Privacy Policy
Last updated: June 2026
Genetic Data Special Notice (GDPR Article 9)
ExomeDNA processes genetic data, which is classified as "special category data" under GDPR Article 9. This data receives enhanced protection.
- Legal Basis: Your explicit consent (provided during account creation and DNA upload).
- Data Handling: Raw DNA files are processed transiently and discarded after scoring — never stored, logged, or retained.
- Your Rights: You may request immediate deletion of all data at any time via Settings > Privacy.
- Educational Use Only: ExomeDNA is NOT a medical device and is NOT FDA-cleared.
ExomeDNA Genetic Data & AI Processing Privacy Addendum
Effective Date: June 2026. This addendum supplements the General Privacy Policy below.
1. What we collect
1.1 Account data
- Email address, name (provided at registration).
- Authentication credentials (managed by Supabase; passwords are hashed, never stored in plaintext).
- Account preferences and settings.
1.2 Genetic data (temporary)
- The raw genetic data file you upload (e.g., from 23andMe or AncestryDNA).
- This file is processed transiently and discarded after scoring — never stored, logged, or retained.
- It is never saved to a database or transmitted to any third party.
- This process cannot be reversed: once the raw file is destroyed, we cannot recover it.
1.3 Derived trait results (retained)
- Polygenic risk scores and percentile rankings.
- Trait categories and confidence ratings.
- Pre-generated educational summaries.
- Display preferences (sentiment colors, lever direction, headline text).
1.4 What is NOT retained
- Gene names (e.g., BRCA1, APOE).
- rsID identifiers (e.g., rs12345).
- Genotype values (specific DNA letter sequences).
- Any data that could be used to reconstruct your original genetic file.
This separation between temporary processing data and retained results is enforced at the application architecture level and is fundamental to our privacy design.
2. How we use your data
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Generate your trait report | Raw DNA file (temporary), GWAS reference data | Your explicit consent (Service Consent) |
| Display your results | Derived trait scores, categories | Service operation under accepted Terms of Service |
| AI Health Coach responses | Trait names, scores, confidence, summaries | Your explicit, separate consent (AI Processing Consent) |
| Product updates (if you opt in) | Email address only | Your explicit consent (Marketing Consent) |
| Service operation and security | Browser fingerprint (hashed timestamp and user agent — not your IP address), usage logs | Service operation under accepted Terms of Service |
3. AI Health Coach — data handling
3.1 AI provider
ExomeDNA uses Anthropic, PBC (San Francisco, California, USA), operating the Claude language model, as its AI provider for the AI Health Coach feature.
3.2 What is sent to Anthropic
When you use the AI Health Coach, the following trait-level data is transmitted to Anthropic:
- Trait names (e.g., "Caffeine Metabolism").
- Polygenic risk scores and percentile rankings.
- Confidence ratings.
- Risk direction descriptions.
- Pre-generated trait summaries.
3.3 What is NEVER sent to Anthropic
The following categories of data are never transmitted to Anthropic or any other external AI service. This restriction is enforced at the application architecture level and cannot be overridden.
- Raw genetic data or DNA file contents.
- Gene names or gene symbols.
- rsID identifiers.
- Genotype values (DNA letter sequences).
- Your name, email address, or any personally identifying information.
3.4 How AI request data is handled
The AI Health Coach is powered by Anthropic's Claude API under Anthropic's standard commercial terms. Under those terms:
- Anthropic does not use ExomeDNA request data to train or fine-tune its models.
- Request and response data may be retained by Anthropic for a limited period (up to 30 days) for trust-and-safety and abuse monitoring, after which it is deleted. ExomeDNA does not keep its own copy of these AI requests.
- Your raw DNA, genotype values, gene names, and rsID identifiers are never sent to Anthropic. Only derived trait scores and category names leave our servers — the AI never receives identifying genetic data. This two-layer separation, not a retention promise, is what protects your genetic information.
3.5 Separate consent required
Use of the AI Health Coach requires a separate, standalone consent authorization, provided through a dedicated consent screen in compliance with the Illinois Genetic Information Privacy Act (410 ILCS 513). This consent is distinct from and in addition to the general Terms of Service and Privacy Policy.
3.6 AI Health Coach memory
To provide continuity between conversations, the AI Health Coach maintains a short written summary ("Gene's notes") about you — for example, goals you mention, lifestyle factors you raise, and topics you have explored. These notes are generated by the AI from your conversations and are subject to the same two-layer restriction as everything else the AI processes: they contain only trait-level context and never gene names, rsID identifiers, genotype values, or other identifying genetic data. The notes are stored in your account in our U.S. database, are never shared with third parties, and you can view, edit, or permanently delete them at any time from Settings. They are deleted when you delete your account.
