Privacy Policy
1. Plain-English summary
LabLogger is an electronic lab notebook. We store the entries, files, samples, tasks, and account information you give us so we can provide the service. We use Google’s Gemini AI to classify, clean up, and answer questions about your content — those API calls are not used to train Google’s public models. We do not sell your data, ever. Your entries are visible only to you, members of any lab you join, and people you explicitly share with.
2. Who we are
“LabLogger”, “we”, and “us” refer to the operating entity behind lab-logger.com. Contact: privacy@lab-logger.com.
3. What we collect
3.1 Account information
- Required: name, email, role (PI, postdoc, grad student, etc.), and a password hash (bcrypt) when you sign up with email + password. OAuth sign-up via Google captures the same fields from your Google profile.
- Optional: institution, lab name, profile bio, two-factor authentication secret (TOTP), Google OAuth tokens (only if you grant them — currently unused after the calendar feature was removed).
3.2 Notebook content
- Entries (raw text, AI-structured fields, images, attachments, tags, comments, references).
- Files you upload to My Files — stored as binary blobs alongside the entry data.
- Samples + sample event log entries.
- Tasks (manual or AI-extracted from entry text), including any deadlines you set.
- Voice transcripts. Voice dictation runs locally in your browser via the Web Speech API; only the resulting text is sent to our servers, never raw audio.
3.3 Operational + diagnostic data
- Server-side request logs (timing, status, route) retained 30 days for diagnostics.
- Sentry receives error events for production deployments only — stack traces, route, and a hashed user ID. Personal identifiers are scrubbed where we detect them.
- Append-only audit log of significant actions inside a lab (entry/comment/sample creation, role changes, share events). Used for the Lab admin compliance surface.
3.4 Access
This deployment does not collect payment information. Legacy plan fields can remain in the database for compatibility with migrated records, but they do not control feature access.
4. How we use your data
- To provide and operate the Service.
- To run the AI classification, organization, OCR, and Q&A features you actively trigger.
- To send transactional email — sign-in links, invitations, @-mention notifications, share notifications, task-due reminders, the optional daily digest.
- To detect and respond to abuse, fraud, or violations of our Terms.
- For aggregate, de-identified analytics about feature usage. We do not sell or share these aggregates with third parties for their own marketing.
5. How AI features handle your content
When you save an entry, ask Jethro a question, click AI organize on a folder, or import a PDF/image, the relevant content is transmitted to Google Gemini (model: 2.5 Flash) over the Gemini API for processing.
- Training data: Google’s Gemini API terms govern how prompts and outputs are handled. Review at ai.google.dev/gemini-api/terms.
- Retention at Google: Google may retain prompts for up to 60 days for abuse monitoring (per current Gemini API terms; verify the live policy when reading this).
- What we don’t do: we do not fine-tune models on your data, use your data to improve LabLogger classification quality without your consent, or transmit your data to any AI provider other than Google for the listed features.
- Opt-out: some AI features are core to the product (entry classification on save) and cannot be disabled without disabling LabLogger itself. Voice questions, AI organize, and AI restructure are fully opt-in per request.
6. Sharing & visibility within LabLogger
- Private workspace. Your entries are private to you by default.
- Lab Space. When you click Share to lab, a copy of the entry is added to your lab’s shared space and becomes visible to every member of that lab.
- Direct share. When you share an entry with a named user, only that user (and the recipient’s lab admin if applicable) can see it.
- Public share links. View-only links are public to anyone with the URL until you revoke them. Treat them like unlisted YouTube links — do not generate one for sensitive content.
- Lab admins can see member emails, role pills, and lab-shared content. Admins cannot see the private entries of their members.
7. Subprocessors
We rely on the following service providers to operate LabLogger. Each has its own privacy practices linked below.
| Provider | Role | Data shared | Region |
|---|---|---|---|
| Supabase | Database hosting (Postgres) | All notebook content, account data, audit log | US (configurable) |
| Vercel | App hosting + serverless functions | Request bodies during processing | US |
| Google (Gemini API) | AI classification, OCR, Q&A | Entry text, file content sent to AI features | Global (Google data centers) |
| Resend | Transactional email | Email content + recipient address | US |
| Liveblocks | Real-time collaborative editing | Entry document state when actively co-edited | US |
| Sentry | Error monitoring (production only) | Stack traces, hashed user ID | US |
We will provide 30 days’ notice before adding a new subprocessor that materially changes the data flow.
8. Your rights
8.1 Access, correction, export
You can review and edit most data directly from the app. You can export your entries as PDF, DOCX, LaTeX, Markdown, or Jupyter-compatible JSON at any time. To request a full data export (everything we store about you), email privacy@lab-logger.com; we’ll respond within 30 days.
8.2 Deletion
You can delete your account from Settings. On deletion:
- Your private entries, files, samples, and tasks are permanently removed within 30 days (immediate from the live database; up to 30 days to age out of backups).
- Entries you authored that were shared into a lab remain in that lab, attributed to your former display name, unless the lab admin requests removal. This mirrors how lab notebooks work historically — a postdoc’s notes don’t evaporate when they graduate.
- Lab admins can request bulk removal of a former member’s contributions; we honor these within 30 days.
8.3 GDPR (EU/UK/EEA users)
If you reside in the EU/UK/EEA, you have the rights of access, rectification, erasure (“right to be forgotten”), restriction of processing, data portability, and the right to object to processing for legitimate interests. Email privacy@lab-logger.com to exercise any of these. We act as the data controller for account data and as a processor for content you create on behalf of your lab/employer.
8.4 California (CCPA / CPRA)
California residents have the right to know what personal information we collect, to delete it, to correct it, and to opt-out of sale. We do not sell personal information.
9. Security
- In transit: TLS 1.2+ for every connection; HSTS enforced for lab-logger.com.
- At rest: Postgres data is encrypted at rest by our database provider. Files are stored encrypted in the same database (migrating to Vercel Blob is on the roadmap).
- Credentials: bcrypt password hashing. Optional TOTP two-factor authentication.
- Access: production database access is limited to maintainers and audited by the database provider’s access logs.
- Compliance posture: we are not yet SOC 2 audited or 21 CFR Part 11 validated. We don’t currently support storage of personal health information (PHI) governed by HIPAA — see Acceptable Use in the Terms.
10. Children’s privacy
LabLogger is not directed at children under 13 (or 16 in the EU/UK). If we discover that a child created an account, we will delete it. Undergraduate users 13+ are welcome but should review these terms with a parent or guardian where required by local law.
11. Cookies
We use essential cookies only — a NextAuth session token (HTTP-only) to keep you signed in, an active-organization cookie for lab switching, and an invite-code cookie used during sign-up. We do not use third-party advertising, retargeting, or tracking cookies.
12. International transfers
Our infrastructure is hosted in the United States. If you access LabLogger from outside the US, you consent to the transfer and processing of your data in the US under standard contractual clauses (where applicable to your jurisdiction).
13. Changes
We may update this Privacy Policy. Material changes will be announced via email and an in-product notice 30 days before they take effect for existing accounts.
14. Contact
General privacy inquiries, deletion requests, GDPR/CCPA requests, and law-enforcement inquiries: privacy@lab-logger.com.