This Privacy Policy explains how Paweł Rosner (sole proprietor, Poland) — operator of Massive Research Lab ("the Service") — handles personal data. Contact: privacy@myresearchlab.app.
Two roles, kept separate
- Researcher data (your account + how you use the Service): we are the controller.
- Participant data (people who take your studies): you are the controller and we are your processor. This policy describes how we, as processor, are built to protect it.
Researcher data we collect
- Account: email address and display name (via our authentication provider, Clerk); optional profile fields you add (e.g. affiliation, ORCID).
- Content: the studies, materials, and settings you create.
- Usage and technical: coarse, non-identifying technical data needed to run and secure the Service (e.g. request metadata, coarse country). We do not store raw IP addresses for analytics.
- Cookies: see the Cookie Policy.
Participant data (how we minimise it)
The Service is built to keep participant data minimal and hard to re-identify:
- participants are identified by an opaque, anonymous token, not by name or email;
- we do not store participants' raw IP addresses or raw browser user-agent strings; where a technical signal is needed (e.g. rate-limiting, consent audit) we use a one-way hash and/or coarse country only;
- responses belong to your workspace and are isolated from other workspaces;
- participant withdrawal is supported and propagates across the Service.
You decide what your study asks; you are responsible for the lawful basis and consent for any personal data your study itself collects.
How we use researcher data
To provide, secure, support, and improve the Service, and to communicate with you about it. We do not sell personal data.
Legal bases (GDPR)
- Contract — to provide the Service you sign up for.
- Legitimate interests — to secure and improve the Service (balanced against your rights).
- Consent — for optional cookies/analytics (see the Cookie Policy); withdrawable at any time.
- Legal obligation — where the law requires.
Sub-processors
We use the following providers to run the Service. Several AI/integration providers are connected with your own keys and only process data when you choose to use them.
| Sub-processor | Purpose | Location | Data accessed |
|---|---|---|---|
| Clerk | Authentication | USA | Email, display name, auth tokens |
| Neon (PostgreSQL) | Database hosting | EU/USA | Researcher and participant data |
| Vercel | Application hosting | USA | Request/response data; no direct DB access |
| Cloudflare R2 | Asset storage | Global | Uploaded images/audio/video, generated audio |
| Cloudflare CDN | Delivery + DDoS protection | Global | HTTP request metadata (coarse country) |
| Upstash Redis | Rate limiting | USA | One-way-hashed coarse buckets; never raw IPs |
| Inngest | Background jobs | USA | Job metadata; study data only as a job requires |
| OSF (your key) | Preregistration | USA | Study metadata you choose to push |
| Anthropic (your key) | AI text features | USA | Prompts + content you send per study config |
| Hume AI (your key, where enabled) | Voice/emotion AI | USA | Content/audio per study config, with consent |
| Prolific (your key) | Recruitment | UK | Recruitment metadata; opaque participant IDs |
International transfers (e.g. to the USA) rely on appropriate safeguards such as the EU Standard Contractual Clauses where required.
Security
HTTPS in transit; database encryption at rest; third-party credentials you connect are encrypted application-side (AES-256-GCM) and never shown back to the browser; strict workspace isolation; rate limiting against abuse.
AI processing
When you use an AI feature, the relevant content is sent to your connected provider under their terms. AI output is non-deterministic and may be inaccurate. We meter usage for cost/abuse control but do not use your content to train models.
Retention
We keep researcher and study data while your account is active and as needed to provide the Service. You can delete studies and your account; we then delete or anonymise associated data within a reasonable period, except where the law requires us to keep it.
Your rights
Under the GDPR you may request access, rectification, erasure, restriction, portability, and may object to certain processing. Email privacy@myresearchlab.app. You also have the right to lodge a complaint with the Polish supervisory authority (UODO — Urząd Ochrony Danych Osobowych) or your local authority.
Children
The Service is for researchers and is not directed at children. Whether your study may include minors is your responsibility as the controller of participant data.
Changes
We may update this policy; material changes update the version + effective date and, where required, prompt re-acknowledgement.