Genfosis Company Limited
Genfosis Company Limited (the "Company") commits that all the Personally Identifiable Information (the "PII") that you have provided is very important to us. The Company undertakes to protect its security and shall only process the PII by adopting the most appropriate information security standard; in particular, all of the information gathered shall be kept in strict confidence pursuant to the defined legal framework.
PII being Processed by the Company for the performance of the Services
In order to perform the required Services, the Company may collect, receive, compile, restore and process the User’s PII in 4 main manners:
- General information about the relevant User received from third party, including without limitation the information shared by clinic or hospital that the relevant User may have registered that will be shared upon the prior consent given by the User to the relevant clinic or hospital to disclose those information to the Company;
- Information gathered from the behavior, lifestyle and health questionnaire developed by the Company filled together with the delivery of the sample kits;
- Saliva or other genetic sample kits that the Company shall use to analyze through the laboratory process whose test result shall be used in the assessment and analysis of the health and lifestyle risk and the recommendation on the health and lifestyle improvement of the User; and
- Lifestyle and behavior information that will be collected continuously through the integration and connection of the information from various devices to the Genfosis system application that the User has registered into the system during the creation of the user account with the Company.
Through the channel and manner defined above, the Company may collect, receive, store and process the following PII of the User:
- General information about the relevant User, including without limitation name, age, nationality and date of birth;
- Contact information, including without limitation, address, phone number, and e-mail address;
- Health treatment information that the User will directly submit and manifest to the Company in the questionnaire;
- Information relating to your normal lifestyle and behavior, including without limitation the behavior, habit, preference, dietary information, exercise and other interests;
- Biometric and genetic information as well as other health risk information obtained from the genome analysis of the sample collection kits purchased by the User and delivered to the Company for testing;
- Other sensitive PII that may have an effect on the analysis and interpretation of the health risk, including without limitation race and sexual behavior;
- Services transactional data through the use of Genfosis Application, including without limitation username, password, transaction number and history that the User transact on the application;
- Technical PII, including without limitation the IP address number, the Services usage, setting, and web browser connection that have been connected to the Services; and
- Other after-sale or support information, including without limitation the PII that the User may submit to the Company’s customer support during the provision of the service of recommending the products and services to such User.
Objectives for PII Process
- User’s general information and the normal lifestyle as well as behavior shall be used as the key component in the assessment and analysis of the health risk of the relevant User. In order to get a comprehensive and thorough analysis of the User and the recommendation that would be most appropriate to each specific User, all of this information shall be used together with the genetic test result since the result may differ based on these variations;
- User’s contact information shall be used to contact the relevant User during the Services provision;
- Sensitive PII, in particular health information, biometric and genetic information, race and sexual behavior shall be used in the risk assessment and recommendation that are the critical Service of the Company;
- Technical PII and Services transactional data shall be recorded and used for the legitimate purpose of monitoring and prevention of the User’s wrongful use, illegal use or other uses that may go beyond the defined objective that may result in any risk on the Company.
- The biometric and genetic information of the User as collected and stored in the DNA sample toolkits shall be analyzed; provided that the saliva sample or other cell sample shall be destroyed immediately after 3 months after the completion of the analysis. The Company would need to collect such sample for the purpose of quality and accuracy assurance. Then, the result from the test that would include the Sensitive PII, in particular the health information and raw genetic information, shall be stored for regular assessment again in order to seek the most appropriate recommendation to the relevant User; provided that the User shall acknowledge that the PII that the Company shall store for this purpose may include the raw genetic information and genome information or the analyzed information from the test and the Company would need to store throughout the Services period.
For this particular type of PII, the Company acknowledges that they are categorized as the Sensitive PII under the applicable law and in order for the Company to process them, the explicit consent shall be given by the relevant User and it is the entitlement of the User as the data subject to determine whether or not to give such consent. However, the Company would like to inform the User that these PII are the necessary and critical pieces of information for the provision of the Services to the relevant User. Therefore, in case that the User does not give consent to the Company for the processing of these PII, the Company shall not be able to provide the Services to the User.
- The Company would need to collect and analyze the User’s behavior and lifestyle information and the application and Services transactional data in order to assess the User’s interest with an aim to provide customized and personalized privileges or service that would meet your interest and preference and to improve our customer’s experience with each relevant User;
- The Company would need to collect and restore the User’s PII in order to assure the appropriate after-sale service provided by the Company in various forms, including the satisfaction survey or the support and complaint redress function;
- The User would need to collect and restore the User’s PII as obliged under the applicable laws and regulations, for instance, for the withholding tax payment purpose;
- The User’s PII may be anonymized before being used for further analysis and research purposes that would be beneficial for the general public or for the commercial benefit of the Company; provided that in this circumstance, the Company shall assure the information security of such information and the Company shall use the best effort in assuring that the information disclosed under this circumstance cannot be reprocessed to identify each specific User.
