Privacy policy
1. Introduction and Scope
Welcome to Ancestral Legacy (“we”, “our”, “us”)). This Privacy Policy outlines how we collect, use, manage, and protect the information of individuals (“customer”, “client”, “you”) who engage with our services. By using our services, you agree to the terms outlined in this Privacy Policy.
Ancestral Legacy (“we”, “our”, “us”) provides a DNA analysis service to its customers. As part of our operations, we collect and process various types of information, including sensitive genetic data, to provide services tailored to your specifications. These services may involve analysing data provided by you or obtained from third-party providers, as well as utilising the information to improve and develop our offerings.
This Privacy Policy covers all aspects of how we handle your information in connection with our services. It applies to data collected directly from you, data you have authorised us to access, and data obtained via third-party sources, including, but not limited to, genetic information, health insights, and genealogy data. Our data practices are designed to support our internal operations and the delivery of high-quality reports, and we may leverage your data to further our business objectives and enhance our services.
We reserve the right to modify, update, or remove portions of this Privacy Policy at any time without prior notice. Any changes to this policy will be effective upon posting, and continued use of our services constitutes acceptance of these terms.
We may, at our discretion, notify you of significant changes through email, our website, or other channels. However, it is your responsibility to review these Terms periodically to stay informed of any updates. Your continued use of our services following any modifications constitutes your acceptance of the revised Terms and your agreement to abide by them.
2. Types of Data Collected
Personal Data
We collect information that personally identifies you when you interact with our services. This may include, but is not limited to, your name, email address, mailing address, IP address, contact details, and other identifiers necessary for the completion and delivery of your reports. We reserve the right to collect, retain, and use this data in accordance with our business needs and operational requirements. By using our services, you acknowledge that we may collect, store, and process any personal information you provide for the purposes of service fulfilment and improvement.
Genetic Data
Our service requires the processing of genetic data, which includes the raw data from your DNA sample as well as any derived data or analysis results. This data will be collected from the DNA sample you provide us when you return your free DNA collection kit, or submit from a third-party service you have previously “tested” at. By consenting to our services, you agree to allow us to store, analyse, and retain your genetic data as we determine necessary for report generation, research, and internal operational purposes. Any requests for modification or deletion of your genetic data may be considered at our sole discretion, based on our technical and business requirements.
Health and Lifestyle Data
Depending on the package or service tier purchased, we may collect optional health and lifestyle information, including but not limited to, general lifestyle choices, self-reported health data, and other details related to your genetic analysis. This information, where provided, is collected voluntarily for research and report refinement purposes. We retain full discretion over how this data is processed, analysed, and integrated into your report. You acknowledge that providing this data does not entitle you to any specific analysis or interpretation of results beyond the scope of the purchased service tier.
Usage Data
To enhance our services and for internal analytical purposes, we collect information on your interactions with our website, services, and any associated platforms. This may include, but is not limited to, your IP address, browser type, usage patterns, and device identifiers. By using our website and services, you consent to our unrestricted use of this data for internal analytics, troubleshooting, and service optimisation. We reserve the right to retain and process usage data as needed for operational, legal, or business purposes.
Retention and Limitations
All data collected is subject to retention in accordance with our internal policies and as necessary to comply with applicable laws or for operational requirements. We reserve the right to limit, restrict, or deny requests related to data access, correction, deletion, or modification at our sole discretion and without obligation. By using our services, you agree to these terms and acknowledge that any requests for data handling may be reviewed on a case-by-case basis, subject to our determination of feasibility and appropriateness.
3. Methods of Data Collection
We, Ancestral Legacy, collect and process customer data to provide our DNA analysis services as defined within our Terms and this Privacy Policy. All data collected by us is handled in a manner consistent with our operational requirements, and we reserve the right to modify, adapt, or expand our data collection practices as we see fit.
Our methods of data collection include, but are not limited to:
Direct Data Submission by the Customer
We may collect data directly provided by the customer through various channels, including online forms, emails, account submissions, and any files uploaded to our website or sent via email. By submitting information or files to us, you consent to our handling, storing, and processing of this data for purposes related to fulfilling your purchase.
DNA Collection Kits
If a customer lacks existing DNA data and opts to receive a free DNA collection kit alongside their report, we provide a third-party kit from MyHeritage. We reserve the right to change our third-party supplier at any time without prior notice to the customer. Such kits are provided solely as a courtesy to facilitate the DNA analysis process, and any such samples, upon receipt, are processed according to the third party’s terms and conditions, over which we have no control. We are not responsible for any delays, loss, errors, or issues related to third-party kit processing. We are not liable for any actions or policies of these third-party service providers, including data handling, processing accuracy, or privacy protections. Data collected via this method will be utilised, stored, and processed solely at our discretion and as needed for the services purchased.
