Privacy Policy

Last updated: April 19, 2026

Language Notice: This Privacy Policy is provided in English only. The English version is the sole legally binding version. Any translations provided by your browser are for convenience only and do not carry legal weight.

1. Information We Collect

When you use Neijing Lab, we may collect the following categories of information:

  • Account Information: Email address and authentication credentials (managed via Google Firebase Authentication). We do not store passwords directly.
  • Health & Wellness Data: Tongue images you upload, pre-analysis intake form responses (age range, sleep patterns, hydration, caffeine intake), and AI-generated analysis reports.
  • Biometric-Adjacent Data: Tongue photographs, which may be classified as sensitive personal data or biometric data under certain state and international laws (see Section 2).
  • Payment Information: Processed securely and exclusively by Stripe, Inc. We never store, access, or transmit your credit card numbers, CVV, or banking details on our servers.
  • Usage Data: Basic analytics such as pages visited, features used, and session duration to improve the Service.
  • Device Information: Browser type, operating system, and IP address for security and fraud prevention purposes.

2. Biometric & Health Data Notice

Special Notice Regarding Tongue Photographs

Tongue photographs you upload may be classified as "biometric data," "biometric identifiers," or "sensitive personal data" under various state and international privacy laws. Regardless of legal classification, we treat all tongue images with the highest level of data protection.

  • Collection Purpose: Solely for AI-powered educational wellness analysis within the Neijing Lab platform.
  • Storage: Encrypted at rest in Google Firebase Cloud Storage, accessible only by your authenticated account.
  • Retention Schedule: Images are retained for the duration of your active account. Upon account deletion or data deletion request, all images are permanently destroyed within 30 days.
  • No Sale or Disclosure: We do not sell, lease, trade, or otherwise profit from your tongue images or any data derived from them. We do not disclose this data to any third party except as described in Section 10 (Third-Party Services).
  • AI Processing: Your tongue images are sent to Google Gemini AI for analysis. Google's API processes the image to generate the report but does not retain the image after processing, per Google's API data handling policies.

This notice is provided in compliance with the Illinois Biometric Information Privacy Act (740 ILCS 14), Texas CUBI (Tex. Bus. & Com. Code § 503.001), Washington HB 1493, and all applicable comprehensive state privacy laws that classify biometric data as sensitive personal data.

3. How We Use Your Information

  • To provide, maintain, and improve the Neijing Lab educational wellness service.
  • To generate AI-powered tongue analysis reports for educational purposes.
  • To store your analysis history, journal entries, and trend data for your personal reference.
  • To manage your subscription and process payments via Stripe.
  • To communicate important service updates, security notices, and policy changes.
  • To detect and prevent fraud, abuse, and security threats.
  • To comply with legal obligations and respond to lawful requests from authorities.

We do not use your data for advertising, behavioral profiling, or commercial data brokerage.

4. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data under the following legal bases:

  • Consent (Article 6(1)(a)): You provide explicit consent when creating your account, accepting the Terms of Service, and uploading tongue images. You may withdraw consent at any time by deleting your account.
  • Contract Performance (Article 6(1)(b)): Processing is necessary to provide the Service you have subscribed to.
  • Legitimate Interest (Article 6(1)(f)): For fraud prevention, security, and service improvement, where these interests do not override your fundamental rights.
  • Explicit Consent for Special Categories (Article 9(2)(a)): Health-related data and biometric-adjacent data (tongue images) are processed based on your explicit consent.

5. Data Retention & Deletion

  • Active Accounts: Your data is retained for as long as your account is active and you continue to use the Service.
  • Inactive Accounts: Accounts inactive for more than 24 months may be flagged for deletion. You will receive notice before any action is taken.
  • Deletion Requests: You may request complete deletion of your account and all associated data by emailing neijinglab@gmail.com. Deletion will be completed within 30 days.
  • Post-Deletion: Once deleted, your data cannot be recovered. Backup copies in our systems will be purged within 90 days of the deletion date.
  • Legal Retention: We may retain certain data beyond the deletion period if required by law (e.g., financial records for tax compliance).

6. Your Rights by Jurisdiction

California Residents (CCPA/CPRA):

  • Right to know what personal information we collect and how it is used.
  • Right to delete your personal information.
  • Right to opt out of the sale of personal information (we do not sell your data).
  • Right to non-discrimination for exercising your privacy rights.
  • Right to correct inaccurate personal information.

Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Delaware (DPDPA) Residents:

  • Right to access, correct, delete, and obtain a portable copy of your personal data.
  • Right to opt out of processing for targeted advertising (we do not engage in targeted advertising).
  • Right to opt out of the sale of personal data (we do not sell your data).
  • Right to appeal a denial of your rights request.

