Last Updated: January 1, 2026
Privacy Policy
Privacy Highlights
Before reading the full policy, here are our core commitments:
- Your data belongs to you. We process it only to deliver and improve the SoDNAscan service.
- We will never sell your genetic data to insurance companies, employers, or data brokers.
- We will never voluntarily share your genetic data with law enforcement without a legally valid court order.
- Anthropic (our AI provider) does not train models on your data. API inputs are retained for 7 days and then deleted.
- You can delete your account and all associated data at any time from your account settings.
- We use no tracking cookies or third-party analytics. The only cookies on SoDNAscan are strictly necessary for authentication.
1. Who We Are
SoDNAscan is operated by Samuel Virag as a sole proprietorship ("SoDNAscan," "we," "us," or "our").
- Data Controller: Samuel Virag
- Contact Email: info@sodnascan.com
For the purposes of the EU General Data Protection Regulation (GDPR), Samuel Virag is the data controller responsible for your personal data.
2. Scope
This Privacy Policy applies to the SoDNAscan website at sodnascan.com, the SoDNAscan web application, and all related services (collectively, the "Service"). It describes how we collect, use, share, and protect your personal data.
This policy should be read together with our:
- Terms of Service
- Data Use Policy
- Consumer Health Data Privacy Policy (required under Washington law)
- Cookie Policy
- Medical & Wellness Disclaimer
3. Data We Collect
We collect the following categories of data:
3.1 Account Data
- Email address — required for account creation and authentication
- Name — display name you provide
- Password — hashed; we never store or access your plaintext password
3.2 Demographic Data
- Age, sex, height, weight — provided optionally to personalize your Health Book
- Ethnicity — provided optionally; used to contextualize population-specific genetic variant frequencies
3.3 Genetic Data
- Raw genetic files — uploaded in 23andMe or AncestryDNA format (typically 500,000–700,000 SNP genotypes)
- Parsed genotypes — individual SNP data (rsid, chromosome, position, alleles) extracted from your uploaded file
- Matched variants — your genotypes matched against our curated panel of health-relevant genetic variants
Genetic data is classified as special category data under GDPR Article 9 and Sensitive Personal Information under the California Consumer Privacy Act (CCPA/CPRA).
3.4 Blood Work Data
- Lab test results — biomarker names, values, units, reference ranges, and status flags (normal/high/low/critical)
- Lab metadata — lab name and test date
- Blood work files — uploaded PDF lab reports or pasted text
3.5 Wearable Health Data
- Wearable device exports — uploaded from Apple Health, Oura, Fitbit, Whoop, or generic CSV formats
- Parsed health metrics — heart rate, resting heart rate, HRV, SpO2, respiratory rate, active calories, exercise minutes, steps, sleep duration and stages (core/deep/REM), sleep score, VO2 max, body mass, BMI, readiness score, recovery score, and strain
3.6 Self-Reported Health Information
- Current health status — free-text description you provide
- Health history — free-text past medical history
- Family history — free-text family medical history (e.g., "father had heart disease")
- Current supplements — free-text list
- Health goals — free-text description of what you want to learn
- Lifestyle notes and preferences — free-text descriptions
3.7 Payment Data
- Stripe checkout session ID and payment intent ID — references to your Stripe transaction
- Purchase amount and currency — stored for order records
- Your email — shared with Stripe to create the checkout session
We do not store credit card numbers, bank account details, or other financial credentials. All payment processing is handled entirely by Stripe, which is PCI DSS Level 1 certified. See Stripe's Privacy Policy.
3.8 Technical Data
- Authentication tokens — session tokens managed by Supabase Auth
- Server logs — standard HTTP request logs (IP address, user agent, timestamps)
4. Legal Basis for Processing (GDPR)
Under the GDPR, we must have a legal basis for each type of processing. The table below maps each data category and purpose to its specific legal ground.
| Data Category | Purpose | Legal Basis |
|---|---|---|
| Account data (email, name, password) | Account creation and authentication | Art. 6(1)(b) — Performance of contract |
| Account data (email) | Service communications | Art. 6(1)(b) — Performance of contract |
| Demographic data | Personalizing Health Book content | Art. 6(1)(b) — Performance of contract |
| Genetic data | AI-powered analysis and Health Book generation | Art. 9(2)(a) — Explicit consent |
| Blood work data | AI-powered analysis and Health Book generation | Art. 9(2)(a) — Explicit consent |
| Wearable health data | AI-powered analysis and Health Book generation | Art. 9(2)(a) — Explicit consent |
| Self-reported health information | AI-powered analysis and Health Book generation | Art. 9(2)(a) — Explicit consent |
| Payment data | Processing purchases | Art. 6(1)(b) — Performance of contract |
| Technical data (server logs) | Security, fraud prevention, abuse detection | Art. 6(1)(f) — Legitimate interest |
| All data categories | Compliance with legal obligations | Art. 6(1)(c) — Legal obligation |
Important: Legitimate interest (Art. 6(1)(f)) is not used as a basis for processing genetic, health, or biometric data. These special categories are processed exclusively on the basis of your explicit consent under Art. 9(2)(a).
