Security & trust
chat with my body handles some of the most personal data there is — DNA, bloodwork, and honest answers about how someone’s body feels. Here is exactly how that data is protected, in plain English. Practitioners evaluating us for their patients: this page is for you too.
Encryption, everywhere it counts
- All patient personal information is encrypted at rest with AES-256-GCM — names, emails, phone numbers, dates of birth. Not just “the database is encrypted”: each field is individually encrypted before it touches the database.
- DNA files are encrypted at rest the same way, and their contents never appear in logs.
- Everything in transit uses TLS. There is no unencrypted path to our servers.
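For practitioners who want to see what "each field is individually encrypted" can look like in code, here is an added example. It is an illustration written for this page, not chat with my body's own code. The function names, the table/row/column binding, and the nonce, tag, ciphertext storage layout are all assumptions.

```javascript
// Added example: field-level AES-256-GCM. Function names, the AAD binding and
// the stored layout are assumptions, not the platform's implementation.
const crypto = require("crypto");

const NONCE_LEN = 12; // 96-bit nonce, the size GCM is designed around
const TAG_LEN = 16;   // 128-bit authentication tag

// Bind each ciphertext to its table, row and column so a value copied into
// another field or another patient's row fails authentication on read.
function fieldAad(table, rowId, column) {
  return Buffer.from(JSON.stringify([table, rowId, column]), "utf8");
}

function encryptField(key, plaintext, table, rowId, column) {
  const nonce = crypto.randomBytes(NONCE_LEN); // fresh for every encryption
  const cipher = crypto.createCipheriv("aes-256-gcm", key, nonce, { authTagLength: TAG_LEN });
  cipher.setAAD(fieldAad(table, rowId, column));
  const body = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  // Stored value: nonce || tag || ciphertext, base64-encoded for a text column.
  return Buffer.concat([nonce, cipher.getAuthTag(), body]).toString("base64");
}

function decryptField(key, stored, table, rowId, column) {
  const raw = Buffer.from(stored, "base64");
  if (raw.length < NONCE_LEN + TAG_LEN) throw new Error("stored value too short");
  const nonce = raw.subarray(0, NONCE_LEN);
  const tag = raw.subarray(NONCE_LEN, NONCE_LEN + TAG_LEN);
  const body = raw.subarray(NONCE_LEN + TAG_LEN);
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, nonce, { authTagLength: TAG_LEN });
  decipher.setAAD(fieldAad(table, rowId, column));
  decipher.setAuthTag(tag);
  // final() throws if the ciphertext, tag, nonce or AAD has been altered.
  return Buffer.concat([decipher.update(body), decipher.final()]).toString("utf8");
}

// Returns true when the supplied function throws, i.e. decryption was rejected.
function rejects(fn) {
  try { fn(); return false; } catch { return true; }
}

// Constructed sample data; a real key would come from a KMS or secret store.
const demoKey = crypto.randomBytes(32);
const storedEmail = encryptField(demoKey, "pat@example.test", "patients", 42, "email");
```

Because the row and column are authenticated alongside the ciphertext, moving an encrypted value to a different record or field is rejected at decryption instead of silently returning someone else's data.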
Every access leaves a mark
Every time anyone — including a practitioner, including us — views, creates, or changes patient data, an entry lands in an immutable, timestamped audit log. Chat messages, file uploads, dashboard views, record access: logged. This isn’t a feature we turn on for enterprise plans. It’s how the system is built.
Consent is granular and timestamped
Before any analysis begins, patients give separate, individually timestamped consent for educational analysis, curated interpretation, AI involvement, and our terms — four checkboxes, four records. Consent records are retained for seven years, even if the underlying data is deleted.
The AI is fact-checked by another AI
Every insight on a patient dashboard is drafted from that patient’s own data, then attacked by a second, independent AI pass whose only job is to find problems: diagnostic language, unsafe recommendations, unexplained jargon, fabricated citations. Content that fails is rewritten and re-checked — up to five attempts — or dropped entirely. Patients never see a claim that didn’t survive review.
Deletion that respects both rights and records
Patients can request permanent deletion of their genetic data and reports at any time. Sensitive data — DNA, analyses, reports, labs, chat logs — is destroyed; the consent trail is retained as required by our privacy policy’s seven-year commitment.
Practitioner accounts are hardened
Practitioner logins require email one-time codes and mandatory two-factor authentication. Sessions use short-lived tokens (15 minutes) with rotating refresh tokens.
What we will never do
- Sell patient data. To anyone. For anything.
- Share genetic data with insurers, employers, or advertisers.
- Use patient data to train AI models.
- Diagnose, prescribe, or treat. We are a functional wellness tool — the lines are drawn into the product, and the AI points patients back to their practitioner for decisions.
Honest about scope
We are not a medical device and not a HIPAA-covered entity — we are an educational wellness platform, and we say so plainly in our terms, privacy policy, and genetic consent documents. Built against the Kansas Consumer Protection Act and the Wayne Owen Act’s genetic-privacy requirements.
Questions
Security questions get answered by the person who wrote the code. Email hello@chatwithmybody.com.
Last updated: 12 June 2026