EU/UK Residents (GDPR):

  • Right to access, rectification, erasure ("right to be forgotten"), restriction of processing, data portability, and objection.
  • Right to withdraw consent at any time without affecting the lawfulness of prior processing.
  • Right to lodge a complaint with your local data protection authority.

Canadian Residents (PIPEDA):

  • Right to access your personal information held by us.
  • Right to request correction of inaccurate information.
  • Right to withdraw consent for data processing.

To exercise any of these rights, contact us at neijinglab@gmail.com. We will respond within 30 days (or 45 days for complex requests, as permitted by law).

7. Do Not Sell My Personal Information

Neijing Lab does not sell, rent, lease, or trade your personal information to any third party for monetary or other valuable consideration. This applies to all users regardless of jurisdiction. This disclosure is made in compliance with the California Consumer Privacy Act (CCPA) and similar state laws.

8. Children's Privacy (COPPA)

Neijing Lab is not directed at children under the age of 13 (or 16 in the EEA/UK). We do not knowingly collect personal information from children under these age thresholds. If we become aware that a child under the applicable minimum age has provided us with personal data, we will take steps to promptly delete such information and terminate the associated account. If you believe a child has provided us with personal data, please contact us at neijinglab@gmail.com.

9. International Data Transfers

Neijing Lab is operated from the United States. If you are accessing the Service from outside the United States (including the EEA, UK, Canada, or any other jurisdiction), your personal data will be transferred to and processed in the United States, where data protection laws may differ from those in your country.

By using the Service and providing your consent, you acknowledge and agree to this transfer. For EU/UK users, we rely on your explicit consent (Article 49(1)(a) GDPR) as the legal mechanism for these transfers.

10. Third-Party Services

We use the following third-party services to operate Neijing Lab:

  • Google Firebase (Google LLC) — Authentication, Firestore database, and Cloud Storage. Data is encrypted in transit and at rest. Firebase Privacy Policy.
  • Google Gemini AI (Google LLC) — For generating tongue analysis reports. Your tongue images are sent to the Gemini API for processing. Per Google's API Terms, data sent via the paid API is not used to train Google's models and is not retained after processing. Gemini API Terms.
  • Stripe, Inc. — For secure payment processing. We never store your payment card details. Stripe Privacy Policy.

We do not share your personal data with any other third parties for marketing, advertising, or data brokerage purposes.

11. Cookies & Tracking

Neijing Lab uses minimal cookies and local storage strictly necessary for the Service to function:

  • Authentication Cookies: Firebase Authentication tokens to keep you logged in.
  • Preference Storage: Local storage for user preferences (e.g., language selection, theme).
  • Stripe Cookies: Session cookies used by Stripe during the checkout process.

We do not use third-party tracking cookies, advertising pixels, or behavioral analytics tools (e.g., no Google Analytics, no Facebook Pixel, no retargeting).

12. Data Security

We implement industry-standard security measures to protect your personal data:

  • Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2+.
  • Encryption at Rest: Data stored in Google Firebase is encrypted at rest using AES-256 encryption.
  • Access Controls: Firestore and Storage security rules restrict data access to authenticated account owners only.
  • Signed URLs: Tongue images are accessed via time-limited signed URLs rather than public links.
  • No Plain-Text Storage: We do not store passwords in plain text. Authentication is managed by Firebase (Google).

While we take reasonable measures to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice within the Service at least 30 days before taking effect. Your continued use of Neijing Lab after the changes take effect constitutes your acceptance of the revised Privacy Policy. We encourage you to review this page periodically.

14. California Privacy Rights (CCPA/CPRA)

Under the California Consumer Privacy Act, California residents have specific rights regarding their personal information. In the past 12 months, we have collected the following categories of personal information:

  • Identifiers: Email address.
  • Biometric Information: Tongue photographs (for educational analysis).
  • Health Information: Self-reported wellness intake data, AI-generated educational reports.
  • Internet Activity: Pages visited, features used within the Service.
  • Commercial Information: Subscription and payment records (via Stripe).

We do not sell personal information. We do not share personal information for cross-context behavioral advertising. To submit a verifiable consumer request, contact neijinglab@gmail.com.

15. Contact & Data Protection Officer

For any questions, concerns, or requests regarding this Privacy Policy or your personal data, contact us at:

Neijing Lab

Email: neijinglab@gmail.com

Subject Line: "Privacy Request — [Your Request Type]"

For GDPR-specific inquiries, you may contact our designated data protection contact at the same email address. EU/UK residents also have the right to lodge a complaint with their local supervisory authority.

16. Data Export Tool

If you are currently logged into Neijing Lab, you can instantly download a complete JSON archive of all your personal data (including analysis logs, intake form responses, and usage history) by clicking the button below. This feature satisfies your right to data portability under GDPR and CCPA.