Privacy Policy

Account information. When you create an account, we collect your name, email address, organization name, role, and authentication credentials. If you subscribe to a paid plan, our payment processor collects billing details on our behalf.

Customer Data you enter. As you use the Service, you and your users submit records that may include patient identifiers, draw logs, inventory counts, arrival checklists, rejection notes, and related workflow data. You control what is entered.

Usage and device data. We collect standard technical information such as IP address, browser type, device identifiers, and pages accessed, for security and service reliability.

Support communications. If you contact us, we keep records of the correspondence to resolve your issue.

• To provide, maintain, and improve the Service;
• To authenticate users and prevent abuse;
• To process payments and send billing notices;
• To send essential service communications (security alerts, account notices);
• To respond to support requests and fulfill legal obligations.

We do not sell your data. We do not use Customer Data to train third-party machine learning models.

We rely on the following vetted providers to operate the Service. Each is bound by written agreements that require appropriate security and confidentiality:

• Vercel — application hosting, edge networking, and deployment infrastructure.
• Neon — managed PostgreSQL database hosting.
• Supabase — authentication, storage, and row-level security services.
• Stripe — subscription billing and payment processing.
• Resend — transactional email delivery.

We implement reasonable and industry-standard safeguards:

• Encryption in transit — all traffic between your browser and the Service is protected with TLS 1.2 or higher.
• Encryption at rest — production databases and backups are encrypted at rest by our infrastructure providers.
• Access controls — database access is restricted via row-level security (RLS) in Postgres, scoped per organization; internal staff access is limited and logged.
• Audit logging — available on Pro plans for customer-level traceability of key actions.
• Least privilege — application credentials are scoped to the minimum required permissions.

No system is perfectly secure; we encourage you to use strong, unique passwords and to configure appropriate role-based access for your team.

We retain Customer Data for as long as your account is active or as needed to provide the Service. On account closure, Customer Data is retained for a reasonable grace period to allow export, then scheduled for deletion, except where retention is required by law.

Depending on your jurisdiction, you may have the right to:

• Access the personal data associated with your account;
• Correct inaccurate personal data;
• Delete your account and associated personal data, subject to legal retention obligations;
• Export a machine-readable copy of your Customer Data;
• Object to or restrict certain processing;
• Withdraw consent where processing is based on consent.

To exercise these rights, email us at support@labsandhealth.com. We may need to verify your identity before acting on a request.

The Service is not directed to children under 13, and we do not knowingly collect personal information from children. If you believe a child has provided us personal information, please contact us so we can remove it.

Our infrastructure is primarily hosted in the United States. If you access the Service from outside the U.S., you consent to the transfer of your information to the U.S. and to processing in accordance with this Policy.

We may update this Policy periodically. Material changes will be communicated by email or in-app notice. The “Effective date” above indicates the latest revision.

Questions or concerns about privacy? Contact us at support@labsandhealth.com.