
Privacy Policy

Last updated: December 5, 2025 | Version: 2.0

1. Introduction

GenogramAI, Inc. ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our visualization and diagramming service, including our website, desktop applications, mobile applications, and related services (collectively, the "Service").

By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree with the terms of this Privacy Policy, please do not access the Service.

1.1 Important Notice About Healthcare Data

CRITICAL: GenogramAI is NOT HIPAA-compliant and is NOT intended for storing Protected Health Information (PHI) or clinical data. This Service is designed for educational, genealogical, and personal use only.

Healthcare providers: Do not use this Service to store patient or client information. See our Terms of Service for complete details on prohibited uses.

1.2 Data Controller

For the purposes of data protection laws, GenogramAI, Inc. is the data controller of your personal information.

Contact Information:

  • GenogramAI, Inc.
  • 177 E Colorado Blvd
  • Pasadena, CA 91105
  • Email: privacy@genogramai.com

Data Protection Officer:

  • Email: dpo@genogramai.com

2. Information We Collect

2.1 Information You Provide to Us

Account Information

When you create an account, we collect:

  • Email address (required)
  • Password (stored in encrypted form)
  • Name (optional)
  • Profile information (optional)
  • Payment information (processed by third-party payment processors)

User Content

We store the diagrams, genograms, text, notes, and images you create or upload ("User Content") to provide the Service. This may include:

  • Diagram data (names, relationships, notes, dates)
  • Uploaded images and files
  • Text annotations and descriptions
  • Custom templates and symbols
  • Exported files

Important: We do not proactively monitor, review, or categorize the content of your diagrams. We treat all User Content as general data. You are responsible for ensuring your User Content does not contain Protected Health Information (PHI) or other prohibited data as described in our Terms of Service.

Communications

If you contact us directly, we collect:

  • Your name and email address
  • Content of your message
  • Any attachments you send
  • Support ticket history

Survey and Research Data

If you participate in surveys or research studies, we collect:

  • Survey responses
  • Feedback and opinions
  • Product usage preferences

2.2 Information Collected Automatically

When you use the Service, we automatically collect:

Device Information

  • Browser type and version
  • Operating system
  • Device type (desktop, mobile, tablet)
  • Screen resolution
  • Device identifiers (if using mobile apps)

Usage Data

  • Pages and features accessed
  • Time spent on the Service
  • Actions performed (creating diagrams, exports, etc.)
  • Feature usage patterns
  • Navigation paths
  • Interaction with UI elements
  • Error logs and crash reports

Log Data

  • IP address
  • Date and time of access
  • Referring URLs
  • Search terms used to find our Service
  • Browser language settings

Location Data

  • Approximate geographic location based on IP address
  • Country and region (not precise GPS location)

Cookies and Similar Technologies

We use cookies, web beacons, and similar tracking technologies. See Section 10 for details.

2.3 Information from Third-Party Sources

We may receive information from:

Authentication Providers

If you sign in using Google, Microsoft, or other single sign-on providers:

  • Name
  • Email address
  • Profile picture
  • Account ID from the provider

Payment Processors

From Stripe, PayPal, or other payment processors:

  • Transaction confirmation
  • Billing information
  • Payment method type (last 4 digits of card)
  • Transaction history

Analytics Services

From services like Google Analytics, Mixpanel:

  • Aggregated usage statistics
  • Demographic information (age range, interests)
  • Device and browser information

We do not receive your payment card details directly. Payment information is processed and stored by our PCI-compliant payment processors.

3. How We Use Your Information

We use collected information for the following purposes:

3.1 To Provide and Maintain the Service

  • Create and manage your account
  • Store and synchronize your diagrams across devices
  • Enable collaboration features (if you share diagrams)
  • Process and fulfill your requests
  • Provide customer support

3.2 To Process Transactions

  • Process subscription payments
  • Send billing invoices and receipts
  • Manage subscription renewals and cancellations
  • Detect and prevent payment fraud

3.3 To Communicate with You

  • Send service-related announcements and updates
  • Respond to your inquiries and support requests
  • Send account notifications (password resets, security alerts)
  • Provide technical notices and security updates
  • Send optional marketing communications (with your consent)

3.4 To Improve and Develop the Service

  • Analyze usage patterns and trends
  • Monitor and analyze Service performance
  • Develop new features and functionality
  • Conduct research and testing
  • Troubleshoot technical issues
  • Enhance user experience

