Last updated: May 2025
GeneAI Ltd is committed to protecting your privacy, especially when processing sensitive genetic and health data. This policy explains what we collect, why, how we protect it, and your rights under UK GDPR.
1. Who We Are
Data Controller: GeneAI Ltd, registered in England and Wales. We are responsible for deciding how and why your personal data is processed.
Data Protection Officer (DPO): You can contact our DPO directly at dpo@geneai.com for any data protection concerns, subject access requests, or questions about this policy.
Data Processor — Infrastructure: Supabase Inc processes data on our behalf as our primary infrastructure provider. Supabase acts strictly under our documented instructions and under the terms of a signed Data Processing Agreement incorporating EU/UK Standard Contractual Clauses.
2. What Data We Collect
Personal Information
Full name, email address, date of birth, nationality, phone number, and country of residence. Collected at registration and updated as you maintain your account.
Health Data (Special Category)
Medical history relevant to genomic analysis, current medications, known genetic conditions, and family history of genetic conditions. This is Special Category data under Article 9 UK GDPR and processed only with your explicit consent.
Genetic Data (Special Category)
Genomic analysis results produced by our partner UK laboratories. This is the most sensitive category of personal data we process. Genetic data is processed as Special Category data under Article 9 UK GDPR, requires your explicit consent, and is subject to enhanced security and access controls.
Technical Data
IP address, browser type and version, device type and operating system, and session identifiers. Collected automatically to ensure platform security and diagnose technical issues.
Usage Data
Platform interaction records, page views, feature usage, consent records (including timestamps and consent version), and audit logs. Consent records are retained permanently as an immutable audit trail.
3. Legal Basis for Processing
- Genetic and health data: Explicit consent under Article 9(2)(a) UK GDPR. You provide this separately for each processing scope and may withdraw at any time.
- Coordination services: Performance of a contract under Article 6(1)(b) UK GDPR. We cannot deliver genomic coordination services without processing your data.
- Platform security and fraud prevention: Legitimate interests under Article 6(1)(f) UK GDPR. We have assessed that these interests do not override your rights and freedoms.
- Legal compliance: Legal obligation under Article 6(1)(c) UK GDPR for retention obligations, regulatory reporting, and clinical governance requirements.
4. Purposes of Processing
- Delivering genomic coordination services: managing your case from sample collection through to report delivery.
- AI-assisted genomic interpretation: generating informational reports from laboratory results using our AI platform.
- Report generation and delivery: compiling and securely transmitting your genomic report.
- Logistics coordination: arranging anonymised sample collection and transport to UK laboratories.
- Partner assignment: matching your case to an appropriate UK analysis laboratory using anonymised case codes only.
- Regulatory compliance: maintaining records required by clinical governance obligations and applicable law.
- Improving service quality: with your separate consent, using anonymised interaction data to improve platform features.
5. Data Recipients
UK Analysis Laboratories
Receive anonymised sample codes and collection instructions only. They never receive your name, contact details, or any other personally identifiable information.
GCC Collection Laboratories
Receive anonymised collection instructions and booking references only. They do not know which UK laboratory will process the sample.
Logistics Providers
Receive anonymised shipment codes only. No patient-identifiable information is shared with logistics partners.
Supabase Inc (Infrastructure Processor)
Our primary infrastructure provider processes data under a signed DPA incorporating EU/UK Standard Contractual Clauses. Supabase acts only on our documented instructions.
Resend Inc (Email Delivery)
Processes email addresses and message content solely for delivery of platform notifications. Subject to an EU data processing agreement.
Anthropic PBC (AI Processing)
Processes anonymised genomic data for AI-assisted interpretation. No personally identifiable information is ever transmitted to Anthropic. Data is processed under a data processing agreement with appropriate safeguards.
6. International Data Transfers
GeneAI's core service involves transferring data between GCC countries and the United Kingdom. All such transfers rely on the UK's international transfer mechanisms, including:
- UK adequacy regulations for countries with equivalent data protection standards.
