Privacy Policy
Privacy Policy for Gentastic Web App
Gentastic GmbH (hereinafter also referred to as “we,” “us,” or “Gentastic”) is responsible for this web app (hereinafter also referred to as “website”) within the meaning of the General Data Protection Regulation (GDPR).
The responsible handling of personal data is a high priority for us. It is very important to us that you feel secure when visiting our websites. We process your data exclusively on the basis of legal and contractual provisions and in accordance with the GDPR and the Austrian Data Protection Act in its current version. Please read this privacy policy carefully.
Automated decision-making, including profiling, does not take place. Should we process your personal data for a purpose other than that for which we collected it, we will inform you of this fact.
All non-specific gender references in this privacy policy and on the websites are based on the unisex principle and therefore apply equally to all genders.
General information
Responsible party pursuant to Art. 4 (7) GDPR:
Gentastic GmbH
St. Jakoberstrasse 1
9020 Klagenfurt
Austria
Tel.: +43 (0) 463 20 31 11 30
Email: support@gentastic.io
If you have any questions regarding the processing of your personal data and the exercise of your rights, please contact our data protection officer.
Data protection officer:
MMag. Christina Toth, MSc
Laudongasse 12/2
1080 Vienna
Austria
Tel.: +43 (0) 1 994 66 13
Email: office@christinatoth.at
Data processing when visiting our web app
The Gentastic web app collects a range of general data and information each time it is accessed by a data subject or an automated system. This includes:
The browser types and versions used, the operating system used by the accessing system, the website from which an accessing system reaches our websites (so-called referrers), the subwebsites that are accessed via an accessing system on our web pages, the date and time of access to the web pages, a web log address (IP address), the Internet service provider of the accessing system, and other similar data and information that serve to protect against attacks on our IT systems.
When using this general data and information, Gentastic does not draw any conclusions about the person concerned. Rather, this information is required to deliver the content of our web app correctly, to optimize the content of our web app and the advertising for it, and to ensure the long-term functionality of our IT systems and the technology of our web app.
In order to use some of the services of our web app, it is necessary to grant us certain permissions via your device (e.g., smartphone) (in particular access to the camera, location, storage, or the receipt of push notifications). By granting us the appropriate permission via your device, you thereby grant us your consent (Art. 6 para. 1 lit. a GDPR) to process this data.
Google Firebase
This web app uses Google Firebase technology from Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Firebase”).
We use the mobile applications of the Google Firebase services “Firebase Authentication,” “Cloud Firestore,” and “Cloud Functions for Firebase” to process and store the personal data collected. Firebase Authentication is used when you use the mobile applications to generate a pseudonymous identifier for each mobile device. The pseudonymous identifier is used for ongoing secure communication between the mobile device with the mobile application and the Google Firebase services. Cloud Firestore is used to store the aforementioned personal data (including the pseudonymous identifier) that is collected when using the mobile application. The server location is in the European Union. Cloud Functions for Firebase are used to pre-process and post-process personal data.
Our website also uses Firebase Hosting. When you visit a page, your browser loads the necessary data, such as the HTML file, stylesheets for display, JavaScript for displaying elements and images, and displays them. For this purpose, the browser you are using must connect to the Firebase Hosting servers. This allows Google to know that our website has been accessed via your IP address. To ensure the secure operation of this website, Google records your IP address for a period of time defined by Google.
The storage is carried out to ensure the operation and to defend against threats to this website and constitutes a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR.
Firebase's data processing and security provisions can be found at:
firebase.google.com/terms/data-processing-terms.
Further information on Google's terms of use and privacy policy:
google.com/analytics/terms/en.html
or policies.google.com.
Data processing in connection with DNA test kits
Gentastic offers DNA test kits for DNA analysis via various distribution points and online shops. These are exclusively lifestyle analyses and not analyses for medical purposes.