Consent is:
- Explicit — you must affirmatively opt in before genetic, health, or wearable data is processed
- Granular — you consent to specific processing purposes, not a blanket authorization
- Separately withdrawable — you may withdraw consent for AI processing while retaining your account and data (see our Data Use Policy)
- Recorded — we store the timestamp and policy version of each consent event
5. How We Use Your Data
5.1 Service Delivery
- Creating and maintaining your account
- Parsing and storing your uploaded genetic files, blood work, and wearable data
- Generating your personalized Health Book using AI-powered analysis (see Data Use Policy)
- Delivering your Health Book as a downloadable PDF
- Processing payments through Stripe
5.2 Service Operation
- Authenticating your identity
- Enforcing upload limits and rate controls
- Monitoring system health and performance
- Detecting and preventing security threats
5.3 Communication
- Sending service-related notifications (e.g., your Health Book is ready)
- Responding to support requests
We do not use your data for:
- Advertising or marketing profiling
- Selling or renting to third parties
- Training AI models (Anthropic's API terms prohibit training on API data)
- Research (unless you separately and explicitly consent to a distinct research program, which we do not currently operate)
6. Third-Party Data Processors
We share your data with the following third-party processors. Each is bound by a Data Processing Agreement (DPA) or equivalent contractual protections.
6.1 Anthropic (Claude API) — AI Processing
- Role: Data processor for AI-powered health analysis
- Data shared: Your full health profile (name, age, sex, height, weight, ethnicity, health status, health history, family history, supplements, goals, preferences), all matched genetic variant data with genotypes, all confirmed blood biomarker values, and all wearable health metrics
- Purpose: Generating analytical reports and Health Book chapters
- Data retention: Anthropic retains API inputs and outputs for 7 days by default, then deletes them
- Training: Anthropic does not use API data to train AI models — this is guaranteed in their commercial terms
- Safety systems: Anthropic's automated safety classifiers may process data to detect policy violations; classifier results may be retained separately from your data
- DPA: Anthropic's Data Processing Addendum is automatically incorporated into their commercial API terms (no separate signing required) and includes Standard Contractual Clauses (SCCs) for EU-to-US data transfers under GDPR Article 46(2)(c)
- Infrastructure sub-processors: Anthropic operates on Amazon Web Services (AWS) and Google Cloud Platform (GCP) infrastructure
- Location: United States
- More information: Anthropic Privacy Policy
6.2 Supabase — Database and Storage
- Role: Data processor for data storage, file storage, and authentication
- Data shared: All data listed in Section 3 (stored in Supabase-hosted PostgreSQL database and file storage)
- Purpose: Persistent storage of your account, health data, uploaded files, and generated Health Books
- Data residency: Our Supabase project is deployed in the EU West (Frankfurt) region. EU region deployment (Frankfurt, Ireland, or London) is available and eliminates cross-border transfer for stored data
- DPA: Supabase's DPA requires separate signing via PandaDoc and includes SCCs plus the UK ICO International Data Transfer Addendum
- Backup retention: Supabase maintains automated database backups. After you delete your account, backup copies may persist for up to the backup retention window (typically 7 days for the Pro plan) and are used exclusively for disaster recovery
- More information: Supabase Privacy Policy
6.3 Stripe — Payment Processing
- Role: Data processor for payment transactions
- Data shared: Your email address, internal user ID, product type, and purchase amount
- Purpose: Processing one-time Health Book purchases
- Data retention: Per Stripe's data retention policies
- PCI compliance: Stripe is PCI DSS Level 1 certified. We never receive or store your card details
- More information: Stripe Privacy Policy
Sub-Processor Chain
When you use SoDNAscan, your data flows through a three-layer processing chain:
- SoDNAscan (data controller) — collects and manages your data
- Anthropic / Supabase / Stripe (data processors) — process your data on our behalf under DPA terms
- AWS / GCP (infrastructure sub-processors) — provide the cloud infrastructure on which our processors operate
Under GDPR, we remain fully liable for the data protection obligations of our processors and sub-processors. The responsibility does not transfer down the chain.
