1. Who we are
Philos Lab Ltd (“Philos Lab”, “we”, “us”) is a private company registered in England & Wales. We operate the brand dashboard at app.philoslab.com and the consumer kiosk platform under the brand name Gollava (gollava.com).
For personal data you (a brand user) provide when using this dashboard, Philos Lab is the data controller. For the kiosk-collected end-user data we process to deliver campaign analytics, Philos Lab acts as data processor on your behalf, governed by the Data Processing Agreement (DPA) attached to your Service Agreement.
2. What we collect about brand users
| Category | Examples | Why |
|---|---|---|
| Identity & contact | Name, work email, role at your brand | Account creation, contract performance, support |
| Auth credentials | Supabase Auth session tokens, magic-link audit trail, optional Google OAuth claims | Sign-in security, account recovery |
| Dashboard activity | Pages accessed, campaigns created, media uploaded, audit log of writes | Security audit (UK GDPR Art. 32), abuse detection, billing |
| Communications | Emails to hello@philoslab.com, Slack-channel messages | Customer support, contract administration |
3. Legal basis for processing brand-user data
- Contract (UK GDPR Art. 6(1)(b)) — providing the dashboard service you’ve signed up for.
- Legitimate interests (Art. 6(1)(f)) — securing the platform, preventing fraud, improving product features. We balance these against your rights and you can object.
- Legal obligation (Art. 6(1)(c)) — record-keeping for tax, accounting, and UK regulatory requirements.
- Consent (Art. 6(1)(a)) — only used for optional marketing emails. Always opt-in, always withdrawable.
4. Kiosk-collected consumer data (we process on your behalf)
When a consumer claims a sample at a Gollava kiosk associated with one of your campaigns, the data flowing through Philos Lab includes: passkey-bound account identifier, age range, skin type, postcode prefix, sample claim record, survey responses, behaviour-event stream, device-fingerprint signals, and Day 7 / 30 / 60 follow-up feedback.
Brand data isolation is absolute. You receive aggregate, anonymised insights for your own campaigns. You never see another brand’s consumers, and another brand never sees yours. Cross-brand analytics (e.g. category benchmarks) are published only in fully de-identified, k-anonymised form.
Your contract’s DPA is the authoritative document for this processing. The Gollava consumer privacy notice describes the end-user side of the same data flow.
5. Where data lives
- Primary database & storage: Supabase (AWS eu-west-2, London).
- Application hosting: Vercel (regional deployments, EU-preferred).
- Error monitoring: Sentry — IP addresses scrubbed, request bodies redacted.
- Email delivery: Supabase Auth SMTP provider for magic links.
All personal data is stored in the UK. Limited operational metadata (e.g. Vercel build logs) may transit through processors in the EU or US under standard contractual clauses and the UK Addendum.
6. Sub-processors
Our current list of sub-processors is available in your DPA. The major ones:
| Sub-processor | Purpose | Region |
|---|---|---|
| Supabase | Database, auth, storage, realtime | UK (eu-west-2) |
| Vercel | Web hosting + edge runtime | EU / US |
| Sentry | Error monitoring | EU |
| Anthropic / OpenAI | Optional content-moderation review (no PII passed) | US, opt-in |
We give brand customers 30 days’ notice of any material change to the sub-processor list, with a right to object as set out in the DPA.
7. How long we keep data
- Active accounts: for the lifetime of the contract.
- Contract records, invoices: 7 years post-termination (UK statutory).
- Application logs: 90 days (rolling).
- Audit log of dashboard writes: 24 months.
- De-identified aggregate insights: retained indefinitely once anonymised beyond reversibility.
8. Your rights
Under UK GDPR you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate or incomplete data.
- Erasure — “right to be forgotten”, subject to legal-retention exceptions.
- Restriction — limit how we process your data while a dispute is resolved.
- Portability — receive your data in a portable machine-readable format.
- Objection — to processing based on legitimate interests, including marketing.
- Withdraw consent — at any time, where consent is the legal basis.
- Lodge a complaint with the UK Information Commissioner’s Office (ico.org.uk).
Email privacy@philoslab.com to exercise any of these. We respond within 30 days (extendable to 90 days for complex requests, with notification).
9. Security
Personal data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Database access is gated by row-level security policies that enforce brand isolation. Brand-user accounts use magic-link or Google OAuth — no shared passwords. Every dashboard write produces an immutable audit-log entry tied to the actor’s account.
We disclose any personal data breach affecting brand customers within 72 hours of becoming aware, with the scope and our remediation plan.
10. Cookies & local storage
The dashboard uses strictly-necessary cookies/local-storage for authentication (Supabase session, CSRF protection) and UI preferences. We don’t use third-party advertising, marketing, or analytics cookies on this dashboard.
11. Children
The dashboard is intended for use by adult brand employees. Kiosk consumers are 18+ as required by the Gollava terms.
12. Changes to this notice
Material changes are notified at least 14 days before they take effect via the email address on your account, and at least one calendar day in the dashboard banner. Continued use after the effective date constitutes acceptance.
13. Contact
Data Protection lead: privacy@philoslab.com
General enquiries: hello@philoslab.com
Postal: Philos Lab Ltd, registered office — full address available on Companies House.
ICO registration: application in progress before first live campaign — number to be appended here on confirmation.