How we process your personal data — in compliance with GDPR Article 13 and Article 14.
Who is responsible for your personal data
As the entity responsible for the personal data processed through this platform, we determine the purposes and means of processing your personal data in accordance with applicable data protection laws.
What personal data we process and why
Email address, display name, and authentication credentials (hashed).
Payment method details processed by our payment provider. We do not store full card numbers.
If you choose to save results, they are stored server-side. Client-side AES-256-GCM encryption is planned for a future release. Raw genetic files are never stored.
The lawful grounds on which we process your data
For processing genetic analysis data, we rely on your explicit consent. You may withdraw consent at any time through your account settings without affecting the lawfulness of processing carried out before withdrawal.
Processing of account and billing data is necessary for the performance of our service agreement with you, including account management and payment processing. Payment processing is handled by Stripe, Inc. We share your billing details and IP address with Stripe for the purpose of processing your payment. Stripe's privacy policy is available at stripe.com/privacy.
Processing of your genetic data requires explicit consent under GDPR Article 9(2)(a) because genetic data is a special category of personal data. This consent is obtained via our dedicated consent modal before any analysis begins.
Rights you have under the GDPR regarding your personal data
You have the right to obtain confirmation of whether your personal data is being processed, and to access that data (GDPR Article 15).
You can request correction of inaccurate personal data or completion of incomplete data (GDPR Article 16).
You can request deletion of your personal data when it is no longer necessary for the purposes for which it was collected (GDPR Article 17).
You have the right to receive your personal data in a structured, commonly used, and machine-readable format (GDPR Article 20).
You can request restriction of processing in certain circumstances, such as when you contest the accuracy of the data (GDPR Article 18).
You have the right to object to processing based on legitimate interests or direct marketing (GDPR Article 21).
How long we keep your data
Planned client-side encryption for saved results
We plan to implement client-side AES-256-GCM encryption using Argon2id-derived keys, so that saved analysis results are encrypted in your browser before being transmitted to our servers. This feature is not yet active. Until it is released, saved results are stored server-side with standard transport and at-rest encryption.
Our DPO contact and appointment status
Data Protection Officer: privacy@mergenix.com. A Data Protection Officer will be formally designated prior to public launch, before Mergenix becomes accessible to the general public. In the interim, all data protection inquiries are handled directly by the Mergenix privacy team via the address above.
Our designated representative in the European Union
An EU Representative under GDPR Article 27 will be formally designated prior to public launch, before Mergenix becomes accessible to the general public, and the representative's contact details will be published in this notice at that time. Until formal designation, EU data subjects may direct inquiries to our Data Protection Officer at privacy@mergenix.com.
How we safeguard cross-border data transfers
Your data may be processed in the United States. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission for any transfers of personal data outside the EEA, ensuring an equivalent level of protection for your data. Our primary sub-processor, Stripe, Inc. (payment processor), is certified under the EU-U.S. Data Privacy Framework. We have conducted a Transfer Impact Assessment (TIA) to evaluate the legal framework of the destination country and have implemented supplementary measures, including encryption in transit and at rest, to ensure an equivalent level of protection.
When we may be required to disclose data
We may disclose your account data (never raw genetic data, which we do not possess) if required by valid legal process such as a court order or subpoena. We will notify you of any such request unless we are legally prohibited from doing so.
Our assessment of risks to your genetic data
We have conducted a Data Protection Impact Assessment (DPIA) as required by GDPR Article 35 for large-scale processing of special category data, including genetic data. Our DPIA evaluates the necessity and proportionality of processing, assesses risks to data subjects' rights and freedoms, and documents the technical and organisational measures we implement to mitigate those risks. A summary of our DPIA is available upon request by contacting our Data Protection Officer.
How to reach us about data protection matters
For any questions about this privacy notice or to exercise your data subject rights, contact us at privacy@mergenix.com.
If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority in the EU Member State of your habitual residence, place of work, or the place of the alleged infringement (GDPR Article 77).