Legal
Privacy Policy
Effective date: January 7, 2026
0. Scope & applicability
This Privacy Policy applies to FitMyGenes’ website, APIs, digital genetic analysis reports, file upload and automated processing pipeline, and customer support. Our users are primarily located in the United States, and we are an EU-based company (Finnish Oy). This policy addresses GDPR (EU/EEA), baseline US state privacy expectations (CCPA/CPRA-style), and the handling of special category data including genetic data (GDPR Art. 9).
1. Data controller identity
Optima Systems Oy (Business ID / Y-tunnus: 3347527-2) is the data controller for the processing described in this Privacy Policy.
- Registered address: Yliopistonkatu 14A18, 40100 Jyväskylä, Finland
- Contact for privacy questions: support@fitmygenes.com
We use infrastructure, analytics, payment, and email providers to operate the Services. These providers act as our data processors and process personal data on our documented instructions.
2. Definitions
- Personal Data: information relating to an identified or identifiable natural person.
- Genetic Data: personal data relating to inherited or acquired genetic characteristics that provides unique information about a person’s physiology or health, derived from analysis of a biological sample or similar source data.
- Raw Genetic File: a genetic data file uploaded by a user (for example, consumer genomics provider formats) used as input for the Services.
- Derived Genetic Data: results produced from the Raw Genetic File, such as polygenic scores, percentiles, and generated reports.
- Processing: any operation performed on personal data, such as collection, storage, analysis, use, disclosure, or deletion.
- User: an individual who accesses or uses the Services.
- Services: FitMyGenes’ digital genetic analysis reports, website, APIs, and support communications.
3. Categories of personal data collected
We process only the following categories of personal data:
3.1 Order & transaction data
- Email address
- Order identifiers and timestamps
- Payment confirmation metadata (no card details)
3.2 Uploaded genetic data
- Raw DNA files uploaded by the user (e.g., consumer genomics provider formats)
- These files are genetic data and special category data
3.3 Derived genetic data
- Polygenic scores
- Percentiles
- Generated reports
3.4 Technical & usage data
- IP address
- Browser and device information
- Cookie identifiers
- Aggregated analytics events
4. Purpose of processing
We process personal data for the following purposes:
- Service delivery (report generation): process uploaded Raw Genetic Files to generate requested reports.
- Digital product delivery and access: provide access to purchased reports and order information.
- Customer support: respond to questions, handle requests, and troubleshoot issues.
- Fraud and abuse prevention (minimal): protect the Services from misuse and unauthorized access.
- Website analytics (aggregated, non-genetic): understand site performance and improve usability.
Prohibitions
- We do not sell personal data or genetic data.
- We do not use genetic data for advertising, tracking, profiling, or targeted marketing.
- We do not reuse genetic data for research or for training algorithms or models.
5. Legal basis for processing (GDPR)
We rely on the following legal bases under GDPR:
- Order & transaction data: performance of a contract (Art. 6(1)(b)).
- Uploaded genetic data: explicit consent (Art. 9(2)(a)). Consent must be explicit, informed, freely given, and you may withdraw it at any time.
- Derived genetic data: performance of a contract (Art. 6(1)(b)) and legitimate interest limited to service delivery (Art. 6(1)(f)).
- Analytics data: consent via cookies; legitimate interest only if anonymized.
6. Genetic data handling
6.1 Raw genetic files
- Raw Genetic Files are used solely to generate the report you request.
- Raw Genetic Files are not stored permanently.
- Raw Genetic Files are deleted immediately after successful processing and within 24 hours of a processing failure.
- Raw Genetic Files are not included in backups and are not retained in logs.
6.2 Derived genetic data
- Derived Genetic Data is stored only to deliver and provide access to your report.
- Derived Genetic Data is retained until you request deletion of it.
- Derived Genetic Data cannot be reverse-engineered to reconstruct your Raw Genetic File.
6.3 No secondary use
- No resale of personal data or genetic data.
- No sharing of genetic data with insurers, employers, or law enforcement.
- No research use.
- No reuse for algorithm or model training.
7. Data retention policy
We retain personal data for the periods below:
| Data | Retention |
|---|---|
| Raw genetic files | Deleted immediately after successful processing and within 24 hours of a processing failure. |
| Derived genetic data (reports and results) | Retained until you request deletion of it. |
| Order & transaction data | Retained for 6 years for accounting and legal obligations. |
| Logs and technical data | Retained for 30 days, unless needed longer to investigate security incidents. |
| Cookie identifiers and analytics events | Retained for 12 months. |
8. Data storage & international transfers
- Primary processing location: United States.
- Cloud region: AWS us-east-1.
- Your personal data may be processed outside your country of residence.
- For transfers from the EU/EEA, we use appropriate safeguards such as the European Commission’s Standard Contractual Clauses (SCCs) with our processors.
9. Data sharing & processors
We share personal data only with the following categories of processors, solely to provide the Services:
- Cloud infrastructure provider: hosts the application and stores report outputs.
- Analytics provider: provides aggregated website analytics; genetic data is never sent to analytics.
- Payment processor: processes payments and returns payment confirmation metadata (no card details shared with us).
- Email delivery service: sends transactional emails (e.g., receipts, order messages).
We do not share personal data for marketing, and we do not share genetic data with third parties for their own purposes.
10. Cookies & tracking
We use cookies and similar technologies in the following categories:
- Necessary: required for site functionality and security.
- Analytics: helps us understand aggregated usage and improve the website.
- Marketing: used to deliver and measure advertising.
You can manage analytics and marketing cookies through our cookie consent mechanism and your browser settings, and you can opt out of targeted advertising by disabling marketing cookies. Genetic data is never used for advertising, tracking, or profiling.
11. User rights
GDPR rights
- Right of access
- Right to rectification
- Right to erasure
- Right to restriction of processing
- Right to data portability
- Right to object
- Right to withdraw consent
US user rights (baseline)
- Right to know
- Right to delete
- Right to opt out of targeted advertising
To exercise your rights, contact support@fitmygenes.com. We respond within 30 days.
12. Security measures
We use technical and organizational measures designed to protect personal data, including encryption in transit, access controls and least-privilege principles, and secure deletion practices.
13. Children’s data
The Services are not intended for individuals under 18. We do not knowingly collect children’s genetic data. If you believe a minor has provided personal data to us, contact support@fitmygenes.com.
14. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. The effective date above reflects the current version. If we make material changes, we will provide notice via the website or by email where appropriate.
15. Contact & complaints
Privacy questions and requests: support@fitmygenes.com.
You have the right to lodge a complaint with the Finnish supervisory authority: the Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto). More information is available at tietosuoja.fi.