Privacy Policy
This Policy explains what personal data TuringDNA ("TuringDNA", "we", "us") collects through turingdna.com and the directed-evolution engine (the "Service"), why we collect it, who we share it with, and what choices you have. Plain language, no surprises.
Who we are
TuringDNA, Tbilisi, Georgia, is the controller of personal data processed through the Service. Contact: info@turingdna.com.
EU/UK Article 27 representative. Once we have a meaningful number of EU or UK users, we will appoint a representative under Article 27 GDPR / UK GDPR and update this Policy.
Data Protection Officer. A DPO is not required under GDPR Article 37 based on our current processing (we do not engage in large-scale processing of special-category data or large-scale systematic monitoring). If our processing changes, we will appoint a DPO and update this Policy.
Scope
This Policy applies to anyone who visits turingdna.com, uses the engine, places a synthesis order, or contacts us. It does not apply to third-party websites or services we link to (synthesis vendors' own portals, NCBI BLAST, AlphaFold-DB, etc.), which have their own policies.
What we collect
We collect only what we need to run the Service.
You give us directly
- Account data: email address, password (stored hashed using bcrypt), optional display name, optional organization, optional country, and whether you've opted in to product-update emails.
- Order data (when the Marketplace launches): billing name and address, shipping name and address, order contents, communications about an order.
- Support data: anything you include when you contact us.
Collected automatically
- Usage data: pages viewed, features used, timestamps, referring URL, approximate device/browser info.
- Technical data: IP address, user-agent, device identifiers, cookies (see Cookies below).
- Engine telemetry: non-content metrics about runs (e.g., model selected, run duration, success/error counts). This does not include the sequences themselves.
Submitted to the engine
- Protein and DNA sequences ("Sequences"). We treat these as your confidential research material. They are processed to produce engine outputs and, if you place a synthesis order, transmitted to the vendor you select. We do not use Sequences to train, fine-tune, or improve any machine-learning model, and we do not share Sequences with anyone other than the vendor you select for an order, except as required by Sharing below.
- When Sequences become personal data. A protein or DNA sequence generally is not personal data because it describes a molecule, not an identified or identifiable individual. However, if a Sequence is derived from a specific individual's genome or otherwise allows that individual to be identified (directly or by combination with other data we hold), the Sequence is personal data and may be special-category data under Article 9 GDPR (data concerning health / genetic data). Do not submit Sequences traceable to an identifiable individual unless you have a lawful basis (e.g., explicit consent under Article 9(2)(a) GDPR or equivalent under U.S. state law) and you have notified us at the time of submission. We have no obligation to identify on our own which Sequences may qualify.
From third parties
- Payment confirmations (when the Marketplace launches) from our payment processor. We do not store full card numbers.
- Vendor confirmations (Twist, IDT, GenScript) about order status and shipping.
We do not knowingly collect personal data of anyone under 18. If you believe a minor has provided us personal data, contact us at info@turingdna.com and we will delete it.
Why we use it (purposes and legal bases)
| Purpose | Data used | GDPR legal basis |
|---|---|---|
| Provide the Service (run engine, deliver results) | Account, usage, Sequences | Contract (Art. 6(1)(b)) |
| Process synthesis orders (when live) | Account, order, payment, Sequences (to selected vendor) | Contract (Art. 6(1)(b)) |
| Secure the Service, prevent abuse, enforce Terms | Account, technical, usage | Legitimate interest (Art. 6(1)(f)) |
| Comply with legal/biosecurity obligations | As needed | Legal obligation (Art. 6(1)(c)); public interest (Art. 6(1)(e)) |
| Service emails (order updates, security notices) | Account, order | Contract |
| Product analytics, error monitoring | Usage, technical (minimized) | Legitimate interest |
| Marketing emails | Account | Consent (Art. 6(1)(a)); opt-out anytime |
We do not use personal data for automated decision-making with legal or similarly significant effects (Article 22 GDPR).
Sharing
We share personal data only as follows:
- Sub-processors / service providers, under contract and only as needed (see Sub-processor list below).
- Synthesis vendors (when the Marketplace launches) — when you place an order, we transmit the necessary Sequences and shipping/contact details to the vendor you selected to manufacture and ship your order.
- Biosecurity authorities and vendors — where required by law, by our Vendor agreements, or where we reasonably believe disclosure is needed to prevent imminent harm, we may share order details (including the requesting account and the Sequence) with biosecurity authorities, our Vendors, or law enforcement. See Biosecurity Policy.
- Legal and safety — to comply with law, valid legal process, or to protect rights, property, or safety.
- Corporate transactions — in a merger, acquisition, financing, or asset sale, with notice to you.
We do not sell personal information and we do not "share" personal information for cross-context behavioral advertising as those terms are used under California law (CCPA/CPRA) or comparable U.S. state laws.
International transfers
We process personal data in the United States and other countries where our sub-processors operate. If you are in the EU, UK, Switzerland, or another country with data-transfer restrictions, we rely on:
- EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) for transfers from the EEA.
- UK International Data Transfer Addendum (or the UK IDTA where used independently) for transfers from the UK.
- Swiss FDPIC-recognized SCCs for transfers from Switzerland.
- EU-U.S. Data Privacy Framework when and where a sub-processor is certified.
- Supplementary measures (encryption in transit and at rest, access controls, transfer-impact assessments).
