Genetic Data Consent Notice
Effective Date: July 1, 2023
Critical Information
This Genetic Data Consent Notice governs the collection and processing of your genetic information—the most sensitive personal data you can provide. Please read this document thoroughly before activating your kit.
This Consent is separate from and in addition to:
Privacy Policy
Terms of Service
Kit Order Terms and Conditions
Why Separate Consent is Required: Under U.S. federal law, state laws (including California Genetic Information Privacy Act), GDPR Article 9, and international data protection regulations, genetic information is classified as "special category" or "sensitive" personal data, requiring explicit, separate consent.
What is Genetic Information?
Genetic Information includes:
Your complete DNA sequence (whole genome sequencing data)
Genetic variants identified from your DNA
VCF (Variant Call Format) file containing your genomic data
Interpretations and analyses derived from your genetic data
Key Characteristics:
Permanent: Cannot be changed.
Familial: Reveals information about biological relatives.
Predictive: May indicate predispositions (not certainties)
Unique: Each person's genome is unique (except identical twins)
What Genetic Data We Collect and Process
Data We Receive
Pseudonymized Whole Genome Sequencing (WGS) Data:
VCF file from a CLIA-certified laboratory partner
Generated using Next Generation Sequencing technology (Complete Genomics T7 with DNBSEQ™ or equivalent)
Approximately 3 billion nucleotides sequenced at an average of 30x coverage.
Aligned to GRCh38/hg38 reference genome
Associated only with the kit number, not your name
Important: The laboratory partner destroys your physical saliva sample immediately after successful sequencing. We never receive or store physical samples.
Associated Data
Kit number and activation date
Secure the crosswalk linking kit number to your account.
Self-reported information you optionally provide
Processing metadata and quality control data
What We Do Not Collect
Physical DNA samples (destroyed by laboratory partner)
Medical records or health history
Family member data (without their separate consent)
Ancestry or genealogical data
How We Process Your Genetic Data
Initial Processing
Data Receipt: Encrypted transfer of pseudonymized VCF file from laboratory partner
Bioinformatics Analysis: Processing through our algorithms to identify lifestyle-relevant variants
Report Generation: Creation of personalized lifestyle reports (nutrition, fitness, sleep, hormones, athletics)
Secure Storage: Encrypted storage on U.S.-based servers (AES-256 encryption)
Ongoing Processing
Additional Reports: Generation of new reports you purchase
Service Delivery: Maintaining data for account access and downloads
Quality Improvement: Use of aggregated, anonymized data for algorithm improvements
Legal Compliance: Processing required for regulatory compliance
What We Do Not Do
Medical diagnosis or clinical interpretation
Research (unless separate consent obtained)
Share with third parties without authorization.
Sell your genetic data.
Legal Basis and Purpose Limitation
Legal Basis: Your explicit consent (required under GDPR Article 9, state genetic privacy laws, and federal regulations)
Purposes Authorized:
Generate lifestyle reports based on genetic variants.
Store genetic data for ongoing service provision.
Process additional reports upon your request
Improve services through anonymized, aggregated data analysis.
Comply with legal obligations.
Purposes Not Authorized (require separate consent):
Research participation
Medical or clinical use
Sharing with third parties for their purposes
Data Storage, Security, and Compliance
Storage Infrastructure
Location: United States data centers only
SOC 2 Type II certified cloud infrastructure
No data storage in foreign jurisdictions
Access is restricted from foreign adversary entities
Security Measures:
Encryption: AES-256 at rest, TLS 1.3 in transit
Access Control: Multi-factor authentication, role-based access
Monitoring: 24/7 security monitoring and intrusion detection
Audits: Regular third-party security assessments
Regulatory Compliance
Federal:
GINA (Genetic Information Nondiscrimination Act): Employment and health insurance protections
In alignment with U.S. government policies regarding bulk sensitive data transfers, including anticipated regulations from the Department of Justice and the Department of the Treasury regarding countries of concern
State:
California Genetic Information Privacy Act (GIPA)
In alignment with the Texas genetic privacy legislation under consideration
Compliance with applicable state consumer protection and genetic privacy laws
International:
GDPR Article 9 (EU/UK special category data)
PIPEDA (Canada)
LGPD (Brazil)
Compliance with local laws where services are offered
Prohibited Access
We prohibit access to your genetic data by:
Foreign adversaries and their entities (per anticipated U.S. regulations)
Employers or prospective employers
Insurance companies (unless legally required)
Marketing companies or data brokers
Law enforcement (except for valid legal process)
Data Sharing and Disclosure
Who Receives Genetic Data
CLIA-Certified Laboratory Partner:
What they do: Analyze your saliva sample and generate a VCF file.
