1. Data controller
DeepDNA is the data controller for the personal data described in this policy, as defined under the EU General Data Protection Regulation (GDPR).
For all privacy-related enquiries:
- Email: [email protected]
- Website: https://deepdna.ai
DeepDNA is operated as a European entity, subject to GDPR and applicable EU member state data protection laws.
2. What data we collect and why
When you join our waitlist, we collect the following data:
| Data | Purpose | Legal basis | Retention |
|---|---|---|---|
| Email address | Waitlist registration and communication about DeepDNA | Consent (Art. 6(1)(a) GDPR) | Until you request deletion |
| Timestamp | Record when you signed up | Linked to consent | Same as email |
| Source / CTA identifier | Understand which page you signed up from (e.g. "homepage-hero", "blog-post") to improve our site | Legitimate interest (Art. 6(1)(f)) — improving our service | Same as email |
| Referring URL | Understand how you found us. The full URL of the page you came from, which may include search query parameters | Legitimate interest (Art. 6(1)(f)) — marketing attribution | Same as email |
| Country code | Two-letter ISO country code (e.g. "ES", "DE") derived from your connection by Cloudflare. Used for geographic insights, not geolocation | Legitimate interest (Art. 6(1)(f)) — understanding our audience | Same as email |
| UTM parameters | Campaign tracking tags (utm_source, utm_medium, utm_campaign) if present in the referring URL | Legitimate interest (Art. 6(1)(f)) — marketing attribution | Same as email |
| IP address | Rate limiting only (preventing abuse). Stored as a hashed key, not linked to your email record | Legitimate interest (Art. 6(1)(f)) — abuse prevention | 3,600 seconds (1 hour), then automatically and permanently deleted |
Legitimate interest justification
For data processed under legitimate interest (source, referrer, country, UTM parameters), our interest is understanding where our users come from and how they find us, so we can improve our site and outreach. This data is non-sensitive metadata tied to your waitlist signup. We have assessed that this processing does not override your fundamental rights and freedoms, given the minimal nature of the data and its limited use.
For IP-based rate limiting, our interest is preventing automated abuse of the signup form. The IP address is stored ephemerally (auto-deleted after 1 hour) and is never linked to your email record.
Data you provide voluntarily
Providing your email address is voluntary. However, it is required to join the waitlist. If you choose not to provide it, you will not be able to register for early access, but you can still browse the site freely.
3. What we do NOT collect
Zero third-party trackers. No Google Analytics, no Facebook Pixel, no advertising scripts, no social media widgets, no external tracking of any kind.
No profiling or automated decision-making. We do not use your data for profiling, scoring, or any form of automated decision-making as defined under GDPR Art. 22.
4. Genomic data processing — GDPR Article 9 special categories
Genetic data is classified as a special category of personal data under GDPR Article 9. This section details how DeepDNA handles your DNA genotype file with the heightened protections this classification requires.
4.1 What genomic data we process
When you use the DeepDNA analysis service, you upload a raw genotype data file exported from a consumer DNA testing provider (such as 23andMe, AncestryDNA, or MyHeritage). This file contains:
- Single Nucleotide Polymorphism (SNP) data — Hundreds of thousands of genetic variant positions across your genome
- Genotype calls — The specific alleles you carry at each variant position
- Chromosome and position data — The genomic coordinates of each variant
This data constitutes genetic data as defined in GDPR Article 4(13): "personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question."
4.2 Legal basis for processing genomic data
Processing of genetic data under GDPR Article 9 requires an explicit legal basis beyond those in Article 6. Our legal basis is:
- Explicit consent (Art. 9(2)(a) GDPR) — Before uploading your DNA file, you provide explicit, informed, and specific consent to the processing of your genetic data for the purpose of generating your DeepDNA analysis report.
This consent is:
- Freely given — You are under no obligation to use the service
- Specific — Consent is limited to generating your personal analysis report. Your data is not used for any other purpose
- Informed — This privacy policy, combined with the consent interface, provides full transparency about what processing occurs
- Unambiguous — Consent is collected through a clear affirmative action (uploading your file after reviewing and accepting these terms)
4.3 How your DNA file is processed
Your genotype file undergoes the following processing steps. For full technical details, see our Methodology page.
- Upload and validation — Your file is uploaded over an encrypted TLS 1.3 connection. It is validated for format, integrity, and quality.
- In-memory analysis — Your genetic variants are analysed by our pipeline. This processing occurs in memory on secure, isolated compute instances. Your file is never written to persistent storage beyond what is required for active processing.
- Report generation — The analysis results are synthesised into your personal report.
- Permanent deletion — Once your report is generated and delivered, your raw genotype file and all intermediate processing data are permanently deleted. This deletion is automatic and irreversible.
4.4 What we retain after analysis
After your DNA file is deleted, we retain only:
- Your report — The generated analysis report (health findings, pharmacogenomic profiles, nutrigenomic insights, ancestry results) so you can access it. This report contains interpreted results, not raw genotype data.
- Transaction record — A record of your purchase (email, timestamp, payment confirmation) for accounting and legal compliance purposes.
We do not retain:
- Your raw genotype file
- Individual variant-level data
- Any intermediate analysis files
- Any data that could be used to reconstruct your genotype
4.5 Genomic data deletion rights
You have the right to request deletion of all data associated with your account at any time, including your generated report. Upon request:
- Your report and all associated metadata are permanently deleted
- Deletion is confirmed by email within 30 calendar days
- Since we do not retain your raw DNA file after processing, there is no raw genetic data to delete — it was already permanently removed at the time of report generation
To request deletion: [email protected]
4.6 Data Protection Impact Assessment (DPIA)
In accordance with GDPR Article 35, we have conducted a Data Protection Impact Assessment for our processing of genetic data. This assessment concluded that our zero-retention, in-memory processing model, combined with encryption-in-transit and explicit consent mechanisms, adequately mitigates the risks associated with processing special category genetic data. The DPIA is reviewed annually or whenever significant changes are made to our processing pipeline.
