The Slab Lab Logo

Privacy Policy

Last updated: 17 March 2026

1. Introduction

The Slab Lab ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website and services.

2. Data Controller

The data controller for your personal information is THE SLAB LAB LTD, a company registered in England and Wales.

  • Company Number: 16940122
  • Registered Address: Lytchett House 13 Freeland Park, Wareham Road, Poole, Dorset, United Kingdom, BH16 6FA
  • Contact Email: info@theslablab.co.uk

3. Information We Collect

Personal Information

We collect personal information that you provide to us, including:

  • Name and email address
  • Date of birth (for age verification)
  • Account credentials (email and password)
  • Payment information (processed securely through Revolut — we do not store your full card details)
  • Shipping addresses
  • Bank account details for withdrawals (account name, sort code, and account number — encrypted at rest)
  • Referral code usage (if you register via a referral link)
  • Marketing consent preferences

Information from Third-Party Sign-In

If you sign in using Google, we receive your name, email address, and profile photo from Google. We do not receive your Google password.

Usage Information

We automatically collect certain information when you use our services:

  • Device information (IP address, browser type, operating system)
  • Usage patterns and interactions with our platform
  • Last activity timestamp
  • Cookies and similar tracking technologies (see Section 8)

4. How We Use Your Information

We use the collected information for:

  • Providing and maintaining our services
  • Processing transactions and managing your account
  • Verifying your identity and age eligibility
  • Processing withdrawals to your bank account
  • Communicating with you about your account and our services
  • Improving our platform and user experience
  • Complying with legal obligations
  • Preventing fraud and ensuring security

5. Lawful Basis for Processing

Under UK GDPR, we process your personal data based on the following lawful grounds:

  • Contractual Necessity: We process your account data, transaction information, and shipping details to fulfil our contract with you and provide our services.
  • Legitimate Interests: We process data for fraud prevention, platform security, and improving our services, where these interests do not override your rights and freedoms.
  • Legal Obligation: We process and retain certain data to comply with legal obligations, including tax records and regulatory requirements.
  • Consent: Where we send marketing communications, we do so based on your consent, which you can withdraw at any time through your account settings.

6. Data Storage and Security

We implement appropriate technical and organisational measures to protect your personal information:

  • Sensitive data (bank details, two-factor authentication secrets, recovery codes) is encrypted at rest
  • Secure transmission of data (HTTPS)
  • Token-based authentication with automatic expiry
  • Two-factor authentication available for additional account security
  • Access controls and role-based permissions
  • Regular security assessments

However, no method of transmission over the internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

7. Data Sharing and Disclosure

We do not sell your personal information. We may share your information with:

  • Service Providers: Third-party companies that help us operate our platform:
    • Revolut Business: Processes payment transactions and stores saved card details
    • Royal Mail and other UK carriers: Handle physical shipments of slabs
    • TrackingMore: Provides shipment tracking updates
    • Google: Provides OAuth sign-in and address autocomplete (Google Maps)
    • DigitalOcean and Microsoft Azure: Host card images
  • Legal Requirements: When required by law or to protect our rights
  • Business Transfers: In connection with a merger, acquisition, or sale of assets

8. Cookies and Tracking Technologies

We use cookies and similar technologies to:

  • Maintain your session and authentication state
  • Remember your preferences and settings
  • Protect against cross-site request forgery (CSRF)
  • Analyse website traffic and usage

Types of Storage We Use

  • Essential cookies: Required for the platform to function (session management, CSRF protection)
  • Local storage: Used to store your authentication token for a seamless experience across page loads
  • Analytics: We may use third-party analytics tools (including TikTok Pixel) to understand how users interact with our platform

You can control cookies through your browser settings, though this may affect website functionality.

9. Marketing Communications

We may send you marketing communications about our services, promotions, and updates if you have opted in. You can opt out of marketing communications at any time by:

  • Updating your preferences in your account settings
  • Clicking the unsubscribe link in any marketing email
  • Contacting us directly at info@theslablab.co.uk

Please note that even if you opt out of marketing communications, we may still send you important service-related messages about your account or transactions (for example, purchase confirmations, shipping updates, and withdrawal notifications).

10. Your Rights (UK GDPR)

Under UK GDPR, you have the right to:

  • Access: Request copies of your personal data
  • Rectification: Request correction of inaccurate data
  • Erasure: Request deletion of your data (subject to legal retention obligations and any outstanding account obligations — see our Terms and Conditions, Section 22)
  • Restriction: Request limitation of processing
  • Portability: Request transfer of your data in a machine-readable format
  • Objection: Object to processing of your data

To exercise these rights, please contact us at info@theslablab.co.uk. We will respond to your request within 30 days as required by UK GDPR.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe we have not handled your personal data in accordance with UK GDPR. You can find more information at ico.org.uk.

11. Automated Decision-Making

We do not use automated decision-making or profiling that significantly affects users without human oversight. All significant decisions regarding your account, including account suspensions, withdrawal approvals, or fraud detection, involve human review and assessment.

Our provably fair card selection system uses a deterministic algorithm to assign cards, but this is a core service function (not a decision about you as an individual) and does not constitute automated decision-making under UK GDPR.

12. Data Retention

We retain your personal information for as long as necessary to:

  • Provide our services to you
  • Comply with legal obligations (including tax records, which we are required to retain for at least 6 years)
  • Resolve disputes and enforce agreements

When data is no longer needed, we will securely delete or anonymise it. Transaction records and email logs may be retained for legal and audit purposes even after account deletion.

13. Children's Privacy

Our services are not intended for individuals under 18 years of age. We require date of birth verification at registration and do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately and we will take steps to delete it.

14. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence through our use of third-party service providers (such as cloud hosting and image storage). We ensure appropriate safeguards are in place to protect your data in accordance with UK GDPR, including the use of standard contractual clauses where applicable.

15. Third-Party Links

Our website may contain links to third-party websites or services that are not operated by us. We are not responsible for the privacy practices or content of these third-party sites. We encourage you to review the privacy policies of any third-party sites you visit.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by emailing registered users and posting the updated Privacy Policy on this page with a revised "Last updated" date. You are advised to review this Privacy Policy periodically.

17. Terms and Conditions

Your use of The Slab Lab is also governed by our Terms and Conditions. Please review the Terms and Conditions alongside this Privacy Policy to understand the complete terms governing your use of our platform.

18. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your rights under UK GDPR, please contact us at info@theslablab.co.uk. We aim to respond to all enquiries within 30 days as required by UK GDPR.