By email: firstname.lastname@example.org
Data Protection Officer
New York, NY 10036
United States of America
The following are our core privacy principles:
- We collect and handle information (i) to provide, analyze and improve our products and services, (ii) as we reasonably believe is permitted by laws and regulations, including for marketing and advertising purposes, (iii) to protect the security and safety of our company, employees, customers, as we reasonably believe is permitted by laws and regulations, (iv) to comply with laws and regulations we are subject to, and (v) for aggregate and anonymous research purposes to improve our genomics algorithm.
- We will not sell, lease, or rent individual-level information (i.e., information about a single individual’s genotypes, diseases or other traits/characteristics) to any third-party or to a third-party for research purposes without the explicit consent or request by users.
- We understand and respect the sensitive nature of information users provide us with, including information about genetic characteristics, disease conditions, racial and ethnic origin, lifestyle, etc. To that end, we strive to be transparent in our collection, use, and disclosure of this information and to ask for explicit consent to share such sensitive information with third parties.
- We are committed to providing a secure and safe environment for our prodiucts and services. LifeNome abides by the Genetic Information Nondiscrimination Act, or GINA, a U.S. federal legislation with bipartisan support that protects Americans from discrimination with respect to health insurance and employment decisions on the basis of genetic information. GINA has passed through Congress and was signed into law by the President on May 21, 2008. As a result, American insurance companies and health plans (including both group and individual insurers, as well as federally-regulated plans) will be prohibited from looking at an individual’s predictive genetic information or genetic services before they enroll; “requesting or requiring” that an individual or their family members take a genetic test; restricting enrollment based on genetic information; or changing premiums based on genetic information. GINA also prohibits U.S. employers (including employment agencies, labor organizations, and training programs) from discriminating against who they hire or how much they pay on the basis of genetic information; “requesting or requiring” that an individual or their family members take a genetic test; or disclosing genetic information in their possession except under specific and specially controlled circumstances.
3. WHAT INFORMATION WE COLLECT AND HOW WE COLLECT IT
Personal data, or Personal Information means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
- Identity Data includes first name, last name, username or similar identifier, marital status, date of birth and gender.
- Contact Data includes a billing address, delivery address, email address, and telephone numbers.
- Financial Data includes bank account and payment card details.
- Transaction Data includes details about payments to and from users and other details of products and services purchased from us.
- Technical Data includes internet protocol (IP) address, login data, browser type, and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices used to access this website.
- Profile Data includes username and password, purchases or orders made, wellness and lifestyle profiles, dietary and exercise preferences, feedback and survey responses.
- Usage Data includes information about the use of our websites, products, and gSaaSTM API outputs.
- Marketing and Communications Data includes references in receiving marketing from us and our third parties and communication preferences.
- Genetic Data includes DNA/genetic data, which is immediately encrypted when stored.
4. HOW WE COLLECT PERSONAL DATA
Information provided directly to us or through a third-party company to which the user has given consent to share information with us
- Registration Information: When users or third parties register an account on behalf of the user with us or purchase our products and services, we collect personal information, such as name, billing address, payment information (e.g., credit card) and contact information such as email addresses.
- Self-Reported Information: Users have the option to provide us with additional information about themselves through surveys, forms, features, applications or API calls. For example, users may provide us with information about personal traits, ethnicity, disease conditions, other health-related information, and family history information. Before disclosing information about a family member, users should make sure that they have permission from the family member to do so.
- Third-Party Sites. If users obtain our products and services through a third-party site to which they have given consent to share their Personal Information with us, we will collect Personal Information such as Identity Data and Genetic Data. We do not control the third-party site’s information practices, so users should review the third party’s privacy statement and their profile settings on the third party’s site carefully.
- User Content: Some of our products and services may allow users to create and post or upload content, such as data, text, software, audio, photographs, graphics, video, messages, or other materials that they create or provide to us through either a public or private transmission (“User Content”). Our website may offer publicly accessible blogs or community forums. Users should be aware that any information they provide (such as reviews) in these areas may be read, collected, and used by others who access them. To request that we remove or anonymize personal information from our blog or community forum, contact us at email@example.com. Please note that whenever user post something publicly, it may sometimes be impossible to remove the information, for example, if someone has taken a screenshot of users’s posting.
