Privacy Policy

Last updated: 2026-05-30

Effective: 2026-05-30

Quick summary

Your genome is never stored. Varia holds only your name, email, and whether you have purchased, never your DNA or your results. The scanner runs in your browser. Your DNA file is read locally and never uploaded to our servers. Your scan results are stored only in your browser unless you generate a PDF. We collect your email address when you unlock, create an optional account, or subscribe to The Variant newsletter, and we store a minimal server-side metadata anchor (email, last scan date, last scan database version, and purchase status) so we can recognize you when you return. We collect payment information when you purchase an unlock (handled by Stripe). We do not sell, share, or trade your information. You have specific rights depending on which state or country you live in, all documented below.

What this policy covers

This policy describes how Kairos Studios LLC ("Varia," "we," "us," or "our"), operator of variagenome.com, handles personal information of users who visit our website, use the Varia genome analysis service, generate or purchase PDF reports, subscribe to The Variant newsletter, or otherwise interact with us. It covers all surfaces of the Varia service, including the dashboard, PDF generation, the Early Adopter program, and customer support.

How Varia processes your genome data

This is the most important section of this policy, so it appears first.

Your raw genome file never leaves your computer. When you upload a raw DNA file (a VCF, a 23andMe or AncestryDNA export, or a similar consumer genome file), the Varia scanner runs entirely in your browser. The file is read locally on your device, matched against the Varia variant database (which is loaded into your browser as part of the application), and interpreted. At no point is the raw genome file transmitted to Varia's servers, to any third-party service, or to any other destination outside your computer. You can verify this in your browser's developer tools: open the Network tab before uploading your file, then upload it, and you will see that no genome data appears in any outbound request.

Your scan results stay on your device by default. The interpretation Varia produces (which variants you have, what they're associated with according to the literature, the curated explanations) is rendered into your browser session as you view your dashboard. By default, these results are not transmitted off your device. They exist in your browser's memory.

Your scan results are not stored server-side. Varia does not keep your scan results on our servers. If you want a portable artifact of your current results, generate a PDF. You can always perform a new scan, which is free, and the result will reflect the current state of the Varia database.

Generating a PDF transmits your scan results to our PDF generator. When you choose to generate a PDF (the Varia Genomic Brief), Varia transmits the interpreted scan results to a Cloudflare Worker, which forwards them to our PDF generation service (hosted on Render). The PDF is generated, returned to your browser, and the scan results are not retained server-side after PDF generation completes. We have verified by code audit that the Cloudflare Worker holds the scan results in memory only for the duration of the forward step; the Render PDF generator processes them in memory only with logging disabled; our analytics events fire only aggregate counts (number of findings, number of pages) and never scan content; and our error monitoring tool (Sentry) is configured to disable session replay and to scrub PDF-endpoint network breadcrumbs to method and status code only. The raw genome file is, as always, never transmitted at any point in this flow.

What we collect

Email address. We collect your email address only when you choose to provide it. Specifically: when you unlock the Varia Genomic Brief (the email is used both for delivery and for Early Adopter tagging if you unlock during the launch period), and when you subscribe to The Variant newsletter. Email is never required to run a free scan or to view the existence-only scan preview within your current browser session.

Scan metadata anchor. When you provide your email address to Varia (when you generate a PDF, subscribe to The Variant newsletter, or otherwise interact with us), we store a small record on our servers consisting of your email address, the timestamp of your most recent scan, and the version of the Varia database used at the time of that scan. This metadata anchor exists so we can recognize you when you return to Varia, preserve your Early Adopter status if you joined during the launch period, ensure continuity of access to features tied to your email, and tell you what has changed in the Varia database since your last scan. The scan metadata anchor does not include your scan results, your genotypes, your variants, or any other genomic content. Even if you lose access to your local browser data, the metadata anchor on our servers allows us to recognize you when you return; to restore your actual scan results after losing browser data, you can re-scan, which is free and runs in seconds.