3.5 For Security and Fraud Prevention

  • Detect, prevent, and address security incidents
  • Monitor for suspicious activity
  • Enforce our Terms of Service
  • Protect against fraud and abuse
  • Verify user identity when necessary

3.6 For Legal and Compliance Purposes

  • Comply with legal obligations
  • Respond to legal requests and prevent harm
  • Enforce our agreements and policies
  • Protect our rights and property

3.7 AI Features

When you use AI-powered features:

  • Your prompts and relevant diagram data are sent to third-party AI providers (Anthropic Claude, OpenAI, etc.)
  • AI providers process your data to generate requested content
  • We do NOT use your User Content to train AI models unless you explicitly opt in
  • AI providers may use prompts for their own model improvement (subject to their policies)

3.8 What We Do NOT Do

We do NOT:

  • Sell your personal information to third parties
  • Use your User Content for advertising or marketing
  • Share your diagrams with third parties for their marketing purposes
  • Use your User Content to train AI models without your consent
  • Monitor or review your diagram content unless required for support or legal reasons

4. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom (UK), or Switzerland, we process your personal data based on the following legal grounds:

4.1 Contract (GDPR Art. 6(1)(b))

Processing is necessary to:

  • Provide the Service you've subscribed to
  • Fulfill our contractual obligations
  • Manage your account and billing

4.2 Consent (GDPR Art. 6(1)(a))

With your explicit consent for:

  • Marketing communications
  • Optional data collection (surveys, research)
  • Non-essential cookies
  • AI feature usage

You may withdraw consent at any time without affecting prior processing.

4.3 Legitimate Interests (GDPR Art. 6(1)(f))

When necessary for our legitimate interests:

  • Improving and developing the Service
  • Preventing fraud and security threats
  • Analyzing usage patterns
  • Conducting research and development
  • Enforcing our Terms of Service

We balance our interests against your privacy rights and do not process data where your interests override ours.

4.4 Legal Obligation (GDPR Art. 6(1)(c))

When required to comply with:

  • Legal requirements
  • Court orders
  • Regulatory obligations
  • Tax and accounting requirements

5. Data Storage, Security & Retention

5.1 Data Storage Location

Your data is stored on secure servers located in the United States. We use trusted cloud infrastructure providers including:

  • Amazon Web Services (AWS)
  • Google Cloud Platform
  • Supabase (PostgreSQL database hosting)

By using the Service, you consent to the transfer and processing of your data in the United States.

5.2 Security Measures

We implement industry-standard security measures to protect your data:

Encryption

  • Transport Security: TLS 1.2+ / SSL encryption protects data during transmission
  • Encryption at Rest: AES-256 encryption for data stored on servers
  • Database Encryption: Encrypted database storage
  • Backup Encryption: Encrypted backup systems

Access Controls

  • Strong password requirements
  • Two-factor authentication (2FA) available
  • Role-based access control for employees
  • Least-privilege access principles
  • Regular access reviews and audits

Monitoring and Response

  • 24/7 security monitoring
  • Intrusion detection systems
  • Regular security assessments
  • Vulnerability scanning
  • Incident response procedures

Employee Security

  • Background checks for employees with data access
  • Security training and awareness programs
  • Confidentiality agreements
  • Limited employee access to User Content

Physical Security

  • SOC 2 certified data centers (AWS, Google Cloud)
  • Physical access controls
  • Environmental protections
  • Redundant systems

5.3 Security Limitations

Please note:

  • No system is 100% secure
  • Internet transmission carries inherent risks
  • You are responsible for securing your account credentials
  • This Service does NOT provide HIPAA-level security safeguards

You acknowledge that there is inherent risk in transmitting data over the internet and storing data electronically.

5.4 Local Storage Option

Our desktop application offers a local storage option:

  • Store diagrams exclusively on your device
  • No cloud synchronization
  • Data never transmitted to our servers
  • You are responsible for backups

This option provides maximum privacy but sacrifices synchronization and collaboration features.

