Privacy Policy: Custom Genetic Report

Last updated: 15/01/26

This Privacy Notice explains how http://www.SecondLifeGuide.com (“we”, “us”, “our”) collects and uses personal data when you use our website and DNA reporting service (the “Service”). It also explains your rights under the UK GDPR and how to contact us.

Because we process genetic information, which is “special category data” under UK GDPR, we apply additional safeguards and require your explicit consent before you upload any DNA data.

1. Who we are

Controller: SecondLifeGuide
Email: message.secondlifeguide@gmail.com

If you have questions about this notice or want to exercise your rights, contact us using the details above.

2. What the Service does (in plain English)

If you choose to use the Service, you can upload a raw DNA data file you have downloaded from a DNA provider (for example, 23andMe, AncestryDNA, or MyHeritage). We automatically analyse selected genetic markers in that file and generate a personalised PDF report. The report is available to you via a secure, time-limited download link.

You must accept our Terms and provide explicit consent before uploading genetic data.

3. The personal data we collect

3.1 Account and usage information

Your account identifier (e.g., username, email address, user ID).
Login/session information (cookies used to keep you logged in).
Basic technical information such as device/browser type and logs.

3.2 Consent records (evidence of permission)

Whether you consented to genetic data processing.
Date/time you gave consent.
Version of the terms you accepted.
IP address [only if you choose to record it / if recorded].

3.3 Genetic data (special category)

Your raw DNA data file (genotype data such as SNP identifiers and allele calls).
Provider selection (e.g., “23andMe” / “AncestryDNA” / “MyHeritage”), where relevant to parsing.

3.4 Generated report and related data

Your personalised PDF report (derived output).
Temporary download link information (time-limited URL).
File metadata such as report filename and generation timestamp.

4. How we use your data (purposes)

We use your information to:

Provide the Service
- Verify your account and consent status
- Enable upload of your raw DNA file
- Analyse genetic markers and generate a report
- Provide access to your report through a time-limited link
Security and fraud prevention
- Protect accounts, prevent abuse, and maintain service integrity
- Keep audit logs to detect unauthorised access or errors
Compliance and recordkeeping
- Maintain records of consent and user requests (e.g., deletion requests)
- Respond to legal requests where we are required to do so

5. Legal bases for processing

5.1 UK GDPR Article 6 (personal data)

We rely on:

Consent (Article 6(1)(a)) for providing the genetic report service where you opt in.

We may also rely on:

Legitimate interests (Article 6(1)(f)) for essential security, fraud prevention, and maintaining the reliability of the website (where applicable and balanced against your rights).

5.2 UK GDPR Article 9 (special category data – genetic data)

We process genetic data only with:

Explicit consent (Article 9(2)(a))

You may withdraw consent at any time (see section 9).

6. How the processing works (technical overview)

To minimise handling of sensitive data on our website servers, we use a workflow designed for privacy and security:

Consent gate: You must explicitly consent before upload is enabled.
Direct upload to secure storage: Your browser uploads your file directly to a private AWS S3 bucket using a short-lived secure upload authorisation.
Automated processing: When the file arrives, an AWS function reads the file, matches relevant markers against our reference dataset, and generates a PDF report.
Secure delivery: The report is stored in a private area of the bucket and made available to you via a time-limited secure link.
Deletion: Files are automatically removed after a short retention period and may be deleted earlier if you withdraw consent.

7. Who we share your data with

We do not sell your personal data.

We share data only with trusted service providers (“processors”) who help us deliver the Service, including:

Amazon Web Services (AWS) (S3 and Lambda) for secure storage and processing
WordPress hosting for hosting and operating the website

These providers are contractually required to protect your data and use it only to provide services to us.

8. International transfers

If your data is processed or stored outside the UK, we ensure appropriate safeguards are in place, such as the UK International Data Transfer Agreement/Addendum or other recognised transfer mechanisms.

Primary processing location: Stockholm (eu-north-1)

9. How long we keep your data (retention)

We keep data only as long as necessary for the purposes described.

Raw DNA uploads and generated reports in AWS S3: typically retained for up to 24 hours before automatic deletion.
Report download links: valid for approximately 60 minutes from the time the report is generated. After expiry, the link will no longer work.
Consent records: retained for as long as your account remains active and for a limited period after account deletion where needed for compliance and legal defence.
Support communications: retained indefinitely.

You can request deletion at any time (see section 10).

10. Your rights (UK GDPR)

You have rights over your personal data, including:

Access: request a copy of your personal data
Rectification: correct inaccurate data
Erasure (“right to be forgotten”): request deletion of your data
Restriction: restrict certain processing
Data portability: receive certain data in a structured format
Withdraw consent: at any time, without affecting prior lawful processing
Object: to processing based on legitimate interests (where applicable)

How to exercise your rights

Withdrawal of consent

If you withdraw consent, we will stop further processing and will delete stored raw uploads and reports where applicable (subject to short technical delays and legal obligations).

11. Security measures

We take security seriously and use a combination of technical and organisational controls:

Encryption in transit: HTTPS/TLS for uploads, downloads, and website access
Encryption at rest: S3 server-side encryption (e.g., AES-256 and/or KMS)
Access control: private storage, least-privilege permissions, and restricted administrative access
Time-limited access: short-lived download links
Monitoring: logging and monitoring to detect errors and suspicious activity
Data minimisation: we avoid storing raw DNA data on the WordPress server
Deletion controls: automatic expiry and user-initiated deletion options

No internet service is completely secure; however, we work to maintain appropriate safeguards for the sensitivity of genetic information.

12. Automated decision-making

The Service performs automated analysis of genetic markers to generate your report. This is an automated process, but it is provided as an educational report and is not intended to make decisions with legal or similarly significant effects about you. You should not use the report as a substitute for professional medical advice.

13. Important disclaimer (medical / health)

Our reports are provided for educational and research purposes only. They do not provide medical diagnosis, treatment, or prescribing advice. Always speak to a qualified healthcare professional before making health or medication decisions.

14. Cookies

We use cookies to keep you logged in, maintain site security, and support core website functionality.

15. Complaints

If you are unhappy with how we use your data, please contact us first so we can help.

You also have the right to lodge a complaint with the UK supervisory authority:

Information Commissioner’s Office (ICO)
Website: ico.org.uk
Telephone: 0303 123 1113

16. Changes to this notice

We may update this Privacy Notice from time to time. When we do, we will update the “Last updated” date and, where appropriate, notify you of significant changes.