Privacy Policy
Last updated: June 2026
The short version: Your DNA and genome data never leave your device. We only see your email address (to send receipts via Stripe) and your subscription status. That's it.
1. Data Controller
The data controller under GDPR is:
YambaCode AB
Stockholm, Sweden
info@yambacode.com
2. What We Collect — and What We Don't
Data we do collect (via Stripe at checkout):
- –Email address (for subscription receipts and billing communication)
- –Subscription ID and status (active/canceled/expired)
- –Subscription renewal date
Data we never collect:
- ✓Genomic data — stays encrypted on your device, never transmitted
- ✓DNA sequences, SNP data, or health information
- ✓Chat messages or AI query history
- ✓Usage analytics or behavioral tracking
- ✓IP addresses beyond what your internet connection naturally exposes
3. Legal Basis for Processing
We process your email address and subscription data on the legal basis of contract performance (GDPR Art. 6(1)(b)) — it is necessary to manage your subscription. Retention beyond the subscription period is based on legal obligation (Art. 6(1)(c)) under Swedish accounting law (Bokföringslagen), which requires us to retain transaction records for seven years.
4. Data Processors
We use Stripe as our payment processor. Stripe processes your payment information, email, and billing details on our behalf under its own Privacy Policy. Stripe acts as a data processor for the payment data it handles for us.
We do not use any other third-party analytics, advertising, or tracking services.
5. Your LLM API Key
If you configure a cloud LLM API key (Anthropic, OpenAI, Groq) in the app, that key is stored in your operating system's keychain — never on our servers. Queries you send to the AI are routed directly from your device to the AI provider. We do not see them.
6. Data Retention
Your email and subscription records are retained for seven years from your last transaction as required by Swedish accounting law. If you request deletion before that period, we will anonymise your record while retaining the transaction amounts required for accounting compliance.
7. Your Rights Under GDPR
You have the right to:
- –Access (Art. 15): request a copy of your personal data
- –Rectification (Art. 16): correct inaccurate data
- –Erasure (Art. 17): request deletion, subject to legal retention obligations
- –Portability (Art. 20): receive your data in a machine-readable format
- –Object (Art. 21): object to processing where legitimate interests are the basis
To exercise any right, email info@yambacode.com. We will respond within 30 days.
8. Supervisory Authority
If you believe your data has been processed unlawfully you have the right to lodge a
complaint with the Swedish data protection authority:
Integritetsskyddsmyndigheten (IMY)
Box 8114, 104 20 Stockholm, Sweden
www.imy.se
9. Changes to This Policy
Material changes to this Privacy Policy will be communicated via the email address associated with your subscription at least 14 days before taking effect.