Your health data, in plain English.
We wrote this policy to be readable, not just legally compliant. If you have questions after reading it, email us.
Last updated: May 28, 2026
The 60-second version
- Meridix Labs requires an account to use most tools end-to-end. We save your profile, lab analyses, diagnosis and symptom sessions, chat messages, supplements, goals, and trend data to your account so you can come back to them later.
- After your lab report is analyzed, we keep the structured interpretation and extracted values on your account — not the original PDF or image file, which is discarded after processing.
- Everything we store is encrypted at rest in our database and only accessible to you when you sign in.
- You can delete individual records or your entire account at any time from the dashboard, or by emailing us.
- We do not sell your data to third parties, we don't run ads, and we don't use your health data to train AI models.
- Meridix Labs is an educational tool, not a medical service. We are not a HIPAA-covered entity. Don't upload data you wouldn't be comfortable trusting to a consumer health app.
1. Who we are
Meridix Labs ("Meridix," "we," "us") operates the website at meridixlabs.com and the related services that help you understand your medical lab results. The service is operated by an individual founder based in the Republic of Türkiye and is the "data controller" for the personal data described in this policy.
This Privacy Policy explains what information we collect when you use those services, why we collect it, and what your rights are. By using Meridix Labs you accept this Privacy Policy. If you don't agree with it, please don't use the service.
2. What information we collect
2.1 — Account information
You need an account to use most Meridix Labs tools end-to-end. When you sign up we collect:
- Account identifiers from our authentication provider: email address, display name, and sign-in method. Your password is held only by the auth provider — we never see it.
- Profile data you choose to provide: age, sex, weight, height, ethnicity, medications, allergies, conditions, family history, and lifestyle notes. This is optional, but it makes interpretations more accurate.
2.2 — Health inputs and AI outputs you generate
When you use the tools, we save the inputs you provide and the AI-generated outputs to your account so you can return to them, track them over time, and have continuity across tools:
- Lab analyses: the extracted lab values, abnormal flags, AI interpretation, summary, source filename, and date. The original uploaded file (PDF or image) is not retained — it is processed in memory by the AI provider and discarded once the structured interpretation has been generated.
- Diagnosis explainer sessions — the condition you asked about and the AI's explanation.
- Symptom-checker sessions — symptoms you entered and the AI's differential and follow-up suggestions.
- Visit-prep sessions — the notes and questions you generate for upcoming appointments.
- Lab-chat messages — your follow-up conversations with the AI about your reports.
- Supplements, medications, health goals, and interventions you track in your dashboard.
- Trend data derived from your lab analyses over time, so you can see how individual biomarkers have moved.
2.3 — Operational data
- Anonymous usage metrics (which tools were used, completion rates, selected language) — used in aggregate to improve the product. Not tied to your identity.
- Server logs (IP address, request timestamps) collected by our hosting provider for operational and security purposes.
2.4 — What we do NOT collect
- The original PDF or image of your lab report after analysis.
- Your password — authentication is handled by our identity provider, which never shares passwords with us.
- Payment information — we don't currently charge for the service.
- Social media data, contact lists, browsing history, or location data.
3. How we use your information
We use the information we collect for these purposes only:
- Providing the service — running the AI interpretation, showing your saved analyses, powering the chat panel, and producing the outputs you ask for.
- Continuity across sessions — so you can come back to a previous lab analysis, diagnosis explainer, or symptom-checker session without re-entering everything.
- Trend tracking — so we can show how your lab values have moved over time across multiple uploads.
- Personalization within the tools — using your profile (age, sex, medications, conditions) to make AI interpretations more relevant.
- Improving the service — anonymous, aggregate usage metrics help us decide what to build next.
- Communicating with you — transactional emails (account verification, a copy of an interpretation if you request one). We do not send marketing emails without your explicit opt-in.
- Security — detecting abuse and protecting accounts.
We do not sell your data, share it with advertisers, use your health data to train AI models, or hand it to third parties except the operational sub-processors listed below in Section 5.
4. How we store and protect your data
- Where it's stored: Your account data, profile, analyses, sessions, chat messages, supplements, goals, and trend data are stored in our managed Postgres database (Supabase). The website itself is hosted on Vercel.
- Encryption in transit: All traffic between your browser and our servers uses HTTPS/TLS.
- Encryption at rest: Data stored in our database is encrypted at rest by our database provider.
- Access control: Database reads and writes go through server-side API routes with row-level security enabled and deny-by-default policies. Only the signed-in user's own server requests can read or write their records.
- No original-file retention: Raw lab files (PDFs and images) are passed to the AI provider in memory for analysis and are not written to disk on our servers. Only the resulting structured interpretation is saved.
No system is 100% secure. While we apply commercially reasonable safeguards, we can't guarantee absolute security. If we ever discover a breach affecting your data, we will notify you promptly as required by applicable law.
5. Third parties we use to run the service
We rely on a small number of trusted vendors to operate Meridix Labs. They are bound by their own privacy commitments, and we only share with them what they need to do their job:
Anthropic (Claude AI)
Their privacy policy →
Purpose: AI interpretation of your lab reports, diagnosis and symptom sessions, and chat replies.
What we share: Your uploaded file (in memory only, not stored), the chat messages and inputs you send, and the structured patient context you provide. Anthropic processes inputs to return outputs and does not use this data to train its models.
