Privacy Policy

Please take the time to read the following information carefully so that you fully understand our views and practices regarding your personal data and how we will use it. You must be over 18 years old to use our site/platform and DNA Services.

We also recommend that you store this document in a safe place.

This privacy policy (together with our T&Cs and any other documents referred to in it) (collectively referred to as this policy) sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. By using our site and platform (collectively referred to as our site), you accept the practices described in this policy.

This policy was last updated on 25 April 2019. It applies to all users of our site and DNA Services (as defined in our T&Cs). We may amend this policy at any time, and whenever we do so we will notify you by posting a revised version on our site. Please review this policy each time you visit our site as it may have been updated since your last visit.

For the purpose of the Data Protection Act 2018 and the General Data Protection Regulation ((EU) 2016/679) (DPA), the data controller is Chronomics Limited of 1 St James Court, Norwich, Norfolk, NR3 1RU (Chronomics, we or our). If you have any questions regarding this policy or believe we have breached the DPA, please contact us at info@chronomics.com.

WHO ARE YOU?

Children: We ask that persons under the age of 18 (which we treat as children and minors) refrain from using our site and DNA Services or submitting any personal data to us. Persons under the age of 18 years are not eligible to use the DNA Services and if we discover that someone under the age of 18 has registered an account, we will close it. A parent or legal guardian may use the DNA Services, provide personal data about children, and send us the saliva sample of a child for processing using an account for that child that is directly managed by the parent or legal guardian. By activating a DNA collection kit for, or submitting any personal data about, a minor you represent that you are the minor's parent or legal guardian. You also agree that you have discussed the DNA Services with the minor and the minor has agreed to the collection and processing of their saliva.

VISITORS TO OUR SITE (EXCLUDING USERS OF OUR SERVICES – SEE BELOW)

Personal data we collect: With regard to each of your visits to our site, we will automatically collect:

  • technical information, including the Internet Protocol (IP) address used to facilitate your connection to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions and hardware information.
  • information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from our site (including date and time); services, products or articles you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page, and any phone number used to call us.

Cookies: Our site uses cookies to distinguish you from other users of our site. This helps us to provide you with a good experience when you browse our site and also allows us to improve our site. By continuing to browse our site, you are agreeing to our use of cookies. A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your computer if you agree. Cookies contain information that is transferred to your computer’s hard drive. You can read more about how we use cookies in our Cookie Policy. You can enable or disable cookies by modifying the settings in your browser. You can find out how to do this, and find more information on cookies, at www.allaboutcookies.org.

Using your personal data: We will use this information for the following legitimate interests (whether ours or a third party’s):

  • to maintain our site and keep it safe and secure
  • to protect the rights, property, or safety of Chronomics, our customers, suppliers, contacts or others (we will also use your information where we are required by law to do so)
  • to improve our site and ensure that content is presented in the most effective manner for you and for your device(s)
  • for internal operations (including troubleshooting, data analysis, testing, research, and statistical and survey purposes) and/or
  • to deal with any issues you have reported with our site

We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by emailing info@chronomics.com.

Sharing your personal data: We will only share personal data with third parties in the following instances:

  • our employees, contractors and agents (but their use shall be limited to the performance of their duties and in line with the reason for processing) who are based in Europe and US.
  • our website hosting supplier (acting as a processor) to enable them to maintain, develop and host our site and who is based in Europe.
  • with analytics and search engine providers (acting as processors) that assist us in the improvement and optimisation of our site and who are based in Europe and US.
  • in connection with any legal proceedings (including prospective legal proceedings) (including our external lawyers) and/or
  • where we are required by law to do so.

Retaining your personal data: This information is kept for up to one year and will then be deleted automatically. However:

  • if we are required by law to retain it for longer, we will retain it for the required period and/or
  • where the information is being used in connection with legal proceedings (including prospective legal proceedings) it will be retained for the duration of those legal (and any enforcement) proceedings.

Transferring your personal data outside the EEA: Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

  • We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
  • Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe.
  • Where we use providers based in the US, we may transfer data to them if they are part of the EU-US Privacy Shield which requires them to provide similar protection to personal data shared between Europe and the US.

Your rights: Please see YOUR RIGHTS.

USERS OF OUR DNA SERVICES

Personal data we collect: When you subscribe to, or use, the DNA Services you will need to provide your name, address, email address, date of birth, phone number, debit/credit card and bank account details, and genetic and/or epigenetic data. You will also need to provide a password to enable you to create an account, but we will not have access to, and will therefore not share, your password. You have to create an account to buy the DNA Services.

