Privacy Policy

Last updated: March 9, 2026

1. Introduction

This Privacy Policy describes how LifeGenix collects, uses, stores, shares, and protects your personal information and genetic data.

LifeGenix is committed to protecting your privacy and operates in compliance with:

  • LGPD - General Data Protection Law (Brazil)
  • GDPR - General Data Protection Regulation (European Union)
  • HIPAA - Health Insurance Portability and Accountability Act (USA)
  • International privacy best practices

2. Data Collected

We collect the following categories of data:

2.1. ACCOUNT DATA:

  • Name, email, password (hashed with bcrypt)
  • Date of birth, biological sex
  • Language preferences

2.2. GENETIC DATA (SENSITIVE):

  • Raw DNA files (23andMe, Ancestry, Genera, etc.)
  • Extracted SNPs (Single Nucleotide Polymorphisms)
  • Haplogroups and ancestry

2.3. CLINICAL DATA (OPTIONAL):

  • Blood tests and laboratory results
  • Bioimpedance and body composition
  • Current medications
  • Anamnesis and medical history

2.4. USAGE DATA:

  • Access and navigation logs
  • AI chat interactions
  • Generated reports

2.5. PAYMENT DATA:

  • Processed by Stripe (we do NOT store card numbers)

3. Third-Party AI Processing

IMPORTANT NOTICE:

Your genetic data is processed by external Artificial Intelligence providers to generate personalized analyses.

3.1. PROVIDERS AND POLICIES:

GROK (xAI - USA):

  • Retention: 30 days for API
  • Training: Does NOT use API data to train models
  • Certifications: SOC 2 Type 2, GDPR, CCPA
  • Policy: xAI Privacy Policy

DEEPSEEK (China):

  • Retention: Until account deletion or for 'legitimate interests'
  • Training: MAY use prompts to improve models
  • Storage: Servers in China
  • WARNING: Subject to China's National Intelligence Law
  • Policy: DeepSeek Privacy

CLAUDE (Anthropic - USA):

  • API Retention: 7-30 days
  • Training: Does NOT use API data to train
  • Zero-Data-Retention option available for enterprise
  • Policy: Anthropic Privacy

GEMINI (Google - USA):

  • Paid API Retention: 30 days for monitoring
  • Training: NOT for paid services
  • Certifications: ISO 42001, SOC 2, HIPAA eligible
  • Policy: Google AI Terms

OPENAI (USA):

  • API Retention: 30 days
  • Training: NOT by default for API
  • Zero-Data-Retention available
  • Policy: OpenAI Privacy

QWEN (Alibaba - China):

  • Storage: China (subject to PIPL)
  • No GDPR representative in EU
  • Recommended: on-premise deployment for sensitive data
  • Policy: Alibaba Trust Center

4. International Data Transfers

Your genetic data is transferred to servers in multiple countries:

UNITED STATES

  • AWS (primary storage)
  • xAI (Grok), Anthropic (Claude), OpenAI, Google (Gemini)
  • Protection: Standard Contractual Clauses (SCCs)

CHINA

  • DeepSeek, Alibaba (Qwen)
  • WARNING: China does not have data protection adequacy recognized by the EU or Brazil
  • Data may be accessed by Chinese authorities under local laws

EUROPEAN UNION

  • Mistral (France)
  • Protection: GDPR fully applicable

LEGAL BASIS FOR TRANSFERS

  • Explicit user consent (Art. 33 LGPD)
  • Necessity for contract execution
  • Standard contractual clauses when available

5. Genetic Data Privacy

SPECIAL NOTICE ABOUT GENETIC DATA:

Genetic data has unique characteristics that require special attention:

5.1. UNIQUE IDENTIFICATION:

  • Genetic data is BIOMETRIC and can uniquely identify you
  • 30-80 SNPs are sufficient for re-identification
  • DNA cannot be 'anonymized' in the traditional sense

5.2. IMMUTABILITY:

  • Your DNA does not change throughout your life
  • Genetic data breaches have permanent impact

5.3. FAMILY IMPACT:

  • Your data reveals information about biological relatives
  • Consider implications for family members when sharing data