- International Data Transfer Agreements (IDTAs) or Standard Contractual Clauses (SCCs) for transfers to countries without an adequacy decision.
We do not transfer data to any jurisdiction without ensuring appropriate safeguards are in place. If you have questions about specific transfer mechanisms, please contact our DPO.
7. Data Retention
| Data Category | Retention Period | Reason |
|---|---|---|
| Case data | 7 years post-closure | Clinical governance requirements |
| Consent records | Permanently retained | Immutable audit log obligation |
| Account data | Until deletion request; minimum 3 years post last activity | Contract and regulatory obligation |
| Genetic analysis results | 10 years | Medical record obligations |
| Technical/security logs | 12 months | Security and fraud prevention |
8. Your Rights Under UK GDPR
Right of Access (Subject Access Request)
You may request a copy of all personal data we hold about you. We will respond within 30 days. Identity verification is required before we release any data.
Right to Rectification
You may ask us to correct inaccurate personal data or complete incomplete data without undue delay.
Right to Erasure ("Right to be Forgotten")
You may request deletion of your personal data. Note that legal retention obligations (such as clinical governance requirements) may mean some data cannot be immediately deleted.
Right to Restriction of Processing
You may ask us to restrict how we use your data while a complaint is investigated or accuracy is verified.
Right to Data Portability
You may request your personal data in a structured, commonly used, machine-readable format (JSON or CSV), and have it transferred to another controller where technically feasible.
Right to Object
You may object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your rights.
Right to Withdraw Consent
Where processing is based on consent, you may withdraw consent at any time without penalty. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
Right Not to Be Subject to Automated Decision-Making
No decisions with significant legal or similar effects are made based solely on automated processing of your data. All GeneAI reports require human review before delivery.
9. Genetic Data Specific Rights
Genetic data carries unique privacy considerations because it is inherently identifying and affects not only you but also biological relatives. GeneAI applies enhanced protections beyond the standard UK GDPR baseline:
- Enhanced consent: Each use of your genetic data requires a separate, informed, explicit consent. You will never be asked for blanket consent to open-ended uses.
- Access log: You have the right to know who has accessed your genetic data. You may request a full access log at any time via privacy@geneai.com.
- Research consent withdrawal: You may withdraw consent for research use of your anonymised genetic data at any time with no adverse consequences.
- Limitation on withdrawal: Withdrawal of consent cannot retroactively undo completed genomic analysis. Once a laboratory has performed analysis, those results exist. However, we will cease all further processing immediately upon withdrawal and will not share results with any third party after that point.
10. How to Exercise Your Rights
To exercise any of the rights described in this policy, please contact us at privacy@geneai.com.
We will acknowledge your request within 5 working days and respond in full within 30 days. For complex requests, we may extend this by a further 60 days, in which case we will notify you with reasons.
We are required to verify your identity before acting on any request. This protects your data from being disclosed to, or altered by, an unauthorised person. We will ask for appropriate identifying information — we will not ask for more than is necessary to verify your identity.
11. Complaints
If you are unhappy with how we have handled your personal data, please contact us first so we have an opportunity to resolve the issue. We take all complaints seriously and will respond within 30 days.
You also have the right to lodge a complaint directly with the UK Information Commissioner's Office (ICO), the supervisory authority for data protection in the UK:
12. Cookies
We use cookies to operate the platform and, with your consent, to understand how it is used. For full details of the cookies we use, their purposes, and how to manage your preferences, please see our Cookie Policy.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes — changes that affect your rights, introduce new data uses, or change how we protect your data — we will notify you by email at least 14 days before the changes take effect.
The date at the top of this policy indicates when it was last updated. Continued use of the GeneAI platform after the effective date of any change constitutes your acceptance of the revised policy. If you do not accept the changes, you may close your account before the changes take effect.
GeneAI Ltd — Registered in England and Wales — dpo@geneai.com