4. Data storage and security
4.1 Infrastructure
- Database: Supabase (PostgreSQL), hosted in the United States.
- Frontend: Vercel, hosted in the United States.
- Backend: Render, hosted in the United States.
- AI Processing: Anthropic, processing in the United States.
ExomeDNA uses U.S.-based infrastructure providers for all core service operations.
4.2 Security measures
- Row-Level Security (RLS) on all user-facing database tables.
- JWT authentication with 30-minute token expiry.
- TLS encryption for all data in transit.
- Encryption at rest for database storage.
- Service role separation (user queries vs. admin operations).
4.3 Raw DNA file handling
Your raw DNA file is processed transiently and discarded after scoring — never stored, logged, or retained. It is never:
- Stored in any database table.
- Logged in application logs.
- Transmitted to any third party.
- Retained after processing completes.
5. Data sharing
ExomeDNA does not sell, license, or rent your genetic data or derived trait results to any third party.
We share data only in the following limited circumstances:
| Recipient | What Is Shared | Purpose | Your Control |
|---|---|---|---|
| Anthropic (AI provider) | Trait-level scores and summaries only | AI Health Coach responses | Requires separate consent; revocable |
| Stripe (payment processor) | Payment information only | Process purchases | Required for paid tiers |
| Supabase (infrastructure) | Account and results data | Database hosting | Required for service operation |
No recipient receives raw genetic data, gene names, rsIDs, or genotype values.
6. Your rights
The following rights are provided in compliance with applicable U.S. privacy laws. ExomeDNA currently serves U.S. residents. References to data access, deletion, and portability rights are provided in accordance with CCPA, Texas HB 2545, and as a matter of best practice — they do not constitute a representation that ExomeDNA is subject to GDPR or other non-U.S. regulatory jurisdiction.
6.1 Access: You may export all your data at any time from Settings > Privacy, or by contacting support@exomedna.com.
6.2 Deletion: You may request deletion of all data from Settings > Privacy or by contacting support@exomedna.com. Deletion is permanent and irreversible. Deletion of derived results is typically immediate. Consent audit records are retained for compliance purposes as described in Section 7.
6.3 Consent Withdrawal: You may revoke any optional consent (AI Processing, Marketing) at any time from Settings > Privacy. Revoking AI Processing consent immediately disables the AI Health Coach. Revoking Service consent requires account deletion.
6.4 Data Portability: You may download your trait results in JSON format from Settings > Privacy or by contacting support@exomedna.com.
6.5 Non-Discrimination: We do not discriminate against you for exercising any of these rights (CCPA § 1798.125).
6.6 Insurance Disclosure: The federal Genetic Information Nondiscrimination Act (GINA) generally protects against genetic discrimination in health insurance and employment. However, GINA does not cover life insurance, disability insurance, or long-term care insurance. You should consider this before uploading genetic data or sharing your results.
7. Data retention
| Data Type | Retention Period | Deletion Method |
|---|---|---|
| Raw DNA file | Duration of processing only (minutes) | Destroyed in memory immediately after analysis |
| Derived trait results | Until you request deletion or delete your account | Permanent deletion via Settings > Privacy |
| Consent records | Retained for a limited period after account deletion where reasonably necessary to demonstrate compliance, resolve disputes, or satisfy applicable legal obligations | Per Texas HB 2545 and FTC HBNR recordkeeping requirements |
| Payment records | As required by financial regulations | Managed by Stripe per their retention policy |
8. Children's privacy
ExomeDNA is intended for adults 18 and older and is not for anyone under 18. ExomeDNA is not directed to children. We do not knowingly collect personal information or genetic data from anyone under 18, and in particular do not knowingly collect personal information from children under 13 (consistent with the Children's Online Privacy Protection Act). We do not knowingly permit genetic data files belonging to individuals under 18 to be uploaded or processed.
If you are a parent or guardian and believe ExomeDNA may have collected information relating to a child under 13, contact us at support@exomedna.com with the subject “COPPA — Child Data Deletion Request.” If we become aware that we have processed genetic data from anyone under 18, we will delete all associated data without undue delay.
9. International transfers
ExomeDNA currently serves U.S. residents and uses U.S.-based infrastructure providers for all core service operations including data processing, storage, and AI interactions. We do not intentionally transfer genetic data or derived results outside the United States.
10. Changes to this policy
Material changes will be communicated via email at least 30 days before taking effect. For material changes to how ExomeDNA processes genetic data or shares data with third parties, we will request your renewed consent before the change takes effect. For other material changes, your continued use of ExomeDNA after the effective date constitutes acceptance.
11. Contact
For privacy-related inquiries, data access requests, or to exercise any of your rights:
Email: support@exomedna.com
Mailing address: 5900 Balcones Dr, Suite 100, Austin, TX 78731