Privacy Policy

Version 1.0 Effective Date: January 1, 2025 Last Updated: January 1, 2025

1. Introduction

Welcome to Ask My DNA ("we," "our," "us"). We are operated by Wundekind S.R.O., a company registered in the Czech Republic.

Company Details:

• Name: Wundekind S.R.O.
• Registration Number: [Company Registration Number]
• Address: Roháčova 145/14, Žižkov, 130 00 Praha 3, Czech Republic
• Email: privacy@askmydna.com
• Website: https://askmydna.com

Ask My DNA provides an AI-powered platform for analyzing and interpreting genetic data for educational and wellness purposes. We are committed to protecting your privacy and handling your personal data, including sensitive genetic information, with the highest standards of security and compliance.

This Privacy Policy explains how we collect, use, store, and protect your personal information in accordance with:

• EU General Data Protection Regulation (GDPR)
• California Consumer Privacy Act (CCPA)
• Other applicable data protection laws

2. Data Controller

Wundekind S.R.O. acts as the Data Controller for all personal data processed through Ask My DNA services. As a Czech company, we operate under EU data protection laws and ensure GDPR compliance for all users worldwide.

For questions about this Privacy Policy or data protection matters, please contact:

• Email: privacy@askmydna.com
• Address: Roháčova 145/14, Žižkov, 130 00 Praha 3, Czech Republic

3. Information We Collect

3.1 Account Information

• Email address
• Name (optional)
• Language preference
• Password (stored in hashed format)
• Account creation and last login timestamps

3.2 Genetic Data (Special Category Data)

When you choose to upload your genetic data:

• Raw genetic data files (from 23andMe, AncestryDNA, MyHeritage, WGS/WES, VCF format)
• Processed genetic variants indexed for analysis
• Genetic analysis results and interpretations

Important: Genetic data is classified as a special category of personal data under GDPR Article 9 and receives enhanced protection.

3.3 Usage Information

• Chat conversations with our AI assistant
• Questions asked and topics of interest
• Search queries within the platform
• Feature usage patterns
• Session duration and frequency

3.4 Technical Information

• IP address (anonymized after 30 days)
• Browser type and version
• Device type and operating system
• Referring URLs
• Pages visited and time spent
• Error logs and diagnostics

3.5 Communications

• Email correspondence with our support team
• Survey responses and feedback
• Marketing preferences

3.6 Payment Information

When you subscribe to paid services:

• Payment method (processed by third-party payment processors)
• Billing address
• Transaction history

Note: We do not store complete credit card numbers. Payment processing is handled by PCI-DSS compliant third-party processors.

4. Legal Basis for Processing

We process your personal data under the following legal bases (GDPR Article 6 and Article 9):

4.1 Consent (Article 6(1)(a) and Article 9(2)(a))

• Processing genetic data for analysis and interpretation
• Sending marketing communications
• Optional features and research participation

You may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

4.2 Contract Performance (Article 6(1)(b))

• Creating and managing your account
• Providing AI analysis services
• Processing payments
• Delivering customer support

4.3 Legitimate Interests (Article 6(1)(f))

• Improving our services
• Security and fraud prevention
• Analytics and performance monitoring
• Internal research and development

4.4 Legal Obligations (Article 6(1)(c))

• Compliance with tax and accounting requirements
• Responding to law enforcement requests
• Compliance with court orders

5. How We Use Your Information

5.1 Service Delivery

• Analyze genetic data and provide personalized insights
• Generate AI-powered responses to your health and wellness questions
• Create reports and visualizations of your genetic information
• Maintain your account and manage your subscription

5.2 Communication

• Send service notifications about your account and analysis results
• Provide customer support and respond to inquiries
• Send educational content and product updates (with your consent)
• Conduct surveys to improve our services

5.3 Platform Improvement

• Analyze usage patterns to enhance features and functionality
• Conduct research on AI model performance and accuracy
• Develop new features based on user needs
• Perform quality assurance and bug fixes

5.4 Security and Compliance

• Detect and prevent fraud and unauthorized access
• Monitor platform security and identify vulnerabilities
• Comply with legal obligations and regulatory requirements
• Enforce our Terms of Service

6. Data Sharing and Disclosure

We DO NOT sell, rent, or trade your personal data, especially genetic information, to third parties for their marketing purposes.

6.1 Service Providers

We share data with trusted third-party service providers who process data on our behalf:

Cloud Infrastructure:

• Provider: AWS (Amazon Web Services)
• Location: United States (with EU-U.S. Data Privacy Framework compliance)
• Purpose: Data storage, hosting, and computing services
• Safeguards: Standard Contractual Clauses, encryption, access controls

AI Services:

• Provider: Anthropic (Claude API)
• Purpose: AI-powered genetic data interpretation
• Data Shared: De-identified genetic variants and user questions
• Safeguards: API agreements, data minimization, encryption

Payment Processing:

• Provider: Stripe
• Purpose: Payment processing and subscription management
• Data Shared: Billing information (not stored by us)
• Safeguards: PCI-DSS compliance

Email Services:

• Provider: [Email Service Provider]
• Purpose: Sending transactional and marketing emails
• Data Shared: Email address, name, preferences
• Safeguards: Data processing agreements, encryption

Analytics:

• Provider: Minimal analytics tools
• Purpose: Understanding platform usage
• Data Shared: Anonymized usage statistics
• Safeguards: Data minimization, IP anonymization

6.2 Legal Requirements

We may disclose your information when required by law:

• In response to lawful court orders or subpoenas
• To protect our rights, property, or safety
• To investigate fraud or security issues
• To comply with regulatory investigations

We will notify you of such requests unless prohibited by law.

