Commitment to the protection and security of personal information, including genetic information is of paramount importance to us.
The purpose of this Policy is to inform you about our privacy practices and to ensure that you understand the purposes for which we process your personal data. The following is a brief summary of our privacy practices.
This Policy does not apply to any data insofar as it is held, processed, disclosed or published in a form which cannot be linked to a living individual (such as anonymised data, aggregated data, or coded data which, in a given form, cannot effectively be used to determine your personal data) ("Anonymised and Aggregated Data").
DnaNudge is responsible for the processing of your personal data insofar as we collect it as part of the Service including personal data we obtain through registration forms or other communications with you, the genetic data we receive from Users for analysis and the genetic reports and product recommendations that we generate through the Service and give to the Users.
If you have any questions or if you wish to make a complaint or have other queries relating to the Service, please write to us to the following address: DnaNudge Limited, Scale Space, Imperial College White City Campus, 58 Wood Lane, W12 7RZ, United Kingdom, or by email to: email@example.com.
Enquiries relating to our use of your personal data should be made for the attention of our data protection officer.
Information about your account can be found in our subscription terms and conditions. To use our Service, you must create an account. To create an account, you are asked to submit details such as name (which may be a pseudonym of your choice), email address and telephone number, age, and a password you create.
As outlined in our subscription terms and conditions we do not store your DNA. To enable us to generate your DnaNudge test report, users provide a DNA sample using a swab which is inserted into a DnaNudge Cartridge and analysed by the “on the spot” testing unit (NudgeBox). When the test is completed the cartridge containing the DNA sample is destroyed. There is no genetic information in the NudgeBox. Your DNA sample is tested against a location-coded pattern. The NudgeBox sends an encrypted format of the pattern measurement to the DnaNudge Cloud. The encrypted DNA test results are then analysed in our database where the general relationships between product ingredients, DNA information and certain corresponding traits have previously been stored. Your resulting traits are then sent to your Mobile App and/or DNA capsule so that product recommendations and alternatives are made by either scanning product barcodes or by a search facility on the App. Accordingly, there is no genetic code or genetic variation data transmitted or stored on the User’s DnaBand or DnaNudge App or in the DNA Cloud, only data relating to your traits that are relevant to product recommendations.
Note that only information such as product-recommendations can be shared between Users.
This includes information that we may ask Users to provide from time to time for research processes, quality control and to improve the Service. For example, we may collect such information through direct correspondence, surveys, other activities through the Mobile App, Capsule or the website etc.
From time to time, we may use automatic data collection technologies to collect anonymised product data for research, development and statistical purposes.
We use personal data for the following purposes:
- To meet our obligations to you, to provide you with access to the Service and with product recommendations and to deliver the Service to you, to support Users’ use of the Service and to enable us to handle enquiries and complaints;
- To manage your account and from time to time to communicate with you including by sending you promotional offers or other marketing information or to invite you to participate in surveys, questionnaires or research projects. You can opt out of promotional communications through our Service;
- For research and development purposes (including machine learning) in order to improve or personalise the Service and to help us understand our customers and how our Service is used;
To aggregate data to allow it to be used for statistical and research purposes;
- To personalise Users’ access to the Service, to test, monitor, improve and upgrade the Service;
- To meet our legal obligations and the regulatory requirements to which we are subject, for loss prevention purposes and to protect and enforce our rights and meet our obligations to third parties;
- For our internal business purposes such as keeping records of our communications with Users, compiling statistical data concerning the use of the Service and performing analytics relating to the use of the Service by Users.
The processing of your personal data is lawful based on the following:
- Your express consent, where you consent for us to process your genetic data for the purpose of receiving the Service or when you use the NudgeShare or the NudgeMatch feature to share your product recommendations with other users;
- The fulfilment of our contractual obligations to you in accordance with our subscription terms and conditions;
- Our legitimate interests in (among other things) operating and administering the Service, conducting commercial research, improving and maintaining our Service, personalising and tailoring content made available to you through the Service, protecting the security or integrity of our databases or the Service, protecting our business or reputation, taking precautions against legal liability, protecting and defending our rights or property, or for resolving disputes, investigating and attending to inquiries or complaints with respect to your use of the Service.
Examples of cases where personal data may be shared with Related Parties (subsidiaries, parent companies and other affiliates, our subcontractors, service providers, representatives and agents that provide services to us or act for or on our behalf)
- Data is transferred to our database which is held ‘in the cloud’ on servers operated by a third party service provider (however, the encrypted DNA data – which on its own is meaningless - is held in a form that cannot be linked to the user except through the user’s account);
- Related Parties that we use to assist us in delivering the Service (including administration services, technical services relating to the maintenance, servicing and upgrading of the Service hosting and cloud computing services, data migration and analytical services, marketing and customer service, payment processing services, and other outsourced services);
- Related Parties that help us to test, monitor, improve and develop the Service;
- Related Parties that help us compile, aggregate and analyse personal data in order to produce Anonymised and Aggregated Data that we use, sell and publish;
- Related Parties that help us perform analytical studies and research. We will not disclose the results of such analysis or research to third parties or publish it except in the form of Anonymised and Aggregated Data.
