1. Overview
Lab Accurate, Inc. (“we,” “us,” or “our”) operates the Lab Accurate platform at app.labaccurate.com. This Privacy Policy explains what information we collect, how we use it, how we store it, and your rights regarding your data. We are committed to protecting the privacy and security of everyone who uses our platform.
This policy applies to all users of the Lab Accurate platform, including lab staff (Customer users) and their clients who access the Client Portal. It also applies to visitors of our website.
2. Information We Collect
When you create an account and use Lab Accurate, we may collect the following types of information:
- Account information — your name, email address, phone number, job title, and lab or company name
- Billing information — billing address, subscription plan, and payment history (credit card numbers are never stored on our servers — see “Payment Processing” below)
- Lab and sample data — sample submissions, test requests, test results, certificates of analysis (CoAs), inventory records, quality management records, and any other data you enter into the platform
- Client data — information about your lab’s clients, including company names, contact details, and associated sample and billing records
- Usage data — pages visited, features used, timestamps, browser type, and general interaction patterns that help us improve the platform
3. How We Use Your Information
We use the information we collect to:
- Operate and maintain the Lab Accurate platform and your account
- Process subscription billing through our payment provider
- Provide customer support and respond to your inquiries
- Improve the platform’s features, performance, and reliability
- Send essential account notifications (billing confirmations, security alerts, service updates)
- Generate aggregated, anonymized analytics to improve our product (individual user data is never shared)
- Fulfill our contractual obligations to you under the Terms of Service
We do not use your data for marketing purposes unless you have explicitly opted in to receive marketing communications. We do not use your lab data or sample data to train artificial intelligence models or for any purpose other than providing the Service to you.
4. Payment Processing
All payment processing is handled by Authorize.net. Credit card numbers, expiration dates, and security codes are transmitted directly to Authorize.net using their Accept.js tokenization technology. We never store credit card numbers on our servers. Authorize.net manages recurring billing through their Automated Recurring Billing (ARB) service. All billing is processed through Lab Accurate, Inc.
5. Data Storage and Security
Your data is stored in a MySQL database on our hosting provider’s infrastructure (Kualo). All data transmitted between your browser and our servers is encrypted in transit via HTTPS/TLS. We employ industry-standard security practices, including:
- Access controls and role-based permissions with multi-tenant isolation
- Secure authentication via JWT-based sessions
- Encrypted data transmission (HTTPS/TLS)
- Regular security reviews and monitoring
- Blockchain-anchored validation for data integrity verification
6. Who Can Access Your Data
Access to your data is strictly controlled:
- Lab staff see only data belonging to their own lab (multi-tenant isolation ensures no cross-lab data access)
- Lab clients see only their own submissions, results, and billing records through the Client Portal
- Lab Accurate support staff may access your account data when necessary to provide technical support or resolve issues you report to us
- Sub-processors listed in Section 8 below may process limited data as necessary to provide their respective services
We do not provide data access to any other third parties except as described in the “Legal Compliance” section below.
7. We Do Not Sell Your Data
We will never sell, rent, or trade your personal information or lab data to third parties for marketing, advertising, or any other commercial purpose. This commitment applies to all categories of data we collect. Your data is yours. For purposes of the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA): we do not sell or share personal information as those terms are defined under California law.
8. Sub-Processors
We use the following third-party service providers (“sub-processors”) to help deliver the Service. Each sub-processor processes only the minimum data necessary for its specific function:
| Sub-Processor | Purpose | Data Processed |
|---|---|---|
| Kualo (Hosting) | Application hosting and database storage | All platform data (encrypted at rest and in transit) |
| Authorize.net | Payment processing and recurring billing | Billing information, tokenized payment credentials |
| Anthropic (Claude API) | AI-powered features (OCR, result validation) | Sample form images and test result data submitted to AI features only; data is not retained by Anthropic after processing |
We will notify customers via email at least thirty (30) days before adding any new sub-processor. If you object to a new sub-processor, you may contact us to discuss your concerns or terminate your subscription.
9. Cookies and Local Storage
Lab Accurate uses a JSON Web Token (JWT) stored in your browser’s localStorage to maintain your authenticated session. We do not use third-party tracking cookies, advertising pixels, or behavioral analytics tools. The only browser storage we use is for authentication and essential platform functionality.
10. Data Retention
Lab data, sample records, test results, certificates of analysis, and quality management records are retained for a minimum of seven (7) years following account cancellation, or longer if required by applicable law. This retention period supports FDA audit compliance and regulatory requirements under 21 CFR Part 11 and 21 CFR Part 111 that may require access to historical testing records.
Account information (name, email, contact details) is retained for the duration of your subscription and for a reasonable period afterward to support any follow-up inquiries.
Usage data and server logs are retained for up to twelve (12) months and then automatically purged.
