Genetic Data and Community Features Addendum

1. Purpose and Relationship to Other Documents

This Addendum supplements and forms part of the Terms & Conditions (“T&C”) and Privacy Policy (“Privacy Policy”) of yourDNA.family (“the Service”, “we”, “us”, or “our”), operated by Numero Pte. Ltd. (“the Owner”). It addresses matters specific to the processing of genetic data, the inclusion of personal data about third parties in user-submitted content, the operation of public-facing community features, and related service-specific risks.

In the event of conflict between this Addendum and the T&C or Privacy Policy with respect to the matters covered here, this Addendum prevails. This conflict-resolution rule applies to all parts of the Privacy Policy and the T&C, including, for the avoidance of doubt, auto-generated content in the Privacy Policy's Notice at Collection (for Users in U.S. states) and the Privacy Policy's sub-processor and place-of-processing entries.

Where the iubenda-generated Privacy Policy or T&C reflects platform template constraints that do not match the substantive operation of the Service — including without limitation the placement of DNA-related processing activities under a generic “Platform services and hosting” heading rather than under a special-category or sensitive-data heading, the absence of a Singapore PDPA jurisdiction module, the absence of a “Place of processing: Singapore” designation on Owner-operated services, and the absence of a “Genetic data” or “Biometric information” entry in the Notice at Collection's Sensitive Personal Information inventory — those platform artifacts do not modify the substantive characterizations established by this Addendum, which govern.

In all other respects, the T&C and Privacy Policy remain in full effect.

By creating an account, uploading genetic data, uploading family tree data, or otherwise using the Service, you (“User” or “you”) acknowledge that you have read, understood, and agree to this Addendum.

2. Definitions

Capitalized terms not defined here have the meanings given to them in the T&C or Privacy Policy. In addition:

“Genetic Data” means raw genetic test result files uploaded by a User, derived genetic markers, computed match results, shared chromosome segment data (autosomal and X-chromosome), predicted relationships, and chromosome map data.

“Family Tree Data” means data uploaded by a User describing genealogical relationships, typically in GEDCOM format, including names, dates and places of birth, marriage, and death, family relationships, contact information, free-text notes, and other genealogical fields.

“Genetic Evidence Statement” means a published reference within the Service linking DNA-tested individuals to an identified Most Recent Common Ancestor (MRCA) through a path in a family tree.

“Third-Party Data Subject” means an individual whose personal data appears in Family Tree Data, Genetic Data, or a Genetic Evidence Statement on the Service, but who is not themselves a User of the Service.

“NPE” (Non-Paternity Event) means any discrepancy between documented family relationships and biological relationships as inferred from Genetic Data, including but not limited to misattributed parentage, undisclosed adoption, undisclosed donor conception, or undisclosed non-biological parentage.

“Triangulated DNA Group” (or “TG”) means a group of three or more Users who have each inherited the same DNA segment from a common ancestor, as confirmed by DNA segment triangulation with a minimum threshold of 8 centiMorgans (cM).

“Discussion Forum” means a discussion thread or set of threads scoped to a specific Triangulated DNA Group, accessible only to Users who are members of that specific TG.

3. Genetic Data — Special Category Processing

3.1 Acknowledgment that Genetic Data is sensitive

You acknowledge that Genetic Data is:

(a) a special category of personal data under Article 9 of the EU General Data Protection Regulation (“GDPR”) and the equivalent UK GDPR provisions;
(b) sensitive personal information under the California Consumer Privacy Act (as amended by the CPRA), the California Genetic Information Privacy Act (“California GIPA”), and analogous laws in Virginia, Colorado, Connecticut, Utah, Oregon, Texas, Tennessee, Montana, and other US states;
(c) personal data subject to the consent and purpose-limitation requirements of the Singapore Personal Data Protection Act 2012 (“PDPA”); and
(d) subject to heightened legal protection under most other applicable data protection regimes.

