Privacy Policy

Last Updated: February 2026 · Effective Date: February 15, 2026

1. Introduction

Lab Sage ("Service"), operated by Lab Sage ("Company," "we," "us," or "our"), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our Service.

2. Information We Collect

2.1 Information You Provide

  • Account Information: Email address, name, and password when you create an account
  • Lab Data: Laboratory test results you upload (PDFs, images, or manually entered values)
  • Practitioner Credentials: NPI number and professional license information (Practitioner tier only)
  • Payment Information: Billing details processed through Stripe (we do not store credit card numbers)
  • Communications: Any messages you send to us via email or support channels

2.2 Information Collected Automatically

  • Usage Data: Pages visited, features used, session duration, and interaction patterns
  • Device Information: Browser type, operating system, device type, and screen resolution
  • Log Data: IP address, access times, and referring URLs
  • Cookies: We use essential cookies for authentication and session management

2.3 Information We Do NOT Collect

  • We do not collect Social Security numbers
  • We do not collect insurance information
  • We do not collect demographic data beyond what you voluntarily provide

3. How We Use Your Information

We use your information to:

  • Provide, maintain, and improve the Service
  • Generate AI-powered lab interpretations from your uploaded data
  • Process payments and manage your subscription
  • Send transactional communications (account confirmations, billing receipts)
  • Respond to your inquiries and support requests
  • Detect and prevent fraud, abuse, and security incidents
  • Comply with legal obligations

We do NOT use your information to:

  • Sell your data to third parties
  • Target you with advertising based on your health data
  • Train AI models on your personal lab data
  • Share your health information with employers, insurers, or data brokers

4. How We Share Your Information

We share your information only in these limited circumstances:

4.1 Service Providers

We share data with third-party service providers who assist in operating the Service:

  • Anthropic: Your lab data is sent to Anthropic's Claude AI for analysis. Anthropic's data retention policy applies (typically 30 days for API inputs). Anthropic does not use API data to train their models.
  • Stripe: Payment processing. Stripe's privacy policy governs payment data.
  • Vercel: Web hosting. Server logs may contain IP addresses and request data.
  • Neon: Database hosting (PostgreSQL). Your data is stored encrypted at rest.

4.2 Legal Requirements

We may disclose your information if required by law, subpoena, court order, or government request.

4.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you before your information becomes subject to a different privacy policy.

4.4 With Your Consent

We may share your information with third parties when you have given us explicit consent to do so.

5. Data Security

We implement reasonable security measures to protect your information, including:

  • Encryption at rest (AES-256) for stored data
  • Encryption in transit (TLS 1.3) for all data transmissions
  • Access controls and authentication requirements
  • Audit logging of data access
  • Regular security assessments

No method of electronic storage or transmission is 100% secure. While we strive to protect your information, we cannot guarantee its absolute security.

6. Data Retention and Deletion

6.1 Retention Period

We retain your account information and lab data for as long as your account is active or as needed to provide the Service. We retain billing records as required by tax and accounting laws (typically 7 years).

6.2 Deletion

You may request deletion of your account and associated data at any time by contacting us at privacy@labsage.ai or through your account settings. Upon receiving a valid deletion request:

  • Your account information will be deleted within 30 days
  • Your lab data and analysis results will be deleted from our primary database within 30 days
  • Backup copies may persist for up to 90 days before being purged
  • Data previously sent to Anthropic for AI analysis is subject to Anthropic's retention policy (typically 30 days from processing)
  • Aggregated, de-identified statistical data (e.g., total number of analyses performed) may be retained indefinitely

6.3 Account Termination

If your account is terminated for violation of our Terms of Service, we may retain your data as necessary to enforce our terms and comply with legal obligations.

7. Your Privacy Rights

7.1 All Users

All users have the right to:

  • Access their personal data
  • Correct inaccurate personal data
  • Request deletion of their personal data
  • Export their data in a portable format
  • Opt out of non-essential communications

7.2 California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to Know: You may request that we disclose what personal information we collect, use, and share.
  • Right to Delete: You may request that we delete your personal information, subject to certain exceptions.
  • Right to Opt-Out of Sale: We do not sell your personal information. If this changes, we will provide opt-out mechanisms.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

To exercise your California privacy rights, contact us at privacy@labsage.ai.

7.3 Other State Privacy Laws

If you are a resident of Washington, Colorado, Connecticut, Virginia, or another state with comprehensive privacy legislation, you may have additional rights. Contact us at privacy@labsage.ai to exercise your state-specific privacy rights.

8. HIPAA Notice

Lab Sage is not a HIPAA-covered entity and is not a Business Associate under the Health Insurance Portability and Accountability Act (HIPAA). We do not transmit, process, or store Protected Health Information (PHI) as defined under HIPAA.

While we are not subject to HIPAA requirements, we implement strong security practices to protect your health-related data as described in Section 5 of this policy.

If you are a healthcare professional using the Practitioner tier, you are responsible for complying with HIPAA and other applicable regulations regarding your patients' information. Do not upload patient-identifiable information unless you have obtained appropriate patient consent and are in compliance with your HIPAA obligations.

9. Children's Privacy

Lab Sage is not intended for use by individuals under the age of 18 without parental supervision. We do not knowingly collect personal information from children under 13. If we learn we have collected information from a child under 13 without parental consent, we will delete that information promptly.

10. International Users

Lab Sage is operated from the United States. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States. By using the Service, you consent to this transfer.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through a prominent notice on the Service. Your continued use of the Service after such notification constitutes acceptance of the updated policy.

12. Contact Us

For privacy questions, data requests, or concerns:

This Privacy Policy was last updated on February 15, 2026.

← Back to Lab Sage