Privacy Policy

2.1 Account Information

When you create an account, we collect:

• Email address (required, verified via confirmation link)
• Username (optional, self-entered, unverified)
• Profile name (optional, self-entered, unverified - you may create multiple profiles)
• Password (encrypted using industry-standard bcrypt hashing, never stored in plain text)
• Gender (sex assigned at birth) (required for report accuracy - options: Male, Female, Prefer not to say)
• Age range (required for report accuracy - options: 18-24, 25-44, 45-64, 65+, Prefer not to say)

Why We Collect Gender and Age Range: Pharmacogenomic research shows that certain genetic associations and medication responses vary by biological sex and age. We collect this information only to customize your educational reports for accuracy. These fields are stored as broad categories (not exact values) and cannot be used to identify you personally.

If You Select "Prefer Not to Say": Your reports will be generated using general population research data rather than sex-specific or age-specific findings. This may reduce the specificity of certain insights but will not prevent you from using the Service.

Critical: What We DON'T Collect: We deliberately do NOT collect or verify: first name, last name, physical address, phone number, exact date of birth, government IDs, or any other personally identifiable information beyond your email address. This means we cannot verify your identity - even if legally compelled. The email address you provide is the ONLY verified connection to your account and data.

2.2 Genetic Data - Browser-Only Processing

Critical Privacy Feature: Your raw genetic files are NEVER uploaded to our servers.

• 100% Local Processing: Files are processed entirely in your web browser using JavaScript
• No File Upload: Raw genetic files never leave your device or enter our servers
• Minimal Data Extraction: Only approximately 1,000 specific genetic markers (SNPs) are extracted from ~600,000+ variants
• 0.016% of Your Genome: We store approximately 0.016% of your complete genetic data
• Anonymized Storage: Only rsID identifiers and genotypes stored (e.g., rs1801133: CT)
• No Sequences: We do NOT store complete DNA sequences, genealogical data, or phenotypic information

YOUR RESPONSIBILITY: Check Files Before Upload. DNA files from testing companies (23andMe, AncestryDNA, etc.) often contain personal information in their headers - including your name, address, testing date, and kit ID. While we process these files only in your browser and our system automatically strips metadata before storage, you must check your file for PII before uploading.

Under privacy laws (GDPR/CCPA), "processing" includes ANY operation on personal data - even if we don't store it. By uploading a file containing PII, you acknowledge that browser-based processing occurs. We cannot remove PII from your local file - that is your responsibility.

Best Practice: Open your DNA file in a text editor and delete the header lines containing personal information before uploading.

2.3 Automatically Stripped Metadata

Our browser-based processor automatically strips ALL file metadata before storing any data:

• Names, addresses, email addresses, phone numbers
• Birth dates and collection timestamps
• Customer IDs, kit IDs, barcodes, sample IDs
• Testing company names and metadata
• All header, comment, and metadata lines from genetic files
• File names and upload timestamps

Only approximately 1,000 genetic markers (SNP variants) are extracted and stored in our database - no file metadata ever reaches our servers.

2.4 Payment Information

We use Stripe for secure payment processing. We do NOT collect or store:

• ❌ Credit card numbers
• ❌ Cardholder names
• ❌ Billing addresses
• ❌ CVV codes or expiration dates

What we DO store for purchase verification:

• ✓ Stripe payment ID (anonymous transaction reference)
• ✓ Purchase amount
• ✓ Product type purchased
• ✓ Transaction status (completed/failed)
• ✓ Purchase date/time
• ✓ Associated user ID (internal, anonymized)

All payment details are handled securely by Stripe (PCI-DSS Level 1 certified). We never see or store your actual payment information.

2.5 User Feedback Data

When you provide feedback through our Service (such as medication effectiveness ratings), we collect:

• Feedback rating: Stored with your account while active, associated with your anonymous user ID
• Medication/supplement referenced: Associated with the feedback
• Timestamp: Date/time of feedback submission

Important: Your feedback data is stored separately from your genetic markers and can be independently deleted. See Section 6.2 for your deletion options.

Feedback Anonymization: When used for algorithm improvement (with your consent), feedback data is stripped of any connection to your user ID before being incorporated into our training datasets. See Section 3.3 for details on how anonymized feedback improves our Service.

