Privacy Policy

1) Introduction and Contact Details of the Controller

1.1 We are pleased that you are visiting our website and thank you for your interest. Below, we inform you about how we handle your personal data when using our website. Personal data is all data with which you can be personally identified.

1.2 The controller responsible for data processing on this website within the meaning of the General Data Protection Regulation (GDPR) is Lab1 GmbH, Europa-Allee 42, 60327 Frankfurt am Main, Germany, Tel.: [Phone Number], Email: support@lab1.de. The controller responsible for processing personal data is the natural or legal person who, alone or jointly with others, determines the purposes and means of processing personal data.

1.3 Data Protection Officer:
If you have any questions about data protection, you can contact our Data Protection Officer:
[Name of Data Protection Officer]
Email: datenschutz@lab1.de

2) Data Collection When Visiting Our Website

2.1 When you use our website purely for information purposes, i.e., if you do not register or otherwise provide us with information, we only collect data that your browser transmits to the page server (so-called "server log files"). When you access our website, we collect the following data that is technically necessary for us to display the website to you:

  • The page on our website that was accessed
  • Date and time of access
  • Amount of data sent in bytes
  • Source/reference from which you arrived at the page
  • Browser used
  • Operating system used
  • IP address used (possibly in anonymized form)

Processing is carried out in accordance with Art. 6 Para. 1 lit. f GDPR based on our legitimate interest in improving the stability and functionality of our website. The data is not passed on or used in any other way. However, we reserve the right to subsequently check the server log files if there are concrete indications of illegal use.

2.2 For security reasons and to protect the transmission of personal data and other confidential content (e.g., orders, inquiries, test results), this website uses SSL or TLS encryption. You can recognize an encrypted connection by the character string "https://" and the lock symbol in your browser's address bar.

3) Hosting & Content Delivery Network

3.1 Shopify

We use the system of the following provider for hosting our website and displaying page content: Shopify International Limited, Victoria Buildings, 2nd Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland ("Shopify").

Data is also transferred to: Shopify Inc., 150 Elgin St, Ottawa, ON K2P 1L4, Canada.

All data collected on our website is processed on the provider's servers. We have concluded a data processing agreement with the provider that ensures the protection of our site visitors' data and prohibits unauthorized disclosure to third parties.

For data transfers to Canada, an adequate level of data protection is guaranteed by an adequacy decision of the European Commission.

3.2 Cloudflare

We use a Content Delivery Network from the following provider: Cloudflare Inc., 101 Townsend St., San Francisco, CA 94107, USA.

This service enables us to deliver large media files such as graphics, page content, or scripts faster via a network of regionally distributed servers. Processing is carried out to safeguard our legitimate interest in improving the stability and functionality of our website in accordance with Art. 6 Para. 1 lit. f GDPR. We have concluded a data processing agreement with the provider that ensures the protection of our site visitors' data and prohibits unauthorized disclosure to third parties.

For data transfers to the USA, the provider has joined the EU-US Data Privacy Framework, which ensures compliance with the European level of data protection on the basis of an adequacy decision by the European Commission.

4) Cookies

To make visiting our website attractive and to enable the use of certain functions, we use cookies, i.e., small text files that are stored on your device. Some of these cookies are automatically deleted after closing the browser (so-called "session cookies"), while others remain on your device for longer and enable the storage of page settings (so-called "persistent cookies"). In the latter case, you can see the storage duration in the overview of your web browser's cookie settings.

If personal data is also processed by individual cookies used by us, processing is carried out in accordance with Art. 6 Para. 1 lit. b GDPR either to perform the contract, in accordance with Art. 6 Para. 1 lit. a GDPR in the event of consent being given, or in accordance with Art. 6 Para. 1 lit. f GDPR to safeguard our legitimate interests in the best possible functionality of the website and a customer-friendly and effective design of the page visit.

You can set your browser so that you are informed about the setting of cookies and can decide individually about their acceptance or exclude the acceptance of cookies for certain cases or in general.

Please note that if you do not accept cookies, the functionality of our website may be limited.