5. INFORMATION RELATED TO OUR GENETIC ANALYSIS SERVICES
Digital Genetic Data: To use our products and services, users or representative third parties must upload their digital genetic data (features of the DNA that distinguish the user from other people (e.g. the As, Ts, Cs, and Gs at particular locations in the genome) to our websites and applications or provide consent to a third-party company to share their Identity Data and Genetic Data with us by using our gSaaSTM API. If users have not already procured their digital genetic data through the analysis of a sample of their DNA, they must purchase, or receive as a gift, a DNA test kit, register an online account with the third party offering such service, and provide their genetic sample to the third-party to receive a digital copy of their raw DNA data and provide that data to the LifeNome platform. LifeNome is not responsible for the accuracy of the raw data analysis, nor the secure processing of genetic data by third parties. LifeNome only uses the raw data produced by the third party (based on the DNA sample) for generating its wellness websites, applications and gSaaSTM API outputs.
Information collected through tracking technology (e.g. from cookies and similar technologies)
We may receive reports based on the use of these technologies from third party service providers on a de-identified, individual-level or aggregated basis. We and our third party service providers do not use a user’s Sensitive Information, such as Genetic Information for targeted advertising. Third-party service providers, such as Google Analytics, may collect, store, and share information as further dictated by the privacy policies and disclosures of those third parties.
6. HOW WE USE USER INFORMATION
- Where we need to perform the contract we are about to enter into or have entered into with users or a Third-Party intermediary to whom you have given consent.
- Where it is necessary for our legitimate interests (or those of a third party) and user interests and fundamental rights do not override those interests.
- Where we need to comply with a legal or regulatory obligation.
To provide users with products and services and analyze and improve our products and services
- open user account, enable purchases and process payments, communicate with users and implement user requests;
- host our websites, run our applications, authenticate users’ visits, provide custom, personalized content, and information, and track usage of our products and services;
- contact users about their account, and any relevant information about our products and services (e.g. policy changes, security updates or issues, etc.);
- enforce our Terms of Service and other agreements;
- monitor, detect, investigate and prevent prohibited or illegal behaviors on our products and services, to combat spam and other security risks;
- conduct analytics to improve and enhance our products and services;
- offer new products or services to users;
- implement online marketing campaigns and targeted advertising (subject to user’s cookie settings and preferences), and to measure the effectiveness of our marketing and targeted advertising;
- conduct surveys or polls, and obtain testimonials;
- process and deliver users’ results and reports; and
- perform research & development activities, which may include, for example, conducting data analysis and research in order to develop new or improve existing services, and perform quality control activities.
We process users’ Personal Information in this way to provide our products and services to the user in accordance with our Terms of Service. Our legal basis for processing users’ information is to perform our contract with them or a third-party to which users have given consent, and our legitimate interests (to deliver and improve our products and services).
To process, analyze and deliver user’s results and reports
As described above, to receive results and reports, users must create an account and upload user digital Genetic Data or consent to a third party to provide user Identity and Genetic Data by using gSaaSTM API. Once we receive user data, we further analyze it to provide users or third party with our outputs. LifeNome continuously works to improve our products and services based on our research and product-service development, and genetic associations identified in scientific literature. If we are able to offer additional via websites, applications, gSaaSTM API outputs, or otherwise improve in the future, users will be notified of these changes.
We process user’s Personal Information in this way is to provide our products and services to users in accordance with our Terms of Serivce.
Our legal basis for processing user Personal Information for the purposes described above is based on user’s consent and to perform our contract with users or a third-party to which users have given consent. Users may withdraw their consent at any time, however, the withdrawal of user consent will not affect the lawfulness of processing based on consent before its withdrawal.
To allow users to share their Personal Information for LifeNome Research purposes
Users have the choice to participate in LifeNome research by providing your consent. “LifeNome Research” refers to research aimed at publication in peer-reviewed journals and other research, including that funded by the federal government (such as the National Institutes of Health – NIH) conducted by LifeNome. LifeNome Research may be sponsored by, conducted on behalf of, or in collaboration with third-parties, such as non-profit foundations, academic institutions or pharmaceutical companies. LifeNome Research may study a specific group or population, identify potential areas or targets for therapeutics development, conduct or support the development of drugs, diagnostics or devices to diagnose, predict or treat medical or other health conditions, work with public, private and/or non-profit entities on genetic research initiatives, or otherwise create, commercialize, and apply this new knowledge to improve health care. LifeNome Research uses users’ aggregated or individual-level genetic information and self-reported information as specified in the consent document, as explained in greater detail below.