Payment information. When you purchase a PDF, payment is processed by Stripe. We do not see or store your payment card details. Stripe handles all payment data under its own privacy policy and PCI-DSS compliance posture. We receive a customer record from Stripe containing your email address and a customer metadata flag for Early Adopter status. We do not receive or retain your card number, CVV, or other payment-card information.

Service usage telemetry. We use TelemetryDeck, a privacy-focused analytics provider, to understand how users interact with the Varia service. TelemetryDeck does not use cookies, does not assign persistent user identifiers, and does not collect personally identifying information. The events we record are limited to a defined allowlist published in our codebase under VARIA_CONVENTIONS.md § Observability. Examples include scan completion events, dashboard navigation events, and PDF generation events. No genome data, scan results, or personal identifiers are included in these events.

Error reports. We use Sentry to capture application errors so we can debug and fix them. Sentry session replay is explicitly disabled in our configuration, which means no recording of your browser activity is captured. Error reports include the error message, the application state at the time of the error, and the browser environment information (browser type, version). Sensitive content in error context is scrubbed before transmission.

Newsletter preferences. If you subscribe to The Variant newsletter, we collect your email address and your subscription status. Beehiiv hosts the newsletter and handles delivery, open tracking, and unsubscribe processing. You can unsubscribe at any time using the link in any newsletter issue.

Information we explicitly do not collect. We do not collect, transmit, or retain your raw genome data. We do not store your scan results (variants, genotypes, or interpretive content) on our servers; scan results stay on your device. We retain only the minimal metadata anchor described above to recognize returning users and preserve features tied to your email. We do not collect your demographic information (age, race, ethnicity, gender, ancestry). We do not collect your medical history, your physician's information, or your insurance information. We do not collect your location beyond what is incidentally visible in network metadata (IP address) during normal HTTPS connections, which is used only for security and rate-limiting purposes and not retained beyond operational windows. We do not collect browsing history outside the Varia service. We do not fingerprint your browser for tracking.

Your Varia account

Creating an account is optional. If you create one, we store only: your email address, your first name, whether you have purchased an unlock (a yes/no record), and basic, non-genetic scan metadata (the date of your most recent scan and which version of our database it ran against). We use this to confirm your purchase, restore your dashboard access on a new device, personalize your experience, and, if you opt in, send The Variant.

We never store your DNA or your results. Your genome file is read and analyzed entirely in your browser and is never transmitted to or stored by us. Your variant findings and interpretations are generated on your device and are not retained on our servers. An account changes none of this.

Your rights. You may access the information in your account, correct it, or delete your account at any time from your account page. Deleting your account permanently removes your email, name, purchase record, and scan metadata from our systems; because we never stored your genome or results, there is nothing further to delete.

How we protect access. We do not use passwords. We verify it is you by sending a one-time code to your email before showing your account or restoring access.

Who processes this data on our behalf. Payment processing: Stripe. Account and metadata storage: Cloudflare. Email and one-time codes: Resend. Newsletter (The Variant), if you opt in: beehiiv. We do not sell or share your personal information, and we never share any health or genetic information with anyone.

How we use what we collect

We use the information we collect strictly for the following purposes:

To provide the Varia service to you, including generating PDFs you purchase, sending The Variant newsletter if you subscribe, and processing your payments.

To recognize you when you return to Varia and preserve features tied to your email (Early Adopter status, database-update notifications).

To operate the service (rate limiting, abuse prevention, error monitoring, performance optimization, security).

To honor your Early Adopter status if you generated a PDF during the launch period and provided your email at that time.

To communicate with you about support requests, service updates, and material changes to this policy.

To comply with applicable legal obligations.

We do not use your information for cross-context behavioral advertising. We do not profile you for marketing purposes beyond the limited scope of The Variant newsletter (which contains only content you opted into receiving). We do not train machine learning models on your information.

How we share what we collect

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. We do not trade, rent, or otherwise commercialize your information.

