Privacy Policy

Privacy Policy
Genfosis Company Limited

Genfosis Company Limited (the "Company") commits that all the Personal Identifiable Information (the "PII") that you have provided are very importance to us and the Company assure to protect their security and shall only process the PII by adopting the most appropriate information security standard, in particular all of the information gathered shall be kept in strict confidene pursuant to the defined legal framework.
This Privacy Policy has been prepared with an intention to inform you as the user ("User") of the how the Company collects, uses, stores, processes and transfer or discloses your PII during the use of the Company's services, either through offline or online channel (i.e. on Genfosis Application). All the services provided by the Company to the User is to be the health and lifestyle advisor to the User through the health test and anlytic process as well as to provide personalized health recommendation (the "Services").
Please thoroughly study the Privacy Policy, together with the Terms of Services announced by the Company. By signing up and registering to be the User, the Company shall deem that the User acknowledges and understands the Company's process of the User's PII as defined under this Privacy Policy. If the User disagree or does not accept the PII process undertaken by the Company pursuant to the Privacy Policy, it shall be deemed that the relevant User exercises the right not to use the Services since the process of the User's PII defined hereunder is critical to the provision of the relevant Services by the Company.  
This Privacy Policy is only applicable to the performance of the Services and shall not apply to the PII process undertaken by other application or website developed and operated by any other third-party that the Company does not have any control over (the "Third Party") that being displayed or connected to the Services. The User understand and agree that the User shall study and agree on the privacy policy announced by those Third Party that are separated from this Privacy Policy.
If the User does not accept this Privacy Policy and any amendment thereof, the Company reserves the rights to refrain from providing any Services to those Users since the processing of the PII defined hereunder are critical for the provisions of the Services by the Company to the User. By continuing to use the Services, the relevant User shall be deemed to always accept and agree to the Privacy Policy.
The Company may amend or revise this Privacy Policy at any time to assure the compliance with the relevant laws and regulations and to assure the updates in the Services at any time; provided that the Company will communicate the amendments or revisions made and the amendment or revisions shall become effective once communicated and announced.
PII being Processed by the Company for the performance of the Services
In order to perform the required Services, the Company may collect, receive, compile, restore and process the User’s PII in 4 main manners:

  1. General information about the relevant User received from third party, including without limitation the information shared by clinic or hospital that the relevant User may have registered that will be shared upon the prior consent given by the User to the relevant clinic or hospital to disclose those information to the Company;
  1. Information gathered from the behavior, lifestyle and health questionnaire developed by the Company filled together with the delivery of the sample kits;
  1. Saliva or other genetic sample kits that the Company shall use to analyze through the laboratory process whose test result shall be used in the assessment and analysis of the health and lifestyle risk and the recommendation on the health and lifestyle improvement of the User; and
  1. Lifestyle and behavior information that will be collected continuously through the integration and connection of the information from various devices to the Genfosis system application that the User has registered into the system during the creation of the user account with the Company.
Through the channel and manner defined above, the Company may collect, receive, store and process the following PII of the User:
  1. General information about the relevant User, including without limitation name, age, nationality and date of birth;
  1. Contact information, including without limitation, address, phone number, and e-mail address;
  1. Health treatment information that the User will directly submit and manifest to the Company in the questionnaire;
  1. Information relating to your normal lifestyle and behavior, including without limitation the behavior, habit, preference, dietary information, exercise and other interests;
  1. Biometric and genetic information as well as other health risk information obtained from the genome analysis of the sample collection kits purchased by the User and deliver to the Company for testing
  1. Other sensitive PII that may have the affect on the analysis and interpretation of the health risk, including without limitation race and sexual behavior;
  1. Services transactional data through the use of Genfosis Application, including without limitation username, password, transaction number and history that the User transact on the application;
  1. Technical PII, including without limitation the IP address number, the Services usage, setting, and web browser connection that have been connected to the Services; and
  1. Other after-sale or support information, including without limitation the PII that the User may submit to the Company’s customer support during the provision of the service of recommending the products and services to such User.