Supabase
Their privacy policy →
Purpose: Managed Postgres database that stores your account, profile, analyses, sessions, chat history, supplements, goals, and trend data — encrypted at rest.
What we share: All the data described in Sections 2.1 and 2.2 above.
Purpose: User authentication and account management.
What we share: Your email, display name, and authentication tokens.
Resend
Their privacy policy →
Purpose: Sending transactional email (e.g., a copy of an interpretation if you request one).
What we share: Your email address and the contents of the email we send you.
Vercel
Their privacy policy →
Purpose: Website hosting and serverless infrastructure that runs Meridix Labs.
What we share: Standard server logs (IP address, request timestamps) for operational and security purposes. Application data is stored in Supabase, not on Vercel.
We may add or change sub-processors over time. When we do, we'll update this list and the "Last updated" date at the top of this policy.
6. Cookies and similar technologies
We use a small number of cookies and local-storage entries, all strictly necessary for the service to work:
- Authentication cookies set by Clerk to keep you signed in.
- localStorage entries set by us to remember UI preferences (e.g., language choice, returning-visitor flag, last-viewed tool). These never leave your browser. Your medical data is stored server-side on your account, not in localStorage.
We do not use third-party advertising cookies, tracking pixels, or cross-site analytics tools. Because everything we set is strictly necessary, we don't show a cookie consent banner — but you can clear cookies and localStorage at any time from your browser settings.
7. How long we keep your data
- Account data and health records: Kept indefinitely while your account is active, so your history and trend data remain available to you. We do not run an inactivity-based deletion sweep — your data stays until you delete it. You can delete individual records or your entire account at any time; once you do, we delete all linked records within 30 days.
- Original lab files: Not retained. Discarded as soon as the AI interpretation has been generated.
- Server logs: Standard operational logs (kept by our hosting provider) are retained for up to 30 days.
- Email records: When you ask us to email you a transactional message, that record may be kept by our email provider for up to 90 days.
8. Your rights and choices
You have the following rights over your data. To exercise any of them, use the dashboard tools described below or email us at contact@meridixlabs.com.
- Access: View all your saved analyses, sessions, and chat history directly in your account dashboard.
- Correction: Edit your profile information from the dashboard at any time.
- Deletion: Delete an individual record from the dashboard, or delete your entire account and all linked data from your account settings. If you can't find what you need, email us at the address above and we will action it within 30 days.
- Portability: Request a copy of your data in a machine-readable format by emailing us.
- Withdraw consent: Stop using the service at any time and delete your account.
- Complain: If you're in the EU/UK and believe we've handled your data improperly, you can lodge a complaint with your local data-protection authority.
If you're in Türkiye: The rights above include your statutory rights under KVKK (Kişisel Verilerin Korunması Kanunu) Article 11 — to learn whether we process your data, to request information about how it's being used, to request correction or deletion, and to object to processing. Requests can be sent to the contact address below. If you're not satisfied with our response, you can lodge a complaint with the Turkish Personal Data Protection Authority (KVKK).
If you're in the EU/UK: The rights above include your statutory GDPR/UK-GDPR rights to access, rectification, erasure, restriction, portability, and objection.
If you're in the U.S.: For users in California (CCPA), Colorado (CPA), Virginia (VCDPA), and other U.S. states with privacy laws, the rights above include your statutory rights to access, delete, and opt out of the "sale" of personal data. We do not sell personal data.
9. Important health-data notes
Meridix Labs is an educational tool, not a medical service. We are not a HIPAA-covered entity, and using Meridix Labs does not establish a doctor-patient relationship. Our AI interpretations are not medical advice, diagnoses, or treatment recommendations. Always consult a qualified physician for decisions about your health.
Because we are not a HIPAA-covered entity, please consider the following before uploading any data:
- Don't upload data you'd be uncomfortable trusting to a consumer health app.
- If you're testing on someone else's lab report (e.g., a family member's), you must have their permission.
- If you're a healthcare provider, do not use Meridix Labs to process Protected Health Information (PHI) covered by HIPAA. Our service is designed for individual personal use.
10. Children's privacy
Meridix Labs is not intended for users under 16. We do not knowingly collect data from children under 16. If you believe a child has provided us with personal data, please email us and we'll delete it promptly.
11. International data transfers
Meridix Labs is operated from the Republic of Türkiye and serves users globally. Because our sub-processors (listed in Section 5) have infrastructure outside Türkiye, your personal data may be transferred to and processed in the United States, the European Union, or other regions.
By using Meridix Labs you consent to your data being processed in those regions, subject to the safeguards described in this policy and our sub-processors' own international-transfer commitments (e.g., Standard Contractual Clauses for EU-origin data, KVKK-compliant transfer mechanisms for Türkiye-origin data). If you do not consent to these transfers, please do not use the Service.
12. Changes to this policy
We may update this Privacy Policy from time to time as the service evolves. When we make a material change, we will update the "Last updated" date at the top of this page and, for significant changes, notify account-holders by email. Your continued use of Meridix Labs after such an update constitutes acceptance of the revised policy.
13. Contact us
Questions, requests, or concerns about your privacy? Email us at contact@meridixlabs.com. We aim to respond to data-related requests within 30 days.
See also our Terms of Service.
This policy is provided in plain English to be readable. It is not legal advice. If you need a binding interpretation of how it applies to a particular situation, please contact us.