Privacy Policy

1. Introduction and Scope

GeneChef, LLC ("GeneChef," "Company," "we," "our," or "us") operates the bioinformatics platform accessible at genechef.io and all associated subdomains, APIs, mobile applications, and related services (collectively, the "Service"). This Privacy Policy ("Policy") describes how we collect, use, process, store, disclose, and protect your personal information when you access or use our Service, visit our website, communicate with us, or otherwise interact with our platform.

This Policy applies to all individuals who access or use the Service, including registered users, trial users, demo account users, team members, administrators, and visitors (collectively, "Users" or "you"). By accessing or using the Service, you acknowledge that you have read, understood, and agree to the practices described in this Policy.

We are committed to compliance with applicable data protection laws, including but not limited to: the General Data Protection Regulation (EU) 2016/679 ("GDPR"); the UK General Data Protection Regulation ("UK GDPR"); the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 ("CCPA/CPRA"); the Health Insurance Portability and Accountability Act of 1996, as amended ("HIPAA"); and other applicable federal, state, and international privacy and data protection laws.

2. Definitions

For the purposes of this Policy, the following terms shall have the meanings set forth below:

"Personal Data" means any information relating to an identified or identifiable natural person, as defined under the GDPR, or "Personal Information" as defined under the CCPA/CPRA.
"Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.
"Controller" or "Business" means the entity that determines the purposes and means of Processing Personal Data. GeneChef acts as the Controller/Business with respect to User account data.
"Processor" or "Service Provider" means an entity that Processes Personal Data on behalf of the Controller. GeneChef acts as a Processor with respect to research data uploaded by Users.
"Protected Health Information" or "PHI" means individually identifiable health information as defined under HIPAA, including demographic data, that relates to an individual's past, present, or future physical or mental health condition.
"Research Data" means any datasets, workflows, analysis results, genomic sequences, or other scientific data uploaded to or generated through the Service.
"Sub-processor" means any third-party entity engaged by GeneChef to Process Personal Data on behalf of Users.

3. Data Controller and Contact Information

GeneChef, LLC is the data controller responsible for your Personal Data. If you have any questions, concerns, or requests regarding this Policy or our data practices, you may contact us using the following information:

GeneChef, LLC
Email: support@genechef.io
Data Protection Officer: support@genechef.io

Our Data Protection Officer ("DPO") oversees compliance with applicable data protection laws and serves as the primary point of contact for data subjects, supervisory authorities, and internal stakeholders on matters relating to the Processing of Personal Data.

4. Categories of Personal Data We Collect

4.1 Information You Provide Directly

We collect Personal Data that you voluntarily provide when you register for an account, subscribe to a plan, use the Service, or communicate with us:

Account registration data: name, email address, password, and organization affiliation
Profile information: job title, research interests, institutional affiliation, and professional role
Billing and payment data: subscription tier, billing address, and payment method details (processed and stored by our payment processor, Stripe, Inc.; we do not store full credit card numbers)
Research Data: datasets, genomic sequences, workflow definitions, analysis parameters, and results that you upload, create, or generate through the Service
AI interaction data: queries submitted to our AI-powered workflow generation and chat features
Team management data: team names, member email addresses, roles, and permissions
Communications: messages, feedback, support requests, and correspondence you send to us
GDPR consent records: your cookie preferences and consent choices

4.2 Information Collected Automatically

When you access or use the Service, we automatically collect certain technical and usage information:

Device and browser information: device type, operating system, browser type and version, screen resolution, and language preferences
Network information: IP address, approximate geolocation (city/region level), internet service provider, and referring URL
Usage and interaction data: pages visited, features used, buttons clicked, time spent on pages, navigation paths, search queries, and session duration
Performance metrics: Core Web Vitals (Largest Contentful Paint, First Input Delay, Cumulative Layout Shift, Interaction to Next Paint, Time to First Byte), page load times, and error rates
Service usage metrics: workflow execution counts, dataset sizes, AI query counts, GPU compute hours, storage utilization, and concurrent job counts
Log data: server logs, error logs, access logs, and audit trail records
Distributed tracing data: request traces across service components for performance monitoring and debugging

4.3 Information from Third Parties

Authentication providers: identity verification data from Amazon Cognito (our identity provider)
Payment processor: transaction status, subscription status, and billing events from Stripe
Error tracking: anonymized error reports and session replay data from Sentry

4.4 Sensitive Data and Special Categories

We do not intentionally collect sensitive personal data or special categories of data (such as racial or ethnic origin, political opinions, religious beliefs, genetic data for identification purposes, or biometric data for identification). However, Research Data uploaded by Users may contain genomic or health-related information. Such data is treated with the highest level of protection and is processed solely as instructed by the User in their capacity as the data controller of their Research Data. Where Research Data constitutes PHI under HIPAA, additional safeguards apply as described in Section 14.