What they share with us: Pseudonymized VCF file only
What we share with them: Kit number, minimal shipping information
Sample handling: Destroyed immediately after successful sequencing
Essential Service Providers:
Cloud infrastructure (U.S. data centers)
Security monitoring services
All under strict data processing agreements
Payment Processors:
Do not receive genetic data (only transaction information)
We Never Share Genetic Data With (without your explicit consent or legal requirement):
Research organizations
Pharmaceutical companies
Insurance companies
Employers
Marketing companies
Data brokers
Social media platforms
Family members
Law enforcement (except for valid court orders, warrants, or subpoenas)
Legal Requests
We resist invalid or overly broad requests.
Provide only the minimum data legally required.
Notify you unless legally prohibited.
Publish annual transparency reports.
Business Transfers (Merger/Acquisition/Bankruptcy)
30-day advance notice to all users
Option to delete data before transfer
New owner must honor existing privacy commitments.
Per applicable law, genetic data cannot be sold or transferred to foreign adversaries in the event of bankruptcy.
Data Retention and Deletion
Retention Period
Minimum: 6 years to support ongoing services and additional reports
Maximum: Until you request deletion
Financial records: 7 years for tax/legal compliance (separate from genetic data)
Your Right to Delete
You can request deletion at any time:
How: Through account settings or email support@mosaicbio.io
Timeline: Deletion completed within 30 days
Confirmation: Written confirmation provided
Irreversible: Cannot be undone.
Impact: Loss of access to reports and services
What Gets Deleted:
VCF file (complete genetic data)
All lifestyle reports
Genetic interpretations and analysis
Derived genetic insights
Data removed from all systems, including backups
What May Be Retained:
Transaction records (7 years for tax compliance)
Kit number for regulatory tracking
Aggregated, anonymized statistics (cannot identify you)
Data subject to legal hold or valid court order
International Data Transfers
For Non-U.S. Residents:
Genetic data is transferred to and stored in the United States.
Protected by appropriate safeguards:
EU/UK: Standard Contractual Clauses (SCCs)
Other jurisdictions: Equivalent legal mechanisms
Enhanced security measures for cross-border transfers
Important: All genetic data is stored in U.S. data centers regardless of your location. This is our operational standard for all customers, ensuring compliance with U.S. regulations regarding the security of genetic data.
Your Rights and Controls
Access Rights
Download the complete VCF file anytime (during active access periods)
View all genetic reports.
Access processing history
No fees for access
Rectification Rights
Correct account information
Update preferences
Note: Raw genetic data reflects actual sequencing and cannot be "corrected"
Deletion Rights (Right to Erasure)
Request complete deletion anytime.
30-day completion timeline
Irreversible process
Written confirmation provided
Data Portability Rights
Receive data in standard formats (VCF, PDF, JSON)
Transfer to other services
No lock-in or artificial barriers
Objection and Restriction Rights
Object to specific processing activities
Restrict processing during disputes.
Opt out of future uses.
Consent Withdrawal Rights
Withdraw consent anytime
No penalties or fees
May affect service access
Does not affect prior lawful processing
Non-Discrimination Rights
No penalties for exercising rights
Same service quality regardless of choices
No additional fees for rights requests
How to Exercise Rights:
Account Dashboard (24/7 self-service):
Download data
Manage preferences
Request deletion
Response Time: Within 30 days (may extend to 60 days under GDPR for complex requests)
Risks and Limitations
Privacy Risks
Data Permanence:
Genetic information cannot be altered once it has been disclosed.
Lifetime implications
Unknown future uses or applications.
Re-identification Risks:
Even pseudonymized genetic data may be re-identifiable
Advanced techniques or database matching could reveal identity.
Family members' genetic data may enable identification
Security Risks:
No system is perfectly secure.
Data breaches can still occur despite robust protections.
Sharing with third parties increases exposure.
Psychological and Emotional Risks
Reports may reveal unexpected traits or predispositions.
Information may affect self-perception
May impact family relationships
Consider genetic counseling if needed (we do not provide counseling services, but can refer you to qualified professionals)
Family Implications
Your genetic data reveals information about biological relatives.
Relatives have not consented to this disclosure.
