CommonSense is built to know as little about you as possible. Most of this page is what we don't have, and why.
Your DNA file, your parsed variants, the results of any analysis you run — all of it stays on the device you installed CommonSense on. We don't have servers that receive it, we don't have a database that stores it, we don't see it pass through.
Even the algorithms you install run inside a sandbox on your machine, with no network access. They can read the genomic data you've handed them; they can't send it anywhere.
Everything CommonSense keeps — your profiles, the results of analyses you've run, and which reports you've installed — lives in one encrypted file (your vault) on your machine. It's locked with a password you choose, and the app shows you a one-time recovery phrase during setup. Neither the password nor the phrase is ever sent anywhere.
Because there's no account and no copy on our servers, recovery is entirely in your hands, and it takes two things together:
This is unlike a crypto wallet: the phrase on its own can't rebuild anything, because the actual data lives inside the backup file. You need both the file and the phrase to restore on a new machine. With both, it takes seconds — the app re-locks the vault under a fresh password and you're back exactly where you were, reports and all.
The flip side of "nobody can see it" is that nobody can recover it for you. If you lose both the backup file and the recovery phrase, there's no reset link and no support copy — the data is gone. We'd suggest keeping your original DNA data file somewhere safe too, so you can always re-import it from scratch.
commonsc.io is hosted on a single small server in London. nginx logs incoming requests in the usual fashion (IP address, user-agent, URL, status). Logs are rotated and retained for 14 days for operational debugging, then deleted. We don't use analytics, advertising trackers, or third-party JavaScript on this site. No cookies are set unless you make a purchase (see below).
api.commonsc.io)The desktop app fetches the algorithm catalog from api.commonsc.io/registry/index.json and downloads signed algorithm bundles when you install them. These requests carry only your IP address and a generic user-agent — they don't carry your genome, any installed-item history, or anything that identifies you across sessions.
If you publish an algorithm via commonsc-devkit publish, the marketplace stores the name and contact you provided during registration (so reviewers can write back) plus your bundles. Publishers can request deletion at any time using the contact route at the bottom of this page.
When you buy a paid algorithm, payment is processed by Stripe. The card form is hosted by Stripe and rendered inside a sandboxed window in the app: your card number, CVC, name, address, and email are never visible to CommonSense code. The window's cookies are isolated from any browser you have open on the same machine.
The marketplace records each purchase as a row containing the Stripe session id, the algorithm id and version, the amount and currency, and a timestamp. That row is not linked to a user identity — there is no user identity to link it to. The app stores the same session id locally as your purchase receipt so it can prove you bought the algorithm when it re-verifies on each load.
Stripe applies its own privacy practices to the data you give it. If you opt in to Stripe Link inside the payment window, Stripe stores your card and email for one-tap reuse across other Stripe-using sites. That's a relationship between you and Stripe; we don't see the resulting data.
Three categories of data we have chosen not to collect:
If any of these change in a future version, that change will be called out in the release notes for that version. We commit to never altering this posture silently.
DruidaLabs is registered in England (the operator behind commonsc.io and api.commonsc.io). Under UK GDPR and EU GDPR you have the right to access, correct, port, or delete personal data we hold about you. Realistically the only personal data we hold about most users is in two places:
To exercise any of these rights, email the contact below. We'll respond within 30 days.
Privacy questions, deletion requests, or anything about this page: druidas@druidalabs.com.
We aim to reply within a working day; statutory responses within 30 days.