InsightLab stores your study inputs: target URLs, audience descriptions, tasks, and optionally PostHog context. This page describes exactly what we store, how we protect it, and the controls you retain.
A target URL or Figma link, an audience description, and the tasks to attempt. PostHog context is optional and never required. We do not ask for session logs, source code, or production credentials.
InsightLab works with URLs, task descriptions, and optional event context. If you include PostHog context in a study, PII fields can be excluded or anonymized before the study runs.
Study data is scoped to your workspace using row-level security. It is used only to run your simulations and is never shared across accounts. Internal access follows a least-privilege model and is subject to audit logging.
Data is encrypted in transit using TLS and encrypted at rest. Storage infrastructure uses industry-standard ciphers throughout.
You retain ownership of your study data at all times. Submit a deletion request and we will remove your study inputs, simulation results, and any stored context associated with your account.
We are an early-stage company. We would rather be transparent about our current posture than overstate certifications we have not yet completed.
A DPA is available for customers who require one as a condition of onboarding. Contact us and we will engage your legal team directly.
Formal SOC 2 Type II readiness is on our near-term roadmap. We are happy to walk your security team through our current control environment in a dedicated session.
The compliance representations on this page reflect our current state and will be updated as certifications are completed. We do not claim certifications we have not obtained.
We will get your security or legal team the answers they need before you commit to onboarding.