For the sake of your data security, please read the following rules. All terms “we”, “us” will refer to the administrator.
Administrator – also referred to as “Administrator of the data”, that is IMAGENE.ME with the registered office in Białystok, 20 Transportowa Street, 15-399 Białystok
Personal Data – any information that allows an individual to be identified, directly or indirectly, through one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity, including his or her name, surname, device IP, location data, Internet identifier (login), information collected through cookies and other similar technology.
Application – the IMAGENE.ME application in mobile and web form provided by IMAGENE.ME
User – every natural person using the IMAGENE.ME application and its functionalities.
RODO – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
2. Who is responsible for the processing of your personal data?
IMAGENE.ME is the controller of your personal data, which means that it is responsible for the processing of your personal data in connection with the installation and use of the IMAGENE.ME application on your phone or the use of the web application. Contact with the controller is possible by:
a) Directing correspondence to the address indicated in section 1.1,
b) Sending correspondence to the e-mail address: firstname.lastname@example.org
3. Where to obtain information on the processing of personal data?
If you would like more information on the processing of your personal data and on your rights, you can contact Katarzyna Wieczorkiewicz, our Data Protection Officer, at email@example.com.
4. On what principles do we process your personal data?
To enable you to use our application, it is necessary for you to provide us with a certain amount of personal data.
When installing the application on your phone or using the web application, it is necessary to create an account. When you register, we ask you to provide certain personal data that is necessary to create and operate your account. We process personal data:
a) in order to provide the service electronically in terms of registering you and making the application available to you – the legal basis is then the necessity of the processing for the performance of the contract (Article 6(1)(b) of the RODO) until you delete your account,
b) in order to provide personalized content about your lifestyle, based on data provided in the application and your answers to surveys (including in the areas of physical activity, diet and stress) – the legal basis is your voluntary consent (Article 6.1.a RODO, Article 9.2.a RODO), until its withdrawal, which does not affect the legality of the processing carried out before the withdrawal,
c) in order to enable the purchase of the Genetic Predisposition Report and to provide you with personalized guidance and recommendations based on the variants generated in the report – the legal basis is the necessity to perform the sales contract (Article 6(1)(b) of the RODO) for the period of performance of the contract and use of the application,
d) to comply with our legal obligations (Article 6(1)(c) of the RODO), in particular under accounting and tax law, to receive and process claims in accordance with consumer legislation and, when medical services are provided (e.g. DNA testing, teleconsultation, consultation with a specialist, discussing the results of your report and recommendations with the specialist), also for the purposes of medical diagnosis and preventive health care (Article 9(2)(h) of the RODO) for the period indicated by law in connection with the collection and storage of medical records,
e) in order to possibly establish, assert and defend against claims – the legal basis is then our legitimate interest (Article 6(1)(f) RODO) related to the defense of our rights and claims in connection with the service provided within the application, until the statute of limitations for claims, depending on the type of claim, where this period may be extended in the context of ongoing investigations until the expiration of new claim periods.
f) in order to carry out scientific research (Article 9(12)(j) RODO) on the basis of data generated within the application – if we use your personal data within the framework of ongoing research and medical diagnosis, then only to the minimum extent and using the principles of pseudonymization of personal data,
g) in order for us and our Partners to provide you with commercial and marketing information (e.g. offers, competitions, promotional campaigns) via electronic means with your consent (Article 6.1.a RODO) to this type of communication, until you withdraw your consent, which does not affect the legality of the processing performed before your consent was withdrawn.
When you install the application on your phone, we may also access information about your device (model, screen resolution, platform you are using, i.e. Android or iOS). If you choose to use fast login to the application, we may process information about your use of biometric authentication (fingerprint), but we do not gain access to your fingerprint and this data is stored on your device. The legal basis for processing such data is then your consent to this type of application login (Article 9(2)(a) of the RODO), which you can always change in the settings of your phone. If you use a web application, we process your IP address and information about which operating system and which browser you use.
