How we handle your data.
LabSync Solutions ("LabSync", "we", "our") provides a hosted Laboratory Information System (the "Service") used by diagnostic laboratories in the Philippines to register patients, manage samples, record test results, and issue reports. Because we process health information, we take the Data Privacy Act of 2012 (Republic Act No. 10173, the "DPA") and its Implementing Rules and Regulations seriously.
This policy explains what information we collect when you use the Service or visit labsyncsolutions.com, why we collect it, and the choices you have. It is written in plain language on purpose — the DPA-compliant short-form statements appear in a short-form summary at the end.
1. Who we are
LabSync Solutions is a sole-proprietor technology company registered in the Philippines. Our registered contact details and Data Protection Officer (DPO) are listed at the end of this policy. When you visit our public website, we are the Personal Information Controller ("PIC") for the data we collect from you directly — for example, your browser metadata or a demo request form.
When your laboratory subscribes to the Service and stores patient records in LabSync, a different relationship applies. See Our role and yours below.
2. Our role and yours
Under the DPA, two parties typically handle personal information: a Personal Information Controller (the party that decides why and how data is processed) and a Personal Information Processor (the party that processes data on the Controller's behalf).
| Scenario | You are | LabSync is |
|---|---|---|
| You visit our marketing site or request a demo | Data subject | PIC |
| Your lab subscribes to the Service and enters patient records | PIC (for your patients) | Processor (PIP) |
| You are a patient whose record was entered by a subscribing lab | Data subject — contact your lab first | Processor (PIP) |
When LabSync acts as Processor, our obligations are set out in the Data Processing Agreement executed with your lab. Patients seeking access, correction or erasure should contact their laboratory directly; we will assist the lab in responding.
3. What we collect
3.1 From subscribing laboratories (our customers)
- Account data: laboratory name, address, contact numbers, admin full name, email, hashed password, role, license numbers for medical technologists or pathologists.
- Billing data: subscription plan, GCash reference numbers, sender name and sender number submitted during verification, payment screenshots, invoice history.
- Configuration data: test catalog entries, branding assets, report signatories, user roles and permissions.
- Usage and diagnostic logs: IP address, user-agent, timestamps, audit trail entries (who did what, when), error traces.
3.2 From patients (on behalf of laboratories)
Your lab inputs patient information into LabSync. This is sensitive personal information under Sec. 3(l) of the DPA because it concerns health. It typically includes:
- Patient identifiers: full name, date of birth, sex, blood group, OSCA/PWD ID when applicable, patient number.
- Contact and demographic data: phone, email, address, emergency contact.
- Clinical data: sample collection records, test orders, numeric and qualitative results, physician notes, approval status.
- Billing data for the patient's visits.
3.3 From visitors and prospects
- Demo request form: lab name, your name, work email, phone, lab size, preferred callback time, free-text message.
- Technical signals: IP address, browser and OS string, referring URL, session cookie.
4. How we use information
- Deliver the Service: authenticating users, running the workflow, rendering reports, keeping an audit log consistent with ISO 15189.
- Support: answering tickets, investigating issues you raise.
- Billing and fraud prevention: verifying GCash payments, detecting abuse, enforcing subscription limits.
- Service improvement: aggregated, de-identified analytics about uptime, error rates, feature usage.
- Security: rate limiting, intrusion detection, backup integrity checks.
- Legal obligations: responding to lawful requests from courts or regulators, retaining billing records per BIR rules.
We do not use patient data for advertising, profiling, automated decision-making, or training third-party AI models.
5. Lawful basis (DPA Sec. 12 and 13)
For ordinary personal information we rely on one or more of: consent, necessity for a contract, legal obligation, protection of vital interests, performance of a function of public authority, or our legitimate interests balanced against your rights (Sec. 12).
For sensitive personal information (including health data), we rely on the narrower grounds in Sec. 13: explicit consent of the data subject (obtained by your laboratory), processing necessary for medical treatment by a licensed medical practitioner, compliance with legal obligations of the PIC, or protection of vital interests when consent cannot be obtained.
