Privacy Policy
Last updated: January 1, 2026
This Privacy Policy describes how Rays Health Technologies, LLC ("we," "us," or "our") collects, uses, and protects your information when you use LabHealthCharts.
1. Information We Collect
1.1 Account Information
When you create an account with us, we collect your email address, which is required for account creation and communication purposes. We also collect your password, which is encrypted and never stored in plain text format. For payment processing, we collect payment information that is securely processed through Stripe—we do not store any payment card details on our systems. Additionally, we store your account preferences and settings to provide you with a personalized experience.
1.2 Health Data
When you voluntarily upload lab reports to our platform, we collect and process the lab report PDFs you provide. We extract biomarker data from these reports using AI technology to create visualizations and charts. We also store your chart configurations and visualization preferences so you can view your data in the format that works best for you. Any notes or comments you choose to add to your data points are also stored and associated with your account.
1.3 Technical Information
We automatically collect certain technical information when you use our service. This includes your IP address and general location information, which helps us provide location-relevant services and ensure security. We also collect information about your browser type and version, as well as details about your device and operating system. To improve our service, we track usage patterns and feature interactions, and we maintain error logs and performance metrics to identify and resolve technical issues.
1.4 Analytics Information
We use Google Analytics to better understand how users interact with our service. This includes tracking page views and user journeys throughout the platform, measuring feature usage statistics to identify popular functionality, monitoring session duration and engagement metrics, and collecting anonymized demographic information where available. This information helps us improve the user experience and develop new features that meet user needs.
2. How We Use Your Information
2.1 Core Service Delivery
The primary use of your information is to deliver our core services. We process your lab PDFs and use AI technology to extract biomarker data from them. This extracted data is then used to generate professional visualizations and charts that help you track your health metrics over time. We store your data securely so you can access it in the future, and we enable you to export your data in various formats including Excel and PDF. Additionally, we provide trend analysis tools that allow you to compare your biomarker levels across different time periods.
2.2 Account Management
We use your information to manage your account and ensure its security. This includes authenticating your identity when you log in and maintaining security measures to protect your account from unauthorized access. We process subscription payments and manage your billing information to keep your subscription active. We also send you important account notifications and service updates to keep you informed about changes or important information related to your account. Finally, we use your information to provide customer support and respond to any inquiries or issues you may have.
2.3 Service Improvement
We analyze usage patterns and technical data to continuously improve our service. This helps us enhance the accuracy of our AI extraction technology, identify and fix technical issues that may arise, and develop new features while improving existing functionality. We also use this information to monitor platform security and prevent abuse, ensuring a safe and reliable experience for all users.
Important: We are a data visualization tool only. We never use your health data to provide medical advice, diagnosis, or treatment recommendations. All medical interpretation should be done by qualified healthcare professionals.
3. Third-Party Services and Data Sharing
3.1 OpenAI (AI Processing)
We use OpenAI's API to extract biomarker data from your lab PDFs. It is important to note that OpenAI operates under a zero retention policy, meaning they do not store or retain your data in any way. Your data is processed in real-time and immediately discarded by OpenAI after processing is complete. All transmissions to and from OpenAI are encrypted and secure. There is no human review or manual processing of your health data at OpenAI.
3.2 Stripe (Payment Processing)
All payment processing is handled securely by Stripe, a leading payment processor. We never see or store your payment card details—all payment information is processed directly by Stripe. Stripe is PCI DSS compliant and maintains highly secure systems to protect payment data. The only payment-related information shared with us is your billing email address and your subscription status.
3.3 Supabase (Data Storage)
Your data is stored using Supabase, which provides secure, encrypted database storage services. All data is encrypted both at rest (when stored) and in transit (when being transferred). Supabase's infrastructure is SOC 2 Type II certified, which means it undergoes regular security audits and compliance monitoring to ensure the highest levels of security and data protection.
3.4 Google Analytics
We use Google Analytics to collect anonymized usage and traffic data that helps us understand how users interact with our service. This allows us to identify areas for improvement and better understand user needs. No personally identifiable information is shared with Google Analytics. If you prefer not to be included in this analytics data, you can opt out using your browser settings or privacy extensions.
We Never Share Your Health Data: Your biomarker data, lab results, and health information are never shared with advertisers, data brokers, insurance companies, or any third parties for marketing or commercial purposes.