In case of the PII from the minor, the Company would like to clarify that the Company do not have intention to provide Services to such group of User if the relevant guardian grants no approval or ratification. Therefore, in case the guardian gives the consent and ratification for the process of their relevant minor’s PII, the Company shall deem that the relevant guardian has the direct obligation to assure the rights and entitlements of the minor to enter into and accept the Services from the Company, in particular this Privacy Policy.
Objectives for PII Process
The Company represent that the Company shall only collect, store and use the User’s PII solely for the purposes and manner as defined under this Privacy Policy. The objectives of the PII process hereunder include:
  1. The Company would need to collect, store and use the PII of the User in order to perform any Services as defined under the Terms of Use. It is understood by User that without these PII, the Company shall not be able to perform the agreed Services. The PII shall be processed in the following manners:
  • User’s general information and the normal lifestyle as well as behavior shall be used as the key component in the assessment and analysis of the health risk of the relevant User. In order to get the comprehensive and throughout analysis of the User and recommendation that would be most appropriate to each specific User, all of these information shall be used together with the genetic test result since the result may differ based on these variation;
  • User’s contact information shall be used to contact the relevant User during the Services provision;
  • Sensitive PII, in particular health information, biometric and genetic information, race and sexual behavior shall be used in the risk assessment and recommendation that are the critical Service of the Company;
  • Technical PII and Services transactional data shall be recorded and used for the legitimate purpose of monitoring and prevention of the User’s wrongful use, illegal use or other uses that may go beyond the defined objective that may result in any risk on the Company.
  1. The biometric and genetic information of the User as collected and stored in the DNA sample toolkits shall be analyzed; provided that the saliva sample or other cell sample shall be destroyed immediately after 3 months after the completion of the analysis. The Company would need to collect such sample for the purpose of quality and accuracy assurance. Then, the result from the test that would include the Sensitive PII, in particular the health information and raw genetic information, shall be stored for regular assessment again in order to seek the most appropriate recommendation to the relevant User; provided that the User shall acknowledge that the PII that the Company shall store for this purpose may include the raw genetic information and genome information or the analyzed information from the test and the Company would need to store throughout the Services period.
For this particular type of PII, the Company acknowledge that they are categorized as the Sensitive PII under the applicable law and in order for the Company to process them, the explicit consent shall be given by the relevant User and it is the entitlement of the User as the data subject to determinate whether or not to give such consent. However, the Company would like to inform the User that these PII are the necessary and critical pieces of information for the provision of the Services to the relevant User. Therefore, in case that the User do not give consent to the Company in these PII process, the Company shall not be able to provide the Services to the User.
  1. The Company would need to collect and analyze the User’s behavior and lifestyle information and the application and Services transactional data in order to assess the User’s interest with an aim to provide customized and personalized privileges or service that would meet your interest and preference and to improve our customer’s experience with each relevant User;
  1. The Company would need to collect and restore the User’s PII in order to assure the appropriate after-sale service provided by the Company in various forms, including the satisfaction survey or the support and complaint redress function;
  1. The User would need to collect and restore the User’s PII as obliged under the applicable laws and regulations, for instance, for the withholding tax payment purpose;
  1. The User’s PII may be anonymized before being used in the further analysis and research purpose that would be beneficial for the general public or for the commercial benefit of the Company; provided that in this circumstance, the Company shall assure that information security of such information and the Company shall use the best effort in assuring that the information disclosed under this circumstance shall not be entitled to reprocessed to identify each specific User.
Except for the DNA sample collected that shall be destroyed within the defined timeline, the Company would need to collect and store the PII of each relevant User for the defined purposes until the User terminates the use the Services in writing.
Disclosure of the PII
In order to assure the performance of the Services as committed, the Company may need to disclose the User’s PII in the following circumstances:
  1. To disclose the User’s PII to the outsourced service providers engaged in the performing direct service to the Services, including without limitation the advisors, outsourced service provider, logistic contractors as well as the service provider who is providing the service of application analysis (i.e. Google Analytics); provided that the Company shall only disclose the User’s PII to the relevant recipient strictly on the need to know basis in strict compliance with the defined objectives for PII process defined;
In case of the disclosure and transfer of any Sensitive PII, in particular the DNA sample, the Company shall use the best standard in order to assure that the recipient of such information shall not be able to identify specifically the relevant Users so the information shall be shared on the anonymous basis.