Data From Third-Party Platforms
In order to enhance the accuracy and comprehensiveness of our analysis, we may also collect data by transferring it from third-party platforms, such as GEDmatch. This includes the transfer of genetic data necessary for running diagnostics, relative matching, or other purposes relevant to the services we provide. By using our service, you consent to our transfer of your data to these platforms, over which we hold no responsibility for any third-party policies, data breaches, or unforeseen issues.
Data collection methods are subject to change at our sole discretion, and we reserve the right to implement additional data collection mechanisms or alter existing methods to meet our evolving operational needs. At no point are we obligated to notify customers of modifications in our data collection methods, and it remains the customer's responsibility to ensure their understanding of how data may be collected and utilised within the scope of our services.
4. Purpose of Data Usage
We collect and process various types of personal and genetic data to provide the services outlined in our Terms of Service, improve our business operations, and enhance customer experiences. By using our services, you acknowledge and agree to the following purposes for which we collect your data:
Generation of DNA Reports: We collect your genetic data to generate personalised DNA analysis reports based on the service package(s)/tier(s) you purchase.
Sharing Genetic Relatives a DNA diagnostics: We may use your genetic data to identify potential genetic relatives or run diagnostics on your data through the use of third-party services such as GEDmatch. We may share this information with you, subject to our discretion and the terms of service of GEDmatch or other third parties, but we cannot be held responsible for any actions taken by these third parties or for any data shared through them.
Improvement of Services: We may use the data you provide, including genetic and personal data, for purposes of improving our services, including but not limited to analysis of customer trends, enhancing product offerings, and refining customer support. This usage may also extend to internal business purposes, and we reserve the right to use your data for any other purpose deemed necessary to improve our services and business operations.
Marketing and Communications: Your data may be used to contact you for marketing purposes, to notify you of changes to our services, or for other business communications. This communication may occur at our discretion, and we are not obligated to limit its frequency or nature. By agreeing to this policy, you consent to receive such communications from us, with no obligation for us to cease or restrict such contact unless legally required.
We reserve the right to modify or change the usage of your data as necessary, without prior notice, and at our sole discretion. You acknowledge that by continuing to use our services, you consent to the potential use of your data for any purposes we deem appropriate, subject to applicable laws.
5. Data Sharing and Disclosure
We may, at our sole discretion, share or disclose your data, including genetic information, with third parties for purposes including but not limited to service delivery, operational needs, and legal compliance. By using our services, you consent to such data sharing in accordance with this policy.
Third-Party Services:
Your genetic data may be shared with external service providers, including but not limited to MyHeritage, for the purpose of DNA sequencing, and GEDmatch, for genetic matching and diagnostic purposes. These third parties are not obligated to follow the same privacy standards as we do, and we make no guarantees regarding their practices or compliance with your privacy preferences. You acknowledge that any data shared with these third parties is subject to their respective terms of service and privacy policies, which we strongly recommend you review.
Research and Development:
We may, at our discretion, use anonymised or de-identified data for, but not limited to, research, analysis, and the development of new services or enhancements to existing services. This use of data may include, but is not limited to, improving our algorithms, expanding service offerings, and furthering our own scientific research. By agreeing to this policy, you agree that we reserve the right to use data in this manner without providing further notice or consent from you, as long as the data is anonymised.
Legal Obligations:
We reserve the right to disclose your data, including personal and genetic information, when required to do so by law, regulation, or legal process (such as a subpoena, court order, or government request), though we will typically only disclose your data if it is an absolute necessity. We are under no obligation to inform you of such disclosures, though at our sole discretion, we typically choose to do so.
6. Data Security Measures
Ancestral Legacy takes reasonable precautions to protect the security of your data. However, despite our efforts, we cannot guarantee absolute security due to the inherent risks associated with the transmission and storage of data, especially when it involves third-party services. By using our services, you acknowledge and accept these risks.
We employ data encryption during transmission (via secure protocols such as HTTPS) and while data is at rest in our systems. We also restrict access to sensitive data strictly to authorised personnel who have a legitimate business need, but we cannot fully ensure that unauthorised parties will not gain access under certain unforeseen circumstances. While we strive to implement appropriate safeguards, we are not liable for any breaches or unauthorised access, regardless of the reason.