2.6 Access Logs and IP Addresses

We temporarily collect IP addresses and access logs for security and fraud prevention:

• Purpose: Detect suspicious activity, prevent fraud, debug technical issues
• Retention: 90 days maximum, then automatically deleted
• Storage: Encrypted and access-controlled
• Use: Never used for marketing or tracking; security purposes only

Note: IP addresses are considered personal data under GDPR and CCPA. We minimize retention and do not share with third parties except as required by law.

2.7 Analytics and Tracking Technologies

We use analytics services to understand how users interact with our Service and to improve functionality:

• Google Analytics: We use Google Analytics to collect information about Service usage, including pages visited, time on site, browser type, device information, and general geographic location. Google Analytics uses cookies and may collect your IP address. For information about how Google uses this data, visit: google.com/policies/privacy/partners. You can opt out using the Google Analytics Opt-out Browser Add-on.
• Plausible Analytics: We also use Plausible Analytics for privacy-focused, cookie-free traffic analytics.
• Google Ads: For advertising our services, conversion tracking may occur on your device.

We use this information to:

• Understand how users navigate our Service
• Identify technical issues and improve performance
• Measure the effectiveness of our features
• Make data-driven decisions about Service improvements

2.8 Usage Information

We collect usage information through our analytics services:

• Pages visited and navigation patterns
• Browser type and device information
• Device type (mobile vs desktop)
• Geographic region (country-level)
• Time spent on pages and features used

2.9 Cookies and Similar Technologies

We use cookies and similar technologies to operate and improve our Service:

• Essential Cookies: Required for site functionality, authentication, and security
• Analytics Cookies: Used by Google Analytics to understand usage patterns
• Preference Cookies: Remember your settings and choices

You can control cookie settings through your browser. Disabling certain cookies may affect Service functionality. For more information about cookies and how to manage them, visit allaboutcookies.org.

3.1 Providing the Service

We use your information to:

• Generate educational pharmacogenomics reports based on your genetic markers
• Match your genetic variants to published scientific research
• Provide general information about how genetic variants have been studied
• Authenticate your identity and maintain your account
• Process payments and verify purchases
• Customize report content based on your demographic information (gender, age range) for accuracy

3.2 Account Management

• Authenticate your identity and maintain your account
• Send important service updates and security notifications
• Respond to your support requests

3.3 Service Improvement and AI Algorithm Development

• Improve our genetic analysis algorithms
• Enhance user experience and platform functionality
• Develop new features and reports
• Collect anonymized user feedback on medication and supplement effectiveness
• Use feedback data internally to train and improve our proprietary AI algorithms

Important: All feedback data used for algorithm improvement is fully anonymized and cannot be traced to individual users. Your anonymized contributions help improve the accuracy and effectiveness of our Service for all users.

3.4 Automated Decision-Making

Our service uses automated processing to analyze your genetic data and generate reports. This includes:

• Algorithm-Based Analysis: We use proprietary algorithms to match your genetic variants against research databases
• Report Generation: Automated systems generate personalized reports based on your genetic markers
• Risk Scoring: Algorithms calculate risk scores based on published scientific research

Important Limitation: These automated analyses are for educational purposes only and should not be used for medical decisions. All reports should be discussed with qualified healthcare professionals. You have the right to request human review of any automated decision by contacting our support team.

3.5 What We Do NOT Use Your Information For

We do NOT use your genetic data, health information, or personal data to:

• Create marketing profiles or target advertising based on your genetics
• Sell to or share with data brokers
• Conduct research without your explicit consent
• Make decisions about your employment, insurance, or creditworthiness
• Share with any third party for their own purposes

4.1 Where Data is Stored

• Infrastructure: Google Cloud Platform (GCP) — Cloud SQL, Compute Engine, Cloud Run
• Account information: Encrypted database servers
• Anonymized genetic markers: Secure database with row-level security
• Reports: Generated on-demand and stored locally on your device
• PDFs: Created in your browser, never uploaded to our servers
• Server Location: Data centers primarily located in the United States with backup and redundancy systems that may be distributed globally

Infrastructure Details: We utilize Google Cloud Platform (GCP) infrastructure with servers in the United States (us-central1 region). For specific data center location information related to GDPR or other regulatory requirements, please contact us at privacy@braingenome.ai.

