Privacy policy

Last updated: 24 May 2026

1. Who we are

GNLAB / myGNLab is a trading name of Sumner B.V. ("we", "us"), a company registered in the Netherlands (KVK: 66485991, BTW: NL856575252B01). We are the data controller for the personal and health data described in this policy.

Contact for privacy matters: contact@mygnlab.com

2. What data we collect

From your purchase

  • Name, email address, phone number, shipping address.
  • Payment information (handled by Stripe — we never see or store full card numbers).

From your health profile questionnaire

  • Date of birth, biological sex, height, weight.
  • Lifestyle data (activity, smoking, sleep, stress, sun exposure).
  • Diet profile and dietary restrictions, allergies, intolerances.
  • Health conditions, current medications, current supplements.
  • Optional: blood test values you upload or enter.
  • Your digital signature confirming consent.

From your DNA test

  • Genetic data generated from the saliva sample you provide.
  • Approximately 60+ genetic markers used to determine your personalised supplement formula.

3. Why we collect this data

  • To analyse your genetic profile and create your personalised supplement formula.
  • To place lab orders with our European laboratory partner.
  • To produce, ship, and renew your supplement.
  • To send transactional emails about your order, kit, and formula.
  • To answer your questions when you contact us.

4. Legal basis

Personal data is processed on the basis of your explicit consent (Art. 6(1)(a) GDPR) and to fulfil the contract you enter when placing an order (Art. 6(1)(b) GDPR).

Health and genetic data is processed only on the basis of your explicit consent for special category data (Art. 9(2)(a) GDPR).

5. Who we share data with

We share data only with the third-party processors that make the service work. Each operates under a data processing agreement with us as required by Art. 28 GDPR.

  • European laboratory partner (Novogenia GmbH, Austria) — DNA analysis, supplement manufacturing, shipping fulfilment.
  • Stripe — payment processing.
  • Supabase (EU region) — database hosting and storage.
  • Resend — transactional email delivery.
  • SendCloud — shipping label generation and tracking.
  • Vercel — website hosting (CDN edge nodes).

We do not sell your data to anyone. We do not share your data for advertising, profiling, or any purpose unrelated to delivering your supplement.

6. International transfers

Your data is processed primarily within the EU/EEA. Where any processor uses infrastructure outside the EEA, transfers are governed by Standard Contractual Clauses or an adequacy decision.

7. How long we keep your data

  • Order, shipping, and contact information: 7 years (Dutch tax law retention requirement).
  • Health profile questionnaire data: as long as you are an active customer plus 5 years.
  • Genetic data and DNA test results: as long as you are an active customer plus 5 years, unless you request earlier deletion.
  • Email transactional logs: 12 months.

8. Your rights

Under the GDPR you have the right to:

  • Access the personal data we hold about you (Art. 15).
  • Correct inaccurate data (Art. 16).
  • Have your data erased (Art. 17).
  • Restrict processing (Art. 18).
  • Receive your data in a portable format (Art. 20).
  • Object to processing (Art. 21).
  • Withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, email contact@mygnlab.com. We respond within one month.

9. Cookies

This website uses only strictly necessary first-party cookies (session management, checkout state). These cookies are essential for the website to function and do not require a consent banner under the ePrivacy Directive. We do not use advertising cookies, tracking pixels, or third-party analytics that profile individual users.

10. Children

GNLAB is intended for users 18 years and older. We do not knowingly collect data from children under 18. If you believe a child has provided data to us, please contact contact@mygnlab.com.

11. Changes to this policy

We will notify you by email of material changes to this policy at least 30 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.

12. Complaints

If you believe we have mishandled your data, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, autoriteitpersoonsgegevens.nl).
