Last updated: February 2026
We collect the following categories of information when you use True46:
Data we collect, its purpose, and retention period
| Data Type | Purpose | Retention |
| --- | --- | --- |
| Email address | Send report access link | Until report expires |
| Genetic raw data file | Generate analysis | Deleted after processing |
| Curated report data | Display your report | 30 days from generation |
Payment is processed by Stripe. We do not store credit card numbers or payment details on our servers. We do not collect physical addresses or browsing history.
2. How We Use Your Data
Your data is used exclusively to:
- Generate your personalized genome analysis report
- Send you a secure link to access your report via email
- Enable share link functionality if you choose to share your report
We do not use your data for advertising, marketing profiling, or any purpose beyond delivering and maintaining your report.
3. Genetic Data Specifically
We understand the sensitive nature of genetic information and apply strict safeguards:
- Temporary storage only — Your raw genotype file is stored in our database solely during the processing pipeline (typically under 5 minutes). Once analysis is complete, the raw data is permanently deleted.
- Curated results retained — Only the curated analysis results (variant interpretations, risk scores, pharmacogenomic findings) are stored as your report. The raw genotype file itself is not retained.
- No selling or sharing — We never sell, license, or share your genetic data with third parties for their own purposes. Your genetic information is not shared with insurance companies, employers, law enforcement, or data brokers.
- No aggregation for research — We do not aggregate user genetic data for population studies or research without explicit opt-in consent.
4. Data Storage and Security
We implement the following security measures:
- Encrypted database — PostgreSQL on Railway with encryption at rest
- HTTPS only — All data in transit is encrypted via TLS. HSTS is enforced in production.
- Token-based access — Reports are accessed via 43-character URL-safe tokens with approximately 256 bits of entropy. There are no user accounts or passwords to compromise.
- No PII in logs — Email addresses are masked in all application logs (e.g., shr***@domain.com)
- Session-gated polling — Upload status can only be checked by the session that initiated the upload
- Security headers — Report web pages include Cache-Control: no-store and X-Robots-Tag: noindex to prevent caching and indexing
5. Data Retention
- Raw genetic data — Deleted immediately after processing (typically under 5 minutes)
- Report data — Automatically expires and becomes inaccessible 30 days after generation. Expired report data is periodically purged from our systems.
- Share links — Expire 7 days after creation
- Email addresses — Retained only as long as the associated report exists. Purged along with expired report data.
6. Your Rights
You have the right to:
- Request data deletion — Contact us at any time to request immediate deletion of your report and associated data, before the automatic 30-day expiration
- Request a copy of your data — You may request a copy of the curated report data we have stored for you
- Opt out of communications — You can request to not receive future emails from us
- Access your report — Use your report link to view or download a PDF of your analysis at any time before it expires
To exercise any of these rights, email admin@true46.com.
7. Cookies
We use only essential cookies required for the Service to function:
- Django session cookie — Used to maintain your session during upload and polling. This is a technical necessity, not a tracking mechanism.
- CSRF token cookie — Used to protect form submissions against cross-site request forgery attacks.
We use Google Analytics 4 (GA4) for anonymous site analytics. GA4 uses first-party cookies to distinguish unique users and sessions. We do not enable advertising features or link analytics data to your genetic information. You can opt out at https://tools.google.com/dlpage/gaoptout. We do not use advertising pixels, Facebook Pixel, or similar third-party tracking scripts beyond GA4.
8. Third-Party Services
The Service relies on the following third-party providers:
Third-party service providers and data shared
| Provider | Purpose | Data Shared |
| --- | --- | --- |
| Stripe | Payment processing | Payment details (processed by Stripe, not stored on our servers). See Stripe's Privacy Policy. |
| Railway | Application hosting and database | All application data (encrypted at rest) |
| SendGrid | Email delivery | Email address and report link |
| Anthropic (Claude) | AI-powered report interpretation | Curated genetic findings for analysis |
| Google Analytics | Anonymous site analytics | IP address, page views, events (no genetic data). See Google's Privacy Policy. |
| Google Fonts | Font delivery | IP address (standard web request). See Google's Privacy Policy. |
| Sentry | Error monitoring | Technical error data only (no genetic data, no email addresses). See Sentry's Privacy Policy. |
When AI interpretation is enabled, curated genetic findings (not raw genotype data) are sent to Anthropic's Claude API for personalized report generation. This data is subject to Anthropic's Privacy Policy. Anthropic does not use API inputs for model training by default.
9. Children
The Service is not intended for use by individuals under the age of 18. We do not knowingly collect genetic data or personal information from minors. If you believe a minor has used the Service, please contact us immediately so we can delete the associated data.
10. California Residents (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- The right to know what personal information we collect and how it is used
- The right to request deletion of your personal information
- The right to opt out of the sale of personal information — we do not sell personal information
- The right to non-discrimination for exercising your privacy rights
To submit a CCPA request, email admin@true46.com with the subject line "CCPA Request".
11. European Residents (GDPR)
If you are in the European Economic Area (EEA) or United Kingdom, you have rights under the General Data Protection Regulation (GDPR):
- Legal basis — We process your data based on your explicit consent when you upload your genetic file and agree to the Terms of Service
- Right of access — You can request a copy of all personal data we hold about you
- Right to rectification — You can request correction of inaccurate data
- Right to erasure — You can request deletion of your data at any time
- Right to data portability — You can request your report data in a machine-readable format
- Right to withdraw consent — You may withdraw consent at any time by requesting data deletion
Genetic data is classified as a "special category" of personal data under GDPR Article 9. We process this data only with your explicit consent, provided when you upload your file and accept these terms. Your consent is recorded at the time of upload.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. For material changes affecting how we handle genetic data, we will make reasonable efforts to notify affected users.
For privacy-related questions, data deletion requests, or to exercise any of your rights, please contact us at admin@true46.com.