For the avoidance of doubt: the iubenda-generated Notice at Collection in the Privacy Policy may not list “Genetic data” or “Biometric information” as a Sensitive Personal Information category, because iubenda's data-category inventory does not at present offer those categories as configuration options. The classification of Genetic Data as Sensitive Personal Information (and as a special category of personal data under GDPR Article 9) established by this Section 3.1 governs regardless of how the iubenda Notice at Collection presents Sensitive Personal Information categories.

3.2 Legal basis for processing

We process your Genetic Data on the following legal bases:

(a) For Users in the EU/UK: Your explicit consent under Article 9(2)(a) GDPR, obtained at the point of upload through a dedicated consent flow that is separate from, and does not bundle with, your acceptance of the T&C, the Privacy Policy, or this Addendum at sign-up. Your sign-up acknowledgement that you have read this Addendum is not, by itself, the Article 9(2)(a) explicit consent — the upload flow obtains that separately, after you have read this Addendum.
(b) For Users in California: Your separate written consent under California GIPA, obtained at the point of upload, addressing collection, storage, and the specific transfers necessary to provide the Service.
(c) For Users in other US states with sensitive-data opt-in requirements: Your explicit opt-in consent at the point of upload.
(d) For Users in Singapore: Your consent under the PDPA, with purpose limitation to the matching, analysis, and community features described in this Addendum and the Privacy Policy.
(e) For Users elsewhere: Your consent, subject to local law.

You may withdraw your consent at any time as set out in Section 3.6.

3.3 Purposes of processing

Genetic Data is processed solely for the following purposes:

(a) identifying genetic matches between Users;
(b) calculating relationship predictions and shared chromosome segments;
(c) supporting the identification of Most Recent Common Ancestors;
(d) generating Genetic Evidence Statements;
(e) providing related analytical tools to you and to other Users with whom you share a genetic relationship;
(f) operating and maintaining the technical infrastructure on which the Service runs; and
(g) complying with applicable legal obligations.

Genetic Data is never:

(a) sold for monetary or other valuable consideration;
(b) shared for cross-context behavioral advertising;
(c) used for targeted advertising;
(d) used to make inferences about your health, predisposition to disease, ethnicity beyond what is necessary for the matching service, or other characteristics outside the matching purpose;
(e) provided to insurers, employers, law enforcement (except where compelled by valid legal process as set out in Section 3.7), or any other third parties outside of those acting as processors under contract to deliver the Service.

3.4 Storage and processing location

Initial uploads are temporarily staged on cloud infrastructure operated by a sub-processor before being transferred to infrastructure operated directly by the Owner. The sub-processors used for the temporary staging step are identified in the Privacy Policy under “Hosting and backend infrastructure”. Long-term storage and analytical processing of Genetic Data take place on Owner-operated infrastructure located in Singapore.

For Users in the European Economic Area, the United Kingdom, and Switzerland, the transfer of Genetic Data to Singapore constitutes a transfer to a third country that has not received a Commission adequacy decision under Article 45 GDPR (or the equivalent UK or Swiss adequacy decision) as at the date of this Addendum. The Owner relies on your explicit consent under Article 49(1)(a) GDPR (and the equivalent UK and Swiss derogations) as the legal basis for the transfer, obtained as part of the same upload-time consent described in Section 3.2.

The iubenda-generated Privacy Policy does not display a “Place of processing” designation for Owner-operated services — including “DNA data processing and matching”, “Family tree data processing and GEDCOM imports”, “DNA match data and genetic evidence statements”, “Public CAP (Common Ancestor Points) scoreboard”, “Public surnames index”, “TG-scoped Discussion Forums”, “Direct registration”, and “Mailing list or newsletter” — because iubenda's platform does not support specifying self-hosted infrastructure as a place of processing. This Section 3.4 is the authoritative place-of-processing disclosure for all such Owner-operated services: long-term storage and analytical processing occur on Owner-operated infrastructure in Singapore.

