Rechtliches

Privacy Policy

Deutsch English Español Français

Privacy Policy for the Gentastic Web App

Gentastic GmbH (hereinafter also "we", "us" or "Gentastic") is the controller responsible for this web app (hereinafter also "website") within the meaning of the General Data Protection Regulation (GDPR).

A responsible approach to personal data is a high priority for us. We want you to feel safe when visiting our websites. We process your data exclusively on the basis of legal and contractual provisions and in accordance with the GDPR and the Austrian Data Protection Act in its applicable version. Please read this privacy policy carefully.

Automated decision-making including profiling does not take place. Should we process your personal data for any purpose other than the one for which we collected it, we will inform you accordingly.

All non-specific gender references in this privacy policy and on the websites follow the unisex principle and apply equally to all genders.

General information

Controller pursuant to Art. 4 (7) GDPR

Gentastic GmbH
St. Jakoberstrasse 1
9020 Klagenfurt
Austria
Tel: +43 (0) 463 20 31 11 30
E-mail: support@gentastic.io

Data protection officer

If you have any questions regarding the processing of your personal data and the exercise of your rights in connection with data protection, please contact our data protection officer.

MMag. Christina Toth, MSc
Laudongasse 12/2
1080 Vienna
Austria
Tel.: +43 (0) 1 994 66 13
E-mail: office@christinatoth.at

Data processing when visiting our web app

Each time our web app is accessed, a series of general data and information is collected. These are stored in the server's log files.

The following may be collected:

  • Browser types and versions used
  • The operating system used by the accessing system
  • The website from which an accessing system reaches our website (so-called referrer)
  • Date and time of access
  • An Internet protocol address (IP address)
  • The Internet service provider of the accessing system

These data are required to deliver the content of our web app correctly, to ensure the permanent functionality of our IT systems and to provide protection in the event of attacks. The processing of this data constitutes a legitimate interest within the meaning of Art. 6 (1) lit. f GDPR.

Technical infrastructure (Amazon Web Services - AWS)

We use the services of Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855 Luxembourg ("AWS") for the operation of our web app.

We use the following AWS services with servers located in Frankfurt (Germany) to process and store your personal data:

  • Amazon Cognito: manages your user account and performs logins. Your name and email address are processed.
  • Amazon Aurora / RDS (database): securely stores all your master and analysis data.
  • Amazon S3 (storage): stores the pseudonymized raw data of your analysis as well as the finished analysis reports for you. The raw data are linked to your personal data in the RDS database only via a barcode. The finished reports may contain your name and the barcode.

Using AWS to ensure stable and secure operation of our services constitutes a legitimate interest within the meaning of Art. 6 (1) lit. f GDPR.

Data processing in connection with our services

Gentastic offers DNA test kits for lifestyle analyses via various collection points and webshops. To use our services, you must create a user account in our web app.

a. Your user account

When creating a user account, the following master data are processed for the purpose of fulfilling the contract (Art. 6 (1) lit. b GDPR): first name, last name, date of birth, gender, email address, telephone number, address (street, house number, postal code, city, country) and the respective test ID.

b. Conducting and evaluating the DNA analysis

If you purchase a DNA test kit and send us your sample, sensitive genetic data will be processed to provide you with our services. We extract your DNA, analyze it and provide you with the results in the form of reports in your user account.

The processing of these special categories of personal data (genetic data) takes place solely on the basis of your explicit consent pursuant to Art. 9 (2) lit. a GDPR. You grant this consent either online during the registration process through a separate, active confirmation (for example by ticking a checkbox provided for this purpose) or by signing and returning the written consent form that you receive with the test kit. Without your consent in one of the aforementioned forms, your genetic data will not be processed.

