Effective Date: March 1, 2026 · Last Updated: March 24, 2026
Garmo Labs, LLC ("Garmo Labs," "Company," "we," "us," or "our") is a California limited liability company. We are committed to protecting the privacy of individuals who visit our websites, register for our Services, and interact with our products. This Privacy Policy describes how we collect, use, share, and protect personal information in connection with our websites at garmolabs.com, axiom.garmolabs.com, and chronicle.garmolabs.com, and our related APIs and services (collectively, the "Services").
This Privacy Policy is incorporated into and forms part of our Terms of Service. By accessing or using the Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our privacy practices, you should not use the Services.
Account Information. When you create an account, we collect your email address and password (stored in hashed form). If you subscribe to a paid plan, we collect your name or organization name for billing purposes.
Billing Information. When you subscribe to a paid plan, payment information (credit card number, expiration date, billing address) is collected and processed directly by our payment processor, Stripe, Inc. Garmo Labs does not store your full credit card number. We receive from Stripe a payment token, the last four digits of your card, card type, and billing address for record-keeping.
Customer Data — AXIOM. When you use AXIOM, you may submit the following data for compliance verification:
AXIOM generates Compliance Reports based on your submissions, including pass/fail determinations, risk scores, and recommendations. These reports are signed with SHA-256 hashes for tamper evidence.
Customer Data — CHRONICLE. When you use CHRONICLE, you may submit the following data for memory storage:
user_id), role, content (free-text), metadata (structured), and a timestampCommunications. When you contact us via email at support@garmolabs.com, legal@garmolabs.com, or privacy@garmolabs.com, we collect the content of your communications, your email address, and any attachments you provide.
Support Requests. If you submit a support request, we collect information necessary to resolve your inquiry, including your account details, a description of the issue, and any diagnostic information you provide.
API Logs. We automatically log information about each API request made to the Services, including:
Usage Metrics. We collect aggregated usage data, including:
Device and Browser Information. When you access our websites, we may collect your browser type and version, operating system, screen resolution, language preference, and referring URL.
IP Addresses. We collect IP addresses for security, rate limiting, abuse prevention, and approximate geolocation (country/region level only).
Stripe. Our payment processor, Stripe, may provide us with limited information related to your payment transactions, including transaction amounts, dates, and payment status. Stripe's collection and use of your data is governed by Stripe's Privacy Policy.
We use the information we collect for the following purposes:
To Operate and Provide the Services. We use your Account Information and Customer Data to authenticate your identity, process your API requests, generate Compliance Reports (AXIOM), store and retrieve episodes (CHRONICLE), and deliver the functionality described in our Terms of Service.
To Process Payments. We use your billing information and transaction data from Stripe to process subscription payments, manage billing cycles, send invoices, and handle refund requests.
To Ensure Security and Prevent Abuse. We use API logs, IP addresses, and usage metrics to detect and prevent unauthorized access, fraud, abuse, and violations of our Acceptable Use Policy. This includes rate limiting, anomaly detection, and enforcement actions.
To Communicate with You. We use your email address to send transactional communications (account confirmations, billing receipts, security alerts, service notifications), respond to your support requests, and, with your consent where required, send product updates and announcements. We do not send marketing emails without your opt-in consent.
To Improve and Develop the Services. We use aggregated and de-identified usage data to analyze performance, identify areas for improvement, optimize infrastructure, fix bugs, and develop new features. We do not use identifiable Customer Data for these purposes.
To Comply with Legal Obligations. We use your information as necessary to comply with applicable laws, regulations, legal processes, or governmental requests.
To Enforce Our Terms. We use your information to enforce our Terms of Service, Acceptable Use Policy, and other agreements, including investigating potential violations and taking appropriate action.
Garmo Labs does not sell, rent, or trade your personal information to third parties. We share your information only in the following limited circumstances:
We use the following third-party sub-processors to operate the Services:
| Sub-processor | Purpose | Data Shared | Location |
|---|---|---|---|
| Fly.io | Cloud infrastructure hosting | All data processed by the Services (encrypted in transit and at rest) | IAD region (Ashburn, Virginia, USA) |
| Stripe, Inc. | Payment processing | Billing information, payment card details, transaction amounts | United States |
Each sub-processor is bound by data processing agreements that require them to protect your data in a manner consistent with this Privacy Policy.
We may disclose your information if we believe in good faith that disclosure is necessary to: (a) comply with applicable law, regulation, legal process, or governmental request; (b) enforce our Terms of Service or other agreements; (c) protect the rights, property, or safety of Garmo Labs, our Customers, or the public; or (d) detect, prevent, or address fraud, security, or technical issues.
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of the transaction. We will notify you via email and/or a prominent notice on our website of any change in ownership or use of your personal information.
We may share your information with third parties when you have given us explicit consent to do so.
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, our legal bases for processing your personal data under the General Data Protection Regulation (GDPR) are as follows:
Regardless of your location, you have the following rights with respect to your personal information:
To exercise any of these rights, please contact us at privacy@garmolabs.com. We will respond to your request within thirty (30) days.
If you are a California resident, you have the following additional rights under the California Consumer Privacy Act of 2018 (CCPA) as amended by the California Privacy Rights Act of 2020 (CPRA):
Right to Know. You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which we collected it, our business or commercial purposes for collecting it, and the categories of third parties with whom we share it.
Right to Delete. You have the right to request that we delete your personal information, subject to certain exceptions permitted by law.
Right to Correct. You have the right to request that we correct inaccurate personal information.
Right to Opt-Out of Sale or Sharing. Garmo Labs does not sell your personal information, and we do not share your personal information for cross-context behavioral advertising. Because we do not engage in these activities, there is no need to opt out. If our practices change, we will update this policy and provide a "Do Not Sell or Share My Personal Information" link.
