BloomDNA powered by BIOGenetics Laboratory — Comprehensive Privacy Policy
Effective Date: May 27, 2025
BloomDNA powered by BIOGenetics Laboratory (“BIOGenetics,” “we,” “us,” or “our”) is committed to protecting the privacy and security of all information entrusted to us. This Privacy Policy (“Policy”) explains how we collect, use, disclose, and safeguard Protected Health Information (“PHI”), Personal Information (“PI”), and Genetic Information in accordance with:
- The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and applicable state medical-privacy laws;
- U.S. consumer-privacy statutes (e.g., CCPA/CPRA, CPA, VCDPA, etc.);
- The Genetic Information Nondiscrimination Act of 2008 (“GINA”); and
- Applicable international regulations (e.g., GDPR, UK GDPR, Swiss FDPA).
1. Scope & Key Definitions
Term | Definition |
--- | --- |
PHI | Individually identifiable health information (including genetic data) regulated by HIPAA. |
PI | Information that identifies, relates to, describes, or could reasonably be linked to a particular consumer or household. |
Genetic Information | Laboratory-derived data about DNA sequences, gene variants, or other inherited characteristics. |
Sensitive Information | Health data, Genetic Information, race/ethnicity, precise geolocation, and other data defined as “sensitive” under relevant law. |
User Content | Data, text, images, audio, video, or other materials you voluntarily submit (e.g., forum posts, messages, testimonials). |
Inferences | Assumptions or conclusions derived from other PI (e.g., likely health risks or product interests). |
Automated Decision-Making | Processing that produces legal or similarly significant effects solely by automated means. BIOGenetics does not engage in fully automated decision-making without human review. |
2. Our Legal Duties
We are required by law to:
- Maintain the confidentiality, integrity, and availability of your PHI/PI;
- Provide this Policy and abide by its terms;
- Obtain your written authorization for uses and disclosures not listed here;
- Notify you of any breach of unsecured PHI/PI.
3. Information We Collect & How
Category | Examples | Sources |
--- | --- | --- |
Registration Info | Name, contact details, payment data, account credentials | You / your provider |
Genetic Info | DNA sequences, variants, lab reports | Generated by us from your sample |
Health & Self-Reported Info | Medications, lifestyle, family history | Surveys, forms, connected apps |
User Content & Social Media | Forum posts, chat transcripts, social-media interactions | Voluntarily provided |
Referrals & Contacts | Email/phone of persons you refer or with whom you share data | You |
Web-Behavior Info | IP address, device IDs, cookies, pixel data, geolocation | Automated collection |
Inferences/Derived Data | Predictive traits, segment membership, ad preferences | Internal analytics & AI tools (with consent) |
No Sale of DNA or Individual-Level Data: We do not sell, lease, or rent PHI, Genetic Information, or individual-level PI to third parties for money. We also do not share Genetic Information with employers, insurers, or public databases.
Use & Disclosure: We may de-identify PHI and use or disclose such de-identified data for research, product development, and commercial purposes.
OWNERSHIP OF SAMPLES & GENETIC INFORMATION; WAIVER OF PROPERTY RIGHTS
You hereby grant BIO a worldwide, perpetual, irrevocable, sublicensable, royalty-free license to use, store, de-identify, analyze, and create derivative works from your biological samples and Genetic Information, including for research, product development, and commercial applications. You waive any right to compensation or ownership in products, services, or discoveries developed from such use.
4. How We Use Information
- Treatment & Laboratory Services – performing tests, consulting with clinicians, preparing reports.
- Payment & Insurance – billing, claims, collections, prior authorizations.
- Operations & Quality – accreditation, auditing, analytics, customer support, staff training.
- Research & Development – de-identified or aggregate data studies; individual-level data used only with your explicit research consent.
- Marketing & Personalization – providing product updates, promotions, and interest-based content. Device-level data may be shared with ad networks; you can opt out (see § 9).
- AI-Enhanced Features – If you opt in to our AI tools, de-identified data may be processed to generate insights; identifiable Genetic Information is never used without your specific consent.
- Security & Fraud Prevention – detecting, investigating, and preventing malicious or illegal activity.
