L

Privacy Policy

Version 1.0 · Effective Date: March 2026

1. Information We Collect

L-Center collects the following categories of information:

  • Account Information: Name, email address, password (stored as a bcrypt hash — we never store your plaintext password), date of birth, and biological sex
  • Health Data: Biomarker values from lab reports, biological age calculations, and historical trends
  • Nutrition Data: Food photos, meal logs, calorie and macronutrient estimates, and AI-generated food analysis
  • Symptom Reports: Patient-reported symptom scores, severity ratings, and care team communications
  • Wearable Data: Sleep metrics, heart rate variability, steps, resting heart rate, and other data from connected devices (e.g., Oura Ring)
  • Vitality Scores: Composite wellness scores derived from your wearable data, sleep, and activity
  • Lab Report Files: Photos and PDFs you upload for biomarker extraction (processed by AI, then discarded — raw files are not permanently stored)
  • Device Information: Browser type, operating system, and screen size (for compatibility and bug resolution)
  • Usage Data: Pages visited, features used, and session duration (aggregated, not tied to health data)

2. How We Use Your Information

  • Provide the Service: Calculate your biological age, analyze your meals, track your symptoms, generate vitality scores, and deliver your health reports
  • Improve the Service: Fix bugs, optimize performance, and enhance the user experience using aggregated, non-identifiable analytics
  • Communicate With You: Send email notifications, weekly health summaries, verification emails, and support responses
  • Research (Tier 2 only): If you opt in, your de-identified data may be included in research analyses and publications
  • AI Model Improvement (Tier 3 only): If you opt in, your de-identified data may be used to improve L-Center's AI models

We NEVER sell your personal health data. We NEVER share identifiable health data with advertisers, data brokers, employers, or insurers.

3. Tiered Consent Model

L-Center gives you granular control over how your data is used:

Tier 1 — Care (Required)
Your data is used to provide the L-Center service: calculating your biological age, analyzing your meals, tracking your symptoms, and generating your health reports. Without this consent, the service cannot function. Revoking this consent requires account deletion.
Tier 2 — Research (Optional)
Your de-identified data may be included in research analyses and publications. De-identification means your name, email, and other identifying information are removed using HMAC-SHA256 pseudonymization and all 18 HIPAA Safe Harbor identifiers are stripped. No researcher can trace the data back to you. You can revoke this consent at any time — your data will be excluded from future research exports within 30 days.
Tier 3 — AI Improvement (Optional)
Your de-identified data may be used to train and improve L-Center's AI models (food analysis accuracy, health insights relevance, predictive analytics). The same de-identification standards apply. You can revoke at any time.

4. Who We Share With

We share your data only with the following parties, each bound by appropriate agreements:

  • Infrastructure Providers (with BAAs):
    • Vercel — application hosting and serverless compute
    • Cloud database provider — database infrastructure
    • Anthropic — AI processing for food analysis and lab report extraction
    • Sentry — error monitoring and performance tracking
  • Your Care Team (clinical mode only): Your assigned clinician, nutritionist, and scientist can view your health data to support your protocol
  • Research Partners (Tier 2 only): De-identified data only, for approved research studies
  • Law Enforcement: Only with valid legal process (subpoena, court order, or warrant)

We NEVER share your data with: advertisers, data brokers, employers, or insurers — unless you explicitly request us to do so in writing.

5. Data Security

  • Encryption in Transit: All data is transmitted over TLS 1.3
  • Encryption at Rest: AES-256 encryption via our database infrastructure
  • De-Identification: HMAC-SHA256 pseudonymization for all research exports, with all 18 HIPAA Safe Harbor identifiers removed
  • Access Controls: Role-based access control ensures only authorized personnel can access your data
  • Audit Trail: An immutable audit log records every access to clinical data
  • Password Security: Passwords are hashed using bcrypt with a cost factor of 12
  • Security Reviews: Regular security assessments of the platform
  • HIPAA-Compliant Infrastructure: All infrastructure providers operate under Business Associate Agreements

6. Your Rights

You have the following rights regarding your data:

  • Access: View all your data at any time within the app
  • Export: Download all your data (JSON + PDF) at any time via the Settings page
  • Correction: Edit your profile and health data through the app
  • Deletion: Request account deletion, completed within 30 days
  • Revoke Consent: Change your Tier 2 and Tier 3 consent at any time via Settings
  • Accounting of Disclosures: Request a log of who has accessed your data

California Residents (CCPA/CPRA): In addition to the rights above, California residents have the right to:

  • Know what personal information is collected, used, shared, or sold
  • Delete personal information held by businesses and their service providers
  • Opt out of the sale or sharing of personal information (we do not sell your data)
  • Non-discrimination for exercising your CCPA rights
  • Correct inaccurate personal information
  • Limit the use and disclosure of sensitive personal information

To exercise any of these rights, contact us at privacy@l-center.com or use the in-app Settings page.

7. Data Retention

  • Active Accounts: Your data is retained for as long as your account remains active
  • Deleted Accounts: Identifiable data is deleted within 30 days of account closure
  • De-Identified Research Data: If you consented to Tier 2, your de-identified data may be retained indefinitely (it cannot be traced back to you)
  • Audit Trails: Clinical access logs are retained for a minimum of 7 years, as required by healthcare regulatory standards

8. Cookies and Tracking

  • L-Center uses essential cookies only for session management and authentication
  • We do not use advertising cookies or tracking pixels
  • We do not use third-party analytics that track individual health data
  • Basic usage analytics (page views, feature usage) are aggregated and do not contain health information

9. Children

L-Center is not directed to children under 18 years of age. We do not knowingly collect personal information from minors. If we discover that we have inadvertently collected data from a person under 18, we will promptly delete that information.

10. International

L-Center processes and stores data in the United States. If you access L-Center from outside the United States, you consent to the transfer and processing of your data in the United States.

For users in the European Union, we comply with applicable data protection laws. If you have questions about international data transfers, please contact us.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and update the effective date at the top of this page. Your continued use of L-Center after notification constitutes acceptance of the updated policy.

12. Contact

For privacy questions or to exercise your data rights:

L-Center, Inc.
Privacy Inquiries
Email: privacy@l-center.com

← Back to L-Center