← Back to site
// Legal

Privacy Policy

Effective June 18, 2026 Last updated June 18, 2026 Version 1.0

// The short version

01 Who we are & scope

This Privacy Policy explains how AAT Labs, an independent agent acceptance testing practice operated by Shayne Beavan (“AAT Labs,” “we,” “us,” or “our”), handles personal information collected through the website at aatlabs.dev (the “Site”). For the personal information collected through the Site, AAT Labs is the “controller” (GDPR) and “business” (CCPA/CPRA).

This policy covers only the Site. Personal information processed during a paid testing engagement is governed by the separate written services agreement and any data-processing addendum we sign with the client.

02 Information we collect

2.1 Information you give us (enquiry form)

Name
Your name, so we can address our reply.
Work email
Where we send our response.
Company
The organization you represent.
Launch window
When your agent is going live, to gauge urgency.
Engagement tier
The service you're interested in.
Agent description
Free-text detail about what your agent does. Please keep this high-level and do not include secrets, credentials, or third-party confidential information.

2.2 Information collected automatically

When you visit the Site, our hosting provider automatically records standard technical data such as your IP address, browser and device type, referring page, pages viewed, and timestamps. This is used for security, diagnostics, and basic, aggregate traffic understanding.

2.3 What we do not collect

  • We do not collect payment-card information on the Site (there is no checkout).
  • We do not knowingly collect special-category / sensitive personal information.
  • We do not run advertising, cross-context behavioral, or social-media tracking pixels.

03 How we use information

  • To respond to your enquiry, answer questions, and provide requested information;
  • To assess fit and, where appropriate, prepare a proposal or scope a possible engagement;
  • To operate, secure, maintain, and improve the Site;
  • To detect, prevent, and respond to fraud, abuse, or security incidents; and
  • To comply with legal obligations and enforce our Terms of Service.

We do not use the free-text content of your enquiry to train machine-learning models, and we do not sell your personal information.

04 Legal bases (EEA/UK)

If you are in the European Economic Area or the United Kingdom, we rely on the following legal bases under the GDPR / UK GDPR:

  • Legitimate interests — to respond to your enquiry, run and secure the Site, and pursue B2B business development, balanced against your rights;
  • Steps prior to a contract — to evaluate and discuss a possible engagement you initiated; and
  • Legal obligation — where we must process data to comply with law.

05 How we share information

We share personal information only as follows:

  • Service providers (processors) — vetted vendors who act on our behalf under contract, currently our website hosting provider and our transactional-email provider, used to operate the Site and deliver our replies. They may process your data only on our instructions.
  • Legal & safety — when required by law, subpoena, or legal process, or to protect the rights, safety, and property of AAT Labs, you, or others.
  • Business transfers — in connection with a merger, acquisition, financing, or sale of assets, subject to this policy.

We do not “sell” your personal information and do not “share” it for cross-context behavioral advertising, as those terms are defined under U.S. state privacy laws.

06 Cookies & tracking

The Site uses only strictly necessary, first-party storage required for the page to function and stay secure. We do not currently use analytics, advertising, or third-party tracking cookies, so no cookie-consent banner is required. We honor browser Global Privacy Control (GPC) signals as a valid opt-out where applicable. If we add analytics or other non-essential cookies in the future, we will update this policy and provide any consent controls the law requires.

07 Data retention

We keep enquiry information for as long as needed to respond to and follow up on your request, and thereafter for a reasonable period to maintain business records and meet legal, accounting, or dispute-resolution needs — typically up to 24 months from your last contact, unless a longer period is required by law or a shorter period is requested by you. Server logs are retained for a limited period for security and diagnostics. When no longer needed, information is deleted or anonymized.

08 Data security

We use reasonable administrative, technical, and organizational measures appropriate to the limited data we hold, including encryption in transit (HTTPS), access controls, and reputable infrastructure providers. No method of transmission or storage is perfectly secure, so we cannot guarantee absolute security; please do not send sensitive technical secrets through the form.

09 Your U.S. state rights

Depending on your state of residence (for example, California under the CCPA/CPRA, and comparable laws in Virginia, Colorado, Connecticut, Utah, Texas, and others), you may have the right to:

  • Know / access the personal information we have collected about you and how we use and disclose it;
  • Correct inaccurate personal information;
  • Delete personal information we hold about you;
  • Opt out of any sale or sharing of personal information for targeted advertising — note that we do not sell or share your information; and
  • Non-discrimination for exercising your rights.

You may use an authorized agent to submit a request; we may verify the agent's authority and your identity. We do not use or disclose sensitive personal information beyond the purposes permitted under the CCPA/CPRA.

10 Your EEA/UK rights

If you are in the EEA or UK, you have the right to access, rectify, erase, restrict, or object to processing of your personal data, to data portability, and to withdraw consent where processing is based on consent. You also have the right to lodge a complaint with your local supervisory authority. We will respond to requests in line with applicable law.

11 How to exercise your rights

To make any privacy request, email privacy@aatlabs.dev with “Privacy Request” in the subject line and tell us what you'd like to do. We will verify your request using the contact details we hold and respond within the timeframe required by applicable law (generally 30–45 days, extendable where permitted). There is no charge for a reasonable request.

12 International transfers

We operate from the United States, and our service providers may process data in the United States and other countries. Where we transfer personal data from the EEA or UK, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (and the UK Addendum) where required. You may contact us for more information about these safeguards.

13 Children's privacy

The Site is a business-to-business service and is not directed to children. We do not knowingly collect personal information from anyone under 16. If you believe a child has provided us personal information, contact us and we will delete it.

14 Third-party links

The Site may link to third-party websites or resources we do not control. This policy does not apply to those sites; please review their privacy policies.

15 Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will revise the “Last updated” date above and post the new version here. If changes are material, we will take additional steps as required by law. Your continued use of the Site after an update means you acknowledge the revised policy.

16 Contact us

Questions or requests about your privacy:

AAT Labs (operated by Shayne Beavan)
Privacy: privacy@aatlabs.dev
General: hello@aatlabs.dev