5. Purposes and Legal Bases for Processing

We process your Personal Data for the following purposes, each supported by a lawful basis under the GDPR (Article 6) and, where applicable, Article 9:

5.1 Performance of Contract (Article 6(1)(b))

Providing, operating, and maintaining the Service, including account creation, authentication, and access management
Processing and executing bioinformatics workflows, AI-powered analysis, and dataset management
Managing your subscription, processing payments, enforcing usage limits, and handling billing inquiries
Providing customer support and responding to your requests
Enabling team collaboration features, including workspace permissions and workflow sharing

5.2 Legitimate Interests (Article 6(1)(f))

Analyzing usage patterns and performance metrics to improve the Service, optimize infrastructure, and enhance user experience
Monitoring system health, detecting anomalies, and troubleshooting technical issues through distributed tracing and log analysis
Preventing fraud, abuse, and unauthorized access to the Service
Enforcing our Terms of Service and acceptable use policies
Conducting internal research and development to improve our AI models and bioinformatics capabilities (using aggregated, de-identified data only)
Communicating with you about service updates, security alerts, and administrative notices

5.3 Consent (Article 6(1)(a))

Placing non-essential cookies and similar tracking technologies (analytics and marketing cookies)
Sending promotional communications and product announcements (where required by law)
Processing session replay data for user experience improvement (via Sentry)

5.4 Legal Obligation (Article 6(1)(c))

Maintaining audit logs and access records as required by HIPAA (6-year retention period)
Responding to lawful requests from regulatory authorities, law enforcement, or courts
Complying with tax, accounting, and financial reporting obligations
Fulfilling data subject rights requests under GDPR, CCPA/CPRA, and other applicable laws

5.5 Vital Interests (Article 6(1)(d))

In exceptional circumstances, we may process Personal Data to protect the vital interests of a data subject or another natural person, such as in the event of a security breach that poses a risk to individuals.

6. Cookies and Tracking Technologies

We use cookies and similar technologies (including local storage, session storage, and pixel tags) to collect information about your interactions with the Service. Cookies are small text files placed on your device that enable us to recognize your browser and remember certain information.

6.1 Categories of Cookies

Strictly Necessary Cookies: Essential for the operation of the Service, including authentication tokens, session management, CSRF protection, and security headers. These cookies cannot be disabled. Legal basis: Legitimate interest / performance of contract.
Performance and Analytics Cookies: Collect information about how you use the Service, including page views, navigation paths, Core Web Vitals, and error rates. This data is used to improve Service performance and user experience. Providers include our self-hosted monitoring stack (InfluxDB/Telegraf). Legal basis: Consent.
Functional Cookies: Enable enhanced functionality and personalization, such as remembering your preferences, language settings, and display options. Legal basis: Consent.
Error Tracking Cookies: Used by Sentry for error reporting, performance monitoring, and session replay to identify and resolve technical issues. Legal basis: Consent.

6.2 Managing Cookie Preferences

Upon your first visit, we present a cookie consent banner that allows you to accept or reject non-essential cookies. You may modify your cookie preferences at any time through the cookie settings accessible in the footer of our website. You may also configure your browser to block or delete cookies; however, doing so may impair certain features of the Service. Strictly necessary cookies cannot be disabled as they are required for the Service to function.

We do not sell, rent, or trade your Personal Data to third parties. We may share your Personal Data only in the following circumstances and with the following categories of recipients:

7.1 Infrastructure and Hosting Providers

Amazon Web Services, Inc. ("AWS") provides the cloud infrastructure on which the Service operates, including compute (Amazon EKS), database (Amazon Aurora PostgreSQL), storage (Amazon S3, Amazon EFS), AI services (Amazon Bedrock), identity management (Amazon Cognito), and monitoring services (Amazon CloudWatch, AWS CloudTrail). AWS processes data in the United States (us-east-2 region) and is bound by the AWS Data Processing Addendum and Standard Contractual Clauses.

