Privacy Policy

Information You Provide Directly

• Account information: Email address, name, and password (hashed) when you create an account
• Payment information: Processed entirely by Stripe. We receive transaction confirmations and tier status but never see or store your full credit card number
• Support communications: Emails, messages, or feedback you send us

Information Collected Automatically

• Usage data: Pages visited, features used, and general interaction patterns (anonymized)
• Device information: Browser type, operating system, screen resolution (for compatibility)
• Log data: IP address, access timestamps, and referring URLs

Information We Do NOT Collect

This is our most important privacy feature. All genetic analysis happens entirely within your web browser:

1. File Upload: You select your genetic data file (e.g., from 23andMe or AncestryDNA). The file is read by JavaScript running locally in your browser — it is never uploaded to any server.
2. Parsing: The file is parsed client-side. SNP data is extracted into an in-memory data structure within your browser.
3. Analysis: Your variants are compared against our embedded SNP reference database (bundled with the application JavaScript). Risk scores, carrier status, traits, and pharmacogenomics results are calculated locally.
4. Display: Results are rendered in your browser. If you choose to save a report, only aggregated category scores (e.g., “elevated cardiovascular risk”) may be stored — never individual genotypes.
5. Closure: When you close the browser tab, your genetic data is cleared from memory. We retain nothing.

We use the following third-party services:

We do not use third-party advertising networks, social media trackers, or data brokers. We do not sell, rent, or share your personal information with any third party for their marketing purposes.

• Genetic data: Never stored on our servers. Exists only in your browser memory during active use and is cleared when you close the tab.
• Account data: Retained for as long as your account is active. You may delete your account at any time, and all associated data will be removed within 30 days.
• Saved reports: Aggregated report summaries (if you opt to save them) are retained until you delete them or your account.
• Payment records: Transaction records are retained as required by applicable tax and financial regulations (typically 7 years).
• Server logs: Automatically deleted after 90 days.
• Support communications: Retained for up to 2 years after the last interaction to provide continuity of support.

Depending on your location, you may have the following rights regarding your personal data:

GDPR Rights (EU/EEA Residents)

Under the General Data Protection Regulation, genetic data is classified as “special category” data under Article 9. We process this data based on your explicit consent. You have the right to:

• Access: Request a copy of the personal data we hold about you
• Rectification: Request correction of inaccurate personal data
• Erasure: Request deletion of your personal data (“right to be forgotten”)
• Portability: Receive your data in a structured, machine-readable format
• Restrict processing: Request limitation of data processing
• Object: Object to processing of your personal data
• Withdraw consent: Withdraw consent at any time without affecting the lawfulness of prior processing

CCPA Rights (California Residents)

Under the California Consumer Privacy Act, you have the right to:

• Know what personal information we collect, use, and disclose
• Request deletion of your personal information
• Opt-out of the sale of personal information (we do not sell your data)
• Non-discrimination for exercising your privacy rights

To exercise any of these rights, contact us at henry.m.martinez93@gmail.com. We will respond within 30 days (or sooner as required by applicable law).

We use minimal cookies and browser storage:

We do not use tracking cookies, advertising cookies, or third-party analytics cookies. We do not participate in cross-site tracking or behavioral advertising.

We implement industry-standard security measures to protect your data:

• TLS 1.3 encryption for all data in transit
• AES-256 encryption for data at rest
• Content Security Policy (CSP) headers
• Rate limiting on all API endpoints
• Strict CORS configuration
• Secure session management (httpOnly, secure, sameSite cookies)
• Regular dependency auditing and security assessments
• Input validation and sanitization to prevent XSS and SQL injection

The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal information from children under 18. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at henry.m.martinez93@gmail.com and we will promptly delete such information.

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy on this page and updating the “Last updated” date. For significant changes, we will also send an email notification to registered users.

We encourage you to review this Privacy Policy periodically for any changes. Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.

For privacy-related questions, concerns, or to exercise your data rights:

• Privacy inquiries: henry.m.martinez93@gmail.com
• General support: henry.m.martinez93@gmail.com
• Contact page: genomeinsight.com/contact