Privacy Policy
1. Who We Are
MB Labelis is a private limited company registered in the Republic of Lithuania (company registration number pending). Our registered address is Gedimino pr. 1, LT-01103 Vilnius, Lithuania.
Contact us regarding data protection: support@labelis.app
2. Data We Collect
2.1 Account and Profile Data
- Email address (required for account creation and authentication)
- Display name (optional, set by the user)
- Device identifiers (for push notifications and multi-device support)
2.2 Healthcare Workflow Data
The App is designed for use by healthcare professionals. You may enter and store the following data within the App:
- Patient records: name, date of birth, patient code, tags, and external IDs
- Photos associated with patient records (label photos, clinical photos)
- Scanned barcode and label data (GS1, UDI, QR, 1D barcodes)
- Notes, tags, and metadata attached to records or photos
You are the data controller for any patient data you enter. We act as a data processor on your behalf. You are responsible for ensuring you have the appropriate legal basis to collect and process patient data under applicable healthcare and data protection law.
2.3 Usage and Technical Data
- App version, device type, operating system version
- Sync activity logs and error reports (used solely for troubleshooting)
- Firebase Analytics events (feature usage statistics, anonymized)
- IP address (collected by Firebase infrastructure during requests)
2.4 Subscription and Billing Data
Subscription billing is handled by Paddle (our payment processor). We do not store payment card details. Paddle shares with us your subscription status, plan, and transaction identifiers. See Paddle's Privacy Policy.
3. How We Use Your Data
- Provide the service — authenticate you, sync your data across devices and team members, deliver push notifications
- Support and troubleshooting — diagnose errors and respond to support requests
- Billing — manage subscription state and communicate billing information
- Security — detect abuse, unauthorized access, and protect accounts
- Legal obligations — comply with applicable EU and Lithuanian law
- Service improvement — anonymized, aggregated usage analytics to improve the App
We do not use patient data you enter for any purpose other than providing you with the App's functionality.
4. Legal Basis for Processing
- Contract (Art. 6(1)(b) GDPR) — processing necessary to provide the App to you under our Terms of Service
- Legitimate interests (Art. 6(1)(f) GDPR) — security, fraud prevention, service improvement
- Legal obligation (Art. 6(1)(c) GDPR) — where required by law
- Consent (Art. 6(1)(a) GDPR) — where you have given specific consent (e.g., optional analytics)
5. Data Storage and Security
Your data is stored on Google Firebase infrastructure (Firebase Authentication, Firestore, and Firebase Storage), operated by Google LLC. Firebase data centres used are located in the European Union (Belgium, eur3 region) where applicable.
- Data in transit is encrypted using TLS 1.2+
- Data at rest is encrypted by Firebase (AES-256)
- Access is controlled by Firebase security rules and our Cloud Functions backend
- Local device data is stored in encrypted Hive databases on your device
See Google Firebase Privacy and Security for further detail.
6. Data Sharing
We share data only in the following circumstances:
- Within your team — company administrators and members you invite can access shared patient records according to their assigned roles
- Google Firebase — infrastructure provider; bound by a Data Processing Agreement and EU Standard Contractual Clauses
- Paddle — payment processor; receives only what is necessary for billing
- Legal requirements — if required by Lithuanian or EU law or a valid court order
We do not sell, rent, or trade your personal data to third parties.
7. Data Retention
- Account data is retained while your account is active
- After account deletion, account data is deleted within 30 days, subject to legal retention obligations
- Patient records and photos are deleted when you delete them; company data is deleted when the company account is closed
- Billing records may be retained for up to 7 years as required by Lithuanian accounting law
- Activity logs used for security are retained for up to 12 months
8. Your GDPR Rights
As a data subject under GDPR, you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — request correction of inaccurate data
- Erasure — request deletion of your personal data ("right to be forgotten")
- Restriction — request we limit processing of your data
- Portability — receive your data in a structured, machine-readable format
- Objection — object to processing based on legitimate interests
- Withdraw consent — where processing is based on consent, withdraw it at any time
To exercise any of these rights, contact us at support@labelis.app. We will respond within 30 days. You also have the right to lodge a complaint with the State Data Protection Inspectorate of Lithuania (vdai.lrv.lt).
9. Children's Privacy
The App is intended for use by healthcare professionals aged 18 and over. We do not knowingly collect personal data from persons under 18. If you believe a minor has created an account, contact us and we will delete it promptly.
10. Cookies and Web Analytics
This website does not use advertising cookies or tracking pixels. We may use minimal, session-only cookies for basic website function. No personal data is collected on this website beyond what you voluntarily submit (e.g., contact forms).
11. International Data Transfers
Google Firebase may transfer data to servers outside the EEA. Such transfers are covered by Google's EU Standard Contractual Clauses and adequacy decisions where applicable.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes via the App. The "Last updated" date at the top of this page indicates the most recent revision. Continued use of the App after changes constitutes acceptance of the updated policy.
13. Contact
For any questions about this Privacy Policy or your personal data:
- Email: support@labelis.app
- Post: MB Labelis, Gedimino pr. 1, LT-01103 Vilnius, Lithuania