Privacy Policy
This Privacy Policy explains how Axiom Analytics Labs LLC ("Axiom," "we," "us") collects, uses, discloses, and safeguards information when you use https://axiomanalytics.us, the client and laboratory portal, and our analytical services. We collect the minimum needed to run the lab and keep it accountable.
1. Information we collect
We collect:
- Account information: name, email, organization, and role you provide when you register or are provisioned a portal account.
- Sample and order data: product/compound names, lot numbers, vial counts, shipping details, optional client logo, and any notes you submit.
- Authentication data: securely hashed passwords and session records managed via our authentication provider (better-auth).
- Technical data: IP address, browser/device type, and basic usage logs collected for security and to operate the site.
- Communications: messages you send to us by email or through the portal.
We do not intentionally collect special-category personal data, and you should not submit it. Sample data describes substances, not people.
2. How we use information
- To perform analytical testing and produce, seal, store, and verify Certificates of Analysis;
- To operate the portal, authenticate you, and provide customer support;
- To process orders, invoices, and shipping coordination;
- To maintain security, prevent fraud and abuse, and keep an integrity/audit trail required for a defensible laboratory record;
- To improve our methods and Services using de-identified or aggregated data; and
- To comply with legal obligations and enforce our Terms.
3. Legal bases
Where applicable law (such as the GDPR) requires a legal basis, we rely on: performance of a contract (providing the Services you request), legitimate interests (operating and securing the lab and verification system), consent (where specifically requested, e.g. non-essential cookies), and compliance with legal obligations.
4. How we share information
We do not sell your personal information. We share it only with:
- Service providers / sub-processors who operate our infrastructure under contract, for example database hosting (Neon), application hosting (Railway), object storage for uploaded files (S3-compatible), and DNS/security (Cloudflare);
- Contracted laboratory partners strictly to the extent needed to perform testing you requested;
- Authorities or third parties when required by law, subpoena, or to protect rights, safety, and the integrity of the verification system; and
- A successor entity in connection with a merger, acquisition, or asset sale, subject to this Policy.
Note that the verification interface intentionally exposes COA authenticity data (report identifier, status, hash, and seal) publicly, by design, so that anyone holding a report identifier can confirm it. It does not expose your account or contact details.
5. Data retention
We retain account and order data for as long as your account is active and as needed to provide the Services. Released COAs and their cryptographic seals, hashes, and revision history are retained on a long-term basis as part of an immutable, verifiable laboratory record, even after an account closes, so that previously issued certificates remain verifiable. We retain other personal data only as long as necessary for the purposes above or as required by law.
6. Security
We use technical and organizational measures appropriate to the risk, including encryption in transit, hashed credentials, httpOnly session cookies, role-based access control, and cryptographic sealing of COAs. No method of transmission or storage is perfectly secure, and we cannot guarantee absolute security.
7. Your rights
Depending on your location, you may have rights to access, correct, delete, or port your personal data, to object to or restrict certain processing, and to withdraw consent. California residents have rights under the CCPA/CPRA, including the right to know, delete, and opt out of "sale" or "sharing" (we do not sell or share personal information as those terms are defined). To exercise any right, contact privacy@axiomanalytics.us. We will not discriminate against you for exercising your rights.
Some data cannot be erased without undermining the integrity of an issued certificate (e.g. the sealed contents of a released COA). Where that applies, we will explain the limitation.
8. Cookies
We use strictly necessary cookies for authentication and security. See our Cookie Policy for details.
9. International transfers
We operate primarily in the United States. If you access the Services from outside the U.S., your information may be transferred to and processed in the U.S. and other countries where our providers operate, with appropriate safeguards where required.
10. Children
The Services are intended for business and research use and are not directed to children under 18. We do not knowingly collect personal data from children.
11. Changes and contact
We may update this Policy; material changes will be marked with a new effective date. Questions or requests: privacy@axiomanalytics.us · Axiom Analytics Labs LLC, 2108 N St Ste N, Sacramento, CA 95816, USA.