May affect family dynamics or relationships
Discrimination and Legal Risks
GINA Protections (U.S.):
Prohibits genetic discrimination in health insurance and employment (employers with 15+ employees)
GINA Does NOT Protect:
Life insurance
Disability insurance
Long-term care insurance
Small employers (fewer than 15 employees)
Military members (employment provisions)
State Protections:
Vary significantly by state.
Some states provide additional protections.
California and Illinois have stronger protections.
Important: Sharing genetic data with third parties (including potential insurers) may expose you to discrimination not covered by GINA.
Scientific and Technical Limitations
Sequencing Coverage:
Some genomic regions have low or no coverage (centromeres, repetitive sequences, complex structural variants)
"No-calls" in areas not meeting quality thresholds
Not all variant types were detected.
Interpretation Limitations:
Lifestyle reports are for informational purposes only.
Not medical advice, diagnosis, or treatment
Most genetic variants have small effect sizes.
Environmental and lifestyle factors often override genetics.
Research continuously evolving
Population Bias:
Most genetic research conducted on European ancestry populations
It may be less accurate for other populations
Third-Party Sharing (Your Choice)
If You Choose to Share Your VCF File
You may download your VCF file and share it with third-party applications for additional analysis.
Critical Warnings:
Loss of Control: Once shared, we cannot retrieve your genetic data
Different Policies: Third parties have their own privacy policies and security standards
Commercial Use: Third parties may use data for commercial purposes
Data Permanence: Third parties may retain data indefinitely
Different Legal Protections: May not have the same protections as Mosaic
Our Recommendations:
Carefully review the privacy policies of third parties before sharing.
Understand why a third party needs genetic data.
Assess third-party security practices.
Share only the minimum necessary data.
Consider professional advice before sharing with medical providers
We Are Not Liable:
For third-party data handling practices
For third-party security breaches
For third-party commercial use
For any other third-party actions
Children and Minors
Age Requirement: You must be 18 years or older to provide genetic information.
For Minors Under 18:
Parent or legal guardian must provide consent.
Guardian maintains control until the minor reaches age 18
The guardian is responsible for understanding the implications.
If We Discover Unauthorized Minor Data:
Immediate account suspension
Data deleted within 30 days.
Parent/guardian notification
Withdrawal of Consent
You Can Withdraw Consent at Any Time
How to Withdraw:
Log in to your account and select "Delete Genetic Data."
Email support@mosaicbio.io with subject "Genetic Consent Withdrawal"
Written request to: Mosaic Biodata Inc., Attn: Privacy Officer, 919 Congress Ave, Suite 525, Austin, TX 78701, USA
Effects of Withdrawal:
Processing stops immediately
Genetic data deletion begins.
Loss of access to reports
Service termination
Completion within 30 days
Irreversible
What Continues:
Account may remain active (personal info only, no genetic data)
Transaction records retained for legal compliance (7 years)
Anonymized statistical data may be retained.
Important: Withdrawal does not affect the lawfulness of prior processing before withdrawal.
Changes to This Consent Notice
For Material Changes:
60-day advance notice via email
Explanation of changes and impact
Opportunity to delete data before changes take effect
Material Changes Include:
New processing purposes
New categories of recipients
International transfer changes
Retention period changes
Your rights modifications
For Non-Material Changes:
Updated notice posted with new "Effective Date"
Account notification
Company Dissolution or Bankruptcy
In the unlikely event Mosaic ceases operations:
90-day advance notice to all users (if feasible)
Option to download and delete data before dissolution
Genetic data will be destroyed in accordance with this Consent Notice.
Will not be sold or transferred to foreign adversaries
Per applicable law, genetic data cannot be transferred in bankruptcy proceedings.
Transaction records are retained only as required by law (7 years)
Succession/Acquisition: See provisions in §6 (Business Transfers).
Your Explicit Consent
What You Are Consenting To
By checking the box below, you explicitly and unambiguously consent to:
Collection and Processing:
Collection and processing of my genetic information from whole genome sequencing
Bioinformatics analysis to identify genetic variants
Generation of lifestyle reports (nutrition, fitness, sleep, hormones, athletics)
Secure storage of my genetic data (VCF file) in U.S. data centers
Ongoing Services:
Use of genetic data for additional reports, I may purchase
Retention of genetic data for a minimum of 6 years to support ongoing services
Use of aggregated, anonymized data for service improvements
Data Management:
International transfer of genetic data to the U.S. with appropriate safeguards (Standard Contractual Clauses where required)
Sharing with essential service providers under data processing agreements (CLIA-certified laboratory partners, cloud infrastructure)
Required Acknowledgments
I confirm that:
I have read and understand this complete Genetic Data Consent Notice.
