Privacy and legal

PRIVACY STATEMENT

Nadera Limited, with company registration No. 2835934 and registered office at the World Trust Tower in Hong Kong.

At Nadera Limited, we treat your Information with the importance it deserves. We are committed to protecting your Information, handling it responsibly and securing it with administrative, technical and physical measures and safeguards and only Processing it for the legitimate Purposes disclosed. All genetic and blood test results and any Personal Information are maintained under a strict policy of confidentiality. This Privacy Policy is applicable to all new and existing Users of our Services.

 

Nadera Limited is a Digital Preventative Health Technology Company, combining lab diagnostics and digital technology platforms to make cutting edge scientific information available.

 

We will be transparent with what Information we hold, collect and Process, and, to the extent possible, we will also give you control of the Information you provide us with.

 

Your information will only be used for the Purposes as described in this Privacy Policy and any additional Consent Document or agreement that we may enter with you.

 

To use any Nadera Limited Services, you must agree to this Privacy Policy. You may not use our Services if you do not accept this Privacy Policy as it forms part of the Nadera Limited Terms of Service.

 

KEY DEFINITIONS

Capitalised terms not defined in this Privacy Policy have the same meaning as those defined in the Terms of Service.

 

“Anonymised Information” – means any Information that we have anonymised in a manner to result in the Information no longer being able to identify you, whether directly or indirectly, and is therefore no longer Personal Information.

 

“Applicable Law” – means any law, by-law, ordinance, proclamation and/or statutory regulation which the Parties are required to observe by reason of this Privacy Policy and matters incidental thereto, including, but not limited to, the GDPR.

 

“Data Subject” means the person who is the subject of Personal Information.

“Data Protection Laws” – means, as binding on either party or the Services: the General Data Protection Regulation, Regulation (EU) 2016/679 and the UK General Data Protection Regulation (GDPR); the Data Protection Act 2018; any laws which implement any such laws; and any laws that replace, extend, re-enact, consolidate or amend any of the foregoing

 

“EEA” – means European Economic Area

 

“GDPR” – means the European Union’s General Data Protection Regulation, 2016/679.

 

“Processing”, “Process” and “Processed” – means any operation or set of operations which is performed on Information, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or

 

combination, restriction, erasure or destruction.

 

“Pseudonymised” – means replacing the identifying markers of your Information with artificial identifiers to reduce the association between the data subject and the Information during processing.

 

“Purpose” – means the purposes for which we Process Information.

 

“Sensitive Personal Information” – means Biomarker Information and any Personal Information about race or ethnicity, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health, sexual life, any actual or alleged criminal offences or penalties, national identification number, or any other information that may be deemed to be sensitive under Applicable Law.

 

“Terms of Service” – means the specific terms that apply to our relationship when we provide you with Services.

 

“Controller” means a person who (either along or jointly or in common with other persons) determines the Purpose for which and the manner in which any Information is, or are to be Processed.

 

“Processor” means in relation to personal data, any person or organisation (other than an employee of the Controller) who Processes the data on behalf of the Controller.

 

INFORMATION WE COLLECT

Nadera Limited does not provide direct to consumer Services directly to anyone under the age of 18 (eighteen) years old or as otherwise provided by the rules of Applicable Law, and therefore does not knowingly collect information for such Data Subjects as detailed in the ‘PREREQUISITES’ section of the TOS.

 

Nadera Limited will act as a Controller for your Personal Information and may be collected from the following sources:

 

from you, the User, directly;

through your use of Our Site or Services;

from any public sources where you have chosen to make your Information public, such as social media platforms;

from content and advertising third parties with whom you have interacted on our Site; and

from third parties who lawfully provide it to us.

Nadera Limited collects the following categories and types of Information:

 

Registration Information – when your account is set up, you will be asked to provide certain Personal Information, including your name, contact details and date of birth.

Payment Information – payment card details will be taken at point of sale to facilitate purchases. Card details are not stored by Nadera Limited and are managed by our third-party card processing provider.

Genetic or Biomarker Information– Personal Information generated through the analysis of your saliva or blood test.

