Privacy Policy
Last updated: April 2026
1. Introduction
[Company Name] ("we", "us", "our") operates a genomic analysis platform that helps you understand your DNA. We take your privacy seriously — especially when it comes to genetic data, which is among the most personal information that exists.
This policy explains what data we collect, why we collect it, how we protect it, and what rights you have. It applies to all users of our website and services.
We process personal data in compliance with the General Data Protection Regulation (EU 2016/679, "GDPR") and applicable national data protection laws. Our legal basis for processing genetic data is your explicit consent, as required by GDPR Article 9(2)(a).
2. What data we collect
Genetic data
When you upload a raw DNA file (from 23andMe, AncestryDNA, or similar services), we receive your genotype data. This includes variant calls (SNPs) and associated metadata. We only process this data after you give explicit consent on our consent page.Your data, your consent.
Account data
- Email address
- Hashed password (we never store plaintext passwords)
- Name (if provided)
- Consent records and timestamps
Usage data
We collect minimal usage data to keep the platform running reliably: page visits, feature usage, and error logs. We do not use third-party analytics or tracking pixels. No data is shared with advertisers.
3. How we process genetic data
Genetic data is classified as a "special category" of personal data under GDPR Article 9. We only process it with your explicit, informed consent, which you provide separately on our dedicated consent page before any analysis begins.
We process your genetic data for the following purposes:
- Generating your personalized genomic report (health traits, carrier status, wellness insights)
- Providing AI-powered interpretation of your genetic variants
- Notifying you of new research relevant to your profile (only if you opt in)
We do not use your genetic data for insurance underwriting, employment decisions, advertising, or any purpose beyond what you have consented to. We do not sell your data to third parties. Ever.
4. Data storage & security
Your data is stored and processed exclusively within the European Union. We have implemented the following security measures:
- Encryption at rest and in transit — all genetic files and personal data are encrypted using AES-256. All connections use TLS 1.3.
- EU-based infrastructure — your data is stored in Supabase's Frankfurt (Germany) region. Compute processing runs on Scaleway GPU servers located in France.
- HDS certification — our compute provider (Scaleway) holds the French Hébergeur de Données de Santé (HDS) certification, the highest standard for hosting health data in France.
- Access controls — genetic data access is restricted to automated processing pipelines. No human reviews your raw genetic file.
5. Third-party processors
We use a limited number of sub-processors to operate the platform. Each has been selected for their security practices and GDPR compliance.
Supabase (database & authentication)
Stores your account data, consent records, and encrypted genetic files. Hosted in the EU (Frankfurt). Supabase is GDPR compliant and offers a Data Processing Agreement (DPA).
Scaleway (GPU compute)
Runs our genomic analysis pipelines. Located in France, HDS-certified. Your genetic data is processed on these servers and is not persisted beyond the analysis session.
OpenRouter (LLM interpretation)
We send anonymized variant data to generate natural-language interpretations of your results. Only specific genetic variants are sent — never your full file, name, or email. OpenRouter does not store the data we send for processing.
We do not share your data with any other third party. If we ever add a new sub-processor, we will update this policy and notify you.
6. Your rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access — request a copy of all personal data we hold about you.
- Right to rectification — correct inaccurate personal data.
- Right to erasure — request deletion of your data. You can delete your genetic files and account at any time from your account settings.
- Right to data portability — receive your data in a structured, machine-readable format.
- Right to withdraw consent — you can withdraw your genetic data consent at any time. This does not affect the lawfulness of processing carried out before withdrawal.
- Right to lodge a complaint — you can contact your local data protection authority (in France: the CNIL).
To exercise any of these rights, contact us at privacy@[domain].com or use the self-service options in your account settings. We will respond within 30 days.
7. Data retention
| Data type | Retained until |
|---|---|
| Genetic files & reports | You request deletion (via /account) |
| Account data | You delete your account |
| Consent records | 5 years after last action (legal obligation) |
| Audit logs | 5 years (regulatory compliance) |
When you delete your data, it is permanently removed from our systems within 30 days. Backup copies are purged within 90 days. Consent records and audit logs are retained longer to meet legal obligations.
9. Children
Our service is not intended for anyone under the age of 18. We do not knowingly collect personal data from minors. If you believe a child has provided us with data, please contact us immediately and we will delete it.
10. Changes to this policy
We may update this policy from time to time. When we make significant changes — especially to how we handle genetic data — we will notify you by email and display a notice on the platform. The "last updated" date at the top of this page always reflects the most recent version.
11. Contact
If you have any questions about this privacy policy or how we handle your data, reach out to us:
We aim to respond to all privacy-related inquiries within 30 days.