PRIVACY STATEMENT OF MIJNLABTEST.NL

This is the privacy statement of Mijnlabtest.nl B.V., registered in the Chamber of Commerce under company number 61556009 and located at Ericssonstraat 2, 5121 ML in Rijen.

In this privacy statement we explain how we process your personal data if you use our website and services. It is important that you read the privacy statement carefully so that you are aware of how and why we use your personal data.

When processing your personal data, Mijnlabtest.nl qualifies as the 'data controller' within the meaning of the General Data Protection Regulation (GDPR). This means that we determine the purposes and processing of your personal data.

Contact

If you have any questions about the privacy statement or the processing of your personal data, please contact us at [email protected]. You can also contact our external and independent data protection officer (DPO) via [email protected] if you have any questions or complaints. The DPO is legally bound to secrecy.

  1. The personal data we collect about you and how we use it

    1. The term 'personal data' is understood to mean all information that can be traced back to a person who can be identified (directly or indirectly), such as a first and last name, telephone number, postal and electronic addresses, date of birth, payment information and bank details. Data that cannot be traced back to a person (anonymous data) is not considered personal data.
    2. In the course of providing our services to you, we process personal data in various ways. We process your health data with your consent if you use a test kit. The sample of the test kit will be destroyed after examination. We only process the (health) data that is needed to provide you with your requested report. All other data that could be derived from the sample of the test kit is not examined or processed in any way.
    3. To provide our services we also process your gender, age and nationality because this is necessary to value your test results. We will also process your contact details to be able to contact you about your test results. We also process your personal data for other purposes, which we explain in the table below. Many of the personal data we collect are provided by yourself, for instance when setting up an account, using our services or by corresponding with us. If we receive personal data from third parties, we will inform you of this in the overview below.
    4. We will only process your personal data when we have a legal ground to do so. Thus, we will only process your data when this is necessary (i) for the establishment and execution of the agreement we have with you to provide our Services, (ii) to comply with our legal obligations (e.g. regulatory obligations), or (iii) to pursue our own legitimate interests (but always on the condition that your interests and fundamental rights do not outweigh our legitimate interests).
    5. We process personal data of children under the age of 16 if they use a test kit and want us to provide them with the result of the test at hand. We only process personal data (including health data) of children under the age of 16 if their parent or their guardian has given consent for the processing.
    6. If we want to process personal data and cannot base this on one of the aforementioned legal grounds, we will always ask for your prior consent to such processing (and only if this is possible and allowed under the GDPR). You can withdraw your consent at any time, either in the same way you consented or by contacting us at [email protected]. Upon withdrawal of your consent, we will stop processing that data. The withdrawal of your consent does not affect the lawfulness of the processing operations that we carried out before the withdrawal.

      The situations in which we will process your personal data are listed below. You can also read which personal data we process for a certain purpose, on which legal basis we do this and how long we will keep your personal data for that purpose.
      Purpose: To provide you with account functionality.
      Personal data:
      • Contact details (such as your (sur)name, telephone number, address and e-mail address)
      • Account information, such as username and password
      Legal basis: Necessary for our legitimate interests (to provide you with easier access to your personal data and a better customer experience and our commercial interest to provide you with a better customer experience).
      Retention period: 5 years after your last account activity.

      Purpose: To be able to sell you our products and ship them to you.
      Personal data:
      • Contact details (such as your (sur)name, telephone number, address and e-mail address)
      • Date of birth
      • Account information, such as username and password
      • Financial data, such as payment data and details of transactions
      Legal basis: Necessary for the performance of our contract with you and necessary to comply with our legal administrational obligations.
      Retention period: For the duration of the contract with you and, for the data we are legally obliged to retain for administrative or tax-related purposes, for the duration of 7 years after the end of the contract with you.

      Purpose: To provide you with the test services, test related correspondence and test result of your test kit, to prepare a personalised health report or to assist you with your appointment with a health care professional.