3.5 Retention and destruction

(a) Raw genetic data files are removed from temporary cloud staging within twenty-four (24) hours of successful transfer to Owner-operated infrastructure.
(b) Genetic Data retained on Owner-operated infrastructure is kept for the duration of your active account, plus any period required by applicable law.
(c) Upon receipt of a valid deletion request (Section 3.6) or upon account closure, your raw genetic data files will be deleted from all Owner-operated systems within thirty (30) days. Derived data necessary to maintain the integrity of Genetic Evidence Statements relied on by other Users may be retained in pseudonymized form as described in Section 5.
(d) The Owner maintains a documented destruction protocol consistent with California GIPA Section 56.182 and analogous requirements in other jurisdictions.

3.6 Your rights regarding Genetic Data

You may at any time:

(a) withdraw your consent to the processing of your Genetic Data, in which case we will cease all processing other than what is strictly necessary to action your withdrawal;
(b) request access to the Genetic Data we hold about you, including a copy in a portable format;
(c) request deletion of your raw genetic data files;
(d) request restriction of processing while we investigate a query;
(e) request rectification of inaccurate data;
(f) request information about the recipients of your Genetic Data; and
(g) lodge a complaint with your applicable data protection authority, including the Personal Data Protection Commission of Singapore, your EU/UK national data protection authority, the California Privacy Protection Agency, or any other competent regulator.

To exercise any of these rights, contact us at info@yourDNA.family. We will respond within one (1) month, in accordance with applicable law.

3.6.1 Scope of access and portability requests

When you request a copy of your data, we provide:

(a) the raw genetic data file you uploaded;
(b) the account information you provided (display name, email, etc.);
(c) the family tree data you entered;
(d) other data you directly provided to the Service.

We may decline to include, or may pseudonymize, the following in our response:

(a) computed or derived outputs of the Service (for example, predicted relationships, identified common ancestors, calculated chromosome segment overlaps, CAP score calculations) — these are our analytical work product rather than data you provided;
(b) personal data of other Users or Third-Party Data Subjects — for example, the identities of your DNA matches or named individuals in Genetic Evidence Statements involving others — where disclosure would infringe their rights;
(c) proprietary information including internal identifiers, algorithm parameters, and other trade-secret data.

You may always request explanation, correction, or removal of derived data even where we do not provide a copy of it.

3.7 Disclosure to law enforcement and authorities

We do not voluntarily disclose Genetic Data to law enforcement, government agencies, or any other authorities. We will disclose Genetic Data only where required by:

(a) a valid court order, subpoena, or warrant issued by a court of competent jurisdiction;
(b) a binding legal obligation under the law of Singapore or another jurisdiction that has lawful authority over us; or
(c) circumstances necessary to protect against imminent harm to life or safety.

Where lawfully permitted, we will notify the affected User of the disclosure request before complying and will challenge requests that we believe to be overbroad or unlawful.

3.8 Security measures

We protect Genetic Data using:

(a) encryption in transit (TLS 1.2 or higher) and at rest;
(b) access controls limited to personnel with a legitimate operational need;
(c) infrastructure monitoring and logging;
(d) least-privilege administrative access;
(e) regular security review of the systems on which Genetic Data is stored.

No security measure is perfect. In the event of a personal data breach affecting Genetic Data, we will notify affected Users and applicable regulators in accordance with GDPR Article 33–34, Singapore PDPA mandatory breach notification (effective February 2021), California breach-notification law, and any other applicable regime.

3.9 Service-wide commitment: no sale, no targeted advertising

In addition to the specific commitments in Section 3.3 with respect to Genetic Data, the Owner does not sell or share, for monetary or other valuable consideration or for cross-context behavioral advertising, any Personal Data of Users, regardless of whether such Personal Data is categorized as Genetic Data, Sensitive Personal Information, or otherwise. This includes, without limitation: identifiers, internet or network activity information, geolocation data, commercial information, and any other category of Personal Data described in the Privacy Policy.

Where the auto-generated Notice at Collection in the Privacy Policy indicates “Sold or Shared: Yes” or “Targeted Advertising: Yes” as a default configuration value for any category of Personal Data, that indication is incorrect and is superseded by this Section 3.9 (per Section 1).

