ThePlaceLabs

Privacy Policy

Last updated: 2026-05-20

This Privacy Policy explains what data ThePlaceLabs (“we,” “our”) collects when you use any of our applications undertheplacelabs.com, how it is stored, and how to request changes or deletion. By using our services, you agree to the practices described below.

1. Data we collect

  • Account data. When you create an account, we store your username, email, and a hashed password. We never store your password in plain text.
  • OAuth/OIDC session data. When you sign in to one of our child apps through ThePlaceLabs identity, we store a session token tied to that app and the OIDC claims (subject, name, email, role) needed to verify your access.
  • Application data. Each child app may store data you produce while using it (for example, golf rounds in Eagle Rank, collection items in Trove, saved bank queries in Bank Beacon). This data is scoped to your account and is not sold or shared.
  • Operational data. Web-server access logs (IP address, request path, status code, user agent) are retained briefly for security and abuse response.

2. Where the data lives

All user data is stored in PostgreSQL databases on infrastructure operated by ThePlaceLabs. Database backups are stored in the same operational environment and rotated periodically. Data does not leave this infrastructure except for the third-party processors listed below.

3. Cookies

We use cookies to keep you signed in. The main cookies are:

  • tpl_session — set by ThePlaceLabs when you sign in to the parent portal; identifies you across child-app consent screens.
  • Per-child-app session cookies (for example, bb_session, egr_session, trove_session) — set by each child app after successful sign-in.

Session cookies are HttpOnly and Secure in production. We do not use third-party advertising or tracking cookies.

4. Third-party processors

  • Resend — transactional email delivery (password resets, contact form submissions).
  • Sentry — error tracking. Sentry receives crash and exception traces from our applications. We avoid sending personally identifiable information into Sentry payloads.
  • Cloudflare — DNS, CDN, and proxy for some traffic.
  • FFIEC public data— Bank Beacon reads bank call-report data from the FFIEC's public dataset. We do not send any of your data to the FFIEC.

5. How long we keep data

We keep account and application data for as long as your account is active. Server access logs are typically retained for less than 30 days. You may request deletion of your account and associated data at any time (see Section 7).

6. Sharing

We do not sell your personal data. We do not share your data with third parties except the processors listed above and only as needed to operate the services.

7. Your rights — access, correction, deletion

You can request a copy of the data we hold about you, request corrections, or request deletion of your account. To do so, email [email protected] or use the contact form. We will respond within a reasonable timeframe.

8. Children

Our services are not directed at children under 13, and we do not knowingly collect personal information from children.

9. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will update the “Last updated” date at the top.

10. Contact

Privacy questions: [email protected].