Privacy Policy
Effective date: 1 June 2026
This notice is provided under UK GDPR Articles 13 and 14 (and, where applicable, EU GDPR). It explains who we are, what personal data we collect, why we collect it, and your rights.
1. Data controller and contact
The data controller is Gene-Cortex.com Ltd, registered in England and Wales.
For all privacy enquiries and to exercise your rights, contact our Data Protection Officer:
Data Protection Officer
Gene-Cortex.com Ltd
[email protected]
We aim to respond to all data subject requests within one calendar month (extendable by up to two further months for complex requests, with notification to you).
2. Special category data (genomic)
Genomic sequence data and copy number variant (CNV) coordinates may constitute "special category data" (health data or genetic data) under UK GDPR Article 9. We rely on the following conditions for processing where applicable:
- Article 9(2)(a), explicit consent: where you choose to opt in to model improvement or research use of de-identified analysis outputs.
- Article 9(2)(j), scientific research: for aggregated, de-identified analysis of variant interpretation patterns to improve clinical decision support, subject to appropriate safeguards.
You must not submit patient-identifiable data to the Service. All genomic coordinates must be fully de-identified before submission. We are not responsible for any PII inadvertently included in submitted data.
3. Categories of personal data we collect
| Category | Examples | Source |
|---|---|---|
| Account data | Email address, display name, bcrypt password hash (plaintext passwords are never stored) | Provided by you at registration |
| Professional information | Job title, institution, country | Provided by you optionally during onboarding |
| CNV submissions | Genomic coordinates (chr, start, end), assembly, SV type (must be de-identified) | Submitted by you via the Service |
| Analysis outputs | AI-generated interpretation text, ACMG classification, evidence citations | Generated by the Service |
| Usage and audit logs | IP address, browser/API client, timestamps, endpoints called, credit transactions | Automatically collected |
| Payment data | Email for receipt; card details handled exclusively by Stripe (we never receive raw card data) | Stripe (our payment processor) |
| Support communications | Email content when you contact us | Provided by you |
4. Legal bases for processing
| Purpose | Legal basis (UK GDPR Art. 6) |
|---|---|
| Account creation and management | Art. 6(1)(b), performance of contract |
| Providing AI analysis and evidence dashboard | Art. 6(1)(b), performance of contract |
| Processing payments via Stripe | Art. 6(1)(b), performance of contract |
| Fraud prevention and security logging | Art. 6(1)(f), legitimate interests |
| Service improvement and aggregate analytics | Art. 6(1)(f), legitimate interests |
| Communicating service changes | Art. 6(1)(f), legitimate interests |
| Optional research use of de-identified outputs | Art. 6(1)(a) + Art. 9(2)(a), explicit consent |
| Complying with legal obligations | Art. 6(1)(c), legal obligation |
Where we rely on legitimate interests, we have conducted a balancing test and determined that our interests do not override your fundamental rights. You may object to processing on legitimate interests grounds (see section 9).
5. How we use your data
- Creating and managing your account and authenticating you;
- Running CNV evidence retrieval and AI interpretation analysis;
- Calculating and deducting analysis credits from your balance;
- Processing payments and sending receipts via Stripe;
- Detecting and preventing fraud, abuse, and security incidents;
- Maintaining audit trails for clinical governance purposes;
- Sending transactional emails (password reset, subscription renewal notices);
- Improving the Service via aggregated, de-identified usage analytics.
We do not use your personal data for automated decision-making with legal or similarly significant effects (within the meaning of UK GDPR Article 22) without human review. AI-generated interpretations are decision support tools, not automated decisions.
6. Recipients and third-party processors
| Processor | Purpose | Location |
|---|---|---|
| Supabase | Database (accounts, analysis outputs, audit logs) | EU / USA (SCCs applied) |
| OpenAI | AI model inference for CNV interpretation | USA (SCCs applied; data not used to train OpenAI models per API terms) |
| Stripe | Payment processing | USA (SCCs applied; PCI DSS Level 1) |
| Fly.io | Backend application hosting | EU |
| Vercel | Frontend hosting and edge CDN | Global / USA (SCCs applied) |
| Resend / Postmark | Transactional email delivery | USA (SCCs applied) |
We do not sell, rent, or share your personal data with third parties for their own marketing purposes. We may disclose data where required by law, court order, or to protect the rights, safety, or property of Gene-Cortex.com or its users.
7. Retention periods
| Data type | Retention period |
|---|---|
| Account data | For the life of your account, then deleted within 30 days of account closure |
| Analysis outputs and CNV submissions | For the life of your account; if your account is closed, retained for up to 3 years from last access, then deleted or irreversibly anonymised |
| Credit ledger records | 7 years (financial record-keeping obligation) |
| Audit and security logs | 2 years from creation |
| Payment records | 7 years (legal and tax obligation) |
| Support communications | 3 years from resolution |
After the applicable retention period, personal data is securely deleted or irreversibly anonymised.
8. International transfers
Some of our processors are located outside the UK/EEA (notably OpenAI, Stripe, Vercel and Resend/Postmark in the USA, and Supabase in part; see section 6). Where we transfer personal data internationally we rely on:
- The UK International Data Transfer Agreement (IDTA), or the EU Standard Contractual Clauses (SCCs) together with the UK International Data Transfer Addendum;
- An adequacy decision by the UK Secretary of State (where applicable).
Copies of the relevant transfer mechanisms are available on request by emailing [email protected].
9. Your data subject rights
Under UK GDPR you have the following rights:
- Access (Art. 15): request a copy of the personal data we hold about you.
- Rectification (Art. 16): ask us to correct inaccurate data.
- Erasure (Art. 17): request deletion of your data (the "right to be forgotten") where no overriding legal basis applies.
- Restriction (Art. 18): ask us to pause processing in certain circumstances.
- Portability (Art. 20): receive your data in a structured, machine-readable format (applies to data processed by contract or consent).
- Objection (Art. 21): object to processing based on legitimate interests.
- Withdraw consent (Art. 7(3)): where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, email us at [email protected]. We will respond within one month (extendable for complex requests as described in section 1). We may ask you to verify your identity before acting on your request, so that personal data is not disclosed to or deleted at the request of someone impersonating you. Exercising these rights is free of charge.
You may also exercise some rights directly in your account settings (e.g., account deletion, data export).
10. Children
The Service is not directed at or intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us immediately and we will take steps to delete it.
12. Security
We implement technical and organisational measures appropriate to the risk, including:
- Encryption of data at rest (AES-256) and in transit (TLS 1.2 or later);
- Passwords stored only as bcrypt hashes, never in plaintext or reversibly encrypted form;
- Role-based access controls and least-privilege database permissions;
- Audit logging of all sensitive operations;
- Regular security review and dependency updates.
No method of transmission or storage is 100% secure. If you discover a security vulnerability, please disclose it responsibly to [email protected].
13. Supervisory authority
You have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) if you believe we have processed your personal data unlawfully:
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
https://ico.org.uk
We would, however, appreciate the opportunity to address your concerns before you approach the ICO; please contact us first at [email protected].
14. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent in-app notice at least 14 days before they take effect. The effective date at the top of this page reflects the date of the last revision. Continued use of the Service after the effective date constitutes acceptance of the revised policy.