4. Data Security and Protection
4.1 Security Measures
We implement multiple layers of security to protect your data. All data is encrypted at rest using AES-256 encryption, and all data in transit is protected using TLS 1.3 encryption. We maintain strict access controls and authentication requirements to ensure only authorized personnel can access data, and even then, access is limited to what is necessary for their role. Our infrastructure is hosted on secure, compliant cloud infrastructure that meets industry standards. We conduct continuous security monitoring and threat detection to identify and respond to potential security issues quickly. Additionally, we perform regular encrypted backups with secure retention policies to ensure data availability and recovery capabilities.
4.2 Data Isolation
Your data is completely isolated from other users' data. We implement strict separation between accounts, ensuring there is no cross-account data access or sharing. Where applicable, we use individual user encryption keys to provide an additional layer of data isolation. When data is removed, we follow secure deletion protocols that ensure data is completely and permanently erased from all systems.
4.3 Incident Response
In the unlikely event of a security incident, we have established procedures to respond quickly and effectively. We immediately begin containment and assessment procedures to limit any potential impact. If personal data is affected, we will notify affected users within 72 hours of becoming aware of the incident. We maintain transparent communication about the scope and impact of any incident, and we implement remediation steps to address the issue and prevention measures to reduce the risk of similar incidents in the future.
5. Your Rights and Choices
5.1 Data Access and Portability
You have full access to all of your data through your account dashboard, where you can view all of your lab results, biomarker data, and visualizations. You can export your data at any time in multiple formats including Excel, PDF, or CSV files. If you need a complete copy of all your data, you can request a full data export at any time, and we will provide it to you promptly. You also have access to view and export historical biomarker trends, allowing you to track changes in your health metrics over time.
5.2 Data Correction and Updates
You have the right to correct and update your information at any time. You can update your account information directly through your account settings. If you notice any errors in your biomarker data entries, you can correct or modify them. You can also add notes or context to your data points to provide additional information. If you believe any information in our system is inaccurate, you can request that we correct it.
5.3 Data Deletion
You have the right to delete your account and all associated data at any time. When you request account deletion, your data is permanently removed immediately—there is no waiting period or retention period for deleted accounts. We do not retain deleted data for any purpose once deletion is requested. When data is deleted, it is cryptographically wiped from all systems, including backups, to ensure complete removal.
5.4 Communication Preferences
You have control over how we communicate with you. You can opt out of marketing communications at any time, though we will continue to send important service-related emails such as account notifications and security alerts. You can customize your notification preferences to choose what types of communications you receive, update your email address for communications, and set your preferred frequency for different types of communications.
6. International Users and Cross-Border Transfers
LabHealthCharts is available to users worldwide. By using our service, you understand that your data may be transferred to and processed in the United States. We comply with applicable international privacy laws including GDPR, CCPA, and others. Appropriate safeguards are in place for all cross-border data transfers, and you can exercise your rights regardless of your location.
6.1 GDPR Rights (EU/UK Users)
If you are located in the European Union or United Kingdom, you have additional rights under the General Data Protection Regulation (GDPR). You have the right to be forgotten, which means you can request complete deletion of your data at any time. You have the right to data portability, allowing you to receive your data in a machine-readable format that you can transfer to another service. You can request restrictions on how we process your data, and you can object to certain types of data processing. If you have concerns about how we handle your data, you also have the right to file complaints with your local data protection authority.
6.2 CCPA Rights (California Users)
If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA). You have the right to know what personal information we collect about you and how it is used. You have the right to request deletion of your personal information. We will not discriminate against you for exercising any of your CCPA rights. Please note that we do not sell personal information, so there is no need to opt out of the sale of personal information.
7. Data Retention and Storage
7.1 Retention Period
We retain your data for different periods depending on the type of data and your account status. For active accounts, we retain your data indefinitely while your account remains active, so you can access your historical health data at any time. We do not automatically delete data from inactive accounts—you maintain control over when your data is deleted. For payment and billing data, we retain billing history for seven years as required by tax and accounting regulations. Anonymized technical logs that don't contain personally identifiable information are retained for up to two years to help us maintain and improve our service.
7.2 Deletion Process
When you request account deletion or data deletion, we immediately begin the deletion process. All health data and biomarker information associated with your account are permanently deleted. Your account information and preferences are removed from our systems. Any uploaded files, including lab report PDFs, are permanently deleted from our servers. All charts and visualizations created from your data are removed. Finally, any backups containing your data are purged within 30 days to ensure complete removal.
Your Control: You have complete control over your data. You can export everything or delete everything at any time, with immediate effect.
