Privacy Policy

Account data. When you create an account, we collect your email address and a hashed password. You may optionally provide a display name.

Bloodwork data. If you use the Analyze feature, you may upload lab result documents (PDF or image) or enter values manually. Uploaded files are parsed locally in the browser, reviewed by you, and only confirmed biomarker rows are sent to our server when you save or run analysis.

Usage data. We collect standard server logs including IP address, browser type, pages visited, and timestamps. This data is used solely for security monitoring and aggregate analytics.

Communications. If you contact us via the contact form or email, we retain that correspondence to respond to your inquiry.

We use collected data to:

• Provide, operate, and improve the platform and its features
• Authenticate your account and maintain session security
• Process reviewed bloodwork biomarker rows to generate analysis output and saved history when you confirm an upload
• Send transactional emails (password reset, account notifications) - we do not send unsolicited marketing email
• Monitor for abuse, fraud, and security threats
• Comply with applicable legal obligations

We do not sell your personal data to third parties. We do not use your bloodwork data to train AI models or for any purpose beyond generating your personal analysis.

Account data is retained for as long as your account is active. If you delete your account, your email and profile data are permanently deleted within 30 days.

Raw bloodwork uploads are not persisted to our database in v1. Only the confirmed biomarker rows you choose to analyze or save are stored as panel history.

Server logs are retained for 90 days for security purposes and then deleted.

We use a single session cookie to maintain your authenticated state. This cookie is strictly necessary for the platform to function and is not used for tracking or advertising.

We do not use third-party advertising cookies, tracking pixels, or analytics services that set persistent cross-site cookies. If we add analytics in the future, this policy will be updated.

Depending on your jurisdiction, you may have the right to:

• Access - request a copy of the personal data we hold about you
• Correction - request that inaccurate data be corrected
• Deletion - request that we delete your account and associated data
• Portability - receive your data in a machine-readable format
• Restriction - request that we limit how we process your data
• Objection - object to certain types of processing

To exercise any of these rights, contact us at the address in Section 9. We will respond within 30 days.

We implement industry-standard security measures including TLS encryption in transit, bcrypt-hashed passwords, row-level security policies on all database tables, and regular dependency audits.

No system is perfectly secure. If you discover a security vulnerability, please contact us immediately rather than disclosing publicly.

This platform is not directed at individuals under 18 years of age. We do not knowingly collect personal data from minors. If you believe a minor has created an account, contact us and we will delete it promptly.

For privacy-related inquiries, data access requests, or to report a concern, contact us via the contact form at /contact or by emailing the address on file with Vercel for this domain.

We will acknowledge privacy requests within 5 business days and resolve them within 30 days.

We may update this policy periodically. When we do, we will update the "Last updated" date above. Material changes will be communicated to registered users via email at least 14 days before taking effect.

Continued use of the platform after changes become effective constitutes acceptance of the revised policy.