7.2 Payment Processing

Stripe, Inc. processes all payment transactions. Stripe receives your billing information, payment method details, and transaction data necessary to process subscriptions and metered billing. Stripe is PCI DSS Level 1 certified. We do not store full credit card numbers on our systems. Stripe's privacy policy is available at https://stripe.com/privacy.

7.3 Error Tracking and Monitoring

Sentry (Functional Software, Inc.) receives error reports, performance data, and session replay information to help us identify and resolve technical issues. Session replay data is collected only with your consent and is subject to data masking to exclude sensitive inputs.

7.4 AI Services

Amazon Bedrock processes AI queries submitted through our workflow generation and chat features. Queries are processed using Anthropic's Claude models via Amazon Bedrock's cross-region inference. Amazon Bedrock does not use your inputs or outputs to train foundation models. All model invocations are logged to CloudWatch with 6-year retention for HIPAA audit compliance.

7.5 Legal and Regulatory Disclosures

We may disclose your Personal Data if required to do so by law, regulation, legal process, or governmental request, or when we believe in good faith that disclosure is necessary to: (a) comply with a legal obligation; (b) protect and defend our rights or property; (c) prevent fraud or other illegal activity; (d) protect the personal safety of Users or the public; or (e) protect against legal liability.

7.6 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your Personal Data may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on the Service of any change in ownership or uses of your Personal Data, as well as any choices you may have regarding your Personal Data.

8. Data Security

We implement comprehensive technical and organizational measures designed to protect your Personal Data against unauthorized access, alteration, disclosure, or destruction. These measures include, but are not limited to:

Encryption at rest using customer-managed AWS KMS keys (AES-256) for all databases, file systems, and object storage
Encryption in transit using TLS 1.2 or higher for all data transmissions
Multi-factor authentication (MFA) required for all user accounts
OAuth 2.0 with PKCE authentication flow via Amazon Cognito
JWT-based session management with signature verification against Cognito JWKS
Web Application Firewall (AWS WAF v2) with managed rule sets for common vulnerabilities, SQL injection, and known bad inputs
Rate limiting on all API endpoints to prevent abuse and denial-of-service attacks
Nonce-based Content Security Policy (CSP) and comprehensive security headers (HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy)
Network isolation via Amazon VPC with private subnets, VPC endpoints, and security groups
Principle of least privilege for all IAM roles and service accounts
Comprehensive audit logging via AWS CloudTrail with log file validation
Automated vulnerability scanning and dependency monitoring
Circuit breaker patterns and resilience controls for all external service integrations
Non-root container execution (UID 1001) for all application workloads
Secrets management via AWS Secrets Manager with automatic rotation capabilities

While we strive to use commercially acceptable means to protect your Personal Data, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security, but we are committed to promptly addressing any security incidents in accordance with our incident response procedures and applicable breach notification laws.

9. Data Retention

We retain your Personal Data only for as long as necessary to fulfill the purposes for which it was collected, to comply with our legal obligations, to resolve disputes, and to enforce our agreements. The specific retention periods are as follows:

Account data: Retained for the duration of your account and for 30 days following account deletion to allow for recovery, after which it is permanently deleted
Research Data and workflows: Retained for the duration of your account. Upon account deletion or your request, Research Data is deleted within 30 days unless retention is required by law
Billing and transaction records: Retained for 7 years as required by tax and accounting regulations
Audit logs and access records: Retained for 6 years (2,192 days) as required by HIPAA compliance obligations
S3 access logs: Retained for 6 years with automatic transition to Amazon S3 Glacier storage after 90 days
AI model invocation logs: Retained for 6 years in CloudWatch for HIPAA audit trail compliance
Server and application logs: Retained for 90 days for operational purposes
Cookie consent records: Retained for 3 years as evidence of consent under GDPR
Support communications: Retained for 3 years following resolution
Temporary upload staging data: Automatically deleted after 24 hours via S3 lifecycle policy

When Personal Data is no longer required, it is securely deleted or anonymized in accordance with our data destruction procedures. Backup copies may persist for up to an additional 30 days before being overwritten.