Self-Reported Information – Personal Information, including medical conditions, sports-related information, ethnicity or family history that you voluntarily share in surveys, forms or features while entering Our Site may be collected by us. Self-Reported Information may be converted into Anonymised Information and used in approved Nadera Limited Research which is subject to separate consent.

Web behaviour Information – we may collect Information on how Users make use of Our Site, Nadera Limited backend portals or Nadera Limited software solutions. This Information is collected through log files, cookies, and web beacon-, analytical- and advertising technologies. You can find more information at https://www.dna37.com/legals/cookies.asp

Device and IP locations collected will determine the regional version of Our Site to be displayed relevant to the country from which you are accessing Our Site. You can manage your location settings from your device or computer but please note if these are switched off, the default version of Our Site (United Kingdom version) will be displayed.

 

HOW INFORMATION IS USED

 

TO PROVIDE YOU WITH SERVICES:

 

We will process your Information to provide you with our Services, creating your account, dispatching your kit, processing your payment, analysing your Biological Sample and providing your Nadera Limited results.

 

PROCESSING OF YOUR SENSITIVE PERSONAL INFORMATION:

 

We will only Process your Sensitive Personal Information with your prior, written and express consent in order to provide you with the Services in terms of the agreement entered with you.

 

On receipt at the returns centre, your sample will be validated against your online activation to ensure we have your consent before any laboratory processing begins. Samples returned without activation will be securely held at the returns centre until activation is successful, or for no longer than 3 months when the sample will be securely destroyed.

 

At the lab, Blood samples are securely destroyed as soon as the analysis is complete due to the limited life of the sample quality. Saliva samples may be retained for a maximum of 4 weeks should any necessity arise to re-analyse during that time, after which the sample is then securely destroyed.

 

Sensitive Personal Information processed by our lab and further stored on the Nadera Limited database is maintained in a Pseudonymised format.

 

MARKETING AND ADVERTISING:

 

From time to time we may send you communications, across our brands, within the Nadera Limited group, about new services available to you, discounts, events, invite you to participate in relevant Nadera Limited Research or obtain testimonials for promotional purposes.

 

We may also direct advertising to you via third party sites including social media. We will only send marketing material to you in accordance with this Privacy Policy, where we have a legitimate interest to do so, where you have opted-in to such communications or as determined by your web browser/cookie settings. You may change your marketing preferences at any time via your account settings.

 

RESEARCH AND DEVELOPMENT:

 

We may Process your Information if you have provided prior, express and voluntary consent for your Biomarker Information and Self-Reported Information to be used in any Nadera Limited product developent and R&D. This Processing may include sharing your Information with contracted suppliers for Purposes of Nadera Limited Research and R&D only. We assure you that your information is not sold to any third parties for any other purposes.

 

For any Nadera Limited Research you will be contacted beforehand to opt in as a participant for any studies we hope to perform. We will obtain your consent before authorising any scientific publications that includes your Information, even if only Anonymised Information, and for any such scientific publication, this will be subject to full IRB (Institutional Review Board) approval.

 

IMPROVING OUR PRODUCTS OR SERVICES:

 

We collect Information when you send, receive, or engage in messaging with Nadera Limited . We do this to delegate your inquiries to the correct department.  We may use your Personal Information to investigate, respond to and resolve complaints and Service issues.

 

If you interact with Nadera Limited via telephone, your call may be recorded for training and monitoring purposes.

 

We also use analytics to determine ongoing service and resource needs and perform quality control checks to maintain best standards of practice.

 

INFORMATION DISCLOSURE

Except as otherwise stated in this Privacy Policy, Terms of Service or Consent Document we will never share your Information with a third party without getting your consent to do so, unless we are required by law. If we are legally required to disclose any Information, we will make reasonable efforts to notify you unless we are legally prohibited from doing so.

 

We will only share your Personal Information with those categories of third parties listed below and under these circumstances or as detailed in the Consent Document:

 

Current or future Nadera Limited global entities. As Nadera Limited grows, restructuring may take place and it may be appropriate for more than one entity to control and process Information. This Privacy Policy will apply to all Nadera Limited entities unless otherwise stated;

Contracted consultants, suppliers and partners used to undertake fundamental activities to enable us to provide our services, enhance the User experience; and to effectively operate and manage our organisation;

Card processing service providers;

Companies that do services to get your purchases to you, such as payment service providers, warehouses, order packers and delivery companies.

