Privacy & Security Policy for GenesUnveiled
Last updated: August 1, 2025
1) Introduction
At GenesUnveiled (“we,” “us,” “our”), your privacy and security are core to how we build our services. This policy explains how we collect, use, disclose, and protect personal information when you visit GenesUnveiled.com and use our DNA-analysis tools. We designed this policy to comply with the EU/EEA & UK GDPR, the California Consumer Privacy Act as amended by the CPRA (collectively “California privacy laws”), and other similar U.S. state laws.
Who we are & our roles
- Controller: We act as a data controller for account, billing, marketing preferences, cookie/analytics preferences, and customer support data.
- No controller processing of genetic data: Our DNA analysis runs locally on your device. We do not collect, receive, or store your raw DNA file or per-variant results on our servers; therefore we are not a controller of your genetic data.
2) What we collect
- Account & contact: Name, email, hashed password, and billing details (processed by our payment processor).
- Device & usage: IP address, browser/OS, pages viewed, and site performance logs (used for security and troubleshooting).
- Genetic data: Not collected by us. Your raw DNA file and per-variant results are processed locally on your device. See §10.
3) How we use personal information & legal bases (GDPR)
- Provide the service (create/manage account, authenticate sessions, process payments, generate on-device reports) – Contractual necessity.
- Site security & reliability (fraud/threat detection, debugging, uptime monitoring) – Legitimate interests.
- Improve our product (aggregated, de-identified usage patterns; not genetic data) – Legitimate interests.
- Communications: service emails (security alerts, changes); and marketing emails only with your consent – Consent. You can opt out any time.
4) Cookies & tracking
- Essential cookies run the site (security, login, load balancing).
- Non-essential cookies (e.g., analytics) load only with your consent in the EEA/UK via our cookie banner. You can change choices anytime from the banner’s “Preferences.”
- Global Privacy Control (GPC): If your browser sends a GPC signal, we treat it as a request to opt out of any sale/sharing and targeted advertising where applicable.
- Browser controls let you block or delete cookies, but essential features may break.
5) Sharing & disclosures
We do not sell or rent personal information. We share limited data with service providers under contracts that restrict use to our purposes and require appropriate security:
- Website hosting & platform: Wix.com (site infrastructure, logs, performance).
- Payments: Stripe (card processing; we do not store your full card details).
- Email delivery: our website platform/provider (for service messages).
- Legal & safety: Where required by law or to protect our rights, users, or the public.
We maintain a short list of our core processors on this page and will update it if we add or replace providers.
6) International transfers
We and our providers may process data in several countries, including the U.S., EU/Ireland, Israel, South Korea, and Taiwan (for Wix infrastructure), and the U.S. (for Stripe). For EEA/UK data:
- Transfers to Israel rely on the EU’s adequacy decision for Israel (still in force as of July 2025).
- Transfers to the U.S. rely on the EU-U.S. Data Privacy Framework (DPF) where the provider participates (e.g., Stripe). Where a provider does not participate, we use Standard Contractual Clauses (SCCs) plus Transfer Impact Assessments.
7) Retention
- Account identifiers (name, email). Purpose: Provide & secure your account. Retention: Life of account + 24 months.
- Authentication & security logs. Purpose: Fraud prevention, debugging. Retention: 12 months.
- Billing & transaction records. Purpose: Accounting, tax, chargebacks. Retention: 7 years.
- Support tickets. Purpose: Troubleshooting history. Retention: 24 months after last interaction.
- Cookie consent records. Purpose: Legal compliance proof. Retention: 5 years.
- Backups. Purpose: Disaster recovery. Retention: Rolling backups, typically ≤35 days.
If you delete your account, we start deletion workflows immediately; legal retention (e.g., tax) may require us to keep limited records longer.
8) Your rights
- GDPR (EEA/UK): access, rectification, erasure, restrict/object, portability, and to lodge a complaint with your local supervisory authority.
- California & similar U.S. laws: know/access, correct, delete, opt out of sale/sharing/targeted ads (if ever applicable), and appeal a denied request.
- Marketing: withdraw consent anytime via the unsubscribe link.
How to exercise: email support@genesunveiled.com. We respond within 1 month (GDPR) or 45 days (California). We may request information to verify your identity and can extend once where permitted.
9) California Notice at Collection
We collect the following categories for the purposes and retention periods indicated. We do not sell or share personal information and do not use Sensitive Personal Information (SPI) beyond what’s necessary to provide the service (so the CPRA “right to limit” SPI does not apply).
- Identifiers. Examples: name, email, IP. Purpose: account, security, support. Retention: Life of account + 24 months.
- Commercial info. Examples: subscription status, payments (via Stripe). Purpose: billing, tax, fraud. Retention: 7 years.
- Internet activity. Examples: page views, device/OS, error logs. Purpose: security, debugging, analytics (consent in EEA/UK). Retention: 12 months.
- Geolocation (coarse). Examples: IP-based region. Purpose: content delivery, fraud prevention. Retention: 12 months.
- Sensitive Personal Information. Examples: account login/password. Purpose: authentication/security only. Retention: Life of account.
Do Not Sell or Share: We don’t sell or share your PI (as defined by CPRA). If this ever changes, we will (i) update this policy, (ii) display a clear “Do Not Sell or Share My Personal Information” link/site control, and (iii) honor GPC signals.
10) Genetic data stays on your device
- Your raw DNA file and per-variant results never leave your device by default. Calculations (e.g., risk scores) run locally in your browser/app.
- We don’t receive, store, or back up your genetic data or derived variant-level outputs.
- If you choose to export a report, the file is saved locally or to a storage provider you select; their terms apply.
- Clearing local data: You can remove local data by deleting reports/files you saved and clearing your browser/app storage (e.g., site data/IndexedDB).
- Threat model: Local analysis reduces server-side genetic risk; you remain responsible for device security (e.g., OS updates, disk encryption).
11) Security
We follow industry practices appropriate to a startup handling account and payment data (and not storing genetic data):
- Transport security: HTTPS (TLS 1.2+) for all web traffic.
- Encryption at rest: Account and billing metadata stored by our providers are encrypted at rest.
- Access controls: Role-based access, MFA for employee accounts, least-privilege, and audit logging.
- Testing & hardening: Regular vulnerability scanning and at least annual third-party security assessments of our application.
- Payments: Card data handled by Stripe (PCI DSS Level 1).
- Incident response: If we become aware of a personal-data breach, we will notify the relevant supervisory authority within 72 hours where required and inform affected users without undue delay.
(Note: Our hosting platform, Wix, manages platform-level security and provides HTTPS and encryption controls; see “Provider notes” at the end.)
12) Children’s privacy
Our services are not directed to children under 16. If you believe a child under 16 provided personal information, contact us to delete it.
13) Changes
We may update this policy to reflect legal or product changes. We’ll post updates here and revise the “Last updated” date.
14) Contact
Email: support@genesunveiled.com