5.5 Data Retention

We retain your information for different periods depending on the type:

Data Type | Retention Period | Reason
Account Information | While account is active + 30 days after deletion | Service provision
User Content (Diagrams) | While account is active + 30 days after deletion | Service provision
Payment Records | 7 years | Legal/tax compliance
Audit Logs | 6 years | Security/compliance
Support Communications | 3 years | Customer service
Marketing Data | Until opt-out + 30 days | Marketing purposes
Anonymized Analytics | Indefinitely | Product improvement
Backup Data | 90 days | Disaster recovery

5.6 Data Deletion

You can request deletion of your data at any time:

  • Use the "Delete Account" feature in account settings
  • Contact support@genogramai.com
  • Email privacy@genogramai.com

Upon deletion request:

  • Active data deleted within 30 days
  • Backup copies deleted within 90 days
  • Some information retained for legal compliance (payment records, audit logs)
  • Anonymized data may be retained indefinitely

Important: Deletion is permanent and cannot be undone. Export your data before requesting deletion.

6. Data Sharing and Disclosure

We do NOT sell your personal information to third parties.

We may share your information in the following circumstances:

6.1 Service Providers (Data Processors)

We share data with third-party service providers who perform services on our behalf:

Provider Type | Purpose | Examples
Cloud Hosting | Store and process data | AWS, Google Cloud, Supabase
Payment Processing | Process payments | Stripe, PayPal
AI Services | Power AI features | Anthropic, OpenAI
Email Services | Send transactional emails | SendGrid, AWS SES
Analytics | Understand usage | Google Analytics, Mixpanel
Customer Support | Provide support | Intercom, Zendesk

All service providers:

  • Are contractually obligated to protect your data
  • May only use data to provide services to us
  • Must comply with applicable data protection laws
  • Have signed Data Processing Agreements (DPAs) with us

Your User Content is NEVER:

  • Shared with third parties for their marketing
  • Sold to data brokers
  • Used to train AI models (unless you opt in)

6.2 Business Transfers

If GenogramAI is involved in a merger, acquisition, sale of assets, bankruptcy, or similar transaction:

  • Your information may be transferred as part of that transaction
  • We will notify you via email and/or prominent notice on our website
  • The acquiring company must honor this Privacy Policy

6.3 Legal Requirements

We may disclose your information if required to:

  • Comply with legal obligations (subpoenas, court orders)
  • Enforce our Terms of Service and other agreements
  • Protect our rights, property, or safety
  • Protect the rights, property, or safety of our users or the public
  • Prevent fraud, security threats, or illegal activity
  • Respond to government requests

We will notify you of legal requests unless prohibited by law.

6.4 With Your Consent

We may share your information for other purposes with your explicit consent.

6.5 Aggregated and Anonymized Data

We may share aggregated, anonymized data that cannot identify you:

  • Industry reports and trends
  • Research and academic studies
  • Marketing materials
  • Public statistics

7. Your Rights and Choices

7.1 Rights for All Users

Regardless of your location, you have the following rights:

Access Your Data

  • Request a copy of the personal data we hold about you
  • View your account information in settings

Correct Your Data

  • Update inaccurate or incomplete information
  • Edit your account details in settings

Delete Your Data

  • Request deletion of your account and data
  • Use "Delete Account" in settings or contact us

Export Your Data

  • Download your diagrams in JSON, PDF, or other formats
  • Use the "Export Data" feature in settings

Opt-Out of Marketing

  • Unsubscribe from marketing emails via the link in any email
  • Adjust email preferences in account settings

Disable Cookies

  • Adjust cookie settings in your browser
  • Use our cookie preference center

7.2 Additional Rights for EEA/UK/Swiss Users (GDPR)

If you are in the EEA, UK, or Switzerland, you have additional rights:

Right to Restriction

  • Request restriction of processing in certain circumstances
  • Data will be stored but not processed

Right to Object

  • Object to processing based on legitimate interests
  • Object to direct marketing at any time

Right to Data Portability

  • Receive your data in a structured, machine-readable format
  • Transmit your data to another service provider

Right to Withdraw Consent

  • Withdraw consent for processing at any time
  • Does not affect prior lawful processing

Right to Lodge a Complaint

  • File a complaint with your local supervisory authority
  • UK: Information Commissioner's Office (ICO)
  • EU: Your national data protection authority
  • Contact us first: We'll try to resolve your concerns

Automated Decision-Making

  • Right not to be subject to solely automated decisions with legal effects
  • We do not use fully automated decision-making

To exercise these rights, contact: privacy@genogramai.com

We will respond within 30 days (may extend to 90 days for complex requests).