Except for the DNA sample collected that shall be destroyed within the defined timeline, the Company would need to collect and store the PII of each relevant User for the defined purposes until the User terminates the use of the Services in writing.
Disclosure of the PII
In order to assure the performance of the Services as committed, the Company may need to disclose the User’s PII in the following circumstances:
- To disclose the User’s PII to the outsourced service providers engaged in performing direct services for the Services, including without limitation the advisors, outsourced service provider, logistic contractors as well as the service provider who is providing the service of application analysis (i.e. Google Analytics); provided that the Company shall only disclose the User’s PII to the relevant recipient strictly on a need-to-know basis in strict compliance with the defined objectives for PII process;
In case of the disclosure and transfer of any Sensitive PII, in particular the DNA sample, the Company shall use the best standard in order to assure that the recipient of such information shall not be able to identify specifically the relevant Users so the information shall be shared on the anonymous basis.
- The Services transactional data that may include the User’s PII shall be stored on cloud; provided that in this regard, the Company guarantees to set and configure the special security standards in the storage that would match with the confidential nature and risk of the stored information;
- To disclose the User’s PII to third party in the legal proceedings to protect the Company’s legitimate rights or to detect and prevent any fraud on the Services; provided that such disclosure shall be done on the limited and specific purposes as defined;
- In case that the Company is obliged under the applicable laws, court judgment or administrative order to disclose any PII of any particular users, the Company would need to do so only on the necessary basis;
- Statistic information that has been processed on the anonymous basis may be disclosed to the public or to the research institute for the general public interest, the medical preventive and diagnosis purpose, health and society services or health management.
Cookies that the Company is using on the Services?
Cookies are text files stored on the User’s computer browser directory or program data subfolder in order to keep data log of the User’s internet usage and the User’s behavior or interaction on the Services. For the performance of the Services, the Company needs to use various types of Cookies for various purposes as defined below:
- Functionality Cookies being used to record information about choices the User has made in the Services such as personal settings, languages, and fonts, which allows the Company to tailor our Services features to match the User’s preference setting;
- Advertising Cookies being used to record the User’s on-site behavior and history of the Services visited and this would allow the Company to provide the User the services and products that suit the User’s preferences and to assess the success of each function of the Services;
- Strictly Necessary Cookies are essential for the User to browse the Services and use its features, such as accessing secure areas of the Services.
Representation on the Privacy Security
The Company represents and guarantees that the Company shall use the most appropriate security measures to prevent the unauthorized access, amendment or disclosure of the PII in any form or in any circumstance by either internal or external persons and the Company commits to review those measures on the regular basis with the strong commitment to use the best industrial practice and to be in strict compliance with the applicable laws. The applicable security measures to be established include, among other things, the following measures:
- Anonymization to the fullest extent feasible and practicable. Registration Information that can identify the relevant User shall be stripped from other information collected, in particular the Sensitive PII in order to reduce the risk of the person receiving the Sensitive PII from being able to identify the relevant User;
- Encryption. All the Sensitive PII shall be encrypted both when it is stored (data-at-rest) and when it is being transmitted (data-in-flight). Additionally, the Company limits access of information to authorized personnel, both physically and on the system, and the Company establishes the system to audit and check the access log of those personnel;
- Detecting threats and managing vulnerabilities that may lead to the leak, hack or unauthorized access to the PII. The Company has configured and established the regular vulnerability scanning system and has established the emergency / incident management plan and the reporting mechanism to the Personal Data Protection Committee and/or the relevant User as the data subject within the timeline defined under the applicable laws;
- In case of any share, transfer or disclosure of any PII to third party, the Company shall enter into the data processing agreement that will define the rights and obligations of each party in the process of the PII and shall establish the monitoring system to assure the compliance of each party, including the data breach incidence.
Data Subject Rights
The Company acknowledges and accepts the User’s rights as the data subject over their PII as defined under the applicable laws that include the following rights:
- Right to access; to request for the copy of all the PII; and to rectify or update their own PII;
- Right to request for the PII that the Company has processed in the readable forms by the tools or automatic mechanics and to request for the data portability to other data controller;
- Right to object to the PII process being undertaken;
- Right to request for the erasure or de-identification of any PII that does not have any necessary basis to process, i.e. after the consent withdrawal;
- Right to request for the PII process suspension in case that request for erasure is being exercised or when such PII is not necessary;
- Right to withdraw consent that has been given for the PII process for specific purpose.
The User can contact the Company in order to make the request to exercise any defined rights through the defined channel without any charge and the Company will consider and notify the User of the Company’s determination within 30 days after the receipt of the User’s valid request.
Name: Genfosis Company Limited
Address: 101 Soi Rama IX 60 (Soi 7 Seree 7) Phatthanakan Sub-district, Suanluang District, Bangkok
E-Mail: [email protected]