3.10 Sub-processors

The principal sub-processors engaged by the Owner in connection with the Service are listed below, together with their purpose and the section of the iubenda Privacy Policy under which each is also disclosed. This list complements (and where necessary clarifies) the sub-processor disclosures in the iubenda Privacy Policy, which organizes services by purpose category and therefore does not always make the sub-processor chain obvious to readers.

Sub-processor	Purpose	Privacy Policy cross-reference
Amazon Web Services, Inc. (incl. Amazon S3)	Cloud hosting; temporary staging of raw genetic data files prior to transfer to Owner-operated infrastructure in Singapore	“Hosting and backend infrastructure”
Amazon CloudFront; Amazon Route 53	Content delivery network; DNS resolution	“Traffic optimization and distribution”
Amazon Simple Email Service (SES)	Delivery of transactional and notification emails	“Managing contacts and sending messages”
Mailchimp (Intuit Inc.)	Newsletter distribution and mailing-list management	“Managing contacts and sending messages”
Oracle Cloud Infrastructure	Cloud hosting and backend infrastructure	“Hosting and backend infrastructure”
Datadog, Inc.	Infrastructure monitoring	“Infrastructure monitoring”
Zendesk, Inc.	Customer support and contact-request handling	“Managing support and contact requests” and “Interaction with support and feedback platforms”
Chargebee Inc.	Subscription billing	“Selling goods and services online”
PayPal Inc.	Payment processing	“Handling payments”
Google LLC (Google Analytics 4)	Web analytics	“Analytics”
Google Ireland Limited (Google Tag Manager)	Tag management	“Tag management”
Google LLC (YouTube embeds)	Video content embeds on public pages	“Displaying content from external platforms”
OpenStreetMap Foundation	Map widget on public pages	“Displaying content from external platforms”
Fonticons, Inc. (Font Awesome)	Web fonts	“Displaying content from external platforms”

The newsletter and transactional-email workflow is operated by the Owner using Mailchimp for newsletter distribution and Amazon Simple Email Service (SES) for transactional email delivery; the iubenda Privacy Policy lists Mailchimp and SES under “Managing contacts and sending messages” but cannot, as a platform matter, present them as named sub-processors of the separate “Mailing list or newsletter” service entry.

Genetic Data is processed only by the Owner on Owner-operated infrastructure in Singapore, except for the temporary staging step on Amazon Web Services described in Section 3.4. None of the other sub-processors listed above receives Genetic Data.

The Owner will update this list as sub-processors are added or removed. An up-to-date list may be requested at any time from info@yourDNA.family.

4. Authorization to Upload Genetic Data

4.1 Whose Genetic Data you may upload

You may upload to the Service:

(a) your own raw genetic data, obtained from a direct-to-consumer DNA test conducted on a sample provided by you; or
(b) the raw genetic data of another individual only where:
- (i) you have the explicit, informed, and freely given consent of that individual to upload their data to the Service for the purposes described in this Addendum; or
- (ii) the individual is deceased and you are the legal heir or otherwise lawfully authorized representative of the deceased individual under applicable law; or
- (iii) you are the parent or legal guardian of a minor child, you have determined in good faith that uploading is in the minor's best interest, and the upload is otherwise consistent with the age requirements in Section 8.

4.2 Prohibited uploads

You may not upload:

(a) the genetic data of any living individual without that individual's explicit, informed, and freely given consent;
(b) genetic data obtained from a sample taken without the source individual's knowledge or consent, including but not limited to samples obtained from drinking glasses, eating utensils, cigarette butts, hair, used tissues, discarded items, or any other surreptitious means;
(c) genetic data that you do not have a lawful basis to process and disclose under applicable law;
(d) genetic data of any individual where the upload would breach a court order, custody arrangement, or other binding legal obligation;
(e) genetic data of multiple individuals under a single account in a manner intended to obscure the source individual.

