AncestrifyArticlesAbout

Privacy Notice

Last updated: June 3, 2026

This notice explains what personal data Ancestrify collects, why we collect it, who we share it with, and how you can exercise your rights. Genetic data is sensitive — we treat it as such.

1. Who we are

The data controller for personal data processed through the Service is Ancestrify ("we", "us"). You can contact us at info@ancestrify.io for any privacy-related question or to exercise the rights described below.

2. What data we collect

Account data

When you sign in via Auth0, we receive your email address, display name, and (if you authenticate with Google) your profile picture. We use this to identify your account, send you transactional messages, and link your purchases and reports to you.

Genetic data

To run an analysis you upload genotype data (for example, a raw-data file from a consumer DNA test or a G25 coordinate set). This is special-category data under Article 9 of the UK GDPR and EU GDPR. We process it only with your explicit consent, only for the purpose of running your analysis and producing your report, and only on infrastructure configured with strict access controls.

Payment data

Card payments are processed by Banka Kombëtare Tregtare Sh.a. ("BKT"), our acquiring bank. BKT collects the card-payment details (card number, expiry, CVV) directly from you on its PCI-DSS-compliant hosted payment page. Ancestrify is the merchant of record. We do not see or store your full card number. We receive a transaction reference, the amount, the country used for tax purposes, and your email so we can match the purchase to your account. BKT's processing of your data is governed by BKT's own privacy notice.

Technical and usage data

Like most websites, we receive technical data when you visit us — IP address, browser type and version, device type, referrer URL, pages visited, and timestamps. We use cookies and similar technologies; see your cookie preferences for details and controls.

Support correspondence

If you contact us we keep a record of the message and our reply so we can help you and improve the Service.

3. How we use your data and our legal basis

  • To provide the Service (run your analysis, generate your report, keep your dashboard working) — performance of our contract with you (Art. 6(1)(b) GDPR), and your explicit consent for the genetic data (Art. 9(2)(a) GDPR).
  • To take payment and prevent fraud — performance of our contract and our and BKT's legitimate interests (Art. 6(1)(b) and (f)).
  • To keep the Service secure (rate-limiting, abuse detection, log review) — our legitimate interests (Art. 6(1)(f)).
  • To communicate with you about your account, purchases, and changes to the Service — performance of our contract (Art. 6(1)(b)) and, for non-essential communications, your consent (Art. 6(1)(a)).
  • To comply with our legal obligations, including tax, accounting, and responses to lawful requests — Art. 6(1)(c).

4. Who we share data with

We do not sell your personal data. We share data only with the following categories of recipients, under written contracts that require them to protect it:

  • Auth0 (Okta) — authentication and identity management.
  • Banka Kombëtare Tregtare Sh.a. (BKT) — card payment processing as our acquiring bank; card authorisation, settlement, and fraud prevention.
  • Cloudflare — application hosting, edge delivery, and DDoS protection.
  • Mapbox — interactive map rendering on dashboard pages.
  • Email and support tools — for transactional email and customer support correspondence.
  • Professional advisers (lawyers, accountants, auditors) where necessary, and regulators or courts where required by law.

5. International transfers

Some of our processors operate in countries outside the UK and the European Economic Area, including the United States. Where we transfer personal data outside those regions, we rely on appropriate safeguards — typically the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, or adequacy decisions — and we apply additional measures where the law of the destination country makes them necessary.

6. How long we keep your data

We keep your account data for as long as your account is active and for a reasonable period afterwards to handle disputes and comply with legal obligations. We keep your genotype data only for as long as we need it to deliver and support your analysis; you can request earlier deletion at any time by emailing info@ancestrify.io. Payment and tax records are retained by us and our acquiring bank for the period required by applicable accounting and tax law (typically 6–10 years).

7. Your rights

Depending on where you live, you have rights over your personal data, including:

  • access to your data and a copy of it;
  • correction of inaccurate data;
  • deletion of your data ("right to be forgotten");
  • restriction of, or objection to, certain processing;
  • portability of data you provided to us;
  • withdrawal of consent at any time (without affecting processing carried out before withdrawal);
  • the right to lodge a complaint with your local supervisory authority (in the UK, the Information Commissioner's Office, ico.org.uk; in the EU, your national DPA).

To exercise any of these rights, email info@ancestrify.io. We will respond within the timeframe required by applicable law (typically one month).

8. Cookies

We use a small number of cookies that are strictly necessary to operate the site (authentication, security, load balancing) and, with your consent, optional analytics and marketing cookies. You can review and change your choices at any time via the Cookie preferences link in the footer.

9. Children

The Service is not intended for children. We do not knowingly collect data from anyone under 18. If you believe a child has provided us with data, please contact us and we will delete it.

10. Security

We use technical and organisational measures appropriate to the sensitivity of the data we hold, including encryption in transit, encrypted storage, access controls, authentication via a specialist identity provider, and regular review of our hosting and processor configurations. No system is perfectly secure; if we ever experience an incident affecting your data we will notify you and the relevant authorities as required by law.

11. Changes to this notice

We may update this notice from time to time. When we do, we update the "Last updated" date at the top and, where the changes are material, give you reasonable advance notice (for example, by email or in-app notice).

12. Contact

For privacy questions, requests, or complaints, email info@ancestrify.io or write to Ancestrify.

Ancestrify

Combining cutting-edge genomic science with rich historical records to map your ancestry across generations and continents.

Product
DashboardAncient OriginsHow It Works
Legal
Terms of ServicePrivacy NoticeRefund Policy
Connect
Contact UsSupport
Card payments processed by Banka Kombëtare Tregtare Sh.a. (BKT)
VISAMASTERCARD

© 2026 Ancestrify. All rights reserved.