Terms and Conditions

1. Legal Notice

Business Name: Advance Lab

VAT: VAT not applicable — art. 293 B CGI (French tax code)

Email: advancelab@proton.me

Hosting Provider: Cloudflare, Inc. — 101 Townsend St, San Francisco, CA 94107, USA. All site traffic and data are processed through Cloudflare's global network.

2. General Terms and Conditions of Sale

2.1 Purpose and Scope

These General Terms and Conditions of Sale apply to all orders placed on the Advance Lab website. They govern the contractual relationship between Advance Lab (the "Seller") and any purchaser (the "Customer"). By placing an order, the Customer accepts these Terms in their entirety.

2.2 Products and Services

Advance Lab specializes in the sale of accessories and jewelry through our online store.

2.3 Orders

Order Process:

  1. Select desired products and choose your payment method: "Buy with Monero (XMR)" or "Pay with Card (Stripe)".
  2. Monero: Send the exact XMR amount shown to the generated address from a personal wallet (Cake Wallet, Monerujo, or Feather). Card: Enter your card details in Stripe's secure payment form.
  3. Complete the order form with your full shipping details (address, email, name). For Monero, include your transaction ID (Tx Hash); for card, your payment is processed inline and the PaymentIntent ID is matched automatically. All data is PGP-encrypted in your browser before transmission — including your email and name. No plaintext personal data ever reaches our servers.
  4. After submitting, you will receive an order number displayed on the page. Use this for all future correspondence.
  5. Wait for payment confirmation and order processing.

Order Acceptance: We reserve the right to refuse or cancel orders for legitimate reasons including product unavailability, pricing errors, or suspected fraudulent activity.

3. Payment Terms — Monero (XMR) via NOWPayments & Card (Stripe)

3.1 Payment Methods

We offer two payment methods: Monero (XMR) processed via NOWPayments, and credit/debit card processed via Stripe. You may choose either method at checkout.

3.2 Card Payments (Stripe)

Card payments are processed by Stripe, a PCI DSS Level 1 compliant payment processor. Your card details are handled entirely within Stripe's secure iframe — they never reach our servers. We store only the Stripe PaymentIntent ID to match your order.

By choosing card payment, you authorize Stripe to charge the exact amount shown at checkout. All card payments are immediate and non-reversible once processed. Refunds follow our standard Returns & Refunds policy.

Stripe receives no personal identifying information from us — only the payment amount and order reference. Your name, email, and shipping address are PGP-encrypted before transmission, exactly as with Monero payments.

3.3 Monero — Irreversibility & Blockchain Confirmation

Monero payments are irreversible once confirmed by NOWPayments. We cannot cancel or refund payments made to an incorrect address, wrong amount, or erroneous transfer. Always verify the QR code and the exact amount generated by NOWPayments.

3.4 Monero — Volatility & Exchange Risk

The displayed XMR amount is locked at the time of generation (valid for approximately 1 hour). Any post-payment price fluctuation is borne by the customer. We do not guarantee any conversion or refund in the event of exchange rate changes.

3.5 No Systematic Client KYC

NOWPayments operates on a non-custodial basis. We do not collect KYC data on XMR payments unless required by TRACFIN for transactions exceeding legal thresholds or under reasonable suspicion (in accordance with French AML/CFT regulations).

3.6 AML / Reporting (Both Methods)

In accordance with TRACFIN and MiCA obligations, suspicious transactions or those exceeding legal thresholds may be reported without prior notice to the customer.

3.7 Proof of Payment

Monero: For any dispute, provide your TxID / Monero proof (via Cake Wallet or block explorer). Card: The Stripe PaymentIntent ID serves as proof. We verify exclusively through NOWPayments, the blockchain, or Stripe accordingly.

3.8 Tax Treatment

XMR payments are treated like any conventional payment method for VAT purposes. Prices are without VAT (VAT not applicable — art. 293 B CGI). Exports outside the EU are VAT-exempt. We declare income according to BIC/BNC rules (French tax regime for industrial and commercial profits / non-commercial profits).

3.9 NOWPayments Liability

NOWPayments is a third-party provider. We disclaim all liability in the event of downtime, technical errors, or API outages on their side.

3.10 Monero Privacy Specific

Monero protects the confidentiality of transactions. We cannot see the sender or the final recipient. This strengthens your privacy but limits our ability to trace transactions in the event of a dispute.

3.11 Processing Time

Card (Stripe): Orders are validated immediately upon payment confirmation by Stripe. Monero (XMR): Orders are validated only after confirmed receipt via NOWPayments (typically < 1 hour). Delivery time begins upon confirmation for both methods.

3.12 Payment Method Notice

XMR payments processed via NOWPayments (non-custodial, MiCA transitional compliant). See AMF whitelist for registered crypto service providers.