6. Who we share with
We share personal information only with the following categories of recipients, each bound by written agreement, confidentiality obligations and technical safeguards:
- Infrastructure sub-processors: hosting, backup, and content delivery vendors. The current list is published in our Data Processing Agreement and updated 30 days before any change.
- Email delivery: transactional email for password resets, report notifications, invoice receipts.
- Payment verification: the information you submit for GCash verification stays with us; we do not transmit it to third parties.
- Law enforcement and regulators: only in response to a subpoena, court order, or formal request that we have a legal obligation to honor. We notify the affected PIC whenever permitted.
- Acquirers: in the event of a merger, acquisition, or asset sale, subject to continuity of this policy or equivalent protections.
We never sell personal information. We never share patient-level data with advertising networks, data brokers, or analytics vendors that profile end users.
7. Retention
| Category | Retention period | Why |
|---|---|---|
| Clinical records (samples, orders, results) | 15 years from last activity | DOH retention guidance for clinical laboratories |
| Billing and invoices | 10 years | BIR and NIRC requirements |
| Authentication logs | 2 years | Security monitoring and incident investigation |
| Audit trail (ISO 15189) | Coterminous with clinical records | Reconstruction of clinical events |
| Demo requests (no sign-up) | 24 months | Sales follow-up then purged |
| Marketing cookies | Session or up to 12 months | See cookies section |
When a subscription ends, we retain your tenant's data for 90 days in a readable export window, then irreversibly delete it along with its backups within one further quarterly cycle, unless a legal hold requires otherwise.
8. Security
A detailed description lives in our Security Overview. In brief: TLS 1.2+ in transit, encrypted storage at rest, role-based access control, append-only audit trail, daily encrypted backups, quarterly restore drills, and annual third-party penetration testing.
9. Your rights (DPA Sec. 16)
As a data subject you have the right to:
- Be informed whether and how your data is processed.
- Access a copy of the data we hold about you.
- Object to processing, including direct marketing.
- Correct inaccurate data and have it promptly rectified.
- Erase or block data unlawfully processed, or withdraw consent.
- Damages for inaccurate, incomplete, unlawfully obtained or unauthorized use of personal data.
- Data portability — receive a machine-readable copy to move elsewhere.
If you are a patient, please route requests through the laboratory that registered you; they hold the authoritative record. If you are a lab admin, email our DPO directly. We respond to verified requests within 15 working days as required by NPC Circular 16-01.
10. Cookies and analytics
We set a single session cookie required for login and CSRF protection. The marketing site uses no third-party analytics, no advertising pixels, and no cross-site tracking. If we ever add privacy-respecting analytics (first-party, aggregated, without individual profiles) we will update this section and notify active users.
11. Children and minors
The Service is not marketed to individuals under 18. Pediatric patients are registered by their attending laboratory under parental or guardian consent; we do not collect data directly from minors.
12. International transfers
Production data is hosted on servers located in the Philippines. Encrypted backups may be mirrored to a secondary region outside the Philippines for disaster-recovery purposes only. Any such transfer occurs under contractual safeguards consistent with NPC Advisory 2017-01 on cross-border processing. Current locations are listed in our Data Processing Agreement.
13. Complaints and the NPC
If you believe your rights under the DPA have been violated, please contact our DPO first; we take complaints seriously and will investigate. If the matter remains unresolved you may file a complaint with the National Privacy Commission:
14. Changes to this policy
We update this policy when our practices change, when new services launch, or when guidance from the NPC evolves. Material changes are announced in-app 30 days before they take effect. The version number and effective date at the top of this page always reflect the current document.
15. How to reach our DPO
Short-form summary
We collect only what we need to run your laboratory's information system. We never sell your data, never use patient records for marketing, and always tell you within 72 hours if something goes wrong. Patients have a right to see, correct, or delete their information — contact the lab that registered you. Complaints escalate to the NPC.