      Your information will be transferred to and received from European laboratories we engaged to assist with the provision of the services. The data will be shared only on an anonymous basis and laboratories are contractually obliged to handle your data with care and for no other purpose than the provision of our services.
      Personal data:
      • Contact details
      • Report, sample and/or client ID
      • Date of birth
      • Gender
      • Medical test results only if strictly necessary (such as allergy information, blood levels, diseases). The specific health data we process about you can be found in the personalised health report.
      • Other health data that you share with us (such as when you provide us with a description of your health issue prior to your consultation with a lifestyle coach).
      • Account information, such as username and password (only if you take a DNA test).

      This is the data of the person registering the test (the test subject), who can be different from the purchaser of the test and the owner of the account as mentioned above. It is not required to have a Mijnlabtest account to register and use test kits.
      Legal basis: Your regular personal data is processed for the performance of our contract with you or because it is necessary for our legitimate interest to perform our contract with someone else to provide you with our services.

      Your health data is processed based on your explicit consent given for the purposes specified.
      Retention period: In case we are legally obliged to store your health data for your medical record, we will do so for a duration of 20 years. All other data will be stored for a duration of maximum 2 years after collection or until the moment you withdraw your consent (whichever is earlier).

      Purpose: To anonymize the test result in general statistics. The processing activity is the anonymization. After anonymization, the data can no longer be related to the customer (for example, the general statistic that x% of our customers has a vitamin D deficit).
      Personal data:
      • Date of birth
      • Gender
      • Medical test results (such as allergy information, blood levels, diseases)
      • Other health data that you share with us (such as when you provide us with a description of your health issue prior to your consultation with a lifestyle coach).
      Legal basis: Your test results are only anonymized in general statistics if you have given us your consent to do so.
      Retention period: The personal data is anonymized. The general statistical results are no longer considered personal data and therefore no retention period applies to that data.

      Purpose: To manage our relationship with you and communicate with you regarding our services, your questions or comments, support and to notify you about changes to our terms or the privacy statement.
      Personal data:
      • Contact details
      • Other personal data that you share with us (such as via chat messages)
      Legal basis: Necessary for our legitimate interests (to provide support and respond to your questions and comments).
      Retention period: For the duration of 2 years after termination of our contract with you. If we did not enter into a contract with you (yet), we retain the personal data for a period of 2 years since we had contact for the last time.

      Purpose: Business management and (financial) planning, including accounting, auditing, and in connection with our tax obligations.
      Personal data:
      • Contact details
      • Date of birth
      • Gender
      • Account information, such as username and password
      • Financial data, such as payment data, credit card details, wallet details, bank account details, details of transactions and fulfilment of any order
      Legal basis: Necessary for our legitimate interests (to provide support and respond to your questions and comments).
      Retention period: For the duration of 2 years after termination of our contract with you.

      If we did not enter into a contract with you (yet), we retain the personal data for a period of 2 years since we had contact for the last time.

      Purpose: By taking the quiz on our website, we aim to help you find the most fitting test for you. If you give consent, we will also use your answers to provide you with personalised marketing. The answers you give will not be linked to any test results.
      Personal data:
      • Cookie ID
      • Answers given when taking the quiz, relating to: Lifestyle questions, Health questions (e.g. health issues, etc.)
      • Contact details (only if provided)
      Legal basis: Your personal data is processed based on your explicit consent. When giving consent you can specify if you only want to be provided with the most fitting test result or if you also want to receive personalised marketing.
      Retention period: For a duration of maximum 1 year, or until the moment you withdraw your consent (whichever is earlier).

      Purpose: Business management and (financial) planning, including accounting, auditing, and in connection with our tax obligations.
      Personal data:
      • Contact details
      • Date of birth
      • Gender
      • Account information, such as username and password
      • Financial data, such as payment data, wallet details, bank account details, details of transactions and fulfilment of any order
      Legal basis: Necessary to fulfil our tax obligations, regulatory compliance obligations, accounting obligations and other relevant legal obligations (such as cooperating with regulators) and/or necessary in view of our legitimate interests (proper management of our business).
      Retention period: For the duration of 2 years after termination of our contract or longer if required by law.

      For example, where required for regulatory compliance obligations, we retain your personal data for the duration of 5 years after the end of our contract with you.