We share information only with service providers who help us operate Varia, only to the extent necessary for them to perform their function, and only under contractual obligations that prohibit them from using your information for any other purpose. The third-party service providers we use are:

Cloudflare hosts our website, provides our content delivery network, runs our serverless Workers for payment verification and PDF generation routing, and hosts our KV storage for rate limiting and the scan metadata anchor described above. Cloudflare may log connection metadata (IP address, request URL, timestamp) for security and operational purposes per its own privacy policy.

Stripe processes payments for PDF purchases. Stripe receives your email address and your payment card details, which Stripe handles directly. Stripe stores customer metadata for Early Adopter tagging.

Render hosts the PDF generation service. Render receives interpreted scan results transiently during PDF generation and does not retain them after generation completes.

TelemetryDeck receives cookieless, identifier-free usage analytics events on a defined allowlist. TelemetryDeck does not receive any personal information.

Sentry receives application error reports with session replay explicitly disabled. Sentry does not receive your genome data, scan results, email, or other personal information beyond what is necessary to debug application errors.

Beehiiv hosts and delivers The Variant newsletter. Beehiiv receives your email address and subscription preferences if you choose to subscribe.

We may disclose your information if required to do so by law, valid legal process, or to protect the rights, property, or safety of Varia, our users, or others. If we are compelled to disclose your information by legal process, we will notify you to the extent permitted by law.

Cookies and tracking

Varia uses a minimal set of cookies for essential service functions. Stripe Checkout uses cookies during the payment session. No cookies are used for cross-site tracking. No cookies are used for advertising. TelemetryDeck is cookieless. We do not use Google Analytics, Facebook Pixel, or similar tracking technologies.

Data retention

Scan results: stored only in the active browser session on your device. Varia retains no scan results on our servers. If you switch browsers, switch devices, or clear your browser data, you can perform a new scan, which is free.

Scan metadata anchor: retained as long as you maintain an active relationship with Varia. If you have not scanned, purchased, or interacted with Varia for 24 months, we delete the metadata anchor. You can request immediate deletion at any time at privacy@variagenome.com.

Email addresses: retained for as long as you maintain an active interaction with Varia (generated PDFs, newsletter subscription). You can request deletion of your email at any time. Early Adopter status flags are retained as long as the associated email is retained.

Payment records: retained by Stripe according to Stripe's own retention policies, which are typically governed by financial recordkeeping obligations (generally 7 years for tax purposes).

Telemetry and error reports: retained for up to 90 days for operational purposes.

Newsletter subscription records: retained as long as you remain subscribed. Unsubscribed records are retained for 30 days to honor your unsubscribe request and then deleted, except for the minimum metadata required to prevent re-subscription without your consent (your email and the fact that you unsubscribed).

Security

We use industry-standard security measures to protect your information. All connections to Varia use HTTPS with TLS 1.2 or higher. Stored data is encrypted at rest. Access to production systems is restricted and logged. We do not store your raw genome data or your scan results, which is the most consequential security posture: the data we don't have, we can't lose.

No system is perfectly secure. If we become aware of a security incident affecting your information, we will notify affected users in accordance with applicable law.

Your federal rights

Genetic Information Nondiscrimination Act (GINA). GINA is a federal law that prohibits discrimination based on genetic information in health insurance (Title I) and employment (Title II). GINA does not currently extend to life insurance, disability insurance, or long-term care insurance. Varia does not share your genetic information, scan results, or any other information with any insurer, employer, or related entity, in any context, for any purpose. We are aware of GINA and we operate consistent with its protections.

Children's Online Privacy Protection Act (COPPA). Varia is not intended for users under 13 years of age, and we do not knowingly collect personal information from children under 13. Varia is not intended for users under 18 in any capacity. If you believe we have collected information from a child under 13 in error, contact us at privacy@variagenome.com and we will delete it.

Your state-specific rights

This section addresses the rights of users who reside in states with comprehensive consumer privacy laws or specific genetic privacy laws. State law is evolving rapidly, and we update this section as new laws take effect.