6.3 Business Transfers

In the event of a merger, acquisition, or sale of assets:

• We will provide notice before your data is transferred
• The successor entity will be bound by this Privacy Policy
• You will have the opportunity to delete your data before transfer

6.4 Aggregate Information

We may share anonymized, aggregated data that cannot identify you:

• Statistical reports about genetic variant frequencies
• Platform usage trends
• Research findings (with all identifiers removed)

7. International Data Transfers

Important Notice: While Wundekind S.R.O. is based in the Czech Republic (EU), we store data on servers located in the United States.

7.1 Transfer Safeguards

We ensure adequate protection for EU-to-US data transfers through:

EU-U.S. Data Privacy Framework:

• Our U.S. service providers are certified under the EU-U.S. Data Privacy Framework
• This provides an adequate level of protection recognized by the European Commission

Standard Contractual Clauses (SCCs):

• We have executed Standard Contractual Clauses approved by the European Commission
• These contracts ensure your data receives GDPR-level protection in the U.S.

Additional Technical Safeguards:

• End-to-end encryption for data in transit
• Encryption at rest for all stored data
• Access controls and authentication
• Regular security audits

Supplementary Measures:

• Data minimization practices
• Pseudonymization where feasible
• Strict access controls and monitoring
• Regular privacy impact assessments

7.2 Your Rights Regarding Transfers

You have the right to:

• Request information about the safeguards for your data transfers
• Object to data transfers in certain circumstances
• Obtain a copy of the Standard Contractual Clauses

Contact privacy@askmydna.com for more information about our data transfer safeguards.

8. Data Security

We implement comprehensive security measures to protect your data, especially genetic information:

8.1 Technical Security

• Encryption: AES-256 encryption at rest, TLS 1.3 for data in transit
• Access Controls: Role-based access control (RBAC), multi-factor authentication
• Network Security: Firewalls, intrusion detection systems, DDoS protection
• Secure Development: Code reviews, security testing, vulnerability scanning

8.2 Organizational Security

• Employee Training: Regular security and privacy training
• Access Limitation: Strict need-to-know access policies
• Background Checks: Screening of personnel with data access
• Incident Response: Documented procedures for data breaches

8.3 Data Storage

• Genetic Data: Stored separately from account data with additional encryption
• Backups: Encrypted backups with 90-day retention, then secure deletion
• Data Separation: Logical and physical separation of customer data

8.4 Monitoring and Auditing

• 24/7 Monitoring: Continuous security monitoring and alerts
• Regular Audits: Annual third-party security audits
• Penetration Testing: Regular testing of security controls
• Compliance Reviews: Ongoing GDPR and security compliance assessments

Despite our efforts, no system is 100% secure. In the event of a data breach, we will notify affected users and relevant authorities as required by law within 72 hours of discovering the breach.

9. Data Retention

We retain your data only as long as necessary for the purposes outlined in this policy:

9.1 Retention Periods

Account Data:

• Retained while your account is active
• Deleted within 30 days of account deletion request

Genetic Data:

• Retained while your account is active or as long as you choose
• You may delete genetic data at any time
• Permanently deleted within 30 days of deletion request
• Backups purged within 90 days

Chat History:

• Retained for service improvement and reference
• Automatically anonymized after 1 year
• Deleted upon account deletion

Payment Records:

• Retained for 7 years for tax and accounting purposes
• Required by law in the Czech Republic

Technical Logs:

• IP addresses anonymized after 30 days
• Error logs retained for 90 days
• Anonymized analytics retained indefinitely

9.2 Deletion Process

When you request data deletion:

1. We immediately mark your data for deletion
2. Data is removed from active systems within 30 days
3. Backup copies are overwritten within 90 days
4. You receive confirmation when deletion is complete

10. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights:

10.1 Right of Access (Article 15)

Request a copy of your personal data we hold, including:

• Categories of data processed
• Purposes of processing
• Recipients of your data
• Retention periods
• Source of data (if not collected from you)

10.2 Right to Rectification (Article 16)

Correct inaccurate or incomplete personal data.

10.3 Right to Erasure / "Right to be Forgotten" (Article 17)

Request deletion of your data when:

• Data is no longer necessary for its original purpose
• You withdraw consent
• You object to processing
• Data was unlawfully processed

Exceptions: We may retain data when required by law or for legal claims.

10.4 Right to Restriction of Processing (Article 18)

Request that we limit processing of your data when:

• You contest the accuracy of the data
• Processing is unlawful but you don't want data deleted
• We no longer need the data but you need it for legal claims
• You've objected to processing pending verification

10.5 Right to Data Portability (Article 20)

Receive your data in a structured, machine-readable format and transmit it to another controller.

