Legal
Privacy Policy
How Tree Labs collects, uses, and protects personal data on treelabs.co.
Last updated June 8, 2026
Tree Labs builds AI agents for businesses. This policy explains what personal data we collect when you visit treelabs.co, what we do with it, and how to exercise the rights European data protection law gives you.
We try to write this in plain language. If anything is unclear, email privacy@treelabs.co and we will explain.
Who we are
Tree Labs is the trading name of the company that operates treelabs.co. We are the data controller for personal data collected through this website.
- Email for privacy questions: privacy@treelabs.co
- General contact: info@treelabs.co
If you are reaching us under the GDPR, our address and registration details are available on request.
What we collect and why
We collect personal data in three situations.
1. When you contact us
If you use the contact form, the roadmap builder, or email us directly, we collect:
- Your email address (required).
- Your phone number (only if you opt in to SMS or voice follow-up).
- Anything you choose to tell us in the message: company name, role, project description, attachments.
We use this information to reply to you and, if you become a client, to scope and deliver the engagement. Legal basis: taking steps at your request before entering into a contract (GDPR Art. 6(1)(b)), and our legitimate interest in responding to business inquiries (Art. 6(1)(f)).
2. When you use the roadmap builder
The roadmap builder at /roadmap accepts a free-text description of your project and produces a phased plan with price ranges. We store:
- The project description you submit.
- The roadmap configuration you generate (selected service, scale, edits).
- Any optional file you upload.
- A short identifier so you can return to the saved roadmap by URL.
We use this to power the tool, to follow up if you ask us to email the roadmap, and to improve the questions our classifier asks. Legal basis: taking steps at your request before entering into a contract (Art. 6(1)(b)) and our legitimate interest in improving the tool (Art. 6(1)(f)).
We do not sell your project description or use it to train a public AI model.
3. When you browse the site
We use PostHog for product analytics. PostHog records pages viewed, approximate location (country-level, from your IP), device type, and a randomly assigned visitor identifier. We do not collect cookies that identify you personally for advertising.
Our hosting provider (Vercel) keeps standard server logs for security and reliability: IP address, user agent, requested path, and timestamp.
Legal basis: our legitimate interest in understanding how the site is used and keeping it secure (Art. 6(1)(f)). If your browser sends a Do-Not-Track signal, we respect it.
Who processes data for us
We use a small number of vendors to operate the site. Each is bound by a written agreement and processes data only on our instructions.
| Processor | What they handle | Where |
|---|---|---|
| Vercel | Hosting, server logs | US / EU |
| Neon | Database for saved roadmaps and leads | EU |
| Resend | Outbound email (roadmap copies, internal notifications) | US |
| OpenAI (via Vercel AI Gateway) | Classifies your project description into a service category | US |
| PostHog | Product analytics | EU |
| Upstash | Rate limiting | EU |
| Cloudflare Turnstile | Bot protection on form submissions | Global |
This list may change. The current list is always the one in this document.
International transfers
Some of our processors are based outside the European Economic Area, including in the United States. When personal data leaves the EEA, we rely on the EU Standard Contractual Clauses approved by the European Commission as the transfer mechanism. We also configure EU-region storage where the vendor offers it.
How long we keep things
- Contact and roadmap submissions: up to 3 years from the last interaction, then deleted or anonymised. If we become engaged on a project, we keep records for the duration of the engagement and 7 years afterwards for tax and accounting purposes.
- Server logs: up to 30 days.
- Analytics events: up to 12 months.
If you would like us to delete your data sooner, see "Your rights" below.
Your rights
Under the GDPR you have the right to:
- Access the personal data we hold about you.
- Correct information that is wrong or incomplete.
- Delete your data (the "right to erasure").
- Restrict or object to our processing.
- Receive a copy of your data in a portable format.
- Withdraw consent at any time, where we relied on consent.
- Lodge a complaint with a supervisory authority in the EU member state where you live or work.
To exercise any of these, email privacy@treelabs.co. We will reply within 30 days. We may ask you to confirm your identity before acting on a request.
Cookies
We use the minimum cookies needed to run the site. We do not use advertising cookies and we do not sell data to advertisers.
| Cookie | Purpose | Duration |
|---|---|---|
| PostHog distinct_id | Anonymous visitor identifier for analytics | 12 months |
| Vercel session | Server-side session bookkeeping | Session |
Children
The site is intended for businesses, not children. We do not knowingly collect data from anyone under 16. If you believe we have, email privacy@treelabs.co and we will delete it.
Changes to this policy
If we change this policy in a way that affects your rights, we will update the "Last updated" date and, where reasonable, notify people who have given us their email.
Contact
Privacy questions: privacy@treelabs.co General contact: info@treelabs.co