5. Disclosures We May Make
Recipient | Purpose | Safeguards |
--- | --- | --- |
Healthcare Providers | Coordination of care | HIPAA-compliant channels |
Health Plans | Payment & audits | HIPAA BAAs |
Accreditation Bodies | CLIA, CAP inspections | Minimum necessary data |
Service Providers | Cloud hosting, payment, analytics, customer support, targeted advertising | Written contracts; no secondary use; limited PI |
Research Partners | Scientific studies | De-identified unless you consent |
Law Enforcement | Valid subpoena, warrant, or court order | Rigorous legal review (Certificates of Confidentiality where applicable) |
Business Transfers | Mergers, acquisitions | Policy continues to bind successor |
We never disclose Genetic Information or other Sensitive Information to insurers or employers, nor do we contribute to public DNA databases without your explicit, prior consent.
6. Your Privacy Rights & Choices
Right | Scope | How to Exercise |
--- | --- | --- |
Access & Portability | Obtain copy of PHI/PI; download raw genetic data | Submit request via portal/email; verification required |
Correction | Amend inaccurate or incomplete records | Contact Privacy Officer |
Deletion | Delete account & data (subject to CLIA/GxP retention) | Account settings or written request |
Restriction / Objection | Limit certain processing (e.g., marketing, analytics) | Preference center; DNT/Global Privacy Control respected |
Opt-Out of Targeted Ads & Cross-Context Sharing | Device-level identifiers used for interest-based ads | Cookie banner, AdChoices links |
Opt-In / Opt-Out of Research & AI | Participation in research studies or AI features | Consent forms; dashboard toggles |
No Automated Decisions | Request human review of any significant automated outcome | Privacy Officer |
State/Region-Specific Rights | CA, CO, CT, FL, IN, IA, MT, OR, TN, TX, UT, VA, WA; GDPR rights | See Appendix A |
7. Security Measures
- Encryption – TLS for data in transit; AES-256 at rest.
- Access Controls – Least privilege, MFA, role-based permissions.
- Network Security – IDS/IPS, vulnerability scanning, third-party penetration testing.
- Independent Certifications – ISO/IEC 27001, SOC 2 (Type II) data-center partners.
- Incident Response – 24/7 monitoring, containment, notification within legal timeframes.
8. Data Retention
- Clinical Records – Retained for at least 7 years (or longer per state law & CLIA).
- Account Data – Retained while account is active; deleted within 30 days of confirmed deletion request, except:
  - research data already included in completed studies;
  - limited logs retained for legal, audit, or fraud-prevention purposes.
9. Cookies, Tracking, & Targeted Advertising
We and our service providers use first- and third-party cookies, pixels, SDKs, and similar technologies to:
- authenticate sessions and remember preferences;
- measure site usage and improve performance;
- deliver interest-based ads on our sites and elsewhere.
You can manage cookies via browser settings, opt out via the cookie banner, Global Privacy Control, or industry opt-out pages (DAA/NAI). Disabling cookies may impair some site features.
10. Children’s Privacy
Our Services are not directed to children under 13. A parent or legal guardian may create an account for a minor patient only with appropriate consent.
11. International Transfers
We store data primarily in the United States. For transfers from the EEA/UK/Switzerland we rely on Data Privacy Framework certification and Standard Contractual Clauses.
12. Changes to This Policy
We may revise this Policy periodically. Material changes will take effect 30 days after posting unless you indicate otherwise. The “Last Revised” date at the top signifies the most recent update.
13. Contact Us
Privacy Officer
John Rigakos
BIOGenetics Laboratory
805 Executive Center Dr. W, Suite 300
St Petersburg, FL 33702
☎ (727) 440-0090 | ✉ Privacy@BloomDNA.com
You may also file a complaint with the U.S. Department of Health & Human Services, Office for Civil Rights. We will not retaliate against you for exercising your rights.
Appendix A. State & Regional Privacy Rights Snapshot (Effective 2025)
Jurisdiction | Key Rights |
--- | --- |
California (CCPA/CPRA) | Access, correction, deletion, portability, opt-out of sale/share, limit use of sensitive PI |
Colorado (CPA) | Access, correction, deletion, portability, opt-out of sale & targeted ads |
Virginia (VCDPA) | Access, correction, deletion, portability, opt-out of sale & targeted ads |
Others (CT, FL, IN, IA, MT, OR, TN, TX, UT, WA) | Similar rights; see website for full table |
EEA/UK/Switzerland (GDPR) | Access, rectification, erasure, portability, restriction, objection, human review |
© 2025 BIOGenetics Laboratory. All rights reserved.