Privacy policy

We handle health data. Here is exactly how.

Test2Sheet Enterprise processes health-related information on behalf of organizations. This policy explains what we collect, how we use it, and the controls in place to protect it.

Effective May 19, 2026support@test2sheet.com

Who we are and what this policy covers

This privacy policy describes how Young Software Solutions GmbH ("we," "us," or "Test2Sheet Enterprise"), a company incorporated in Switzerland, collects, uses, stores, and protects personal information through the Test2Sheet Enterprise service at enterprise.test2sheet.com.

This policy applies to organization administrators, staff members, and other individuals whose personal data we process as a data controller. For health-related data your organization uploads on behalf of patients, your organization acts as the data controller and we act as a data processor under your instructions.

Information we collect

When you or your organization uses Test2Sheet Enterprise, we may collect the following categories of information:

  • Account and profile data: name, email address, job role, and authentication credentials when a staff account is created.
  • Organization data: organization name, workspace URL, team membership configuration, and billing information where applicable.
  • Usage data: access timestamps, operational log entries, and session metadata generated while using the service. Protected health information is not written into application logs.
  • Patient and health data uploaded by your organization: patient names, dates of birth, patient identifiers, and biomarker results extracted from blood-test PDF reports. This data is processed under your organization's instructions.
  • Support communications: emails, inquiries, or other messages you send to our support address.

How we use information

We use the information we collect to provision and operate your organization's workspace, authenticate staff users, enforce role-based access controls, deliver PDF extraction, biomarker review, and export features, respond to support requests, and meet security and legal obligations.

We do not sell personal data. We do not use patient health data for advertising, product analytics, or model training beyond what is inherent in the AI extraction service described below.

Data sharing and subprocessors

We share data only with service providers necessary to deliver the product. All subprocessors are bound by confidentiality obligations and data processing terms. Current subprocessors include:

  • Supabase, Inc.: database hosting, authentication, and file storage. Patient files and biomarker data are stored on Supabase-managed infrastructure with encryption at rest.
  • Anthropic, OpenAI, and Google: AI model providers used to extract biomarker data from uploaded PDFs. The content of uploaded reports, which may include patient information contained in the PDF, is transmitted to these providers for extraction. We do not transmit unnecessary identifiers beyond what is present in the source file. These providers do not use API data to train their models. API data is retained by these providers for a limited period for abuse detection purposes only.
  • Protonmail AG: email service for support communications and staff invitations.
  • Email delivery provider (to be confirmed): transactional delivery of staff invitations and notifications.
  • We do not share personal data with third parties for their own marketing or analytics purposes.

Data retention

We retain personal data for as long as your organization account is active and as required to provide the service. Upon account closure or a deletion request, we delete or de-identify personal data in accordance with our data lifecycle procedures and applicable legal retention requirements.

Specific retention windows for uploaded PDFs, parsed results, exports, and audit records can be requested by your organization's owner by contacting support@test2sheet.com.

Your rights

Depending on your jurisdiction, you may have the right to access the personal data we hold about you, request correction of inaccurate or incomplete data, request deletion where no legal basis for retention remains, receive a portable copy of your data, and object to or restrict certain processing.

For patient data controlled by your organization, requests should be addressed to your organization in the first instance. To exercise your individual rights as a staff user, contact us at support@test2sheet.com.

International data transfers

Young Software Solutions GmbH is incorporated in Switzerland. Data may be stored and processed by our subprocessors in the European Union, the United States, or other jurisdictions. Where required, we rely on appropriate transfer mechanisms, such as Standard Contractual Clauses, to protect data transferred outside the EEA or Switzerland.

Security

We implement technical and organizational measures to protect personal data against unauthorized access, loss, or disclosure. These include TLS encryption in transit, encryption at rest for all stored data, private organization-scoped file storage, row-level database access controls, and an append-only audit log for all significant health data events.

A detailed description of our security controls is available on our security page at enterprise.test2sheet.com/security.

Changes to this policy

We may update this policy from time to time. Material changes will be communicated by email to the organization owner or via a notice within the service before they take effect. Your organization's continued use of Test2Sheet Enterprise after the effective date constitutes acceptance of the updated policy.

Contact

For questions or requests under this policy, contact Young Software Solutions GmbH at support@test2sheet.com.