4.3 Your representations and warranties

By uploading any Genetic Data, you represent and warrant that:

(a) you have read and understood Section 4.1 and 4.2;
(b) you have the lawful right under applicable law to upload the Genetic Data and to permit its processing by the Service for the purposes described in this Addendum;
(c) the upload does not infringe any third party's rights;
(d) you will, on request from us, provide documentation demonstrating your authority to upload (such as proof of the source individual's consent, proof of guardianship, or proof of legal heir status).

4.4 Enforcement

We reserve the right, in our sole discretion, to:

(a) remove Genetic Data and any associated derived data where we have a credible report or reasonable belief that the data was uploaded in breach of this Section 4;
(b) suspend or terminate accounts of Users found to have breached this Section 4;
(c) cooperate with law enforcement and data protection authorities investigating credible reports of unlawful genetic data uploads.

5. Family Tree Data and Third-Party Personal Data

5.1 Acknowledgment

You acknowledge that Family Tree Data routinely contains personal data about individuals who are not Users of the Service, including:

(a) living relatives, friends, and other connections of the User;
(b) deceased individuals whose data may still be subject to legal protection in some jurisdictions;
(c) living minors, including children, grandchildren, nieces, nephews, and other descendants.

5.2 Your representations regarding third-party data

By uploading Family Tree Data, you represent and warrant that you have a lawful basis under applicable law to process the personal data of each living individual identified in the data. Lawful bases may include, depending on jurisdiction:

(a) the consent of the individual concerned;
(b) your legitimate interest in genealogical research, provided that the individual's fundamental rights and freedoms do not override that interest;
(c) other lawful bases recognized by the law of the User's and the individual's respective jurisdictions.

Where the law of any applicable jurisdiction requires you to inform the individual of the processing, you represent that you have done so or will do so within a reasonable period.

5.3 Our role as processor

In respect of Family Tree Data containing personal data of Third-Party Data Subjects, the Owner acts as a processor on your behalf, processing the data only on your documented instructions and only for the purposes you have authorized through your use of the Service.

Where the Privacy Policy designates the Owner as “Data Controller”, that designation applies to the Owner's processing of Users' own Personal Data. For the limited purpose of Family Tree Data containing personal data of Third-Party Data Subjects, the Owner's role is that of a processor acting on the User's documented instructions, as described in this Section 5. This dual role is a deliberate consequence of the user-generated nature of family-tree content and is consistent with the position taken by other genealogy services that operate on uploaded family-tree data.

5.4 Rights of Third-Party Data Subjects

Living individuals (or, in the case of minors, their parents or legal guardians) whose personal data appears in Family Tree Data on the Service may at any time request:

(a) information about how their data is being processed;
(b) rectification of inaccurate data;
(c) removal of their data from the Service;
(d) exclusion of their data from future matching, public indexing, or display in Genetic Evidence Statements.

Such requests may be submitted to info@yourDNA.family.

We will action such requests within one (1) month. Where the request affects data uploaded by a specific User, we will inform that User of the request to the extent appropriate, and we will give priority to requests from parents or legal guardians of minors.

In some cases — particularly where data appears in Genetic Evidence Statements relied upon by other Users — removal may take the form of pseudonymization (replacing the individual's name with initials or a placeholder) rather than complete deletion, in order to preserve the integrity of the genealogical record. Where this is the case, we will explain our approach to the requester.

6. Public Features of the Service

The Service includes both public-facing features and features only accessible to authenticated Users. We apply privacy-by-design principles to limit the public exposure of personal information about living individuals, particularly Third-Party Data Subjects.

6.1 Public CAP scoreboard

Your chosen display name and accumulated Common Ancestor Points (CAP) score appear, in full, on a publicly accessible scoreboard. The scoreboard exists to provide recognition for Users who contribute to the collaborative genealogical research that is the core purpose of the Service.

You may at any time:

(a) change your display name to a pseudonym of your choosing;
(b) opt out of public scoreboard inclusion entirely by contacting info@yourDNA.family.

