Last Updated: March 1, 2026
Privacy Policy
Privacy Highlights
Before reading the full policy, here are our core commitments:
- Your data belongs to you. We process it only to deliver and improve the SoDNAscan service.
- We will never sell your genetic data to insurance companies, employers, or data brokers.
- We will never voluntarily share your genetic data with relevant authorities without a legally valid court order.
- You can delete your account and all associated data at any time from your account settings.
- We use no third-party analytics or tracking cookies. Our self-hosted, cookie-free analytics collects no personal data. The only cookies on SoDNAscan are strictly necessary for authentication.
1. Who We Are
- Data Controller: Samuel Virag
- Contact Email: info@sodnascan.com
- Data Protection Contact: privacy@sodnascan.com
For the purposes of the EU General Data Protection Regulation (GDPR), Samuel Virag is the data controller responsible for your personal data.
2. Scope
This Privacy Policy applies to the SoDNAscan website at sodnascan.com and the SoDNAscan web application (collectively, the "Service"). It describes how we collect, use, share, and protect your personal data.
This policy should be read together with our:
- Terms of Service
- Data Use Policy
- Consumer Health Data Privacy Policy (required under Washington law)
- Data Protection Impact Assessment
- Cookie Policy
- Medical & Wellness Disclaimer
3. Data We Collect
We collect the following categories of data:
3.1 Account Data
- Email address — required for account creation and authentication
- Name — display name you provide
- Password — hashed; we never store or access your plaintext password
3.2 Demographic Data
- Age, sex, height, weight — provided optionally to personalize your Health Book
- Ethnicity — provided optionally; used to contextualize population-specific genetic variant frequencies
3.3 Genetic Data
- Raw genetic files — the genotype export file you upload, stored as uploaded
- Parsed genotypes — individual SNP data (rsid, chromosome, position, alleles) extracted from your uploaded file
- Matched variants — your genotypes matched against our panel of health-relevant genetic variants
3.4 Blood Work Data
- Lab test results — biomarker names, values, units, reference ranges, and status flags (normal/high/low/critical)
- Lab metadata — lab name and test date
- Blood work files — uploaded PDF lab reports or pasted text
3.5 Wearable Health Data
- Wearable device exports — uploaded from Apple Health, Oura, Fitbit, Whoop, or generic CSV formats
- Parsed health metrics — heart rate, resting heart rate, HRV, SpO2, respiratory rate, active calories, exercise minutes, steps, sleep duration and stages (core/deep/REM), sleep score, VO2 max, body mass, BMI, readiness score, recovery score, and strain
3.6 Self-Reported Health Information
- Current health status — free-text description you provide
- Health history — free-text past medical history
- Family history — free-text family medical history (e.g., "father had heart disease")
- Current supplements — free-text list
- Health goals — free-text description of what you want to learn
- Lifestyle notes and preferences — free-text descriptions
3.7 Payment Data
- Stripe checkout session ID and payment intent ID — references to your Stripe transaction
- Purchase amount and currency — stored for order records
- Your email — shared with Stripe to create the checkout session
We do not store credit card numbers, bank account details, or other financial credentials. All payment processing is handled entirely by Stripe, which is PCI DSS Level 1 certified. Please refer to Stripe's Privacy Policy for further information.
3.8 Waitlist Data
- Email address — collected via the landing page waitlist signup
- Name — optional, if provided
3.9 Technical Data
- Authentication tokens — session tokens
- Server logs — standard HTTP request logs (IP address, user agent, timestamps)
4. Legal Basis for Processing (GDPR)
Under the GDPR, we must have a legal basis for each type of processing. The table below maps each data category and purpose to its specific legal ground.
