Privacy Policy

1. Introduction

Level Genomics LLC ("Level Genomics," "we," "us," or "our") provides direct-to-consumer clinical-grade whole genome sequencing and AI-powered genomic health insights. We are committed to protecting your privacy and your genetic data. This Privacy Policy describes how we collect, use, store, share, and protect information obtained through our website (levelgenomics.com), mobile applications, and services (collectively, the "Services").

We comply with all applicable federal and state laws governing the collection, use, storage, and disclosure of genetic information, including the Genetic Information Nondiscrimination Act (GINA), the Health Insurance Portability and Accountability Act (HIPAA) where applicable, the Federal Trade Commission Act (Section 5), and state-specific genetic privacy laws. Our data practices are designed to meet the most protective standard among all applicable jurisdictions.

By using our Services, you agree to the practices described in this Privacy Policy. If you do not agree, please do not use our Services.

2. Definitions

• "Genetic Data" means any data that results from the analysis of a biological sample provided by you, including raw sequence data (FASTQ, BAM, VCF files), genotype data, variant calls, and any information derived from the processing of such data.
• "Biological Sample" means the physical saliva sample you provide for sequencing.
• "Personal Information" means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with you.
• "Sensitive Personal Information" includes your Genetic Data, health information, racial or ethnic origin, and biometric data.
• "AI Health Insights" means the informational reports and analysis generated by your personal genomic research assistant based on your Genetic Data and, where provided, your biomarker or health data.

3. Information We Collect

3.1. Information You Provide

• Account Information: Name, email address, mailing address, date of birth, and payment information when you create an account and place an order.
• Biological Sample: The saliva sample you provide for whole genome sequencing.
• Self-Reported Health Information: Any health data, lab results, or biomarker information you voluntarily provide to enhance your AI Health Insights.
• Communications: Messages, questions, and interactions you have with our personal genomic research assistant and support team.

3.2. Information Generated by Our Services

• Genetic Data: Raw sequence data (FASTQ files), aligned sequence data (BAM files), and variant call files (VCF files) generated from your biological sample through whole genome sequencing.
• AI Health Insights: Analysis reports generated from comparing your Genetic Data against clinical databases including ClinVar, as well as pharmacogenomic, metabolic, cardiovascular, and other health-related interpretations.

3.3. Automatically Collected Information

• Usage Data: IP address, browser type, device identifiers, pages visited, and interaction patterns.
• Cookies and Similar Technologies: We use strictly necessary cookies for site functionality. We do not use advertising or tracking cookies that target you based on your Genetic Data.

4. How We Use Your Information

4.1. Primary Uses (Require Initial Consent)

• Processing your biological sample to generate your whole genome sequencing data.
• Generating your AI Health Insights by analyzing your Genetic Data against clinical databases and peer-reviewed research.
• Providing you access to your Genetic Data and raw data files (VCF, BAM, FASTQ) for download.
• Managing your account and processing transactions.
• Communicating with you about your order, results, and account.

4.2. Uses That Require Separate Express Consent

We will never use your Genetic Data for the following purposes without first obtaining your separate, express, written consent:

• Sharing Genetic Data with any third party (other than our CLIA-certified sequencing laboratory partner for the sole purpose of performing your sequencing).
• Using your Genetic Data for research purposes.
• Using your Genetic Data for marketing, advertising, or promotional purposes.
• Retaining your biological sample after sequencing is complete.
• Any use of your Genetic Data beyond the primary purpose of providing you with your sequencing results and AI Health Insights.

5. How We Protect Your Information

• Encryption: All Genetic Data is encrypted at rest using AES-256 encryption and in transit using TLS 1.3.
• Access Controls: Access to Genetic Data is restricted to authorized personnel on a need-to-know basis, with multi-factor authentication and audit logging.
• Security Program: We maintain a comprehensive information security program that includes regular vulnerability assessments, penetration testing, employee training, and incident response procedures.
• De-identification: When data is used for improving our services (with your consent), we use de-identification and aggregation techniques to minimize privacy risk.
• Infrastructure: Our systems are hosted in SOC 2 Type II certified data centers with physical security controls, redundancy, and disaster recovery.

