Privacy Policy

Last updated: 1 January 2025 · Effective: 1 January 2025 · Controller: LabEase (Italy)

    Short version: We do not store your lab results. We do not sell or share your data. We use no advertising cookies. Your query is processed in-memory and discarded immediately.
  

1. Who we are (Data Controller)

LabEase is an educational health literacy service operated from Italy. For GDPR purposes, the data controller is the operator of labease.app. Contact: [email protected]

2. What data we collect and why

We operate a strict data minimisation policy in accordance with Article 5(1)(c) GDPR.

Lab result text you submit: Transmitted securely to our Cloudflare Worker server for AI processing. Not stored. Discarded immediately after the response is generated.
Technical logs: Cloudflare and our Worker may retain standard server access logs (IP address, timestamp, request path) for up to 7 days for security and abuse-prevention purposes only. These are not linked to your lab data.
Cookie consent preference: Stored only in your browser's localStorage, never on our servers.
Optional email contact: If you email us at [email protected], we retain your email address solely to respond to your query.

3. Special category data (health data)

Lab results may constitute special category data under Article 9 GDPR. Our legal basis for processing is Article 9(2)(a) — your explicit consent, given at the moment you submit your results using the tool. By submitting, you consent to temporary in-memory processing for the purpose of receiving an educational explanation. You may withdraw this consent at any time (simply do not submit).

Because data is not stored, your right to erasure (Article 17) is satisfied automatically.

4. Legal bases for processing

Lab result text: Consent (Art. 6(1)(a) and Art. 9(2)(a) GDPR)
Technical logs: Legitimate interests (Art. 6(1)(f) GDPR) — security and abuse prevention
Email correspondence: Legitimate interests (Art. 6(1)(f) GDPR)

5. Third-party processors

Anthropic, Inc. (USA): Our AI engine (Claude). Lab text is sent to Anthropic's API for processing. Anthropic does not use submitted content to train its models when accessed via API. Transfer basis: Standard Contractual Clauses (SCCs) per Art. 46 GDPR.
Cloudflare, Inc. (USA): Hosting, CDN, and Worker serverless compute. Transfer basis: SCCs and EU adequacy mechanisms.
Google Fonts (USA): Font delivery only. Google's IP logging applies; fonts are preconnected. Alternatively, self-host fonts to avoid this transfer.
Brevo (France): Transactional email only, if applicable. EU-based processor.

6. International transfers

Some processors are based outside the EU/EEA (primarily the USA). Transfers are safeguarded by Standard Contractual Clauses approved by the European Commission under Art. 46(2)(c) GDPR.

7. Your rights under GDPR

You have the following rights. To exercise any of them, contact [email protected]:

Access (Art. 15): Request a copy of your personal data we hold.
Rectification (Art. 16): Correct inaccurate personal data.
Erasure (Art. 17): Request deletion of your personal data. (Lab data is never stored, so erasure is already satisfied.)
Restriction (Art. 18): Restrict how we process your data.
Portability (Art. 20): Receive your data in a portable format.
Object (Art. 21): Object to processing based on legitimate interests.
Withdraw consent (Art. 7(3)): At any time, without affecting prior processing.

You also have the right to lodge a complaint with your national supervisory authority. In Italy: Garante per la protezione dei dati personali — garanteprivacy.it.

8. Cookies and tracking

We use no advertising or analytics cookies. The only browser storage we use is:

labease_cookie_consent — localStorage key storing your cookie preference. No expiry. Stored locally in your browser only.

No tracking pixels, no third-party analytics, no fingerprinting.

9. Data security

All data in transit is encrypted via HTTPS/TLS 1.3. Our Cloudflare Worker runs in Cloudflare's isolated environment. Lab data is never written to disk or a database. Environment secrets (API keys) are stored as encrypted Cloudflare Worker secrets, not in code.

10. Children

LabEase is not directed at children under 16. We do not knowingly process data from minors. If you believe a minor has submitted data, contact [email protected].