California (CCPA / CPRA / CalGINA). California residents have the right to know what personal information we collect, to access and receive a copy of that information, to correct inaccurate information, to delete that information, to opt out of any sale or sharing of personal information (we do not sell or share), and to limit the use of Sensitive Personal Information (SPI). Genetic information is classified as SPI under CPRA. Because Varia processes your genetic data only on your device and only to provide the service you have requested, our use of SPI is already limited to the necessary purpose. California residents also benefit from CalGINA, which extends GINA's protections to additional contexts within California.

Virginia (VCDPA). Virginia residents have rights to access, correct, delete, and obtain a portable copy of their personal data, and to opt out of processing for targeted advertising or sale. Genetic data is classified as sensitive data under VCDPA, and processing requires opt-in consent, which you provide by uploading your genome file and using the service.

Colorado (CPA). Colorado residents have rights of access, correction, deletion, portability, and opt-out (targeted advertising, sale, profiling with legal effects). Genetic data is classified as sensitive data, requiring affirmative consent.

Connecticut (CTDPA). Connecticut residents have rights consistent with VCDPA and CPA, including specific protections for sensitive data such as genetic information.

Utah (UCPA + Utah Genetic Information Privacy Act). Utah residents have rights of access, deletion, and opt-out under UCPA. The Utah Genetic Information Privacy Act (2021) imposes additional informed consent requirements on direct-to-consumer genetic testing companies. Varia operates with explicit informed consent at the point of upload and through this privacy policy. You can delete your email at any time.

Texas (TDPSA). Texas residents have rights consistent with the VCDPA/CPA/CTDPA framework, including sensitive data protections.

Florida (FDBR + HB 833 + §760.40). Florida residents have rights under the Florida Digital Bill of Rights consistent with other state privacy laws. Florida HB 833 (2020) and Florida Statutes §760.40 prohibit the use of genetic information in life insurance, long-term care insurance, and disability income insurance underwriting decisions in Florida. Varia does not share your information with insurers in any capacity.

Massachusetts (MGL c.111 §70G). Massachusetts requires informed consent for genetic testing. While Varia is not "testing" your genes (we interpret data you provide from testing already performed), we operate as if §70G applies, and your consent is captured at upload and through acceptance of this policy and the Varia Terms of Service.

Other states with genetic privacy laws. Alaska (AS 18.13), Arizona (ARS §12-2801), Vermont, New Jersey, and other states have specific genetic information privacy statutes. Varia's general posture honors the principles of these statutes: informed consent at point of upload, no disclosure to third parties beyond named service providers operating under contractual restrictions, individual ownership of genetic information, and deletion rights on request.

To exercise any of these rights, contact us at privacy@variagenome.com. We will respond within the timeframe required by applicable law (typically 30 to 45 days). We may need to verify your identity before processing certain requests.

International users

Varia is operated from the United States. At present, the Varia service is intended for users in the United States only. Users in the European Union, the United Kingdom, and other jurisdictions with stringent data export requirements are not the intended audience for this V1 release.

If you are in the EU or UK and are using Varia, please be aware that your data is processed in the United States, and you are responsible for understanding the implications under your local law. We expect to expand to additional jurisdictions in future versions with appropriate compliance posture for each.

How to exercise your rights

For any privacy-related request (access, correction, deletion, portability, opt-out, complaint, or general question), contact privacy@variagenome.com. Identify yourself with the email address associated with your Varia usage, and describe the request. We will respond as soon as practicable, and in any event within the timeframe required by applicable law.

If you have a complaint we have not resolved to your satisfaction, you may also contact your state attorney general's office. Residents of states with dedicated privacy enforcement bodies (such as the California Privacy Protection Agency) may also contact those agencies directly.

Changes to this policy

We may update this policy from time to time to reflect changes in our practices or in applicable law. Material changes will be communicated through The Variant newsletter (if you are subscribed) and through a notice on the Varia website. The "Last updated" date at the top of this policy reflects the most recent revision.

Contact

For privacy-related inquiries: privacy@variagenome.com

For general support: support@variagenome.com

For postal correspondence: Kairos Studios LLC, [Massachusetts address to be confirmed], Amherst, MA 01002