After ordering the DNA test kit, the customer receives instructions on how to register for the web app and take the test. Registration in the web app is required in order to receive the results of the gene sequence analysis. After the analysis, the customer receives an email and the reports are available to them on the Reports subpage when they are logged in.
The self-tests carried out by Gentastic GmbH are processed for the purpose of fulfilling the contract (Art. 6 para. 1 lit b GDPR) and on the basis of your consent in accordance with Art. 6 para. 1 lit a GDPR in conjunction with Art. 9 para. 2 lit. a GDPR for the processing of sensitive data.
a. Data processing in connection with your user account
When you create a user account, the following master data is processed for the purpose of fulfilling the contract: first name, last name, date of birth, gender, social security number (optional), telephone number, address, and test ID.
b. Performance and evaluation of the self-test
If you purchase such a DNA test kit and perform a self-test, sensitive data will also be processed in order to provide you with our services. We extract your DNA from your DNA sample, process it, and perform a genetic analysis in order to provide you with the DNA analysis report. This data is stored in the laboratory and in the laboratory database. After evaluation, a medical test report is created, which you can access in your user account.
For the evaluation of the self-tests, special categories of personal data, such as health data and genetic data, are processed. This data is processed for the purpose of analyzing your swab sent by mail on the basis of your express consent in accordance with Art. 9 (2) lit. a GDPR. Your data will remain with us until you request its deletion, revoke your consent to its storage, or the purpose for data storage no longer applies. Mandatory legal provisions – in particular statutory retention periods – remain unaffected. We will destroy the DNA samples you have provided at your request. To request the destruction of the DNA samples, please contact us. You also have the option of deleting your DNA analysis from the web app at any time.
c. Cooperation with partners
Gentastic GmbH forwards the tests you have carried out to Gentastic (hereinafter also referred to as “laboratory”) for evaluation. In the event of a disease diagnosis, the test results are evaluated by a physician.
In the event of a notifiable disease (e.g., COVID-19), the laboratory is obliged to report test results to the competent health authorities (Art. 9 (2) (i) GDPR in conjunction with § 3 (1) EpiG and § 1 (3) of the Ordinance on Electronic Laboratory Reports in the register of notifiable diseases).
We also use cookies
We use cookies to make visiting our web app attractive and to enable the use of certain functions. Cookies are text files that are stored on your device and store certain information for exchange with our system.
Numerous cookies are technically necessary because certain website functions would not work without them. Other cookies may be used to evaluate user behavior or for advertising purposes.
Cookies that are used to carry out the electronic communication process, to provide certain functions you have requested (e.g., for the shopping cart function) or to optimize the website (necessary cookies) are stored on the basis of Art. 6 para. 1 lit. f GDPR, unless another legal basis is specified. The website operator has a legitimate interest in storing necessary cookies for the technically error-free and optimized provision of its services.
Cookies that are not strictly necessary to provide the services on this web app and that are necessary for the error-free operation of the application are only used after your consent (“cookie banner”).
You can set your browser so that you are informed about the setting of cookies and only allow cookies in individual cases, exclude the acceptance of cookies for certain cases (in particular third-party cookies) or generally, and activate the automatic deletion of cookies when closing the browser. If cookies are deactivated, the functionality of the web app may be limited. The legal basis for the processing of data for cookies that are necessary to enable the function of the web app or to transmit messages is our legitimate interest. Other cookies are processed on the basis of your consent and are only set after you have given your consent.
Data processing when contacting us
If you contact us by post, email, social media, or using the form provided, or if you send us an inquiry, the personal data you provide (first and last name, contact information, and other information you voluntarily disclose) will be processed by us.
We process your inquiry and manage your data within the scope of contractual or pre-contractual relationships in order to fulfill our pre-contractual and contractual obligations or to respond to inquiries on the basis of Art. 6 (1) lit. b GDPR.
Legal basis
The processing of your personal data that is necessary for the fulfillment of the contract or based on pre-contractual measures is carried out on the basis of Art. 6 (1) lit. b GDPR.