Right to Non-Discrimination. We will not discriminate against you for exercising any of your CCPA/CPRA rights.
Categories of Personal Information Collected (12-Month Lookback). In the preceding twelve (12) months, we have collected the following categories of personal information:
| Category | Examples | Collected |
|---|---|---|
| Identifiers | Email address, account name, IP address, API Key identifiers | Yes |
| Customer Records | Name, billing address (via Stripe), payment card type and last four digits | Yes |
| Commercial Information | Subscription plan, billing history, usage records | Yes |
| Internet/Network Activity | API logs, browsing history on our websites, usage metrics | Yes |
| Geolocation Data | Approximate location derived from IP address (country/region) | Yes |
| Professional/Employment Info | Organization name (if provided) | Yes (if provided) |
| Inferences | Usage patterns, feature preferences | Yes |
| Sensitive Personal Information | N/A | No |
To Exercise Your Rights. California residents may submit a verifiable consumer request by emailing privacy@garmolabs.com with the subject line "CCPA Request." We will verify your identity by confirming your email address and account ownership. You may also designate an authorized agent to make a request on your behalf, provided the agent can demonstrate written authorization from you. We will respond to verified requests within forty-five (45) days, with the possibility of a forty-five (45) day extension for complex requests, as permitted by law.
If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following additional rights under the GDPR:
To exercise these rights, please contact privacy@garmolabs.com. We will respond within thirty (30) days.
We retain your personal information and Customer Data only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. Our specific retention periods are as follows:
| Data Type | Retention Period |
|---|---|
| Account Information (email, hashed password) | Duration of account + 30 days after deletion request |
| Billing Records (transaction history, invoices) | 7 years (tax and legal compliance) |
| Customer Data — Agent States (AXIOM) | Duration of account + 30 days after deletion or termination |
| Customer Data — Compliance Reports (AXIOM) | Duration of account + 30 days after deletion or termination |
| Customer Data — Episodes and Embeddings (CHRONICLE) | Until deleted by Customer or 30 days after account termination |
| API Logs | 90 days (rolling) |
| Usage Metrics (aggregated) | 24 months |
| IP Addresses | 90 days (rolling) |
| Support Communications | 3 years after resolution |
| API Keys (hashed) | Until revoked or account terminated + 30 days |
After the applicable retention period expires, we will securely delete or anonymize the data. Aggregated, de-identified data that cannot be used to identify any individual may be retained indefinitely for analytical purposes.
We implement commercially reasonable technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:
user_id scoping, ensuring that one customer's data is not accessible to another.While we strive to protect your personal information, no method of transmission over the Internet or method of electronic storage is completely secure. We cannot guarantee absolute security.
In the event of a security incident that results in unauthorized access to, disclosure of, or loss of personal information ("Data Breach"), Garmo Labs will:
Garmo Labs is based in California, United States. The Services are hosted in the United States (IAD region, Ashburn, Virginia). If you access the Services from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction.
EU/EEA Transfers. For transfers of personal data from the European Economic Area, United Kingdom, or Switzerland to the United States, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission (Implementing Decision (EU) 2021/914). You may request a copy of the SCCs by contacting legal@garmolabs.com.
By using the Services, you consent to the transfer of your information to the United States as described in this Privacy Policy.
The Services are not directed to, and we do not knowingly collect personal information from, individuals under the age of eighteen (18). If we become aware that we have collected personal information from a child under 18, we will take steps to delete such information promptly. If you believe that we have inadvertently collected personal information from a child under 18, please contact us at privacy@garmolabs.com.
Some web browsers transmit "Do Not Track" (DNT) signals to the websites they visit. There is currently no universally accepted standard for how companies should respond to DNT signals. We do not currently respond to DNT signals. However, we note that we do not engage in cross-site tracking, behavioral advertising, or selling of personal information, regardless of DNT signal status.
Our websites may use cookies and similar technologies for essential functionality, such as maintaining your authenticated session. We do not use cookies for advertising or cross-site tracking purposes. The Services are primarily API-based and do not rely on cookies for API access.
The following table lists all third-party sub-processors that process Customer Data on behalf of Garmo Labs:
| Sub-processor | Service | Data Processing Purpose | Location |
|---|---|---|---|
| Fly.io | Cloud hosting | Hosting and operating the Services, including storing and processing Customer Data | Ashburn, Virginia, USA (IAD) |
| Stripe, Inc. | Payment processing | Processing subscription payments, managing billing, and handling refunds | United States |
We will provide at least thirty (30) days' notice before engaging a new sub-processor that will process Customer Data. If you object to a new sub-processor, you may terminate your account as described in the Terms of Service.
We may update this Privacy Policy from time to time to reflect changes in our practices, the Services, or applicable law. We will provide at least thirty (30) days' prior notice of material changes by: (a) posting the updated Privacy Policy on our website with a revised "Last Updated" date; and (b) sending an email notification to the address associated with your Account.
Your continued use of the Services after the effective date of any modification constitutes your acceptance of the updated Privacy Policy. If you do not agree with the updated Privacy Policy, you should discontinue your use of the Services.
Non-material changes (such as typographical corrections, formatting updates, or clarifications that do not alter the substance of any provision) may be made without notice.
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Garmo Labs, LLC
California, United States
Privacy inquiries: privacy@garmolabs.com
General support: support@garmolabs.com
Legal inquiries: legal@garmolabs.com
Website: garmolabs.com
For CCPA/CPRA requests, please email privacy@garmolabs.com with the subject line "CCPA Request." For GDPR requests, please email privacy@garmolabs.com with the subject line "GDPR Request."
© 2026 Garmo Labs, LLC. All rights reserved.