I understand genetic information is sensitive and permanent.
I am aware of the risks described in this notice.
I understand my rights and how to exercise them.
I can withdraw consent at any time by deleting my genetic data.
I understand genetic testing is for lifestyle purposes only, not medical diagnosis.
I have considered the implications for my biological family members.
I understand that sharing my genetic data with third parties means losing control.
I am consenting freely without coercion.
I am 18 years or older (or parent/guardian providing consent for minor)
Special Situations
If Providing Consent for a Minor:
I am the parent/legal guardian consenting on behalf of the minor.
I understand the implications of genetic testing for the minor.
I will maintain control over the minor's genetic data until they reach age 18
If Providing a Sample for Someone Else:
I have legal authorization to provide consent for this individual.
I am acting in the best interests of the individual.
The individual lacks the capacity to consent independently
Genetic Counseling Resources
While we do not provide genetic counseling services, we can provide information about:
National Society of Genetic Counselors (https://www.nsgc.org)
"Find a Genetic Counselor" directory.
Telehealth genetic counseling services
Local genetic counseling resources
Contact support@mosaicbio.io with "Genetic Counselor Referral" in the subject line if you would like information about genetic counseling resources.
Final Consent Declaration
By checking this box and proceeding with kit activation, I explicitly consent to the processing of my genetic information as described in this Genetic Data Consent Notice:
Yes, I consent to the processing of my genetic information as described above.
Electronic Signature:
Full Name: _________________________________
Date: _________________________________
Email Address: _________________________________
Kit Number: _________________________________
Consent Recorded:
Consent ID: [System Generated] IP Address: [Recorded for verification] Timestamp: [Date and time of consent] Document Version: Genetic Data Consent Notice, Effective September 12, 2025
Questions and Contact Information
Before You Consent
Do Not Proceed If:
You have unanswered questions.
You are uncertain about the implications.
You have privacy or security concerns.
You don't understand your rights.
You feel pressured or coerced.
Contact Us:
Email: support@mosaicbio.io Subject: "Genetic Consent Question" Response Time: 24-48 hours
After Providing Consent
Ongoing Support:
Account Dashboard: Data management tools available 24/7
Exercising Your Rights:
Access: Download data through the account portal anytime
Deletion: Delete data through account settings or contact support
Corrections: Update information through account settings
Regulatory Contacts
United States:
Federal Trade Commission: www.ftc.gov
Your state attorney general
European Union/UK:
Irish Data Protection Commission: www.dataprotection.ie
UK Information Commissioner's Office: www.ico.org.uk
Your local supervisory authority
Other Countries:
Canada: Office of the Privacy Commissioner - www.priv.gc.ca
Australia: Office of the Australian Information Commissioner - www.oaic.gov.au
Brazil: Autoridade Nacional de Proteção de Dados - www.gov.br/anpd
Company Contact Information
Mosaic Biodata Inc.
Mailing Address:
Mosaic Biodata Inc. Privacy and Genetic Data Consent 919 Congress Ave, Suite 525 Austin, TX 78701 United States
Business Information:
Incorporated: Delaware, United States
Principal Place of Business: Texas, United States
Business Hours: Monday-Friday, 9:00 AM - 6:00 PM Central Time
Important Final Reminders
Before You Consent, Remember:
This is Optional: You can choose not to proceed with genetic testing.
Ask Questions: Contact us with any questions before consenting.
Read Completely: Ensure you understand all sections.
Consider Implications: Think about privacy, family, and future implications.
You Control Your Data: You can delete your genetic data at any time.
Professional Advice: Consider genetic counseling for concerns
Not Medical: This testing is for lifestyle purposes, not medical diagnosis
Family Impact: Your genetic data reveals information about relatives
Permanent Data: Genetic information cannot be changed once disclosed
Your Rights: You have comprehensive rights to control your genetic data
Your genetic information is uniquely sensitive. We are committed to protecting it with the highest standards of security and privacy. If you have any doubts or concerns, please contact us before proceeding.
By providing consent through this notice, you acknowledge that you have carefully read and understood this complete document, you have had the opportunity to ask questions, and you freely and voluntarily consent to the processing of your genetic data as described herein.