If processing is necessary for compliance with a legal obligation, it is carried out on the basis of Art. 6 para. 1 lit. c GDPR, for compliance with legal obligations and fulfillment of judicial and official orders.
If vital interests of a person require processing, Art. 6 para. 1 lit. d GDPR serves as the legal basis.
If processing is necessary to safeguard a legitimate interest of ours and these interests outweigh your interests, the processing is carried out on the basis of Art. 6 para. 1 lit. f GDPR.
If there is no other legal basis for processing, we process your personal data on the basis of your consent pursuant to Art. 6 (1) lit. a GDPR or Art. 9 (2) lit. a GDPR. Consent to data processing is voluntary and can be revoked at any time with future effect. In the event of express consent to the transfer of personal data to third countries, data processing shall also be carried out on the basis of Art. 49 (1) lit. a GDPR.
Note on data transfer to third countries
We use tools from companies based in the USA or other third countries, among others. When these tools are active, your personal data may be transferred to these third countries and processed there. We would like to point out that these countries cannot guarantee a level of data protection comparable to that of the EU.
Transfer of your personal data to third parties
We use third-party providers to fulfill our contracts and to process your personal data securely. We have ensured that they also guarantee the protection of your personal data in accordance with the GDPR and have agreed this in our contracts with them. We have concluded a separate data processing agreement with all our partners to ensure that your data is also processed by our cooperation partners in accordance with the applicable data protection regulations.
Storage period
We only store your personal data for as long as we reasonably deem necessary to fulfill the stated purposes and as permitted by applicable law.
Our general criterion is that we only store personal data for as long as is absolutely necessary for the provision of our services and products. This means that we delete personal data as soon as the reason for data processing no longer exists. In some cases, we are legally obliged to store certain data even after the original purpose has ceased to exist, for example for accounting purposes.
The master data in the user account will be stored until you delete your profile or revoke your consent to the processing of your data.
If you wish to have your data deleted or withdraw your consent to data processing, the data will be deleted as quickly as possible and insofar as there is no obligation to store it. The withdrawal of consent does not affect the lawfulness of the data processing carried out on the basis of the consent until the withdrawal.
Your rights in relation to your personal data
You have the right to obtain information about the data stored about you in accordance with Art. 15 GDPR, to have inaccurate data corrected in accordance with Art. 16 GDPR, to have inaccurate data corrected in accordance with Art. 17 GDPR, to have data deleted in accordance with Art. 18 GDPR, to restrict the processing of data in accordance with Art. 18 GDPR, to object to unreasonable data processing in accordance with Art. 21 GDPR, and to data portability in accordance with Art. 20 GDPR.
If you believe that the processing of your data violates data protection law or that your data protection rights have been violated in any other way, please contact our data protection officer first:
MMag. Christina Toth, MSc
Laudongasse 12/2
1080 Vienna
Austria
Tel.: +43 (0) 1 994 66 13
Email: office@christinatoth.at
We will process your request as soon as possible and get back to you within 30 days at the latest.
You also have the option of contacting the data protection authority:
Austrian Data Protection Authority
Barichgasse 40-42
1030 Vienna
Austria
Tel.: +43 (0) 1 52 15 2 – 0
Email: dsb@dsb.gv.at
SSL/TLS encryption
For security reasons and to protect the transmission of confidential content, such as orders or inquiries that you send to us as the website operator, this website uses SSL or TLS encryption. You can recognize an encrypted connection by the fact that the address line of your browser changes from “http://www.example.com” to “https://www.example.com” and by the lock symbol in your browser line. If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.
Children
Persons under the age of 14 should not transmit any personal data to us without the consent of their parents or legal guardians. If you as a parent believe that your child has transmitted data to us and we have collected data about your child, please contact us.
Changes to our privacy policy
From time to time, it may be necessary to change or supplement this privacy policy. We therefore recommend that you read this privacy policy at regular intervals. However, you can be assured that changes will not take effect retroactively and that we will not fundamentally change the way in which data collected in the past is used.
