Effective Date: June 10, 2026 · Version 1.0
Labcoat (“we,” “us,” or “our”) is a direct-to-consumer service that uses artificial intelligence to help you understand lab reports that you choose to upload. You can contact us about anything in this policy at privacy@labcoat.net.
Labcoat is not a healthcare provider, health plan, or business associate of any healthcare provider, and is therefore not subject to the Health Insurance Portability and Accountability Act (HIPAA). Your data is instead protected by this Privacy Policy, the Federal Trade Commission’s Health Breach Notification Rule, and applicable state consumer health data laws, including the Washington My Health My Data Act and the California Confidentiality of Medical Information Act.
Labcoat provides educational information only. It does not provide medical advice, diagnosis, or treatment. See our Terms of Service for details.
Account information: your email address and authentication details when you sign up with Google or email/password.
Health profile information you provide: date of birth, gender, weight, height, body fat percentage, pregnancy status, chronic conditions, medications, and lifestyle information.
Lab report data: the lab report files you upload (PDFs or images), the test values extracted from them, and context you provide such as the reason for your lab visit, blood draw date, and weight or blood pressure at the time of the draw.
Chat data: messages and file attachments you exchange with the AI assistant about your results.
Payment information: records of your purchases. Payments are processed by Stripe; we never see or store your full card number.
Technical and consent records: the timestamp, IP address, and version of the consent you provide, kept as a legal audit trail, and basic session information needed to operate the service.
We use your information solely to:
We do not use your data for advertising, sell it to anyone, share it with data brokers, or use third-party analytics or advertising trackers on this site.
Your data is shared only with the service providers required to run Labcoat:
Google Gemini (AI analysis). Your uploaded lab files, relevant health profile information, and chat questions are sent to Google’s Gemini API to generate analysis. We use Google’s paid API tier, under which Google does not use your data to train its AI models. Google may retain API data for up to 55 days solely for abuse monitoring and policy enforcement.
Supabase (database and storage). Your account, health profile, lab reports, chat history, and consent records are stored with our database provider, Supabase, encrypted in transit and at rest, with row-level security so only your account can access your records.
Stripe (payments). Stripe processes payments and receives your email address and purchase details. Stripe never receives your health information.
We may also disclose information if required by law, such as in response to a valid legal process, and in that event we will notify you unless legally prohibited from doing so.
The demo profiles shown on our site contain real health data belonging to volunteers (including our founder) who have expressly consented to its public display. Demo data is never drawn from customer accounts.
Before you can use Labcoat, we ask for separate, explicit consent to (1) the collection of your health information, (2) its sharing with Google Gemini for analysis, (3) its storage with Supabase, and (4) our Terms of Service and this Privacy Policy. We record the time, IP address, and version of your consent.
You may withdraw your consent at any time by deleting your account from your dashboard or by emailing privacy@labcoat.net. Because all consents are necessary to provide the service, withdrawing consent means you will no longer be able to use Labcoat.
We retain your data for as long as your account exists. When you delete your account, we permanently delete your lab reports, analyses, chat history, health profile, and account records from our systems. Copies held by our providers expire on their own schedules: Google retains API data for no more than 55 days, and Stripe retains payment records as required by financial regulations.
Regardless of where you live, you can:
Washington residents: under the My Health My Data Act, you additionally have the right to withdraw consent for the collection and sharing of consumer health data, the right to have your consumer health data deleted, and the right to appeal a refusal. See our separate Consumer Health Data Privacy Policy for the full disclosures required by that law. To exercise these rights or appeal a decision, email privacy@labcoat.net.
California residents: your medical information is protected under the Confidentiality of Medical Information Act. You have the right to access and delete your information and the right to know it is never sold or shared for advertising. We do not and will not discriminate against you for exercising any privacy right.
We respond to all verified requests within 30 days.
Your data is encrypted in transit (TLS) and at rest. Database access is restricted with row-level security policies so each user can access only their own records. Administrative access is limited and authenticated, and payment webhooks are cryptographically verified. No system is perfectly secure, but we design for the sensitivity of the data you trust us with.
In the event of a breach of security involving your identifiable health information, we will notify you and the Federal Trade Commission as required by the FTC Health Breach Notification Rule — without unreasonable delay and no later than 60 days after discovery — and will tell you what happened, what data was involved, and what we are doing about it.
Labcoat is intended for adults. You must be at least 18 years old to use the service, and we do not knowingly collect information from anyone under 18. If you believe a minor has provided us data, contact us and we will delete it.
If we make material changes to this policy — especially any change to how your health data is shared — we will notify you and ask for your renewed consent before the change applies to you. The version and effective date at the top of this page will always reflect the current policy.
For privacy questions, data requests, or appeals: privacy@labcoat.net