Legal basis (EU/UK): legitimate interest under Art. 6(1)(f) GDPR — specifically, the legitimate interest of recognizing community contribution. You have the right to object to this processing under Art. 21 GDPR.

6.2 Public surnames index

Surnames present in your Family Tree Data may be included in a publicly accessible surnames index, supporting the discovery of Users with overlapping genealogical research interests. The index does not by itself link a specific surname to a specific User, but specific surname combinations may be indirectly identifying.

You may exclude specific surnames or entire branches of your family tree from the public surnames index by contacting info@yourDNA.family.

Legal basis (EU/UK): legitimate interest under Art. 6(1)(f) GDPR — supporting the core matching purpose of the Service.

6.3 Public Genetic Evidence Statements — privacy-by-design

Where a User contributes to the identification of a Most Recent Common Ancestor, the path through the family tree from the MRCA down to DNA-tested individuals may be referenced on public pages of the Service (accessible to anyone, without login).

On these public pages, names of living individuals are shown only as abbreviations (typically initials, e.g., “AW” rather than “Andreas West”). Full names of living individuals are not displayed on public pages under any circumstance.

Full names within a Genetic Evidence Statement are revealed only to logged-in Users who have themselves inherited the relevant ancestral DNA segment from the identified MRCA, demonstrating a genuine genealogical and biological connection through DNA segment triangulation.

This triangulation-gated visibility is a deliberate privacy-by-design control intended to limit the exposure of living individuals to those who have a genuine genetic claim to the shared ancestry.

6.4 Two-gate access to family trees and Discussion Forums

Within the authenticated application, access to data and content belonging to other Users — including their family tree data and discussion content — is governed by two cumulative gates. Both gates must be satisfied for access.

Gate 1 — Triangulated DNA Group membership. Access to another User's family tree or discussion content is permitted only where the requesting User and the other User are members of the same Triangulated DNA Group. Membership in a TG requires that both Users (together with at least one independent third User) have inherited the same ancestral DNA segment from a common ancestor.

To be recognized as a triangulated match, a shared DNA segment must:

(a) measure at least 8 centiMorgans (cM) in length; and
(b) be independently confirmed through DNA segment triangulation with at least one additional User who shares the same segment from the same common ancestor.

This threshold and method are designed to exclude statistical noise and to require that matches reflect genuine biological inheritance (identical by descent) rather than coincidental DNA similarity (identical by state).

Gate 2 — Specific TG selection. Once Gate 1 is satisfied, the requesting User may view the family tree, or participate in the Discussion Forum, of a specific DNA cousin only within the context of a single specific TG that they share with that cousin. Where the same two Users share more than one TG, content and discussion remain scoped to each specific TG separately; there is no merged or aggregated view across multiple TGs.

No global search. The Service does not provide functionality to search across, browse, or otherwise access the family tree data or discussion content of Users with whom the requesting User does not share a triangulated DNA match. There is no “all users” search.

Within an authorized view, full names and details of individuals — including living individuals — are displayed in unredacted form. This is necessary for genealogical research to be functionally useful: a tree with abbreviated names cannot be meaningfully analyzed by a relative seeking to identify a common ancestor. The Service's privacy architecture places the protection at the access gate (genetic triangulation) rather than at the display layer (name redaction). Together, the two gates ensure that the personal data of any individual in a User's family tree is visible only to other Users who have a measured, biologically-verified genetic relationship establishing a genuine genealogical interest.

Users may additionally request that specific entries in their own family tree — such as those concerning specific living individuals — be excluded from the views available to their TG cousins, by contacting info@yourDNA.family.

6.5 TG-scoped Discussion Forums

The Service provides Discussion Forums that are scoped to specific Triangulated DNA Groups. Posts and replies in a Discussion Forum are visible only to Users who are members of the specific TG to which the Discussion Forum is attached. Discussion content is not accessible to:

(a) Users who are not in the relevant TG;
(b) Users who share a different TG with the posting User but not this specific TG;
(c) the public.

