Privacy Policy
This Personal Data Processing Policy (hereinafter the "Policy") has been developed in accordance with the requirements of Federal Law No. 152-FZ of July 27, 2006 "On Personal Data" and sets out the procedure for processing the personal data of users of the LabReadAI service (hereinafter the "Service"), available at labreadai.com.
1. Personal Data Operator
The personal data operator is Individual Entrepreneur Ivan Vasilyevich Bormotkin, INN 673203821665, OGRNIP 324670000039018, address: 214018, Россия, Смоленская обл., г. Смоленск, пр-кт Гагарина, д. 72. The operator's contact for matters relating to personal data processing: info@labreadai.com.
2. Processing Principles
Personal data is processed on a lawful and fair basis, is limited to the achievement of specific, predefined, and legitimate purposes, is conducted with the minimum necessary set of data, and for a period not exceeding the purposes of processing. The merging of personal data databases processed for incompatible purposes is not permitted.
3. Legal Grounds
Personal data is processed on the following grounds:
- The consent of the personal data subject, expressed through acceptance of the User Agreement and the Public Offer when using the Service (clause 1, part 1, article 6 of Federal Law No. 152-FZ).
- Performance of a contract to which the personal data subject is a party — for processing payments and providing paid services (clause 5, part 1, article 6 of Federal Law No. 152-FZ).
- The exercise of the operator's rights and legitimate interests — to protect the Service from abuse, bots, and automated attacks (clause 7, part 1, article 6 of Federal Law No. 152-FZ).
4. Categories of Data Processed
The operator processes the following categories of data:
- The content of files uploaded by the user (images and PDFs of medical documents): processed automatically to extract textual data and generate a decoding, deleted at the end of the retention period.
- Textual data extracted from documents (test indicators, study descriptions): data that the user voluntarily provides to the Service in order to obtain a decoding. This data may relate to special categories of personal data concerning health status.
- Patient information voluntarily entered by the user (sex, age, height, weight, complaints, chronic diseases, medications taken): used only within a single decoding session.
- IP address and technical session identifier: used to protect the Service, limit request frequency, and prevent automated attacks.
- Cookies and device identifiers: used for the proper operation of the Service and for analytics (only with the user's consent).
- Payment data (card number, cardholder name, expiry date, CVV): not transmitted to or stored on the operator's servers. Payment transactions are carried out directly on the side of the processing company JSC "Tinkoff Bank" (Tinkoff Kassa) in compliance with PCI DSS requirements. The operator receives only the transaction identifier, status, amount, and masked card number for accounting purposes.
5. Special Status of Health Data
The user confirms that the provision of information about their health status (the content of medical documents, test indicators, patient information) is carried out voluntarily and knowingly, and grants the operator consent to process such information in accordance with clause 1, part 2, article 10 of Federal Law No. 152-FZ — solely for the purpose of providing the automated decoding service. Consent may be withdrawn at any time by contacting info@labreadai.com.
6. Processing Purposes
- Providing the service of automated decoding of medical documents uploaded by the user.
- Performance of obligations toward the user under the concluded contract (the Public Offer), including the processing of payments and refunds.
- Protecting the Service from abuse and ensuring its technical operability.
- Analysis of user behavior in anonymized form (only where consent is given).
- Compliance with the requirements of the legislation of the Russian Federation.
7. Retention Periods
Uploaded files are stored for up to 1 year from the moment of upload and are then automatically deleted. The decoding result is stored for 1 year from the moment it is ready — to allow the user to view it again — and is automatically deleted upon the expiry of this period. Data on payment transactions is stored for the period established by accounting legislation (at least 5 years). Technical identifiers used to protect against abuse are stored for no more than 90 days; upon withdrawal of consent, they are deleted within 30 days.
8. Transfer of Data to Third Parties
The operator transfers the minimum necessary amount of data to the following processors acting on the operator's instructions in accordance with part 3, article 6 of Federal Law No. 152-FZ:
- JSC "Tinkoff Bank" (Tinkoff Kassa) — acceptance of user payments. The following are transferred: amount, currency, order identifier, and the user's email (if available).
- Providers of cloud-based AI models (OpenRouter and similar text-processing providers) — for generating the decoding. The following is transferred: anonymized text of the indicators without user identifiers. Files and personally identifying information are not transferred.
- LLC "Yandex" (Yandex.Metrica) — anonymized web analytics, only where the user has consented to the use of cookies.
The operator does not transfer personal data to third parties for commercial purposes and does not sell it or provide access to it to advertising networks. Cross-border transfer of data may take place when using foreign AI providers; such transfer is limited to anonymized content and is carried out only with the user's consent, expressed when using the Service.
9. Rights of the Personal Data Subject
In accordance with article 14 of Federal Law No. 152-FZ, the user has the right to:
- Obtain information concerning the processing of their personal data.
- Demand the clarification, blocking, or destruction of their personal data if it is incomplete, outdated, inaccurate, or unlawfully obtained.
- Withdraw previously given consent to the processing of personal data at any time.
- Appeal against the operator's actions or inaction to Roskomnadzor or in court.
To exercise these rights, send a request to info@labreadai.com. The response period is no more than 30 days.
10. Protection Measures
- Encryption of data transmission via the HTTPS/TLS protocol.
- Restriction of access to the server infrastructure through authentication and logging.
- Deletion of files at the end of the retention period, and minimization of stored data.
- Isolation of the payment circuit (PCI DSS) on the side of the processing company.
- Regular software updates and the application of technical protection measures.
11. Cookies
The Service uses strictly necessary technical cookies for proper operation (maintaining the session, protection against bots) and analytical cookies (Yandex.Metrica) — only after the user's explicit consent. The user may withdraw consent to the use of analytical cookies at any time by clearing them in the browser settings; the Service continues to operate in this case.
12. Changes to the Policy
The operator has the right to make changes to this Policy. The current version is always available at labreadai.com/privacy. Material changes are published at least 7 days before they take effect. Continued use of the Service after the publication of changes constitutes consent to the new version.
13. Contacts
For questions regarding the processing of personal data, the exercise of the personal data subject's rights, and other matters related to this Policy, please contact: info@labreadai.com.
Special categories of personal data, including data concerning health, are processed on the basis of separate consent — see the Consent to the Processing of Personal Data.
Last updated May 1, 2026