Legal

Privacy Policy

SchemaLabs, Inc.

Effective date
May 13, 2026
Version
1.2

SchemaLabs, Inc. ("SchemaLabs," "we," "us") provides the Schema Models, our proprietary foundation models for tabular data, through a web application and API (the "Service"). This Privacy Policy explains how we collect, use, and protect personal information when you use the Service or visit schemalabs.ai.

The Service is currently in beta. Beta-status considerations apply throughout this Policy and in our Terms of Service.

If you are an enterprise customer with a separate Data Processing Agreement, that agreement governs our processing of personal data on your behalf and takes precedence over this Policy where the two conflict.

1. The most important thing

We do not use your Customer Data to train, improve, or modify any Schema Model or any other customer's Fine-Tuned Checkpoint. When you fine-tune a Schema Model on your data, the result is an isolated checkpoint architecturally separated from the Base Model and from every other customer's checkpoint. Your data is processed only on your behalf and is never used by anyone else. This is enforced by our system architecture, not just by policy.

This is the single load-bearing commitment of how we operate.

2. Information we collect

Account information. When you create an account, we collect your name, email address, organization name, and billing information. Payment card numbers are processed by our payment processor (Stripe) and are not stored on our systems.

Customer Data. When you upload data to the Service, or connect an external database or data source, for processing by a Schema Model, we receive that data. It may contain personal data depending on what you upload or connect. We process Customer Data only to provide the Service.

Usage data. We automatically collect technical information about your use of the Service, including API request timestamps, features used, error logs, session duration, browser type, operating system, IP address, and referring URLs.

Communications. If you contact us by email or through support channels, we collect the contents of those communications.

3. How we use information

We use information to:

  • Provide the Service, including processing Customer Data and creating Fine-Tuned Checkpoints
  • Operate billing and accounts
  • Improve the Service operationally, by analyzing aggregated and anonymized usage patterns. We do not use Customer Data for this. Only technical telemetry that does not identify any individual.
  • Detect and prevent abuse
  • Comply with law, including responding to lawful requests from authorities

We do not sell personal data. We do not use Customer Data to train any Schema Model or any other model. Customer Data is used only to serve your requests, including inference against any Schema Base Model and the creation and operation of your Fine-Tuned Checkpoint within your account.

4. How we share information

We share information only in these circumstances:

  • Sub-Processors. Third-party service providers we use to operate the Service. A current list is at schemalabs.ai/sub-processors. Sub-Processors are bound by data protection obligations no less protective than ours.
  • BYOL Endpoints. If you connect a third-party large language model endpoint (such as OpenAI, Anthropic, Google Gemini, or Mistral) through the Service, your Customer Data may be transmitted to that provider. This transmission is directed by you and governed by your agreement with that provider. The BYOL provider is not our Sub-Processor.
  • Legal requirements. We may disclose information when required by law. Where legally permitted, we will notify the affected customer before complying with a compulsory request for their data.
  • Business transfers. In connection with a merger, acquisition, or sale of substantially all our assets, your information may transfer to the acquiring entity.

5. Customer Data: prohibited categories

You may not upload certain categories of data to the Service unless we have specifically agreed in writing (for example, through a HIPAA Business Associate Agreement). The full list is in our Use Policy §1.8, and includes special category data under GDPR Article 9, payment card data, government-issued identifiers, children's data, export-controlled technical data, and attorney-client privileged communications.

6. Data retention and deletion

Account data. We retain account information for as long as your account is active and for the period required by applicable tax, audit, and legal obligations after closure.

Customer Data and Fine-Tuned Checkpoints. Upon account termination, we will delete your Customer Data and Fine-Tuned Checkpoints as soon as reasonably practicable. We will work in good faith with any customer who has a specific deletion request and honor all rights guaranteed by applicable law.

Usage logs. For active accounts, we retain technical usage logs for ninety (90) days. If you delete your account, the associated usage logs are deleted following account deletion.

Billing records. Retained for seven (7) years for tax and audit purposes.

7. Security

We protect your data with:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256), with keys managed through Google Cloud KMS and AWS KMS
  • Role-based access controls and multi-factor authentication for SchemaLabs personnel accessing production systems and Customer Data
  • Architectural isolation of per-customer Fine-Tuned Checkpoints
  • Audit logging of administrative actions, data access events, API requests, fine-tune jobs, and playground jobs
  • Infrastructure hosted on Google Cloud Platform and Amazon Web Services in US-based data centers; GCP and AWS each maintain SOC 2 Type II, ISO 27001, and other independent certifications

We are a pre-seed company in beta. Our security posture is appropriate to our stage and is being actively built out. We will notify customers of any security incident affecting their data in accordance with our Data Processing Agreement.

8. International data transfers

We process data in US-based GCP and AWS infrastructure. If you are located outside the United States, your data will be transferred to and processed in the United States.

For transfers of personal data from the European Economic Area, the United Kingdom, or Switzerland to the United States, we rely on the Standard Contractual Clauses adopted by the European Commission (Module Two: Controller-to-Processor). The SCCs are set out in DPA Annex III and form part of our Data Processing Agreement.

If you require data residency in the EU rather than transfer to the US, we offer a dedicated EU deployment as a paid option. Contact [email protected].

9. EU representative

SchemaLabs is currently in the process of designating a representative in the European Union pursuant to Article 27 of the GDPR.

Until designation is complete, EU and UK data subjects may contact us directly at [email protected]. You also have the right to lodge a complaint with your local data protection authority.

10. Your privacy rights

EEA, UK, Switzerland

You have the rights provided by GDPR, including access, rectification, deletion, restriction, portability, objection, and not being subject to solely automated decision-making without human oversight. To exercise these rights, email [email protected]. We will respond as soon as reasonably practicable and within the timeframes required by applicable law.

If your personal data is contained within an enterprise customer's Customer Data, we will direct your request to that customer, who is the controller.

California

Under the CCPA/CPRA, you have the right to know, delete, opt out of sale or sharing (which we do not engage in), non-discrimination, and limits on use of sensitive personal information. To exercise these rights, email [email protected] or visit schemalabs.ai/privacy-choices.

Other jurisdictions

If you are located in another jurisdiction with applicable data protection laws, contact [email protected] and we will honor your rights to the extent required by law.

11. AI-specific disclosures

The Schema Models are artificial intelligence systems and foundation models for tabular data.

  • Outputs are probabilistic. You are responsible for validating Outputs before relying on them.
  • No training on Customer Data. As stated in Section 1, we do not use Customer Data to train, improve, or modify any Schema Base Model.
  • High-stakes decisions require human oversight. If you deploy a Schema Model in contexts involving automated decisions significantly affecting individuals, you must implement appropriate human oversight as required by applicable law.
  • For details on each Schema Model's intended use, training, evaluation, and known limitations, see the Schema Model Card.

12. Cookies

Our website and Web App use cookies and similar technologies. We do not use advertising cookies. See our Cookie Policy for details.

13. Children

The Service is not directed to individuals under 18 years old. We do not knowingly collect personal information from children.

14. Changes to this Policy

We may update this Policy from time to time. The current version and its effective date are always posted on this page, and you are responsible for checking the website periodically to stay informed of changes. We may, but are not required to, send additional notice of material changes by email or in-app notification.

15. Contact

SchemaLabs, Inc.