Skip to main content
DRAFT — Subject to legal counsel review. This document has not yet been reviewed or approved by an attorney and should not be relied upon as final legal terms.

Privacy Policy

Effective Date: February 10, 2026 · Last Updated: February 10, 2026

1. Introduction

Atlagene, Inc. ("Atlagene," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy describes how we collect, use, disclose, and safeguard your personal information, genetic data, and health information when you access or use our genomic health analysis platform, including our website, mobile applications, Helix AI Assistant, and related services (collectively, the "Services").

By using our Services, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree with these practices, please do not use our Services.

This Privacy Policy should be read in conjunction with our Terms of Service, HIPAA Notice of Privacy Practices, and GINA Notice.

2. Information We Collect

We collect information in several categories to provide, maintain, and improve our Services.

2.1 Account Information

When you create an account, we collect your full name, email address, date of birth, sex assigned at birth (used for genetic analysis accuracy), phone number (if you opt into SMS notifications), and a password (which is cryptographically hashed using Argon2id and never stored in plaintext). We may also collect your mailing address if you order a DNA swab kit.

2.2 Genetic Data

We collect raw genome files that you upload (e.g., from 23andMe, AncestryDNA, Nebula Genomics, or standard VCF/gVCF format). Through our analysis pipeline, we derive variant data, polygenic risk scores, carrier status assessments, pharmacogenomic profiles, and other health insights across 21 analysis categories. Your raw genome data is stored encrypted (AES-256) and in a database that is physically isolated from your personally identifiable information.

2.3 Health and Blood Test Data

If you choose to upload blood test results, we collect the biomarker values, reference ranges, lab provider name, and test dates. Blood test data can be submitted via photo (processed through OCR), PDF upload, or manual entry. We use this data to cross-reference with your genetic profile to provide precision health insights and to adjust supplement recommendations based on actual measured levels.

2.4 Helix Conversations

When you interact with Helix, our AI assistant (powered by Claude), we collect the questions you ask, the responses generated, and metadata about the conversation (timestamps, topics covered). Your conversations are stored to provide continuity across sessions and to improve the quality and safety of Helix. Conversations are associated with your account but are not shared with third parties.

2.5 Device and Technical Information

We automatically collect certain technical information when you use our Services, including device type and model, operating system and version, browser type and version, IP address, unique device identifiers, screen resolution, language preferences, referring URLs, and general geographic location (city/state level, derived from IP address). We do not collect precise geolocation data.

2.6 Cookies and Tracking Technologies

We use strictly necessary cookies for session management and authentication. We use analytics cookies (only with your consent) to understand how our Services are used and to identify areas for improvement. We do not use third-party advertising cookies or cross-site tracking pixels. You can control cookie preferences through your browser settings or our cookie consent banner.

2.7 Communication Records

We retain records of notifications we send to you across all channels (push notifications, SMS, email, in-app), including delivery status, opt-in/opt-out records, and timestamps. For SMS communications, we retain consent records in compliance with the Telephone Consumer Protection Act (TCPA).

3. How We Use Your Information

We use the information we collect for the following purposes, each supported by one or more legal bases:

  • Genomic Analysis and Health Insights — To process your genetic data through our 21-category analysis pipeline, generate risk assessments, carrier status reports, pharmacogenomic profiles, and personalized health insights. (Legal basis: performance of contract; your explicit consent for genetic data processing.)
  • Physician Review — To route results flagged as physician-required to licensed physicians in our partner network for clinical review before release. (Legal basis: performance of contract; compliance with applicable healthcare regulations.)
  • Helix AI Assistant — To power personalized, context-aware responses grounded in your genetic data and blood test results. (Legal basis: performance of contract; your explicit consent.)
  • Supplement Recommendations — To generate personalized supplement recommendations with priority scoring, dosage guidance, contraindication checks, and adjustments based on blood test feedback. (Legal basis: performance of contract.)
  • Blood Test Cross-Referencing — To correlate your uploaded blood test results with your genetic profile to provide precision insights about how your genetics may influence your biomarker levels. (Legal basis: performance of contract; your explicit consent.)
  • Notifications and Reminders — To send health reminders (supplement schedules, blood test retest timelines, checkup reminders) and service notifications (results ready, physician review complete) through your preferred channels. (Legal basis: your explicit consent; legitimate interest for service-critical notifications.)
  • Service Improvement — To improve the accuracy of our analysis algorithms, enhance the user experience, and develop new features. We use aggregated and de-identified data for this purpose whenever possible. (Legal basis: legitimate interest.)
  • Legal Compliance — To comply with applicable laws, regulations, legal processes, or enforceable governmental requests, including HIPAA, GINA, TCPA, CCPA/CPRA, and state genetic testing laws. (Legal basis: legal obligation.)
  • De-Identified Research — If you provide separate, explicit consent, we may use de-identified genetic data (stripped of all identifiers per HIPAA Safe Harbor method) for internal research to improve our analysis models. We will never conduct research on identifiable genetic data without your separate written authorization. (Legal basis: your separate, explicit consent.)