4.7 No genetic discrimination
DeepDNA does not share your genetic data or analysis results with:
- Insurance companies
- Employers
- Government agencies
- Law enforcement (except where legally compelled by a valid court order, in which case we would have no raw genetic data to provide)
- Pharmaceutical companies
- Any other third party
We support and comply with the principles of the EU Charter of Fundamental Rights Article 21 (non-discrimination) as it applies to genetic characteristics.
5. Data processor
Your data is processed and stored using Cloudflare, Inc. (101 Townsend Street, San Francisco, CA 94107, USA) as our data processor. Specifically:
- The site is hosted on Cloudflare Pages
- Waitlist data is stored in Cloudflare Workers KV, a key-value store distributed across Cloudflare's global network
- The signup API runs on Cloudflare Workers (serverless functions at the edge)
Cloudflare acts as a data processor under GDPR Art. 28. Cloudflare maintains a GDPR compliance programme and offers a Data Processing Addendum (DPA) that includes Standard Contractual Clauses (SCCs) for international data transfers.
We do not share your data with any other third parties. We do not sell your data. We do not use it for advertising.
6. Data storage and international transfers
Your waitlist data is stored in Cloudflare Workers KV. Cloudflare KV is a globally distributed key-value store, which means your data may be replicated across Cloudflare's network of data centres worldwide, including locations outside the European Economic Area (EEA).
Cloudflare is a US-based company. International transfers of personal data to Cloudflare are governed by:
- Standard Contractual Clauses (SCCs) as approved by the European Commission
- Cloudflare's Data Processing Addendum (DPA), which incorporates appropriate safeguards under GDPR Art. 46
- Cloudflare's participation in relevant data transfer frameworks
We are transparent about this: we do not claim EU-only storage. Your data is processed within Cloudflare's infrastructure with contractual EU data protection standards applied regardless of where it is physically stored.
Genomic data transfers
Your raw genotype file is processed on secure compute instances. During active processing, the data may transit through infrastructure outside the EEA. However:
- All transfers occur over encrypted TLS 1.3 connections
- Processing is ephemeral — data exists in transit and in memory only
- No persistent copy is stored outside (or inside) the EEA after processing completes
- Appropriate contractual safeguards (SCCs) are in place for all data processors
7. Data retention
- Email and associated metadata (timestamp, source, referrer, country, UTM): retained until you request deletion, or until we determine the data is no longer needed for the waitlist purpose
- IP address (rate limit key): automatically deleted after 3,600 seconds (1 hour). This is enforced at the infrastructure level via Cloudflare KV TTL and cannot be extended
- Raw genotype file: deleted immediately and permanently after report generation. Not retained under any circumstances
- Analysis report: retained until you request deletion
When you request deletion, we remove your email record, analysis report, and all associated metadata. Deletion is permanent.
8. Your rights
Under the GDPR, you have the following rights regarding your personal data. To exercise any of these rights, contact us at [email protected]. We will respond within 30 calendar days.
- Right of access (Art. 15): Request a copy of all personal data we hold about you. We will provide it in JSON format
- Right to rectification (Art. 16): Request correction of inaccurate personal data
- Right to erasure (Art. 17): Request deletion of your personal data, including your analysis report. We will delete all records and confirm by email
- Right to restriction of processing (Art. 18): Request that we limit how we use your data
- Right to data portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format (JSON)
- Right to object (Art. 21): Object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds
- Right to withdraw consent: You may withdraw your consent at any time, including consent for genomic data processing. Withdrawal does not affect the lawfulness of processing before withdrawal. Note: if your DNA file has already been processed and deleted, withdrawal applies to any remaining data (report, email record). To withdraw, email us or request deletion
Additional rights for genetic data
Given the special nature of genetic data under GDPR Article 9, you have additional protections:
- Right to be forgotten — Given our zero-retention model, your raw genetic data is automatically deleted after processing. You can additionally request deletion of your generated report at any time.
- Right to explanation — You may request a detailed explanation of how your genetic data was processed, what databases were consulted, and how specific findings were derived. See our Methodology page for the general approach.
- Right to restrict automated processing — While our analysis pipeline is automated, you can request human review of any specific finding by contacting [email protected].
9. Right to lodge a complaint
If you believe we have not handled your data correctly, you have the right to lodge a complaint with a supervisory authority. The relevant authority for complaints is:
Agencia Española de Protección de Datos (AEPD)
https://www.aepd.es
You may also lodge a complaint with the supervisory authority in your own EU/EEA member state of residence.
10. Data breach notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Art. 33
- Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms, as required by GDPR Art. 34
Given our zero-retention model for genetic data, the scope of any potential breach involving genomic information is inherently limited: if your DNA file has already been processed and deleted, it cannot be compromised in a subsequent breach.
11. Children
DeepDNA does not knowingly collect personal data from anyone under the age of 16. If we become aware that we have collected data from a child under 16, we will delete it immediately. DeepDNA's genomic analysis service is available only to individuals aged 18 and over.
12. Changes to this policy
We may update this privacy policy from time to time. When we do, we will update the "Last updated" date at the top of this page. For significant changes — particularly those affecting genomic data processing — we will notify users by email and require re-consent where applicable.
13. Contact
For any questions about this privacy policy, your personal data, or to exercise your rights:
Email: [email protected]
Response time: Within 30 calendar days