7. International Data Transfers
7.1 EU-to-US Transfers
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, some of your data is transferred to the United States for processing:
- Anthropic (Claude API): Operates in the US. Transfer is governed by Standard Contractual Clauses (SCCs) included in Anthropic's DPA, supplemented by technical measures (encryption in transit via TLS 1.2+, 7-day retention limit).
- Stripe: Operates globally including the US. Transfer is governed by SCCs in Stripe's DPA.
- Supabase: If deployed in an EU region, your stored data does not leave the EU. If deployed in a US region, transfer is governed by SCCs in Supabase's DPA plus the UK ICO International Data Transfer Addendum.
7.2 Transfer Impact Assessment
Given that genetic data is special category data under GDPR, we have conducted a Transfer Impact Assessment (TIA) evaluating the legal framework of each recipient country, supplementary measures in place, and the nature of the data transferred. The TIA is available upon request by contacting info@sodnascan.com.
8. Data Retention
| Data Category | Retention Period |
|---|---|
| Account data | Until you delete your account |
| Genetic data (raw files and parsed genotypes) | Until you delete your account |
| Blood work data | Until you delete your account |
| Wearable health data | Until you delete your account |
| Self-reported health information | Until you delete your account |
| Generated Health Books | Until you delete your account |
| Payment records | 7 years after transaction (legal/tax obligation) |
| Server logs | 90 days |
| Anthropic API data | 7 days (managed by Anthropic, then deleted) |
| Supabase database backups | Up to the backup retention window after deletion (typically 7 days), used only for disaster recovery |
When you delete your account, we cascade deletion across all data types in the following order: wearable metrics, wearable uploads, blood biomarkers, blood work uploads, generated books and chapters, analysis reports, processing jobs, purchases, SNP genotypes, genetic file uploads, and finally your user record. We also request deletion from our processors (Anthropic data expires after 7 days; Supabase and Stripe are notified of deletion).
Backup transparency: After you request deletion, automated backup copies in our infrastructure may persist for the backup retention window. These backups are encrypted, access-restricted, and used exclusively for disaster recovery — not for any other purpose. This disclosure is required under Washington's My Health My Data Act, which extends the deletion obligation to archives and backups.
9. Your Rights
9.1 Rights Under GDPR (EEA, UK, Switzerland)
If you are located in the EEA, UK, or Switzerland, you have the following rights:
- Access — request a copy of all personal data we hold about you
- Rectification — request correction of inaccurate data
- Erasure ("Right to be Forgotten") — request deletion of your data, subject to legal retention obligations
- Restriction — request that we limit processing of your data
- Portability — receive your data in a structured, machine-readable format
- Objection — object to processing based on legitimate interest (note: genetic data processing is consent-based, not legitimate-interest-based)
- Withdraw consent — withdraw consent for genetic/health data processing at any time without affecting the lawfulness of prior processing
- Lodge a complaint — file a complaint with your national data protection authority
To exercise these rights, contact info@sodnascan.com. We will respond within 30 days (extendable by 60 days for complex requests, with notice).
9.2 Rights Under CCPA/CPRA (California Residents)
If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:
- Right to Know — request disclosure of the categories and specific pieces of personal information we have collected, the sources, the business purposes, and the categories of third parties with whom we share it
- Right to Delete — request deletion of your personal information
- Right to Correct — request correction of inaccurate personal information
- Right to Limit Use of Sensitive Personal Information — direct us to limit the use of your Sensitive Personal Information (including genetic data) to purposes necessary for performing the Service
- Right to Opt Out of Sale/Sharing — we do not sell or share personal information for cross-context behavioral advertising
- Right to Non-Discrimination — we will not discriminate against you for exercising any of these rights
Categories of Sensitive Personal Information collected in the preceding 12 months:
| SPI Category | Collected | Source | Third Parties Shared With |
|---|---|---|---|
| Genetic data | Yes | User upload (23andMe, AncestryDNA files) | Anthropic (processing), Supabase (storage) |
| Health information | Yes | User upload (blood work, wearable exports) and user input (health history) | Anthropic (processing), Supabase (storage) |
We do not sell personal information. We do not share personal information for cross-context behavioral advertising. We do not use or disclose Sensitive Personal Information for purposes other than those necessary to perform the Service.
Response timeline: We will acknowledge your request within 10 business days and respond substantively within 45 calendar days (extendable by an additional 45 days with notice). We retain records of consumer requests for 24 months.
To exercise these rights, contact info@sodnascan.com with the subject line "CCPA Request."
California Genetic Information Privacy Act (GIPA): California residents may file complaints about genetic data handling with the California Attorney General's office.