10.6 Right to Object (Article 21)

Object to processing based on legitimate interests or for direct marketing purposes.

10.7 Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects.

Note: Our AI analysis is always subject to your control and interpretation. We provide information, not medical diagnoses or legal decisions.

10.8 Right to Withdraw Consent (Article 7(3))

Withdraw consent at any time for processing based on consent, without affecting prior lawful processing.

10.9 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority:

Czech Supervisory Authority:

• Úřad pro ochranu osobních údajů (ÚOOÚ)
• Address: Pplk. Sochora 27, 170 00 Prague 7, Czech Republic
• Website: https://www.uoou.cz
• Email: posta@uoou.cz

Your Local Supervisory Authority: You may also contact the supervisory authority in your EU country of residence.

10.10 Exercising Your Rights

To exercise any of these rights:

• Email: privacy@askmydna.com
• Subject Line: "GDPR Rights Request - [Your Right]"
• Include: Your name, email, and account details for verification

Response Time: We will respond within 1 month (extendable by 2 months for complex requests). Cost: Free of charge unless requests are manifestly unfounded or excessive.

11. Rights Under CCPA (California Residents)

If you are a California resident, you have additional rights under the California Consumer Privacy Act:

11.1 Right to Know

Request information about the categories and specific pieces of personal information we've collected about you in the past 12 months.

11.2 Right to Delete

Request deletion of your personal information, subject to certain exceptions.

11.3 Right to Opt-Out

Opt-out of the "sale" of your personal information. Note: We do not sell personal information.

11.4 Right to Non-Discrimination

We will not discriminate against you for exercising your CCPA rights.

11.5 Authorized Agents

You may designate an authorized agent to make requests on your behalf.

To exercise CCPA rights: Contact privacy@askmydna.com with "CCPA Request" in the subject line.

12. Children's Privacy

Ask My DNA is not intended for individuals under the age of 18. We do not knowingly collect genetic data or personal information from children.

If you believe a child under 18 has provided us with personal data:

• Contact us immediately at privacy@askmydna.com
• We will delete the data within 30 days
• We will notify the child's parent or guardian if possible

Parental Consent: If you are a parent and wish to use our service for a child's genetic analysis, please contact us to discuss appropriate consent mechanisms.

13. Cookies and Tracking Technologies

We use minimal cookies and tracking technologies:

13.1 Essential Cookies

• Session cookies: Keep you logged in
• Security cookies: Prevent fraud and protect your account
• Preference cookies: Remember your language and settings

13.2 Analytics Cookies

• Usage analytics: Understand how users interact with our platform
• Performance monitoring: Identify and fix technical issues

Note: We use privacy-focused analytics with IP anonymization.

13.3 Your Cookie Choices

• Browser Settings: Most browsers allow you to refuse cookies
• Cookie Banner: You can manage preferences through our cookie banner
• Essential Cookies: Cannot be disabled as they're necessary for service operation

14. Third-Party Links

Our platform may contain links to third-party websites:

• We are not responsible for their privacy practices
• We encourage you to read their privacy policies
• This Privacy Policy only applies to Ask My DNA

15. Updates to This Privacy Policy

We may update this Privacy Policy to reflect:

• Changes in our practices
• Legal or regulatory requirements
• New features or services

When We Update:

• We will update the "Last Updated" date
• Material changes will be notified via email or platform notice
• Continued use after changes constitutes acceptance
• For significant changes requiring new consent, we will obtain your explicit agreement

Version History: Previous versions are available upon request at privacy@askmydna.com.

16. Contact Us

Data Protection Officer: Email: dpo@askmydna.com

General Privacy Inquiries: Email: privacy@askmydna.com

Mailing Address: Wundekind S.R.O. Attention: Privacy Team Roháčova 145/14, Žižkov 130 00 Praha 3 Czech Republic

Response Time: We aim to respond to all inquiries within 5 business days.

17. Special Notes on Genetic Data

17.1 Sensitivity of Genetic Information

Genetic data reveals information not only about you but potentially about your biological relatives. We treat this data with extreme care and never share it without your explicit consent.

17.2 Research and De-identification

If you consent to participate in research:

• Your genetic data will be de-identified (all direct identifiers removed)
• Data may be aggregated with others for statistical analysis
• You may withdraw research consent at any time
• Published research will never identify you personally

17.3 Discrimination Protections

We support genetic non-discrimination laws. Your genetic information:

• Will never be shared with employers or insurance companies without your consent
• Will never be sold to third parties
• Is protected by enhanced security measures

17.4 Interpretation Limitations

Important: Our AI analysis provides educational information, not medical advice:

• Results should not be used for medical diagnosis
• Always consult healthcare professionals for medical decisions
• Genetic predisposition does not guarantee disease development
• Results may be affected by limitations in scientific knowledge

By using Ask My DNA, you acknowledge that you have read, understood, and agree to this Privacy Policy.

Last Updated: January 1, 2025 Version 1.0