5. Are you obliged to provide personal data?
The use of the web and mobile application, including ordering the DNA Testing Service and receiving the Genetic Predisposition Report is voluntary. Similarly, the related provision of personal data by the user using the application is voluntary, subject to two exceptions:
Statutory obligations of the Administrator – providing personal data is a statutory requirement resulting from universally binding legal regulations imposing an obligation to process personal data on the Administrator (e.g. when you order a Genetic Predisposition Report and we perform a DNA test, your data is processed in order to keep tax or accounting books, settlements in accordance with the binding legal regulations), and failure to provide such data will prevent the Administrator from fulfilling those obligations.
In cases where the provision of personal data to us is required, we try to clearly indicate in the application which data is necessary, and failure to provide it will prevent the use of the application. Where the provision of data is voluntary, we do not mark it as mandatory. When you register, we require you to provide information such as your name, surname, gender and date of birth so that we can create an account and enable you to use the app. When you fill out surveys about your lifestyle (e.g., physical activity, stress), we only collect this information if you have given your prior consent to profiling – only then can we provide you with personalized guidance. Without this consent, you will not be able to complete the survey and take full advantage of the application.
6. Who has access to your data?
We try to keep access to your personal information in the application to a minimum number of entities. When you use the Genetic Predisposition Report service, your personal data (your sample) will be disclosed to entities that provide laboratory services and perform genetic testing for us (including scientific and medical centers). For the provision of health services, the necessary data may be disclosed to entities and centers performing medical activities as defined by law, within the framework of contracts we have signed with these entities and facilities for the provision of health services.
With respect to proper delivery and billing of the service, the necessary data may be disclosed to payment intermediaries, banks, postal operators and couriers.
The necessary data will also be able to be disclosed to entities authorized to do so under applicable law, in particular to tax and audit authorities, as well as to entities with whom we cooperate under applicable cooperation agreements, where these agreements relate in particular to ICT support, HR and accounting services, data centers, as well as law firms, consulting and auditing companies, auditors and insurers.
We ensure that when transferring your personal data and communicating with you, we use appropriate technical, organizational and IT safeguards, including cryptographic techniques, which we develop and test, and we periodically perform a risk analysis to ensure that we make every effort to process your personal data in a secure manner.
7. Do we transfer data to third countries and outside the European Union?
Our app is available on all devices using Android (Google Play store) and iOS (App Store). When you use the application, we save the data on our own servers in data centers in Poland. We do not transfer personal data to third countries unless such transfer may be necessary. If such a transfer does take place, we will apply appropriate safeguards to ensure the necessary level of data protection at the recipient or in the recipient’s country prior to such transfer to a third country. Appropriate safeguards may include, in particular, the publication of a decision by the European Commission that a particular third country, territory or specific sector(s) within that country, or international organization, provides an adequate, appropriate level of protection – such transfers do not require specific authorization, and such decisions have been issued for Japan, New Zealand, Switzerland, Canada, Andorra and Israel, among others. In case the European Commission has not published such a decision, the transfer of data may be carried out with the application of appropriate safeguards, which may include, among others, the use of standard contractual clauses adopted by the European Commission or by the supervisory authority (if approved), and in case there are no appropriate safeguards, the so-called exceptions in specific situations are applied – then we will inform you about such a transfer, about possible risks of such a transfer and on what legal basis the transfer of such data is possible.
If you contact us, the personal data and correspondence collected in your case may be disclosed to third countries as part of cloud services we use – Google LLC California (USA) and Google Ireland Ltd in the European Union. The transfer of data to the USA is based on an agreement regarding the processing of personal data, which includes Standard Contractual Clauses approved by the European Commission.
