Data Protection Policy

Key Definitions

  1. Aggregate Information: Data combined from multiple users, analyzed as a whole, making individual identification impossible.
  2. De-identified Information: Data stripped of Registration Information (e.g., name, contact details) and other identifiers, rendering you unidentifiable (also known as pseudonymized information).
  3. Individual-level Information: Data about a single individual’s epigenetics, genotypes, diseases, or other traits, not necessarily linked to Registration Information.
  4. Personal Information: Information that can identify you alone or in combination with other data. Epix AI collects and stores the following types of Personal Information:
    • Registration Information: Details provided during registration or when purchasing Services (e.g., name, email, address, user ID, password, payment information).
    • Epigenetic Information: Data on your methylation biomarkers from blood samples processed by Epix AI or its contractors.
    • Self-Reported Information: Data you provide through questionnaires, Services, or third parties, including health conditions, personal traits, ethnicity, family history, and survey responses.
    • Sensitive Information: Data on health, Epigenetic Information, and certain Self-Reported Information, such as racial and ethnic origins, which require heightened protection.
    • User Content: Content you create, post, or upload via our Services, such as data, text, music, photos, videos, and messages.
    • Inferences and Derived Data: Information derived from other Personal Information sources, including assumptions, conclusions, and proprietary algorithms developed by Epix AI.
    • Web-Behavior Information: Data on your Service usage collected through log files, cookies, web beacons, and similar technologies (e.g., device identifiers, IP address, browser type, page views).
    • Social Media Features and Widgets: Features like Facebook’s “Like” or “Share” buttons that may collect your IP address and page visits. These may share information with third-party social media services based on your privacy settings. Interactions are governed by the third party’s privacy policies.
    • Third-Party Services: Data collected when using third-party sites (e.g., Facebook, LinkedIn) for communication within our Services, such as profile pictures, networks, and usernames, depending on your privacy settings.
    • Customer Service: Information collected during customer support interactions to track and respond to inquiries, investigate breaches, and improve Services.
    • Information Related to Epigenetic Testing Services: Data on your methylation biomarkers generated during analysis or through your contributions.

Use of Cookies and Similar Technologies

We and our third-party service providers use cookies, web beacons, and similar technologies to:

  1. Recognize you when you use our Services.
  2. Customize and enhance your experience.
  3. Provide security and prevent fraud.
  4. Analyze Service usage and performance.
  5. Gather demographic information.
  6. Deliver Services and features.
  7. Monitor marketing program success.
  8. Serve targeted advertising on our site and third-party sites.

You may reject cookies through your browser settings, but this may limit access to certain Service features. We may receive reports based on these technologies as De-identified, Individual-level, or Aggregate Information.

How We Use Your Information

Epix AI uses and shares your Personal Information in the following ways, adhering to principles of data minimization and purpose limitation:

To Provide and Improve Our Services

We use your information to:

  1. Open and manage your account, process payments, communicate, and fulfill requests (e.g., referrals).
  2. Enhance website and mobile app functionality, including authentication, personalized content, and usage tracking.
  3. Contact you about your account, Service updates, or relevant information.
  4. Enforce our Terms of Service and agreements.
  5. Monitor, detect, investigate, and prevent illegal activities, spam, and security risks.
  6. Conduct research and development, including data analysis, quality control, and algorithm development to improve our Services.

To Process and Deliver Epigenetic Age Testing Results

To receive biological age reports, you must create an account, register your kit, and submit a blood sample for analysis by our contracted laboratory. We analyze your Epigenetic Information to generate reports, which may include future updates based on scientific advancements. These reports are not intended for medical diagnosis or treatment. Results are accessible via your secure account.

To Facilitate Research Participation

If you opt in to research notifications, we will inform you of third-party research opportunities. We will not share Individual-level Epigenetic Information or Self-Reported Information without your explicit, informed consent. Research data is de-identified or aggregated to protect your identity.

To Conduct Partnered Research

Epix AI collaborates with third parties (e.g., non-profits, academic institutions) for health-related studies. These studies use Aggregate and/or De-identified Individual-level Epigenetic and Self-Reported Information as outlined in Consent Documents. We ensure robust anonymization processes to prevent re-identification.