      Purpose: To measure interest in and improve our website and customise your user experience.
      Personal data:
      • Data about your device and browser type (including IP address and MAC address)
      • Data about your use of our Services, such as the web pages you have viewed, the hyperlinks you clicked on and websites you visited before you opened our Services
      Legal basis: Necessary for our legitimate interest (to keep our website updated and relevant) or your consent for collecting personal data through cookies.
      Retention period: For a duration of maximum 6 months or, where the processing is based on your consent, until the moment you withdraw your consent (whichever is earlier).

      Purpose: Ensuring network and information security, including preventing unauthorised access to our premises, systems and fraud prevention, and implementing, monitoring and enforcing our internal (security) policies
      Personal data:
      • Contact details
      • Data about your device and browser type (including IP address and MAC address)
      • Account information, such as username and password
      • Data about your use of our Services, such as the web pages you have viewed, the hyperlinks you clicked on and websites you visited before you opened our Services
      Legal basis: Necessary for our legitimate interests (i.e. to ensure network and information security, prevent unauthorised access and fraud, and implement, monitor and enforce our policies).
      Retention period: For a duration of maximum 2 months or, in case of an incident, until 2 months after the incident has been handled.

      Purpose: To notify you about promotions and special offers, as well as the services we offer that may be of interest to you.
      Personal data:
      • Contact details
      • Your marketing preferences
      • Other personal data that you share with us (such as via chat messages)
      Legal basis: Necessary for our legitimate interests (i.e. to be able to carry out marketing-related activities) if you make a purchase. An opt-out is provided during the purchase or by clicking on the unsubscribe link in every marketing message.

      If you voluntarily subscribe for marketing messages, we process your personal data based on your consent.
      Retention period: For the duration of 3 years after the end of our contract with you or, if the processing is based on your consent, until the moment you withdraw consent.

      Purpose: To administer our site and diagnose problems, to protect our business, to resolve disputes or troubleshoot problems, to prevent potentially prohibited or illegal activities.
      Personal data:
      • Contact details
      • Date of birth
      • Account information, such as username and password
      • Financial data, such as payment data, credit card details and details of transactions.
      Legal basis: Necessary for our legitimate interest to protect our business and rights or necessary to comply with our legal obligations (e.g. to cooperate with law enforcement and regulators).
      Retention period: For the duration of 5 years after the end of our contract with you, unless a longer retention period is required to comply with regulatory requirements or defend or prosecute legal claims.

      Purpose: To ask you to write a review about our services.
      Personal data:
      • Contact details
      • Purchased services
      • The content of the review (received from Kiyoh)
      Legal basis: Necessary for our legitimate interest to improve our services and build our brand.
      Retention period: For a duration of maximum 6 months after we provided our service to you.

      Purpose: To reply to and communicate about job interviews
      Personal data:
      • Contact details
      • Date of birth
      • CV
      • Information posted on your LinkedIn profile
      • Any additional information that you provide to us
      Legal basis: Necessary for our legitimate interest to be able to assess your compatibility with our organisation and the intended job position.
      Retention period: For a duration of maximum 4 weeks after the job application process has been handled, or until 1 year after the job application process has been handled if you requested us to retain your personal data.
  2. Data processors

    1. We may use so-called data processors to process your personal data on our behalf. We conclude data processing agreements with these processors to ensure that they only process your personal data on our instruction. We have engaged the following processors:
      • hosting providers;
      • secure email providers;
      • companies that provide storage of (personal) data and database management; and
      • maintenance and software providers.
    2. If you provide additional information to these processors yourself, we are not responsible for this. It is wise to inform yourself properly about the processor and his company before you provide your personal data.
  3. Sharing personal data with data controllers

    1. We may share personal data with other data controllers if you give us permission to do so, for example if you ask us to share your results with your doctor or coach or if you want to use certain services that require us to share your personal data. Before we do this, you will always be expressly asked for your consent.
    2. We may also share personal data with third parties on an incidental basis, such as lawyers, courts, auditors and authorities if this is strictly necessary to:
      • comply with our legal obligations;
      • comply with legal requests from authorities;
      • respond to any legal claims;
      • protect the rights, property or safety of us, our users, our employees or the public;
      • protect ourselves or our users against fraudulent, abusive, inappropriate or unlawful use of our services.
    3. We will inform you prior to sharing your personal data, unless we are not legally allowed to do so or doing so would damage the purpose for which we are sharing your personal data.
    4. It may happen that we disclose, share or transfer your personal data when we transfer part of our business or in the unlikely event of bankruptcy. Examples include (negotiations about) a merger, sale of parts of the company or obtaining loans. We will of course try to limit the impact for you as far as possible by transferring personal data only when necessary and anonymizing where possible. We will never share your health data for these purposes, unless you explicitly consent to us doing so, for example because you wish the new company to continue the provision of its services to you.
    5. We will not sell your personal data to third parties.
  4. Data transfer

