Privacy Policy
Last updated: February 13, 2026
Who we are
GeneOps is operated by Premium Media OÜ, registered in Estonia. For privacy inquiries, contact us at ops@geneops.ai.
What data we collect
Account data
Your email address and optional display name. No passwords — we use magic link authentication.
Genetic data Special category
If you upload a genome file, we process it to identify specific genetic variants relevant to health. Your raw genome file (containing hundreds of thousands of data points) is classified as special category data under GDPR Article 9 — the most sensitive classification. We match your data against approximately 213 health-relevant variants in our database.
Health profiles
Computed summaries and recommendations based on your matched genotypes, organized by health category.
Payment data
If you pay, we store a Stripe customer ID and payment timestamp. We never see or store your card number — that is handled entirely by Stripe.
Session cookie
A single encrypted cookie to keep you logged in. No analytics, no advertising, no third-party tracking cookies.
How we use your data
| Purpose | Data | Legal basis |
|---|---|---|
| Personalized genetic insights | Genetic data, health profiles | Explicit consent (Art. 9(2)(a)) |
| Account management | Email, display name | Contract (Art. 6(1)(b)) |
| Login links | Contract (Art. 6(1)(b)) | |
| Payment processing | Stripe customer ID | Contract (Art. 6(1)(b)) |
| Partner offspring analysis | Both partners' genotypes | Explicit consent from both |
Your genetic data
- We never sell, rent, or share your genetic data with any third party.
- Your genome data is processed and stored entirely on our own servers in the EU. It is never transmitted to external services.
- You can delete all your genetic data at any time from your account page. Deletion is immediate and permanent.
- We never store your raw genome file. It is processed to extract relevant variants and immediately deleted. Only your matched genotypes (~213 variants) are retained.
- You can export all your data in machine-readable format (JSON/CSV) at any time.
Who we share data with
We use two external services. Neither has access to your genetic data.
| Service | Data shared | Purpose | Safeguard |
|---|---|---|---|
| Stripe | Email, payment info | Payment processing | EU-US Data Privacy Framework |
| SendGrid (Twilio) | Email address | Email delivery | EU-US Data Privacy Framework |
International transfers
Your genetic data is processed and stored exclusively within the EU. Your email address is transmitted to SendGrid (US) for email delivery and to Stripe (US) for payment processing, both protected by the EU-US Data Privacy Framework. No genetic data leaves the EU.
How long we keep your data
| Data | Retention |
|---|---|
| Raw genome file | Never stored — processed and immediately deleted |
| Matched genotypes & health profiles | Until you delete your data or your account |
| Account data | Until you delete your account |
| Magic link tokens | Expire automatically after 15 minutes |
| Payment records | 7 years (Estonian accounting obligations) |
Your rights
Under GDPR, you have the following rights. We aim to respond within 30 days.
Access
View all your stored data on your account page.
Portability
Download all your data in JSON and CSV format from your account page.
Erasure
Delete your genetic data or your entire account at any time. Deletion is immediate and permanent.
Rectification
Upload a new genome file to replace your previous results.
Restriction
Request that we stop processing while a concern is resolved.
Complaint
File a complaint with the Estonian Data Protection Inspectorate (aki.ee).
Security measures
- • All data transmitted over HTTPS (TLS encryption in transit)
- • No passwords to breach — magic link authentication only
- • Server access restricted to SSH key authentication
- • No third-party analytics or tracking
- • Servers located in the EU
Cookies
We use a single strictly necessary session cookie to keep you logged in. It is encrypted and transmitted only over HTTPS. We do not use analytics cookies, advertising cookies, or any third-party tracking. No cookie consent banner is needed because we only use strictly necessary cookies (exempt under the ePrivacy Directive).
Children
We do not knowingly collect data from persons under 16 years of age.
Changes to this policy
We update the date at the top when this policy changes. Material changes to how we process genetic data will be communicated directly to affected users.
Contact
- Privacy contact
- ops@geneops.ai
- Supervisory authority
- Andmekaitse Inspektsioon — aki.ee