In terms of third-party services, we utilise platforms such as GEDmatch and MyHeritage for DNA sequencing, analysis, and related services. These platforms may implement their own security measures, but we are not responsible for their practices or the security of your data once it is transmitted to them. You are encouraged to review their privacy and security policies, but we make no guarantees about the security standards they maintain. We are not liable for any data breaches, loss, or theft that may occur within third-party platforms.
We reserve the right to modify, discontinue, or suspend any security measures at our sole discretion, at any time, without prior notice, as we see fit for our operational or business needs. You agree that we are not liable for any consequences resulting from the suspension, alteration, or modification of our security protocols.
By providing your data to us, you acknowledge that you accept all potential risks associated with the collection, storage, and transmission of your data, and you agree not to hold Ancestral Legacy responsible for any loss, theft, or misuse of your information, under any circumstances.
7. Data Rights
You have the right to access your genetic data and analysis report at any time. To do this, please contact us via email, and we will process your request where our legitimate interests apply, within a time frame we deem appropriate, on a case-by-case basis, at our sole discretion. You may also request deletion of your data from either our systems, from GEDmatch, or from MyHeritage. To do this, please contact us, and we will process your request where our legitimate interests apply, within a time frame we deem appropriate, on a case-by-case basis, at our sole discretion.
You may revoke your consent to our handling or sharing of your genetic data at any time by sending us an email; however, this may limit the services we can provide, and we will process your request where our legitimate interests apply, within a time frame we deem appropriate, on a case-by-case basis, at our sole discretion.
GDPR-Specific Rights
We are committed to protecting your rights under the GDPR, and the following rights apply specifically to EU and EEA residents.
Right to Access and Data Portability
You may request access to the personal data we hold, as well as a copy in a format of our choice for portability purposes, subject to our internal review. We will evaluate requests for data access and portability based on practical feasibility and, where appropriate, provide data as available within our systems.
Right to Rectification
If any of your data appears inaccurate, you may ask for corrections. We will review such requests to determine feasibility and appropriateness, and changes will be made at our discretion in line with internal practices. Timelines for corrections may vary based on data availability.
Right to Restrict Processing
You may request that we limit processing of your data under certain conditions. While we will review requests on a case-by-case basis, some limitations may apply, and restriction may not always be possible or practical. Restricting processing may affect the services we can offer, and certain processing activities may continue as we determine necessary at our sole discretion.
Right to Object
You may object to data processing in cases where our legitimate interests apply. Objections will be reviewed individually, and processing may continue if deemed necessary for our business purposes or other justifications.
Right to Withdraw Consent
Where data processing relies on consent, you may withdraw it at any time. Withdrawal may impact the services we are able to provide, and we may retain data where necessary for operational or legal reasons. Requests to withdraw consent will be addressed as circumstances allow.
Right to Erasure (“Right to Be Forgotten”)
You may request that we delete your personal data. We will review requests individually and, where feasible, delete data from our systems and coordinate removal from relevant third parties, with deletion subject to technical and operational limitations. Complete deletion timelines and confirmation may vary.
Right to Lodge a Complaint
If you believe that your data protection rights have not been adequately respected, you may contact your local data protection authority to lodge a complaint. However, we encourage direct communication with us first, as we prioritise constructive resolution whenever possible.
The above rights may be subject to limitations, and response timelines are determined based on internal procedures, data availability, and other relevant factors. We retain the right to prioritise requests or deny them where legally permissible, and not all requests may result in immediate action.
8. Data Retention
We securely store our copy of your genetic data on a physical encrypted hard drive, as well as on MyHeritage and GEDmatch's servers. We do not accept any liability for breaches of data, either in our storage, or those of third-party services, such as MyHeritage or GEDmatch. The third parties in question do meet high data protection standards, so such an event is very unlikely. We store your data for 1 calendar year after you receive your report, in case you wish to upgrade to a higher tier service, or in case we have potential updates to your results to inform you of. After this 1 years period passes, we delete your data from our systems as well as requesting its removal on your behalf from those of MyHeritage and GEDmatch, within an additional 365 calendar days period. We do not accept any liability in the very unlikely circumstance that MyHeritage or GEDmatch do not remove your data from their servers upon our request on your behalf.
9. Data Transfer
Your data, including personal and genetic information, may be stored, processed, and transferred to facilities and third-party service providers located outside your country of residence, including but not limited to the United States and the European Economic Area (EEA). Such transfers are necessary to facilitate the services you purchase and to meet our operational requirements.