5) Contact

When you contact us (e.g., via contact form or email), personal data is processed exclusively for the purpose of processing and responding to your request and only to the extent necessary for this purpose.

The legal basis for processing this data is our legitimate interest in responding to your request in accordance with Art. 6 Para. 1 lit. f GDPR. If your contact aims at a contract, the additional legal basis for processing is Art. 6 Para. 1 lit. b GDPR. Your data will be deleted when it is clear from the circumstances that the matter in question has been conclusively clarified and provided there are no legal retention obligations to the contrary.

6) Data Processing When Opening a Customer Account

In accordance with Art. 6 Para. 1 lit. b GDPR, personal data continues to be collected and processed to the extent necessary if you provide it to us when opening a customer account. You can see which data is required to open an account in the input mask of the corresponding form on our website.

You can delete your customer account at any time by sending a message to the controller's address stated above. After deletion of your customer account, your data will be deleted provided that all contracts concluded via it have been fully processed, there are no legal retention periods to the contrary, and we have no legitimate interest in continuing to store the data.

Special Feature Core Line: If you set up a customer account for using the Core Line, your DNA and blood test results will additionally be stored in your password-protected account and can be accessed by you at any time. You can request deletion of this health data at any time separately (see Section 7).

7) Processing of Special Categories of Personal Data (Health Data) - Core Line

7.1 General Information on Health Data

As part of our Core Line offering, we process special categories of personal data within the meaning of Art. 9 Para. 1 GDPR, namely health data. This includes:

  • DNA test results (genetic data)
  • Blood test results (biomarker values)
  • Product recommendations derived from them
  • Historical data over time (changes in biomarkers)

The processing of this sensitive data is carried out exclusively on the basis of your explicit consent in accordance with Art. 9 Para. 2 lit. a GDPR in conjunction with Art. 7 GDPR.

7.2 Purposes of Processing Health Data

We process your health data exclusively for the following purposes:

  1. Laboratory Analysis: Evaluation of your DNA and blood samples by certified partner laboratories
  2. Algorithmic Product Recommendation: Calculation of personalized supplement formulas based on your genetic variants and biomarker values
  3. Progress Tracking: Tracking biomarker changes over time to adjust product formulas (Formula Rotation)
  4. Customer Service: Answering your questions about your test results
  5. Quality Assurance: Anonymized statistical evaluation to improve our algorithms and product formulas

No Disclosure for Other Purposes: Your health data will NOT be used for advertising purposes, NOT be disclosed to insurance companies, employers, or other third parties, and NOT be used for genetic research, unless you provide separate, voluntary consent for this.

7.3 Legal Basis for Processing

The processing of your health data is based on your explicit consent in accordance with Art. 9 Para. 2 lit. a GDPR in conjunction with Art. 7 GDPR. You provide this consent:

  • When ordering a test kit by checking the corresponding checkbox in the ordering process
  • By signing the consent form included with the test kit
  • By sending the sample to the partner laboratory

Your consent is voluntary. You can withdraw your consent at any time with effect for the future, without affecting the lawfulness of processing based on consent before its withdrawal. Upon withdrawal, your health data will be deleted immediately, provided there are no legal retention obligations.

7.4 Data Recipients (Partner Laboratories)

Your samples and the associated personal data (name, date of birth, sample number) are passed on to the following certified partner laboratories for analysis:

DNA Test:
[Name of DNA Laboratory]
[Address]
[Certification: e.g., ISO 15189, CAP-accredited]

Blood Test:
[Name of Blood Laboratory]
[Address]
[Certification: e.g., ISO 15189]

We have concluded Data Processing Agreements (DPA) in accordance with Art. 28 GDPR with all partner laboratories, which ensure that:

  • The laboratories only process your data on our instructions
  • Strict confidentiality is maintained
  • Appropriate technical and organizational measures are taken to protect your data
  • No disclosure to further third parties takes place
  • Data is deleted or returned after completion of the analysis

7.5 Data Security and Encryption

Your health data is processed with the highest security standards:

  • Transport: Encrypted transmission via SSL/TLS (at least TLS 1.2)
  • Storage: Encrypted database storage (AES-256)
  • Access: Strictly limited access only for authorized employees with two-factor authentication
  • Samples: Pseudonymization through sample numbers (laboratories do not know your name)
  • Separation: Genetic data and identification data are stored separately

7.6 Storage Duration of Health Data

Your health data is stored as follows:

Data Type                  | Storage Duration                                              | Reason
Raw Data (DNA Test)        | Duration of business relationship                             | For product adjustment and customer service
Raw Data (Blood Tests)     | Duration of business relationship + 3 months after last test  | Progress monitoring
Test Result Reports (PDF)  | Duration of business relationship                             | Always accessible for you
Product Recommendations    | Duration of business relationship                             | Documentation of formulas
Anonymized Statistics      | Unlimited                                                     | Quality assurance (no traceability to you)

After termination of the business relationship (account closure or 12 months of inactivity for Core Line), all personalized health data will be deleted, provided there are no legal retention obligations (e.g., commercial law retention of invoices for 10 years).

You can request immediate deletion of your health data at any time (see Section 7.9 - Your Rights).

7.7 No Disclosure to Third Parties

Your health data will NOT be disclosed to:

  • ❌ Insurance companies (health, life, disability insurance)
  • ❌ Employers
  • ❌ Authorities (except in case of legal obligation)
  • ❌ Research institutions (without separate consent)
  • ❌ Advertising partners
  • ❌ Other customers or users

Exceptions (only with separate consent):

  • Voluntary participation in research projects (anonymized or pseudonymized)
  • Disclosure to doctors or naturopaths named by you at your express request

7.8 Special Feature: Medical Second Opinion

If abnormalities occur in your test results that could indicate serious health problems (e.g., extremely high homocysteine value > 20 μmol/L, ferritin < 10 ng/mL), we may point this out and recommend that you consult a doctor. However, we do not transmit any of your data to doctors unless you expressly instruct us to do so.

7.9 Your Rights Regarding Your Health Data

You have the following special rights:

Right of Access (Art. 15 GDPR):
You can request a copy of all your stored health data in machine-readable format (JSON, CSV) at any time.

Right to Rectification (Art. 16 GDPR):
If you believe that your health data is incorrect, you can request correction. Please note: Laboratory test results are objective measured values and cannot be changed retrospectively. If you doubt the accuracy, you can request retesting.

Right to Erasure (Art. 17 GDPR):
You can request the immediate and complete deletion of your health data at any time. This includes:

  • All DNA test results
  • All blood test results
  • All product recommendations derived from them
  • All historical data

Important: After deletion, we can no longer create personalized product recommendations. Current subscriptions may need to be terminated. Anonymized data for quality assurance remains (no traceability to you).

Right to Restriction of Processing (Art. 18 GDPR):
You can request that your health data is temporarily not processed (e.g., while you have the accuracy verified).

Right to Data Portability (Art. 20 GDPR):
You can receive your health data in a structured, commonly used, and machine-readable format and have it transmitted to another provider.

Right to Withdraw Consent (Art. 7 Para. 3 GDPR):
You can withdraw your consent to the processing of your health data at any time. After withdrawal, your data will be deleted (see above).

How to Exercise Your Rights:
Email: datenschutz@lab1.de
Letter: Lab1 GmbH, Data Protection, Europa-Allee 42, 60327 Frankfurt am Main
Via your customer account: Settings → Privacy → Delete Health Data

We respond to inquiries within 30 days (may be extended to 60 days for complex inquiries with justification).

7.10 Right to Lodge a Complaint with the Supervisory Authority

You have the right to lodge a complaint with the competent data protection supervisory authority regarding the processing of your health data:

Hessian Commissioner for Data Protection and Freedom of Information
Gustav-Stresemann-Ring 1
65189 Wiesbaden, Germany
Phone: +49 611 1408 - 0
Email: poststelle@datenschutz.hessen.de
Website: https://datenschutz.hessen.de

8) Use of Customer Data for Direct Marketing

8.1 Registration for Our Email Newsletter

If you register for our email newsletter, we will regularly send you information about our offers. The only mandatory information for sending the newsletter is your email address. Providing additional data is voluntary and will be used to address you personally. For newsletter dispatch, we use the so-called double opt-in procedure, which ensures that you only receive newsletters after you have expressly confirmed your consent to receive newsletters by clicking a verification link sent to the specified email address.

