Plain-English breakdown of what Human Substrate stores about you, where it lives, who can read it, and how to make it go away. Last updated 2026-05-15.
Account data: email, password hash (bcrypt), and — if you sign in with Google — your Google account ID and display name. Nothing else from Google.
Assessment responses: answers to the seven-layer questionnaire (genetics, physical, neuro, psych, lifestyle, situation, triggers). These are the inputs the model runs on.
Chat messages: everything you type into the chat, plus the model’s replies. Used to update findings, run crisis detection, and produce session summaries. Not shared, not used to train external AI models.
Daily telemetry: mood, energy, sleep, anxiety, food flags, caffeine, alcohol — only what you log on /track.
Optional enrichments: 23andMe raw-data file if you import one, lab values you enter, medications you list, family-history you add. You control all of these.
Billing: if you upgrade, Stripe handles the card. We never see the card number. We store a Stripe customer ID and your subscription tier.
Operational telemetry: page-view counts, rough timestamps, error logs. No third-party analytics tracker (no Google Analytics, no Meta Pixel, no Segment).
Database: PostgreSQL hosted on Railway (US region). Encrypted at rest. Network-restricted — only the application can read it.
Application: Next.js running on Railway, with some helper services on Fly.io and Hetzner (the Medicine knowledge API). Logs are retained 30 days for debugging then rotate out.
23andMe imports: the raw file is parsed into per-variant rows in the database. The original file is not retained after parsing.
Backups: encrypted database backups, retained 30 days, deleted on rolling schedule.
You — full access to everything you’ve entered, via /dashboard, /findings, /track, and the export endpoint below.
The developer — can access the database for support and debugging. Single-person operation, no employees, no contractors, no analytics vendors with backdoor access.
Anthropic — your chat messages are sent to Anthropic’s Claude API to generate replies. Per Anthropic’s commercial terms, API content is not used to train their models and is retained at most 30 days for abuse monitoring. See Anthropic’s privacy policy.
Stripe — handles payment. Sees email and card; does not see your chat or health data.
Nobody else. We do not sell, share, or license your data to advertisers, brokers, researchers, insurers, or anyone else.
If you import 23andMe data, you’re uploading the most identifying biological information you have. Treat that seriously.
Variant rows are stored against your account. They are not shared with research consortia, ancestry services, insurers, or law enforcement absent a valid subpoena. We do not sell or aggregate genetic data.
Genetic data has implications for blood relatives. You decide whether to upload yours; we recommend you understand what 23andMe’s terms say about familial data before you do.
You can delete the imported variants any time via /genetics and they are removed from the database immediately. They are not preserved in backups beyond the 30-day rolling window.
Every chat message runs through a crisis-detection layer that scores for acute risk (self-harm, suicidal ideation). When a high score fires, the model’s reply includes safety resources (988 in the US, 9-8-8 in Canada). The score and the message stay in your account; they are not reported to any external service or authority.
This is not a substitute for emergency care. If you are in immediate danger, call 911 or 988.
Export everything we have on you, as JSON: /account → Export data. Includes responses, findings, chat history, genetics, lab values.
Delete your account from /account → Delete account. All rows tied to your user ID are removed from the live database immediately. Backups containing your data age out within 30 days.
Change your email or password from /account.
Cancel billing via the Stripe customer portal (link inside /account). Cancellation stops future charges; existing data stays unless you also delete the account.
One cookie: a NextAuth session cookie that keeps you signed in. HTTP-only, secure, SameSite=lax. We do not use tracking cookies, advertising pixels, or third-party analytics scripts.
The browser caches some UI state in localStorage (theme, last-viewed tab). You can clear it from your browser; nothing on the server depends on it.
Human Substrate is for adults. We do not knowingly collect data from anyone under 18. If you believe a minor has created an account, email hello@humansubstrate.com and the account will be deleted.
Operated from British Columbia, Canada. Subject to Canadian privacy law (PIPEDA) and, where applicable, GDPR for EU users and CCPA for California users. Those laws give you rights to access, correct, and delete your data — Substrate gives those rights to everyone regardless of jurisdiction.
When this policy changes materially, signed-in users will see a notice on next sign-in and have to acknowledge it before continuing.
Questions, requests, or complaints: hello@humansubstrate.com. One human reads that inbox.