Privacy · Toxic Waste Protocol
You upload your raw DNA. We read it, score it, cite it. We destroy the file. Nothing persists in memory, disk, or backup. Only your 2,600 trait scores remain — and the 822,000 peer-reviewed studies that produced them. This is the Toxic Waste Protocol.
Sequencing facilities already classify raw genomic DNA as biohazard-adjacent. They have to — a raw DNA file contains the full sequence of a specific living person. It can’t be shredded and forgotten. It can’t be anonymized away. It can’t be repurposed without re-consent. The industrial handling class is “controlled disposal” — the same chain-of-custody discipline applied to medical waste.
We took the same framing and applied it to software. The file you upload is digital biohazard-adjacent material. We read it exactly once, produce the trait scores and citations you paid for, and destroy the original. The only remaining artifact is the report — a structured data object containing derived scores and study citations, not raw bases.
This is a deliberate inversion of the DTC genomics industry norm. The prevailing pattern is the opposite: keep the raw file forever, add new interpretations quarterly, re-mine the data as new GWAS findings land. That model treats raw DNA as an asset. We treat it as a liability.
The liability framing compounds. Data you can’t destroy, you can’t protect. Every week of retention multiplies exposure to threats you can’t anticipate. Shredding the file at the read boundary collapses that entire surface to zero.
We named the discipline to hold ourselves to it. “Privacy” is a marketing word. “Toxic Waste Protocol” is an operational policy.
The file you upload is processed transiently and discarded after scoring — never stored, logged, or retained. Our pipeline parses your genotype calls in the same process that scores them, then throws the raw data away the moment scoring completes. We keep only the derived trait scores tied to your account — never the raw file, and never your individual genotypes.
Once parsed, genotype data lives in a Python dictionary inside the FastAPI worker process. Nothing gets handed to another service. Nothing gets logged. Nothing gets queued. The scoring engine, the confidence calculator, and the trait-card generator all read from the same in-process dictionary — one handoff, zero network hops.
When scoring finishes, we explicitly destroy the genotype data in memory and force the process to reclaim it. Destruction happens before the HTTP response is even returned. Your trait scores are already written to the database by that point; the raw data has no reason to persist another millisecond.
What we keepYour trait scores, the studies behind them, and a confidence rating for each one. When your scores travel anywhere else — like to the AI coach — they leave without your identity attached. Your report is a summary. Your DNA is gone.
The dominant DTC genomics pattern is permanent retention. Raw files stay on the company’s servers indefinitely. New interpretations ship quarterly against the same retained data. Users are retained as data subjects whether or not they’re retained as customers. When the company is acquired — and most are — the raw files transfer with the acquirer. When a regulator issues a subpoena, the files exist to be subpoenaed. When a breach happens, the files exist to be breached.
We don’t do that. We read, score, cite, destroy. The product is a report, not an account. If we go out of business tomorrow, there’s nothing for an acquirer to inherit beyond the already-delivered reports. If a regulator subpoenas us next week, we can truthfully answer that the raw files were destroyed in the ordinary course of processing.
Three industry practices we specifically reject
Re-analysis services
subscribe to get new findings on your old DNA. This requires permanent retention. We don't offer it.
Data partnership programs
pharma research partnerships that monetize aggregated genomic data. This requires permanent retention plus broad consent. We don't offer it.
Ancestry-network matching
algorithmic matching against a database of stored genomes. This requires permanent retention plus a matching infrastructure. We don't offer it.
Each of those products has a real use case for some users. None of them are compatible with the protocol we chose to hold ourselves to. That was the tradeoff.
Verification anchorsEverything on this page is architectural, not aspirational. Account and data deletion is a single action from your settings — full purge, signed confirmation, 24-hour SLA.
That’s the protocol. It’s not a marketing promise; it’s an engineering choice. If something here is unclear or verifiable differently than you expected, tell us at privacy@exomedna.com — we’ll update the page, or update the code, depending on which was wrong.