Version 2026-05-05.v5

Privacy Policy

Effective May 5, 2026. Genosight is operated by Rework AS, trading as Genosight.

1. Scope

This Privacy Policy explains how Genosight collects, uses, stores, shares, protects, and deletes personal data when you use the Genosight website, application, reports, chat features, billing features, and related services.

Genosight processes genetic data and the personal profile information you choose to provide. Genetic data is a sensitive special category of personal data under EU and UK data protection law and receives heightened protection under this policy. The personal profile may include information that is also treated as sensitive (for example, allergies, family history, or lifestyle habits), and we apply the same heightened protections to that information. If you do not want Genosight to process this information, do not upload DNA data or enter personal profile information.

Intended use. Genosight is provided solely as an educational, informational, and lifestyle service. It is not a medical device, in-vitro diagnostic medical device, or software as a medical device within the meaning of EU Regulation 2017/746 (IVDR), EU Regulation 2017/745 (MDR), the UK Medical Devices Regulations 2002, the United States Federal Food, Drug, and Cosmetic Act, or the IMDRF SaMD definition. Reports describe published research associated with variants present in your uploaded data and are designed to be discussed with your healthcare provider — never used as the basis for medical decisions on their own. The full intended-use and regulatory-classification disclosure lives in the Terms of Use § 3a.

2. Controller and contact

Rework AS, trading as Genosight, is the controller for personal data processed for consumer accounts. For privacy requests, use contact@genosight.ai with "Privacy request" in the subject line.

Legal entity: Rework AS, Norwegian organization number 927 255 812, registered address c/o Sebastian Oltedal Thorp, Vestveien 5B, 1450 Nesoddtangen, Norway.

For organization or business-customer use cases where Genosight processes personal data on behalf of another controller, the Data Processing Addendum applies in addition to the commercial agreement.

Data Protection Officer. Genosight has not appointed a formal Data Protection Officer. Our current processing scale and team size do not meet the mandatory thresholds in GDPR Art. 37(1). Privacy questions, data-subject-rights requests, and any concerns about our handling of personal data go to contact@genosight.ai. If our scale changes, we will appoint a DPO and update this policy.

3. Personal data we collect

4. Legal bases

For users in the EEA, UK, or Switzerland, Genosight relies on the following legal bases:

5. How we use personal data

6. AI provider processing

Genosight uses third-party AI services to generate report narratives and findings-chat responses. Genosight does not send your raw DNA file, legal name, email address, or exact date of birth to the AI model. The AI context may include structured findings, profile snapshots, report summaries, and chat history needed to answer your request.

We require AI providers and other service providers to process data only for the services they provide to Genosight and to apply contractual and technical safeguards. We do not permit service providers to sell your genetic data or health information.

7. Sharing and subprocessors

Genosight shares personal data only as needed to operate the service, comply with law, or with your direction. Current categories of recipients include:

Genosight does not sell genetic data, personal profile data, reports, or chat history. Genosight does not voluntarily share genetic data with insurers, employers, data brokers, or law-enforcement databases. Genosight does not provide voluntary database access for forensic matching or law-enforcement searches. If legally compelled to disclose information, we seek to narrow the request and notify you where legally permitted.

The current named subprocessor list is available on our Subprocessors page. Legal-demand statistics and our law-enforcement request posture are available on our Transparency Report.

8. International transfers

Genosight may process and store data in countries other than your own, including the United States and the European Economic Area. Where personal data is transferred from the EEA, UK, or Switzerland to a country without an adequacy decision, Genosight uses appropriate transfer safeguards such as standard contractual clauses, approved transfer mechanisms, supplementary measures, or equivalent safeguards.

9. Retention

10. Your rights and choices

Depending on where you live, you may have rights to access, correct, delete, restrict, object to, or port your personal data; withdraw consent; opt out of marketing; and lodge a complaint with a data protection authority. EEA users may contact the Norwegian Data Protection Authority, Datatilsynet, or their local supervisory authority.

You can export account data from account settings. The export is a JSON bundle of account-owned records. Raw DNA files may need to be downloaded separately where the product exposes a storage download flow, and you should keep your original DNA-provider export.

You can withdraw optional marketing, research, and AI-improvement consents in account settings. Withdrawing optional consents does not affect the lawfulness of processing completed before withdrawal.

10a. Automated decision-making and AI-generated content

Genosight uses AI (Anthropic Claude) to generate report narratives and chat responses grounded in your structured findings and profile context. These outputs are informational and educational only. They do not constitute medical advice, diagnosis, treatment, or any legally binding decision under GDPR Art. 22, and we do not use solely-automated processing for account-impacting decisions (account suspension, billing disputes, fraud determinations all involve human review).

You retain full control over your health decisions and may request human review of any specific report finding by contacting contact@genosight.ai. Always discuss medically-relevant findings with a healthcare provider before acting on them.

11. Security

Genosight uses technical and organizational safeguards designed for sensitive data, including private storage, encryption in transit, encryption at rest where supported by our providers, row-level access controls, server-side authorization, rate limiting, audit-oriented logs, separation of service-role credentials from the browser, and deletion workflows. No system is perfectly secure, and genetic data carries special re-identification risk.

12. Children

Genosight is not directed to children. You must be at least 18 years old to create an account or upload DNA data.