You may also provide to us from time to time other sensitive personal data (e.g., racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, biometric data, health data or data concerning your sex life or sexual orientation) (which we will refer to in this policy as other sensitive data) but we will always obtain your explicit consent before any processing takes place.

Where you give permission to a third party improvement provider (e.g., doctors, health coaches, nutritionists, dieticians, personal trainers, genetic counsellors and DNA counsellors) from your clinic, from whom you purchased your product, or whom you are accessing to discuss or arrange support to access your profile on our platform, they will upload further personal data on your behalf. We are not responsible for any personal data about you that they upload to our platform. Please ensure that you read their statements; we are not responsible for their privacy statements or compliance with data protection laws. If you believe any personal data about you that they have uploaded to our platform is inaccurate or incomplete, please contact your improvement provider.

We may also collect information about you from social media platforms including when you interact with us on those platforms or access our social media content. The information we may receive is governed by the privacy settings, policies, and/or procedures of the applicable social media platform, and we encourage you to review them.

We may also collect information about you through your account, using questionnaires or other means (such as widgets or apps in our platform).

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

We do not record calls.

Using your personal data: We will use your personal data where it is necessary to

  • perform our contract with you so that we can provide the DNA Services to you and/or
  • pursue our legitimate interests (namely (i) troubleshooting, data analysis, testing, research, and statistical and survey purposes (ii) keeping our systems, customers and information secure, (iii) obtaining customer feedback, (iv) looking into, and responding to complaints, legal matters or (v) any other issues).

We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by emailing info@chronomics.com.

Sharing your personal data: We will share this information with:

  • All of your personal data (including genetic and/or epigenetic data) will be shared with
    • our employees, contractors and agents (but their use shall be limited to the performance of their duties and in line with the reason for processing) who are based in UK and US.
    • external lawyers (acting as controllers) that we engage from time to time to help us protect the rights, property, or safety of Chronomics, our customers, suppliers, contacts or others (including enforcing and defending this policy) and who are based in UK.
    • our cloud platform providers (acting as processors) to enable them to maintain, develop and host our platform and who are based in Europe.
    • third party improvement providers (namely doctors, health coaches, nutritionists, dieticians, personal trainers, genetic counsellors and DNA counsellors) (acting as processors, controllers or joint controllers) who you approve access to your personal data via our platform
    • third party affiliates, clinics or distributors that you purchase or register tests through or approve access to your personal data
    • third parties in the event of the sale, acquisition or merger of some or all of our assets if your personal information is part of the transferred assets (we shall notify you in the event of such an occurrence, as well as any choices you may have regarding your personal information, by placing a notice on our site)
    • in connection with any legal proceedings (including prospective legal proceedings) and/or
    • where we are required by law to do so.
  • All of your personal data except your genetic and/or epigenetic data will be shared with
    • our website hosting supplier (acting as a processor) to enable them to maintain, develop and host our site and who is based in Europe.
    • our accountants (acting as controllers), to enable them to provide accountancy services to us and who are based in UK and/or
  • Your name, address, email address, date of birth, phone number, debit/credit card and bank account details and certain technical information about your device and location will be shared with our payment processors (acting as processors or controllers) to process your payments and who are based in US.
  • Your name, address, email address, date of birth, and debit/credit card and bank account details, will be shared with our bank (acting as a controller) to record your payments and who is based in Europe.
  • Only your genetic and/or epigenetic data will be shared with our wet-lab and sequencer providers (acting as processors or controllers) with your sample always anonymised through an intermediate barcode and who are based in Europe

In relation to other sensitive data that you may share with us from time to time, we will inform you at the time of collection who (if anyone) it will be shared with (such sharing will always be done on an anonymous basis, so the third party cannot identify you).

We use telephony services, which would get to see phone numbers if we call you, and a broadband supplier which could see email addresses (but not the content of what you send us, if you encrypt it).

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

Retaining your personal data: All of this information is kept for as long as your account remains open and then up to 6 years thereafter. However:

  • in some cases, we may want to keep part of your data for research purposes, in which case we will ask you for your explicit consent to retain it, always anonymised as appropriate;
  • if we are required by law to retain it for longer, we will retain it for the required period; and/or
  • where the information is being used in connection with legal proceedings (including prospective legal proceedings) it will be retained for the duration of those legal (and any enforcement) proceedings.

In relation to other sensitive data that you may share with us from time to time, we will inform you at the time of collection how long it will be retained for.

