Subprocessors
Effective April 30, 2026. This page lists the main third-party services Genosight uses to operate the consumer service. Genosight is operated by Rework AS, Norwegian organization number 927 255 812, registered address c/o Sebastian Oltedal Thorp, Vestveien 5B, 1450 Nesoddtangen, Norway.
Genosight uses subprocessors only as needed to provide, secure, support, and bill for the service. We do not sell genetic data, health profile data, reports, or chat history. We do not voluntarily provide genetic data for law-enforcement database searches, forensic matching, insurance underwriting, employment decisions, or data-broker resale.
Raw DNA files are stored in private storage and are not sent to AI providers by design. If our subprocessors or data flows materially change, we will update this page and, where required, notify users or request renewed consent.
Current subprocessors
Supabase
Database, authentication, and private genome-file storage
- Data: Account records, consent records, profile data, raw DNA files, parsed findings, reports, chat history, billing metadata, and security records.
- Safeguards: Row-level security, private storage, encryption in transit and at rest where supported, service-role isolation, and deletion workflows.
Vercel
Application hosting, runtime, deployment, and limited operational logs
- Data: Request metadata, runtime logs, deployment metadata, and data processed transiently by server routes.
- Safeguards: Environment-variable controls, access controls, deployment separation, logging controls, and data processing terms.
Anthropic
AI-assisted report and findings-chat generation
- Data: Limited structured findings, rsIDs, genes, genotype tags, evidence levels, selected health-profile context, report summaries, and chat history needed for the request.
- Safeguards: Raw DNA files, legal name, email address, exact date of birth, and payment details are not sent to the AI provider by design.
Stripe
Checkout, subscriptions, invoices, customer portal, fraud prevention, and payment events
- Data: Email address, customer identifiers, purchases, invoices, subscription status, tax/payment metadata, and webhook metadata. Genosight does not store full card numbers.
- Safeguards: Stripe-hosted checkout and portal, webhook signature verification, payment-provider security controls, and Stripe privacy/data processing terms.
Resend
Transactional and optional email delivery
- Data: Email address, email metadata, and message content. Genosight avoids including raw DNA, detailed findings, diagnoses, or report content in emails.
- Safeguards: Transactional-email purpose limitation, sender authentication, and data processing terms.
Sentry
Error monitoring and diagnostics
- Data: Error events, stack traces, route names, request metadata, browser errors, and possible incidental identifiers.
- Safeguards: Replay disabled by default, server-side redaction, project data-scrubbing settings, and no intentional raw DNA or health-profile logging.
Cloudflare Turnstile
Bot and abuse protection for account signup
- Data: IP address, browser/device/challenge signals, and token verification metadata.
- Safeguards: Security-only use for bot detection and Cloudflare Turnstile privacy controls.
Google Ads (conversion measurement)
Search advertising and first-party conversion measurement for paid-acquisition campaigns
- Data: IP address, browser/device signals, referrer, ad-click identifiers (gclid), and a pseudonymous transaction key (the internal user ID) when a new account is created via a paid-ad-attributed visit. Genetic data, raw DNA, profile fields, report content, and chat history are NEVER sent to Google Ads.
- Safeguards: Google Consent Mode v2 with default-deny in EEA until the cookie banner is accepted, IP anonymization, no remarketing audiences, no advertising audiences derived from genetic or health categories, conversion-tracking scope only.
Google Analytics 4
Aggregate web analytics (page views, traffic sources, sign-up funnel)
- Data: Pseudonymous client identifier (cookie), anonymized IP address, page paths, referrer, browser/device signals, and standard interaction events such as page_view and sign_up. Genetic data, raw DNA, profile fields, report content, and chat history are NEVER sent to Google Analytics.
- Safeguards: Google Consent Mode v2 default-deny until the cookie banner is accepted, anonymize_ip enforced, Google Signals demographic enrichment off, no User-ID join with personal data, ad-personalization disabled.
Google Fonts
Web font delivery (Inter typeface) for the consumer web app
- Data: Connection metadata only — IP address and user-agent. No genetic data, health-profile data, account data, or report content is transferred. Font requests are issued by your browser when loading any Genosight page.
- Safeguards: Metadata-only delivery via Google CDN over TLS. Google Fonts is operated under Google Workspace privacy controls and the Google Cloud Platform terms.
jsDelivr (Cloudflare/Fastly CDN)
Web font delivery (Inter typeface) used in generated PDF reports
- Data: Connection metadata only — IP address and user-agent. No genetic data, health-profile data, account data, or report content is transferred. Font files are fetched server-side during PDF generation.
- Safeguards: Metadata-only delivery via the jsDelivr public CDN over TLS. Open-source-asset delivery service operated under jsDelivr terms.
HaveIBeenPwned (Pwned Passwords API)
Server-side breach-database check during password creation to prevent account takeover via credential stuffing
- Data: A 5-character SHA-1 prefix derived from the candidate password is sent to the API. The full password and any user-identifying information are NOT transmitted (k-anonymity model). No PII or PHI is shared.
- Safeguards: k-anonymity-only request shape, server-side TLS, no logging or retention of password hashes by Genosight, fail-open on network error so an HIBP outage does not break signup.
Questions or objections
Contact contact@genosight.ai with "Privacy request" in the subject line if you have questions about subprocessors, international transfers, or how a vendor processes data for Genosight.