We may transfer data to countries or regions that may not provide the same level of data protection as your home country. By using our services, you consent to these international transfers and agree that we may use any legal, contractual, or operational mechanisms we deem appropriate, at our sole discretion, to protect your data during such transfers. This may include implementing measures as deemed necessary under applicable laws, although we retain discretion over what methods, if any, are utilised. Any data transfer protections we use are subject to revision or discontinuation without prior notice.
All data transfers and processing by our company and our authorised third-party partners, including but not limited to MyHeritage and GEDmatch, are conducted with our overarching goal of ensuring efficient service delivery. We do not warrant or guarantee uninterrupted or error-free data access, transfer, or processing by these third-party partners, nor do we accept any liability for data breach incidents or unauthorised access that may occur in transit, storage, or processing.
To provide our services, we may store or back up your data on servers located outside of your country of residence, without obligation to notify you of each instance or country involved. Your data may also be stored or retained in locations selected by our third-party service providers at their discretion, for which we accept no liability. Any claims arising from differences in local data protection laws are waived to the fullest extent permitted by applicable law.
We may, but are not required to, take reasonable steps to ensure that third-party partners comply with applicable data transfer regulations. However, we make no representations or guarantees regarding third-party compliance with international data protection requirements, and we disclaim all responsibility for the actions or omissions of third-party providers with whom we may share your data.
Any requests regarding the deletion or transfer of your data will be addressed according to our internal policies and at our sole discretion. We may, but are not obligated to, facilitate such requests within international jurisdictions. Any associated timelines or limitations in executing such requests are established by us as we see fit and may be subject to extension based on technical or operational factors.
By agreeing to our Privacy Policy, you acknowledge and accept that data transfers may result in risks related to different data privacy regulations or standards, including but not limited to the risk of unauthorised access by foreign governments. We accept no liability for any potential risks, including but not limited to identity theft, data breach, or unauthorised third-party access arising from cross-border data transfers or third-party data storage. Any legal recourse you may pursue for privacy concerns related to such data transfers is limited to the extent permissible by applicable law.
10. Minors’ Data
Our services are strictly intended for individuals meeting the minimum age requirement of 13, as per applicable laws and regulations. For users aged 13-17, explicit parental or legal guardian consent is mandated before any use of our services. This consent process includes providing a fully completed parental consent form as part of the purchase process, which is non-negotiable and is required for continued access to our services.
Upon receiving a minor’s parental consent form, we will retain the details of this consent solely for our internal documentation, using this information only as required to fulfil legal obligations related to the minor’s data. We are not responsible for confirming the accuracy of information provided by the parent or guardian. It is the sole responsibility of the minor’s parent or guardian to provide accurate information in the consent form, and we retain full discretion to cancel, suspend, or terminate any accounts associated with minors under 13 years of age.
We reserve the right to request additional verification of age or parental consent at any time, and we retain the sole discretion to determine the adequacy of this verification. Furthermore, we do not assume any responsibility for any interactions between minors and our services, should the verification requirements be violated.
By using our services, you, as a minor's parent or guardian, assume full responsibility for overseeing the minor's compliance with these terms. We do not assume liability for any inaccuracies or errors arising from the parental consent process, and we retain absolute authority to adjust or terminate access to our services should any discrepancies or breaches occur.
All decisions regarding the collection, processing, and verification of minors' data will be carried out as deemed appropriate by our company at its sole discretion.
11. Modification to the Privacy Policy
We reserve the right, at our sole and absolute discretion, to modify, alter, update, or remove portions of this Privacy Policy at any time, with or without prior notice to you. Such modifications may encompass, but are not limited to, adjustments to our data collection, usage, storage, sharing, retention practices, and any other aspects relevant to the handling of data. These changes are implemented based on evolving business requirements, operational needs, and legal compliance, as determined solely by Ancestral Legacy.
In the event of any modification, we may, at our discretion, notify you through one or more channels, including but not limited to email, our website, or other methods. However, it remains your sole responsibility to periodically review this Privacy Policy to stay informed of any updates or changes. Continued use of our services after any such modifications are made shall constitute your acceptance of the revised Privacy Policy and your agreement to be bound by its terms.
Ancestral Legacy assumes no liability or responsibility for informing you of any such changes beyond what is expressly stated herein. Any modifications to this Privacy Policy are final and non-negotiable, and Ancestral Legacy shall bear no obligation to accommodate requests for exemptions, modifications, or other adjustments following any update. This Policy may be modified without recourse to prior agreements, statements, or policies, and we reserve the right to prioritise business needs over individual user preferences at all times.