We cooperate with a specialized partner for the laboratory analysis:

  • Eurofins Genomics AS, Norway (member of the EEA): DNA extraction and analysis are carried out by Eurofins. We transmit only your sample to Eurofins, labeled with a barcode and your gender. No names or other direct identifiers are transferred. Eurofins returns the pseudonymized raw data to us and automatically deletes them after 3 months.

c. Epigenetic clock (Clock Foundation)

If you order an analysis of the epigenetic clock, we transmit the data necessary to create the report to the servers of the Clock Foundation in Frankfurt. The following data are shared: methylation data, your date of birth, the sampling date and your name. Processing is carried out to fulfill the contract (Art. 6 (1) lit. b GDPR).

d. Personalized supplements

To create personalized supplements, you fill out a questionnaire about your lifestyle. These answers are combined with your genetic data to create an individual formulation. The information you provide in the questionnaire is processed solely for the purpose of fulfilling the contract (creating the formulation) and is visible only to you in your user account.

Cookies

We use cookies on our website. These are small text files that are stored on your end device.

  • Necessary cookies: required for the technical operation of the site and for basic functions (e.g. login). Processing is based on our legitimate interest (Art. 6 (1) lit. f GDPR).
  • Other cookies: any other cookies (e.g. for analytics or marketing purposes) are set only after your explicit consent via our cookie banner (Art. 6 (1) lit. a GDPR).

You can configure your browser to inform you about the setting of cookies and to allow cookies only in individual cases. If cookies are deactivated, the functionality of the web app may be restricted.

Contact

If you contact us by email or via a form, the data you provide (e.g. name, email, content of the inquiry) will be stored by us for the purpose of processing your request and in case of follow-up questions. Processing takes place to fulfill (pre-)contractual obligations (Art. 6 (1) lit. b GDPR).

Legal bases of processing

  • Art. 6 (1) lit. a GDPR (consent): for the processing of data for which we obtain specific consent (e.g. non-essential cookies).
  • Art. 9 (2) lit. a GDPR (explicit consent): for the processing of special categories of data (genetic data, health data).
  • Art. 6 (1) lit. b GDPR (contract performance): for the processing of data necessary to provide our services and to carry out pre-contractual measures.
  • Art. 6 (1) lit. c GDPR (legal obligation): when we must comply with legal obligations (e.g. tax retention periods).
  • Art. 6 (1) lit. f GDPR (legitimate interest): for processing to ensure IT security and stable operation of our website.

Transfer of your personal data to third parties

We use processors (e.g. AWS, Eurofins, Clock Foundation) to fulfill the contract and to process your data securely. We have concluded data processing agreements with all partners pursuant to Art. 28 GDPR to ensure that your data are processed in accordance with the applicable data protection regulations. No further transfer of your data to third parties takes place.

Storage period

Your personal data are stored only as long as necessary to achieve the stated purposes or as long as legal retention periods require.

  • User account: your master data are stored until you delete your profile or withdraw your consent.
  • DNA samples and data: your data remain with us until you request deletion or withdraw your consent. At your request, we will destroy your DNA data. Please contact us for this.

Revoking consent does not affect the lawfulness of processing carried out before the revocation.

Your rights

You have the right to access (Art. 15 GDPR), rectification (Art. 16 GDPR), erasure (Art. 17 GDPR), restriction of processing (Art. 18 GDPR), objection (Art. 21 GDPR) and data portability (Art. 20 GDPR).

If you believe that the processing of your data violates data protection law, please contact our data protection officer first. You also have the right to lodge a complaint with the supervisory authority.

Austrian Data Protection Authority
Barichgasse 40-42
1030 Vienna
Email: dsb@dsb.gv.at

SSL or TLS encryption

For security reasons this site uses SSL or TLS encryption. You can recognize an encrypted connection by the "https://" in the address line and the lock symbol in your browser.

Children

Persons under 14 years of age may not transmit any personal data to us without the consent of their parents or legal guardians.

Changes to our privacy information

From time to time it may be necessary to adapt this privacy information. We recommend that you read it regularly. Changes do not take effect retroactively.