8. Do we perform profiling? On what terms?
Full use of the application requires your consent to profiling. Based on your answers in the surveys, we try to provide you with personalized recommendations. If you do not provide your consent, we will not be able to provide you with personalized health and lifestyle tips or request status updates. When we perform the Genetic Predisposition Report service for you, profiling (including genomic profiling) is necessary in order to provide you with the service and then provide you with personalized health recommendations based on your variant. From time to time we will also want to provide you with a survey in order to make recommendations based on your genetic profile and other indicators in the application (physical activity, stress, diet). In your user profile, you can manage your consents and withdraw your consent to profiling at any time, and once withdrawn, you will not receive any more surveys or additional recommendations from us unless you re-consent to receive them. The process of providing you with personalized recommendations based on your survey responses and the data you upload to your account, including the results of your Genetic Predisposition Report, is a partially automated process. This means that our technology allows us to provide you with personalized guidance based on your answers (including the personal information you provide within the application) and the metrics generated. The results of this process may influence you and your possible decisions regarding your lifestyle, health, physical activity and self-assessment and possible consultations with specialists (doctors, nutritionists).
9. How long do we have access to your personal information?
In general, we have access to your personal data as long as you use our application and depending on the purpose of the processing for which the data was collected (see section 4 of this policy).
We process any information relating to your health and the provision of health care services in accordance with medical record retention laws. Where we have processed your data on the basis of your consent – until you withdraw it.
10. What rights do you have regarding the processing of your personal data?
You are entitled to:
10.1 Access to your personal data and obtaining a copy of it – if you request the exercise of this right, we will provide you with information about the categories of personal data processed, the purpose of processing, the categories of recipients to whom your personal data will be or have been disclosed, as far as possible the planned period of storage of personal data, and if this is not possible, the criteria for determining this period, your rights, information about automated decision-making, including profiling (we will inform you about the principles on which such decisions are made, their meaning for you and the expected consequences of such processing); if your data will be transferred to a third country, we will also inform you about this and the security mechanism used; a copy of your personal data will generally be transmitted electronically to an e-mail address verified by us, unless you specify another method of transmission and it is technically possible to transmit a copy of your data to you in this way;
10.2 Correcting your personal data – you have the right to request us to correct inaccurate data; for an easy and fast modification process, you can change your contact information in your profile settings;
10.3 Deletion of your data (“right to be forgotten”) – you have the right to ask us to delete your personal data immediately and we will delete your data if there is no legal reason to do so (e.g. the processing of your personal data is not necessary for the purposes of the processing);
10.4 Withdrawal of consent – you have the right to withdraw your consent (e.g. to profiling, receipt of marketing information) at any time without affecting the lawfulness of the processing carried out prior to withdrawal of consent; once consent is withdrawn, we will not process your personal data which you have previously provided to us with your consent;
10.5 Restriction of processing – you have this right when e.g. you question the correctness of your personal data (after receiving notification from you the processing of your data will be limited until the case is clarified), we no longer need your personal data but you need them to establish, assert or defend your claims, you object to the processing of your data in connection with our legitimate interest (until the case is clarified the processing of your data will be limited);
10.6 Data portability – you have the right to receive from us the personal data provided to us in a structured, customary machine-readable format where we process your personal data on the basis of consent or a contract; when exercising this right, you have the opportunity to decide whether to transfer the personal data directly to another controller (as far as technically feasible);
10.7 Objection – you have the right to object to the processing of your personal data where it is based on your particular circumstances and we are processing your personal data on the basis of our legitimate interests; this right also applies to profiling; where your data is used for direct marketing purposes, you also have the right to object;
10.8 Not being subject to profiling and automated decision-making – you have the right not to be subject to a decision that is based solely on automated processing, including profiling, and produces legal effects on you or similarly significantly affects you; the right does not apply if the decision is necessary for the performance of a contract to which you are a party or is based on your explicit consent – you do, however, have the right to express your own position and challenge that decision and the right to human intervention by the controller;
Notifications of the exercise of rights are accepted at firstname.lastname@example.org. In order to ensure that your request is handled properly, to adequately verify your identity and to determine what information you are requesting from us, we may send you a right exercise questionnaire or a feedback message asking you for more detailed information to allow us to handle your request in a timely and reliable manner. Each of your requests will be dealt with on an individual basis (one request – exercise of one right) and in relation to the applicable law. Your ability to exercise a particular right may depend on the legal basis on which we process your personal data, e.g. whether the processing is not our legal obligation or is necessary for the performance of a contract.