Research contractors where you have given consent to participate in Nadera Limited Research and R&D. Research contractors will only be granted access to your Genetic Information and Self-Reported Information through online channels and at Nadera Limited’s offices for approved scientific research purposes. Research contractors will be screened and will be subject to the rules established by Nadera Limited, any Information sharing agreements that we may implement, this Privacy Policy and the Consent Document;

Where we are required by Applicable Law and by the appropriate authorities to do so; or

With anyone else as provided for in terms of your explicit prior consent to do so.

Any Processors or other third-party service providers will be required to contractually comply with the principles and objectives of any Nadera Limited policies, including this Privacy Policy, as well as the requirements of the EU GDPR, the UK GDPR and DPA 2018  and other Applicable Law and will be required to sign a data processing agreement to confirm that Information will not be collected, used, shared, stored or otherwise for any Purpose other than those instructed by Nadera Limited .

 

SELF-DIRECTED SHARING AND DISCLOSURE:

 

We may provide you with the ability to engage with other Users and share your Information through Our Site and social media channels.

 

You may choose which Information to share in this manner and may include your Sensitive Personal Information, such as your Genetic Information. Sharing Information in terms of this clause is voluntary and you control what you share. Please do not post any Information that you do not want publicly accessible.

 

INFORMATION DISCLOSURE AS REQUIRED BY LAW:

 

Under some circumstances, we may need to disclose certain information when required by law, subpoena, or other legal process or if we believe that disclosure is reasonably necessary.

 

These details that we may share in terms of this clause may include your Sensitive Personal Information. You understand and accept that Nadera Limited will only share these details if we are compelled by law to do so, or in good faith believe that such disclosure is necessary in such cases, but this disclosure is not limited to:

 

Investigation, prevention or action regarding suspected or actual illegal activities or to assist government enforcement agencies;

Enforce the Nadera Limited Terms of Service;

Respond to claims or allegations made by third parties against Nadera Limited ; or

Protect the rights, property or Nadera Limited ’s safety and the public.

Unless prohibited by law or court order, and where time permits, we will let you know when we must share any Information in terms of this clause. We will verify demands as genuine and challenge demands if we feel the request is not appropriate.

 

CROSS-BORDER TRANSFERS OF INFORMATION:

 

We make Our Site and Services available to Users globally and similarly, make use of service providers in jurisdictions outside the EEA. Therefore, your Information may be transferred outside the EEA to Processors for various Processing Purposes.

 

Where we transfer Information to countries outside the EEA, the Processors who Process the Information will be required to enter into a data processing agreement setting out how they may Process the Information and further requiring them to comply with the GDPR and DPA 2018 as well as other relevant Applicable Laws to protect your individual rights. We require all Processors to have appropriate technical and security safeguards and measures to protect that Information.

 

PROCESSING INFORMATION

Providing Personal Information other than Registration Information is voluntary. You can access and control your Personal Information through your app.dna37.com account profile, set your browser settings to determine how we track your web behaviour and opt-out of direct marketing.

 

 

YOUR RIGHTS:

 

Subject to Applicable Law, you may have certain rights regarding the Processing of your Information, including:

 

the right not to provide your Information to us (exercising this right may result in us not being able to provide you with the full benefits of Our Site and/or Services);

objecting to the Processing of your Information;

requesting access to, or copies of, your Information, along with information about the nature, Processing and disclosure of your Information;

requesting that your Information be corrected and/or updated;

requesting erasure of or restriction of Processing of your Information (this right may be limited on certain legal grounds as discussed in this Privacy Policy);

the right to have your Information transferred to another Controller, to the extent applicable;

withdrawing consent that was given to us for Processing your Information (exercising this right does not affect the lawfulness of any Processing performed prior to the date on which we receive notice of such withdrawal, and does not prevent the Processing of your Information based on any other available legal bases); and

the right to lodge complaints with a Protection Authority regarding the Processing of your Information by us or on our behalf.

To exercise one or more of the rights described in this Privacy Policy, or to ask a question about these rights or any other provision of this Policy, or about our Processing of your Personal Information, please contact compliance@DNA37.com.

