Skip to waitlist
← Back to PrivDNA

Pre-launch · Planned for NYC · Genome #1 waitlist open

Your DNA can be locked.
Here's what that actually means.

Most consumer genomics companies will tell you they protect your data. Almost none of them can show you how. This page is the difference between a privacy promise and a privacy architecture.

The asymmetry nobody mentions

Your password is 12 characters.

Your genome is 3 billion.

When your password leaks, you change it in 30 seconds.

When your genome leaks, you change it in zero seconds. Ever. For the rest of your life. And your children's lives.

Every other piece of data you have ever shared — email, SSN, credit card, phone number, address — can be rotated, reissued, replaced. Your genome is the only credential that is literally you.

Why “delete my data” isn't enough

Deletion is a promise. Irrevocability is physics. Once your sequence has been copied into research partner handoffs, insurance underwriting models, backup systems, and whatever database the bankruptcy buyer eventually inherits — the delete button at the front-end provider doesn't reach any of it.

In April 2023 through October 2023, 23andMe was credential-stuffed for ~14,000 accounts (later revised to 18,000+) and 6.9 million profiles were exposed via relative-matching. Those customers can change their passwords. They cannot change the genetic data the attackers now have. In March 2025 the company filed Chapter 11 and the database was sold to TTAM Research Institute for $305 million. The toggle flipped without the 15 million customers in that database voting in the auction.

This is the failure mode of most “privacy-first” consumer genomics companies that retain a copy. Not bad luck. The business model.

The discrimination risk US law does not cover

The Genetic Information Nondiscrimination Act (GINA), passed in 2008, prevents employers and health insurers from using your genetic data against you. It does not cover three categories of insurance that most people carry:

  • Life insurance
  • Disability insurance
  • Long-term care insurance

Underwriters in those three lines can keep your sequence in their risk models indefinitely — even as the products you bought protection for change shape, owner, or jurisdiction. A leaked password is a 30-second problem. A leaked genome is an underwriting input forever.

What “locked” actually requires

For DNA to be genuinely locked — not just claimed-locked in a privacy policy — three things have to be true at the same time:

  1. You hold the only copy. Nobody else gets one. Not the lab, not a research partner, not a future acquirer.
  2. You can verify the absence of copies. Not because someone wrote a sentence in a PDF — because you watched the working drives be cryptographically destroyed.
  3. The custody chain never leaves the room. No mail carrier, no sorting facility, no third-party lab you have never visited.

Anything short of all three leaves real ownership uncertain.

How PrivDNA does it

Two visits to a physical location. Roughly 55 minutes of your time, split across them.

  • Visit 1. You give a saliva sample at the lab bench, collected there by a technician — not brought in. It is barcoded, logged into chain of custody, and handed to the air-gapped sequencer in the same room. Nothing leaves the building on a network cable.
  • Between visits (4–6 business days). Your sequence is processed on the air-gapped workstation. There is no external network connection. Output lives only on workstation drives until handoff.
  • Visit 2. You receive your encrypted drives. Then, through a glass wall, in real time, you watch every working copy of your genome on our systems be cryptographically erased. Under five seconds per drive. You leave with a Certificate of Destruction signed and timestamped.

The destruction is the product as much as the sequencing is. If the database does not exist at your provider, there is nothing to sell, subpoena, breach, or repurpose.

What you walk out with

  • Your whole genome (~30x coverage) on encrypted media you control
  • The decryption keys, in your hands, on separate media
  • A signed Certificate of Destruction
  • An open-source pipeline so anyone — a researcher, a journalist, a paranoid customer — can audit exactly what happened to your sequence data (BAM, VCF, gVCF). Raw FASTQ is available on request.
  • No copy left behind. Not for marketing. Not for research. Not for an acquirer.

Read the architecture

We publish the technical detail because we have to. Privacy claims you can't verify are not privacy claims — they are marketing.

Read the PrivDNA whitepaper →

Read the security disclosure policy →

Be first in line

We are opening the waitlist for the first cohort of genome #1 customers. Two visits, one genome you leave with, zero copies behind.

Join the waitlist →

The only genome nobody can breach is the one that was never uploaded in the first place.