Privacy & Security

Your blood work is yours.
We treat it that way.

No legal-template fluff on this page. Just plain English about where your data lives, what we do with it, and how to get rid of it whenever you want.

The short version

  • We never sell your data. Not to advertisers, not to insurers, not to anyone. Full stop.
  • Your lab PDFs and reports are encrypted at rest and in transit.
  • We delete your raw lab upload 30 days after your report is generated. We keep your finished report so you can come back to it.
  • You can ask us to delete everything at any time. One email. No questions asked.
  • We are not a doctor, hospital, or insurer. HIPAA does not apply to us — but the protections below go beyond what most HIPAA paperwork would force.

What we collect

Only what we need to build your report and email it to you:

  • Your email address (so we can send you the magic-link sign-in and your finished report).
  • The lab PDFs or images you upload.
  • The structured biomarker data extracted from those labs, plus the report we generate from it.
  • Standard payment metadata from Stripe (we never see or store your card number — Stripe handles that).

We do not require your name, date of birth, address, phone number, insurance info, or Social Security number. If your uploaded lab PDF contains those details, they sit inside the file — we never extract or index them as separate fields.

Where your data lives

Your lab PDFs and generated reports are stored in encrypted object storage on Cloudflare R2 (AES-256 at rest). All traffic between your browser, our servers, and our storage uses TLS 1.2+ encryption.

Database records (your email, order history, report metadata) live in a managed Postgres database on Render with encryption at rest and restricted network access. Backups are encrypted.

How long we keep it

Raw lab uploads: automatically deleted 30 days after your report is generated. Once we've built your report, we don't need the original file anymore.

Your generated reports: retained as long as your account exists, so you can re-download them or compare them to future panels. You can delete any individual report at any time.

Account metadata (email, order history): retained as long as your account exists. Required to log you in and provide receipts.

Payment records: we retain Stripe transaction IDs and amounts for tax and accounting purposes. We never see your card number.

Who can see your data

Access is limited to the founder and any technical staff with a direct, documented need to debug or improve the service. No third party gets access to your raw labs or your report except the narrow infrastructure providers we need to operate:

  • Cloudflare R2 — encrypted file storage
  • Render — application hosting and database
  • Anthropic — the AI model that helps draft your report. Your data is sent over an encrypted connection and is not used to train their models.
  • Stripe — payment processing
  • Resend — email delivery (sign-in links and finished reports)

We do not sell, rent, trade, or share your data with advertisers, insurers, data brokers, marketers, or anyone else. There is no scenario in our business model where selling your data makes us money. We charge $99 per report. That's the whole business.

How to delete your data

Email privacy@swordfishresearch.org from the email address tied to your account. Tell us what you want deleted:

  • A specific report
  • All your reports and uploads
  • Your entire account, including email and order history

We'll confirm within 7 days and process the deletion. We will keep the bare minimum payment records required for tax and accounting (transaction ID, amount, date — no lab data, no report content).

What we are not

Swordfish Research Group is an educational and informational service. We are not a doctor, hospital, health plan, healthcare clearinghouse, or covered entity under HIPAA. Our reports do not diagnose, treat, cure, or prevent any disease. Every report ends with a printable page of questions to bring to your physician — that's the point.

Because we're not a covered entity, HIPAA's specific paperwork doesn't apply to us. The protections on this page are commitments we make voluntarily because handling someone's blood work deserves more than the legal minimum.

If something goes wrong

If we ever discover that your data has been accessed by someone who shouldn't have it, we'll email you within 72 hours of confirmation, explain what happened, what was accessed, and what we're doing about it. No corporate spin.

Children

Swordfish is built for adults. We do not knowingly accept lab uploads or accounts from anyone under 18. If you believe a minor has created an account, email privacy@swordfishresearch.org and we'll remove it.

Changes to this page

If we change anything that materially affects how we handle your data, we'll email account holders before the change takes effect. The "last updated" date below always reflects the current version.

Questions

Email privacy@swordfishresearch.org or use the contact form. A real human reads every message.

Last updated: May 14, 2026
Swordfish Research Group is operated by Frontier Organics LLC.