Our Commitment to Privacy

Core Principle: At GenoBank.io, privacy is not about hiding data or making it fuzzy. Privacy is about giving patients complete control over their authentic, high-quality data, with full transparency about its use and fair compensation for its value.

GenoBank.io ("we," "us," "our") operates the GenoBank.io platform, including the Health Vault, genomic data management services, and associated applications accessible at genobank.io, *.genobank.app, and related domains. This unified document covers our Privacy Policy, Terms of Service, Health Data Disclosure, and regulatory compliance across all applicable jurisdictions.

Terms of Service

1. Acceptance of Terms

By accessing or using GenoBank.io and its associated services ("Services"), including the Health Vault, genomic data management, and biosample tracking platforms, you agree to be bound by these Terms. If you do not agree, do not use the Services.

2. Description of Services

GenoBank.io provides a patient-owned health and genomic data platform that enables individuals to:

  • Import and consolidate clinical health records via FHIR-compliant APIs
  • Store and manage genomic data (VCF, FASTQ, BAM files) from CLIA-certified laboratories
  • Control access to their data through blockchain-verified consent mechanisms
  • Access educational tools including variant annotation and pharmacogenomics insights
  • Share selected data with researchers or care providers with explicit, revocable consent

3. User Accounts and Authentication

Access requires Web3 wallet authentication. You are responsible for maintaining the security of your wallet credentials. GenoBank.io does not store passwords or private keys. Authentication is performed through cryptographic message signing.

4. Not Medical Advice

Important: The Services are for educational and informational purposes only. GenoBank.io does not provide medical diagnoses, treatment recommendations, or clinical advice. Variant annotations, pharmacogenomics insights, and AI-generated educational content support — but never replace — conversations with your healthcare provider.

5. Limitation of Liability

GenoBank.io provides the Services "as is" without warranties of any kind. We are not liable for damages arising from your use of the Services, including decisions made based on data displayed in the platform.

6. Prohibited Uses

You may not: attempt unauthorized access to other users' data; reverse-engineer the platform; use automated systems to scrape data; or violate any applicable law or regulation.

Data We Collect

Information You Provide

  • Wallet Address — Your Ethereum-compatible blockchain address (public, pseudonymous)
  • Genomic Files — VCF, BAM, FASTQ, and raw genomic data you upload from laboratories
  • Health Records — Clinical data you import from your hospital via FHIR (see Health Records section)
  • Biosample Information — DNA kit activation data and biosample metadata
  • Email — Optional, only if you choose Google OAuth authentication

Information Collected Automatically

  • Usage Data — Pages visited, features used, timestamps (no personal identifiers)
  • Device Information — Browser type, operating system (for compatibility)

Information We Do NOT Collect

  • Passwords or private keys (Web3 authentication is keyless)
  • Government IDs or Social Security numbers
  • Location data beyond country-level (for regulatory compliance)
  • Behavioral profiles for advertising

How We Use Data

  • Display & Access — Show your health and genomic data in your personal dashboard
  • Education — Provide plain-language explanations of medical and genomic terms
  • Analysis — Run variant annotation, pharmacogenomics, and ancestry analysis tools you initiate
  • Consent Management — Track and enforce your data sharing preferences
  • Service Improvement — Aggregate, de-identified usage statistics only

We NEVER: sell your data, use it for advertising, share it without your explicit consent, or train AI models on your data without your authorization and fair compensation.

Storage & Security

  • All data transmitted via TLS 1.3 encryption
  • Data at rest encrypted using AES-256
  • Infrastructure hosted on Google Cloud Platform (SOC 2, ISO 27001 compliant)
  • Access controlled via cryptographic wallet authentication (no passwords stored)
  • Consent records stored on blockchain for immutable audit trail
  • Regular security audits and penetration testing

Data Sharing

Your data is shared only when:

  1. You explicitly authorize it — through the consent management interface
  2. Required by law — in response to valid legal process (we will notify you unless prohibited)
  3. Service providers — infrastructure partners (Google Cloud, Cloudflare) who process data on our behalf under strict data processing agreements

We do not sell, rent, or trade your personal or health data to any third party.