6. Sharing and Disclosure of Information

6.1. We Never Sell Your Genetic Data

We do not sell, lease, rent, or trade your Genetic Data to any third party. We do not provide your Genetic Data to insurance companies, employers, or any entity for underwriting, coverage determination, or employment decisions.

6.2. Limited Sharing for Service Delivery

We share your biological sample and necessary identifying information with our CLIA-certified laboratory partner solely for the purpose of performing your whole genome sequencing. Our laboratory partner is contractually prohibited from using your sample or data for any purpose other than performing the sequencing service, and is required to destroy your biological sample after sequencing unless you provide separate express consent for retention.

6.3. At Your Direction

You may choose to share your Genetic Data or AI Health Insights with healthcare providers, genetic counselors, or other individuals. Any such sharing is at your sole direction and subject to your express consent, which you may revoke at any time.

6.4. Legal Requirements

We may disclose information if required by law, regulation, legal process, or governmental request, or if disclosure is necessary to protect the rights, property, or safety of Level Genomics, our users, or others. We will notify you of such disclosure to the extent permitted by law.

7. Your Rights and Choices

7.1. Access Your Data

You have the right to access your complete Genetic Data at any time through your account. You can download your full raw data files (VCF, BAM, and FASTQ formats) without restriction.

7.2. Delete Your Data

You have the right to request deletion of your account, Genetic Data, and all associated Personal Information. Upon receiving a verified deletion request, we will delete all copies of your Genetic Data from our active systems within 30 days and from backup systems within 90 days. We will provide written confirmation of deletion.

7.3. Destroy Your Biological Sample

You have the right to request destruction of your biological sample at any time. By default, we destroy biological samples after sequencing is complete unless you have provided separate express consent for retention. Upon revocation of any consent for sample retention, we will instruct our laboratory partner to destroy your biological sample within 30 days.

7.4. Withdraw Consent

You may withdraw any consent you have provided at any time by contacting us at privacy@levelgenomics.com or through your account settings. Withdrawal of consent does not affect the lawfulness of processing performed before withdrawal.

7.5. Data Portability

You have the right to receive your Genetic Data in a structured, commonly used, machine-readable format (VCF, BAM, FASTQ). We do not charge a fee for data export.

7.6. Correct Your Data

You have the right to correct inaccurate Personal Information associated with your account.

7.7. Opt Out

You have the right to opt out of the processing of your Personal Information for purposes of targeted advertising, the sale of Personal Information, or profiling in furtherance of decisions that produce legal or similarly significant effects. Note: We do not engage in any of these practices with Genetic Data.

8. Data Retention

We retain your Genetic Data for as long as your account is active and you maintain a personal genomic research assistant subscription. If you close your account or request deletion, we will delete your Genetic Data in accordance with Section 7.2 above.

Automatic Deletion for Non-Subscribers: Every kit purchase includes one free month of personal genomic research assistant access. If you choose not to continue with a paid subscription after your free month, your Genetic Data will be automatically deleted from our servers. No action is required on your part — deletion is the default. You will be notified before your free month ends and given the opportunity to download your raw data files (VCF, BAM, FASTQ) before deletion occurs.

Active Subscriber Deletion: Active subscribers may delete their account and all Genetic Data at any time through their account settings. Deletion is immediate upon request.

Biological samples are destroyed after sequencing is complete unless you have provided separate express consent for retention.

We may retain de-identified, aggregated data that cannot be used to identify you for service improvement purposes, but only where you have provided express consent and the data has been irreversibly de-identified.

9. Federal Genetic Nondiscrimination Protections

9.1. GINA Notice

The Genetic Information Nondiscrimination Act (GINA) is a federal law that protects individuals from genetic discrimination. Under GINA:

• Health Insurance: Health insurers cannot use genetic information to make coverage or premium decisions (Title I of GINA, amending HIPAA, ERISA, and the Public Health Service Act).
• Employment: Employers with 15 or more employees cannot use genetic information in hiring, firing, promotion, or other employment decisions (Title II of GINA).

