Regulatory Compliance

Last updated: March 9, 2026

1. Our Commitment to Data Protection

LifeGenix is committed to full compliance with global data protection regulations. We recognize that genetic data is among the most sensitive personal information and requires the highest level of protection.

This page details our compliance with multiple regulatory frameworks and your rights under each jurisdiction.

2. Applicable Regulatory Frameworks

We operate in compliance with the following regulations:

LGPD - Lei Geral de Proteção de Dados (Brazil)

  • Law No. 13,709/2018
  • Effective since September 2020
  • Applies to all processing of Brazilian citizens' data

GDPR - General Data Protection Regulation (EU)

  • Regulation 2016/679
  • Applies to EU residents regardless of data location
  • Gold standard for data protection worldwide

HIPAA - Health Insurance Portability and Accountability Act (USA)

  • Applies to Protected Health Information (PHI)
  • Relevant for health-related genetic data
  • We implement HIPAA-aligned security controls

ePrivacy Directive (EU)

  • Directive 2002/58/EC
  • Governs electronic communications privacy

PIPL - Personal Information Protection Law (China)

  • Relevant for data processed in China
  • We disclose China-based AI providers clearly

CCPA/CPRA - California Consumer Privacy Act (USA)

  • Applies to California residents
  • Enhanced consumer privacy rights

3. Legal Basis for Processing

We process your genetic data based on:

CONSENT (Art. 7, I LGPD / Art. 6(1)(a) GDPR):

  • Primary basis for sensitive genetic data
  • Obtained in a specific, informed, and unambiguous manner
  • Can be revoked at any time

CONTRACT EXECUTION (Art. 7, V LGPD / Art. 6(1)(b) GDPR):

  • Necessary for provision of contracted services

LEGAL OBLIGATION (Art. 7, II LGPD / Art. 6(1)(c) GDPR):

  • Tax data retention
  • Compliance with court orders

LEGITIMATE INTERESTS (Art. 7, IX LGPD / Art. 6(1)(f) GDPR):

  • Platform security
  • Fraud prevention

4. Sensitive Data Processing

Genetic data is classified as SENSITIVE DATA under:

  • Art. 5, II and Art. 11 of LGPD
  • Art. 9 of GDPR ('special categories of data')
  • HIPAA (as Protected Health Information)

4.1. ENHANCED PROTECTION:

  • Specific and highlighted consent
  • AES-256 encryption
  • Restricted access control
  • Audit logs for all access

4.2. AI PROCESSING:

Processing of genetic data by third-party AI systems constitutes sensitive data processing with international transfer.

Legal basis: Explicit consent (Art. 11, I LGPD / Art. 9(2)(a) GDPR)

4.3. RE-IDENTIFICATION WARNING:

According to scientific literature, 30-80 SNPs are sufficient for unique identification of individuals. By consenting to AI use, you acknowledge this inherent technical risk.

5. Data Protection Principles

We apply the following principles (LGPD Art. 6 / GDPR Art. 5):

PURPOSE:

Data used only for genetic analysis and related services

ADEQUACY:

Processing compatible with informed purposes

NECESSITY (MINIMIZATION):

We collect only essential data for services

FREE ACCESS:

You can consult your data free of charge

QUALITY:

We maintain accurate and up-to-date data

TRANSPARENCY:

Clear information about all processing

SECURITY:

Robust technical and administrative measures

PREVENTION:

Proactive actions against incidents

NON-DISCRIMINATION:

Data never used for unlawful discrimination

ACCOUNTABILITY:

We demonstrate compliance through documentation

6. Data Subject Rights

Under LGPD (Art. 18) and GDPR (Art. 15-22), you may exercise:

CONFIRMATION AND ACCESS:

Confirm existence of processing and access your data

CORRECTION:

Correct incomplete, inaccurate, or outdated data

ANONYMIZATION, BLOCKING OR DELETION:

For unnecessary, excessive, or non-compliant data

PORTABILITY:

Transfer data to another provider in structured format

DELETION WITH CONSENT:

Delete data processed based on consent

INFORMATION:

Know with whom your data was shared

NON-CONSENT:

Be informed about consequences of not consenting

REVOCATION:

Withdraw consent at any time

AUTOMATED DECISION REVIEW:

Request review of decisions made solely by AI

OBJECTION (GDPR):

Object to processing for direct marketing

RESTRICTION (GDPR):

Restrict processing in certain circumstances

7. Data Protection Officer (DPO)

Pursuant to Art. 41 of LGPD and Art. 37 of GDPR, we have appointed a DPO responsible for:

  • Accepting complaints and communications from data subjects
  • Receiving communications from ANPD and European authorities
  • Providing clarifications about data processing
  • Guiding employees on data protection
  • Carrying out any other duties assigned by the controller

DPO CONTACT

[email protected]

RESPONSE TIMES

  • Simple requests: 15 days
  • Complex requests: up to 30 days

8. Impact Assessment (DPIA)

We conduct Data Protection Impact Reports (DPIA) pursuant to Art. 38 LGPD and Art. 35 GDPR for:

  • Processing of sensitive genetic data
  • International data transfers
  • Use of AI systems for processing

THE DPIA DOCUMENTS

  • Nature, scope, and context of processing
  • Purposes and necessity of processing
  • Risks to data subjects' rights and freedoms
  • Implemented mitigation measures
  • Safeguards and security mechanisms

9. International Transfers

Under LGPD Chapter V and GDPR Chapter V, your data is transferred to:

UNITED STATES

  • AWS, OpenAI, Anthropic, Google, xAI
  • Mechanism: Standard Contractual Clauses (SCCs)
  • Certifications: SOC 2, ISO 27001

CHINA

  • DeepSeek, Alibaba Cloud
  • WARNING: No Brazil-China or EU-China adequacy decision
  • Basis: Explicit consent from data subject (Art. 33, VIII LGPD)
  • Risk: Data may be accessed by Chinese authorities

EUROPEAN UNION

  • Mistral (France)
  • Adequacy: GDPR fully applicable

ADDITIONAL SAFEGUARDS

  • Encryption of data in transit and at rest
  • Minimization of transferred data
  • Contracts with protection clauses

10. Security Incident Response

In case of a security incident that may pose relevant risk or damage to data subjects:

NOTIFICATION TO ANPD (Art. 48 LGPD):

  • Reasonable timeframe (guidance: 2 business days)
  • Description of the nature of affected data
  • Information about involved data subjects
  • Technical security measures used
  • Risks related to the incident
  • Measures taken to reverse or mitigate

COMMUNICATION TO DATA SUBJECTS

  • When there is relevant risk or damage
  • In clear and accessible language
  • With measures that can be taken by the data subject

GDPR (Art. 33-34):

  • Notification to authority within 72 hours
  • Communication to data subjects without undue delay

HIPAA

  • Notification within 60 days of discovery
  • Notification to HHS for breaches affecting 500+ individuals

11. Data Protection Authorities

BRAZIL - ANPD (Autoridade Nacional de Proteção de Dados):

  • Website: gov.br/anpd
  • Competent for LGPD oversight
  • Channel for complaints from Brazilian data subjects

EUROPEAN UNION:

  • Each member state has its supervisory authority
  • Data subjects in the EU can complain to their local authority
  • Lead authority determined by main establishment

UNITED STATES:

  • FTC - Federal Trade Commission (general privacy)
  • HHS - Health and Human Services (HIPAA)
  • State attorneys general (state privacy laws)

WE MAINTAIN

  • Active communication channel with authorities
  • Priority response to regulatory requests
  • Updated compliance documentation

12. How to Exercise Your Rights

To exercise any right provided by LGPD, GDPR, HIPAA, or other applicable laws:

SEND REQUEST TO

[email protected]

INCLUDE IN YOUR REQUEST

  • Full name and registered email
  • Right you wish to exercise
  • Detailed description of request
  • Identification document (for confirmation)

TIMEFRAMES

  • Receipt confirmation: 2 business days
  • Initial response: 15 days (LGPD) / 30 days (GDPR)
  • Extension if necessary: prior communication

COSTS

  • First request: free
  • Repetitive or excessive requests: reasonable fee may apply

13. Jurisdiction-Specific Provisions

FOR EU DATA SUBJECTS (GDPR):

  • EU Representative (Art. 27): To be designated
  • Legal basis for marketing: Explicit opt-in consent only
  • Automated decisions (Art. 22): Right not to be subject to solely automated decisions with legal effects
  • Portability (Art. 20): Structured, commonly used, machine-readable format
  • Right to erasure (Art. 17): Deletion without undue delay

FOR US DATA SUBJECTS:

  • HIPAA: We implement appropriate administrative, physical, and technical safeguards
  • GINA: We do not use genetic information for employment or health insurance decisions
  • CCPA/CPRA (California): Right to know, delete, opt-out of sale (we do not sell data)

FOR BRAZILIAN DATA SUBJECTS (LGPD):

  • ANPD is the competent authority
  • Consumer Protection Code (CDC) also applies
  • Judicial remedies available in Brazil

Need Help?

General Contact:

[email protected]

Privacy and Data Protection (DPO):

[email protected]

Address:

Av. Copacabana, 112
Barueri, SP - Brasil