Consent process for research: Users’ genetic and self-reported information may be used for LifeNome Research only if users have consented to this use by completing a consent document. If users have completed a consent document:
- LifeNome may use individual-level genetic information and self-reported information internally at LifeNome for research purposes. If users have completed the individual level data sharing consent, LifeNome and select third-party research partners may use individual-level genetic information and self-reported information for research purposes.
- When the user’s genetic information and/or self-reported information is being used for research purposes, it will not be linked to the user’s registration information.
Withdrawing User Consent: Users may withdraw your consent to participate in research at any time by emailing firstname.lastname@example.org.
LifeNome will not include users’ genetic information or self-reported information in new research occurring after 30 days from the receipt of a user request. Any research involving user data that has already been performed or published prior to our receipt of user request will not be reversed, undone, or withdrawn. If users withdraw their consent for research users’ genetic information and self-reported information may still be used by us and shared with our third-party service providers to provide and improve our products and services and shared as aggregate information that does not identify users as an individual.
Our legal basis for processing user’s Sensitive Information for the purpose described above is based on user consent. Users may withdraw their consent at any time, however, the withdrawal of user consent will not affect the lawfulness of processing based on consent before its withdrawal. If users do not complete a consent document with LifeNome, their identifiable, individual-level personal information will not be used for LifeNome Research.
To recruit users for external research
Academic institutions, healthcare organizations, and other groups are always conducting interesting new research projects. We want to make users aware of these opportunities. While we do not share individual-level genetic information or self-reported information with third-parties without user consent, from time to time we may inform a user of third-party research opportunities for which users may be eligible. For example, if a university tells us about a new cancer research project, we may send an email to LifeNome members who potentially fit the relevant eligibility criteria based on their self-reported information to make them aware of the research project and provide a link to participate with the research organization conducting the study. We will not share Individual-level Genetic Information or Self-Reported Information with any third party without user consent. Also, if user does not wish to receive these alerts, users can request to no longer receive notifications by emailing email@example.com.
Our legal basis for processing user’s Sensitive Information for the purpose described above is based on user consent. Users may withdraw their consent at any time, however, the withdrawal of their consent will not affect the lawfulness of processing based on consent before its withdrawal.
To provide users with customer support
When users contact Customer Support, we may use or request Personal Information and/or Sensitive Information as necessary to answer user questions, resolve disputes, or troubleshoot problems. Our legal basis for processing Personal Information for the purposes described above depends on the nature of the customer support request. Our legal basis can be based on consent, to satisfy our contractual or legal obligations and/or based on our legitimate interest to improve our Services.
Our legal basis for processing user Personal Information for the purpose described above is based on our legitimate interest to develop our business.
7. INFORMATION WE MAY SHARE WITH THIRD-PARTIES
When users order our Services through a third-party company and provide them consent to share user Personal Information (including Genetic Data and other Sensitive Information) with us, we share user’s results with the third-party so they can deliver their products to the user.
General Service Providers
We share the information described above with our third-party service providers, as necessary to provide their services to us and help us provide our service to the user. Service providers are third-parties (other companies or individuals) that help us to provide, analyze and improve our Services. For example, we may order DNA kits from GenebyGene (FamilyTreeDNA) or other lab partners for purposes of them generating user genetic information.
We may share de-identified, aggregate information, which is information that has been stripped of username and contact information and combined with information of others so that users cannot reasonably be identified as an individual, with third-parties. This information is different from “individual-level” information and is not personal information because it does not identify any particular individual or disclose any particular individual’s data. For example, aggregate information may include a statement that “20% of our male users share a particular genetic trait,” without providing any data or testing results specific to any individual user. In contrast, Individual-level Genetic Information or Self-Reported Information consists of data about a single individual’s genotypes, diseases or other traits/characteristics information and could reveal whether a specific user has a particular genetic trait or consist of all of the Genetic Information about that user. LifeNome will ask for users’ consent to share Individual-level Genetic Information or Self-Reported Information with any third party, other than our service providers as necessary for us to provide the Services to users.
Information We Share With Commonly Owned Entities
Disclosures Required By Law
NOTE: If users are participating in LifeNome Research, LifeNome will withhold disclosure of user personal information involved in such research in response to judicial or other government subpoenas, warrants or orders in accordance with any applicable Certificate of Confidentiality that LifeNome has obtained from the National Institutes of Health (NIH). There are limits to what the Certificate of Confidentiality covers so please visit the Certificates of Confidentiality Kiosk (http://grants.nih.gov/grants/policy/coc/index.htm).
