Plain English. No legalese.
Your DNA file is the most personal data you'll ever upload anywhere. Here's exactly what we do with it and exactly what we don't.
What we collect
- The raw DNA file you upload (23andMe / AncestryDNA / MyHeritage .txt, .csv, or .zip).
- The label you optionally give it at upload ("Andrew", "Mom", etc.) so the report is identifiable to you.
- The IP address of the upload request, for rate-limiting and abuse prevention (kept in memory only — not stored long-term).
- Your email address, if and when you pay (collected by Stripe at checkout) so we can send you the URL of your report.
We do not collect: name, demographics, browsing history, cookies for tracking, advertising IDs, or anything else.
Where it lives
Your uploaded file, the derived variant-call VCF, the PharmCAT output, and the LLM narration cache all live in a single per-session directory on a persistent volume attached to our app server (hosted on Fly.io in the United States). The volume is encrypted at rest by the host. Only the PharmTwin application can read it.
Each session has a long unguessable URL (128 bits of entropy). The URL is the access token — whoever holds the URL can read the report. We email it only to you at payment time. Treat it like a Google Docs share-by-link URL.
What gets sent to OpenAI
The plain-English explanations and the conversational chat use OpenAI's gpt-4o-mini.
The data we send OpenAI is limited to:
- Your gene-level results — e.g. "CYP2C19 Poor Metabolizer", "RYR1 Uncertain Susceptibility".
- The verbatim CPIC / DPWG / FDA recommendation text for the drug being discussed (which is public-domain, already on cpicpgx.org).
- Your typed question, when you use the chat.
We never send: your raw DNA sequence, individual rsID numbers, your name, your email, your IP, or any other identifying detail. OpenAI's API policy means anything sent through the API is not used to train their models.
What we never do
- We do not sell your data. Not to insurers, not to drugmakers, not to data brokers, not to anybody.
- We do not share your data with 23andMe, AncestryDNA, MyHeritage, or any other consumer-genomics company. Your upload is not "uploaded back" — it stays here.
- We do not use your data to train AI models. Not ours, not OpenAI's. (OpenAI's API tier excludes inputs from training by default.)
- We do not show advertisements or have any advertising business model.
- We do not require an account, demographics, or any identifying information beyond an email at payment time.
Deletion
Email hello@pharmtwin.com with your session URL or the email you used at payment, and we'll delete your raw upload, the derived VCF, the PharmCAT output, the narration cache, and the session record within 48 hours. We'll confirm the deletion by email.
Disclosure obligations
PharmTwin is not a HIPAA covered entity (we're a direct-to-consumer educational service, not a healthcare provider). If we were ever compelled by a valid US legal process to disclose data about an account, we would. We have no government-facing data-sharing programs and no current or past requests on file.
One last honest thing
We're a small, independent operation. We will publish a notice on this page if any of the above ever changes. If you read something here that feels misleading or under-specified, email us — we'd rather rewrite this page than overpromise.