4.2 Security Measures

• Encryption in transit: All data transmission uses HTTPS/TLS 1.2 or higher
• Encryption at rest: All stored data is encrypted using AES-256 encryption
• Row-level security policies on database (users can only access their own data)
• Regular security audits and updates
• Access controls and authentication requirements
• Separation of genetic markers from account identifiers

Our infrastructure providers (Google Cloud Platform) maintain SOC 2 Type II compliance and undergo regular third-party security audits.

4.3 Data Minimization

We practice data minimization by storing only the absolute minimum genetic information necessary for analysis. The approximately 1,000 genetic markers we store cannot be used to reconstruct your identity, trace your ancestry, or determine your physical characteristics.

4.4 Data Retention and Deletion Timeline

We retain data as follows:

• Active Accounts: Data retained while account is active
• Immediate Deletion Request: Data is immediately removed from our production servers when you request complete deletion
• AWS Backup Retention: Deleted data may persist in automated AWS backup systems for up to 30 days before permanent purging
• Anonymized Data (if you choose to keep it): Retained indefinitely for research purposes - cannot be deleted after account deletion as it becomes permanently unidentifiable
• Access Logs: Retained for 90 days for security purposes

We are committed to protecting your privacy. We share information only as described in this Privacy Policy:

We will NOT share your identifiable genetic information with:

• Insurance companies for underwriting purposes
• Employers for employment decisions
• Law enforcement without valid legal process

We may share information as follows:

• Service Providers: With vendors who help us operate the Service
• Aggregated/De-identified Data: We may share aggregated, de-identified information that cannot reasonably be used to identify you for research, analytics, partnerships, or other lawful purposes
• Legal Requirements: When required by valid legal process
• Business Transfers: In connection with a merger, acquisition, or sale of assets
• With Your Consent: When you direct us to share information

5.1 Service Providers and Data Sharing

We may share data with trusted service providers and partners as follows:

• Service Operations: Providers who assist with hosting, email delivery, payment processing, and analytics
• Aggregated/De-identified Data: We may share aggregated or de-identified information that cannot reasonably identify you for research, analytics, product development, or other purposes

These providers are bound by strict confidentiality agreements and may only use data to perform services on our behalf.

5.2 Legal Requirements and Law Enforcement

We may disclose information if required by law, such as:

• In response to valid legal process (subpoena, court order, search warrant)
• To protect our legal rights and property
• To prevent harm to individuals or public safety

5.3 Business Transfers

In the event of a merger, acquisition, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will:

• Notify you via email and/or prominent notice on the Service before your information becomes subject to a different privacy policy
• Give you the opportunity to delete your data before any transfer
• Ensure the acquiring entity agrees to honor this Privacy Policy or provide equivalent protections

Any successor entity will be bound by the same restrictions on data use described in this Privacy Policy.

6.1 Access and Portability

• You can access your account information and genetic data at any time
• You can download your reports as PDF files
• You can request a copy of your stored genetic markers in machine-readable format

6.2 Data Deletion

• You can delete your genetic data at any time through your profile settings
• Deletion is immediate from production servers - data removed from AWS backups within 30 days
• Downloaded reports (PDFs) remain on your local device
• You can delete your entire account through Settings, choosing to delete all data or keep anonymized data for research
• Important: The decision to keep anonymized data is permanent - once your account is deleted, we cannot identify or remove anonymized data

6.3 Profile Management

• You can create multiple profiles for different individuals
• Each profile's data is stored separately and securely
• You control which profile is active and can switch at any time

6.4 Communication Preferences

• You can opt out of marketing communications
• Important service updates will still be sent for account security

6.5 Withdraw Consent

You may withdraw your consent for data processing at any time by:

• Deleting your genetic data through your account settings
• Deleting your entire account
• Contacting us at privacy@braingenome.ai

Withdrawing consent does not affect the lawfulness of processing conducted before withdrawal. If you previously consented to anonymized data use for research, you may withdraw that consent for future use, but data already anonymized and incorporated into aggregate datasets cannot be retrieved or deleted.

We will respond to all data requests within 30 days.

6.6 Deletion Options

When you delete your account, you will choose between two options:

Important: If you choose Option B, this decision is permanent. Once your account is deleted, the anonymized feedback cannot be identified or retrieved because it is no longer connected to any identifying information.