7.3 Rights for California Residents (CCPA/CPRA)

If you are a California resident, you have rights under the California Consumer Privacy Act:

Right to Know

  • Categories of personal information collected
  • Sources of personal information
  • Business purposes for collection
  • Categories of third parties we share with

Right to Delete

  • Request deletion of personal information
  • Subject to certain exceptions (legal obligations, fraud prevention)

Right to Opt-Out

  • We do NOT sell personal information
  • No opt-out necessary

Right to Non-Discrimination

  • We will not discriminate against you for exercising your rights

Authorized Agent

  • You may designate an authorized agent to make requests
  • Agent must provide proof of authorization

7.4 Rights for Other Jurisdictions

Canada (PIPEDA)

  • Right to access personal information
  • Right to challenge accuracy
  • Right to withdraw consent
  • Contact: Office of the Privacy Commissioner of Canada

Australia

  • Right to access and correct personal information
  • Contact: Office of the Australian Information Commissioner (OAIC)

Brazil (LGPD)

  • Similar rights to GDPR (access, correction, deletion, portability)
  • Contact: Autoridade Nacional de Proteção de Dados (ANPD)

8. Your Responsibilities

8.1 Data You Upload

You are responsible for the data you upload to the Service.

You should:

  • ✓ Use pseudonyms or initials instead of real names when appropriate
  • ✓ Avoid uploading sensitive personal information
  • ✓ Consider using the local storage option for highly sensitive data
  • ✓ De-identify or anonymize data before upload
  • ✓ Use fictional data for practice and educational purposes

Healthcare providers and covered entities:

  • ✗ DO NOT upload patient or client information
  • ✗ DO NOT upload Protected Health Information (PHI)
  • ✗ DO NOT use this Service for clinical documentation

See our Terms of Service Section 4 for complete details on prohibited data.

8.2 Account Security

You are responsible for:

  • Keeping your password secure and confidential
  • Using a strong, unique password
  • Enabling two-factor authentication (recommended)
  • Logging out of shared or public devices
  • Notifying us immediately of unauthorized access

We will never ask for your password via email, phone, or any other method.

8.3 Compliance with Laws

If you are subject to privacy regulations (HIPAA, GDPR, PIPEDA, etc.):

  • You are responsible for ensuring your use complies with applicable laws
  • You acknowledge this Service is NOT designed for regulated healthcare data
  • You should consult legal counsel if uncertain about compliance

9. Children's Privacy

9.1 Age Requirements

The Service is not intended for children under 13 years of age (or under 16 in the EEA).

We do not knowingly collect personal information from children under the applicable age without parental consent.

9.2 Parental Consent

For users aged 13-17 (or 13-15 in the EEA):

  • Parental or guardian consent is required
  • Parents may review and delete their child's information
  • Contact us at privacy@genogramai.com

9.3 Educational Use

Teachers and educational institutions using the Service with students:

  • Must obtain appropriate parental consents
  • Should use accounts with pseudonyms or student IDs
  • Should enable the strictest privacy settings

9.4 If We Learn of Child Data

If we discover we have collected information from a child without consent:

  • We will delete the information as quickly as possible
  • We will terminate the account
  • We will notify parents if we have contact information

If you believe we have collected data from a child, contact us immediately: privacy@genogramai.com

10. Cookies and Tracking Technologies

10.1 What Are Cookies?

Cookies are small text files stored on your device when you visit our website. We use cookies and similar technologies (web beacons, pixels, local storage) to provide and improve the Service.

10.2 Types of Cookies We Use

Strictly Necessary Cookies (Essential)

Required for the Service to function. These cannot be disabled.

  • Authentication (keep you logged in)
  • Security (prevent fraud)
  • Load balancing (distribute traffic)
  • Session management

Functional Cookies (Optional)

Enhance functionality and remember your preferences.

  • Language preferences
  • Display settings
  • Recently used features
  • UI customization

Analytics Cookies (Optional)

Help us understand how users interact with the Service.

  • Google Analytics
  • Mixpanel
  • Hotjar (session recordings)
  • Page views and navigation patterns
  • Feature usage statistics

Marketing Cookies (Optional)

Track visitors across websites for advertising purposes.

  • Google Ads conversion tracking
  • Facebook Pixel
  • LinkedIn Insight Tag
  • Retargeting pixels

10.3 Third-Party Cookies

We use third-party services that may set their own cookies:

  • Google Analytics (analytics)
  • Stripe (payment processing)
  • Intercom (customer support chat)
  • Social media platforms (if you share content)

These third parties have their own privacy policies.

