Privacy and what we do with your data
Encryption at rest, no third-party sharing, no training on your conversations, and how to delete everything if you ever change your mind.
Your genome is the most identifying piece of data you will ever own. Haeckel treats it that way. Every raw DNA file is encrypted at rest with a per-user key, and the analytical results are stored in a relational database that requires authenticated session access for every query. Authentication runs through a dedicated identity provider with optional two-factor enforcement that we recommend turning on. Every data-access path through the application is logged, including reads by Mirror, so anyone with admin access leaves a trail rather than browsing silently.
Encryption at rest
Raw DNA files live in encrypted object storage. Each user has a unique data-encryption key generated at signup, which itself is wrapped under a master key held in the platform's key-management service (envelope encryption). The wrapped key is stored alongside your other profile data; the master key is never written to the application database. Recovering your raw file requires both the wrapped key from the database and an authorised call to the KMS, so a database breach alone cannot decrypt anything.
Analytical results (ancestry vectors, PRS scores, pharmacogenomic flags, etc.) are stored at the application database layer, where the database provider encrypts at rest and TLS protects in transit. Column-level encryption of every analytical field would prevent the application from running joins or aggregates, with negligible additional security against the threat models that matter here, so we intentionally do not apply it.
Where your data goes
Per Article 28 of GDPR we maintain a current list of every third-party subprocessor that touches user data, each operating under a no-training contract. The live list (including the role each subprocessor plays and the data scope it sees) is published on a dedicated subprocessors page and is updated whenever a change is made. In summary the list covers:
- A frontier-model LLM provider for Mirror conversations. Receives the assembled context plus your current message. Never the raw DNA file.
- A low-latency text-to-speech provider for voice synthesis. Receives Mirror's response text only.
- An embeddings provider for the Networks recommender. Receives a sanitised text profile, never raw genotypes.
- A hosting provider and an application-database provider, both with encrypted-at-rest storage.
- An encrypted object-storage provider for the raw DNA files, which sees only ciphertext.
- An authentication provider that sees identity fields but never genomic data.
- An error-monitoring provider where sensitive fields are scrubbed at the SDK layer before any payload leaves the application.
No data goes to any third party for training, marketing, or research without explicit per-feature consent. There is no consent screen at signup that hides such permission in the fine print. No data goes to any insurer or employer; we will never share, sell, or otherwise transfer identified or pseudonymised genetic data to either category, regardless of legal pressure short of a court order with proper jurisdiction (in which case you are notified before disclosure unless we are legally prohibited from doing so).
Audit log
Every data access is logged with the user ID, the route, the timestamp, the IP, the user agent, and the data scope touched. The audit log is append-only at the database level and is reviewed by the security on-call rota for anomalies. You can request your own audit log through the data-export endpoint, which returns the full history of who or what accessed your data and when.
Data export (GDPR Article 20)
Open Settings → Privacy → Export my data and request a full export. The platform packages the following into a single zip archive and emails you a one-time download link with a 7-day expiry: your raw DNA file, every analytical result as JSON, your conversation history with Mirror, your network memberships, your privacy settings, and your audit log. The export is delivered within 24 hours for typical accounts and within 72 hours in the rare case of a particularly large WGS dataset.
How to delete everything (GDPR Article 17)
Open Settings → Privacy → Delete all my data. After a confirmation step (typed username, to prevent accidental deletion), the platform removes within 24 hours: your raw DNA file, every analytical result row in the database, every conversation history with Mirror, your Networks memberships, your saved artifacts, and your authentication record with our auth provider. An archived backup is retained for 30 days, encrypted under a key that requires a fraud-recovery process to access, and is then permanently destroyed. After day 31 nothing remains.
Regulatory posture
- GDPR (EU): full compliance. Data Protection Officer designated. Article 17 (erasure) and Article 20 (portability) implemented. Records of processing maintained per Article 30.
- CCPA (California): consumer rights honoured regardless of residency. The "do not sell" provision is moot because we do not sell data, but the right is acknowledged.
- HIPAA (US healthcare): Haeckel is not a covered entity and does not bill insurance, so HIPAA does not apply by default. We treat data with HIPAA-equivalent care voluntarily, but we do not file the formal compliance reports.
- GINA (US genetic information): we do not transfer your data to insurers or employers. Period.