Backup copies are removed in line with the rolling 30-day backup cycle.

9. YOUR RIGHTS

Under the EU GDPR (and the UK GDPR where applicable), you have the following rights:

  • Access: Request a copy of the personal data we hold about you and check that we are lawfully processing it.
  • Rectification: Request correction of any incomplete or inaccurate data we hold about you. We may need to verify the accuracy of the new data you provide.
  • Erasure: Request deletion of your personal data where there is no good reason for us continuing to process it, subject to legal retention obligations (such as the tax-record retention period set out in section 8).
  • Restriction: Request that we suspend the processing of your personal data, for example while accuracy is being established.
  • Portability: Request transfer of your personal data, in a structured, commonly used and machine-readable format, to you or to a third party. This right applies to data you provided to us under a contract or with your consent.
  • Object: Object to processing of your personal data where we are relying on a legitimate interest, including for direct marketing.
  • Withdraw consent: Where we are relying on consent, withdraw that consent at any time. This will not affect the lawfulness of any processing carried out before withdrawal.
  • Automated decision-making: The Service uses AI to extract information from documents and to generate draft RAMS Output. This is not used to make decisions producing legal or similarly significant effects on you within the meaning of Article 22 GDPR — a competent person at your organisation reviews and approves the Output. You may contact us if you wish to discuss any concern about automated processing.

You will not have to pay a fee to exercise any of these rights. We may charge a reasonable fee, or refuse to act, if your request is clearly unfounded, repetitive or excessive. We may need to request specific information from you to confirm your identity before we act on your request, as a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We try to respond to all legitimate requests within one month.

To exercise any of these rights, please contact us at: hello@l4labs.com

You also have the right to make a complaint at any time to the Data Protection Commission (DPC), the Irish supervisory authority for data protection issues (www.dataprotection.ie). We would, however, appreciate the chance to deal with your concerns before you approach the DPC, so please contact us in the first instance.

10. SECURITY

We implement appropriate technical and organisational measures to protect your personal data against unauthorised or unlawful processing, accidental loss, destruction or damage. These measures include:

  • Encryption of personal data in transit (TLS 1.2 or higher) and at rest (AES-256).
  • Strict per-tenant data isolation, enforced on every read and write.
  • Role-based access control on the principle of least privilege.
  • Application audit logging that excludes document content.
  • Primary data residency in europe-west4 (Netherlands).
  • Rolling 30-day backups in the same region.
  • Sub-processor due diligence and Data Processing Agreements with each sub-processor.
  • A documented personal-data-breach response procedure: where a breach affects customer data, we will notify the affected customer without undue delay and in any event within 72 hours of becoming aware.

No method of transmission over the Internet or method of electronic storage is completely secure, and we cannot guarantee absolute security.

11. COOKIES

We use cookies and similar technologies on the Ramsai web application. The categories of cookies we may use are:

  • Strictly necessary cookies — required for the operation of the Service, for example to keep you signed in to a secure session and to remember your selected organisation. These do not require consent.
  • Analytical or performance cookies — allow us to recognise and count the number of visitors and to see how visitors move around the Service so that we can improve it. These are only set with your consent.
  • Functionality cookies — used to remember choices you make (such as preferences) and to personalise the Service for you. These are only set with your consent.

Where consent is required (under the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011, S.I. 336/2011), you will be shown a cookie banner that lets you accept, reject, or customise your preferences before any non-essential cookie is set. You can change your preferences at any time using the cookie controls in the Service, and you can also block or delete cookies in your browser settings.

12. CONTACT US

If you have questions about this Privacy Policy or our data practices, please contact:

L4 Labs Limited
70 Rathgar Road, Dublin, D06 HX28, Ireland
Email: hello@l4labs.com

Terms of Service·Sub-processors·Previous versions
Back to Registration →