10.4 Managing Cookies

You can control cookies through:

Our Cookie Preference Center

  • Access via the cookie banner on first visit
  • Adjust preferences at: genogramai.com/cookies
  • Enable/disable non-essential cookies

Your Browser Settings

  • Block all cookies
  • Delete existing cookies
  • Set preferences per website
  • Enable "Do Not Track" signals

Note: Disabling cookies may affect Service functionality (e.g., staying logged in).

Opt-Out Links

  • Google Analytics: tools.google.com/dlpage/gaoptout
  • Network Advertising Initiative: optout.networkadvertising.org
  • Digital Advertising Alliance: optout.aboutads.info

10.5 Do Not Track Signals

Some browsers support "Do Not Track" (DNT) signals. We currently do not respond to DNT signals, but you can disable tracking cookies via our preference center.

10.6 Mobile Device Identifiers

Our mobile apps may use device identifiers for:

  • App analytics
  • Crash reporting
  • Push notifications

You can reset your advertising ID or limit ad tracking in your device settings:

  • iOS: Settings > Privacy > Advertising > Reset Advertising Identifier
  • Android: Settings > Google > Ads > Reset advertising ID

11. International Data Transfers

11.1 Data Location

Your data may be transferred to, stored in, and processed in countries other than your own, including the United States.

These countries may have different data protection laws than your country of residence.

11.2 Safeguards for International Transfers

We ensure appropriate safeguards are in place for international data transfers:

For EEA/UK/Swiss Users:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • UK International Data Transfer Agreement (IDTA) for UK transfers
  • Swiss Federal Data Protection Act compliance for Swiss transfers
  • Data Processing Agreements with all processors

For Other Jurisdictions:

  • Compliance with applicable cross-border data transfer laws
  • Contractual protections with service providers
  • Security measures appropriate to the sensitivity of data

11.3 Your Consent

By using the Service, you consent to the transfer of your information to the United States and other countries where we operate.

12. Third-Party Links and Services

12.1 External Links

The Service may contain links to third-party websites, applications, or services. We are not responsible for:

  • Privacy practices of third-party sites
  • Content or accuracy of third-party sites
  • Any damages resulting from your use of third-party sites

We encourage you to review the privacy policies of any third-party sites you visit.

12.2 Social Media Integration

If you use social media features (share buttons, logins):

  • Your interaction is governed by the social media platform's privacy policy
  • The platform may collect information about your activity
  • Information may be publicly displayed per your platform settings

12.3 Third-Party AI Services

When you use AI features, your prompts are sent to:

  • Anthropic (Claude AI) - anthropic.com/privacy
  • OpenAI (GPT models) - openai.com/privacy

These services have their own privacy policies and data practices.

13. Marketing Communications

13.1 Types of Communications

We may send you:

Transactional Emails (Cannot opt-out)

  • Account confirmations
  • Password resets
  • Billing receipts
  • Security alerts
  • Service updates

Marketing Emails (Can opt-out)

  • Product news and updates
  • New feature announcements
  • Tips and best practices
  • Special offers and promotions
  • Newsletters

13.2 Opting Out

You can opt out of marketing communications:

  • Click "Unsubscribe" in any marketing email
  • Adjust email preferences in account settings
  • Email privacy@genogramai.com with "Unsubscribe" in subject

We will process opt-out requests within 10 business days.

You will continue to receive transactional emails necessary for the Service.

13.3 SMS/Text Messages

If you opt in to SMS notifications:

  • You can opt out by replying "STOP"
  • Standard message and data rates apply
  • We will only send service-related SMS (account alerts, security notices)

14. California "Shine the Light" Law

California residents may request information about our disclosure of personal information to third parties for their direct marketing purposes.

We do not share personal information with third parties for their direct marketing purposes.

If you have questions, contact: privacy@genogramai.com

15. Changes to This Privacy Policy

15.1 Updates

We may update this Privacy Policy from time to time to reflect:

  • Changes in our practices
  • Legal or regulatory requirements
  • New features or services
  • User feedback

15.2 Notice of Changes

We will notify you of material changes by:

  • Posting the updated policy on this page
  • Updating the "Last updated" date at the top
  • Sending email notification to your registered address
  • Displaying an in-app notification

15.3 Effective Date

Changes become effective:

  • 30 days after notice for material changes
  • Immediately for non-material changes (clarifications, formatting)

15.4 Your Options

If you do not agree to the updated Privacy Policy:

  • Stop using the Service
  • Delete your account before the effective date
  • Contact us with concerns at privacy@genogramai.com

Your continued use after the effective date constitutes acceptance of the updated policy.

