Privacy Policy — LabReadAI

This Privacy Policy describes how the LabReadAI service (labreadai.com) processes user data. Please note: the service is operated under the jurisdiction of the Russian Federation; the legally binding version of this document is the Russian one available at labreadai.com/privacy. The English version below is provided as a courtesy translation.

1. Data controller

The data controller is Individual Entrepreneur Bormotkin Ivan Vasilyevich, INN 673203821665, OGRNIP 324670000039018, address: 214018, Russia, Smolensk Region, Smolensk, Gagarina Avenue 72, apt. 104. Contact: info@labreadai.com.

2. Processing principles

Personal data is processed lawfully and fairly, limited to specific predefined purposes, with the minimum necessary scope, and for the period required by those purposes.

3. Legal grounds

Personal data is processed on the following grounds:

  • User consent expressed by accepting the Terms of Use and Public Offer when using the service.
  • Performance of the contract for paid services.
  • Legitimate interests of the controller — protection of the service from abuse, bots, and automated attacks.

4. Categories of data processed

The controller processes the following categories of data:

  • Content of files uploaded by the user — processed automatically to extract data and generate interpretation; deleted immediately after processing.
  • Text data extracted from documents (lab parameters, study descriptions) — voluntarily provided by the user. May relate to special categories of data concerning health.
  • Patient information voluntarily entered by the user (sex, age, height, weight, complaints, conditions, medications) — used only within a single interpretation session.
  • IP address and technical session identifier — used for service protection, rate limiting, and bot mitigation.
  • Cookies and device identifiers — used for proper service operation and analytics (only with user consent).
  • Payment data (card number, holder name, expiry, CVV) — never transmitted to or stored by the controller. Payment operations occur entirely on the side of AO Tinkoff Bank (Tinkoff Kassa) under PCI DSS. The controller receives only the operation ID, status, amount, and masked card number for accounting.

5. Special category (health) data

By using the service, the user voluntarily and knowingly consents to processing of health-related data solely for the purpose of providing the automatic interpretation service. Consent may be withdrawn at any time by writing to info@labreadai.com.

6. Purposes of processing

  • Providing the automatic interpretation service for uploaded medical documents.
  • Performance of obligations under the Public Offer, including payment processing and refunds.
  • Protecting the service from abuse and ensuring its technical operation.
  • Anonymous user behaviour analytics (only with consent).
  • Compliance with applicable legislation.

7. Retention periods

Uploaded files are deleted immediately after extraction and result generation. The interpretation result is stored for 7 days from completion to allow re-viewing by the user, then automatically deleted. Payment transaction data is retained for the period required by accounting law (at least 5 years). Technical identifiers used for abuse prevention are retained for no more than 90 days.

8. Transfers to third parties

The controller transfers the minimum necessary amount of data to the following processors acting on the controller's instructions:

  • AO Tinkoff Bank (Tinkoff Kassa) — payment acceptance. Transferred: amount, currency, order ID, user email (if available).
  • Cloud AI providers (OpenRouter and similar text-processing providers) — for generating the interpretation. Transferred: anonymous text of parameters without user identifiers. Files and personally identifying information are not transferred.
  • Yandex Metrica — anonymous web analytics, only with user consent for cookies.

The controller does not sell or commercially share personal data with third parties or advertising networks. Cross-border data transfers may occur when using foreign AI providers; such transfers are limited to anonymous content and occur only with user consent expressed through service use.

9. User rights

The user has the right to:

  • Receive information about the processing of their personal data.
  • Request correction, blocking, or deletion of incomplete, outdated, inaccurate, or unlawfully obtained data.
  • Withdraw previously given consent at any time.
  • Lodge a complaint with the supervisory authority (Roskomnadzor) or the courts.

To exercise rights, send a request to info@labreadai.com. Response time — up to 30 days.

10. Security measures

  • HTTPS/TLS encryption for data transmission.
  • Restricted access to server infrastructure with authentication and audit logging.
  • Files deleted immediately after processing; data minimisation.
  • Payment perimeter (PCI DSS) isolated on the processor's side.
  • Regular software updates and use of technical security controls.

11. Cookies

The service uses strictly necessary technical cookies (session, bot protection) and analytics cookies (Yandex Metrica) — the latter only after the user's explicit consent. Consent for analytics cookies can be withdrawn at any time via browser settings; the service continues to operate.

12. Changes to this Policy

The controller may amend this Policy. The current version is always available at labreadai.com/privacy. Material changes are published at least 7 days in advance.

13. Contact

For any questions regarding personal data processing, please contact: info@labreadai.com.

Last updated: May 1, 2026.