Categories of Personal Data processed: post content (text, written by Users), timestamps, the identity of the posting User as displayed within the TG, and reaction or engagement metadata.

The iubenda Privacy Policy's “Comment system managed directly” entry under “Content commenting” refers to the comments and replies posted within these TG-scoped Discussion Forums. Comments and replies share the same Gate 1 + Gate 2 access controls and the same TG-scoping as the posts to which they attach; comments and replies are not visible outside the specific TG to which the underlying post belongs.

Users are responsible for the content of their own posts and should exercise care not to disclose personal data about Third-Party Data Subjects (such as living relatives) beyond what is reasonably necessary for the genealogical discussion at hand. The Owner reserves the right to remove posts that breach this Section 6.5, the Terms & Conditions, or applicable law.

6.6 Demo mode

The Service includes an optional “demo mode” that replaces all displayed names with abbreviations throughout the user interface, allowing you to share your screen, present, or record the Service without exposing personal information about yourself or others.

6.7 Removal from public features

You may at any time:

(a) request exclusion from the public scoreboard;
(b) request exclusion of specific surnames or branches of your family tree from the public surnames index;
(c) request removal of your participation in any specific Genetic Evidence Statement.

Send requests to info@yourDNA.family. We will action such requests within a reasonable period, balancing your privacy interests with the integrity of the genealogical record relied upon by other Users.

7. Disclaimers Specific to Genetic Genealogy

7.1 No warranty of accuracy

The Service's relationship predictions, common ancestor identifications, shared chromosome segment calculations, and Genetic Evidence Statements are based on algorithms, user-submitted data, and inherent biological variability. We make no warranty, express or implied, that any such result is accurate, complete, or fit for any particular purpose.

Genealogical and genetic research involves uncertainty. Results may be incorrect for many reasons, including but not limited to: errors in user-submitted family tree data; limitations of the underlying genetic test; the inherent statistical nature of relationship prediction; the existence of multiple plausible common ancestors; and identical-by-state (IBS) versus identical-by-descent (IBD) ambiguity.

7.2 Non-Paternity Events and unexpected discoveries

You acknowledge that genetic genealogy services can reveal:

(a) Non-Paternity Events (NPEs), including misattributed parentage;
(b) undisclosed adoption;
(c) undisclosed donor conception;
(d) previously unknown biological relatives;
(e) previously unknown family history, including circumstances surrounding birth, death, or family relationships;
(f) information that contradicts your prior understanding of your family or identity.

Such discoveries can be emotionally significant and may affect family relationships. We accept no liability for any emotional, familial, psychological, reputational, or consequential harm arising from such discoveries, including harm to you, to members of your family, or to any Third-Party Data Subject.

You acknowledge that you use the Service in full awareness of this risk.

7.3 No professional advice

The Service is a research and discovery tool. Nothing on the Service constitutes medical, legal, financial, psychological, or other professional advice. You should not make medical, legal, or financial decisions based on results from the Service without consulting an appropriately qualified professional.

7.4 No warranty against misuse by other Users

While we take reasonable measures to limit misuse of the Service by Users (including the privacy-by-design controls in Section 6), we cannot guarantee that another User will not misuse information made available to them through legitimate use of the Service. We are not liable for the conduct of other Users.

7.5 Limitation of liability

To the maximum extent permitted by applicable law, the Owner's total aggregate liability arising out of or relating to your use of the Service or to the matters covered by this Addendum is limited to the greater of:

(a) the total fees paid by you to the Owner in the twelve (12) months preceding the event giving rise to the claim; or
(b) one hundred US dollars (USD 100.00).

Nothing in this Section 7 excludes or limits liability that cannot be excluded or limited under applicable law (such as for death, personal injury, fraud, or gross negligence).

8. Age Requirements

The Service is intended exclusively for individuals aged eighteen (18) years or older.

By registering for or using the Service, you represent and warrant that you are at least eighteen years of age. Users under 18 are not permitted to register, upload Genetic Data, or otherwise use the Service.