You may request a copy of the relevant transfer mechanisms by emailing info@turingdna.com.
Retention
We keep personal data only as long as needed:
- Account data: while your account is active, plus up to 24 months after closure for legal, tax, and audit purposes.
- Order and payment records: at least 7 years to meet tax and accounting obligations.
- Sequences: kept in your account workspace while you choose; deleted on request, or 90 days after your last access, whichever is sooner. Sequences transmitted to a vendor for an order are retained per that vendor's policy.
- Logs and security records: typically 12 months; security-incident records may be kept longer where needed to investigate or comply with law.
- Analytics: typically 12 months, then aggregated/anonymized.
- Support correspondence: 36 months after the matter is resolved.
After the retention period we delete, anonymize, or aggregate the data.
Security
We use administrative, technical, and physical safeguards designed to protect personal data, including:
- Encryption in transit: TLS 1.2+ for all connections to the Service.
- Encryption at rest: AES-256 (or equivalent) for stored Sequences, account data, and database backups.
- Access controls: role-based access, least privilege, multi-factor authentication for administrative access.
- Environment segregation: production, staging, and development environments are isolated.
- Secret management: credentials and keys held in a dedicated secrets manager, never in source code.
- Dependency and vulnerability monitoring: automated scanning of third-party libraries.
- Backups: routine encrypted backups with tested restore procedures.
No system is perfectly secure. If we learn of a personal-data breach, we will notify affected users and regulators as required by law (within 72 hours of awareness under Article 33 GDPR; on the timelines required by U.S. state breach-notification laws).
Cookies and similar technologies
We use a small number of cookies and similar technologies:
| Category | Purpose | Can disable? |
|---|---|---|
| Strictly necessary | Authentication, session security, load balancing | No |
| Functional | Remember preferences (UI theme, host organism) | Yes |
| Analytics | Aggregate product usage (privacy-friendly, no advertising cookies) | Yes (consent required in EU/UK) |
We do not use cookies for cross-site advertising or targeting. EU/UK visitors will see a consent banner for non-essential cookies; you can change your choices at any time via the cookie preferences link in the footer.
Your rights
Depending on where you live, you may have rights to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Delete your data (subject to legal retention requirements).
- Restrict or object to processing (e.g., for marketing or legitimate-interest processing).
- Portability — receive your data in a structured, machine-readable format.
- Withdraw consent at any time where processing is based on consent.
- Opt out of marketing emails (use the unsubscribe link in any marketing message).
EU / UK / Switzerland rights
You may exercise the rights above and also lodge a complaint with your local data-protection authority (e.g., the ICO in the UK, your national DPA in the EU, the FDPIC in Switzerland).
California (CCPA/CPRA) rights
If you are a California resident, you have rights to know, access, delete, correct, and limit use of sensitive personal information, and a right to non-discrimination for exercising your rights. We do not sell or share personal information for cross-context behavioral advertising. To exercise these rights, email info@turingdna.com. You may use an authorized agent (we will verify the agent's authority). You may also lodge a complaint with the California Privacy Protection Agency or the California Attorney General.
Other U.S. states
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MTCDPA), and other states with comparable laws may have similar rights (access, correction, deletion, portability, opt-out of targeted advertising / sale / certain profiling). Submit requests via info@turingdna.com and we will route them appropriately. You may also lodge a complaint with your state Attorney General.
How to exercise rights
Email info@turingdna.com with your request. We will verify your identity (typically by confirming control of the account email) and respond within the timeframes required by law — generally 45 days under CCPA/CPRA and U.S. state laws (extendable once by 45 days with notice), and 30 days under GDPR/UK GDPR (extendable by 60 days for complex requests).
Children
The Service is intended for users 18 and older. We do not knowingly collect personal data from anyone under 18, and our Terms prohibit users under 18. Consistent with the U.S. Children's Online Privacy Protection Act (COPPA), we do not knowingly collect personal data from anyone under 13. If you believe we have collected data from someone under 18, contact info@turingdna.com and we will delete it.
Sub-processor list
A current list of our sub-processors is published below and kept up to date. EU/UK customers will receive prior notice of new sub-processors as required by Article 28 GDPR, with at least 30 days to object before the new sub-processor is engaged.
| Sub-processor | Purpose | Location |
|---|---|---|
| Hugging Face | Hosting and compute for the engine (Spaces, ZeroGPU) | United States |
| Hostinger | Static-site hosting for marketing pages | European Union |
| Supabase | Account database, authentication (email + password), password reset, and Storage for generated variant libraries | European Union (Ireland) |
| Resend | Transactional email delivery (verification, password reset, account notifications) | United States |
| Twist Bioscience | DNA synthesis (when you order from Twist) | United States |
| Integrated DNA Technologies (IDT) | DNA synthesis (when you order from IDT) | United States |
| GenScript | DNA synthesis (when you order from GenScript) | United States / China |
Additional sub-processors (analytics, payment processing, customer support) will be added when those services are introduced; we will update this list at the same time.
Changes to this Policy
We may update this Policy. If changes are material, we will notify you (email or in-app notice) at least 30 days before they take effect. The "Updated" date above reflects the most recent revision. Material prior versions are kept available on request.
Contact
TuringDNA
Tbilisi, Georgia
info@turingdna.com