Lab Research Hub
Privacy Policy
Our Core Commitment
The developer of Lab Research Hub has absolutely no access to your data. We do not collect it, we do not store it on our servers, we do not read it, and we never will. Every piece of information you enter — your research entries, logbook records, tasks, schedules, and personal details — lives exclusively within your laboratory's own private server environment. It never leaves your circle.
1. Introduction
Lab Research Hub is an integrated laboratory management system developed for the Hydrochemistry Laboratory, Universiti Teknologi Malaysia. It supports research workflows, team coordination, and academic record-keeping within a closed, authorised group of laboratory members.
This Privacy Policy explains the principles under which the application operates, what data is handled within the system, and the rights of every user.
2. The Closed-Circle Principle
Access to Lab Research Hub is strictly invitation-only. There is no public registration. Every user must receive a unique, single-use invitation code issued by a laboratory administrator. Once used, the code is permanently invalidated.
- No stranger can join your lab. The system is not open to the public.
- No outsider can view your data. All records are accessible only to authenticated members of your specific laboratory.
- No one outside your laboratory circle — including the developer — can see your entries, your members, or your activity.
The application is designed so that the developer has no administrative backdoor, no master password, and no remote access to any laboratory's data. The server is operated and controlled entirely by the laboratory or its institution.
3. What Data Is Stored Within Your Laboratory System
The following data is stored within your laboratory's own server — not on any developer-controlled infrastructure.
3.1 User Profile Data
| Data Field | Purpose |
|---|---|
| Full name and preferred name | Identity display within the lab |
| Email address | Authentication and password recovery |
| Password (bcrypt-hashed only) | Account security — never stored as plain text |
| Profile photograph | Member identification |
| Phone / WhatsApp number | Lab communication |
| Student ID or Staff ID | Institutional identification |
| Lab role (PhD, Postdoc, Advisor…) | Role-based access control |
| ORCiD identifier | Academic profile linkage |
| Scopus author ID | Research publication tracking |
| Research area | Lab profile and directory |
| Semester registered | Applicable to student roles only |
| Last sign-in timestamp | Security and activity monitoring |
| Push notification token | In-app notification delivery |
3.2 Research and Laboratory Activity Records
All records below are created by users, stored within the laboratory's own server, and are never transmitted to the developer.
- Research Logbook: Experiments, results, observations, attachments, advisor comments
- Tasks: Assignees, due dates, priority, tags, completion records
- Lab Schedule: Calendar events, leave requests, approval status
- Meeting Minutes: Attendees, agenda, decisions, action items
- Announcements: Title, content, target audience, pin status
- Inventory: Items, quantities, locations, suppliers
- Lab Instruments: Models, calibration records, booking history
- Milestones & To-Dos: Personal and lab-wide progress tracking
- Publications: Bibliographic data fetched from Scopus
4. What the Developer Does NOT Have Access To
To be unambiguous:
The application code is provided as a deployed system. Once it is running within your laboratory's infrastructure, it operates entirely independently. The developer's role ends at the point of deployment.
5. Optional Cloud Backup Integrations
The application provides an optional feature allowing laboratory administrators to back up lab data to a cloud storage service of their choosing. These integrations — Google Drive, Microsoft OneDrive, and Dropbox — are:
- Configured solely by the laboratory administrator
- Connected using credentials provided and controlled by the laboratory
- Used only to export backup files initiated manually or on a schedule set by the administrator
- Never accessed by the developer
If a backup integration is enabled, data is transferred directly from your laboratory's server to your laboratory's cloud storage account. The developer has no access to that cloud storage account and receives no copy of the backup.
6. Third-Party Services
The following external services may be used depending on configuration:
| Service | Purpose | Who Controls It |
|---|---|---|
| Google OAuth | Optional sign-in with Google | User's own Google account |
| Google Drive | Optional lab data backup | Administrator-configured lab account |
| Microsoft OneDrive | Optional lab data backup | Administrator-configured lab account |
| Dropbox | Optional lab data backup | Administrator-configured lab account |
| Scopus API (Elsevier) | Fetching publication records by Scopus ID | Elsevier's public API |
| Expo Push Notification | Delivering push notifications | Device push token only; no content stored externally |
| SMTP Email Server | Password reset and email verification | Administrator-configured email server |
In all cases, the laboratory administrator controls which integrations are enabled. None of these integrations route data through the developer.
7. Security Architecture
- bcrypt Password Hashing: Plain-text passwords are never stored, logged, or transmitted.
- Secure Session Cookies: HTTP-only cookies that expire automatically on sign-out.
- HTTPS / TLS Encryption: All data transmission between the app and server is encrypted.
- Role-Based Access Control: Each user can only access data appropriate to their assigned role.
- Invitation-Only Registration: Prevents unauthorised access at the point of entry.
- Soft-Delete Synchronisation: Deletions reflected in real time with conflict resolution.
- Closed-Circle Architecture: No public-facing API, no external data pipeline, no developer backdoor.
8. Data Retention
- Active user data is retained for as long as the account exists within the laboratory's system.
- Deleted records are soft-deleted and filtered from all views; permanent purging is at the discretion of the laboratory administrator.
- Session tokens, OTP codes, and password reset tokens expire automatically and are invalidated after use.
- Invite codes are single-use and permanently invalidated after registration.
The laboratory administrator has full control over data retention and may permanently delete any record or user account at any time.
9. Your Rights
As a user, you have the following rights within the system:
- Access: View all your personal data via the Profile & Settings screen at any time.
- Correction: Update your name, phone, student/staff ID, research area, photo, ORCiD, and Scopus ID.
- Deletion: Request deletion of your account and associated data from your laboratory administrator.
- Data Portability: Request a copy of your personal data via the backup feature.
- Notification Control: Manage push notifications through your device's system settings.
10. Children's Privacy
The application is intended for university-level researchers and students. It is not directed at individuals under the age of 18. Administrators are responsible for ensuring that all registered members meet this requirement.
11. Changes to This Policy
This policy may be updated to reflect changes in the application's features or applicable regulations. The effective date at the top of this document will be updated accordingly. Continued use of the application after any update constitutes acceptance of the revised policy.
12. Contact
For privacy-related enquiries or data deletion requests, please contact:
This policy applies to Lab Research Hub v1.0.30 and later versions unless superseded by a newer policy document.