8. USER CHOICES
Access to own account
At LifeNome, users control their data and profile and can access, correct, delete, or update their data and profile at any time. Users may also modify and delete their entire user account and profile, which will erase their raw genetic data from our databases.
Please note that users may not be able to delete user content that has been shared with others through the products and services and that users may not be able to delete information that has been shared with third-parties. Users can request access to all of the user’s personally identifiable information, and ask questions about our privacy practices by sending an email to LifeNome’s Privacy Administrator at firstname.lastname@example.org, or send a letter to:
1460 Broadway, 6th Floor
New York, NY 10036
United States of America
Information users choose to share with others
In general, Personal Information once shared or disclosed, can be difficult to contain or retrieve. LifeNome will have no responsibility or liability for any consequences that may result because users have released or shared Personal Information with others. Likewise, if user have access to the Personal Information of a LifeNome customer through a multi-profile account, we urge them to recognize your responsibility to protect the privacy of each person within that account. Users with multi-profile accounts (e.g., where family member accounts are linked) should use caution in setting profile-level privacy settings.
If users no longer wish to participate in our Services or no longer wish to have their personal information be used, users may delete their profile and or email customer care at email@example.com. This will erase user raw genetic data from LifeNome’s databases. LifeNome will not thereafter share any personally identifiable genetic information with any third-party entities. LifeNome may use user genotype and phenotype data as part of an aggregate and anonymous research analysis to improve its genomics algorithm.
Your California privacy rights
If you are a California resident, California law provides you with the following rights with respect to your Personal Information, subject to certain exceptions:
- The right to know what Personal Information we have collected, used, disclosed and sold about you. To submit a request to know, send an email to LifeNome’s Privacy Administrator at firstname.lastname@example.org, or send a letter to:
1460 Broadway, 6th Floor
New York, NY 10036
United States of America
You also may designate an authorized agent to make a request for access on your behalf.
- The right to request that we delete any Personal Information we have collected about you. To submit a request for deletion, send an email to LifeNome’s Privacy Administrator at email@example.com, or send a letter to:
1460 Broadway, 6th Floor
New York, NY 10036
United States of America
You also may designate an authorized agent to make a request for deletion on your behalf.
When you exercise these rights and submit a request to us, we will verify your identity by asking you for your email address, and/or information about your account with LifeNome. We also may use a third-party verification provider to verify your identity. LifeNome will endeavor to honor client’s requests unless such a request conflicts with certain lawful exemptions under the California Consumer Privacy Act of 2018. Please note that LifeNome is only required to honor such requests twice in a 12-month period.
Your exercise of these rights will have no adverse effect on the price and quality of our goods or services.
9. PROTECTING USER DATA
LifeNome takes the security of data seriously. We use state of the art security measures and encryption technologies to safeguard user’s personal information. Users will be responsible for safeguarding login information and should not share authentication information with any third party. Please notify us of any unauthorized use of user password. LifeNome cannot secure personal information that users release on their own or that users request us to release.
- De-identification/Pseudonymization. Registration Information is stripped from Sensitive Information, including Genetic and Self-Reported Information. This data is then assigned a randomly generated ID so an individual cannot reasonably be identified.
- Security Measures. We use industry standard security measures to encrypt Sensitive Information both at rest and in transit.
- Separation of Environments. We ensure processing, production, and research environments are separated and access is restricted. Information is de-identified using randomly assigned IDs. Categories of data, including Registration Information, Genetic Information, and Self-Reported Information are segmented across logical database systems to further prevent re-identifiability.
- Limiting access to essential personnel. We limit access to Personal Information to authorized personnel, based on job function and role. Our access controls include multi-factor authentication, single sign-on, and strict least-privileged authorization policy.
- Detecting threats and managing vulnerabilities. We use state of the art intrusion detection and prevention measures to stop any potential attacks against our networks. We have integrated continuous vulnerability scanning in our processes and regularly engage third-party security experts to conduct penetration tests.
- Incident Management. We maintain a formal incident management program designed to ensure the secure, continuous delivery of our Services. We have implemented an incident management program using industry best practices, including guidance from the National Institute of Standards and Technology (NIST).
- Managing third-party service providers. We require service providers to implement and maintain accepted industry standard administrative, physical and technical safeguards to protect Personal Information.