15.5 Version History

View previous versions at: genogramai.com/legal/privacy/history

16. Data Breach Notification

16.1 Our Commitment

In the event of a data breach affecting your personal information, we will:

Within 72 hours of discovery:

  • Assess the scope and impact of the breach
  • Notify affected users via email
  • Notify applicable regulatory authorities (GDPR, CCPA, etc.)

In the notification, we will include:

  • Description of what happened
  • Types of information affected
  • Date or timeframe of the breach
  • Steps we are taking to address it
  • Recommended actions you should take
  • Contact information for questions

16.2 Your Actions

If you receive a breach notification:

  • Follow the recommended security steps
  • Monitor your accounts for suspicious activity
  • Consider changing your password
  • Enable two-factor authentication
  • Contact us with questions

17. Contact Information

17.1 Privacy Inquiries

For questions, concerns, or requests regarding this Privacy Policy or your personal data:

General Privacy:

  • Email: privacy@genogramai.com
  • Address: GenogramAI, Inc., 177 E Colorado Blvd, Pasadena, CA 91105

Data Protection Officer:

  • Email: dpo@genogramai.com

EU Representative (if applicable):

  • Email: eu-representative@genogramai.com

UK Representative (if applicable):

  • Email: uk-representative@genogramai.com

17.2 Data Subject Requests

To exercise your privacy rights (access, deletion, correction, etc.):

  • Email: privacy@genogramai.com
  • Subject line: "Data Subject Request - [Your Request Type]"
  • Include: Your name, email, and description of request

We will respond within:

  • 30 days (GDPR, CCPA)
  • May extend to 90 days for complex requests with notice

17.3 Complaints

If you believe we have not adequately addressed your privacy concerns:

EU/EEA Users:

Lodge a complaint with your national supervisory authority: edpb.europa.eu/about-edpb/board/members_en

UK Users:

Information Commissioner's Office (ICO): ico.org.uk/make-a-complaint

California Users:

California Attorney General: oag.ca.gov/privacy/ccpa

We encourage you to contact us first so we can address your concerns directly.

18. Additional Disclosures

18.1 No Sale of Personal Information

We do NOT sell your personal information as defined by CCPA and other privacy laws.

In the past 12 months, we have NOT:

  • Sold personal information
  • Shared personal information for cross-context behavioral advertising
  • Sold personal information of minors under 16

18.2 Sensitive Personal Information

We do NOT collect "sensitive personal information" as defined by CCPA, including:

  • Social Security numbers
  • Driver's license numbers
  • Precise geolocation
  • Racial or ethnic origin
  • Religious or philosophical beliefs
  • Union membership
  • Genetic data
  • Biometric data for identification
  • Health information (we prohibit this in our Terms)
  • Sex life or sexual orientation

If you upload such data in your diagrams, you do so in violation of our Terms of Service.

18.3 Aggregate and Anonymized Data

We may create aggregated, anonymized data from your information that:

  • Cannot reasonably be used to identify you
  • Is not subject to this Privacy Policy
  • May be used for any purpose, including research and public disclosure

Summary

(This summary is for convenience only and is not legally binding. Please read the full Privacy Policy above.)

What We Collect:

  • Account info (email, password)
  • Diagrams and content you create
  • Usage data and analytics
  • Device and browser information

How We Use It:

  • Provide and improve the Service
  • Process payments
  • Send service updates
  • Analyze usage patterns
  • Ensure security

What We Don't Do:

  • ✗ Sell your information
  • ✗ Use your diagrams for marketing
  • ✗ Monitor your diagram content
  • ✗ Train AI on your data (without consent)
  • ✗ Share with third parties for their marketing

Your Rights:

  • Access your data
  • Correct inaccurate data
  • Delete your account
  • Export your diagrams
  • Opt out of marketing

Security:

  • TLS/SSL encryption
  • AES-256 encryption at rest
  • Secure data centers
  • Regular security audits

Important: NOT HIPAA-compliant. Do NOT upload patient data. Use pseudonyms for privacy. Consider local storage option.

Questions? Email: privacy@genogramai.com

Version History:

  • v2.0 - December 5, 2025 - Added GDPR compliance sections, clarified HIPAA restrictions, added international user rights, expanded security and data retention policies
  • v1.0 - November 26, 2025 - Initial version