If you are located in the European Economic Area or the United Kingdom, you have the following rights under the GDPR and UK GDPR, subject to applicable exceptions and limitations:

Right of Access (Article 15): You have the right to obtain confirmation as to whether your Personal Data is being processed and, if so, to access that data along with information about the purposes of processing, categories of data, recipients, retention periods, and the existence of automated decision-making.
Right to Rectification (Article 16): You have the right to obtain the correction of inaccurate Personal Data and to have incomplete data completed.
Right to Erasure (Article 17): You have the right to request the deletion of your Personal Data where: (a) it is no longer necessary for the purposes for which it was collected; (b) you withdraw consent; (c) you object to processing and there are no overriding legitimate grounds; (d) the data has been unlawfully processed; or (e) erasure is required by law. This right is subject to exceptions, including where retention is necessary for compliance with legal obligations (e.g., HIPAA audit logs).
Right to Restriction of Processing (Article 18): You have the right to restrict processing where: (a) you contest the accuracy of the data; (b) processing is unlawful and you oppose erasure; (c) we no longer need the data but you require it for legal claims; or (d) you have objected to processing pending verification of legitimate grounds.
Right to Data Portability (Article 20): You have the right to receive your Personal Data in a structured, commonly used, and machine-readable format (JSON or CSV) and to transmit that data to another controller without hindrance.
Right to Object (Article 21): You have the right to object to processing based on legitimate interests or for direct marketing purposes. Where you object, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
Right to Withdraw Consent (Article 7(3)): Where processing is based on consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
Right Not to Be Subject to Automated Decision-Making (Article 22): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you. Our AI-powered features provide recommendations and suggestions but do not make automated decisions with legal or similarly significant effects.

To exercise any of these rights, please visit your account settings (which provides self-service data export and account deletion) or contact us at support@genechef.io. We will respond to your request within 30 days, or within the timeframe required by applicable law. We may request verification of your identity before processing your request.

You also have the right to lodge a complaint with your local supervisory authority. A list of EEA supervisory authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en.

11. Your Rights Under the CCPA/CPRA (California Residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:

Right to Know: You have the right to request that we disclose the categories and specific pieces of Personal Information we have collected about you, the categories of sources, the business or commercial purposes for collection, and the categories of third parties with whom we share your data.
Right to Delete: You have the right to request deletion of your Personal Information, subject to certain exceptions.
Right to Correct: You have the right to request correction of inaccurate Personal Information.
Right to Opt-Out of Sale/Sharing: We do not sell your Personal Information. We do not share your Personal Information for cross-context behavioral advertising purposes.
Right to Limit Use of Sensitive Personal Information: To the extent we process sensitive Personal Information, you have the right to limit its use to purposes necessary to provide the Service.
Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.

To exercise these rights, contact us at support@genechef.io or use the self-service tools in your account settings. We will verify your identity before processing your request and respond within 45 days, with a possible 45-day extension upon notice.

12. International Data Transfers

The Service is hosted on AWS infrastructure in the United States (us-east-2 region, Ohio). Your Personal Data may be transferred to, stored in, and processed in the United States or other countries where our sub-processors operate. These countries may have data protection laws that differ from those in your jurisdiction.

For transfers of Personal Data from the EEA, UK, or Switzerland to countries that have not received an adequacy decision from the European Commission, we rely on the following safeguards:

Standard Contractual Clauses (SCCs) approved by the European Commission (Commission Implementing Decision (EU) 2021/914), supplemented by transfer impact assessments where required
The UK International Data Transfer Agreement or UK Addendum to the EU SCCs, as applicable
Data Processing Agreements with all sub-processors that include appropriate data protection obligations
Additional technical measures including encryption, pseudonymization, and access controls

You may request a copy of the applicable transfer safeguards by contacting support@genechef.io.

13. Children's Privacy

The Service is not directed to, and we do not knowingly collect Personal Data from, children under the age of 16 (or such higher age as may be required by applicable law in your jurisdiction). If we become aware that we have collected Personal Data from a child under the applicable minimum age without verified parental consent, we will take steps to delete that information promptly. If you believe that a child has provided us with Personal Data, please contact us at support@genechef.io.

