Published Oct 23, 2025 · 9 min read · by AI Viral Test Lab

Data Privacy & Compliance Checklist for AI Viral Labs

AI labs feel playful, but they still touch user data. This checklist outlines the privacy practices we follow so TikTok-ready experiments stay compliant across regions.

1. Collect the bare minimum

AI Viral Test Lab never asks for names, phone numbers, or logins. Credits are tracked via an anonymized client_id generated in usage.js. When you design your own lab, map every data field to a reason. If a field does not feed the card or billing, drop it.

2. Explain the use case

Our Privacy Policy clearly states how inputs are processed: prompts go to the LLM, outputs are not stored long term, and share logs are anonymized. Add similar language near your input form. Users appreciate seeing a one-sentence summary such as "Prompts are processed instantly and not saved."

3. Respect regional rights

Even if you operate from Hong Kong, customers may come from the EU or US. Provide an email (support@aiviraltestlab.com) and the new support page so people can request deletions or credit refunds. Keep a lightweight CRM spreadsheet noting when someone exercised a right of access or erasure.

4. Limit retention

Prompts are ephemeral. Credit balances live in SQLite with daily reset logic. Share logs rotate every 30 days. When building your lab, set TTLs inside Redis or your database so stale metadata disappears automatically.

5. Secure payment data

We never touch card numbers. Stripe hosts Checkout and sends only order metadata through /api/stripe/webhook. If you add an additional provider, follow the same pattern: tokenize payments elsewhere, store only the pack ID, amount, and client identifier.
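As an added illustration of the "store only the pack ID, amount, and client identifier" rule (example code, not the lab's own webhook handler): a function that reduces a Stripe Checkout webhook event to those three fields and discards everything else. It assumes the raw body was already verified with the Stripe SDK (stripe.webhooks.constructEvent) before the parsed event reaches this function, and that the pack ID was put in the Checkout Session's metadata as `pack_id` and the anonymous client_id in `client_reference_id` when the session was created.

```javascript
// Added example, not the lab's own code. Assumes signature verification
// (stripe.webhooks.constructEvent) has already run on the raw body, and that
// the session was created with metadata.pack_id and client_reference_id set
// to the pack and the anonymous client_id (both are assumptions).

const ALLOWED_EVENT = 'checkout.session.completed';

/**
 * Return { packId, amount, clientId } for a completed checkout, or null when
 * the event is another type or a required field is missing. Nothing else in
 * the payload (customer email, names, line items) is copied out, so the
 * database never sees it.
 */
function minimizeCheckoutEvent(event) {
  if (!event || event.type !== ALLOWED_EVENT) return null;
  const session = event.data && event.data.object;
  if (!session) return null;

  const packId = session.metadata && session.metadata.pack_id;
  const clientId = session.client_reference_id;
  const amount = session.amount_total; // integer, in the smallest currency unit

  if (typeof packId !== 'string' || typeof clientId !== 'string' ||
      !Number.isInteger(amount) || amount < 0) {
    return null; // reject rather than store a half-formed record
  }
  return { packId, amount, clientId };
}

// Constructed sample event in the shape Stripe sends. The email is included
// on purpose to show that it is dropped by the function above.
const sampleEvent = {
  id: 'evt_constructed_example',
  type: 'checkout.session.completed',
  data: {
    object: {
      id: 'cs_constructed_example',
      amount_total: 499,
      currency: 'usd',
      client_reference_id: 'anon-3f9c2b',
      customer_details: { email: 'someone@example.com' },
      metadata: { pack_id: 'starter_50' },
    },
  },
};

const record = minimizeCheckoutEvent(sampleEvent);
// record → { packId: 'starter_50', amount: 499, clientId: 'anon-3f9c2b' }
```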

6. Prepare an incident flow

Draft a one-page plan covering who to notify, how to pause labs, and how to send user emails if an API key leaks. Save email templates (plain text and HTML) so you are not improvising during a crisis.

7. Keep dependencies updated

Run npm audit, rotate API keys annually, and monitor vendor status pages (OpenAI, DeepSeek, Gemini, Claude, Stripe). We log incidents in Notion and add a retro after each event; think of it as a postmortem lite.