Join beta waitlist

Legal

Privacy Policy

Effective date: May 2026

What this document covers

This policy explains what data PanelShift.app collects, how it is used, who can access it, and how you can delete it. It is written to be read, not to obscure.

PanelShift is operated as a sole-proprietor product. Questions or requests can be sent to privacy@panelshift.app.

What we collect and why

Account and settings data

We store your email address and, optionally, a display name. Email is required to authenticate your account and send transactional messages (e.g., billing receipts). We do not store your legal name, date of birth, home address, or phone number.

You may optionally enter settings such as biological sex, health intent, age bracket, height, weight, fasting default, draw-time default, and unit preference. These settings are used to personalize product behavior and provide appropriate context in AI analysis. They are not used for advertising or ad targeting.

Lab data

When you upload a lab report, we extract and store the following from each blood draw:

  • Biomarker names, values, units, reference ranges, and flags (H/L/etc.)
  • The lab source (e.g., Quest Diagnostics, LabCorp)
  • The draw month and year you enter at upload — not an exact date

We do not store your raw PDF, the raw text extracted from it, your physician name or NPI, your patient ID or accession number, your insurance information, or any text that could re-identify you as an individual. Before any text from a lab report is processed by an AI model, it passes through Presidio — a PII redaction layer that strips names, dates, identifiers, and addresses.

Context data (optional)

If you enable optional context logging, we store medications, supplements, or other self-entered context you choose to track, including names, amounts, frequencies, and categories you enter manually. This data is entirely voluntary and opt-in. It is used only to contextualize your own lab trends when you associate that context with a blood draw.

Optional de-identified data contribution

If you explicitly opt in, PanelShift creates a separate de-identified contribution snapshot containing resolved marker keys, numeric values, flags, normalized units, relative draw timing, and resolved protocol event keys. This copy is used to improve PanelShift and aggregate statistics. It is not used for advertising.

The contribution excludes your email, Clerk ID, billing data, raw PDFs, raw or redacted lab text, raw marker names, exact draw dates, protocol names, raw compound names, doses, frequencies, routes, notes, analyses, chat, and upload logs. You can revoke this while your account exists. Account deletion deletes the linked contribution by default unless you explicitly choose to keep the de-identified contribution during deletion.

Chat history and memory

If you use the chat feature, we store your chat messages, the assistant's responses, conversation metadata, and the scope you selected (for example, a specific draw or trend view). This lets the product provide conversation history and memory recall. Chat is linked to your account and uses stored, user-scoped structured lab data as context; it does not read raw PDFs or unredacted lab text.

Upload logs

We store a log of each upload attempt, including whether it succeeded, the lab source detected, any extraction warnings, and a content fingerprint used to detect duplicate uploads. Logs are scoped to your account and are used for debugging and product improvement.

Analytics and diagnostics data

We collect product analytics and diagnostic data to understand how PanelShift is used, identify errors, and improve the product. This may include page views, feature usage, clicked UI elements, session metadata, browser and device information, approximate location derived from IP address, error traces, performance metrics, and replay-style session diagnostics when enabled. We do not use this data for advertising or ad targeting.

We do not intentionally send raw PDFs, unredacted lab text, payment details, or sensitive free-text inputs to analytics or diagnostics tools. Session diagnostics are configured to avoid capturing sensitive inputs and to limit collection to product usage and debugging.

Subscription and billing data

Your payment information — including cardholder name or name on card, card number, billing address, payment method details, and payment identifiers — is handled by Stripe. PanelShift does not receive or store your cardholder name, card number, billing address, or payment method details in the app database. We store your subscription tier (Free, Pro, or Advanced), subscription status, Stripe customer/subscription identifiers, and billing period dates provided by Stripe webhooks.

How data flows through the system

PanelShift separates account identity, payments, lab data, analytics, and diagnostics as much as practical. Each service receives only the data needed to perform its role.