Limitations of GINA: Please be aware that GINA does not apply to life insurance, disability insurance, or long-term care insurance. Some states provide additional protections in these areas (see Section 10). Additionally, GINA does not apply to employers with fewer than 15 employees, members of the military, or federal employees covered by separate statutes.

9.2. HIPAA

To the extent that Level Genomics acts as a covered entity or business associate under the Health Insurance Portability and Accountability Act (HIPAA), we comply with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule in our handling of protected health information (PHI), including genetic information.

9.3. FTC Act

The Federal Trade Commission (FTC) has identified genetic data privacy as an enforcement priority under Section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices. We commit to:

• Honoring all representations made in this Privacy Policy.
• Never making retroactive changes to how we use previously collected Genetic Data without providing adequate notice and obtaining your consent.
• Maintaining data security measures commensurate with the sensitivity of genetic information, including third-party security assessments.
• Instructing our laboratory partners to destroy biological samples that have been retained beyond 180 days unless separate express consent for retention has been obtained.

9.4. DOJ Bulk Data Rule

Effective April 8, 2025, the U.S. Department of Justice prohibits bulk transfers of sensitive personal data — including genomic data — to designated countries of concern (currently China, Cuba, Iran, North Korea, Russia, and Venezuela). Level Genomics does not store Genetic Data in, or permit access to Genetic Data from, any country of concern. We do not use genetic sequencing software sourced from countries of concern.

10. State-Specific Genetic Privacy Rights

In addition to federal protections, many states have enacted laws that provide additional protections for genetic information. The following disclosures are provided to comply with these state laws. Where state law provides greater protections than our standard practices, we follow the more protective standard.

10.1. California

California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA): Under California law, genetic information is classified as "sensitive personal information." California residents have the right to:

• Know what personal information is collected and how it is used.
• Delete personal information held by businesses.
• Opt-out of the sale or sharing of personal information.
• Limit the use and disclosure of sensitive personal information, including genetic data.
• Non-discrimination for exercising privacy rights.

We do not sell or share your personal information as defined under the CCPA/CPRA. To exercise your rights, contact us at privacy@levelgenomics.com.

California Genetic Information Nondiscrimination Act (CalGINA, Cal. Gov. Code §12940): CalGINA extends genetic nondiscrimination protections beyond GINA to cover housing, mortgage lending, education, and emergency services. California law also prohibits life, disability, and long-term care insurers from using genetic information in coverage decisions (Cal. Ins. Code §10149.1).

California Genetic Information Privacy Act (CalGIPA, SB-41): CalGIPA requires express consent for collection, use, or disclosure of genetic data with specific disclosure of who has access and how data may be shared. Separate express consent is required for biological sample storage after initial testing, each use beyond the primary purpose, and each transfer to third parties. We will destroy biological samples within 30 days of consent revocation. California residents may file complaints with the California Attorney General. Penalties range from $1,000 per negligent violation to $10,000 per intentional violation.

10.2. Illinois

Illinois Genetic Information Privacy Act (GIPA, 410 ILCS 513/): Illinois law requires that we obtain written informed consent before collecting, storing, or disclosing genetic information. Under GIPA:

• No person may collect a genetic sample without the written, informed consent of the individual.
• Genetic information may not be disclosed without the individual's written consent.
• An individual may recover damages for unauthorized collection, retention, or disclosure.

We obtain your express written consent before collecting your biological sample and processing your genetic information.

10.3. New York

New York Civil Rights Law §79-l: New York law requires written informed consent before performing genetic testing and prohibits unauthorized disclosure of genetic test results. Genetic information may not be used for insurance underwriting purposes. Results of genetic tests are confidential and may only be released to the individual tested or to persons specifically authorized by such individual. As required by New York law, we advise you that you may wish to obtain professional genetic counseling prior to consenting to genetic testing. Willful violations of New York genetic privacy law constitute a misdemeanor.