    1. We process your personal data only in the European Economic Area.
  5. Data security

    1. We take the security of your personal data very seriously. We have therefore implemented appropriate technical and organisational security measures to prevent your personal data from being lost, used, accessed by unauthorised persons, modified or disclosed in an unauthorised manner. These measures include, but are not limited to:
      • we only engage trusted providers of databases to store data, which have taken adequate physical and electronic measures to minimize the risk of unauthorized access, loss or misuse of personal data;
      • we use TLS (Transport Layer Security) technology to encrypt sensitive information or personal data, such as account passwords and test results (via Zivver);
      • we make backups of personal data;
      • sensitive information is stored encrypted;
      • vulnerabilities in the software are dealt with as quickly as reasonably possible;
      • access to your personal data is only authorised for people who need to access it on a need-to-know basis. We ensure that the people who can access your personal data are bound by confidentiality obligations; and
      • access to special categories of personal data is logged and those logs are checked at regular intervals.
  6. Your rights

    1. It is important that the personal data we process about you is accurate and up to date.
    2. In accordance with the GDPR, you have the right to access, rectify and delete your personal data, the right to restrict and object to the processing of your personal data and the right to data portability.
    3. Below you will find more details and information on how and when to exercise your rights:
      • The right to access your personal data. This gives you the right to receive a copy of the personal data we process about you, in order to check whether the data is correct and whether we process it lawfully.
      • The right to request that your personal data be corrected or updated. You can have any incomplete or incorrect personal data that we hold amended or completed.
      • The right to request the deletion of your personal data. You can request deletion of your personal data, but only if:
        • your personal data are no longer needed for the purposes for which they were collected;
        • you withdraw your consent if the processing of your personal data is based on consent and no other legal basis exists;
        • you object to the processing of your personal data and we do not have a compelling legitimate ground for processing;
        • your personal data are processed unlawfully; or
        • your personal data must be removed to comply with a legal obligation.

        If we grant your request, we will, to the extent reasonably possible, inform the parties with whom we share your personal data.

      • The right to object to the processing of your personal data. If we process your personal data on the basis of a legitimate ground for processing, you may object to us processing your personal data for such legitimate ground. We will comply with your request, unless our legitimate interest outweighs your interests or if we need to continue processing your personal data to establish, exercise or defend a legal claim or to comply with our legal obligations.
      • The right to restrict the processing of your personal data. You can request us to restrict the processing of your personal data, in the event that:
        • the accuracy of your personal data is disputed by you, during the period in which we need to verify the accuracy of the personal data;
        • the processing is unlawful and you oppose the deletion of your personal data and request its restriction;
        • we no longer need your personal data for the purposes of processing, but your personal data are necessary for you in the context of a legal claim; or
        • you have objected to the processing, during the period in which we have to verify compelling legitimate grounds.
      • The right to data portability. You can request us to receive your personal data and/or to send it to a third party, as far as this is feasible. You only have this right if it concerns personal data that you have provided to us and the processing is based on consent or based on the necessity for the performance of our contract with you.
    4. We do not take decisions based solely on automated processing.
    5. You can exercise your rights as set out above by submitting a request by e-mail to [email protected]. We will endeavour to respond to your request within one month of receipt. However, this one month period may be extended by two months, for example, in the case of a large or complex request. In this case, we will notify you within one month of receiving your request and explain why the extension is necessary.
    6. You also have the right to lodge a complaint with the supervisory authority (in the Netherlands: Autoriteit Persoonsgegevens) about the way we process your personal data. However, we would appreciate the opportunity to address your complaint before you turn to the supervisory authority.
  7. Changes to this privacy statement


    Last updated: December 2023