Privacy Policy


MOUNTAIN LABS LLC.
A Wyoming Corporation
Privacy Policy

GDPR · KVKK · CCPA Compliant
Effective Date: April 8, 2025
Last Updated: April 2026

Mountain Labs LLC. |30 N Gould ST 37676 Sheridan WY 82801 USA
Email: info@mountainlabs.io | info@mountainlabs.io
Website: www.mountainlabs.io


Privacy Policy
This Privacy Policy describes how Mountain Labs LLC. ("Mountain Labs", "we", "us", or "our"), a corporation incorporated under the laws of the State of Wyoming, USA, collects, uses, stores, transfers, and protects your personal data when you visit our website, purchase our products (including the Odak Indoor Air Quality Monitor), or otherwise interact with us.
This policy is designed to comply with:
The European Union General Data Protection Regulation (EU GDPR 2016/679)
The UK GDPR (as retained in UK law)
The Turkish Personal Data Protection Law (Kişisel Verilerin Korunması Kanunu — KVKK No. 6698)
The California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA)
The Delaware Online Privacy and Protection Act

1. Data Controller
Data Controller: Mountain Labs LLC.
Registered Address: 30 N Gould ST 37676 Sheridan WY 82801 USA
Email: info@mountainlabs.io
Turkish Representative (KVKK): Mountain Labs Teknoloji A.Ş., Kocaeli Teknopark, Gebze, Kocaeli, Türkiye
Turkish Contact: info@mountainlabs.io


2. What Data We Collect
We collect the following categories of personal data:
2.1 Data You Provide Directly
Identity data: full name, company name
Contact data: email address, phone number, delivery address, billing address
Transaction data: purchase history, order details, payment method type (we do not store card numbers — payments are processed by Stripe Inc.)
Communications: messages sent to our support team, warranty claims, survey responses

2.2 Data Collected Automatically
Technical data: IP address, browser type and version, operating system, device identifiers
Usage data: pages visited, time on site, referral URLs, click data
Cookie data: session cookies, analytics cookies, preference cookies (see Cookie Policy)

2.3 Data from the Odak Device
The Odak IAQ Monitor operates on an offline-first architecture. By design:
Air quality measurements (CO2, VOC, temperature, humidity, pressure) are stored locally on the device.
We do NOT transmit air quality data to our servers unless you explicitly opt in to our optional cloud sync feature.
If you use the optional cloud sync, aggregated and anonymized environmental data may be stored on our servers hosted in the European Union.

3. Legal Basis for Processing (GDPR Article 6)
We rely on the following legal bases:
Legal Basis
Purpose
Performance of a contract
Processing your order, shipping your product, handling warranties and returns.
Legitimate interests
Fraud prevention, IT security, improving our products, direct marketing to existing customers (with opt-out).
Consent
Marketing emails to new contacts, non-essential cookies, optional cloud sync of device data. You may withdraw consent at any time.
Legal obligation
Compliance with tax, accounting, and consumer protection laws.
Vital interests
In exceptional circumstances where processing is necessary to protect life.


4. KVKK Basis for Processing (Article 5 & 6)
For data subjects in Türkiye, we process personal data on the following KVKK bases:
Explicit consent of the data subject (açık rıza) for marketing and optional cloud features.
Necessary for the performance of a contract to which the data subject is a party (m. 5/2-c).
Necessary to comply with a legal obligation (m. 5/2-ç).
Necessary for the establishment, exercise, or defense of legal claims (m. 5/2-e).
Necessary for the legitimate interests of the data controller, provided the fundamental rights of the data subject are not harmed (m. 5/2-f).

5. How We Use Your Data
Fulfilling and managing orders, deliveries, and returns
Processing payments via our third-party payment processor (Stripe)
Providing customer support and warranty services
Sending transactional emails (order confirmations, shipping updates)
Sending marketing communications (only with your consent or as a legitimate interest toward prior customers, with easy opt-out)
Improving our products, website, and services through analytics
Complying with legal and regulatory obligations
Preventing fraud and ensuring IT security

6. Data Sharing and Third Parties
We do not sell your personal data. We share data only in the following circumstances:
Recipient
Purpose
Stripe Inc.
Payment processing — card details are handled directly by Stripe under their privacy policy.
Shopify Inc.
E-commerce platform — order and customer data is stored on Shopify's servers.
Shipping carriers
Name and address shared with DHL, FedEx, UPS, or PTT as required for delivery.
Google Analytics / Plausible
Anonymized website usage statistics. We use privacy-preserving analytics where possible.
Mailchimp / Klaviyo / Substack
Email marketing — only for customers who have consented.
Legal authorities
When required by applicable law, court order, or government demand.


All third-party processors are bound by data processing agreements (DPAs) meeting GDPR Article 28 requirements.