 

NOTE:  Before we can give effect to these rights, we will contact you to verify your identity and discuss your needs fully before completing your request within 30 (thirty) calendar days from the date of our validation process. Any request to access your Information might be limited and/or subject to a reasonable fee in terms of Applicable Law where the request is manifestly unfounded or excessive.

 

RETENTION OF INFORMATION:

 

Upon closure all Information will be deleted from your account and the Nadera Limited database with the following exceptions:

 

Genetic or Biomarker Information and/or Self-Reported Information for which you have provided explicit consent to use in Nadera Limited Research and/or R&D will not be removed from ongoing or completed studies that use such Information unless you expressly revoke your consent in respect of such Information being used for those Purposes. We will however inform any recipient of your Information for Nadera Limited Research or R&D that you have closed your account and not use the Information in any new Nadera Limited Research and/or R&D after your account is closed. We will keep a record of any Processors that will retain your information for this Purpose;

Electronic Consent Documents (e.g. scanned paper forms or online consent history) will be retained indefinitely under strict access control on our database to maintain the record that DNA testing was completed with your permission. Paper Consent Documents will be securely destroyed 5 years from the date of account closure;

Any Information required to meet legal or regulatory obligations in terms of Applicable Law as necessary.

All Processors will be instructed to delete any Personal Information stored by them with the exceptions as mentioned above.

 

OTHER

SECURITY

 

While we cannot guarantee that unauthorised access, disclosure, misuse or loss of Information will never occur, Nadera Limited is certified to ISO/IEC 27001:2013 Information Security Management System Standard and frequently reviews and implements physical, technical, and administrative measures to prevent information security incidents and to maintain the confidentiality, integrity and availability of information.

 

All connections to Our Site and our mobile applications are encrypted using Secure Socket Layer (SSL) technology and internal systems protected with anti-virus software.

 

Only authorised personnel of Nadera Limited and contracted third parties have access to Information that is necessary for them to perform their jobs or services.

 

You must keep your account credentials secure and not share them with anyone. Your password for your account will be used only for online login. We will not ask for your password under any other circumstances. Inform Nadera Limited immediately of any unauthorised use of your account. Should you wish to reset or change your password, you can do so by clicking on the relevant links on Our Site.

 

Sharing Self-Reported Information through surveys, or other features on Our Site, is voluntary and done at your sole risk. Nadera Limited cannot take responsibility for Information that you release or that you request us to release publicly.

 

In the event of a security incident, Nadera Limited ‘s internal procedures and those prescribed by the GDPR and DPA 2018 will be followed. You will be notified of any material impacts or direct consequences to you as a User without undue delay

 

BUSINESS TRANSITIONS

 

If Nadera Limited or an entity of Nadera Limited is bought, sold, transferred, spun-out or merged with another entity, you will be given notice and your Information will be transferred to such entity, along with the other assets of Nadera Limited. In this case, your Information would remain subject to this Privacy Policy until such a time as a replacement privacy policy is issued. If you do not agree to any new policies and terms published or to the transfer of your Information in terms of this clause, you have the right to terminate your relationship with us, close your account and request that your Information be deleted (in so far as your right to deletion is not limited).

 

PRIVACY POLICY CHANGES:

 

This Privacy Policy may be amended from time to time as necessary and/or required by Applicable Law. Any material changes to the Privacy Policy will be notified either via Our Site or Services, by notice posted to User accounts or by email to existing Users if appropriate.

 

If you do not agree to any changes, you may request to discontinue your use of the Nadera Limited Services and Our Site.

 

Previous versions of this Privacy Policy are available on request by emailing compliance@dna37.com.

 

IMPORTANT CONTACTS

 

If you have questions regarding how Nadera Limited handles your Information, or to request access or deletion of your Information held by Nadera Limited, please email our Data Protection Officer at compliance@DNA37.com.

 

If you are dissatisfied with how Nadera Limited handles your information or would like to provide any other feedback relating to your experience with us, then please contact complaints@dna37.com

 

In terms of Applicable Laws, you have the right to lodge a complaint about how we handle your Information with your relevant regulatory authority in terms of the applicable law that applies to you.