Privacy notice
Status (v0.1.3 ACTIVE, 2026-05-06): This notice is published for transparency during pre-MVP operations. The formal effective version (v1.0) follows within 30 days of post-MVP go-live, after Vadim's corporate-controller signoff per LSC Art 233-234. The disclosures made here are authoritative; pending items (DPO contact details, NIF / Registro Mercantil) are flagged inline as TBD.
§1 — Data we collect
§1.1 Data collected directly (Art 13)
When you interact with the genetichistory.es website, Genetic History SLU (the “Controller”) collects the following categories of personal data:
A. Contact-form submissions (Art 13(1)(a)+(c)+(e); Art 13(2)(a))
- Identification data: full name, business email address, company name, professional role
- Contact data: phone number (optional), preferred response language
- Free-text content: your inquiry, technical questions, partnership proposals
- Technical metadata: submission timestamp, IP address (logged for security + abuse prevention per Art 32 TOMs), user-agent string
B. Account-related data (if applicable for B2B partner integrations post-MVP)
- Account credentials (email + password hash; never plaintext per AEPD-ISMS-APEP NIVEL 4 cryptography)
- Integration metadata: API keys (hashed), endpoint configuration, sub-processor chain disclosure
C. Technical + analytics data (Art 13(1)(c) + LSSI-CE Art 22)
- Strictly-necessary cookies: session identifier, CSRF token, language preference (exempt from consent under the LSSI-CE Art 22(2) strictly-necessary exemption, with Art 6(1)(f) legitimate interest as the basis for the associated processing; see Article 29 Working Party Opinion 9/2014, the EDPB's predecessor body)
- Functional cookies (default-OFF; opt-in via cookie-preferences center per AEPD May 2024 active-opt-in mandate + Caixabank A-2 €6M+€2M precedent + EDPB Guidelines 5/2020 specific consent + Art 7(4) bundled-consent prohibition): UI-preference cookie, accessibility-setting cookie
- Analytics cookies (default-OFF; opt-in per AEPD May 2024 active-consent + Caixabank A-2 €6M+€2M precedent): aggregated traffic patterns, page-flow analytics — Wave 1 minimal scope
- Marketing/advertising cookies: NONE in Wave 1 architecture; future deployment requires explicit DPIA + consent-banner re-design
§1.2 Data NOT collected directly (Art 14 — third-party sources)
If Genetic History SLU contacts you as a B2B prospect via outreach communication (email, telephone, business-event follow-up), and your contact data was obtained from a source OTHER than this website’s contact form, this notice constitutes the Art 14(1)+(2) disclosure required at first communication per Art 14(3)(b):
- Source categories (Art 14(2)(f)): public business registries, professional networking platforms (LinkedIn / Sales Navigator under a business-grade subscription where applicable; not used in Wave 1), industry-conference attendee lists where you publicly registered, partner-referral introductions where the referring party confirmed your interest, publicly available B2B marketplace listings (e.g., genomics-platform partner directories)
- Categories of personal data processed (Art 14(1)(d)): full name, business email, company affiliation, professional role
- Lawful basis (Art 14(1)(c)): Art 6(1)(f) legitimate interests (B2B prospect outreach to genomics-platform decision-makers), supported by a Legitimate Interests Assessment (LIA) on file per the ICO three-part test (purpose / necessity / balancing) and CJEU C-621/22 KNLTB (a commercial interest can qualify, subject to the necessity and balancing limbs)
- Right to object (Art 14(2)(c) + Art 21): you may object at any time without justification per Art 21(2); we will cease all direct-marketing processing immediately upon receipt of objection
- Source-specificity (per AEPD Marina Salud PS/00475/2021 €500K precedent — substantive-depth required, vague “publicly available sources” inadequate): on request via the channels in §7, we will identify the specific source-category from which your contact data was obtained for any individual outreach communication
§1.3 Recipients + sub-processors (Art 13(1)(e) + Art 28)
Internal recipients: Genetic History SLU corporate personnel acting on documented Controller instructions (currently: Vadim, sole corporate administrator per LSC Art 233-234).
Sub-processors disclosed per Art 28(3) + Marina Salud €500K substantive-disclosure precedent:
| Sub-processor | Role | Jurisdiction | DPA basis |
|---|---|---|---|
| Scaleway SAS | Cloud infrastructure hosting | EU (France; DC2 Vitry-sur-Seine, Val-de-Marne, Paris metropolitan area) | Art 28(3) DPA executed; Module 2 SCC not applicable (no third-country transfer) |
| Resend (Resend.com Inc.) | Transactional + outreach email dispatch | EU email-routing region eu-west-1 (Ireland; account metadata + logs in US per Resend public docs) | Art 28(3) DPA executed (effective 2025-12-31; 8 of 8 clauses verified 2026-04-30); Module 2 SCC for US metadata transfer per DPF/Schrems III standing-monitoring |
| No other third-country sub-processors in Wave 1 | Apart from the Resend account-metadata transfer disclosed above, every Wave 1 sub-processor processes within the EU (Wave 2+ jurisdiction expansion may introduce further SCC-required transfers per Art 44-49) | n/a | n/a |
YFull (haplogroup-tree data provider) is an upstream data-source partner under a separate controller-to-controller arrangement; YFull does NOT process your B2B prospect data and is not a sub-processor for the purposes of this notice.
§1.4 Retention (Art 13(2)(a))
| Data category | Retention period | Legal basis |
|---|---|---|
| Contact-form submissions | 24 months from last interaction (renewable on continued business relationship) | Art 6(1)(f) legitimate-interest in commercial-relationship continuity; Art 5(1)(e) storage-limitation discipline |
| Account credentials (B2B partners) | Duration of partnership + 6 years post-termination per Spain commercial-record legal-obligation | Art 6(1)(c) legal obligation (Código de Comercio Art 30) |
| Technical logs (security/abuse) | 12 months from collection | Art 6(1)(f) legitimate-interest in network security |
| Analytics data | 26 months from collection, after which only aggregated, anonymized statistics are kept (anonymized data falls outside GDPR per Recital 26) | Art 6(1)(a) consent + Art 5(1)(e) |
| Email-marketing opt-in records | Duration of subscription + 3 years post-objection (proof-of-prior-consent retention per AEPD enforcement guidance) | Art 7(1) demonstrability discipline |
Note on Ley 14/2007 Art 50-52 5-year-MINIMUM genetic-data retention: this provision does NOT apply to data collected via this website. Genetic-data processing (haplogroup labels) occurs exclusively server-side via the Genetic History API under separate controller-to-controller agreements with B2B client platforms (24Genetics, MyHeritage, etc.), with Ley 14/2007 retention discipline applied at the API processing layer per EU-only ephemeral-abstracted architecture.
§2 — Legal basis (Art 6(1) per-flow framework)
Pursuant to Art 6 GDPR, Art 9 GDPR (where applicable) and LOPDGDD Arts 6-9, Genetic History SLU processes your personal data on the following lawful bases, applied per-flow:
| Processing flow | Lawful basis | Specific legitimate interest pursued (Art 13(1)(d) explicit) | Cite |
|---|---|---|---|
| Contact-form submission processing | Art 6(1)(b) contract / pre-contractual measures (your inquiry constitutes a request to engage in B2B partnership discussion) | n/a (Art 6(1)(b) basis; not 6(1)(f)) | GDPR Art 6(1)(b) |
| B2B account creation + integration management | Art 6(1)(b) contract performance + Art 6(1)(f) legitimate-interest in service provision | Service-provision continuity + integration-management for B2B partner relationships | GDPR Art 6(1)(b)+(f) + Art 13(1)(d) |
| Strictly-necessary cookies | Art 6(1)(f) legitimate-interest + LSSI-CE Art 22 strictly-necessary exemption | Maintenance of session-state + CSRF protection + service availability | LSSI-CE Art 22 + EDPB Opinion 9/2014 + Art 13(1)(d) |
| Functional + analytics cookies | Art 6(1)(a) consent (active opt-in via cookie-preferences center per AEPD May 2024 + Caixabank A-2 €6M+€2M precedent) | n/a (Art 6(1)(a) basis; not 6(1)(f)) | GDPR Art 6(1)(a) + LSSI-CE Art 22 |
| B2B prospect outreach (data not collected directly) | Art 6(1)(f) legitimate-interest (B2B prospect outreach) + LIA on file per ICO 3-prong test | B2B prospect outreach to genomics-platform decision-makers (24Genetics, MyHeritage, LivingDNA, etc.) for partnership discussion + market-research | GDPR Art 6(1)(f) + Recital 47 + KNLTB C-621/22 + Art 13(1)(d) + Art 14(2)(b) |
| Security + fraud prevention | Art 6(1)(f) legitimate-interest in network + service integrity | Detection + mitigation of fraudulent submissions, brute-force credential attacks, abuse of contact-form, automated scraping; security log-retention for incident-response | GDPR Art 6(1)(f) + Art 32 + Art 13(1)(d) |
| Legal-obligation compliance (record-keeping, regulatory inquiries) | Art 6(1)(c) legal obligation (Spain commercial-record + AEPD investigation-cooperation) | n/a (Art 6(1)(c) basis; not 6(1)(f)) | GDPR Art 6(1)(c) + Código de Comercio Art 30 + LECrim Art 588 sept (warrant-only LEA cooperation) |
Discipline notes:
- We do NOT invoke Art 6(1)(f) legitimate-interest as a basis for processing Art 9 special-category data; Art 9(2)(a) explicit consent is the sole pathway for any Art 9 processing per KNLTB C-621/22 + EDPB Guidelines 1/2024.
- Where Art 6(1)(f) is invoked, a documented LIA is on file per ICO 3-prong test (purpose / necessity / balancing) and is available to data subjects on request via §7 channels. The specific legitimate interest pursued is enumerated in the 3rd column above per Art 13(1)(d) explicit-disclosure discipline.
§2.bis — Statutory or contractual requirement (Art 13(2)(e))
Pursuant to Art 13(2)(e) GDPR, we explicitly disclose whether the provision of personal data is a statutory or contractual requirement, and the consequences of failure to provide such data:
| Data category | Mandatory or voluntary? | Source of obligation | Consequences of refusal to provide |
|---|---|---|---|
| Contact-form submissions (name, email, company, role, inquiry text) | Voluntary (you choose whether to submit) | Neither statutory nor contractual — provided at your initiative for the purpose of engaging in B2B partnership discussion | If you do not submit the form, we cannot respond to your inquiry. No other consequence. You retain all rights to access, browse, and use publicly available content on genetichistory.es without submitting any form. |
| B2B account credentials (email + password) post-MVP | Contractual for B2B partners who execute partnership agreement | Bilateral B2B partnership agreement between Genetic History SLU and the partner | If you decline to provide account credentials, we cannot establish the B2B partner integration. Partnership terms remain available for re-execution at any time. |
| Identity-verification data (Field 2 of /en/legal/dsar-request/ form, Tier 3 only) | Conditional (required only for HIGH-risk DSAR requests) | Art 12(2) GDPR identity-verification, applied proportionately | If you decline to provide HIGH-risk-tier verification, we may be unable to process the HIGH-risk DSAR request per Art 12(6) GDPR (controller may decline to act when unable to identify the data subject); we will explain in writing within 1 month per Art 12(4) GDPR. LOW-risk and MED-risk DSAR requests do NOT require this verification. |
| Email confirmation for DSAR processing (Tier 1 baseline) | Mandatory for DSAR processing | Art 12(2) GDPR identity-verification baseline | If you do not respond to the email-verification request within 30 days, we will close the DSAR ticket without processing per Art 12(6) GDPR (cannot identify data subject). You may re-submit the DSAR at any time. |
| Cookie consent (analytics + functional opt-in) | Voluntary | Art 7 GDPR + LSSI-CE Art 22 | If you decline analytics + functional cookies, the website remains fully functional with strictly-necessary cookies only; no consequence to access or content. We do NOT operate a “consent-or-pay” model (see §6.3). |
Discipline note: This disclosure implements Art 13(2)(e) explicit-requirement transparency. We do not request data beyond what is necessary for the purposes disclosed in §2 above, per Art 5(1)(c) data-minimization principle.
§3 — Special-category data (Art 9 applicability determination)
§3.1 Art 9 NON-APPLICABILITY at website layer
Genetic History SLU does NOT process special-category data (Art 9 GDPR) through this website. Specifically:
- The website collects ordinary B2B contact data (name, email, company, role, inquiry text) — none of which falls within Art 9(1) categories (racial/ethnic origin, political opinions, religious-philosophical beliefs, trade-union membership, genetic data, biometric data for unique identification, health data, sex life, sexual orientation).
- Inferences derivable from voluntary content of inquiry text (e.g., a prospect mentioning their company’s research focus) are NOT treated as Art 9 data unless the prospect explicitly designates the content as such, in which case Art 9(2)(a) explicit-consent processing applies.
§3.2 Position calibration
We articulate this NON-APPLICABILITY position with explicit reference to the two professionally defensible Art 9 calibration positions:
- Position A (AEPD Restrictive — Report 0098/2022 + Yoti €950K precedent): would treat any ancestry-adjacent or health-adjacent inference broadly as Art 9 trigger. Position A is the appropriate posture for clinical-adjacency / IVDR-shadow scenarios and customer-facing literal-language scenarios. It does NOT apply at the B2B website layer because there is no inference-pathway from B2B prospect contact data to any Art 9 attribute.
- Position B (EDPB Nuanced — Opinion 11/2024 + KNLTB C-621/22 inference-pathway analysis): ancestry-only or B2B-relationship data without health-implication-inference falls OUTSIDE Art 9. Position B is the principal reading for this website’s data-processing scope.
We apply Position B for B2B prospect data collected via this website. We continue to apply Position A (AEPD Restrictive) at the API processing layer where haplogroup-label data (Art 4(13) genetic data per definition) is processed under separate controller-to-controller arrangements with client platforms — covered by the applicable Data Processing Agreement, NOT by this website notice.
§3.3 Genetic-data processing scope clarification
Should you, as a B2B prospect, also be an end-user of a genetic-ancestry product offered by one of our client platforms (e.g., 24Genetics, MyHeritage, LivingDNA), the processing of your genetic data in that product is governed by the client platform's own privacy notice and consent flow, not this notice. Genetic History SLU's role in that context (independent controller under the controller-to-controller arrangements described in §1.3 and §3.2, or processor / sub-processor where the relevant DPA so provides) is set by the applicable agreement with that platform.
§4 — Your rights (Art 15-22 GDPR + LOPDGDD Art 64-69)
You have the following rights regarding your personal data processed by Genetic History SLU:
| Right | Article | Scope |
|---|---|---|
| Right of access | Art 15 + LOPDGDD Art 13 | Receive a copy of personal data being processed (faithful reproduction per CJEU C-487/21 Österreichische Datenschutzbehörde); first copy free per CJEU C-307/22 |
| Right to rectification | Art 16 | Correct inaccurate data; complete incomplete data |
| Right to erasure (“right to be forgotten”) | Art 17 | Subject to Art 17(3) exemptions (legal obligation, public interest, legal claims); Note: data falling under Spain commercial-record legal-obligation per Código de Comercio Art 30 will be blocked rather than deleted per LOPDGDD Art 32 conflict-resolution discipline |
| Right to restriction | Art 18 | 4 grounds: accuracy contested / unlawful processing + erasure-objection / no-longer-needed-but-legal-claims / objection pending verification |
| Right to data portability | Art 20 | Receive personal data in structured, commonly used, machine-readable format (JSON/CSV) where Art 20(1) conditions met |
| Right to object | Art 21 | General objection on particular-situation grounds (Art 21(1)); absolute objection to direct marketing without justification (Art 21(2)) — explicit at first commercial communication per Art 21(4) + Recital 47 |
| Right not to be subject to automated decision-making | Art 22 | Genetic History SLU does NOT perform Art 22 ADM via this website. Per CJEU C-634/21 SCHUFA, Art 22 covers automated outputs that produce legal or similarly significant effects; the server-side ancestry-narrative API output is informational only and produces no such effect |
| Right to withdraw consent | Art 7(3) + Art 13(2)(c) | Withdraw consent at any time without affecting lawfulness of prior processing; equivalent ease as opt-in (LSSI-CE Art 22 + AEPD May 2024) |
| Right to lodge complaint | Art 13(2)(d) + LOPDGDD Art 64 | Submit complaint to Agencia Española de Protección de Datos (AEPD) at https://sedeagpd.gob.es/ (Sede Electrónica) or by post to C/ Jorge Juan, 6, 28001 Madrid, Spain |
How to exercise: see §7 channels. Response timeline: within 1 month of receipt per Art 12(3); extensible by 2 additional months for complex/numerous requests with explanation per Art 12(3) second sub-paragraph. Exercise is free of charge per Art 12(5), except for manifestly unfounded or excessive requests (Art 12(5) abuse-of-rights-fee exception, narrowly construed).
§5 — International transfers (Art 44-49)
Genetic History SLU operates a Wave 1 EU-only data architecture: personal data collected via this website is hosted and processed within the European Economic Area. The one exception, disclosed in §1.3, is the account metadata and logs that Resend holds in the US, which are covered by Module 2 SCC.
If, in future Wave 2+ jurisdiction expansion, transfers to third countries become necessary, Genetic History SLU will:
- Apply the Art 44-49 Chapter V framework: adequacy decision (Art 45) where available; Standard Contractual Clauses (Module 2 / Module 3 SCC per Commission Implementing Decision (EU) 2021/914) for processor relationships; supplementary measures per the Schrems II six-step Transfer Impact Assessment (CJEU C-311/18 + EDPB Recommendations 01/2020).
- Update this notice in advance of any such transfer, identifying the destination country, transfer mechanism, supplementary measures applied, and TIA conclusion.
- Maintain a pre-transfer risk-tiered review including external-counsel verification.
Schrems III posture: the EU-US Data Privacy Framework (DPF) is currently subject to pending CJEU validation (Latombe T-553/23). Genetic History SLU does not currently rely on the DPF and will assess any future US-destination transfer arrangement only after Schrems III resolution and external-counsel binding opinion.
§6 — Cookies + consent
§6.1 Cookie categories (per LSSI-CE Art 22 + AEPD May 2024 + EDPB Opinion 8/2024)
| Category | Default state | Toggle | Lawful basis | Cookies in use Wave 1 |
|---|---|---|---|---|
| Strictly necessary | Active | Cannot be disabled | Art 6(1)(f) + LSSI-CE Art 22 strictly-necessary exemption | Session ID (server-side session-management); CSRF token (security); language-preference cookie (functional default) |
| Functional | Default-OFF | Opt-in via cookie-preferences center | Art 6(1)(a) consent (active opt-in per AEPD May 2024 + Caixabank A-2 €6M+€2M precedent + EDPB Guidelines 5/2020 specific consent + Art 7(4) bundled-consent prohibition) | UI-preference cookie; accessibility-setting cookie |
| Analytics | Default-OFF | Opt-in via cookie-preferences center | Art 6(1)(a) consent (active opt-in per AEPD May 2024 + Caixabank A-2 €6M+€2M precedent) | First-party aggregated traffic analytics (Wave 1: minimal scope; specific provider TBD, to be confirmed at MVP deployment) |
| Marketing / advertising | NONE Wave 1 | n/a | n/a (not deployed) | None — Wave 1 architecture explicitly excludes marketing/advertising cookies |
§6.2 Consent mechanism (per Caixabank A-2 + AEPD 2024 + EDPB Opinion 8/2024)
The cookie-banner displayed on first visit to genetichistory.es presents three equally-prominent options:
- “Accept all” — opt-in to all toggleable categories
- “Reject all” — refuse all toggleable categories (equivalent visual prominence + position parity per Caixabank precedent)
- “Manage preferences” — granular per-category toggle access
You may modify your cookie preferences at any time via the cookie-preferences center (link in site footer + via this notice), with equivalent ease as opt-in per LSSI-CE Art 22 + AEPD 2024 guidance. We do NOT use pre-ticked checkboxes (per AEPD May 2024 + Caixabank A-2 active-opt-in mandate).
§6.3 Consent-or-pay posture
Genetic History SLU does NOT operate a “consent-or-pay” model. Refusal of analytics or functional cookies does not restrict access to website content per EDPB Opinion 8/2024 nuanced framework (Wave 1 architecture explicitly forecloses consent-or-pay until external-counsel binding opinion + EDPB framework finalization).
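Worked example, added here and not code from the genetichistory.es site: a consent-state model in JavaScript that enforces the §6.1 and §6.2 posture. Every toggleable category starts OFF, "Reject all" is a dated choice rather than the absence of one, withdrawal is a single call just like granting, and an analytics tag is loaded only when a valid, current choice says so. The cookie name `gh_consent`, the version field and the 180-day lifetime are assumptions for illustration.

```javascript
// Added example (not project code): consent state for the §6 cookie banner.
// Assumptions: cookie name, version field, 180-day lifetime.
const CONSENT_COOKIE = 'gh_consent';
const CONSENT_VERSION = 1;            // bump when categories or wording change: forces re-consent
const TOGGLEABLE = ['functional', 'analytics']; // the only categories a visitor can opt into (Wave 1)
// 'necessary' (session, CSRF, language) is always on; 'marketing' does not exist in Wave 1.

function defaultConsent() {
  // No pre-ticked boxes: every toggleable category starts OFF; ts === null means "no choice yet".
  return { v: CONSENT_VERSION, ts: null, functional: false, analytics: false };
}

function rejectAll(now = Date.now()) {
  // A recorded, dated refusal. Because it is a choice, the banner is not re-shown on every page view.
  return { v: CONSENT_VERSION, ts: now, functional: false, analytics: false };
}

function acceptAll(now = Date.now()) {
  return { v: CONSENT_VERSION, ts: now, functional: true, analytics: true };
}

function managePreferences(choices, now = Date.now()) {
  // Granular toggles. Only a literal `true` on a known category turns it on; unknown keys are dropped.
  const state = rejectAll(now);
  for (const cat of TOGGLEABLE) if (choices[cat] === true) state[cat] = true;
  return state;
}

function withdraw(state, category, now = Date.now()) {
  // Withdrawal is a single call, the same effort as granting (Art 7(3)).
  if (!TOGGLEABLE.includes(category)) throw new Error(`unknown category: ${category}`);
  return { ...state, [category]: false, ts: now };
}

function isAllowed(state, category) {
  if (category === 'necessary') return true;
  if (!TOGGLEABLE.includes(category)) return false;   // marketing etc.: never in Wave 1
  if (!state || state.v !== CONSENT_VERSION || typeof state.ts !== 'number') return false; // no or stale choice
  return state[category] === true;
}

function toSetCookie(state) {
  // The consent record is itself strictly necessary (it stores the choice), so it needs no consent;
  // it is still first-party, Secure and SameSite so that it cannot be planted cross-site.
  const value = encodeURIComponent(JSON.stringify(state));
  return `${CONSENT_COOKIE}=${value}; Path=/; Max-Age=${180 * 24 * 3600}; Secure; SameSite=Lax`;
}

function fromCookieHeader(cookieHeader) {
  // Parse a Cookie header such as "session=abc; gh_consent=%7B...%7D; lang=en".
  // Anything missing, malformed or from an older version degrades to "no choice" (all OFF).
  const m = new RegExp(`(?:^|;\\s*)${CONSENT_COOKIE}=([^;]*)`).exec(cookieHeader || '');
  if (!m) return null;
  try {
    const parsed = JSON.parse(decodeURIComponent(m[1]));
    if (parsed.v !== CONSENT_VERSION || typeof parsed.ts !== 'number') return null;
    return managePreferences(parsed, parsed.ts);      // re-validate: only known booleans survive
  } catch {
    return null;
  }
}

function mayLoadAnalytics(cookieHeader) {
  // The gate a server or tag loader calls before injecting an analytics script.
  return isAllowed(fromCookieHeader(cookieHeader), 'analytics');
}

if (typeof require !== 'undefined' && require.main === module) {
  const chosen = managePreferences({ functional: true, analytics: false }); // constructed sample choice
  console.log(toSetCookie(chosen));
  console.log('analytics allowed:', mayLoadAnalytics(toSetCookie(chosen).split(';')[0]));
}
```

The version field is the re-consent mechanism: bumping it when categories or wording change makes every stored choice read as "no choice", which re-shows the banner without having to clear cookies already set. The fail-closed parse matters for the same reason the default state does: a missing, corrupted or tampered cookie must never turn into an opt-in.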
§7 — DSAR + DPO contact
§7.1 Data Protection Officer designation
Pursuant to Art 37(1)(c) GDPR + LOPDGDD Art 34 sector 11 (health-adjacency for the broader Genetic History SLU genetic-data processing operation, including the Genetic History API which processes Art 4(13) genetic data server-side), Genetic History SLU has designated a Data Protection Officer.
DPO designation status (v0.1 transparency disclosure):
- Pre-MVP interim posture: External-AEPD-certified DPO engagement is in progress; Vadim, as corporate-controller per LSC Art 233-234, acts as primary data-protection-contact during the interim.
- Post-MVP target: External-DPO contact details will be published in a subsequent revision of this notice within 30 days of formal DPO engagement.
Interim contact (Art 13(1)(b) functional contact for data-protection inquiries):
- Email: privacy@genetichistory.es (TBD; published address subject to verification at MVP go-live 2026-05-05)
- Postal: TBD by Vadim per Spain registered-office address publication
§7.2 Data subject access request (DSAR) channels
To exercise any of the rights described in §4:
- Online form: /en/legal/dsar-request/ (post-MVP; 7-field structure per UX skeleton WF-102)
- Email: privacy@genetichistory.es (TBD per §7.1)
- Postal: TBD per §7.1
- Right to lodge complaint with AEPD: see §4 above
§7.3 Identity verification (Art 12(2))
For DSAR processing, Genetic History SLU may request additional verification information proportionate to the risk of the requested processing operation per Art 12(2) + EDPB Guidelines 01/2022:
- Low-risk requests (e.g., access to contact-form submission history): email-confirmation sufficient
- Higher-risk requests (e.g., erasure with downstream impact, account-credential changes): additional ID verification may be requested, with any verification documents handled under the cryptographic controls applied to account credentials (§1.1(B))
We will not impose disproportionate verification burdens; identity-verification is calibrated to processing-risk per Art 5(1)(c) data-minimization principle.
§7.4 Response timeline
- Standard: within 1 month of receipt per Art 12(3)
- Extended: up to 2 additional months for complex/numerous requests, with explanation provided within the original 1-month period
§7.5 Escalation channels
If you, as a data subject, believe that any data-protection request has not been adequately addressed via the channels above, you may escalate via:
- AEPD direct complaint (Art 13(2)(d) + LOPDGDD Art 64) at https://sedeagpd.gob.es/
- Judicial review per LJCA (Spain administrative-court framework) per LOPDGDD Art 65
§8 — Policy version + update protocol
§8.1 Version log
| Version | Date | Change summary |
|---|---|---|
| v0.1 DRAFT | 2026-04-28 | Initial authoring; pre-MVP draft pending Vadim signoff. |
| v0.1.1 ACTIVE | 2026-04-30 | Scaleway location factual correction applied (§1.3 sub-processor table: France-EU / DC2 Paris). Compliance posture materially unchanged: France ≈ Spain — both EU member states under GDPR + EDPB; Art 28(3) DPA basis identical. Spanish-language §9 ratified as authoritative per LSSI-CE Art 10. |
| v0.1.2 ACTIVE | 2026-05-01 | Email-delivery sub-processor identity disclosed: Resend (Resend.com Inc.); EU email-routing region eu-west-1 (Ireland) confirmed; Art 28(3) DPA effective 2025-12-31 with 8 of 8 clauses verified (verification record on file). Module 2 SCC + DPF/Schrems III standing-monitoring posture for US account-metadata transfer disclosed. |
| v0.1.3 ACTIVE | 2026-05-06 | Scaleway location geographic-precision applied (§1.3 sub-processor table: «DC2 Paris» → «DC2 Vitry-sur-Seine, Val-de-Marne — Paris metropolitan area»). Specific datacenter location per Business Plan §C §4.4 + §I §4 (external primary-facts audit 2026-05-06). Compliance posture materially unchanged: same France-EU jurisdiction; Art 28(3) DPA basis identical; no third-country transfer. |
| v1.0 (target post-MVP) | TBD post-MVP-go-live + 30 days | DPO contact details finalized; NIF / domicilio / Registro Mercantil published; first effective version after Wave 1 deploy; supersedes all v0.x DRAFTs. |
§8.2 Update protocol (Art 13 + LOPDGDD Art 11(2))
- Material updates (changes to data-categories collected, lawful basis, recipients, retention, or rights-mechanisms): notified at least 30 days in advance via email to data subjects with active accounts + via prominent banner on the website homepage; affected data subjects may withdraw consent or exercise Art 21 objection during the notice period
- Non-material updates (typographical corrections, contact-info refresh, translation parity): published immediately with version-log entry; no individual notification
- Annual review cadence: privacy-notice reviewed minimum annually + on each material regulatory change (e.g., AEPD enforcement guidance update, EDPB Guidelines new release, EU AI Act effective 2026-08-02 implications)
§8.3 Effective-version archive
Prior effective versions of this Privacy Notice are archived at /legal/privacy-notice/archive/ and remain accessible for reference per Art 13 transparency continuity discipline (LOPDGDD Art 11(2) interpretive-application). Each archived version retains its effective-date stamp + supersession-by-date.