Transferring your personal data outside the EEA: Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

  • We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
  • Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe.
  • Where we use providers based in the US, we may transfer data to them if they are part of the EU-US Privacy Shield which requires them to provide similar protection to personal data shared between Europe and the US.

In relation to other sensitive data that you may share with us from time to time, we will inform you at the time of collection if it will be transferred outside the EEA.

Your rights: Please see YOUR RIGHTS.

If you have visited our site, please also see VISITORS TO OUR SITE.

THIRD PARTY CLINICS, AFFILIATES, DISTRIBUTORS OR IMPROVEMENT PROVIDERS

Personal data we collect: If you:

  • use our platform;
  • contact us or we contact you (by phone, email, form or otherwise) in connection with our platform or the services you offer; and/or

We will hold your name, job title/profession, specialties, employer details, qualifications, registration numbers, email address(es), phone number(s), location and bios and photos where you provide these.

You will also need to provide a password to enable you to create an account, but we will not have access to, and will therefore not share, your password. You have to create an account to use our platform.

We may also collect information about you from social media platforms including when you interact with us on those platforms or access our social media content. The information we may receive is governed by the privacy settings, policies, and/or procedures of the applicable social media platform, and we encourage you to review them.

We may also collect information about you through your account, using questionnaires or other means (such as widgets or apps in our platform).

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

We do not record calls.

Using your personal data: We will use your personal data where it is necessary to:

  • perform our contract with you so that we can provide you with access to platform and
  • pursue our legitimate interests, namely:
    • to enable us to perform our contract with the company who is supplying services to us, or to take steps to enter into such contract
    • to manage payments, fees and charges due under our contract
    • to manage our relationship with the company who is supplying service to us including notifying changes to our terms or this Policy and keeping our records updated
    • for troubleshooting, data analysis, testing, research, and statistical and survey purposes
    • obtaining provider and customer feedback
    • verification of qualifications or references
    • keeping our systems, customers and information secure
    • looking into, and responding to complaints, legal matters or any other issues (including enforcing any terms that apply to your use of our platform) and/or

We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by emailing info@chronomics.com.

Sharing your personal data: We will share this information with:

  • our employees, contractors and agents (but their use shall be limited to the performance of their duties and in line with the reason for processing) who are based in UK and US.
  • our website hosting supplier (acting as a processor) to enable them to maintain, develop and host our site and who is based in Europe
  • our cloud platform providers (acting as processors) to enable them to maintain, develop and host our platform and who are based in Europe and US.
  • third parties in the event of the sale, acquisition or merger of some or all of our assets if your personal information is part of the transferred assets (we shall notify you in the event of such an occurrence, as well as any choices you may have regarding your personal information, by placing a notice on our site)
  • your name, address, email address, date of birth, and debit/credit card and bank account details, will be shared with our bank (acting as a controller) to record your payments and who is based in the UK
  • in connection with any legal proceedings (including prospective legal proceedings) (including our external lawyers)
  • where we are required by law to do so

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

Retaining your personal data: This information will be kept for the duration of our contract with (as applicable) you or the company who is supplying services to us and then for 7 years in the event of legal claims. However:

  • if we are required by law to retain it for longer, we will retain it for the required period and/or
  • where the information is being used in connection with legal proceedings (including prospective legal proceedings) it will be retained for the duration of those legal (and any enforcement) proceedings.

Transferring your personal data outside the EEA: Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

  • We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
  • Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe.
  • Where we use providers based in the US, we may transfer data to them if they are part of the EU-US Privacy Shield which requires them to provide similar protection to personal data shared between Europe and the US.

In relation to other sensitive data that you may share with us from time to time, we will inform you at the time of collection if it will be transferred outside the EEA.

Your rights: Please see YOUR RIGHTS.

If you have visited our site, please also see VISITORS TO OUR SITE.

CONTACTING US VIA OUR CONTACT PAGE OR JOINING OUR NEWSLETTER

Personal data we collect: If you contact us via our “Contact” page or join our newsletter and we respond (by phone, email or otherwise), we will hold your email address and any other information you give us.

We do not record calls.

Using your personal data: We will use this information for the following legitimate interests:

  • to provide you with the information you have requested from us or to follow up on your enquiry and/or
  • to keep our systems, customers and information secure, look into, and respond to complaints, legal matters or any other issues.

We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by emailing info@chronomics.com.