Account Creation:

Only individuals 18 years of age or older may create a Brain Genome account. We do not knowingly allow minors to register accounts.

8.1 Service Restrictions

For data protection and regulatory compliance, our service is not available to residents of the following jurisdictions:

• Russian Federation
• People's Republic of China
• Countries without adequate data protection frameworks as determined by international standards

These restrictions are based on data protection regulatory requirements and international sanctions compliance, not discrimination based on national origin. Users traveling temporarily in restricted jurisdictions may experience service interruptions.

9.1 Legal Basis for Processing

Under the General Data Protection Regulation (GDPR), we process your genetic data based on your explicit consent (GDPR Article 9(2)(a)). Genetic data is classified as a "special category" of personal data requiring explicit consent and additional protections.

Legal Basis for Other Personal Data:

• Contract Performance: Processing your email and account data is necessary to provide the Service you requested
• Legitimate Interests: Processing for security, fraud prevention, and service improvement, balanced against your rights and interests
• Legal Obligation: Processing required to comply with applicable laws

9.2 Your GDPR Rights

As an EU/UK/EEA resident, you have the following rights:

• Right to Access: Request copies of your personal and genetic data
• Right to Rectification: Correct inaccurate data
• Right to Erasure ("Right to be Forgotten"): Request deletion of your data
• Right to Restrict Processing: Limit how we use your data
• Right to Data Portability: Receive your data in a machine-readable format
• Right to Object: Object to processing for specific purposes
• Right to Withdraw Consent: Withdraw your consent at any time without affecting prior processing
• Right to Lodge a Complaint: File a complaint with your local supervisory authority
• Right to Object to Automated Decision-Making: Request human review of automated genetic analysis results

9.3 International Data Transfers

When we transfer your data outside the EU/UK/EEA, we use Standard Contractual Clauses (SCCs) approved by the European Commission to ensure your data receives adequate protection.

9.4 Data Protection Officer

For GDPR-related inquiries, contact our Data Protection Officer:

9.5 Supervisory Authority

You have the right to lodge a complaint with your local data protection authority. For a list of EU supervisory authorities, visit: https://edpb.europa.eu

10.1 Your California Rights

• Right to Know: Request disclosure of personal information collected, used, or shared
• Right to Delete: Request deletion of your personal information
• Right to Correct: Request correction of inaccurate personal information
• Right to Opt-Out: Opt-out of sale or sharing of personal information
• Right to Limit: Limit use of sensitive personal information
• Right to Non-Discrimination: Exercise privacy rights without discriminatory treatment

10.2 Sale and Sharing of Personal Information

Brain Genome does not sell your identifiable personal information or genetic data for monetary consideration. We may share de-identified, aggregated data that cannot reasonably identify you for research, analytics, or other purposes. Under CCPA definitions, sharing of de-identified data does not constitute a "sale" of personal information.

California residents have the right to opt out of the sale or sharing of personal information. To exercise this right, contact privacy@braingenome.ai.

10.3 Sensitive Personal Information

We collect and use sensitive personal information (genetic data) only for the purposes disclosed in this Privacy Policy. You may limit our use of your sensitive personal information by contacting us.

10.4 Exercising Your Rights

California residents can exercise their privacy rights through our automated CCPA portal or by contacting us:

Authorized Agents: California residents may designate an authorized agent to make requests on their behalf. Authorized agents must provide written authorization from the consumer and verify their own identity. We may require the consumer to verify their identity directly with us before processing the request.

11.1 Consumer Health Data

We collect consumer health data (genetic markers) for the sole purpose of generating educational genetic analysis reports. This data is anonymized and used only to provide our services.

11.2 Your Washington Rights

• Right to Confirm: Confirm whether we process your health data
• Right to Access: Access your consumer health data
• Right to Delete: Delete your consumer health data
• Right to Obtain a Copy: Receive a copy of your health data in a portable format
• Right to Appeal: Appeal any denial of your rights request

11.3 What We Do NOT Do

• We do NOT sell your consumer health data
• We do NOT share your health data with third parties for advertising purposes
• We do NOT use geofencing technology to collect or infer health data

11.4 Filing a Complaint

You may file a complaint with the Washington State Attorney General's Office if you believe we have violated the MHMDA:

11.5 Consent Under MHMDA

In accordance with MHMDA, we obtain your affirmative consent before collecting or processing your consumer health data through our Platform Consent process. This consent is separate from your agreement to our Terms of Service.

