# Privacy Policy for Lab+
**Last updated:** April 16, 2026
**Effective date:** upon first public release of Lab+ on the Apple App Store.
Lab+ ("we", "us", "our") is an iOS application that helps wet-lab researchers design and pressure-test experiment plans with the assistance of artificial intelligence. This Privacy Policy explains what information we collect, why we collect it, and how we handle it.
By creating an account or using Lab+, you agree to the terms of this Privacy Policy. If you do not agree, please do not use the app.
---
## 1. Who we are
Lab+ is developed and operated by **Relja Bulajic** and **Rastko Todorovic** (together, "Lab+", "we"), acting as independent co-founders.
Location: **Belgrade, Serbia**
Contact: **reljapps@gmail.com**
If you have questions about this policy or about your data, email us at the address above.
---
## 2. Information we collect
### 2.1 Information you provide
- **Account data:** email address, password (hashed), and, if you sign in with Apple, the name and email Apple relays to us.
- **Lab profile:** lab name, institution, budget level, equipment list, preferred assays, default cell types.
- **Experiment content:** research questions, cell types, perturbation details, conditions, timeline, readouts, topic tags, and any additional notes you enter into the app.
- **Attachments:** any photos, PDFs, or files you attach to an experiment run (e.g. gel images, microscopy screenshots, protocols).
- **AI feedback interactions:** which controls, suggestions, or flags you accept or ignore.
### 2.2 Information collected automatically
- **Authentication metadata:** sign-in timestamps and sessions (managed by Supabase Auth).
- **Diagnostic information:** crash reports and basic device information if you opt in to share them with Apple via iOS system settings. We do not operate our own analytics SDK.
### 2.3 Information we do **not** collect
- We do not use advertising SDKs.
- We do not track you across other apps or websites.
- We do not collect your precise location, contacts, calendar, health data, microphone, or browsing history.
- We do not sell your data. Ever.
---
## 3. How we use your information
We use the information above solely to operate and improve Lab+:
1. **Provide the core service** — store your experiment plans, reviews, projects, and attachments so you can access them across sessions and devices.
2. **Generate AI reviews** — your research question and experimental parameters are sent to our backend (Supabase Edge Functions), which in turn calls the OpenAI API (see §4) to produce design critiques, control recommendations, and literature suggestions.
3. **Search public literature** — a distilled keyword query is sent to the NCBI PubMed (E-utilities) public API. We do not send your account identifier, email, or attachments to PubMed.
4. **Maintain account security** — detect and block unauthorized access and abusive usage.
5. **Communicate with you** — respond to support requests you send to us.
We do **not** use your experiment content to train AI models. See §4.
---
## 4. Third-party services
Lab+ relies on the following processors. Each is used only to the extent necessary to operate the app.
| Provider | Purpose | Data shared |
|---|---|---|
| **Apple** (Sign in with Apple, App Store, iCloud for device-level backups) | Authentication, app distribution | Email, name (if you choose), device info |
| **Supabase** (database, auth, storage, edge functions) | Backend hosting for accounts, plans, attachments | All information listed in §2.1 |
| **OpenAI** (GPT-4o via the OpenAI API) | AI-generated experiment critiques | Research questions and experimental parameters you enter (no email, name, or password) |
| **NCBI PubMed (E-utilities)** | Public scientific literature search | Distilled keyword queries only |
**OpenAI data handling.** Per OpenAI's API data-usage policy, data submitted through the API is **not** used to train OpenAI's models. OpenAI retains API inputs for up to 30 days for abuse monitoring, after which they are deleted, unless a longer period is required by law. See https://openai.com/policies/api-data-usage-policies.
We do not share your data with any other third parties for their own purposes.
---
## 5. Where your data is stored
Account data, experiment plans, and attachments are stored in Supabase infrastructure located in the **European Union (Ireland, West EU region)**. Data is encrypted in transit (TLS) and at rest.
Because OpenAI's API endpoints are operated globally, sending a prompt to OpenAI may result in your research question being transferred outside your country of residence, including to the United States. By using the AI features of Lab+, you consent to this transfer.
---
## 6. Artificial intelligence — important limitations
Lab+ uses large language models to generate suggestions about experiment design, controls, statistics, and related literature. **AI output can be inaccurate, incomplete, fabricated, or misleading.** Lab+:
- is **not** a medical device, clinical decision tool, or substitute for scientific judgment;
- is intended for educational and planning purposes by trained researchers;
- does **not** guarantee the accuracy, safety, or reproducibility of any experiment it reviews.
You are solely responsible for the experiments you run. Always verify AI-generated recommendations with your supervisor, institutional protocols, and the primary literature before acting on them.
---
## 7. How long we keep your data
- **Account and experiment content:** kept while your account is active.
- **Attachments:** kept while your account is active.
- **After account deletion (see §8):** all account data, experiment content, and attachments are permanently deleted from our active systems. Encrypted backups may retain residual copies for up to **30 days**, after which they are purged.
- **OpenAI inputs:** retained by OpenAI per §4 (up to 30 days).
---
## 8. Your rights and how to exercise them
You have the following rights with respect to your personal data:
- **Access** — request a copy of what we store about you.
- **Correction** — update or correct inaccurate information directly in the app (Profile screen) or by contacting us.
- **Deletion** — delete your entire account and all associated data from within the app via **Profile → Delete Account**. This is permanent and cannot be undone.
- **Portability** — request an export of your data by emailing us.
- **Objection / restriction** — object to, or request restriction of, specific processing activities.
- **Withdraw consent** — withdraw consent at any time by deleting your account.
If you are in the European Economic Area, the United Kingdom, Serbia, or California, you also have rights under the EU GDPR, UK GDPR, Serbia's Law on Personal Data Protection ("Zakon o zaštiti podataka o ličnosti"), or CCPA/CPRA respectively, including the right to lodge a complaint with your local data-protection authority (in Serbia, the *Poverenik za informacije od javnog značaja i zaštitu podataka o ličnosti*).
To exercise any of these rights, email **reljapps@gmail.com**. We respond within 30 days.
---
## 9. Security
We implement technical and organizational safeguards appropriate to the sensitivity of the data, including:
- TLS encryption for all network traffic;
- encryption at rest for databases and storage;
- row-level security policies that restrict each user's data access to their own account;
- key rotation and least-privilege access for backend services.
No system is perfectly secure. If we become aware of a breach that affects your data, we will notify you and the appropriate regulators as required by law.
---
## 10. Children
Lab+ is intended for use by researchers and students aged **17 or older**. We do not knowingly collect personal information from children under 13 (or 16 in the EEA/UK). If you believe a child has created an account, contact us and we will delete it.
---
## 11. Changes to this policy
If we materially change this Privacy Policy, we will update the "Last updated" date above and, where required, notify you in-app or by email before the change takes effect. Continued use of Lab+ after a change constitutes acceptance.
---
## 12. Contact
Questions, requests, or complaints about this policy:
**Relja Bulajic & Rastko Todorovic** — Lab+ co-founders
Email: **reljapps@gmail.com**
Belgrade, Serbia
---
*Lab+ is an independent product and is not affiliated with Apple Inc., OpenAI, the National Institutes of Health, or any institution referenced in the app.*