  • Clerk — handles authentication. Knows your email and session. Knows nothing about your lab results.
  • Stripe — handles payments. Knows your email, cardholder/billing details, and payment method details needed to process billing. Knows nothing about your lab results.
  • PanelShift database — stores biomarker values, structured draw history, analyses, optional self-entered context data if enabled, chat history, upload logs, and Stripe customer/subscription identifiers needed for billing state. Linked to your account by an internal UUID. Contains no legal name, date of birth, home address, card number, billing address, or payment method details.
  • Analytics and diagnostics tools — receive product usage, session, performance, and error data used to operate and improve the product. They are not used for advertising.

When AI extraction or upload-time analysis runs, Anthropic receives the redacted and structured marker data needed for that request. When chat runs, OpenAI receives the stored, user-scoped structured lab context and the chat messages you provide. Neither provider receives your raw PDF or unredacted lab text.

What we never do

  • Sell your data — to anyone, ever, under any circumstance
  • Use your lab data for advertising or ad targeting
  • Share your lab data with insurers, employers, or government agencies
  • Store your raw PDF or unredacted lab text
  • Infer your identity from your biomarker values
  • Store more personal information than the product requires to function

Third-party services

The following third-party services process data in the course of running PanelShift:

  • Clerk — authentication and session management. Subject to Clerk's Privacy Policy.
  • Stripe — subscription billing, payment processing, payment method details, cardholder/billing details, invoices, refunds, disputes, fraud prevention, and payment-related legal compliance. Subject to Stripe's Privacy Policy.
  • Anthropic — PDF extraction and upload-time AI analysis via the Claude API. Receives redacted, structured marker data for those requests. No raw PDFs or unredacted lab text. Subject to Anthropic's Privacy Policy.
  • OpenAI — paid-tier conversational chat via the OpenAI API. Receives stored, user-scoped structured lab context and the chat messages you submit. Chat requests are configured with model storage disabled. No raw PDFs or unredacted lab text. Subject to OpenAI's Privacy Policy.
  • Railway— cloud infrastructure and managed Postgres database hosting. Data is stored in Railway's infrastructure. Subject to Railway's Privacy Policy.
  • PostHog — product and web analytics, including page views, feature usage, session metadata, and product interaction data. Used for product improvement, not advertising. Subject to PostHog's Privacy Policy.
  • Sentry — error monitoring, performance monitoring, and session diagnostics. Used to find and fix bugs. Subject to Sentry's Privacy Policy.

Data retention

Your account and all associated product data are retained for as long as your account is active. If you delete your account, all stored data — including draws, markers, optional context entries, analyses, chat history, upload logs, and any linked de-identified contribution — is permanently deleted by default. If you had opted in and explicitly choose to keep your de-identified contribution during account deletion, that detached contribution may remain without being linked to your account. Stripe may retain its own payment and billing records, including cardholder/billing details, under its legal obligations; we have no control over that.

Analytics and diagnostics records may be retained by PostHog and Sentry according to their own retention settings and legal obligations. We do not retain backups of deleted user data beyond the infrastructure backup window (typically 7 days on Railway Postgres).

Your rights

You can request a copy of the structured data we hold about you, or request deletion of your account and all associated data, from Settings or by emailing privacy@panelshift.app. We will respond within 30 days.

Account deletion permanently deletes your stored PanelShift product data and any linked de-identified contribution by default. If you previously opted in, you may explicitly choose during deletion to keep a detached de-identified contribution. If you have an active Stripe subscription, deletion attempts to cancel that subscription first. Stripe may still retain payment and billing records under its own legal obligations.

Cookies and tracking

We use session cookies set by Clerk for authentication. We also use analytics and diagnostics technologies from PostHog and Sentry to measure product usage, understand user flows, detect errors, monitor performance, and debug sessions. These tools may set cookies or similar identifiers and may collect session-level data such as page views, clicks, browser and device details, approximate location, and error context.

We do not use advertising cookies, third-party ad pixels, or analytics for ad targeting.

Business transfers

If PanelShift is involved in a merger, acquisition, financing, reorganization, or sale of assets, account data and de-identified contributed data may transfer as part of that transaction, subject to this Privacy Policy. If a materially different use is proposed, we will provide notice and choices where applicable.

Changes to this policy

If we make material changes to how we collect or use data, we will update the effective date above and, for paid subscribers, send an email notification. Continued use of PanelShift after the effective date constitutes acceptance of the updated policy.