11. Data Deletion (Right to Erasure)
You have the right to request deletion of your personal data. To exercise this right, contact us at support@labaccurate.com. Upon receiving a verified deletion request, we will:
- Delete or anonymize your personal account information (name, email, phone number, job title) within thirty (30) days
- Delete any non-regulatory data that is not subject to legal retention requirements
Regulatory exception: Certain lab data, sample records, test results, and quality management records may be subject to mandatory retention periods under FDA regulations (21 CFR Part 11, 21 CFR Part 111), ISO 17025:2017, or other applicable regulatory frameworks. We are unable to delete data that we are legally required to retain. In such cases, we will inform you of the specific regulatory basis for retention and will delete the data promptly upon expiration of the applicable retention period. Retained data will be anonymized to the extent possible while preserving regulatory compliance.
12. Data Export and Portability
You have the right to receive a copy of your data in a structured, commonly used, and machine-readable format. To request a data export, contact support@labaccurate.com. We will provide your data in CSV and/or JSON format within thirty (30) days of your request. Data exports include: sample records, test results, certificates of analysis, client records, invoice records, quality management records, and account information. This right may be exercised at any time during or after your subscription.
13. Data Breach Notification
In the event of a security breach that results in unauthorized access to, or disclosure of, your personal data or lab data:
- We will notify affected customers without undue delay and in no event later than seventy-two (72) hours after becoming aware of the breach, where feasible
- Our notification will include: the nature and scope of the breach, the categories and approximate number of records affected, a description of the measures taken or proposed to address the breach, and a point of contact for further information
- We will cooperate with any regulatory authorities as required by applicable law
- We will take immediate steps to contain and remediate the breach, including preserving evidence for investigation
If the breach is unlikely to result in a risk to your rights and freedoms, we may document the breach internally without individual notification, consistent with applicable law.
14. Legal Compliance
We may disclose your information if required to do so by law, in response to a valid court order, subpoena, or government regulatory inquiry (including FDA audits). We will make reasonable efforts to notify you of such requests unless prohibited by law from doing so. We will narrow the scope of any disclosure to the minimum necessary to comply with the legal obligation.
15. Your Rights
Depending on your jurisdiction, you may have some or all of the following rights regarding your personal information:
- Access — Request a copy of the personal information we hold about you
- Correction — Request correction of inaccurate or incomplete information
- Deletion — Request deletion of your personal data (subject to regulatory exceptions described in Section 11)
- Data portability — Request a copy of your data in a machine-readable format (see Section 12)
- Restriction — Request that we restrict processing of your personal data in certain circumstances
- Objection — Object to processing of your personal data for certain purposes
- Non-discrimination — Exercise any of these rights without receiving discriminatory treatment from us
To exercise any of these rights, contact us at support@labaccurate.com. We will respond to verified requests within thirty (30) days. If we need additional time, we will inform you of the reason and extension period (not to exceed an additional sixty days).
16. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to know — You may request that we disclose the categories and specific pieces of personal information we have collected about you, the sources from which it was collected, the business purpose for collecting it, and the categories of third parties with whom we share it.
- Right to delete — You may request deletion of your personal information, subject to certain exceptions (including regulatory retention requirements).
- Right to opt out of sale/sharing — We do not sell or share your personal information as defined under California law. No opt-out is necessary.
- Right to non-discrimination — We will not discriminate against you for exercising your CCPA/CPRA rights.
To submit a request, contact support@labaccurate.com. We may need to verify your identity before processing your request.
17. International Data Transfers
Lab Accurate’s servers are located in the United States. If you access the Service from outside the United States, your data will be transferred to and processed in the United States. By using the Service, you consent to this transfer. If you are located in the European Economic Area (EEA) or the United Kingdom and require Standard Contractual Clauses (SCCs) or other transfer mechanisms for GDPR compliance, please contact support@labaccurate.com and we will work with you to put appropriate safeguards in place.
18. Children’s Privacy
Lab Accurate is a business-to-business platform designed for use by laboratory professionals. We do not knowingly collect personal information from individuals under the age of 18. If we become aware that we have inadvertently collected personal information from a minor, we will take steps to delete that information promptly. If you believe a minor has provided us with personal information, please contact us at support@labaccurate.com.
19. Data Processing Agreement (DPA)
If your organization requires a formal Data Processing Agreement for GDPR, CCPA/CPRA, or other regulatory compliance, we offer a standard DPA addendum that covers: the scope and purpose of processing, sub-processor obligations, data subject rights, breach notification procedures, audit rights, and data transfer mechanisms. Contact support@labaccurate.com to request our DPA.
20. Changes to This Policy
We may update this Privacy Policy from time to time. When we make significant changes, we will notify you via email or through a notice on the platform at least thirty (30) days before the changes take effect. Your continued use of Lab Accurate after changes are posted constitutes your acceptance of the updated policy. If you do not agree with the updated policy, you may cancel your subscription before the changes take effect.
21. Contact Us
If you have questions or concerns about this Privacy Policy or how your data is handled, please contact us at:
Lab Accurate, Inc.
Salt Lake City, Utah, United States
Effective date: March 20, 2026 — Last updated: March 20, 2026