Sharing your personal data: We will only share personal data with third parties in the following instances:

  • our employees, contractors and agents (but their use shall be limited to the performance of their duties and in line with the reason for processing) who are based in UK and US.
  • when your personal data is stored in our cloud platforms (acting as processors) to enable them to maintain, develop and host our platform and who are based in Europe.
  • in connection with any legal proceedings (including prospective legal proceedings and/or our external lawyers)
  • where we are required by law to do so and/or
  • with our telephone supplier (which would get to see phone numbers if we call you) and our broadband supplier (which could see email addresses but not the content of what you send us, if you encrypt it).

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

Retaining your personal data: This information will be kept for the duration of your enquiry and for up to one year thereafter. However:

  • if we are required by law to retain it for longer, we will retain it for the required period and/or
  • where the information is being used in connection with legal proceedings (including prospective legal proceedings) it will be retained for the duration of those legal (and any enforcement) proceedings.

In relation to other sensitive data that you may share with us from time to time, we will inform you at the time of collection how long we will retain it for.

Transferring your personal data outside the EEA: Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

  • We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
  • Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe.
  • Where we use providers based in the US, we may transfer data to them if they are part of the EU-US Privacy Shield which requires them to provide similar protection to personal data shared between Europe and the US.

In relation to other sensitive data that you may share with us from time to time, we will inform you at the time of collection if it will be transferred outside the EEA.

Your rights: Please see YOUR RIGHTS.

If you have visited our site, please also see VISITORS TO OUR SITE.

YOUR RIGHTS

In relation to personal data we hold about you, you have the right to:

  • where we process your personal data based on your consent, to withdraw your consent easily and at any time
  • get access to your personal data that we hold and receive information about our processing of it
  • ask us to correct the record of your personal data maintained by us if it is inaccurate or to complete incomplete personal data
  • ask us, in certain instances, to erase your personal data or cease processing
  • object to us processing your personal data for direct marketing purposes
  • challenge us processing your personal data which has been justified on the basis of our legitimate interests
  • ask us, in certain instances, to restrict processing personal data to merely storing
  • ask us, in certain instances, to transfer your personal data to another online provider
  • request a copy of an agreement under which your personal data is transferred outside of the EEA
  • in certain instances, not be subject to automated decision-making (including profiling)
  • prevent processing that is likely to cause damage or distress to you and seek compensation from us for any damages caused to you by us breaching the DPA
  • be notified of a personal data breach which is likely to result in high risk to your rights and freedoms and
  • complain to a data protection authority (contact details for data protection authorities in the European Economic Area, Switzerland and certain non-European countries (including the US and Canada) are available here) (you may complain to a data protection authority in the EU Member State of your residence, your place of work or of the alleged breach of DPA Laws).

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

If you would like to exercise any of these rights, please contact info@chronomics.com (we may ask you to verify your identity - please cooperate with us in our efforts to verify your identity). Please note that we may need certain personal data to enable us to provide the DNA Services and/or information you ask for, so changes you make to your preferences, or restrictions you ask us to make on how we use personal data, may affect what information we can provide.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

We try to respond to all legitimate requests within one calendar month (starting from the day after we receive your request). Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

HOW WE PROTECT YOUR PERSONAL DATA

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. We update and test our security technology on an ongoing basis. In addition, we train our staff about the importance of confidentiality and maintaining the privacy and security of your personal data. Any payment transactions will be encrypted.

Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.

Unfortunately, the transmission of information via the internet isn’t completely secure. Although we will do our best to protect your personal data, we can’t guarantee the security of your personal data transmitted to our site; any transmission is at your own risk.

Once we have received your personal data, we will use physical, technical and administrative safeguards to try to prevent unauthorised access. Our cloud platforms use state-of-the-art encryption technologies for data in transit and at rest and are among the most secure providers available in the market.

DIRECT MARKETING

We will inform you (before collecting your personal data) if we intend to use your personal data for such purposes or if we intend to disclose your information to any third party for such purposes. You can exercise your right to prevent such processing by contacting us at info@chronomics.com. Furthermore, if you are on our mailing list for periodic email updates including about the DNA Services, and no longer want to receive such information, you can also contact us on the above details or by clicking the “unsubscribe” link in our marketing communications. We will honour your choice and refrain from sending you such direct marketing and email updates. Please note that if you ask us not to contact you by email at a certain email address, we will retain a copy of that email address on a “suppression list” in order to comply with your no-contact request. You are free to change your marketing choices at any time.

LINKS TO OTHER WEBSITES

Our site may, from time to time, contain links to and from third party websites. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we don’t accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.

Our site uses interfaces with social media sites such as Facebook, LinkedIn, Twitter and others. If you choose to "like" or share information from our site through these services, you should review the privacy policy of that service. If you are a member of a social media site, the interfaces may allow the social media site to connect your site visit to your personal data.