LabsVault
[LEGAL]

Privacy Policy

Last updated: February 27, 2026

Introduction

LabsVault ("we", "our", "us") is a Wyoming, USA entity that provides a personal health data management platform. We respect your privacy and are committed to protecting your personal data. This privacy policy explains how we collect, use, store, and safeguard your information when you use our service at labsvault.com (the "Service").

LabsVault is not a covered entity under HIPAA. We are a personal record-keeping tool — not a healthcare provider, health plan, or healthcare clearinghouse. While we take the security of your health data seriously and implement strong safeguards, the HIPAA Privacy Rule does not apply to our Service.

Information We Collect

Account Information

When you create an account, we collect:

  • Email address
  • Password (hashed, never stored in plain text)
  • Name (optional)
  • Social login data (if you sign in via a third-party provider): provider ID and associated email

Health Data

When you use our Service, you may provide:

  • Date of birth and gender (stored per vault)
  • Lab test results, biomarkers, and reference ranges
  • Lab provider names and assessment dates
  • Uploaded files (lab report PDFs and images)

Your health data is yours. We do not sell, share, or use your health data for advertising or AI model training. We only process it to provide you with the Service.

Automatically Collected Information

When you use the Service, we automatically collect:

  • IP address and user agent (for session management and security)
  • Cookie-less analytics data (pages visited, general geographic region)

We do not use tracking cookies or build advertising profiles.

How We Use Your Information

We use your information to:

  • Provide, maintain, and improve the Service
  • Authenticate your identity and manage sessions
  • Process and organize your lab results, including AI-powered extraction from uploaded files
  • Process payments for paid plans
  • Send transactional emails (account verification, password resets, payment receipts)
  • Detect and prevent fraud, abuse, and security incidents
  • Respond to your requests and support inquiries

AI Processing of Your Data

When you upload lab reports, we send the file contents to a third-party AI provider for data extraction. Regarding this processing:

  • Data is sent solely for the purpose of extracting structured lab values from your documents
  • The AI provider does not retain your data after processing is complete
  • Your data is not used to train AI models
  • AI extraction may contain errors — you should always verify extracted values against your original documents

Lawful Basis for Processing (GDPR)

If you are in the European Economic Area (EEA) or United Kingdom, we process your personal data under the following legal bases:

  • Contract performance: Processing necessary to provide you with the Service you signed up for (account management, lab data storage, AI extraction)
  • Legitimate interests: Security, fraud prevention, and service improvement, where these interests are not overridden by your rights
  • Consent: Marketing emails (which you can opt out of at any time)
  • Legal obligation: Where we are required to process data to comply with applicable law

Data Storage and Security

We take the security of your data seriously and implement security best practices, including:

  • Data encrypted at rest and in transit (TLS/HTTPS)
  • Passwords are hashed using industry-standard algorithms — we never store plain-text passwords
  • Sessions expire after a period of inactivity
  • Secure cloud infrastructure with access controls and monitoring

Data Retention

We retain your data for as long as your account is active. When you delete your account:

  • All personal data and health data are permanently deleted
  • Uploaded files are permanently removed from storage
  • Backups containing your data are purged within 30 days

We may retain certain data beyond account deletion where required by law (e.g., payment records for tax and accounting purposes).

Third-Party Services

We use the following categories of third-party service providers to operate the Service. We do not share your personal health data with any third party for marketing purposes.

  • Cloud infrastructure: Hosting, content delivery, and edge computing
  • Database provider: Managed database hosting for application data
  • File storage: Encrypted object storage for uploaded lab reports
  • AI processing: Lab report data extraction (data processed but not retained or used for training)
  • Payment processor: Secure payment handling (we do not store your full payment card details)
  • Transactional email: Account-related emails (verification, password resets, receipts)
  • Email marketing: Product updates and announcements. You can unsubscribe at any time via the link in each email
  • Cookie-less web analytics: Privacy-focused, cookie-less website analytics that do not track individual users
  • SEO analytics: Website performance and search analytics, which may use cookies

International Data Transfers

LabsVault is based in the United States. If you access the Service from outside the US, your data will be transferred to and processed in the United States.

For users in the EEA or United Kingdom, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission to ensure adequate protection for your data when transferred internationally.

Your Rights

All Users

Regardless of where you are located, you have the right to:

  • Access and view your personal data
  • Correct inaccurate data
  • Delete your account and all associated data
  • Export your data

EEA and UK Residents (GDPR)

In addition to the rights above, you also have the right to:

  • Restrict processing of your personal data
  • Object to processing based on legitimate interests
  • Data portability (receive your data in a structured, machine-readable format)
  • Withdraw consent at any time (where processing is based on consent)
  • Lodge a complaint with your local data protection authority

California Residents (CCPA)

If you are a California resident, you have the right to:

  • Know what personal information we collect, use, and disclose
  • Request deletion of your personal information
  • Opt out of the sale of personal information — we do not sell your personal information
  • Non-discrimination for exercising your privacy rights

To exercise any of these rights, contact us at privacy [at] labsvault.com. We will respond to all requests within 30 days.

Data Breach Notification

In the event of a data breach that affects your personal data, we will:

  • Notify affected users by email within 72 hours of becoming aware of the breach
  • Notify the relevant regulatory authorities as required by applicable law
  • Provide details of what data was affected and what steps we are taking in response

Cookies

We use essential cookies only for authentication and session management. We do not use third-party advertising or tracking cookies.

Our primary web analytics provider is cookie-less and does not track individual users. One analytics provider used for SEO purposes may use cookies — you can manage cookie preferences in your browser settings.

Children's Privacy

Our Service is not intended for anyone under the age of 18. We do not knowingly collect personal data from anyone under 18. If we learn that we have collected data from someone under 18, we will delete it promptly.

Changes to This Policy

We may update this policy from time to time. We will notify you of any material changes by email or through the Service. The "last updated" date at the top of this page reflects the most recent revision. Continued use of the Service after changes constitutes acceptance.

Contact Us

If you have questions about this privacy policy or your data, contact us at:

privacy [at] labsvault.com

For questions about the Service generally, see our Terms of Service.