Privacy Policy

Last updated: March 24, 2026

Who we are

PrivDNA is building a privacy-sovereign whole genome sequencing service and operates this website (privdna.com) during the pre-launch phase. Our mission is to give people access to their genomic data without surrendering control of it. This privacy policy reflects that mission — we collect as little as possible and protect what we do collect.

What we collect

Waitlist signup

When you join the waitlist, we collect your email address. It is:

  • Encrypted at rest with AES-256-GCM before being stored
  • Hashed with HMAC-SHA256 for duplicate detection (the hash cannot be reversed to recover your email)
  • Stored in an encrypted SQLCipher database on infrastructure we control

We also store the date you signed up and a random unsubscribe token. We do not store your name, IP address, location, or any other personal information.

Analytics

We use Rybbit, an open-source, cookieless analytics platform. In production, PrivDNA self-hosts this service where feasible; the fallback points to Rybbit's own hosted endpoint (app.rybbit.io) operated by the Rybbit team. It collects:

  • Page views and navigation paths
  • Referrer and UTM parameters (where you came from)
  • Browser, device type, operating system, and screen size
  • Language preference
  • Geographic location (city-level, derived from IP at the edge)
  • Session duration and engagement metrics
  • Custom events (e.g., waitlist signup — event name only, no email or PII)
  • Page performance metrics (Core Web Vitals)

Rybbit does not use cookies, does not fingerprint browsers, and does not assign persistent identifiers. Every visitor is anonymous by default — there is no way to link analytics data back to a specific individual. IP addresses are used transiently for geolocation but are not stored in our analytics database.

Cloudflare

Our site is served through Cloudflare, which processes requests at the network edge. Cloudflare may temporarily log IP addresses and request metadata for security and performance purposes (DDoS protection, bot detection) under their own privacy policy. We do not have access to individual IP addresses in Cloudflare logs.

What we do not collect

  • No cookies (zero — not even analytics cookies)
  • No advertising or tracking pixels
  • No browser fingerprinting
  • The only external script is Rybbit analytics (cookieless, no personal data transmitted)
  • No IP address storage
  • No location tracking
  • No cross-site tracking

How we use your data

Your email address is used for one purpose:

  • To send you updates about PrivDNA (launch announcements, waitlist status)

We do not sell, rent, license, or share your email address with any third party. We do not use your email for advertising. We do not build profiles.

Data sharing

We do not share your personal data with anyone. There are no third-party data processors with access to your email address. The encrypted database is stored on infrastructure we control and is not replicated to any external service.

Data retention and deletion

Your email remains on the waitlist until you unsubscribe or we launch the service. You can delete your data at any time:

  • Unsubscribe link — every email we send includes an unsubscribe link that immediately removes your data
  • Email us — write to contact@privdna.com to request deletion

When you unsubscribe, your record is soft-deleted (marked as unsubscribed). The encrypted email data is retained only for duplicate-prevention purposes and cannot be read without the encryption key.

Security

We take the security of your data seriously:

  • All data in transit is encrypted via TLS 1.3 (enforced by Cloudflare)
  • All data at rest is encrypted with AES-256-GCM (email field) and SQLCipher (entire database)
  • HSTS with preload enabled — browsers will only connect via HTTPS
  • Our waitlist system is open source — you can audit exactly how your data is handled

Your rights

Regardless of where you are located, you have the right to:

  • Access — know what data we hold about you
  • Rectification — correct inaccurate data
  • Deletion — request that we delete your data
  • Portability — receive your data in a standard format
  • Restriction — limit how we process your data
  • Objection — opt out of any communications at any time
  • Withdraw consent — at any time, without affecting the lawfulness of processing before withdrawal

To exercise any of these rights, email contact@privdna.com. We will respond within 30 days.

For European visitors (GDPR)

If you are in the European Economic Area (EEA) or United Kingdom, the following applies under the General Data Protection Regulation:

  • Legal basis: We process your email address based on your consent (Article 6(1)(a) GDPR), provided when you voluntarily submit it via the waitlist form. You may withdraw consent at any time by unsubscribing.
  • Data controller: PrivDNA, New York, NY, United States. Contact: contact@privdna.com
  • International transfers: Your data is processed in the United States. We rely on your explicit consent for this transfer (Article 49(1)(a) GDPR) and apply equivalent security protections regardless of location.
  • Automated decision-making: We do not use your data for automated decision-making or profiling.
  • Supervisory authority: You have the right to lodge a complaint with your local data protection authority if you believe your rights have been violated.

For California residents (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) provides you with additional rights:

  • Categories of personal information collected: Identifiers (email address only).
  • Purpose: To send waitlist updates and launch announcements.
  • Sale or sharing of data: We do not sell or share your personal information as defined under the CCPA/CPRA.
  • Right to know: You may request the categories and specific pieces of personal information we have collected about you.
  • Right to delete: You may request deletion of your personal information.
  • Right to opt out: Not applicable — we do not sell or share personal information.
  • Non-discrimination: We will not discriminate against you for exercising any of your CCPA rights.
  • Authorized agent: You may designate an authorized agent to make a request on your behalf by emailing us with written authorization.

To make a verifiable consumer request, email contact@privdna.com. We will verify your identity by confirming the email address associated with your request.

For New York residents

We comply with the New York SHIELD Act (Stop Hacks and Improve Electronic Data Security Act), which requires businesses that hold private information of New York residents to implement reasonable security safeguards. Our safeguards include:

  • AES-256-GCM encryption of personal data at rest
  • TLS 1.3 encryption of all data in transit
  • Access controls limiting who can access the encrypted database
  • Open-source codebase enabling independent security audits

In the event of a data breach involving your private information, we will notify you in accordance with the SHIELD Act's notification requirements.

Children

Our service is not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with their email address, please contact us and we will delete it immediately.

Changes to this policy

If we make material changes to this privacy policy, we will notify waitlist subscribers by email before the changes take effect. The “Last updated” date at the top of this page reflects the most recent revision.

Contact

For privacy-related questions or requests, email contact@privdna.com.

Privacy is not a feature. It's the architecture.