We also reserve the right to disclose and transfer personal data to other entities in connection with the sale or transfer of our business or those business activities relating to the Service. We will ensure that such acquirer will continue to process the personal data in accordance with this Policy (as it may be updated from time to time).
Other circumstances in which your personal data may be used or disclosed include the following:
- If we believe that such disclosure is reasonably necessary to enforce or apply our subscription terms and conditions or to protect our rights, property, the safety or integrity of our services, software or products;
- To protect the Service against abuse or unauthorised access and to protect the personal data of our Users in general;
- Where necessary to satisfy a legitimate request or order of a government body, public authority, regulator or enforcement agency, in response to a third-party subpoena (if on legal advice such response is required) or otherwise as provided by law or required by any court of competent jurisdiction or any regulatory authority acting under statutory powers; or if necessary to defend us or our subscribers (for example, in a lawsuit).
- We will fully co-operate with regulators, law enforcement agencies and other authorities to identify anyone who uses our products, service or software for illegal activities. We reserve the right to report to regulators and law enforcement agencies any activities that are believed to be unlawful.
We may use servers and cloud services in other countries and may transfer the anonymized product/ DNA trait data to other countries for the purpose of storage and data management. Our Related Parties may have access to our database in different countries including, without limitation, the UK, the EU and the USA. We ensure that when personal data is transferred across borders, we do so in compliance with the law including (in the case of data exported from the EU) by putting in place, as between us and the party receiving the data, contractual terms for the protection of the interests of data subjects in the form approved by the European Commission.
We use a range of technical and organisational measures to protect your personal data including the following:
- DnaNudge will destroy your DNA sample.
- We only collect and maintain personal data insofar as is necessary for the proper functioning of the Service;
- The results of Users’ genetic data processed on our servers are not linked to the individual User (except to the User’s anonymous account details, to allow us to provide the Service);
- We limit and control access to records of personal data to members of staff and Related Parties that require such access to perform their duties and services, through passwords, variable log-in rights and other technical and organisational access controls;
- The DnaNudge test results are available on your Mobile App and Capsule and are protected by a password which you are required to set up in order to access this information;
- We apply security measures (including as part of the cloud services we use and when using the services of Related Parties to process your data) including encryption, firewalls and physical security for our servers and information centres.
- We ensure confidentiality obligations are put in place when dealing with our Related Parties and other third parties;
- We avoid the collection or storage of personal data when it is unnecessary or for longer than reasonably needed or legally permitted or required and erase it (or anonymise it) once we no longer need it or are no longer required to keep it as personal data;
- User’s DnaNudge test results and the User’s account details are held in our records for as long as the User maintains his or her account. The data is erased when the User’s account is closed down.
- Data collected from monitoring Users’ use of the Service is aggregated and anonymised before we share it with third parties.
We cannot guarantee that these protections will always successfully prevent unauthorised access to, corruption or loss of personal data. Please bear in mind that transmissions over the Internet are not completely secure, and information you send to or from this Service may be accessible by others. More specifically, electronic communications sent to or from the Service may not be secure.
We ask that you do not share your account password or log-in credentials with anyone. Please contact DnaNudge immediately if you suspect unauthorised use of your account.
You can contact our customer care team to request access to, edit or delete any personal information you have provided to us. We cannot guarantee we will be able to grant a request to change information, for example, if we believe granting such a request would violate the law or cause the information to be incorrect. It may not be possible to retrieve, remove or correct data from any database where the data had been de-identified and/or aggregated.
If you no longer wish to receive the Service, you can close your account by sending an email request to firstname.lastname@example.org. Your account including registration information and user profile will then be deleted.
Users have the following legal rights in respect of their personal data:
- The right to require us to advise you of the categories of your personal data that we process, the purpose of any such processing, the identity of third parties who receive your data from us, the period for which your personal data is stored and whether any automated decision-making processes are being used in relation to your personal data. You also have the right to ask for a copy of your personal data records.
- The right to require us to rectify inaccurate personal data records.
- The right to request the erasure of your personal data records. You have the right to require us to erase your personal data records where:
- The data is no longer necessary in relation to the purpose for which it was collected, such as where you choose to close your account (in which case, it is our policy to delete your data even without your request);
- Where the processing of the data is based on your consent and such consent is withdrawn (provided that the other circumstances described in the sections ‘When do we disclose your personal data to third parties?’ and ‘Lawful basis for processing users’ personal data’ above no longer apply); or
- You object to the processing of your data and there are no overriding legitimate grounds for justifying the data processing.
- The right to restrict the processing of your personal data in certain circumstances (for example, where an objection has been raised and is being investigated); and
- The right to object to the processing of your data in certain circumstances.
This Policy was last changed on 28 June 2023. If we make changes to the Policy, the new version will be posted on the Service. We may change, modify, add or remove portions of this Policy at any time, and any changes will become effective immediately upon being posted unless stated otherwise.