8. Cookies and Tracking Technologies
8.1 Essential Cookies
We use essential cookies that are necessary for our service to function properly. These include authentication cookies that keep you logged in securely during your session, security cookies that protect against Cross-Site Request Forgery (CSRF) attacks, preference cookies that remember your settings and preferences so you don't have to reconfigure them each time you visit, and performance cookies that help optimize loading times and improve your user experience.
8.2 Analytics Cookies
We use Google Analytics cookies to help us understand how users interact with our service. These cookies allow us to track page views and user journeys throughout the platform, measure feature usage and engagement levels, identify areas where we can improve the user experience, and monitor technical performance to ensure the platform is running smoothly.
8.3 Cookie Management
You have several options for managing cookies. You can configure your cookie preferences directly in your browser settings, where you can choose to block or allow cookies from specific sites. If you want to opt out of Google Analytics specifically, you can use the Google Analytics opt-out browser add-on. We respect Do Not Track browser signals where technically possible, though note that some essential functionality may require cookies. We also respect third-party privacy tools and ad blockers that you may have installed.
9. Children's Privacy Protection
LabHealthCharts is not intended for use by children under the age of 18. We do not knowingly collect personal information from children under 18. Users must be 18 years of age or older to create an account with us, and we take steps to verify age during account creation. If we learn that a user under 18 has created an account, we will immediately delete that account and all associated data. Parents or legal guardians who believe their child under 18 has provided us with personal information can contact us to request deletion of that data. If you believe a child under 18 has provided us with personal information, please contact us immediately and we will take steps to remove that information. We fully comply with the Children's Online Privacy Protection Act (COPPA) and take the protection of children's privacy seriously.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
10.1 Notification Process
When we make significant changes to this Privacy Policy, we will email all users to notify them of the changes. For material changes to our data practices, we will provide at least 30 days' advance notice before the changes take effect. The latest version of this Privacy Policy will always be posted on our website with the effective date clearly indicated. Changes become effective on the date specified in the updated policy.
10.2 Your Choices
When we make changes to this Privacy Policy, your continued use of our service after the changes take effect constitutes acceptance of the updated policy. If you disagree with any changes, you have the right to delete your account at any time. If you have questions about how policy changes affect your data or your rights, please contact us and we will be happy to help you understand the implications of any changes.
11. Business Transfers and Corporate Changes
In the event that Rays Health Technologies, LLC is involved in a merger, acquisition, bankruptcy, or sale of assets, we will notify users at least 30 days before any transfer takes place. Your data will continue to receive the same privacy protections, and all privacy rights will transfer to the new entity. The acquiring entity must agree to honor this privacy policy and maintain equivalent privacy protections. We will not transfer your data to any entity that does not agree to maintain these protections. If you do not wish to have your data transferred, you have the option to delete your account before the transfer occurs.
12. Legal Compliance and Law Enforcement
We may disclose your information only when required by law or to protect our rights and the rights of our users. Such disclosures are made carefully and only when necessary.
12.1 Legal Requirements
We may disclose your information when we are compelled by valid court orders or subpoenas, or in response to lawful requests from law enforcement agencies. We may also disclose information when necessary to prevent imminent harm to individuals or to investigate suspected fraud or abuse of our service. These disclosures are made only when legally required and after careful consideration of the request.
12.2 Our Protections
We take your privacy seriously and have protections in place when responding to legal requests. All requests for user data are reviewed by legal counsel to ensure they are valid and lawful. We limit any disclosure to only the minimum information required by the request. When legally permitted, we will notify affected users about any disclosure requests. If we receive requests that are overly broad or invalid, we will challenge them to protect user privacy to the fullest extent possible.
Transparency: We will publish an annual transparency report detailing any legal requests for user data, where legally permitted.
13. Contact Information and Data Protection Officer
For any privacy-related questions, concerns, or requests, please contact us:
Privacy Contact Information
Attn: Privacy Officer
8 The Green STE B
Dover, DE 19901
United States
13.1 Response Times
We are committed to responding to your privacy inquiries in a timely manner. General inquiries are typically responded to within 2 business days. Data requests, such as requests for access or deletion, are fulfilled within 30 days. For urgent privacy concerns, we aim to respond within 24 hours. Requests under GDPR or CCPA are handled within the timeframes required by those regulations, typically 30 days for GDPR and 45 days for CCPA, with the possibility of extensions where permitted.
13.2 Request Information
When contacting us about privacy matters, please include your full name and the email address associated with your account. Please provide a clear description of the specific nature of your request or concern, along with any relevant account information or reference numbers that might help us locate your account. We may also need verification information to confirm your identity before we can process certain requests, such as data access or deletion requests, to protect your privacy and security.