To Develop Proprietary Algorithms

Epix AI may use De-identified or Aggregate Information to develop proprietary algorithms for improving Services or conducting research. These algorithms are the intellectual property of Epix AI and will not be used to re-identify individuals.

To Provide Customer Support

We use Personal Information to resolve issues, answer questions, and investigate problems. In some cases, processing one customer’s information is necessary to resolve another’s issue, but only to the extent required.

To Conduct Surveys and Obtain Testimonials

We may send surveys, polls, or testimonial requests to improve Services. Participation is optional, and you can manage these communications via Account Settings.

To Provide Marketing Communications

By creating an account, you consent to receive product and promotional emails or notifications. You can unsubscribe via email links or Account Settings. Non-promotional messages regarding your account (e.g., service updates) are mandatory.

Third-Party Information Sharing

We engage third-party service providers for:

  • Order Fulfillment: Payment processors handle billing and credit card information for purchases.
  • Shipping: Distribution centers manage kit shipping and returns for sample processing.
  • Clinical Examinations: Partners connect you with specialists based on identified health risks, with your consent.
  • Data Processing: Secure cloud providers and analytics firms process data on our behalf under strict data protection agreements.

We ensure third parties comply with applicable data protection laws and use your information only for specified purposes. We do not sell your Personal Information to third parties.

Cross-Border Data Transfers

Your data may be stored and processed in the EU or other jurisdictions with differing data protection laws. We implement safeguards, such as Standard Contractual Clauses (SCCs) and Data Processing Agreements (DPAs), to ensure compliance with GDPR and other regulations for cross-border transfers.

Data Breach Notification

In the event of a data breach that may compromise your Personal Information, we will notify you and relevant authorities within 72 hours, as required by GDPR and other applicable laws. Notifications will include details of the breach, potential impacts, and steps to mitigate risks.

Account Access and Management

Access your Epix AI data via your secure account. Additional identity verification may be required for lost access. You may update or correct your Personal Information through Account Settings.

Sharing Outside of Epix AI Services

You may share Personal Information with others, including third-party services like social networks. Once shared, Epix AI is not responsible for how third parties use your data. Protect the privacy of individuals within multi-profile accounts.

Account Deletion

To delete your Epix AI account and data, submit a request via Account Settings and confirm via email. Deletion is irreversible and occurs within 30 days, except for data retained for legal or research purposes (e.g., data in completed studies or required by law). We will confirm completion of the deletion process.

Data Retention

We retain Personal Information only for as long as necessary to fulfill the purposes outlined in this Policy or as required by law. For example:

  • Registration Information is retained while your account is active.
  • Epigenetic Information is retained for service delivery and research (if consented) but deleted upon account deletion, except for anonymized data in completed studies.
  • Legal retention periods may apply (e.g., tax or health regulations).

Security Measures

Epix AI implements robust technical and organizational measures to protect your Personal Information, including:

  • Encryption of data in transit and at rest.
  • Regular security audits and vulnerability assessments.
  • Access controls to limit data access to authorized personnel.
  • Anonymization techniques for research data to prevent re-identification.

Despite these measures, no system is completely secure. We cannot guarantee absolute security but strive to maintain industry-standard protections.

Your Responsibilities

You are responsible for safeguarding your authentication details (e.g., username, password). Epix AI is not liable for data you release or request us to release to third parties.

Children’s Privacy

Epix AI Services are not intended for individuals under 18. Parents or guardians may create accounts and submit samples for their children, provided they obtain verifiable parental consent and assume responsibility for data security and accuracy.

Linked Websites

Epix AI links to third-party websites not governed by this Policy. Review the privacy statements of linked sites before sharing Personal Information.

Direct Marketing

We require explicit consent for electronic marketing communications, as per GDPR and other regulations. You may withdraw consent at any time via Account Settings or unsubscribe links. Marketing may also occur based on legitimate interests, where permitted.

Changes to This Policy

We may update this Policy to reflect changes in our Services, data practices, or legal requirements. Significant changes will be communicated via email or account notifications, and your continued use of Services constitutes acceptance. For material changes affecting Sensitive Information, we will seek your explicit consent.

Last Updated: August 7th 2025