Data Security & Privacy
Last updated: May 18, 2026
At ReadYourLab, we take data security and privacy seriously. Your medical documents and personal information are protected through multiple layers of security, encryption, and strict data handling policies. This page explains how we safeguard your sensitive health information.
1. We Never Sell Your Data
We never sell your data. Your medical documents, images, personal information, and analysis results are never sold, rented, or traded to advertisers, data brokers, or any other third party, and we never use them for advertising.
What this means: Your personal data is used solely to provide the AI-powered analysis you request and to operate and improve the Service. We do not monetize your personal data.
To run the Service, we rely on a few trusted providers that process data only on our behalf:
- Google Cloud — hosts our servers and stores your data, with all infrastructure located in the European Union.
- OpenAI API — performs the AI analysis of your documents and imaging.
- Modal.com — runs our image segmentation workloads.
Research and public statistics: We may use anonymized data to improve and research the Service. Only aggregated, anonymized statistics — never your personal or medical data — may be shared publicly.
2. Data Storage and Deletion
We apply different storage policies depending on the type of data you upload:
Document uploads (PDFs, images): Stored securely on our servers in their original format along with analysis reports. You can delete all of them at any time from your profile with a single click.
DICOM files: We store your uploaded DICOM files and analysis reports so you can view your scan, re-run analysis, and generate study summaries. For free users, DICOM files are deleted 1 month after upload.
User-controlled deletion: You may delete any upload at any time through the DICOM management page. Deletion permanently removes all related files from our servers.
3. Data Breach Protection
We implement multiple layers of protection to safeguard your data. For stored documents and DICOM files, we apply robust server-side security measures.
Security measures include:
- Stored DICOM images are accessible only to the authenticated account owner
- All stored data is encrypted at rest
- Access control enforces per-user data isolation
- Server access is restricted via SSH key authentication and firewall rules
We implement strong security measures to prevent unauthorized access. In the unlikely event of a security incident, encryption at rest ensures that stored data cannot be read without the proper decryption keys.
4. What We Store in Our Database
To provide you with a seamless experience and maintain conversation history, we store the following information in our encrypted databases:
Stored Information:
- Past conversations: Your chat history and Q&A sessions with the AI are stored so you can reference them later and continue conversations.
- User name and email address: Your contact information is stored (encrypted) to identify your account and send you analysis results.
- DICOM files and analysis reports: We store your uploaded DICOM files together with the generated analysis reports so you can view and re-analyze your scans. For free users, DICOM files are deleted 1 month after upload.
Encryption at rest: All stored data (conversations, name, and email) is encrypted before being stored in our databases using industry-standard encryption algorithms, ensuring it cannot be read even if database access is compromised.
Minimal data collection: We only collect and store the information necessary to provide you with analysis results, maintain conversation history, and respond to support inquiries.
Important Privacy Protections: While we store this information to provide you with service continuity, we maintain strict privacy protections:
- Never sold: As described in section 1, we never sell your conversations, name, email, or any other stored data, and never use it for advertising. It is shared only with the trusted infrastructure providers listed in section 1, strictly to operate the Service.
This stored information allows you to access your conversation history and receive personalized service, while maintaining the highest standards of privacy and security. Your medical documents and sensitive health information remain protected through encryption, strict access controls, and deletion you control.
5. SSL/TLS Encryption for All Communications
All communication between your browser and our servers is encrypted using SSL/TLS. This ensures that your data is protected while in transit over the internet.
HTTPS encryption: All connections to ReadYourLab use HTTPS (SSL/TLS), which encrypts data as it travels between your device and our servers.
Protected uploads: When you upload medical documents, the transfer is encrypted, preventing interception or tampering.
Secure API calls: All API requests and responses are encrypted, ensuring your data remains protected throughout the analysis process.
How to verify: Look for the padlock icon in your browser's address bar when visiting ReadYourLab. This indicates that your connection is encrypted and secure.
6. User-Controlled Browser Storage
The application stores user metadata in browser local storage, where you have full control. Some non-sensitive information (like your name and email preferences) may be stored locally in your browser for convenience, but this data never leaves your device and you can delete it at any time.
What is stored locally in your browser:
- UI preferences (like theme settings)
- Session information (to maintain your session while using the site)
Your control: You can clear this data at any time through your browser settings. Local storage is managed entirely by your browser and is not accessible to our servers.
No medical data: Medical documents, images, analysis results, and other sensitive health information are never stored in browser local storage.
How to clear: You can clear local storage by going to your browser's settings and clearing site data, or by using your browser's developer tools. This will remove any locally stored information.
7. Google Sign-In Data
If you choose to sign in with Google, we receive only the minimum identity information needed to create and access your account. Google Sign-In is offered as a convenient alternative to email and password — using it is entirely optional, and the email/password flow remains available.
What we receive from Google when you sign in:
- Your name — used as your display name and on your generated analysis reports.
- Your email address — used as your account identifier and to send analysis results, verification messages, and important account notices.
- A unique Google account ID (an opaque numeric identifier provided by Google) — stored so we can recognize you on return visits without exposing your password.
- An indicator that Google has verified your email — lets us skip the separate email-verification step you would otherwise complete after a password signup.
What we do not receive or do, by design:
- We do not receive your Google password — Google never shares it with us.
- We do not read your Gmail, contacts, calendar, Google Drive, photos, or any other Google service data — we never request those permissions.
- We do not post anything on your behalf or take any action in your Google account.
- We do not sell, rent, or share this identity information with advertisers, data brokers, or any other third party for their own purposes, consistent with the no-selling policy in section 1.
- We do not use Google Sign-In data for advertising, profiling, or any purpose other than account access and the medical-document analysis you specifically request.
How the information is protected: The name, email address, and Google account ID are stored using the same encryption-at-rest protections described in section 4. They are isolated to your account, accessible only to you and our automated systems for delivering the analysis service.
You can stop using Google Sign-In at any time by deleting your account from your profile page. We retain the identity information associated with your account only for as long as the account exists; on deletion, it is removed together with the rest of your account data.
Security Summary
ReadYourLab implements a comprehensive security model designed to protect your sensitive medical information:
- No selling of your data - We never sell your data or use it for advertising; it is shared only with trusted EU-based infrastructure providers to run the Service
- DICOM files stored securely - Your uploaded DICOM files are stored so you can view and re-analyze your scans, and you can delete them at any time
- Access control - Per-user data isolation ensures you can only access your own data
- Encrypted stored data - Past conversations, name, email, and database records are encrypted at rest and never shared
- SSL/TLS encryption - All communications are encrypted in transit
- Retention for free users - DICOM files from free users are deleted 1 month after upload
- User-controlled deletion - Delete any stored DICOM files or clear browser storage at any time
- Google Sign-In is optional and minimal - When used, we receive only your name, email, and a Google account ID; no Gmail, contacts, calendar, or other Google data is requested or accessed
Questions About Security?
If you have questions about our data security practices or privacy policies, please use our contact form and we'll get back to you.