Patient Data Ownership

You own your data. GenoBank.io acts as a custodian, not an owner. Your rights include:

  • Right to Access — View all your data at any time
  • Right to Export — Download in standard formats (FHIR JSON, VCF, PDF)
  • Right to Delete — Request complete erasure of your data
  • Right to Revoke — Withdraw any previously granted consent instantly
  • Right to Attribution — Receive credit when your data contributes to research
  • Right to Compensation — Participate economically when your data generates value

Health Records — FHIR Patient Access (FHIR R4)

GenoBank.io Health Vault uses the FHIR Patient Access API (HL7 FHIR R4, SMART on FHIR) to import your clinical records from participating hospital systems (e.g., Epic MyChart). This section explains what data we access, how, and your controls.

What Data We Access

When you connect your hospital patient portal, we request read-only access to:

| FHIR Resource | Data |
|---|---|
| Patient | Demographics (name, DOB, contact) |
| Condition | Active and resolved diagnoses (ICD-10) |
| MedicationRequest | Current and past prescriptions |
| Observation | Lab results, vitals, reference ranges |
| AllergyIntolerance | Known allergies and adverse reactions |
| Immunization | Vaccination history |
| Procedure | Surgical and clinical procedures |
| DiagnosticReport | Pathology and radiology reports |
| DocumentReference | Clinical notes, discharge summaries |
| Encounter | Visit history |

How We Access Your Data

  1. You initiate the connection by selecting your hospital and clicking "Connect"
  2. You authenticate directly with your hospital — GenoBank.io never receives your portal username or password
  3. Your hospital asks for your authorization before sending any data
  4. Data is transmitted via secure, encrypted FHIR API directly to your personal vault

Your Controls

  • Disconnect anytime — Revoke access through your hospital portal or GenoBank dashboard
  • Delete imported data — Remove all health records from GenoBank.io
  • Export — Download your records in FHIR JSON format
  • Granular sharing — Share specific records with specific parties
  • Revoke sharing — Withdraw shared access at any time

GDPR Compliance (EU)

For individuals in the European Economic Area (EEA), United Kingdom, and Switzerland, we comply with the General Data Protection Regulation (EU) 2016/679:

Legal Basis for Processing

  • Consent (Article 6(1)(a)) — You explicitly consent to data processing when connecting your wallet, uploading files, or importing health records
  • Contract Performance (Article 6(1)(b)) — Processing necessary to provide the Services you requested
  • Legitimate Interest (Article 6(1)(f)) — Service security and fraud prevention

Your GDPR Rights

  • Right of Access (Art. 15) — Obtain a copy of all your personal data
  • Right to Rectification (Art. 16) — Correct inaccurate data
  • Right to Erasure (Art. 17) — Request deletion of your data ("right to be forgotten")
  • Right to Restriction (Art. 18) — Limit processing of your data
  • Right to Data Portability (Art. 20) — Receive your data in machine-readable format
  • Right to Object (Art. 21) — Object to processing based on legitimate interest
  • Right to Withdraw Consent (Art. 7(3)) — Withdraw consent at any time without affecting prior lawful processing

Data Protection Officer

Contact our DPO at [email protected]. You also have the right to lodge a complaint with your local supervisory authority.

International Transfers

Data may be processed on servers in the United States (Google Cloud Platform). We rely on Standard Contractual Clauses (SCCs) approved by the European Commission for data transfers outside the EEA.

