Privacy Policy

Last updated: March 17, 2026

Overview

MedLab ("we", "us", or "our") operates the MedLab platform — a medical education tool for students and institutions. This Privacy Policy explains what data we collect, how we use it, and the choices you have. By using MedLab, you agree to the practices described here.

We do not sell your personal data. We do not use your data to train AI models without explicit consent. Medical education data is handled with the same care we would expect from any platform we would trust with our own learning.

Information We Collect

Account information. When you sign up, we collect your email address, name, and a password hash. Institutional accounts may include your university affiliation.

Usage data. We record your interactions with cases — answers submitted, time spent, hints requested, and performance scores. This data powers your progress dashboard and, where applicable, the analytics visible to your institution.

Device and log data. Standard server logs: IP address, browser type, device type, pages visited, and timestamps. Used for security, debugging, and aggregate analytics.

Payment information. We use Paddle as our payment processor. We never see or store your full card details — Paddle handles all payment data under their own PCI-DSS compliance.

How We Use Your Information

  • Operate and improve the MedLab platform
  • Personalise your learning experience and track progress
  • Provide educators and institutions with cohort-level analytics
  • Send transactional emails (receipts, password resets, case completions)
  • Respond to support requests
  • Detect fraud, abuse, and security incidents
  • Comply with legal obligations

We do not use your data for advertising, and we do not share it with third parties for marketing purposes.

Institutional Accounts

If you access MedLab through a university or medical school, your institution's administrator may have access to your performance data, including case scores, completion rates, and reasoning analytics. This is disclosed at the point of enrollment.

Institutions are considered joint data controllers for the data their students generate within the platform. Our Data Processing Agreement (DPA) governs this relationship and is available upon request.

Data Retention

We retain your account and usage data for as long as your account is active. If you delete your account, we delete your personal data within 30 days, except where retention is required by law or for fraud prevention.

Anonymised, aggregate performance data (e.g. average score on a case type) may be retained indefinitely for platform improvement.

Cookies

We use a small number of cookies that are strictly necessary for authentication and session management. We do not use advertising cookies or third-party tracking pixels.

  • Session cookie — keeps you logged in
  • CSRF token — protects form submissions from cross-site request forgery
  • Preference cookie — stores settings like billing toggle state

Your Rights

Depending on your location, you may have rights under GDPR, FERPA, CCPA, or similar laws. In all cases, you can:

  • Request a copy of the data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your account and personal data
  • Object to or restrict certain processing
  • Export your data in a portable format

To exercise any of these rights, email us at privacy@getmedlab.com. We will respond within 30 days.

Security

MedLab is built on Supabase infrastructure with encryption at rest and in transit (TLS 1.2+). Access to production data is restricted to core team members on a need-to-know basis. We conduct regular security reviews and respond to reported vulnerabilities promptly.

If you discover a security issue, please disclose it responsibly to security@getmedlab.com.

Children

MedLab is intended for medical students and healthcare professionals. We do not knowingly collect data from anyone under the age of 16. If you believe a minor has created an account, contact us and we will remove it promptly.

Changes to This Policy

We may update this policy as the platform evolves. For material changes, we will notify active users by email at least 14 days before the change takes effect. Continued use after that date constitutes acceptance.

Contact

For privacy questions or to exercise your rights, email privacy@getmedlab.com. We aim to respond within 30 days.