| Data Category | Purpose | Legal Basis |
|---|---|---|
| Account data (email, name, password) | Account creation and authentication | Art. 6(1)(b) — Performance of contract |
| Account data (email) | Service communications | Art. 6(1)(b) — Performance of contract |
| Demographic data | Personalizing Health Book content | Art. 6(1)(b) — Performance of contract |
| Genetic data | AI-powered analysis and Health Book generation | Art. 9(2)(a) — Explicit consent |
| Blood work data | AI-powered analysis and Health Book generation | Art. 9(2)(a) — Explicit consent |
| Wearable health data | AI-powered analysis and Health Book generation | Art. 9(2)(a) — Explicit consent |
| Self-reported health information | AI-powered analysis and Health Book generation | Art. 9(2)(a) — Explicit consent |
| Payment data | Processing purchases | Art. 6(1)(b) — Performance of contract |
| Waitlist data | Pre-launch communication | Art. 6(1)(a) — Consent |
| Technical data (server logs) | Security, fraud prevention, abuse detection | Art. 6(1)(f) — Legitimate interest |
| All data categories | Compliance with legal obligations | Art. 6(1)(c) — Legal obligation |
5. How We Use Your Data
5.1 Service Delivery
- Creating and maintaining your account
- Parsing and storing your uploaded genetic files, blood work, and wearable data
- Generating your personalized Health Book using AI-powered analysis (see Data Use Policy)
- Delivering your Health Book as a downloadable PDF
5.2 Service Operation
- Authenticating your identity
- Monitoring system health and performance
- Detecting and preventing security threats
5.3 Communication
- Sending service-related notifications (e.g., your Health Book is ready)
- Responding to support requests
We do not use your data for:
- Advertising or marketing profiling
- Selling or renting to third parties
6. Third-Party Data Processors
We share your data with the following third-party processors. Each is bound by a Data Processing Agreement (DPA) or equivalent contractual protections.
6.1 Anthropic
- Role: Data processor for AI-powered health analysis
- Data shared: Your full health profile (name, age, sex, height, weight, ethnicity, health status, health history, family history, supplements, goals, preferences), all matched genetic variant data with genotypes, all confirmed blood biomarker values, and all wearable health metrics
- Purpose: Generating analytical reports and Health Book chapters
- Data retention: Anthropic retains API inputs and outputs for 7 days by default, then deletes them
- Training: Anthropic does not use API data to train AI models — this is guaranteed in their commercial terms
- Safety systems: Anthropic's automated safety classifiers may process data to detect policy violations; classifier results may be retained separately from your data
- DPA: Anthropic's Data Processing Addendum is automatically incorporated into their commercial API terms (no separate signing required) and includes Standard Contractual Clauses (SCCs) for EU-to-US data transfers under GDPR Article 46(2)(c)
- Infrastructure sub-processors: Anthropic operates on Amazon Web Services (AWS) and Google Cloud Platform (GCP) infrastructure
- Location: United States
- More information: Anthropic Privacy Policy
6.2 Supabase — Database and Storage
- Role: Data processor for data storage, file storage, and authentication
- Data shared: All data listed in Section 3 (stored in Supabase-hosted PostgreSQL database and file storage)
- Purpose: Persistent storage of your account, health data, uploaded files, and generated Health Books
- Data residency: Our Supabase project is deployed in the EU West (Frankfurt) region. Deployment in an EU region (Frankfurt, Ireland, or London) eliminates cross-border transfer for stored data
- DPA: Supabase's DPA requires separate signing via PandaDoc and includes SCCs plus the UK ICO International Data Transfer Addendum
- Backup retention: Supabase maintains automated database backups. After you delete your account, backup copies may persist for up to the backup retention window (typically 7 days for Pro plan) and are used exclusively for disaster recovery
- More information: Supabase Privacy Policy
6.3 Stripe — Payment Processing
- Role: Data processor for payment transactions
- Data shared: Your email address, internal user ID, product type, and purchase amount
- Purpose: Processing one-time Health Book purchases
- Data retention: Per Stripe's data retention policies
- PCI compliance: Stripe is PCI DSS Level 1 certified. We never receive or store your card details
- More information: Stripe Privacy Policy
Sub-Processor Chain
When you use SoDNAscan, your data flows through a three-layer processing chain:
- SoDNAscan (data controller) — collects and manages your data
- Anthropic / Supabase / Stripe (data processors) — process your data on our behalf under DPA terms
- AWS / GCP (infrastructure sub-processors) — provide the cloud infrastructure on which our processors operate
Under GDPR, we remain fully liable for the data protection obligations of our processors and sub-processors. The responsibility does not transfer down the chain.
7. International Data Transfers
7.1 EU-to-US Transfers
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, some of your data is transferred to the United States for processing:
- Anthropic: Transfer is governed by Standard Contractual Clauses (SCCs) included in Anthropic's DPA, supplemented by technical measures (encryption in transit via TLS 1.2+, 7-day retention limit).
- Stripe: Transfer is governed by SCCs in Stripe's DPA.
- Supabase: If deployed in an EU region, your stored data does not leave the EU. If deployed in a US region, transfer is governed by SCCs in Supabase's DPA plus the UK ICO International Data Transfer Addendum.
7.2 Transfer Impact Assessment
Given that genetic data is special category data under GDPR, we have conducted a Transfer Impact Assessment (TIA) evaluating the legal framework of each recipient country, supplementary measures in place, and the nature of the data transferred. The TIA is available upon request by contacting privacy@sodnascan.com.
