Privacy Policy
Effective date: April 1, 2026
Your privacy is critically important to us. This policy explains what data we collect, how we use it, where it is stored, and your rights regarding your data, with particular attention to the handling of genetic information.
1. Who We Are
Insights on Ancestry (“we,” “us,” “our”) operates the website at ioancestry.com. We provide a genetic ancestry analysis platform that allows users to upload raw DNA data and run population genetics models against ancient and modern reference datasets.
For questions or requests regarding this policy, contact us at insightsonancestry@gmail.com.
2. Data We Collect
2.1 Account Information
When you create an account, we collect:
- Email address (used for login and communication)
- First name, last name, and optional middle name
- Country of residence
- Password (securely hashed — we never see or store your plaintext password)
2.2 Genetic Data
When you upload a DNA file, we receive:
- Your raw genotype file (the file you export from your DNA testing provider)
- File metadata: file name, file size, provider name, upload timestamp
- A user-chosen label for the file
We do not extract, analyze, or store health-related genetic variants. The Service processes genotype data solely for ancestry analysis purposes. We do not perform medical, diagnostic, or health-related analysis of any kind.
2.3 Analysis Data
When you run an analysis, we store:
- Analysis configuration (selected dataset, source populations, reference populations, target)
- Analysis results (ancestry estimates, statistical outputs)
- Run metadata (timestamps, duration, status, stage progression)
2.4 Technical Data
We automatically collect:
- IP address (used for rate limiting and abuse prevention — not stored long-term)
- Browser user agent (used for debugging — not stored long-term)
- Request timestamps and durations (audit logs)
We do not use cookies for tracking or advertising. We use strictly necessary cookies for authentication and session management only.
3. How We Use Your Data
| Account information | To create and manage your account, authenticate you, and communicate service-related updates |
| Genetic data | To run the ancestry analyses you request — and for no other purpose |
| Analysis results | To display your results in your dashboard and allow you to export them |
| Technical data | To enforce rate limits, prevent abuse, debug errors, and maintain service security |
We do not:
- Sell, rent, license, or share your data with third parties
- Use your genetic data for research, product development, or any purpose beyond providing the Service to you
- Build profiles or models from your data
- Use your data for advertising or marketing targeting
- Share your data with law enforcement unless compelled by a valid legal order
4. Where Your Data Is Stored
All data is hosted on Amazon Web Services (AWS) infrastructure in the United States.
| Raw DNA files | Encrypted at rest using industry-standard encryption. All public access is blocked. |
| Analysis outputs | Same encryption and access controls as raw files. |
| Account data & metadata | Encrypted at rest. Accessed only via authenticated API routes. |
| Authentication credentials | Passwords are securely hashed and salted. We never see or store plaintext passwords. |
| Data in transit | All connections are encrypted (HTTPS enforced). |
Each user's files are isolated from all other users at the infrastructure level. Access requires a valid, user-specific authentication token.
5. Data Retention
| Raw DNA files | Retained while your account is active. Deleted immediately when you remove a file from your dashboard. |
| Analysis results | Automatically deleted 90 days after the run completes (enforced by database TTL). |
| Analysis configuration | Same 90-day retention as results. |
| Account information | Retained until you delete your account. |
| Rate-limit records | Automatically deleted within minutes to hours (short-lived TTL records). |
| Audit logs | Retained per our cloud provider’s default retention policy. Contain request metadata only — never raw genetic data. |
6. Your Rights
You have the right to:
6.1 Access
View all data associated with your account at any time via the dashboard. Your DNA files, analysis results, and account information are visible in the application.
6.2 Deletion
- Per-file deletion:Delete any DNA file from the “My DNA Files” section. This immediately removes the file and all associated data from our systems.
- Account deletion: Request full account deletion by emailing insightsonancestry@gmail.com. We will remove all your data, including DNA files, analysis results, and account information, from our systems within 30 days.
6.3 Data Export
You can export your analysis results from the dashboard (as text or PNG). Your original DNA file is not re-downloadable for security reasons: you already have the original from your testing provider.
6.4 Withdraw Consent
You may withdraw consent to process your genetic data at any time by deleting your files and/or your account. Withdrawal does not affect the lawfulness of processing performed before the withdrawal.
7. How We Obtain Consent
We obtain explicit, informed consent at multiple points:
- Account creation: By creating an account, you agree to the Terms of Service and this Privacy Policy. This consent-by-action is clearly stated on the registration form before you submit.