The exact XMR amount shown at checkout is locked by NOWPayments and includes their transaction fee. The total order is displayed separately in your selected currency. The equivalent shown in your wallet may differ slightly from the exchange rate used at checkout.

3.13 Mandatory Order Form Submission

For safety reasons and to protect your privacy, we will only process orders that have been submitted through the official order form on our website, including a valid payment reference (Tx Hash for Monero, PaymentIntent ID for card) and your complete shipping details.

Orders paid via Monero without a matching form submission — including unsolicited transfers to wallet addresses — cannot be automatically matched or fulfilled. The transaction will be considered orphaned and no shipment will be made until a matching order submission is completed or our team is contacted directly. For card payments, the PaymentIntent ID is matched automatically when the form is submitted.

This policy exists to protect both parties: it guarantees that your shipping data, email, and name are PGP-encrypted before transmission — we never store your personal information in plaintext. Your order number (displayed after form submission) is the only reference you need for correspondence.

Because all customer data is encrypted, we cannot send automated email confirmations directly from the PGP blob. If you opt in for email notifications, your address is used once to send a confirmation via Resend and is not stored in plaintext. If the email fails to send (e.g., temporary outage), it is automatically queued and retried until delivery succeeds. If you have questions, contact us with your order number.

3.14 Late Payments (Monero only, late_paid)

The displayed XMR amount is valid for approximately 1 hour. If a payment arrives after the window has expired (NOWPayments late_paid status), the exchange rate may have shifted and the received amount may differ from the original quote.

Late payments are reviewed manually. If the received XMR covers the original order value at the current rate, we will honor the order. If not, we will contact the customer to arrange a top-up or refund. No automatic notification is sent for late or expired payments — if you believe your payment arrived late, contact us directly.

4. Delivery — Worldwide

  • France: 10 business days after payment confirmation
  • Europe (EU): 15 business days after payment confirmation
  • International (World Zone 1 — US, UK, CH, JP, CA, etc.): 20 business days after payment confirmation
  • Rest of World (World Zone 2): 20 business days after payment confirmation

Risk Transfer: Ownership and risk transfer to Customer upon delivery confirmation.

5. Right of Withdrawal (EU Consumers)

EU consumers have the legal right to withdraw from their purchase within 14 days from receipt without giving any reason, in accordance with Article L.221-18 of the French Consumer Code. Products must be returned in original condition and packaging. Custom or personalized items are exempt from this right (Art. L.221-28). Return shipping costs are borne by the Customer unless the product is defective.

In addition to the legal 14-day right, we voluntarily offer a 30-day return policy for all non-custom items. See our Returns & Refunds page for details.

6. Warranties and Liability

Products are covered by legal warranties against defects and non-conformity per French Consumer Code. Our liability is limited to the purchase price.

7. Intellectual Property

© 2026 Advance Lab. All designs, products, images, text, graphics, logos, and code on this website are the exclusive intellectual property of Advance Lab and are protected by applicable copyright, trademark, and design laws.

No Reproduction. No part of this website or its content may be reproduced, distributed, modified, displayed, copied, or transmitted in any form or by any means without prior written permission from Advance Lab. This includes, but is not limited to: product photographs, 3D renders, technical drawings, branding materials, editorial text, and page layouts.

AI Training Prohibited. All content on this website is explicitly excluded from use as training data for machine learning models, artificial intelligence systems, or any automated extraction process. This site is blocked by AI crawlers via robots.txt and X-Robots-Tag: noai, noimageai headers on all media assets.

Content Credentials. All images on this site are signed with C2PA Content Credentials containing cryptographic assertions of authorship, copyright, and non-AI origin. Any image lacking valid Advance Lab Content Credentials should be considered unauthorized.

Enforcement. Unauthorized use of our intellectual property, including scraping, hotlinking, or reproduction without permission, may result in legal action. To request permission, contact us at advancelab@proton.me.

8. Privacy Policy (GDPR Compliance)

Advance Lab is the data controller for personal data collected through our website.

Data Collected: We collect only the data you provide through our order form (name, shipping address, email, transaction ID) or contact form (name, email, message). All personal data is PGP-encrypted on your device before transmission. Your name, email, and shipping address are never stored or processed in plaintext — they reside exclusively in the PGP-encrypted blob.

Email address: If you opt in for order confirmation emails, your email address is used once to send your confirmation via Resend and is not stored in plaintext. It is never shared with third parties, never used for marketing. All personal data (name, email, shipping address) remains PGP-encrypted in the blob and is never stored in plaintext.

Your IP address (CF-Connecting-IP) is temporarily processed by Cloudflare for rate limiting and security purposes — it is not logged or stored by Advance Lab.

Data Sharing: We do not sell or share your data with third parties beyond what is necessary to fulfill your order. Shipping carriers receive only the information needed for delivery.