4. Genetic Data Specific Disclosures

Your genetic data is among the most sensitive personal information that exists. We want you to understand the following important facts:

  • De-identification Practices: When we use genetic data for internal research or service improvement, we apply the HIPAA Safe Harbor de-identification method, removing all 18 categories of identifiers. De-identified data cannot be re-linked to your identity.
  • No Employer or Insurer Sharing: We will never share your genetic data with employers, health insurers, life insurers, disability insurers, long-term care insurers, or any entity that could use it for discriminatory purposes. This commitment goes beyond what federal law (GINA) requires.
  • Research Use Only with Separate Consent: We will never use your identifiable genetic data for research purposes without obtaining your separate, written, informed consent. This consent is independent of your agreement to this Privacy Policy and can be revoked at any time.
  • Familial Implications: Your genetic data may reveal information about your biological relatives, including parents, siblings, children, and more distant relatives. This information could include predisposition to certain health conditions, carrier status, and ancestry information. You should consider these implications before uploading your data and before sharing your results with family members.
  • Irreversibility of Disclosure: Once genetic information is disclosed, it cannot be made private again. Unlike a password, you cannot change your DNA. We urge you to carefully consider who you share your genetic results with and to use the access controls we provide to limit sharing.

5. Data Sharing and Disclosure

We do not sell your personal information or genetic data. We share information only in the following circumstances:

5.1 Physician Partners

When your genetic analysis produces results that require physician review (such as clinically significant variants in oncology, pharmacogenomics, rare disease, or high-risk findings in other categories), we share relevant results with licensed, board-certified physicians in our partner network. Physicians receive only the minimum necessary information to conduct their review. All physician partners are bound by HIPAA Business Associate Agreements.

5.2 Service Providers

We use the following categories of service providers, all bound by data processing agreements and, where applicable, HIPAA Business Associate Agreements:

ProviderPurposeData Accessed
Amazon Web Services (AWS)Cloud infrastructure, storage, computeAll data (encrypted at rest and in transit)
TwilioSMS notificationsPhone number, message content
Amazon SESEmail notificationsEmail address, message content
Anthropic (Claude)Helix AI Assistant, analysis explanationsDe-identified genetic context, chat messages
Firebase Cloud Messaging / APNsPush notificationsDevice tokens, notification content

5.3 Legal Process

We may disclose your information if required by law, subpoena, court order, or other legal process, or if we reasonably believe disclosure is necessary to protect our rights, your safety, or the safety of others. Where legally permitted, we will notify you of such requests before disclosure. We will challenge overly broad or legally questionable requests.

5.4 Business Transfers

If Atlagene is involved in a merger, acquisition, bankruptcy, or asset sale, your information may be transferred as part of that transaction. We will notify you via email and/or prominent notice on our website of any change in ownership or uses of your personal information, and your choices regarding your information. The acquiring entity will be bound by the terms of this Privacy Policy with respect to any data collected prior to the transfer.

5.5 Aggregated and De-Identified Data

We may share aggregated, de-identified data that cannot reasonably be used to identify any individual. Such data may be used for scientific publications, industry benchmarking, or public health research. This data is stripped of all 18 HIPAA identifiers using the Safe Harbor method.

5.6 No Sale of Personal Information

We do not sell, rent, or lease your personal information or genetic data to any third party for any purpose. We do not share your personal information for cross-context behavioral advertising. This applies to all categories of personal information we collect, including genetic data, health data, and account information.

6. Your Rights

6.1 General Rights (All Users)

Regardless of your state of residence, all Atlagene users have the right to:

  • Access — Request a copy of all personal and genetic data we hold about you, delivered in a portable, machine-readable format.
  • Delete — Request deletion of your account and all associated personal data. Genetic data will be permanently destroyed within 30 days. Certain data may be retained as required by law (see Data Retention Schedule below).
  • Correct — Request correction of inaccurate personal information in your account.
  • Portability — Download your raw genome file, analysis results, and blood test data in standard formats at any time from your account settings.
  • Withdraw Consent — Withdraw consent for optional data processing (such as research use or non-essential notifications) at any time without affecting the lawfulness of prior processing.
  • Opt Out of Communications — Opt out of non-essential notifications through your notification settings or by replying STOP to any SMS message.

6.2 California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

  • Right to Know — You may request that we disclose the categories and specific pieces of personal information we have collected, the sources from which it was collected, the business or commercial purpose for collection, and the categories of third parties with whom we share it.
  • Right to Delete — You may request deletion of personal information we have collected, subject to certain exceptions (e.g., legal retention requirements).
  • Right to Correct — You may request correction of inaccurate personal information.
  • Right to Opt Out of Sale/Sharing — We do not sell personal information or share it for cross-context behavioral advertising. However, you may still exercise this right by contacting us.
  • Right to Limit Use of Sensitive Personal Information — Genetic data and health information are considered sensitive personal information under CPRA. We use this data only for the purposes disclosed in this Policy and as necessary to provide our Services.
  • Non-Discrimination — We will not discriminate against you for exercising any of your CCPA/CPRA rights.