10.4. Florida

Florida Genetic Information Privacy Act (Fla. Stat. §760.40): DNA analysis results are the exclusive property of the person tested and may not be disclosed without the individual's consent. Florida law provides that genetic information may not be used as a basis for insurance coverage decisions.

10.5. Virginia

Virginia Consumer Data Protection Act (VCDPA) and Virginia Genetic Data Privacy Law (Va. Code §59.1-590 et seq.): Virginia law requires express consent before collecting, using, or disclosing genetic data through direct-to-consumer genetic testing. Express consent must be in clear and prominent language that an ordinary consumer would notice and understand, and may not be inferred from inaction. Separate express consent is required for each use of genetic data beyond the primary purpose of genetic testing.

10.6. Colorado

Colorado Privacy Act (CPA, C.R.S. §6-1-1301 et seq.): Colorado law classifies genetic and biological data as sensitive data requiring affirmative consent before collection and processing. Consent must be freely given, specific, informed, and unambiguous. Acceptance of broad terms of service does not constitute consent under the CPA.

10.7. Connecticut

Connecticut Data Privacy Act (CTDPA, Conn. Gen. Stat. §42-515 et seq.): Genetic data is classified as sensitive data under the CTDPA. Controllers must obtain consumer consent before processing sensitive data, including genetic information. The 2025 amendments removed the requirement that genetic data be used to uniquely identify an individual, broadening protections.

10.8. Utah

Utah Genetic Information Privacy Act (GIPA, Utah Code §13-60): Utah law requires express consent for the collection, use, or disclosure of genetic information from direct-to-consumer genetic testing companies. Separate express consent is required for: (a) transfers or disclosures of genetic data to any third party; (b) use of information beyond the primary purpose of testing; and (c) retention of biological samples after testing. Consumers have the right to access their genetic data, delete their account and genetic data, and request destruction of their biological sample. Companies must maintain a comprehensive security program to protect genetic data.

10.9. Tennessee

Tennessee Genetic Information Privacy Act (Tenn. Code §47-18-4901 et seq.): Tennessee law requires initial express consent for the collection, use, or disclosure of genetic data. Separate express consent is required for marketing, research, and third-party sharing. Genetic information may not be shared with insurers or employers without consent. Consumers have the right to access and delete their genetic data.

10.10. Indiana

Indiana Genetic Data Privacy Law (HB 1521, Ind. Code §24-14): Effective May 6, 2025, Indiana law requires DTC genetic testing providers to obtain freely given, specific, informed, and unambiguous consent for additional testing, alternative uses, or third-party sharing. Companies must provide clear, written disclosure of privacy policies. Consumers have the right to access data, revoke consent, and request destruction of samples within specified timeframes. Indiana law prohibits genetic discrimination based on testing use or results and requires commercially reasonable security measures. Enforcement is through the Indiana Attorney General with penalties up to $7,500 per violation.

10.11. Texas

Texas Genetic Privacy Act (Tex. Health & Safety Code §58A): Texas law requires informed consent before collecting and analyzing a genetic sample. Genetic information may not be disclosed without the written consent of the individual. Direct-to-consumer genetic testing companies must provide a clear privacy notice, obtain separate consent for uses beyond primary testing, and provide access, deletion, and sample destruction rights. Under the Texas Genomic Act of 2025 (HB 130), effective September 1, 2025, genetic data of Texas residents may not be stored in or made accessible from countries of concern, and may not be transferred to foreign adversaries during bankruptcy or acquisition proceedings.

10.12. Montana

Montana Genetic Information Privacy Act (Mont. Code §44-6-101 et seq.): Montana law requires express consent for the collection and use of genetic data by direct-to-consumer genetic testing companies. Consumers have the right to access, delete, and request destruction of biological samples.

10.13. Arizona, Kentucky, Maryland, and Wyoming

These states have enacted genetic information privacy laws that require DTC genetic testing companies to provide privacy notices, obtain express consent before collection and use of genetic data, and provide consumer rights of access and deletion. We comply with the requirements of each of these states.