Data Processors: We use Resend to deliver encrypted PGP blobs (which include shipping addresses) to our team. Since the blobs are PGP-encrypted, Resend cannot read them — decryption requires the private key held exclusively by Advance Lab. No customer-facing transactional emails are sent; Resend is used only for admin notifications. The PGP key is rotated periodically and immediately if compromised. NOWPayments processes payment data (transaction hashes, payment amounts, wallet addresses) for Monero payment verification as described in Section 3. Stripe processes card payment data (payment amount, PaymentIntent ID) as described in Section 3 — Stripe is PCI DSS Level 1 compliant and receives no personal identifying information from us. Cloudflare provides hosting infrastructure (CDN, DDoS protection, Workers) and temporarily processes IP addresses for rate limiting. No other third parties process your personal data.

Data Retention: Order metadata (payment ID, items, amount, status) is retained for 10 years as required by French accounting law (Code de commerce, Article L123-22). The encrypted personal data blob (name, email, shipping address) is zeroed 5 years after fulfillment in accordance with standard commercial limitation periods. Contact form encrypted data is zeroed after 5 years; the ticket number and timestamp are retained. You may request earlier erasure of your encrypted data at any time.

Your Rights: Under GDPR, you have rights to access, rectify, erase, and port your data (Art. 15–20). To exercise these rights, contact us at advancelab@proton.me with your order number and we will respond within one month.

Right of Access — How It Works: Because all personal data (name, email, shipping address) is PGP-encrypted before transmission, we cannot read or export it without your request. To obtain a copy of your data: (1) contact us with your order number; (2) we decrypt the relevant encrypted blob using our private key; (3) we provide the plaintext data to you via encrypted email or secure download. This request is free of charge. Data can only be accessed within the retention period stated above — once the encrypted blob is zeroed (5 years after fulfillment), no decryption is possible.

Data Security: We implement multiple independent layers of protection for all data and transactions:

  • PGP encryption (OpenPGP.js) — All personal data (name, email, shipping address) is encrypted in your browser before transmission. Our servers store only the encrypted blob. The SHA-256 hash of the PGP public key is verified client-side to prevent man-in-the-middle attacks.
  • Content Security Policy — Strict CSP headers block all unauthorized scripts, frames, and external connections. Only js.stripe.com is permitted as an external script source for card payments. No analytics, no trackers, no third-party fonts.
  • HTTPS everywhere — HSTS with preload (1 year), upgrade-insecure-requests enforced, Referrer-Policy: no-referrer to prevent URL leakage.
  • Webhook signature verification — Stripe webhooks are verified via HMAC-SHA256 with constant-time comparison, timestamp anti-replay (5-minute window), SHA-256 payload dedup, and server-side re-fetch from Stripe's API. NOWPayments IPNs are verified via HMAC-SHA512 with SHA-256 dedup and API re-query.
  • Rate limiting — All API endpoints are rate-limited per IP+User-Agent via D1-backed sliding window counters (TOCTOU-safe). Order submissions: 3/hour. Payment creation: 200/hour. Webhooks: 30/minute.
  • Email delivery resilience — All transactional emails are retried up to 3 times with exponential backoff (1s, 3s). If delivery permanently fails, the email is queued in D1 and retried by the hourly cleanup worker, with backoff up to 60 minutes and a maximum of 3 queue attempts before escalation.
  • Minimal plaintext storage — Name and shipping address are never stored in plaintext. Email address is stored in plaintext only if the customer opts in for order confirmation emails; it is used exclusively for transactional notifications and is automatically zeroed 90 days after fulfillment. All other personal data resides exclusively in the PGP-encrypted blob.
  • PCI DSS Level 1 — Card payments are processed entirely within Stripe's secure iframe (PCI DSS Level 1 certified). Card numbers never touch our servers. Stripe receives no personal identifying information from us — only the payment amount and order reference.
  • Hotlink protection — All media assets are served via authenticated Workers with Referer verification, path traversal prevention, and rate limiting (500 requests/minute per IP).
  • C2PA Content Credentials — All images are signed with cryptographic Content Credentials proving authorship and non-AI origin.
  • Canvas fingerprinting protection — Canvas capture is blocked by default to prevent browser fingerprinting, except for the QR code canvas which is explicitly allowed.
  • Secrets management — All API keys, webhook secrets, and private credentials are stored as Cloudflare encrypted secrets, never in source code. The Stripe publishable key is injected via environment variable at build time.

Complaints: You may lodge complaints with the French data protection authority (CNIL): cnil.fr

9. Dispute Resolution

French law governs these Terms. In the event of a dispute, you may contact us directly at advancelab@proton.me and we will do our best to find an amicable solution. Advance Lab itself serves as the point of contact for consumer mediation — no external mediator is appointed at this time.

For EU consumers, the European Commission's online dispute resolution platform is available at: ec.europa.eu/consumers/odr/

10. Contact

For all inquiries: advancelab@proton.me

Last updated: July 5, 2026