To exercise your California rights, email privacy@atlagene.com with the subject line "CCPA Request." We will verify your identity before processing your request and respond within 45 days.

6.3 HIPAA Rights

To the extent your information constitutes Protected Health Information (PHI) under HIPAA, you have additional rights as described in our HIPAA Notice of Privacy Practices. These include the right to access, amend, and receive an accounting of disclosures of your PHI.

6.4 Genetic-Specific Rights

Under GINA and various state genetic privacy laws, you have protections against genetic discrimination by health insurers and employers. See our GINA Notice for detailed information. Additionally, in states such as Florida, your genetic test results are your exclusive property, and we honor this right for all users regardless of state.

7. Data Retention Schedule

We retain different categories of data for different periods based on legal requirements, regulatory obligations, and service needs:

Data CategoryRetention PeriodBasis
Raw genome filesDuration of account + 10 yearsClinical record retention standards
Analysis results6 years after creationHIPAA record retention (45 CFR 164.530(j))
Physician review notes6–10 years after creationState medical record retention laws (varies)
Account dataDuration of account + 30 daysService provision; deletion grace period
Blood test dataDuration of account + 6 yearsHIPAA record retention
Helix conversationsDuration of account + 30 daysService provision
SMS consent records5 years after last consentTCPA compliance (FCC guidance)
SMS opt-out recordsIndefiniteTCPA compliance — must honor permanently
Audit logs6 yearsHIPAA record retention
De-identified / aggregated dataNo limitNot personal information; not subject to deletion requests

When you delete your account, we will permanently delete or de-identify your data according to the schedule above. Data that must be retained for legal or regulatory purposes will be securely stored with restricted access and will not be used for any other purpose during the retention period.

8. Security

We implement comprehensive administrative, physical, and technical safeguards to protect your information. These include AES-256 encryption at rest, TLS 1.3 encryption in transit, isolated database architecture (genetic data stored separately from PII), role-based access controls, multi-factor authentication for all staff, real-time audit logging, regular penetration testing, and documented incident response procedures.

For detailed information about our security practices and HIPAA compliance, please see our HIPAA Notice of Privacy Practices.

While we use commercially reasonable measures to protect your information, no system is 100% secure. If you become aware of any unauthorized access to your account, please contact us immediately at security@atlagene.com.

9. Children's Privacy

Our Services are intended for individuals who are at least 18 years of age. We do not knowingly collect personal information, genetic data, or health information from anyone under the age of 18. If we learn that we have collected information from a person under 18, we will promptly delete that information and any associated genetic data.

If you are a parent or guardian and believe that your child has provided us with personal information or genetic data, please contact us at privacy@atlagene.com so that we can take appropriate action.

10. Do Not Sell / Do Not Share

As required by the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), we disclose the following:

  • We do not sell personal information. We have not sold personal information in the preceding 12 months and have no plans to do so.
  • We do not share personal information for cross-context behavioral advertising. We do not participate in ad networks or share your data with advertisers.
  • Opt-out mechanism: Although we do not sell or share your information, you may submit a "Do Not Sell or Share My Personal Information" request by emailing privacy@atlagene.com or through the opt-out link in your account settings. We will confirm receipt and process your request within 15 business days.

11. International Users

Atlagene is based in the United States, and our Services are currently available only to residents of the United States. All data is processed and stored on servers located in the United States. If you access our Services from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your country of residence.

By using our Services from outside the United States, you consent to the transfer of your information to the United States. We do not currently offer Services to residents of the European Economic Area, United Kingdom, or other jurisdictions with GDPR-equivalent protections, and we do not market our Services in those regions.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make changes:

  • Non-material changes (e.g., clarifications, formatting): We will update the "Last Updated" date at the top of this page. Your continued use of the Services after such changes constitutes acceptance.
  • Material changes (e.g., new data sharing, new purposes for genetic data, changes to retention periods): We will provide at least 30 days' advance notice via email to the address associated with your account and a prominent notice on our website. For changes that affect how we use your genetic data, we will seek your affirmative consent before applying the changes to your existing data.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

13. Contact

If you have any questions, concerns, or requests related to this Privacy Policy or our data practices, please contact us:

Data Protection Officer
Atlagene, Inc.
Wilmington, DE 19801
United States

Email: privacy@atlagene.com

HIPAA inquiries: hipaa@atlagene.com

Security concerns: security@atlagene.com

We will respond to all privacy-related inquiries within 30 days (or within the timeframe required by applicable law, if shorter).