Users should recognize that protecting user Personal Information is also their responsibility. We ask users to be responsible for safeguarding their password, and other authentication information they use to access our products and services. Users should not disclose their authentication information to any third party and should immediately notify us of any unauthorized use of their password. We cannot secure Personal Information that users release on their own or that users request us to release.
User information collected through the products and services may be stored and processed in the United States of America or any other country in which LifeNome or its subsidiaries, affiliates or service providers maintain facilities and, therefore, user information may be subject to the laws of those other jurisdictions which may be different from the laws of user’s country of residence.
User data is stored in Google Clouds. We cannot control whether the cloud will be in a European Economic Area (EEA) territory or not and therefore whether data will be transferred out of the EEA or any other jurisdiction.
LifeNome is committed to protecting the privacy of children as well as adults. Neither LifeNome nor any of its Services are designed for, intended to attract, or directed toward children under the age of 18. A parent or guardian, however, may collect a DNA sample from, create an account for, and provide information related to, his or her child. The parent or guardian assumes full responsibility for ensuring that the information that he/she provides to LifeNome about his or her child is kept secure and that the information submitted is accurate.
This website’s, application or gSaaSTM API outputs may include links to third-party websites, plug-ins, and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about users. We do not control these third-party websites and are not responsible for their privacy statements. When users leave our website, we encourage them to read the privacy notice of every website they visit.
10. USERS’ LEGAL RIGHTS
Users have the right to:
- Request access to their personal data (commonly known as a “data subject access request”). This enables users to receive a copy of the personal data we hold about the user and to check that we are lawfully processing it.
- Request correction of the personal data that we hold about the user. This enables the user to have any incomplete or inaccurate data we hold about the user is corrected, though we may need to verify the accuracy of the new data provided to us.
- Request erasure of personal data. This enables users to ask us to delete or remove personal data where there is no good reason for us continuing to process it. Users also have the right to ask us to delete or remove their personal data where users have successfully exercised their right to object to processing (see below), where we may have processed information unlawfully or where we are required to erase personal data to comply with local law. Note, however, that we may not always be able to comply with user request of erasure for specific legal reasons of which users will be notified, if applicable, at the time of their request.
- Object to processing of user personal data where we are relying on a legitimate interest (or those of a third party) and there is something about a user’s particular situation which makes the user want to object to processing on this ground as they feel it impacts on their fundamental rights and freedoms. Users also have the right to object where we are processing their personal data for direct marketing purposes.
- Request restriction of processing of user’s personal data. This enables users to ask us to suspend the processing of their personal data in the following scenarios: (A) if users want us to establish the data’s accuracy; (B) where our use of the data is unlawful but users do not want us to erase it; (C) where users need us to hold the data even if we no longer require it as users need it to establish, exercise or defend legal claims; or (D) users have objected to our use of their data but we need to verify whether we have overriding legitimate grounds to use it.
- Request the transfer of user’s personal data to them or to a third party. We will provide users, or a third party they have chosen, their personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which they initially provided consent for us to use or where we used the information to perform a contract with them.
- Withdraw consent at any time where we are relying on consent to process user’s personal data. However, this will not affect the lawfulness of any processing carried out before the user withdraws consent. If user withdraws consent, we may not be able to provide certain products or services to the user.
- Automated individual decision-making, including profiling. Users have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects on them, except as allowed under applicable data protection laws. We do not use any profiling algorithms.
- Retention of Personal Information. Unless users make a request for us to delete their account or delete certain Personal Information we will store their Personal Information as long as the user account is open. If users request to delete their account, we will delete all of their Personal Information, unless a longer retention period is required or permitted by law.
No Fee Usually Required
Users will not have to pay a fee to access their personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if the request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with user requests in these circumstances.
What We May Need From Users
We may need to request specific information from users to help us confirm user identity and ensure their right to access their personal data (or to exercise any of the user’s other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact the user to ask you for further information in relation to their request to speed up our response.
Time Limit to Respond
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if the request is particularly complex or users have made a number of requests. In this case, we will notify users and keep them updated.
If users believe that we have infringed on their rights, we encourage them to contact us so that we can try to address their concerns or dispute informally. Please email LifeNome’s Privacy Administrator at firstname.lastname@example.org, or send a letter to:
1460 Broadway, 6th Floor
New York, NY 10036
United States of America
Users also have a right to lodge a complaint with the competent supervisory authority situated in a State of their habitual residence, place of work, or place of the alleged infringement.
Users from the EU can find the relevant supervisory authority name and contact details here:
1460 Broadway, 6th Floor
New York, NY 10036
United States of America