8. Data Retention
| Data Category | Retention Period |
|---|---|
| Account data | Until you delete your account |
| Genetic data (raw files and parsed genotypes) | Until you delete your account |
| Blood work data | Until you delete your account |
| Wearable health data | Until you delete your account |
| Self-reported health information | Until you delete your account |
| Generated Health Books | Until you delete your account |
| Payment records | 7 years after transaction (legal/tax obligation) |
| Server logs | 90 days |
| Waitlist data | Until service launch or you request removal |
| Anthropic API data | 7 days (managed by Anthropic, then deleted) |
| Supabase database backups | Up to the backup retention window after deletion (typically 7 days), used only for disaster recovery |
When you delete your account, we cascade deletion across all data types in the following order: wearable metrics, wearable uploads, blood biomarkers, blood work uploads, generated books and chapters, analysis reports, processing jobs, purchases, SNP genotypes, genetic file uploads, and finally your user record. We also request deletion from our processors (Anthropic data expires after 7 days; Supabase and Stripe are notified of deletion).
Backup transparency: In accordance with applicable law, after you request deletion, automated backup copies in our infrastructure may persist for the backup retention window. These backups are encrypted, access-restricted, and used exclusively for disaster recovery — not for any other purpose.
9. Your Rights
9.1 Rights Under GDPR (EEA, UK, Switzerland)
If you are located in the EEA, UK, or Switzerland, you have the following rights:
- Access — request a copy of all personal data we hold about you
- Rectification — request correction of inaccurate data
- Erasure ("Right to be Forgotten") — request deletion of your data, subject to legal retention obligations
- Restriction — request that we limit processing of your data
- Portability — receive your data in a structured, machine-readable format
- Objection — object to processing based on legitimate interest
- Withdraw consent — withdraw consent for genetic/health data processing at any time without affecting the lawfulness of prior processing
To exercise these rights, contact info@sodnascan.com. We will respond within 30 days (extendable by 60 days for complex requests, with notice).
10. Data Security
We implement the following security measures to protect your data:
- Encryption in transit — all data transmitted between your browser, our servers, and third-party processors uses TLS 1.2 or higher
- Encryption at rest — database and file storage are encrypted at rest using AES-256
- Row-Level Security (RLS) — database access policies ensure that each user can only access their own data
- Password hashing — passwords are hashed using industry-standard algorithms; we never store plaintext passwords
- File integrity — uploaded genetic files are hashed (SHA-256) to detect tampering
- Rate limiting — upload endpoints are rate-limited (10 uploads per hour) to prevent abuse
- File size limits — genetic files (50 MB), blood work PDFs (20 MB), and wearable exports (200 MB) are size-limited
- Authentication — JWT-based authentication using the ES256 algorithm, with tokens verified against Supabase's JWKS endpoint
- Access control — service role keys are used only for server-side operations; client requests use scoped user tokens
Data Protection Impact Assessment (DPIA)
Processing genetic data with AI triggers three independent DPIA requirements under GDPR: (1) large-scale processing of Article 9 special category data, (2) AI-based profiling, and (3) processing that creates high risk to individuals. We have conducted a Data Protection Impact Assessment evaluating the necessity, proportionality, and risk mitigation measures for this processing. A summary is available in our published DPIA document, and the full assessment is available upon request by contacting privacy@sodnascan.com.
11. Breach Notification
In the event of a data breach affecting your personal data:
- EU/EEA residents: We will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you without undue delay. Breaches involving genetic data are presumed to be high-risk.
- California residents: We will notify affected individuals within 30 calendar days. For breaches involving genetic data, we will notify the California Department of Public Health within 15 business days and the California Attorney General if 500+ residents are affected, as required by SB 446.
- Washington residents: We will notify affected individuals within 30 days as required by MHMDA.
- All users: We will describe the nature of the breach, the data involved, the measures taken, and the steps you can take to protect yourself.
12. Children's Data
SoDNAscan is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you are under 18, do not create an account or upload any data. If we learn that we have collected data from a child under 18, we will delete it promptly. If you believe a child has provided us with personal data, please contact info@sodnascan.com.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes:
- We will update the "Last Updated" date at the top
- If a change materially affects the processing of your genetic or health data, we will request renewed consent
14. Contact Us
For questions about this Privacy Policy or to exercise your data rights:
- Email: info@sodnascan.com
- Data Protection Contact: privacy@sodnascan.com