Privacy Policy
How we collect, use and protect your personal and genetic data.
1. The short version
We treat your DNA and health data with the highest care. We never sell it. We use it only to deliver and improve the Service. You stay in control: you can download or delete your data anytime.
2. Who is the data controller
My Genetic reStart acts as the data controller (GDPR) / treatment operator (LGPD) for personal data you provide. Contact: privacy@mygeneticrestart.com.
3. What we collect
Account info (name, email, password hash). Health questionnaire answers. DNA raw data and parsed SNPs (only if you upload them). Lab report files (only if you upload them). Technical logs (IP, device, timestamps) for security and audit. Geolocation derived from IP for legal compliance only.
4. Legal bases
We process data based on: your explicit consent (sensitive health data), performance of contract (paid plans), legitimate interest (security, fraud prevention) and legal obligation (audit, tax).
5. How we store it (server locations)
We use Amazon Web Services (AWS) and store your data in the AWS region closest to your country of residence: EU residents → eu-central-1 (Frankfurt) or eu-west-1 (Ireland); Brazilian residents → sa-east-1 (São Paulo); US residents → us-east-1 (N. Virginia); Middle East → me-south-1 (Bahrain); APAC → ap-southeast-1 (Singapore) or ap-northeast-1 (Tokyo); Oceania → ap-southeast-2 (Sydney); Africa → af-south-1 (Cape Town). Data is encrypted at rest (AES-256) and in transit (TLS 1.2+).
6. Raw DNA file — your choice
When you upload a raw DNA file you choose whether we keep it on our servers for future updates and re-analysis, or whether we delete it within 24 hours after processing. We always keep the parsed clinically-relevant SNPs needed for your reports unless you delete your account. You can change your retention choice anytime in settings.
7. Who can see your data
Only you, our authorized technical staff under confidentiality, and processors strictly necessary to operate the Service (hosting, payments, email). We never share with insurers, employers, advertisers, or law enforcement without a valid court order.
8. International transfers
We avoid transferring your data outside the region of residence. When unavoidable (for example, payment processing), we use Standard Contractual Clauses and equivalent safeguards.
9. Retention
Account and report data: kept while the account is active. Audit logs: 5 years. Raw DNA: per your choice (kept or deleted after 24h). After account deletion, we delete or anonymize within 30 days, except where law requires longer.
10. Your rights
You have the right to: access, rectify, delete, restrict processing, port your data, withdraw consent, and lodge a complaint with your local data protection authority (ANPD in Brazil, EDPB members in EU, ICO in UK, etc.). Email privacy@mygeneticrestart.com to exercise these rights.
11. Children
Service is not intended for users under 18 without parental authorization.
12. Security
Defense in depth: encryption, role-based access, MFA for staff, audit logging, vulnerability scanning, security-by-design SDLC. Incidents are notified within 72 hours where required by law.
13. Cookies
Essential cookies for login and security. Analytical cookies only with consent.
14. Changes
We notify material changes in-app. Continued use after the effective date means acceptance.
15. Contact
Data Protection Officer (DPO): dpo@mygeneticrestart.com. General: privacy@mygeneticrestart.com.