Requests will be processed without undue delay, within a maximum of one month of receipt. However, it is possible that due to, for example, the complex nature of the request or the number of requests, we will not be able to meet this deadline. In such situations, we will contact you and inform you of such delay, the reasons for it and the expected completion date, which should not exceed another two months. If we do not act on your request, we will also inform you of this and indicate the reasons why we have not acted on your request together with your right to lodge a complaint with the supervisory authority.
10.9 Lodging a complaint to the supervisory authority – if you have reasonable doubt as to the legality of our processing of your personal data, your personal data has been breached or if we have been unable to take action on your request to enforce a right, you have the right to lodge a complaint with the supervisory authority dealing with personal data protection in the given country of service provision. In Poland such authority is the President of the Office for Personal Data Protection (ul. Stawki 2, 00-193 Warsaw).
11. Do we collect cookies? On what principles?
By cookies we mean computer data, in particular text files, stored in the users’ terminal equipment and intended for use on the websites. These files allow us to recognize the device from which you use the application and appropriately display the website (within the application) tailored to your individual preferences and increase the comfort of using the application. Cookies usually contain the name of the website they come from, the time they are stored on your terminal device and a unique number. On the other hand, “similar technologies” are technologies (e.g. local storage) that can be used for the same purposes as cookies. They are also used to create anonymous, aggregated statistics that help to understand how the user uses websites, which allows to improve their structure and content, excluding personal identification of the user. We are the entity that places cookies on your end device and accesses them. With the help of cookies we try not to store any personal data that could uniquely identify you.
Below we have compiled for you the most important information for our services using cookies and similar technologies:
Type – Brief characteristics
Session cookies – installed on a device for the duration of a session and deleted when the browser is closed,
Persistent cookies – not deleted when the browser is closed; they remain on the device for a certain period (depending on the browser),
First-party cookies – placed by us to enable the proper functioning of the site, ensure proper functionality (e.g. appropriate display of pages, bookmarks), configuration, verification of authenticity and reliability of the service,
Third-party cookies – we may use external tools provided by third parties, in particular for statistical purposes (e.g. as part of our use of Google Analytics, especially when using the web application).
The cookies installed do not cause any configuration changes on your device. If you want to learn more about how cookies work, we encourage you to visit sites such as:
12. Can you manage your cookies? How?
Acceptance of cookies is set by default in most web browsers, but you can always change the settings and determine the conditions for storing and accessing your data so that cookies are blocked or you are informed that they are being sent to your device. You can change your settings at any time by configuring your browser settings accordingly. You can use the instructions below:
Internet Explorer: https://support.microsoft.com/pl-pl/help/17442/windows-internetexplorer-delete-manage-cookies
Microsoft Edge: https://support.microsoft.com/pl-pl/help/4027947/microsoft-edge-delete-cookies
Mozilla Firefox: http://support.mozilla.org/pl/kb/ciasteczka
Google Chrome: http://support.google.com/chrome/bin/answer.py?hl=pl&answer=95647
13.2 Changes in consents. In case of a material change to the content of consents, the system will inform you about it in an appropriate message. If you do not accept the content of the consent in the new version, it does not affect the consent given for the previous version. The complete withdrawal of consent (for all previous versions) is possible by e-mail notification in accordance with Section 10. You can always contact us in this regard.
Detailed information regarding the service provided for the management of your account can be found in the Terms of Service provided by IMAGENE.ME