Privacy Policy
Last updated: February 2026
1. Introduction
Lambent (operated by LAMB Lab, City University of Hong Kong) is committed to protecting the privacy of all users, including therapists, educators, students, and developers. This policy describes how we collect, use, store, and protect personal data.
2. Data We Collect
- Account data: Email address, name (optional), role selection, hashed password.
- Patient data (Therapist SaaS): Pseudonymized patient profiles, session text/audio uploads, assessment scores. No real patient names are stored.
- Education data: Student responses, assignment submissions, class enrollment.
- API usage data: API key metadata (prefix + hash only), endpoint usage logs, request counts.
- Audit logs: Login events, data access, CRUD operations for compliance.
3. Data Anonymization
Patient data is stored under pseudonyms only. File uploads are stored with non-identifiable paths. We implement data minimization: only data necessary for clinical assessment and training is retained. Therapists control consent status per patient.
4. Data Storage and Security
- All data is stored in encrypted PostgreSQL databases.
- Passwords are hashed with bcrypt (cost factor 10).
- API keys are stored as SHA-256 hashes; raw keys are shown only once at creation.
- All API communication uses HTTPS/TLS encryption.
- Role-based access control (RBAC) ensures users can only access data relevant to their role.
5. Access Control
We implement strict RBAC with four roles: Therapist, Educator, Student, and Developer. Each role has access only to its own data. Therapists cannot see other therapists' patients. Educators cannot access clinical data. Cross-role access is blocked at the API level with JWT-based authentication.
6. Data Retention and Deletion
Users can request deletion of their account and associated data by contacting us. Patient data can be deleted by the managing therapist. Audit logs are retained for compliance purposes for a minimum of 2 years.
7. Third-Party Services
We use Vercel (frontend hosting), Railway/Render (backend hosting), and PostgreSQL (database). No patient data is shared with third parties for marketing or analytics purposes.
8. Contact
For privacy inquiries, contact: lamblab@cityu.edu.hk
LAMB Lab, Department of Linguistics and Translation, City University of Hong Kong