5.4. DISCRIMINATION RISKS:

  • Employers, insurers, or others could theoretically use genetic data for discrimination
  • In Brazil, Law 9,029/1995 prohibits requiring genetic tests for employment
  • In the USA, GINA protects against genetic discrimination in employment and health insurance

6. Data Use

We use your data for:

PRIMARY PURPOSES

  • Generate personalized genetic reports
  • Provide ancestry analysis
  • Operate the genetic AI chat
  • DNA comparisons (only with consent)
  • Improve our internal algorithms

SECONDARY PURPOSES (with consent):

  • Communications about new features
  • Aggregated and anonymized scientific research

WE DO NOT USE FOR

  • Selling data to third parties
  • Targeted advertising
  • Sharing with insurers or employers
  • Automated decisions with legal effects

7. Data Sharing

We NEVER SELL your genetic data.

We share information only with:

7.1. ESSENTIAL SERVICE PROVIDERS:

  • AWS (cloud storage)
  • Stripe (payment processing)
  • AI providers (as per section 3)

7.2. LEGAL OBLIGATIONS:

  • When required by court order
  • To comply with regulatory obligations
  • To protect LifeGenix or user rights

7.3. DNA COMPARISONS:

  • Only with explicit consent from both parties
  • Shared data is limited to what is necessary

7.4. SCIENTIFIC RESEARCH:

  • Only aggregated and anonymized data
  • Only with additional specific consent

8. Your Rights (LGPD + GDPR)

You have the following rights over your data:

ACCESS:

Request a copy of all data we have about you

CORRECTION:

Correct incorrect or incomplete data

DELETION:

Request complete deletion of your data

PORTABILITY:

Export your data in structured format

OBJECTION:

Object to certain processing activities

RESTRICTION:

Limit processing in certain situations

REVOCATION:

Withdraw consents at any time

RESPONSE TIMES

  • LGPD: 15 days (extendable)
  • GDPR: 30 days (extendable)

CONTACT TO EXERCISE RIGHTS

[email protected]

9. Data Retention

We retain your data for the following periods:

ACCOUNT DATA

  • While the account is active
  • Up to 30 days after deletion request

GENETIC DATA

  • While the account is active
  • Deleted within 30 days of request
  • Backups eliminated within 90 days

AI CONVERSATIONS

  • History maintained for 12 months
  • Can be deleted at any time by the user

SYSTEM LOGS

  • 12 months for security purposes
  • Anonymized after this period

TAX DATA

  • 5 years (Brazilian legal obligation)

10. Cookies

We use only essential cookies:

COOKIES USED

  • Session authentication (NextAuth)
  • Language preferences
  • CSRF token (security)

WE DO NOT USE

  • Tracking cookies
  • Advertising cookies
  • Third-party cookies for behavioral analytics

You can disable cookies in your browser settings, but this may affect platform functionality.

11. Security Measures

We implement multiple layers of security:

ENCRYPTION

  • AES-256 for data at rest
  • TLS 1.3 for data in transit
  • Passwords with bcrypt + salt

INFRASTRUCTURE

  • AWS with SOC 2, ISO 27001 certifications
  • Web Application Firewall (WAF)
  • Intrusion detection

ACCESS CONTROL

  • Multi-factor authentication for team
  • Principle of least privilege
  • Immutable audit logs

For more details, see our Security page.

12. Children's Data

The platform is not intended for persons under 18 years of age.

For genetic analysis of minors:

  • Requires consent from legal guardian
  • Guardian must create the account and accept the terms
  • Minor must be informed in an age-appropriate manner

If we become aware of data from minors collected without proper consent, we will proceed with immediate deletion.

13. Contact and DPO

For privacy questions:

DATA PROTECTION OFFICER (DPO):

Email: [email protected]

Response time: up to 15 business days

GENERAL CONTACT

Email: [email protected]

SECURITY

Email: [email protected]

ADDRESS

Av. Copacabana, 112

Barueri, SP - Brazil

EU REPRESENTATIVE (GDPR Art. 27):

To be designated
