Privacy Policy
Last updated April 2026
What we collect
We collect only the information needed to issue a Certificate of Analysis and run the laboratory operations behind it:
- Account information — name, business name, email, phone, billing and shipping address, password (hashed). Created when you sign up at /auth/signup.
- Sample submissions — the panel you ordered, the compound or matrix you submitted, lot / batch identifiers, and any notes you attach. Required for the COA itself.
- Payment metadata — invoice number, amount, status, and the Mercury transaction id that paid it. We do not see or store full card numbers; payment processing is handled by Mercury (Mercury Privacy Policy).
- Shipping data — origin and destination addresses, tracking numbers, label PDFs (mirrored from ShipStation).
- Access logs — IP address and user-agent for security events (logins, terms acceptance, webhook receipts). Retained for audit per 21 CFR Part 11-style data integrity expectations.
What we do with it
- Run the analyses you submitted and issue your COA.
- Operate the customer portal (sample tracking, COA history, invoice access).
- Send transactional email about your specific submission.
- Generate the public COA verification database. Public COAs are searchable by accession number — anyone in the world with the number can read the result. Private COAs require a verification key the customer can choose to share. You select per sample at intake.
- Comply with regulatory obligations (test-record retention, audit trail).
What we do NOT do
- We do not sell your data, sample identity, or test results to third parties.
- We do not use your sample data to train AI models or sell it to AI companies.
- We do not share your private COA results with anyone other than you and the people you explicitly grant access (via verification key).
- We do not run advertising trackers on this site.
Subprocessors
We use a small set of vendors to run the platform. Each receives only the minimum data needed for their function:
- Vercel — application hosting and CDN.
- Supabase — Postgres database, authentication, and file storage. Your account password is hashed by Supabase Auth.
- Mercury — invoice issuance and payment matching.
- ShipStation — UPS Ground label generation and delivery tracking.
- Resend — transactional email (invoices, status updates, COA published).
- Upstash — rate-limit counters (no PII; counts only).
Your rights
- Access — request a copy of every record we hold about you and your samples.
- Correction — fix anything inaccurate in your account profile.
- Deletion — delete your account. Sample records associated with COAs already issued are retained for the regulatory retention window (typically 7 years for analytical records); your personal contact information is anonymized at deletion.
- Opt-out of public COA listing — choose “private” per sample at intake. Existing public COAs can be retracted by emailing us with the accession number.
To exercise any of these, email cs@goldstandardanalytics.com. We respond within 30 days.
California, EU, UK
California residents have additional rights under the CCPA / CPRA; EU and UK residents have rights under GDPR / UK GDPR. The lists above cover the main ones — email us with any request and reference the framework you're acting under.
Changes
When we materially change this policy we'll update the “Last updated” date and, for current customers, send a notice email. The current version always lives at this URL.
Contact
Gold Standard Analytics LLC
5380 W 34th St, Houston, TX 77092
cs@goldstandardanalytics.com