10.14. Other States

Many additional states have genetic nondiscrimination laws, comprehensive data privacy laws that cover genetic data as sensitive information, or genetic testing consent requirements. These include but are not limited to Alaska, Delaware, Georgia, Louisiana, Massachusetts, Michigan, Minnesota, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, North Carolina, Ohio, Oregon, Rhode Island, South Carolina, Vermont, Washington, and Wisconsin. We comply with all applicable state laws regarding the collection, use, storage, and disclosure of genetic information.

Where any state law provides protections greater than those described in this Privacy Policy, we apply the more protective standard to all users, regardless of their state of residence.

11. personal genomic research assistant Disclaimers

Our personal genomic research assistant provides informational analysis by comparing your Genetic Data against clinical databases (including the NIH ClinVar database), pharmacogenomic guidelines (CPIC), and published peer-reviewed research. The following important disclaimers apply:

• Not Medical Advice: The AI Health Insights provided by Level Genomics are for informational and educational purposes only. They do not constitute medical advice, diagnosis, or treatment. Always consult a qualified healthcare provider before making any medical decisions based on your genetic information.
• Not a Diagnostic Service: Level Genomics is not a clinical diagnostic laboratory. Our AI Health Insights are not clinical diagnostic test results and should not be used as a substitute for professional genetic counseling or clinical genetic testing.
• Limitations of Analysis: Whole genome sequencing, while comprehensive, has inherent technical limitations. Rare variant calls from consumer sequencing have documented false-positive rates and should be confirmed through clinical-grade confirmatory testing in a CLIA/CAP-accredited laboratory before clinical action is taken.
• Not Comprehensive: The absence of a finding in your AI Health Insights does not mean you are not at risk for a particular condition. Many health conditions are influenced by environmental factors, lifestyle, and genetic variants not covered by current analysis.
• Evolving Science: Genetic science is rapidly evolving. Interpretations may change as new research is published.

12. Children's Privacy

Our Services are not directed to children under the age of 18. We do not knowingly collect genetic information or personal information from children under 18. If a parent or guardian wishes to obtain genetic testing for a minor, the parent or guardian must provide consent and manage the minor's account. If we learn that we have collected personal information from a child under 18 without parental consent, we will delete that information promptly.

13. International Users

Our Services are currently available only in the United States. If you access our Services from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction.

14. Data Breach Notification

In the event of a data breach involving your Genetic Data or Personal Information, we will notify you in accordance with applicable federal and state breach notification laws. We will provide notice as promptly as practicable and without unreasonable delay, including a description of the breach, the types of information involved, steps we are taking to address the breach, and steps you can take to protect yourself.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting a notice on our website and, if the changes involve how we use your Genetic Data, by sending you an email notification at least 30 days before the changes take effect. Where required by law, we will obtain your consent before applying material changes to the way we process your Genetic Data.

16. Do Not Track

Our website honors Do Not Track (DNT) signals. When we detect a DNT signal, we disable non-essential analytics and tracking.

17. Authorized Agent

In states where permitted, you may designate an authorized agent to make privacy requests on your behalf. The authorized agent must provide proof of authorization and we may require you to verify your identity directly with us.

18. Non-Discrimination

We will not discriminate against you for exercising any of your privacy rights. We will not deny services, charge different prices, provide a different level of service, or suggest that you will receive a different level of service for exercising your rights under this Privacy Policy or applicable law.

19. Contact Us

If you have questions about this Privacy Policy, wish to exercise any of your rights, or have concerns about our data practices, please contact us:

• Email: privacy@levelgenomics.com
• Mail: Level Genomics LLC, Attn: Privacy Officer, [Address]

We will respond to verified requests within the timeframes required by applicable law (generally within 45 days, or 30 days where required by state law).

20. Consent Acknowledgment

By ordering a Level Genomics kit and providing your biological sample, you acknowledge that you have read and understood this Privacy Policy and provide your express consent for the collection, sequencing, and analysis of your Genetic Data as described in Section 4.1 (Primary Uses). Any additional uses of your Genetic Data as described in Section 4.2 will require your separate, express consent, which you may provide or withhold at your sole discretion.