Privacy Policy
Last updated: February 5, 2026
1. Information We Collect
We collect information you provide directly to us, including:
- Account information: Name, email address, password (hashed)
- Health information: Health metrics, biomarker results, symptoms, medications, and health goals you share during onboarding and through our services
- Documents: Lab results, medical reports, and other health documents you upload
- Wearable data: Health metrics synced from connected devices (heart rate, sleep, activity, glucose, etc.)
- Payment information: Billing details processed through Stripe (we do not store full card numbers)
- Communications: Messages with our support team and AI assistant
- Usage data: How you interact with our platform (pages visited, features used)
2. How We Use Your Information
We use the information we collect to:
- Provide personalized health insights and recommendations
- Process orders and deliver test kits
- Analyze your health data using our AI systems
- Connect you with healthcare practitioners (with your consent)
- Improve our services and develop new features
- Send important updates about your account and orders
- Comply with legal obligations
We will only use your health information for the purposes for which it was collected, unless you give us consent for additional uses.
3. Data Security
We implement industry-standard security measures to protect your data:
- Encryption in transit: All data transmitted between your device and our servers uses TLS 1.3 encryption
- Encryption at rest: Your data is encrypted at rest in our database (Neon PostgreSQL with AES-256 encryption)
- Password security: Passwords are hashed using bcrypt with a cost factor of 12
- Multi-factor authentication: Optional TOTP-based 2FA available for enhanced account security
- Access controls: Role-based access ensures only authorized personnel can access your data
- Audit logging: All access to sensitive data is logged for security monitoring
- Regular security reviews: We conduct regular security assessments of our systems
4. Data Sharing
We do not sell your personal information. We may share data with:
- Healthcare practitioners: When you book a consultation, the practitioner can access your health data during a defined access window (with your explicit consent)
- Lab partners: To process your biomarker tests (minimum data required for testing)
- Payment processors: Stripe processes payments on our behalf
- Service providers: Third parties who help us operate our platform (see Section 9)
- Law enforcement: When required by law or to protect rights and safety
For clinician consultations, you can review and modify what data is shared before each session. Access is time-limited and logged.
5. Your Rights
Under Australian and New Zealand privacy laws, you have the right to:
- Access: Request a copy of all personal information we hold about you
- Correction: Request correction of inaccurate or incomplete information
- Deletion: Request deletion of your personal information (see Section 7)
- Data portability: Export your data in standard formats (CSV, FHIR JSON)
- Withdraw consent: Revoke consent for data collection or sharing at any time
- Restrict processing: Ask us to limit how we use your data
- Complain: Lodge a complaint with the relevant privacy regulator
To exercise any of these rights, visit your Account Settings or contact us at privacy@longevitylabs.com. We will respond to your request within 20 working days (NZ) or 30 days (AU).
6. Data Retention
We retain your data for as long as necessary to provide our services and comply with legal obligations:
| Data Type | Retention Period |
|---|---|
| Account information | Until account deletion + 30 days |
| Health information | Until account deletion |
| Test results | 7 years (medical record requirements) |
| Order/payment records | 7 years (financial record requirements) |
| Clinician access logs | 7 years (audit requirements) |
| Chat history | Until account deletion |
| Wearable device data | Until account deletion or integration disconnected |
After the retention period, data is either permanently deleted or anonymized for aggregate analytics purposes.
7. Account Deletion
You can request deletion of your account at any time through your Account Settings. The deletion process works as follows:
- Submit a deletion request through your account
- Confirm the request via email link
- 14-day grace period: You can cancel the request during this time
- After 14 days, all personal data is permanently deleted
- We send a confirmation email when deletion is complete
Before deleting: We recommend exporting your data first. You can download your health data in CSV or FHIR JSON format from the Health Data Export page.
What is retained: Anonymized order records (for financial compliance) and audit logs of the deletion request are retained for 7 years as required by law.
8. Data Breach Notification
In the event of a data breach that is likely to result in serious harm:
- We will notify the relevant privacy regulator (OAIC and/or NZ Privacy Commissioner)
- We will notify affected individuals as soon as practicable
- Notification will include: what happened, what data was affected, what we're doing, and what you can do
We maintain a comprehensive data breach response plan and conduct regular security training.
9. International Data Transfers
Your data may be processed by service providers located outside Australia and New Zealand. We use the following third-party services:
| Service | Location | Purpose |
|---|---|---|
| Neon (Database) | United States | Data storage |
| Vercel (Hosting) | United States | Application hosting |
| Stripe (Payments) | United States | Payment processing |
| Resend (Email) | United States | Email delivery |
| Google Cloud (AI) | United States | AI analysis |
| Terra / Open Wearables | Various | Wearable device integration |
These providers are contractually obligated to protect your data in accordance with applicable privacy laws. The United States is not considered to have equivalent privacy protections to Australia or New Zealand; however, our service providers maintain appropriate safeguards including encryption and access controls.
10. New Zealand Privacy Laws
For users in New Zealand, we comply with:
- Privacy Act 2020 — governing the collection, use, and disclosure of personal information
- Health Information Privacy Code 2020 — providing additional protections for health information including the 13 rules governing health agencies
You may lodge a complaint with the Office of the Privacy Commissioner if you believe your privacy rights have been breached:
- Website: www.privacy.org.nz
- Phone: 0800 803 909
11. Australian Privacy Laws
For users in Australia, we comply with:
- Privacy Act 1988 (Cth) — the primary legislation governing privacy in Australia
- Australian Privacy Principles (APPs) — setting out standards for handling personal information
- Notifiable Data Breaches (NDB) scheme — requiring notification of eligible data breaches
Health information is treated as "sensitive information" under Australian law and receives additional protections. We will only collect health information with your consent and for purposes directly related to providing our services.
You may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) if you believe your privacy rights have been breached:
- Website: www.oaic.gov.au
- Phone: 1300 363 992
12. Cookies and Tracking
We use essential cookies for authentication and session management. We do not use third-party analytics or advertising tracking cookies. Your browser settings can be adjusted to refuse cookies, but this may affect your ability to use our services.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by email and/or by posting a notice on our website at least 14 days before the changes take effect.
14. Contact Us
If you have questions about this Privacy Policy or wish to exercise your privacy rights, please contact our Privacy Officer:
- Email: privacy@longevitylabs.com
- Response time: Within 20 working days (NZ) or 30 days (AU)
Longevity Labs Pty Ltd
ABN: [To be added]
Registered in Australia