14. HIPAA Compliance and Protected Health Information

GeneChef recognizes that certain Users, particularly those in healthcare and clinical research, may upload or process Protected Health Information (PHI) through the Service. We have implemented the following safeguards to support HIPAA compliance:

Encryption at rest (AES-256 via AWS KMS) and in transit (TLS 1.2+) for all PHI
Multi-factor authentication required for all user accounts
Role-based access controls with principle of least privilege
Comprehensive audit logging with 6-year (2,192-day) retention via AWS CloudTrail
Bedrock model invocation logging to CloudWatch with 6-year retention
S3 access logging with 6-year retention and Glacier archival after 90 days
Automatic session timeout and account lockout policies
Incident response and breach notification procedures

For Enterprise customers who require a Business Associate Agreement (BAA) under HIPAA, please contact sales@genechef.io. The BAA will define the permitted uses and disclosures of PHI, establish safeguards, and outline breach notification obligations. GeneChef will not use or disclose PHI except as permitted or required by the BAA and applicable law.

Users are responsible for determining whether their use of the Service involves PHI and for ensuring that they have obtained all necessary authorizations and consents from data subjects before uploading PHI to the Service.

15. Artificial Intelligence and Automated Processing

The Service incorporates AI-powered features, including workflow generation, dataset analysis, and a conversational chat interface powered by large language models (Anthropic Claude via Amazon Bedrock). When you use these features:

Your queries and prompts are transmitted to Amazon Bedrock for processing. Amazon Bedrock does not use your inputs or outputs to train or improve foundation models.
AI responses may be augmented with information from our Retrieval-Augmented Generation (RAG) system, which uses Galaxy documentation stored in Amazon Aurora PostgreSQL with pgvector.
We log all AI model invocations (including prompts and responses) to CloudWatch for audit, compliance, and quality assurance purposes, with a 6-year retention period.
AI features provide recommendations and suggestions only. No automated decisions with legal or similarly significant effects are made solely by AI without human review.
We do not use your Research Data or AI interaction data to train, fine-tune, or improve AI models.

16. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will:

Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33
Notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms, as required by GDPR Article 34
Notify affected individuals as required by HIPAA Breach Notification Rule (45 CFR §§ 164.400-414) for breaches involving unsecured PHI
Notify the California Attorney General if a breach affects more than 500 California residents, as required by the CCPA
Document all breaches, including facts, effects, and remedial actions taken, regardless of whether notification is required

17. Third-Party Links and Services

The Service may contain links to third-party websites, services, or resources that are not operated or controlled by GeneChef, including Galaxy Project documentation, public dataset repositories, and scientific databases. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party services you access through the Service. This Policy applies solely to information collected by GeneChef through the Service.

18. Do Not Track Signals

Some browsers transmit "Do Not Track" (DNT) signals to websites. Because there is no universally accepted standard for how to respond to DNT signals, we do not currently respond to DNT signals. However, you may manage your cookie preferences through our cookie consent banner and browser settings as described in Section 6.

19. Changes to This Privacy Policy

We may update this Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will: (a) update the "Last Updated" date at the top of this Policy; (b) provide notice via email to the address associated with your account; and (c) post a prominent notice on the Service. We encourage you to review this Policy periodically. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised Policy. If you do not agree with the changes, you should discontinue use of the Service and request deletion of your account.

20. Governing Law and Dispute Resolution

This Policy shall be governed by and construed in accordance with the laws of the State of Delaware, United States, without regard to its conflict of law provisions, except to the extent that mandatory data protection laws of your jurisdiction apply (including the GDPR for EEA/UK residents). Any disputes arising out of or relating to this Policy shall be resolved in accordance with the dispute resolution provisions set forth in our Terms of Service.

21. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

GeneChef, LLC
Email: support@genechef.io
Data Protection Officer: support@genechef.io
Legal Department: support@genechef.io

For EEA and UK residents, you have the right to lodge a complaint with your local data protection supervisory authority if you believe that our processing of your Personal Data violates applicable data protection law.

For California residents, you may also contact the California Attorney General at https://oag.ca.gov/contact.