Privacy Policy

Last updated: January 2026

1. Introduction

Gene Healthcare GmbH ("Gene Studio", "we", "us", or "our") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website and services.

We process your personal data in compliance with the General Data Protection Regulation (GDPR - EU 2016/679), the German Federal Data Protection Act (Bundesdatenschutzgesetz - BDSG), and other applicable data protection laws.

2. Data Controller

The data controller responsible for your personal data is:

Gene Healthcare GmbH
Süderstraße 294
20537 Hamburg, Germany
Email: [email protected]

Managing Director: Moritz Schuster

3. Personal Data We Collect

3.1 Account Information:

  • Name (first and last name)
  • Email address
  • Password (stored in encrypted form)

3.2 Assessment Data:

When you complete our questionnaire-based assessments, we collect self-reported information including:

  • Demographic information (date of birth, ethnicity)
  • Health-related questionnaire responses
  • Lifestyle information
  • Self-reported family medical history

Note: This is self-reported questionnaire data, not genetic test results or DNA analysis.

3.3 Payment Information:

Payment processing is handled by third-party payment providers (e.g., Stripe). We do not store complete credit card numbers or banking details on our servers.

3.4 Technical Data:

  • IP address
  • Browser type and version
  • Device information
  • Usage data and interaction patterns

3.5 Communication Data:

Information you provide when contacting us, including email correspondence and contact form submissions.

4. Legal Basis for Processing

We process your personal data based on the following legal grounds under GDPR Article 6:

  • Contract Performance (Art. 6(1)(b)): Processing necessary to provide our services, including account management and generating assessments.
  • Consent (Art. 6(1)(a)): Where you have given explicit consent, particularly for processing health-related questionnaire data under Article 9(2)(a).
  • Legitimate Interests (Art. 6(1)(f)): For website security, fraud prevention, and service improvement, where such interests are not overridden by your rights.
  • Legal Obligation (Art. 6(1)(c)): Where processing is necessary for compliance with legal requirements (e.g., tax documentation, fraud prevention).

5. Health-Related Information

Important Notice Regarding Health Data

The questionnaire responses you provide may include information about your health and family medical history. Under GDPR, this constitutes "special category data" requiring additional protection.

We process this information based on your explicit consent (Article 9(2)(a) GDPR), which you provide when completing our assessments. You may withdraw this consent at any time.

Please note: We collect self-reported questionnaire data only. We do not collect, process, or analyze genetic material, DNA samples, or conduct any form of genetic testing as part of our risk assessment service.

6. How We Use Your Data

We use your personal data for the following purposes:

  • Creating and managing your user account
  • Generating hypothetical risk assessments based on your questionnaire responses
  • Processing payments for purchased services
  • Communicating with you about your account and our services
  • Responding to your inquiries and providing support
  • Improving and optimizing our services
  • Ensuring the security of our platform
  • Complying with legal obligations

7. Data Sharing and Third Parties

7.1 We do not sell your personal data to third parties.

7.2 We may share your data with:

  • Service Providers: Third-party companies that assist us in operating our website and services (e.g., hosting providers, payment processors). These providers are contractually bound to protect your data.
  • Legal Requirements: When required by law, court order, or governmental authority.
  • Business Transfers: In connection with a merger, acquisition, or sale of assets, with appropriate data protection safeguards.

7.3 Third-party service providers include:

  • Stripe Inc. (Payment processing) - see Stripe's Privacy Policy
  • Cloud hosting providers within the EU/EEA

8. International Data Transfers

Your data is primarily processed within the European Economic Area (EEA). If data is transferred outside the EEA, we ensure appropriate safeguards are in place, such as:

  • EU Standard Contractual Clauses
  • Adequacy decisions by the European Commission
  • Binding Corporate Rules where applicable

9. Data Retention

We retain your personal data only as long as necessary for the purposes outlined in this policy:

  • Account Data: Until you delete your account, plus any legally required retention period.
  • Assessment Data: Until you request deletion or delete your account.
  • Payment Records: 10 years as required by German commercial and tax law (§257 HGB, §147 AO).
  • Communication Records: 3 years from the date of communication.

10. Your Rights Under GDPR

Under the GDPR, you have the following rights regarding your personal data:

  • Right of Access (Art. 15): Request a copy of the personal data we hold about you.
  • Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data.
  • Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").
  • Right to Restriction (Art. 18): Request limitation of processing in certain circumstances.
  • Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format.
  • Right to Object (Art. 21): Object to processing based on legitimate interests.
  • Right to Withdraw Consent (Art. 7(3)): Withdraw consent at any time where processing is based on consent.

To exercise any of these rights, please contact us at [email protected]. We will respond to your request within 30 days.

11. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Encryption of data in transit (TLS/SSL)
  • Encryption of sensitive data at rest
  • Regular security assessments and updates
  • Access controls and authentication measures
  • Employee training on data protection

12. Cookies and Tracking

Our website uses cookies and similar technologies to ensure functionality and improve your experience. We use:

  • Essential Cookies: Required for basic website functionality (e.g., authentication, session management). These do not require consent.
  • Functional Cookies: Remember your preferences to enhance your experience.

You can control cookie settings through your browser. Note that disabling certain cookies may affect website functionality.

13. Right to Lodge a Complaint

If you believe that we have violated your data protection rights, you have the right to lodge a complaint with a supervisory authority. The competent authority for complaints in Germany is:

Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit
Ludwig-Erhard-Str. 22
20459 Hamburg
Germany
Website: https://datenschutz-hamburg.de

14. Children's Privacy

Our services are not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will take steps to delete such information.

15. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated through our website or by email. We encourage you to review this policy periodically.

16. Contact Us

For questions or concerns about this Privacy Policy or our data practices, please contact:

Gene Healthcare GmbH
Süderstraße 294
20537 Hamburg, Germany
Email: [email protected]