Response Timeline: We will respond to MHMDA rights requests within 30 days. Complex requests may require up to 45 days with notice to you.

12.1 Illinois - Biometric Information Privacy Act (BIPA)

For Illinois residents:

• We collect and use genetic data only with your informed written consent
• We do not sell, lease, or trade genetic information
• We implement reasonable security measures to protect genetic data
• You may request deletion of your genetic data at any time

12.2 Texas - Biometric Privacy Law

For Texas residents:

• Written consent required before collecting genetic data (obtained through Platform Consent)
• We do not sell or disclose genetic information without your consent
• Upon account deletion, genetic data is destroyed within 30 days
• For active accounts, genetic data is retained only as long as necessary to provide the Service
• You may request deletion at any time through your account settings

12.3 Additional State Protections

We also comply with genetic privacy laws in:

• Alaska: Genetic information privacy protections
• Arkansas: Genetic information privacy requirements
• Colorado: We comply with the Colorado Privacy Act, including the requirement for consent to process sensitive data (including genetic data) and the right to opt out of profiling
• Florida: DNA analysis and data bank regulations
• Georgia: Genetic information privacy in insurance and employment
• Montana: Genetic information protections
• New Hampshire: Genetic testing privacy requirements
• New Jersey: Genetic Privacy Act
• Oregon: Genetic information privacy rules
• Virginia: We comply with the Virginia Consumer Data Protection Act, including consent requirements for sensitive data processing

13.1 Our Commitment Under GINA

• We will NEVER share your genetic information with employers
• We will NEVER share your genetic information with health insurance companies
• GINA prohibits discrimination based on genetic information in health insurance and employment

13.2 Important Limitations of GINA

GINA Does NOT Cover:

• Life insurance
• Disability insurance
• Long-term care insurance

You should be aware that genetic information may affect your eligibility or premiums for these types of insurance. We recommend consulting with an insurance advisor before sharing genetic reports with insurance providers.

14.1 Our Notification Commitment

• We will notify affected users within 72 hours of discovering a breach (as required by GDPR)
• We will notify relevant supervisory authorities and regulatory bodies as required by applicable law
• Notification will be sent to your registered email address

If we cannot reach you via your registered email address, we will post a prominent notice on our website and, if we have sufficient information, attempt to contact you through alternative means.

14.2 Breach Notification Will Include

• Nature of the security breach
• Types of data potentially affected
• Estimated date and time of the breach
• Steps we are taking to address the breach
• Recommended protective actions for affected users
• Contact information for questions and support

14.3 Security Incident Contact

15.1 What We Use

We use the following types of cookies and tracking technologies:

• Essential Cookies: Required for authentication and core service functionality
• Performance Cookies: Help us understand how users interact with our service (anonymous)
• Preference Cookies: Remember your settings and preferences

Cookie Consent: When you first visit our Service, you will be presented with a cookie consent banner allowing you to accept or reject non-essential cookies. Essential cookies required for authentication and core functionality do not require consent. You can change your cookie preferences at any time through your browser settings or by clearing your cookies and revisiting the site.

15.2 Third-Party Services

We use the following third-party services:

• Google Cloud Platform: Hosting, database, and compute infrastructure (essential cookies only)
• Firebase Authentication: User authentication (essential cookies only)
• Stripe: Payment processing (uses cookies for fraud prevention, PCI-DSS compliant)
• Plausible Analytics: Privacy-focused analytics (no cookies, fully anonymous)
• Google Ads: Advertising platform (may set conversion tracking cookies on your device)

Links to third-party privacy policies:

• Google Cloud Privacy Notice
• Firebase Privacy Policy
• Stripe Privacy Policy
• Plausible Privacy Policy
• Google Privacy Policy

15.3 Managing Cookies

You can control cookies through your browser settings:

• Most browsers allow you to refuse cookies or delete existing cookies
• Disabling essential cookies may affect service functionality
• Browser settings: Check your browser's Help menu for cookie management options

15.4 Do Not Track

We honor "Do Not Track" browser signals. When we detect a DNT signal, we limit data collection to essential Service functionality only. You also have the ability to control your data through the rights described in this Privacy Policy.