Privacy

Private beta · last updated 2026-06-15

This is a working draft of what Expressive does with your data during private beta. A full legal policy will replace this page before public launch.

Your genetic data

  • Encrypted at rest with a key derived from your wallet signature. We never see the key in plaintext on the server side.
  • Stored in a HIPAA-isolated database, separate from your account profile.
  • The raw file you upload is parsed, then discarded immediately. Only the extracted variants are kept.
  • Never sold, never shared with third parties, never used to train models we don't run.

Account data

  • Email, password hash (Argon2id), wallet address, and basic profile fields you fill in (height, weight, etc.) are stored with PII-grade encryption.
  • Used only for sign-in, generating your reports, and contacting you about your account.

Analytics & cookies

  • Session JWT for sign-in. Stored in localStorage, not a cookie. Cleared when you sign out or delete your account.
  • Google Analytics 4 + Google Tag Manager load on public pages (landing, about, /snp/, /gene/) and throughout the app once you sign in. We use them to understand which pages get read and how new visitors arrive, not to build advertising profiles. Google sets its own first-party cookies (_ga, _ga_*) for visitor identification; you can block them in your browser with no loss of functionality.
  • No third-party advertising cookies. No Facebook pixel, no Twitter conversion tracker, no programmatic ad partners.
  • IP addresses appear in transient nginx and Cloudflare logs (standard for any web server). They don't get joined to your account record.
  • Consent banner status: not currently shown. We're operating under the legitimate-interest basis while in private beta with a small invited audience; a full consent flow lands before public launch. EU/UK visitors who prefer to opt out today can do so via browser-level Do Not Track or by blocking the GA4 loader.

Email & mailing list

  • Transactional email (verification, password reset, report-ready notifications) goes through Resend. Resend logs delivery success/failure for spam-prevention purposes; we keep the same record in our own database and never share your address with anyone outside of Resend's processing.
  • The mailing-list opt-in on the bottom of public pages is separate from your account email. You can unsubscribe with one click from any newsletter we send.
  • We don't auto-subscribe you to anything when you create an account.

Deletion

You can delete your account from /app/settings. Deletion is immediate and removes both your account row and every derived report. There's no recovery window; if you change your mind, you have to re-upload and re-generate.

Contact

Questions, corrections, or data requests: contact@expressive.fit.

Stay in the loop

Policy changes go out here first, plus any major updates to how we handle your data. Same address as the research newsletter; one-click unsubscribe in every email.