The 18+ requirement is global and applies regardless of any lower age of digital consent in your jurisdiction. This requirement reflects the heightened sensitivity of Genetic Data and the public-facing nature of the Service's community features.

Family Tree Data routinely includes information about living relatives, including, in some cases, minors. The processing of such data in the context of genealogical research is recognized as a legitimate activity under most data protection regimes, including under Article 6(1)(f) GDPR (legitimate interest in genealogical research) and recognized exceptions for genealogical, archival, or research purposes.

Users should nevertheless exercise care in respect of data about living individuals, particularly minors:

(a) include only information that is reasonably relevant to genealogical research (such as names, dates, places, and family relationships);
(b) avoid including sensitive information about living individuals (such as medical conditions, financial information, or other private details);
(c) prefer information drawn from public records (such as birth announcements, marriage records, obituaries, census records, and similar sources) where available;
(d) honor any request from a living individual (or a parent or guardian on behalf of a minor) to limit, modify, or remove information about them.

The Owner applies privacy-by-design controls — including triangulation-gated visibility and abbreviated public display — to limit the public exposure of living individuals in Family Tree Data. The Owner will give priority to requests from parents or legal guardians for the removal of a minor's data and may, on its own initiative, restrict access to or remove data about living minors where the Owner identifies a concern.

9. Information for Users in Singapore

This section supplements the Privacy Policy and applies to Users in Singapore.

In addition to the rights set out in this Addendum and the Privacy Policy, you have the following rights under the Singapore Personal Data Protection Act 2012:

(a) the right to withdraw consent to the collection, use, or disclosure of your personal data;
(b) the right to request access to your personal data and information about how it has been used or disclosed in the past year;
(c) the right to request a copy of your personal data in a structured, commonly used format, subject to the same limitations described in Section 3.6.1;
(d) the right to request correction of inaccurate personal data;
(e) the right to lodge a complaint with the Personal Data Protection Commission of Singapore at www.pdpc.gov.sg.

In addition, the Owner acknowledges and complies with the following PDPA obligations:

(f) the Consent Obligation under section 13 of the PDPA — the Owner collects, uses, and discloses your personal data only with your consent (express or deemed) or as otherwise permitted by the PDPA;
(g) the Notification Obligation under section 20 of the PDPA — the purposes for which the Owner collects, uses, and discloses your personal data are described in this Addendum (in particular Section 3.3) and in the Privacy Policy, and the Owner will notify you of any new purpose before collecting, using, or disclosing your personal data for that purpose; and
(h) the mandatory data breach notification obligations under sections 26A–26D of the PDPA (effective 1 February 2021) — where a personal data breach is a notifiable breach as defined in section 26B, the Owner will notify the Personal Data Protection Commission (PDPC) as soon as practicable, and in any case no later than three (3) calendar days after the Owner has assessed that the breach is notifiable, and will notify affected individuals as soon as practicable thereafter, subject to the exceptions in section 26D.

To exercise any of these rights, contact us at info@yourDNA.family.

10. Changes to This Addendum

We may amend this Addendum from time to time. We will notify Users of material changes via email or in-Service notification at least thirty (30) days before the changes take effect.

Where a change affects processing for which we have relied on your consent, we will collect fresh consent before the change takes effect with respect to your data.

You may at any time review previous versions of this Addendum by contacting info@yourDNA.family.

11. Contact and Complaints

For any questions about this Addendum, to exercise any rights described in it, or to lodge a complaint, contact us at:

Numero Pte. Ltd.
68 Circular Road, #02-01
Singapore 049422
Email: info@yourDNA.family

You may also lodge complaints with:

Singapore: Personal Data Protection Commission — www.pdpc.gov.sg
EU: your national data protection authority (a list is available at edpb.europa.eu)
UK: Information Commissioner's Office — www.ico.org.uk
California: California Privacy Protection Agency — cppa.ca.gov
Other US states: your state attorney general's office