9.3 Rights Under Other US State Laws
Residents of Colorado, Connecticut, Florida, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, Virginia, and Washington may have additional rights under their respective state privacy laws. Contact info@sodnascan.com to exercise your rights.
For Washington residents, see our separate Consumer Health Data Privacy Policy as required by the My Health My Data Act.
9.4 Automated Decision-Making (ADMT)
SoDNAscan uses AI to generate personalized health analysis. Under California's ADMT regulations (effective January 2026) and GDPR Article 22:
- You have the right to opt out of AI-powered analysis while retaining access to your account and uploaded data
- You may request information about the logic involved in AI processing
- AI outputs are informational and do not constitute decisions with legal or similarly significant effects
See our Data Use Policy for full details on how AI processes your data.
10. Data Security
We implement the following security measures to protect your data:
- Encryption in transit — all data transmitted between your browser, our servers, and third-party processors uses TLS 1.2 or higher
- Encryption at rest — database and file storage are encrypted at rest using AES-256
- Row-Level Security (RLS) — database access policies ensure that each user can access only their own data
- Password hashing — passwords are hashed using industry-standard algorithms; we never store plaintext passwords
- File integrity — uploaded genetic files are hashed (SHA-256) to detect tampering
- Rate limiting — upload endpoints are rate-limited (10 uploads per hour) to prevent abuse
- File size limits — genetic files (50 MB), blood work PDFs (20 MB), and wearable exports (200 MB) are size-limited
- Authentication — JWT-based authentication using the ES256 signing algorithm, with tokens verified against Supabase's JWKS endpoint
- Access control — service role keys are used only for server-side operations; client requests use scoped user tokens
Data Protection Impact Assessment (DPIA)
Processing genetic data with AI triggers three independent DPIA requirements under GDPR: (1) large-scale processing of Article 9 special category data, (2) AI-based profiling, and (3) processing that creates high risk to individuals. We have conducted a DPIA evaluating the necessity, proportionality, and risk mitigation measures for this processing. The DPIA is available upon request by contacting info@sodnascan.com.
11. Genetic Information Nondiscrimination Act (GINA)
The US Genetic Information Nondiscrimination Act (GINA) prohibits discrimination based on genetic information in health insurance and employment. However, you should be aware that:
- GINA does not cover life insurance, disability insurance, or long-term care insurance. Insurers in these categories may lawfully request or use genetic information.
- GINA protections apply only to asymptomatic individuals. Once a genetic predisposition manifests as a diagnosed condition, federal genetic privacy protections may no longer apply.
These limitations are outside SoDNAscan's control. We recommend consulting a genetic counselor or legal advisor if you have concerns about how genetic testing results may affect your insurance coverage.
12. Genetic Data and Family Implications
Genetic data is unique in that it reveals information not only about you, but about your biological relatives who have not consented to testing or analysis. A DNA file may contain information about inherited conditions, carrier status, and familial predispositions that extend to parents, siblings, children, and more distant relatives.
By uploading genetic data to SoDNAscan, you acknowledge this inherent characteristic of genetic information. We encourage you to consider the implications for your family members before sharing your Health Book results.
13. Breach Notification
In the event of a data breach affecting your personal data:
- EU/EEA residents: We will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you without undue delay. Breaches involving genetic data are presumed to be high-risk.
- California residents: We will notify affected individuals within 30 calendar days. For breaches involving genetic data, we will notify the California Department of Public Health within 15 business days and the California Attorney General if 500+ residents are affected, as required by SB 446.
- Washington residents: We will notify affected individuals within 30 days as required by MHMDA.
- All users: We will describe the nature of the breach, the data involved, the measures taken, and the steps you can take to protect yourself.
Genetic data breaches are uniquely harmful because DNA cannot be changed like a password or credit card number. A breach creates permanent exposure that may also affect your biological relatives.
14. Children's Data
SoDNAscan is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you are under 18, do not create an account or upload any data. If we learn that we have collected data from a child under 18, we will delete it promptly. If you believe a child has provided us with personal data, please contact info@sodnascan.com.
15. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes:
- We will update the "Last Updated" date at the top
- We will notify you by email at the address associated with your account
- We will provide a summary of the changes
- Continued use of the Service after notification constitutes acceptance of the updated policy
- If a change materially affects the processing of your genetic or health data, we will request renewed consent
16. Contact Us
For questions about this Privacy Policy, to exercise your data rights, or to request our DPIA or Transfer Impact Assessment:
- Email: info@sodnascan.com
EU residents: You have the right to lodge a complaint with your national data protection supervisory authority. A list of authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en.
European Commission Online Dispute Resolution: https://ec.europa.eu/odr