CCPA / CPRA Compliance (California)

For California residents, we comply with the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

Your CCPA Rights

  • Right to Know — What personal information we collect, use, and disclose
  • Right to Delete — Request deletion of your personal information
  • Right to Opt-Out of Sale — We do not sell your personal information. Period.
  • Right to Non-Discrimination — We will not discriminate against you for exercising your rights
  • Right to Correct — Request correction of inaccurate information
  • Right to Limit Use of Sensitive Personal Information — Your genomic and health data is classified as sensitive; we use it solely for the purposes you authorize

Categories of Personal Information Collected

| Category | Collected | Sold | Purpose |
|---|---|---|---|
| Identifiers (wallet address, email) | Yes | No | Authentication |
| Health information | Yes (user-initiated) | No | Health Vault display |
| Genetic information | Yes (user-initiated) | No | Genomic analysis |
| Internet activity | Minimal | No | Service functionality |
| Geolocation | No | No | N/A |

To exercise your rights, contact [email protected] or use the in-app data management tools.

HIPAA (US Health)

GenoBank.io receives Protected Health Information (PHI) through the FHIR Patient Access API under the HIPAA Right of Access (45 CFR 164.524). Key points:

  • When you authorize your hospital to share records with GenoBank.io, the data is transmitted under your individual right of access
  • GenoBank.io implements administrative, technical, and physical safeguards consistent with HIPAA Security Rule requirements
  • We maintain access logs and audit trails for all PHI access
  • PHI is encrypted in transit (TLS 1.3) and at rest (AES-256)
  • We do not use or disclose PHI for marketing, fundraising, or underwriting purposes

21st Century Cures Act (Federal)

GenoBank.io Health Vault is designed in accordance with:

  • 21st Century Cures Act (2016) — Mandates patient access to electronic health information without special effort
  • ONC Patient Access Final Rule (CMS-9115-F) — Requires health plans and providers to share data via FHIR APIs
  • Information Blocking Rule — Prohibits practices that interfere with patient access to their health data
  • USCDI v3 — United States Core Data for Interoperability standard for health data exchange
  • SMART on FHIR — OAuth 2.0 authorization framework for healthcare applications

Genomic Data Privacy

Genomic data requires special protection due to its uniquely identifying and hereditary nature:

  • Privacy-preserving Bloom filters — We use probabilistic data structures for access control, not zero-knowledge proofs (which are technically impossible for probabilistic genomic data)
  • No federated learning — We reject approaches that degrade data quality or erase patient attribution. Your complete, authentic data is used with integrity
  • Full attribution — Every use of your data is tracked and credited to you
  • Revocable consent — Unlike permanent blockchain transactions, your consent is revocable at any time through our BioPIL (Programmable IP License) system

GINA Protections

The Genetic Information Nondiscrimination Act (GINA) of 2008 protects individuals from discrimination based on genetic information:

  • Title I — Prohibits health insurers from using genetic information in coverage or premium decisions
  • Title II — Prohibits employers from using genetic information in employment decisions

GenoBank.io does not share your genetic data with insurers, employers, or any entity that could use it for discriminatory purposes. Your genomic data is accessible only by parties you explicitly authorize.

Cookies & Tracking

We use minimal cookies necessary for service operation:

  • Authentication cookies — Session management across GenoBank subdomains (HttpOnly, Secure, SameSite=Lax)
  • Preference cookies — Profile selection, language, display settings

We do not use: advertising cookies, cross-site tracking pixels, social media trackers, or behavioral analytics beyond aggregate page views.

Children's Privacy

GenoBank.io does not knowingly collect personal information from individuals under 18 years of age. The Services are intended for adults who can provide their own informed consent. If you believe a minor has provided data to us, contact [email protected] and we will promptly delete it.

For newborn genomic screening services (where applicable), data is managed under the parent or legal guardian's wallet and consent.

Policy Changes

We may update this policy to reflect changes in our practices, technology, or legal requirements. We will:

  • Update the "Last updated" date at the top of this page
  • Notify registered users via email for material changes
  • Provide a 30-day notice period before significant changes take effect

Continued use of the Services after the effective date constitutes acceptance of the updated policy.

Contact Us

Privacy & Data Rights

[email protected]

Data Protection Officer

[email protected]

Legal / Terms

[email protected]

General Support

[email protected]