By activating the confirmation link, you give us your consent to use your personal data in accordance with Art. 6 Para. 1 lit. a GDPR. We store the IP address assigned to you by your Internet Service Provider (ISP) as well as the date and time of registration so that possible misuse of your email address can be traced at a later time.

You can unsubscribe from the newsletter at any time via the link provided in the newsletter or by sending a corresponding message to the controller mentioned at the beginning.

Important: Newsletters do NOT contain personalized health information or test results. You can only find these in your password-protected customer account.

8.2 Sending Email Newsletter to Existing Customers

If you have provided us with your email address when purchasing goods or services, we reserve the right to regularly send you offers for similar goods or services from our range by email. For this purpose, we do not need to obtain separate consent from you in accordance with Section 7 Para. 3 UWG. Data processing is based solely on our legitimate interest in personalized direct advertising in accordance with Art. 6 Para. 1 lit. f GDPR.

You are entitled to object to the use of your email address for the aforementioned advertising purpose at any time with effect for the future by sending a message to the controller mentioned at the beginning.

8.3 Klaviyo

Our email newsletters and other promotional email communication are sent via this provider: Klaviyo, Inc., 125 Summer St., Ste 600, Boston, MA 02110, USA.

Based on our legitimate interest in effective and user-friendly email marketing, we pass on your data provided during registration to this provider in accordance with Art. 6 Para. 1 lit. f GDPR.

We have concluded a data processing agreement with the provider that protects the data of our site visitors and prohibits disclosure to third parties.

For data transfers to the USA, the provider has joined the EU-US Data Privacy Framework.

Important: NO health data is transmitted to Klaviyo. Newsletter dispatch only uses general marketing data (name, email, purchase history).

8.4 Test Kit Shipping Notifications (Core Line)

If you subscribe to a Core Line subscription, you will receive automatic email notifications:

  • 5-7 days before shipping a new blood test kit (quarterly)
  • Upon shipping of the test kit (tracking information)
  • Upon receipt of sample at the laboratory (confirmation)
  • Upon availability of test results

These notifications are necessary for contract fulfillment in accordance with Art. 6 Para. 1 lit. b GDPR and cannot be unsubscribed from, as unsubscribing would impair the performance of your contract.

9) Data Processing for Order Fulfillment

9.1 To the extent necessary for contract processing for delivery and payment purposes, the personal data we collect is passed on to the commissioned transport company and the commissioned credit institution in accordance with Art. 6 Para. 1 lit. b GDPR.

Special Feature Test Kits: When ordering Core Line test kits, your contact details (name, date of birth) are additionally passed on to the partner laboratory so that the sample can be correctly assigned. The disclosure is made in accordance with Art. 6 Para. 1 lit. b GDPR (contract fulfillment) and Art. 9 Para. 2 lit. a GDPR (consent for health data).

9.2 Disclosure of Personal Data to Shipping Service Providers

DPD

We use the following transport service provider: DPD Deutschland GmbH, Wailandtstraße 1, 63741 Aschaffenburg, Germany.

We pass on your email address and/or telephone number to the provider in accordance with Art. 6 Para. 1 lit. a GDPR before delivery for the purpose of coordinating a delivery date, provided you have given your express consent for this in the ordering process.

Important: DPD packages with test kits are neutrally packaged without indication of the contents (health data protection).

9.3 Use of Payment Service Providers

PayPal

The following provider's online payment methods are available on this website: PayPal (Europe) S.a.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg.

When selecting a payment method from the provider, your payment data is passed on for payment processing in accordance with Art. 6 Para. 1 lit. b GDPR.

Shopify Payments / Stripe

The following provider's online payment methods are available on this website: Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland.

When selecting a payment method, your payment data is passed on for payment processing in accordance with Art. 6 Para. 1 lit. b GDPR.

Important: NO health data is transmitted to payment service providers. Product descriptions in payment transactions are generic (e.g., "Lab1 Core Line Subscription") without details on test results.

