This Privacy Policy explains how LabsNinja (“we”, “us”) collects, uses, and shares personal data in connection with the LabsNinja SCIM Connector service (the “Service”). It is designed with GDPR principles in mind and applies to our website, the customer portal, and the SCIM endpoints we operate.
1. Who is the controller?
For data we collect about you when you visit our website, create an account, or contact us, LabsNinja is the controller. For SCIM user and group data that a customer provisions through the Service, the customer is the controller and LabsNinja is the processor. The processor relationship is governed by our Data Processing Addendum.
2. Categories of data we process
- Account data. Email address, company name (optional), hashed password, plan, trial dates, and verification timestamps used to operate your account.
- SCIM user and group data. User identifiers, names, email addresses, group memberships, and other attributes provisioned by the customer’s identity provider. Processed on the customer’s behalf.
- Logs and audit events. Request metadata, IP address, user agent, action category, outcome, and timestamps used for security, audit, and troubleshooting.
- Support data. Information you provide in support messages, including your name and email address.
- Billing data. Placeholder — billing is not yet enabled. When paid plans are introduced, this section will be updated to reflect the payment processor and the data fields involved.
3. How we use this data
- To operate, secure, and improve the Service.
- To authenticate users and enforce tenant isolation.
- To send transactional emails (verification, password reset, security notices).
- To investigate incidents, prevent abuse, and meet legal obligations.
- To respond to support requests and questions you send us.
4. Legal bases
Where data protection law requires a legal basis, we rely on (a) performance of a contract with you, (b) our legitimate interests in operating and securing the Service, (c) compliance with legal obligations, or (d) your consent where applicable. We do not rely on consent for strictly necessary cookies.
5. Retention
Account data is retained for the life of the account plus a reasonable period to support recovery and to meet legal or audit obligations. SCIM provisioning data is retained while your tenant is active and will be deleted or returned on termination as described in the DPA. Audit logs are retained on a rolling window for security and compliance purposes; exact durations will be documented in the finalised version of this policy.
6. Subprocessors
We use a small number of subprocessors to operate the Service. The current list is published on the Subprocessors page and will be kept up to date.
7. International transfers
Where personal data is transferred outside the jurisdiction in which it was collected, we will rely on appropriate safeguards (such as Standard Contractual Clauses) as required by applicable law. Specific transfer mechanisms will be detailed following legal review.
8. Your rights
Depending on where you are located, you may have rights to access, rectify, delete, restrict, or port personal data we hold about you, and to object to certain processing. To exercise these rights, contact privacy@labsninja.com. Where you are an end user provisioned by a customer organisation, we will direct requests to that organisation as the controller of SCIM data.
9. Security
We maintain a security-focused architecture including TLS in transit, bcrypt hashing of bearer tokens, tenant-scoped queries, structured audit logging, and fail-fast configuration validation. See our Security page for the current control set.
10. Cookies
The Service today uses strictly necessary cookies only (session and CSRF). We do not use analytics or marketing cookies. If we introduce any non-essential cookies, we will obtain consent before doing so. See the Cookie Policy.
11. Contact
Privacy questions or rights requests: privacy@labsninja.com. Other inquiries: see our Contact page.