Privacy Policy for Genetic Analysis
Gentastic (hereinafter also referred to as “we,” “us,” or “Gentastic”) is the controller responsible for this web app (hereinafter also referred to as the “website”) within the meaning of the General Data Protection Regulation (GDPR).
The responsible handling of personal data is a high priority for us. It is very important to us that you feel secure when visiting our websites. We process your data exclusively on the basis of legal and contractual provisions and in accordance with the GDPR and the Austrian Data Protection Act in its current version. Please read this privacy policy carefully.
Automated decision-making, including profiling, does not take place. Should we process your personal data for a purpose other than that for which we collected it, we will inform you of this fact.
All non-specific gender references in this privacy policy and on the websites follow the unisex principle and therefore apply equally to all genders.
General information
Responsible party pursuant to Art. 4 (7) GDPR:
Gentastic GmbH
St. Jakoberstrasse 1
9020 Klagenfurt
Austria
Tel.: +43 (0) 463 20 31 11 30
Email: support@gentastic.io
If you have any questions regarding the processing of your personal data and the exercise of your rights in relation to data protection, please contact our data protection officer.
Data Protection Officer:
MMag. Christina Toth, MSc
Laudongasse 12/2
1080 Vienna
Austria
Tel.: +43 (0) 1 994 66 13
Email: office@christinatoth.at
Data processing in connection with DNA test kits
Gentastic offers DNA test kits for DNA analysis through various distribution points and online shops. These are exclusively lifestyle analyses and not analyses for medical purposes.
After ordering the DNA test kit, the customer receives instructions on how to register for the web app and take the test. Registration in the web app is required in order to receive the results of the gene sequence analysis. After the analysis, the customer receives an email and the reports are available to them on the Reports subpage when they are logged in.
The self-tests carried out by Gentastic GmbH are processed for the purpose of fulfilling the contract (Art. 6 para. 1 lit b GDPR) and based on your consent in accordance with Art. 6 para. 1 lit a GDPR in conjunction with Art. 9 para. 2 lit. a GDPR for the processing of sensitive data.
a. Data processing in connection with your user account
When creating a user account, the following master data about you is processed for the purpose of fulfilling the contract (Art. 6 para. 1 lit. f GDPR) and for processing the tests: first name, last name, date of birth, gender, email address, telephone number, address (street, house number, postal code, city, country).
The master data will be stored until you delete your profile or revoke your consent to the processing of your data.
b. Data processing in connection with the performance and evaluation of the DNA sample
When you purchase a DNA test kit and send us your DNA sample, your DNA information will be processed in order to provide you with our DNA services. DNA-related information is generated and stored when you use our DNA services. We extract your DNA from your DNA sample, process it, and perform a genetic analysis in order to provide you with the desired DNA analysis reports. This data is stored in the laboratory and in the laboratory database.
Special categories of personal data, such as genetic data, are processed for the purpose of performing DNA analysis. The processing of this data is carried out for the purpose of analyzing your sample sent by post on the basis of your express consent in accordance with Art. 9 (2) lit. a GDPR. Your data will remain with us until you request its deletion, revoke your consent to its storage, or the purpose for which it was collected no longer applies. Mandatory legal provisions – in particular statutory retention periods – remain unaffected. If you request, we will destroy the DNA samples you have provided. To request the destruction of the DNA samples, please contact us. You also have the option of deleting your DNA analysis from the web app at any time.
c. Data processing in connection with the ordering of personalized supplements
After you order a subscription for personalized supplements, we will send you a questionnaire. In it, we ask you to answer numerous questions about yourself and your lifestyle. Based on your answers and the analysis of your DNA, supplements tailored to your needs will be created.
The personal data obtained in this survey will only be processed for the purpose of fulfilling the contract and will not be passed on to third parties.
d. Cooperation with partners
The evaluation of the tests you have carried out is carried out by our own laboratory.
