Privacy Policy
Last updated: April 2025
1. Who we are
Labreels (“we”, “us”, “our”) operates the website www.labreels.com and the Labreels web application. We provide AI-powered analysis of medical lab reports. We are a data fiduciary under India’s Digital Personal Data Protection Act, 2023 (“DPDP Act”).
Grievance / Data Protection Contact: hi@labreels.com. We will respond to all data-related requests within 30 days.
2. What data we collect
- Email address — collected at sign-up for identity verification via OTP and as your account identifier.
- Profile information — full name, date of birth, and gender, if you choose to provide them.
- Lab report PDFs — uploaded by you for analysis. These contain sensitive health data including test results, patient details, and diagnostic information.
- Extracted report data — structured test results, patient demographics, and lab metadata extracted from your PDFs by our AI.
- Usage data — IP address, browser/device type, and time of access, collected automatically for security and audit purposes.
3. Why we collect it (purpose)
- To verify your identity and manage your account
- To process and analyse your lab reports using AI
- To display and securely store your results
- To respond to your support and data rights requests
We do not sell, rent, or share your personal data or health data with third parties for marketing purposes.
4. How long we keep your data
- Account data and reports — retained until you delete your account or individual reports.
- Anonymous uploads — retained until you claim or delete them.
- OTP records — automatically purged 24 hours after expiry.
- Session tokens — revoked tokens and expired refresh tokens are automatically purged after 30 days.
- Admin audit logs — retained for compliance and security audit purposes.
5. Your rights under the DPDP Act 2023
- Right to access — view all reports and profile data stored about you.
- Right to correction — update your profile from the Profile page.
- Right to erasure — delete individual reports any time, or delete your entire account and all associated data from Profile → Delete Account.
- Right to grievance redressal — raise a complaint via Contact or email hi@labreels.com. We will respond within 30 days.
- Right to withdraw consent — you may withdraw consent at any time by deleting your account. Withdrawal does not affect lawfulness of prior processing.
6. Cross-border data transfer
To provide AI-powered lab report analysis, the text content of your uploaded reports is transmitted to Google Cloud Vertex AI infrastructure located in the United States (us-central1) for AI processing. This constitutes a cross-border transfer of personal data (including health data) outside India.
By creating an account and uploading a report, you explicitly consent to this cross-border transfer for the purpose of AI analysis. Google processes this data under its Cloud Data Processing Addendum and does not use your data to train its AI models.
If you do not consent to cross-border processing, please do not upload reports. You may use the anonymised view of previously processed results without uploading new data.
7. Security
- Passwords are hashed using bcrypt (cost factor 12) and never stored in plaintext.
- Authentication uses short-lived access tokens (15 minutes) with rotating refresh tokens (7 days). Refresh tokens are stored server-side only as SHA-256 hashes, so a copy of the database does not yield usable tokens.
- All API communication is over HTTPS in production.
- Responses include security headers (X-Content-Type-Options, X-Frame-Options, HSTS in production).
- OTP codes expire in 10 minutes and are invalidated after use or 5 failed attempts.
- An immutable audit log records every significant event on each report.
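The token and OTP rules in this section, shown as an added illustration that is not Labreels code: an in-memory model of refresh-token rotation with SHA-256 hashed storage, OTP expiry with the five-attempt limit, and the purge windows stated in Section 4. The class and function names, the in-memory stores and the rule that reuse of an already-rotated refresh token revokes all of that user's tokens are assumptions of this example, not statements from the policy; bcrypt password hashing is left out because it needs a third-party library.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Lifetimes and purge windows as stated in the policy text (seconds).
ACCESS_TTL = 15 * 60                 # access tokens: 15 minutes
REFRESH_TTL = 7 * 24 * 3600          # refresh tokens: 7 days
OTP_TTL = 10 * 60                    # OTP codes: 10 minutes
OTP_MAX_ATTEMPTS = 5                 # OTP invalidated after 5 failed attempts
OTP_PURGE_AFTER = 24 * 3600          # OTP records purged 24 hours after expiry
TOKEN_PURGE_AFTER = 30 * 24 * 3600   # revoked/expired refresh tokens purged after 30 days


def sha256_hex(secret: str) -> str:
    """Only this digest is persisted; the raw token or code is never stored."""
    return hashlib.sha256(secret.encode()).hexdigest()


@dataclass
class RefreshRecord:
    user: str
    expires_at: float
    revoked_at: Optional[float] = None  # set when the token is rotated or revoked


class RefreshTokenStore:
    """Hypothetical in-memory stand-in for the refresh-token table."""

    def __init__(self) -> None:
        self._by_hash: Dict[str, RefreshRecord] = {}

    def issue(self, user: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self._by_hash[sha256_hex(token)] = RefreshRecord(user, now + REFRESH_TTL)
        return token  # handed to the client; only its hash stays here

    def rotate(self, token: str, now: float) -> Optional[str]:
        """Swap a live refresh token for a new one and revoke the old one.
        Assumption beyond the policy: presenting an already-rotated token is
        treated as theft and revokes every token of that user."""
        rec = self._by_hash.get(sha256_hex(token))
        if rec is None or now >= rec.expires_at:
            return None
        if rec.revoked_at is not None:
            self.revoke_all(rec.user, now)
            return None
        rec.revoked_at = now
        return self.issue(rec.user, now)

    def revoke_all(self, user: str, now: float) -> None:
        for rec in self._by_hash.values():
            if rec.user == user and rec.revoked_at is None:
                rec.revoked_at = now

    def purge(self, now: float) -> int:
        """Drop records revoked or expired for 30 days; returns how many were removed."""
        dead = [h for h, r in self._by_hash.items()
                if (r.revoked_at is not None and now - r.revoked_at >= TOKEN_PURGE_AFTER)
                or now - r.expires_at >= TOKEN_PURGE_AFTER]
        for h in dead:
            del self._by_hash[h]
        return len(dead)


@dataclass
class OtpRecord:
    code_hash: str
    expires_at: float
    attempts: int = 0
    used: bool = False


class OtpStore:
    """Hypothetical in-memory stand-in for the OTP table (one live code per email)."""

    def __init__(self) -> None:
        self._by_email: Dict[str, OtpRecord] = {}

    def create(self, email: str, now: float) -> str:
        code = f"{secrets.randbelow(1_000_000):06d}"
        self._by_email[email] = OtpRecord(sha256_hex(code), now + OTP_TTL)
        return code  # sent by email; storing only the hash is an assumption here

    def verify(self, email: str, code: str, now: float) -> bool:
        rec = self._by_email.get(email)
        if rec is None or rec.used or now >= rec.expires_at:
            return False
        if rec.attempts >= OTP_MAX_ATTEMPTS:
            return False  # locked out even if this guess is correct
        rec.attempts += 1
        if not hmac.compare_digest(rec.code_hash, sha256_hex(code)):
            return False
        rec.used = True  # single use
        return True

    def purge(self, now: float) -> int:
        dead = [e for e, r in self._by_email.items() if now - r.expires_at >= OTP_PURGE_AFTER]
        for e in dead:
            del self._by_email[e]
        return len(dead)
```

The attempt counter is incremented before the comparison, so the fifth wrong guess exhausts the allowance and a correct code on the sixth try is still rejected; `hmac.compare_digest` keeps the hash comparison constant-time.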
8. Data breach notification
In the event of a personal data breach affecting your personal data, we will notify you by email without undue delay and report the breach to the Data Protection Board of India in the form and within the time prescribed under the DPDP Act 2023 and its rules. The Act requires intimation of every personal data breach to the Board and to each affected individual; it does not limit notification to breaches judged likely to cause harm.
9. Third-party services
- Google Cloud Vertex AI (Gemini) — AI analysis of lab report content. Data processed in the US. Not used to train Google’s models. See Section 6.
- GoDaddy Titan Email (SMTP) — delivers OTP and transactional emails. Your email address is shared with GoDaddy solely for email delivery.
10. Contact
For privacy-related concerns, data rights requests, or to report a potential breach, contact us at hi@labreels.com.