- File upload: Uploading a DNA file is a deliberate, multi-step action: you select your provider, choose a file, and confirm the upload. No genetic data is collected passively or automatically.
- Analysis execution:Each analysis run is explicitly initiated by you. You configure the parameters and click “Run.” No analysis is performed without direct user action.
8. Third-Party Services (Sub-Processors)
We use the following third-party services to operate the platform. None of these services receive or have access to your raw genetic data:
- Amazon Web Services (AWS): Cloud infrastructure provider. Hosts all data and runs all compute. Subject to the AWS Customer Agreement.
- Dodo Payments: Payment processing (merchant of record). Receives billing information only, never genetic or analysis data. See Dodo Payments Privacy Policy.
- PostHog: Product analytics. Receives anonymized usage events (page views, feature interactions) and, if you are an identified user, your user ID, subscription tier, and country. PostHog is only initialized after you accept analytics cookies. Raw email address is never sent. See PostHog Privacy Policy.
- Sentry: Error monitoring. Receives error context and stack traces to help us diagnose technical issues. May include request metadata (URL, user ID) but never raw genetic data. See Sentry Privacy Policy.
- Resend: Transactional email delivery. Receives your name and email address to send account confirmations, billing notifications, and service-related communications. See Resend Privacy Policy.
We do not use third-party advertising or user-tracking services. No third-party service has access to your DNA files or analysis results. For questions about sub-processors, contact us at insightsonancestry@gmail.com.
9. Security Measures
We implement the following technical safeguards:
- Encryption at rest for all stored files and database records
- Encryption in transit for all network communication
- Secure authentication with automatic session expiry after inactivity
- Abuse prevention measures including rate limiting on all endpoints
- Input validation and sanitization on all user-submitted data
- User-isolated storage — your files are separated from all other users at the infrastructure level
- Industry-standard security headers and access controls
No system is 100% secure. If we become aware of a security breach affecting your data, we will notify you and relevant authorities in accordance with applicable law.
10. Children's Privacy
The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information or genetic data from children. If we learn that we have collected data from a child under 18, we will delete it promptly. If you believe a minor has provided us with data, please contact us at insightsonancestry@gmail.com.
11. International Data Transfers
All data is stored and processed in the United States. If you are accessing the Service from outside the United States, your data will be transferred to and processed in the United States. By using the Service, you consent to this transfer.
12. Data Breach Notification
In the event of a data breach involving your personal or genetic data, we will:
- Notify affected users by email within 72 hours of becoming aware of the breach
- Describe the nature of the breach and the data involved
- Describe the measures taken to address the breach
- Notify relevant regulatory authorities as required by applicable law
13. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, especially regarding genetic data handling, we will notify you by email at least 30 days before the changes take effect. The “Effective date” at the top of this page indicates when the policy was last updated.
Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated policy.
14. Your California Privacy Rights
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Genetic Information Privacy Act (CalGINA):
- Right to know what personal information we collect and how it is used
- Right to delete your personal information
- Right to opt out of the sale of personal information (we do not sell personal information)
- Right to non-discrimination for exercising your privacy rights
- Your genetic data is protected under CalGINA — we will not share it with insurance companies, employers, or third parties without your explicit consent
To exercise these rights, contact us at insightsonancestry@gmail.com.
15. GDPR Rights (EEA Residents)
If you are a resident of the European Economic Area, you have additional rights under the General Data Protection Regulation (GDPR).
Legal basis for processing:Genetic data is classified as a “special category” of personal data under GDPR Article 9. Our legal basis for processing your genetic data is your explicit consent (Article 9(2)(a)), which you provide when you create an account and upload your DNA file. For account and technical data, our legal basis is legitimate interest (Article 6(1)(f)) and contract performance (Article 6(1)(b)).
You have the right to:
- Access your personal data
- Rectify inaccurate personal data
- Erase your personal data (“right to be forgotten”)
- Restrict processing of your personal data
- Data portability (receive your data in a structured, machine-readable format)
- Object to processing of your personal data
- Withdraw consent at any time
- Lodge a complaint with a supervisory authority
To exercise these rights, contact us at insightsonancestry@gmail.com.
16. Contact
For any questions, concerns, or requests regarding this Privacy Policy or your data, contact us at:
Insights on Ancestry
Email: insightsonancestry@gmail.com