Apart from this, the DNA analysis reports are not passed on to third parties, but are only made available to you in your user account in the web app for retrieval.
Legal basis
The processing of your personal data that is necessary for the fulfillment of the contract or based on pre-contractual measures is carried out on the basis of Art. 6 para. 1 lit. b GDPR.
If processing is necessary for the fulfillment of a legal obligation, it is carried out on the basis of Art. 6 para. 1 lit. c GDPR, for compliance with legal obligations and fulfillment of judicial and official orders.
If vital interests of a person require processing, Art. 6 para. 1 lit. d GDPR serves as the legal basis.
If processing is necessary to safeguard a legitimate interest of ours and these interests outweigh the interests of the data subject, processing is carried out on the basis of Art. 6 para. 1 lit. f GDPR.
If there is no other legal basis for processing, we process your personal data on the basis of your consent pursuant to Art. 6 (1) lit. a GDPR or Art. 9 (2) lit. a GDPR. Consent to data processing is voluntary and can be revoked at any time with future effect. In the event of express consent to the transfer of personal data to third countries, data processing shall also be carried out on the basis of Art. 49 (1) lit. a GDPR.
Transfer of your personal data to third parties
We use third-party providers to fulfill the contract and to process your personal data securely. We have ensured that they also guarantee the protection of your personal data in accordance with the GDPR and have agreed this in a contract. We have concluded a separate data processing agreement with all partners, which ensures that your data is also processed by our cooperation partners in accordance with the applicable data protection regulations.
Use of data for research purposes
Gentastic is committed to further development in the field of medical research. For this purpose, your data may be used for research purposes. In doing so, we take the utmost care and take extensive organizational and technical measures to ensure that only the most necessary data is processed in a de-identifiable form. In the context of research work, neither your name nor any other identifiable information is processed together with your genetic data, so that no conclusions can be drawn about your person.
Storage period
We will only store your personal data for as long as we reasonably deem necessary to achieve the stated purposes and as permitted by applicable law. This means that we will delete personal data as soon as the reason for data processing no longer exists. In some cases, we are legally obliged to store certain data even after the original purpose has ceased to exist, for example for accounting purposes.
The master data in the user account will be stored until you delete your profile or revoke your consent to the processing of your data.
If you wish to have your data deleted or withdraw your consent to data processing, the data will be deleted as quickly as possible and insofar as there is no obligation to store it. The withdrawal of consent does not affect the lawfulness of the data processing based on the consent until the withdrawal.
Your rights in relation to your personal data
You have the right to obtain information about the data stored about you in accordance with Art. 15 GDPR, to have inaccurate data corrected in accordance with Art. 16 GDPR, to have inaccurate data corrected in accordance with Art. 17 GDPR, to have data deleted in accordance with Art. 18 GDPR, to restrict the processing of data in accordance with Art. 18 GDPR, to object to unreasonable data processing in accordance with Art. 21 GDPR, and to data portability in accordance with Art. 20 GDPR.
If you believe that the processing of your data violates data protection law or that your data protection rights have been violated in any other way, please contact our data protection officer first:
MMag. Christina Toth, MSc
Laudongasse 12/2
1080 Vienna
Austria
Tel.: +43 (0) 1 994 66 13
Email: office@christinatoth.at
We will process your request as soon as possible and get back to you within 30 days at the latest.
You also have the option of contacting the data protection authority:
Austrian Data Protection Authority
Barichgasse 40-42
1030 Vienna
Austria
Tel.: +43 (0) 1 52 15 2 – 0
Email: dsb@dsb.gv.at
Children
Persons under the age of 14 should not transmit any personal data to us without the consent of their parents or legal guardians. If you, as a parent, believe that your child has transmitted data to us and we have collected data about your child, please contact us.
Changes to our privacy policy
From time to time, it may be necessary to change or supplement this privacy policy. We therefore recommend that you read this privacy policy at regular intervals. However, you can be assured that changes will not take effect retroactively and that we will not fundamentally change the way in which previously collected data is used.