7. International Data Transfers
Mountain Labs LLC. is based in the United States. When we transfer personal data from the European Economic Area (EEA), UK, or Turkey to the USA or other third countries, we rely on the following safeguards:
EU Standard Contractual Clauses (SCCs) adopted by the European Commission (Commission Decision 2021/914) for transfers from the EEA.
UK International Data Transfer Agreements (IDTA) for transfers from the UK.
For transfers from Turkey: we obtain explicit consent pursuant to KVKK Article 9, or rely on the existence of an adequate protection determination, or use contractual safeguards equivalent to SCCs.
We maintain records of all cross-border data transfers as required by KVKK Article 9.

8. Data Retention
Data Category
Retention Period
Order and transaction records
7 years (tax and commercial law compliance)
Customer account data
Duration of account + 3 years after last interaction
Marketing consent records
Until consent is withdrawn + 3 years
Website analytics data
26 months (anonymized after 14 months)
Support correspondence
3 years from resolution
Device data (if cloud sync enabled)
Duration of subscription + 12 months


9. Your Rights
Depending on your location, you have the following rights regarding your personal data:
9.1 Rights under GDPR (EEA/UK residents)
Right of access (Article 15): obtain a copy of your personal data.
Right to rectification (Article 16): correct inaccurate or incomplete data.
Right to erasure / 'right to be forgotten' (Article 17): request deletion of your data.
Right to restriction of processing (Article 18).
Right to data portability (Article 20): receive your data in a structured, machine-readable format.
Right to object (Article 21): object to processing based on legitimate interests or direct marketing.
Rights related to automated decision-making (Article 22).
Right to lodge a complaint with your national supervisory authority.

9.2 Rights under KVKK (Turkish residents — Article 11)
Learn whether your personal data has been processed (madde 11/a).
Request information if your personal data has been processed (madde 11/b).
Learn the purpose of processing and whether data is used in accordance with its purpose (madde 11/c).
Know the third parties to whom your data has been transferred domestically or abroad (madde 11/ç).
Request rectification of incomplete or incorrect data (madde 11/d).
Request erasure or destruction of data (madde 11/e).
Request notification to third parties of rectification or erasure (madde 11/f).
Object to processing of your data by automated systems that produce adverse results (madde 11/g).
Request compensation for damages caused by unlawful processing (madde 11/ğ).
To exercise your KVKK rights, you may submit a written application to: kvkk@mountainlabs.io or Mountain Labs Teknoloji A.Ş., Kocaeli Teknopark, Gebze, Kocaeli. We will respond within 30 days. Requests are free of charge; excessive requests may incur a fee per KVKK Board tariff.

9.3 Rights under CCPA (California residents)
Right to know: request disclosure of the categories and specific pieces of personal information we have collected.
Right to delete: request deletion of personal information we have collected.
Right to opt-out of sale: we do not sell personal information.
Right to non-discrimination: we will not discriminate against you for exercising your rights.

To exercise any of these rights, contact us at privacy@mountainlabs.io. We will respond within 30 days (GDPR), 30 days (KVKK), or 45 days (CCPA).

10. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
TLS/SSL encryption for all data transmitted via our website.
AES-256 encryption for data at rest.
Access controls — data accessible only to employees who need it.
Regular security reviews and penetration testing.
Incident response procedures with breach notification within 72 hours to supervisory authorities where required by GDPR.

11. Children's Privacy
Our products and services are not directed to children under the age of 16 (or under 18 in jurisdictions requiring parental consent for minors). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at privacy@mountainlabs.io and we will delete it promptly.

12. Supervisory Authorities
If you are located in the EEA and believe we are processing your data unlawfully, you have the right to lodge a complaint with your national data protection authority. A full list is available at: https://edpb.europa.eu/about-edpb/board/members_en
If you are located in the United Kingdom, you may contact the Information Commissioner's Office (ICO): https://ico.org.uk/
If you are located in Turkey, you may contact the Personal Data Protection Authority (Kişisel Verileri Koruma Kurumu — KVKK): https://www.kvkk.gov.tr/

13. Changes to This Policy
We may update this Privacy Policy periodically to reflect changes in law, technology, or our business practices. We will notify you of material changes by posting the revised policy on our website with a new effective date. Where required by law, we will seek your consent before making material changes.

14. Contact Us
Data Controller: Mountain Labs LLC.
Address: 30 N Gould ST 37676 Sheridan WY 82801 USA
Privacy inquiries (GDPR): info@mountainlabs.io
KVKK inquiries: info@mountainlabs.io
General inquiries: info@mountainlabs.io

 

Free Shipment

We ship globally for free

Easy Refund

If you're not happy with the product, we give easy refund within 14 days

2 Years Warranty

The warranty period starts from the date of delivery of the goods and lasts for 2 years.

Shopify Safe Payment

Shop flawlessly with Shopify Payments