Minor-data takedown. If you believe a person under 18 has created an account or uploaded data to Genosight, contact contact@genosight.ai with the subject "Minor-data takedown" and we will promptly delete the account and associated data. Parents and legal guardians can use the same address to report and request removal.

13. Cookies and similar technologies

Genosight uses cookies and similar technologies for authentication, session security, preferences, fraud prevention, and service operation. Cloudflare Turnstile may process limited device, browser, IP, and challenge signals to help distinguish real users from bots.

With your explicit consent — granted via the on-site cookie banner on first visit — Genosight also sets analytics and ad-measurement cookies via Google Analytics 4 and Google Ads, used to understand aggregate site usage and measure paid-acquisition campaign effectiveness. These cookies operate under Google Consent Mode v2: until you accept the banner, they remain in default-denied state and no personalised advertising or analytics identifiers are set. Choosing "Essential only" in the banner keeps them denied. You can revoke prior consent at any time by clearing your browser storage for genosight.ai, after which the banner will reappear.

We do not use genetic data, health-profile data, or report content for targeted advertising. We do not build advertising audiences based on genetic or health categories.

13a. United States consumer-health and genetic-privacy addendum

Genosight is operated from Norway. Where U.S.-resident consumers interact with the service, the following state-law disclosures apply in addition to (and not in lieu of) the rest of this Privacy Policy. They sit alongside the HIPAA disclosure already given in our Terms and Informed Consent (Genosight is not a HIPAA-covered entity).

Categories covered by U.S. state genetic and consumer-health privacy laws. Genetic data and consumer health data are expressly covered by, among others, the Washington My Health My Data Act (MHMDA), the Nevada Consumer Health Data Privacy Act, the California Genetic Information Privacy Act (GIPA) and the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), and direct-to-consumer genetic-testing statutes enacted in several states including Florida, Maryland, Tennessee, Texas, Utah, and Virginia. The data Genosight processes — self-reported personal profile, uploaded raw DNA, parsed genotype findings, generated reports, and chat history — falls within these definitions.

Collection and processing. Genosight collects this data only for the purposes set out in § 5 of this policy: providing the service you signed up for, securing your account, billing, legal compliance, and operating the product. We do not collect consumer health or genetic data for advertising, profiling for eligibility, employment-related, insurance-related, or financial-services purposes.

No sale, no sharing for cross-context behavioural advertising. Genosight does not sell your consumer health data, genetic data, or any personal data, as those terms are defined in MHMDA RCW 19.373.030, CCPA/CPRA, the Nevada Consumer Health Data Privacy Act, or California GIPA. Genosight does not "share" your personal data for cross-context behavioural advertising as that term is defined under CCPA/CPRA. Genosight does not use genetic or consumer-health data for targeted advertising on or off the service. We do not maintain a "do-not-sell" link because there is nothing to opt out of — sale and behavioural-ad sharing are not part of how Genosight operates.

Sharing limited to processors who help operate the service. The processors we share data with — to provide you the service — are listed at /legal/subprocessors. Each one operates under a written data-protection agreement; none is authorised to use your consumer health or genetic data for their own purposes.

First-party measurement vs. cross-context behavioural advertising. Genosight uses Google Ads conversion tracking and Google Analytics 4 to measure paid-acquisition effectiveness and operate aggregate site analytics. These tools receive only pseudonymous identifiers, anonymized IP, page paths, referrer, and standard interaction events (page_view, sign_up) with a hashed user ID as a transaction-dedup key. They do not receive genetic data, raw DNA, profile fields, findings, reports, or chat content, and we do not use them to build cross-context behavioural-advertising audiences as defined in CCPA/CPRA Civ. Code § 1798.140(ah) or to "share" consumer health data as defined in MHMDA RCW 19.373.030. We do not run remarketing audiences keyed on health, symptom, gene, or variant data, and Google Consent Mode v2 keeps measurement signals in default-denied state for users who do not accept the cookie banner.

Consent for genetic-data processing. Genosight obtains separate explicit consent for processing genetic and health data through the Informed Consent flow before any DNA file is processed or any health-profile field is stored. The consent record is timestamped and version-pinned so you can see what you agreed to. You can withdraw consent at any time per § 12 of the Informed Consent ("Pause processing" or "Delete account"). Withdrawal does not affect the lawfulness of processing that already happened.

Your rights as a U.S. consumer. Subject to your state of residence and the specific statute that applies:

How to exercise rights. Email contact@genosight.ai with "Privacy request" in the subject. Provide enough information for us to verify your identity (we typically verify by sending a confirmation email to the registered account address). We respond within the timeframes required by your state law (45 days under CCPA/CPRA and most other state statutes; 45 days under MHMDA, with a single 45-day extension where reasonable). No charge for the first request in any 12-month period.

State Attorney General complaints. Where state law gives you the right to lodge a complaint with the state Attorney General or a designated regulator (Washington AG under MHMDA; California Privacy Protection Agency or California AG under CCPA/CPRA; etc.), that right is preserved.

14. Changes to this policy

We may update this Privacy Policy as the service, law, vendors, or safeguards change. If a change materially affects your rights or how we process sensitive data, we will provide notice and, where required, request renewed consent before continuing the affected processing.

15. Contact

Privacy questions and rights requests: contact@genosight.ai with "Privacy request" in the subject line.