Privacy Policy
Last updated: 12 July 2026
This Privacy Policy explains how Limitless Lab Innovations Pte. Ltd. ("Limitless Lab", "we", "us") collects, uses, and protects information when you use CoCreate AI (the "Service"). We handle personal data in accordance with Singapore's Personal Data Protection Act (PDPA) and, where applicable, the EU General Data Protection Regulation (GDPR).
1. Who we are
Limitless Lab Innovations Pte. Ltd. is the data controller for personal data processed through the Service. We are incorporated in Singapore. You can reach us at hello@limitlesslab.org.
2. Data we collect
- Account data: email address, display name, and authentication metadata for facilitator accounts.
- Session content: titles, descriptions, and guide questions you create.
- Participant submissions: display names participants choose and the ideas and upvotes they contribute. No participant login is required.
- Generated outputs: themes, posters, and slide content produced by the Service from your session.
- Usage & technical data: log data, device and browser information, IP address, and basic analytics needed to operate and secure the Service.
- Cookies: essential cookies to maintain your session; no advertising cookies.
3. How we use data
- To provide, maintain, and improve the Service.
- To generate the deliverables you request (synthesis, poster, slides).
- To secure the Service, prevent abuse, and comply with legal obligations.
- To communicate service updates and, if you opt in, product announcements.
4. Legal bases (PDPA & GDPR)
We process personal data on the following bases: your consent (e.g. creating an account, joining a session), performance of a contract (delivering the Service you requested), our legitimate interests (securing and improving the Service), and compliance with legal obligations.
5. AI processing
Session content is sent to third-party AI models (via an AI gateway provider) to generate themes, posters, and slides. Only the content necessary to produce the requested deliverable is shared. We do not authorize model providers to use your content to train their foundation models beyond what is required to return the response.
6. Sharing & subprocessors
We share personal data only with vendors that help us operate the Service, under appropriate contracts. Categories include:
- Cloud hosting and content delivery.
- Managed database and authentication providers.
- AI model gateway providers used to generate synthesis and deliverables.
- Analytics and error-monitoring providers used to keep the Service reliable.
We do not sell personal data.
7. Cookies
We use strictly necessary cookies to keep you signed in and to remember your session preferences. We do not use advertising cookies or cross-site tracking cookies.
8. Data retention
We retain account and session data for as long as your account is active or as needed to provide the Service. You can delete individual sessions from your dashboard, which removes the associated questions, responses, synthesis, and outputs. Backups and logs may persist for a limited period before being overwritten. We may retain data longer where required by law.
9. Your rights
Depending on your jurisdiction, you may have the right to access, correct, update, or delete your personal data; to withdraw consent; to object to or restrict certain processing; and to lodge a complaint with a data-protection authority. To exercise these rights, contact us at hello@limitlesslab.org. We will respond within a reasonable time and in line with applicable law.
10. International transfers
The Service is operated from Singapore and uses vendors that may process data in other jurisdictions. Where personal data is transferred outside your jurisdiction, we rely on appropriate safeguards (such as standard contractual clauses) required by applicable law.
11. Children
The Service is not directed to children under 16. Facilitators should not invite participants under that age without appropriate parental consent and applicable legal safeguards.
12. Security
We use industry-standard technical and organizational measures to protect personal data, including transport encryption, access controls, and row-level security in our database. No system is perfectly secure; we encourage you to use strong, unique passwords and to report any suspected security issue to us.
13. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be notified through the Service or by email. The "Last updated" date at the top reflects the most recent revision.
14. Contact
Questions or requests about this Privacy Policy can be sent to hello@limitlesslab.org.
This document is a general template provided for convenience. It is not legal advice. You should consult qualified counsel to ensure it fits your specific circumstances and jurisdiction.