10) Online Marketing

10.1 Google Ads & Meta Pixel

We use online marketing tools (Google Ads, Meta Pixel) to display advertising.

Important: These tools are ONLY used for Essential Line (standard supplements). Core Line customers (with health data) are NOT addressed through retargeting or personalized advertising to protect your health data.

All marketing processing only takes place with your express consent in accordance with Art. 6 Para. 1 lit. a GDPR via our cookie consent tool.

11) Web Analysis Services

11.1 Google Analytics 4

This website uses Google Analytics 4, a web analysis service by Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland.

Important: For Core Line customers, anonymized analyses are carried out. Pages with health data (test results, product recommendations) are excluded from Google Analytics.

Processing only takes place with your consent in accordance with Art. 6 Para. 1 lit. a GDPR via our cookie consent tool.

We have concluded a data processing agreement with Google.

12) Site Functionalities

12.1 Google Maps

This website uses Google Maps by Google Ireland Limited to display our location.

Processing is carried out in accordance with Art. 6 Para. 1 lit. f GDPR based on our legitimate interest.

12.2 Typeform

We use the following provider for online forms and surveys: TYPEFORM SL, Carrer de Can Rabia 3-5, 4th Floor, 08017 Barcelona, Spain.

Important: Health data is NOT collected via Typeform forms. For Core Line consents, we use internal, GDPR-compliant forms.

13) Tools and Miscellaneous

Cookie Consent Tool

This website uses a cookie consent tool to obtain effective user consent for consent-required cookies and cookie-based applications.

The tool sets technically necessary cookies to store your cookie preferences. Processing is carried out in accordance with Art. 6 Para. 1 lit. c and f GDPR.

14) Rights of the Data Subject

14.1 Applicable data protection law grants you the following data subject rights (information and intervention rights) vis-à-vis the controller with regard to the processing of your personal data:

  • Right of Access in accordance with Art. 15 GDPR
  • Right to Rectification in accordance with Art. 16 GDPR
  • Right to Erasure in accordance with Art. 17 GDPR
  • Right to Restriction of Processing in accordance with Art. 18 GDPR
  • Right to Notification in accordance with Art. 19 GDPR
  • Right to Data Portability in accordance with Art. 20 GDPR
  • Right to Withdraw Consent in accordance with Art. 7 Para. 3 GDPR
  • Right to Lodge a Complaint in accordance with Art. 77 GDPR

Special Consideration for Health Data: See detailed rights in Section 7.9.

14.2 RIGHT TO OBJECT

IF WE PROCESS YOUR PERSONAL DATA BASED ON A BALANCE OF INTERESTS DUE TO OUR OVERRIDING LEGITIMATE INTEREST, YOU HAVE THE RIGHT TO OBJECT TO THIS PROCESSING AT ANY TIME WITH EFFECT FOR THE FUTURE FOR REASONS ARISING FROM YOUR PARTICULAR SITUATION.

IF YOU EXERCISE YOUR RIGHT TO OBJECT, WE WILL END THE PROCESSING OF THE DATA CONCERNED.

IF YOUR PERSONAL DATA IS PROCESSED BY US FOR DIRECT MARKETING PURPOSES, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME TO THE PROCESSING OF PERSONAL DATA CONCERNING YOU FOR THE PURPOSE OF SUCH ADVERTISING.

15) Duration of Storage of Personal Data

The duration of storage of personal data is determined by the respective legal basis, the processing purpose and – if applicable – additionally by the respective legal retention period.

Special Storage Periods for Health Data: See detailed table in Section 7.6.

When processing personal data on the basis of express consent in accordance with Art. 6 Para. 1 lit. a GDPR, the data concerned is stored until you withdraw your consent.

If legal retention periods exist (e.g., commercial and tax retention periods of 6-10 years), data is routinely deleted after these periods expire, provided it is no longer required for contract fulfillment.


Contact

Lab1 GmbH
Europa-Allee 42
60327 Frankfurt am Main
Germany

Email: support@lab1.de
Privacy: datenschutz@lab1.de
Phone: [Phone Number]