Privacy policy
Last updated: May 3, 2026
Summary
We collect the minimum data needed to give you a working supplement reference and personalised analysis. We do not sell your data. We do not store the raw bloodwork PDFs you upload. You can delete your account and all associated data at any time.
What we collect
- Account information. When you sign up, your email address is stored by our authentication provider (Supabase). We do not see or store your password — Supabase handles credentials with industry-standard hashing.
- Stack and routine data. The supplements you add, the medications you list, your scheduling preferences, and your saved stacks. This is associated with your account.
- Biometrics. Optional weight and height you enter for per-kilogram dose calculations.
- Bloodwork markers. Structured lab values (e.g. ferritin = 28 ng/mL) extracted from PDFs you upload. The raw PDF is processed in memory and discarded; only the extracted markers persist.
- Usage analytics. Page views, click events, and aggregated funnel data via PostHog. We tag analytics events with a stable identifier when you are signed in so we can compute funnels per user.
- Server logs. Standard web server logs (IP address, user agent, timestamps, request paths) for security and abuse prevention. Retained for 30 days.
What we do not collect
- Raw PDF files of your bloodwork. They are deleted from temporary storage after extraction.
- Payment information. We do not currently process payments. If we add paid tiers, payment will be handled by a regulated processor (e.g. Stripe), not us.
- Social Security Numbers, government ID numbers, or other regulated identifiers.
- Location data beyond the country-level inference from your IP address.
Third parties we use
- Supabase — authentication and database hosting.
- Vercel — application hosting and CDN.
- OpenRouter — large language model proxy used for bloodwork PDF text extraction. Your PDF is sent to OpenRouter for OCR and is not retained by them per their data retention policy.
- PostHog — product analytics. Configured to collect identified events only when you are signed in; pageviews are anonymous otherwise.
Each third party has its own privacy policy. We do not share your data with any party beyond what is required to operate the service.
Cookies and similar technologies
We use cookies and localStorage for authentication state, your saved routine, your medical disclaimer acknowledgement, and analytics. You can clear these through your browser settings; doing so will sign you out and reset your local routine.
Your rights
- Access. Request a copy of your data.
- Correction. Edit or correct your data through the app.
- Deletion. Delete your account and all associated data. Email us to request this until in-app self-serve deletion is available.
- Portability. Export your stack and bloodwork history as JSON on request.
- Opt out of analytics. Use Do Not Track or a privacy extension; we honour DNT for PostHog identification.
California residents (CCPA) and EU/UK residents (GDPR) have additional rights around their personal data. Contact us to exercise them.
Data retention
Account data and your stack history are retained until you delete your account. Bloodwork markers are retained until you delete the upload or your account. Server logs are retained for 30 days.
Children
Stack Lab is not directed at children under 18. We do not knowingly collect data from children. If you believe a child has provided us with personal information, contact us and we will delete it.
Changes to this policy
We may update this policy as the product evolves. Material changes will be notified in-app or by email. The "last updated" date at the top of this page reflects the most recent revision.
Contact
For privacy questions or to exercise your rights, contact us through the email address listed on our about page.