The Gene Box

Last updated: March 2026

Privacy Policy

1. Introduction

The Gene Box (“TGB”, “we”, “us”, “our”) is committed to protecting the privacy of our partners and their patients. This Privacy Policy explains how we collect, use, store, and protect personal and genomic data processed through our platform, and describes the rights available to data subjects under applicable law.

Our platform is provided on a business-to-business basis. We act as a data processor for our healthcare and wellness partners, who are the data controllers responsible for their patients’ data. This policy applies to all data processed through the TGB platform and associated services.

2. Data We Collect

We process the following categories of data on behalf of our partners:

  • Genomic data — raw genotyping output, variant calls, and derived genetic markers from saliva or blood samples.
  • Health questionnaire data — self-reported health history, lifestyle information, medications, and family history collected by our partners.
  • Blood panel data — laboratory values from blood tests, including metabolic markers, hormones, and nutrient levels, where the Lens product is in use.
  • Microbiome data — gut microbiome sequencing results and derived microbiome composition scores, where the Flora product is in use.
  • Usage and analytics data — platform access logs, feature usage patterns, and technical diagnostics used to maintain and improve our services.

3. How We Use Data

Data processed through the TGB platform is used for the following purposes:

  • Generate reports — producing the genomic, microbiome, and multi-omic reports ordered by our partners for their patients.
  • Power AI interpretation — running variants and biomarkers through our Evolveme.ai knowledge graph to generate clinically contextualised insights.
  • Improve the knowledge graph — contributing anonymised, aggregated signals to improve the accuracy and coverage of our reference database. No personally identifiable data is used for this purpose without explicit consent.
  • Fulfil contractual obligations — delivering the services described in our partner agreements, including data storage, report archiving, and audit logging.

4. Data Storage & Security

All data processed through the TGB platform is encrypted at rest using AES-256 and in transit using TLS 1.3. Access to patient data is strictly role-based and controlled through our internal access management systems. Every data access event is audit-logged and retained for compliance purposes.

Our infrastructure is hosted with ISO 27001-certified cloud providers. We conduct regular security assessments and penetration testing. Data centres are located in jurisdictions consistent with applicable data transfer requirements.

5. Third-Party Sharing

We do not sell, rent, or share patient data with third parties for commercial purposes. Where we engage subprocessors (for example, cloud infrastructure providers or laboratory sequencing partners), we maintain data processing agreements with each subprocessor and ensure they meet equivalent data protection standards.

A current list of our subprocessors is available on request from our privacy team. We will notify our partners of any changes to our subprocessor list in advance.

6. GDPR Rights

For data subjects whose data is processed under GDPR, the following rights apply. Requests should be directed to the partner organisation (the data controller), who will engage us as required:

  • Right of access — the right to obtain confirmation that your data is being processed and to receive a copy of that data.
  • Right to rectification — the right to have inaccurate personal data corrected.
  • Right to erasure — the right to request deletion of your personal data, subject to legal retention obligations.
  • Right to portability — the right to receive your personal data in a structured, machine-readable format.
  • Right to restriction — the right to request that processing of your data be restricted in certain circumstances.
  • Right to object — the right to object to processing based on legitimate interests or for direct marketing purposes.

7. Genomic Data Specifics

Genomic data constitutes special category data under Article 9 of the GDPR. Processing of genomic data requires explicit consent from the data subject, obtained by the partner organisation prior to sample collection. TGB processes genomic data only on the documented instructions of our partners and only for the purposes specified in the data processing agreement.

Where genomic data is used to improve our knowledge graph or for research purposes, it is anonymised to a standard that prevents re-identification. No re-identifiable genomic data is used for research without separate explicit consent from the data subject.

8. Data Retention

We retain patient data for the duration of our partnership with the relevant organisation, plus any additional period required by applicable legal or regulatory obligations. Upon termination of a partnership, data is exported to the partner and deleted from our systems within 60 days, unless a longer retention period is required by law.

Partners may request deletion of specific patient records at any time. We will process such requests within 30 days, subject to any legal retention obligations that prevent immediate deletion.

9. Contact

For privacy-related enquiries, to exercise data subject rights, or to report a potential data breach, please contact our privacy team at privacy@thegenebox.com.