Privacy Policy

Last updated: May 20, 2026

1. Information we collect

We collect information you provide directly to us, including account information such as name, email address, and hashed password; health information such as health metrics, biomarker results, symptoms, medications, and health goals you share during onboarding and through our services; documents such as lab results, medical reports, and other health documents you upload; wearable or device data such as heart rate, sleep, activity, glucose, and related metrics if you connect an integration; payment metadata processed through Stripe, excluding full card numbers; support communications and health assistant messages; and usage data such as pages visited and features used.

Health information is sensitive information. We collect it only for purposes connected with providing the platform, supporting optional practitioner access with your consent, processing orders, improving services, and meeting legal obligations.

2. How we use information

We use information to provide personalised educational health insights and recommendations, process orders and deliver test kits, analyse health data to generate summaries, connect you with independent healthcare practitioners where you choose and consent, improve our services and develop new features, send important account and order updates, protect security, prevent misuse, and comply with legal obligations.

We will only use your health information for the purposes for which it was collected, or for directly related purposes you would reasonably expect, unless you give consent for additional uses or the law permits or requires another use.

3. Data security

We use security controls intended to protect personal and health information, including encryption in transit, encrypted database storage, password hashing, access controls, optional multi-factor authentication, audit logging for sensitive data access, and regular security reviews.

No system can be guaranteed perfectly secure. You are responsible for keeping your account credentials secure and notifying us promptly if you suspect unauthorised access.

4. Data sharing

We do not sell personal information. We may share information with independent healthcare practitioners when you book a consultation and grant access; lab partners to process biomarker tests; Stripe and other payment processors; service providers who help operate, host, secure, analyse, or support the platform; shipping and fulfilment providers; regulators, law enforcement, courts, or other parties where required by law; and professional advisers where reasonably necessary.

For clinician consultations, you can review and modify what data is shared before each session. Access is time-limited and logged.

5. Your rights

Depending on your location and applicable law, you may have rights to access personal information we hold about you, request correction of inaccurate or incomplete information, request deletion, export data in supported formats, withdraw consent for certain collection or sharing, restrict or object to certain processing, and lodge a complaint with the relevant privacy regulator.

To exercise privacy rights, visit Account Settings or contact privacy@longevitylabs.com. We aim to respond within 20 working days for New Zealand requests and 30 days for Australian requests, subject to applicable law.

6. Data retention and account deletion

We retain account information until account deletion plus a short operational period; health information, chat history, and wearable data until account deletion or integration disconnection unless a longer period is legally required; test results, order and payment records, clinician access logs, deletion audit records, and other compliance records for periods reasonably required by law, accounting requirements, dispute handling, audit, or regulatory obligations.

You can request deletion of your account through Account Settings. The deletion process includes a confirmation step and a 14-day grace period. After the grace period, personal data is permanently deleted or anonymised unless retention is required by law or for legitimate compliance purposes.

7. Data breach notification

If a data breach is likely to result in serious harm, we will notify the relevant privacy regulator, such as the New Zealand Privacy Commissioner or the Office of the Australian Information Commissioner, and affected individuals as required by applicable law.

Notifications will describe what happened, what data was affected, what we are doing, and steps you can take.

8. International data transfers and service providers

Your information may be processed by service providers located outside Australia and New Zealand, including providers in the United States. Current provider categories include database hosting, application hosting, payment processing, email delivery, health data analysis, wearable device integration, analytics, and support tooling.

We require service providers to protect information through contractual, technical, and organisational safeguards. Some countries may not have privacy protections equivalent to those of Australia or New Zealand.

9. New Zealand and Australian privacy laws

For users in New Zealand, we handle personal information in line with the Privacy Act 2020 and, where applicable, the Health Information Privacy Code 2020. You may lodge a complaint with the Office of the Privacy Commissioner at privacy.org.nz or by calling 0800 803 909.

For users in Australia, we handle personal information in line with the Privacy Act 1988, the Australian Privacy Principles, and the Notifiable Data Breaches scheme where applicable. Health information is sensitive information under Australian law and receives additional protections. You may lodge a complaint with the Office of the Australian Information Commissioner at oaic.gov.au or by calling 1300 363 992.

10. Cookies and tracking

Essential cookies are required for authentication, session management, security, and core platform functionality. These cannot be disabled through the platform.

With your consent, we may use analytics tools such as Google Analytics, PostHog, and Vercel Analytics to understand platform usage and performance. We configure analytics to avoid collecting personal health information. With your consent, we may use marketing pixels to measure advertising effectiveness, and we do not intentionally include personal health information in marketing data.

You can manage cookie preferences by clearing browser cookies and revisiting the site, which will redisplay the consent banner. You can also set your browser to refuse cookies, but this may affect platform functionality.

11. Changes and contact

We may update this Privacy Policy from time to time. If a change is material, we will take reasonable steps to notify you, such as email notice, a website notice, or requiring renewed acceptance before continued use of affected features.

If you have questions about this Privacy Policy or wish to exercise privacy rights, contact our Privacy Officer at privacy@longevitylabs.com. Longevity Labs Pty Ltd is registered in Australia.