  1. The health risk assessment or the test result of the relevant User shall be shared and disclosed to the clinic or hospital who sells the sample collection kits to the relevant User so that those clinic or hospital to reach and interpret the test result to the User. For this particular disclosure and transfer, the User shall be entitled to give specific instruction which clinic or hospital that the User would like the Company to disclose those information to. After the disclosure or transfer made by the Company, in case that the clinic or hospital will collect and use the disclosed PII for the performance of other services o the User, the User acknowledge and understand that the User shall study and accept the privacy policy announced by those clinic or hospital that are separate from this Privacy Policy and the Company shall not be liable for the process of the PII by the clinic or hospital;
  1. The Services transactional data that may include the User’s PII shall be stored on cloud; provided that in this regard, the Company guarantee to set and configure the special security standards in the storage that would match with the confidential nature and risk of the stored information;
  1. To disclose the User’ PII to third party in the legal proceedings to protect the Company’s legitimate rights or to detect and prevent any fraud on the Services; provided that such disclosure shall be done on the limited and specific purposes as defined;
  1. In case that the Company is obliged under the applicable laws, court judgment or administrative order to disclose any PII of any particular users, the Compnay would need to do so only on the necessary basis;
  1. Statistic information that has been processed on the anonymous basis may be disclosed to the public or to the research institute for the geneal public interest, the medical preventive and diagnosis purpose, health and society services or health management.
Cookies that the Company is using on the Services?
Cookies are text files stored on the User’s computer browser directory or program data subfolder in order to keep data log of the User’s internet usage and the User’s behavior or interaction on the Services. For the performance of the Services, the Company need to use various types of Cookies for various purposes as defined below:
  1. Functionality Cookies being used to record information about choices the User have made in the Services such as personal settings, languages, and fonts so this would allows the Company to tailor our Services features that would match the User’s preference setting;
  1. Advertising Cookies being used to record the User’s on-site behavior and history of the Services visited and this would allow the Company to provide the User the services and products that suit the User’s preferences and to assess the success of each function of the Services;
  1. Strictly Necessary Cookies are essential for the User to browse the Services and use its features, such as accessing secure areas of the Services. 
Even though the use of Cookies would enhance the performance in providing services in any features of the Services to the User, the User shall be entitled to disable the Cookies setting on the User’s browser at their own will; provided that the User shall acknowledge that the Cookies-disabled setting may impact the efficiency and the performance of the Services as defined in details for each type of Cookies above.
Representation on the Privacy Security
The Company represents and guarantees that the Company shall use the most appropriate security measures to prevent the unauthorized access, amendment or disclosure of the PII in any form or in any circumstance by either internal or external persons and the Company commits to review those measures on the regular basis with the strong commitment to use the best industrial practice and to be in strict compliance with the applicable laws. The applicable security measures to be established include, among other things, the following measures:
  1. Anonymization to the fullest extent feasible and practicable. Registration Information that can identify the relevant User shall be stripped from other information collected, in particular the Sensitive PII in order to reduce the risk of the person receiving the Sensitive PII from being able to identify the relevant User;
  1. Encryption. All the Sensitive PII shall be encrypted both when it is stored (data-at-rest) and when it is being transmitted (data-in-flight). Additionally, the Company limit access of information to authorized personnel, both physically or on the system, and the Company establishes the system to audit and check the access log of those personnel;
  1. Detecting threats and managing vulnerabilities that may lead to the leak, hack or unauthorized access to the PII. The Company have configured and established the regular vulnerability scanning system and have established the emergency / incident management plan and the reporting mechanism to the Personal Data Protection Committee and/or the relevant User as the data subject within the timeline defined under the applicable laws;
  1. In case of any share, transfer or disclosure of any PII to third party, the Company shall enter into the data processing agreement that will define the rights and obligations of each party in the process of the PII and shall establish the monitoring system to assure the compliance of each party, including the data breach incidence.
Data Subject Rights
The Company acknowledges and accepts the User’s rights as the data subject over their PII as defined under the applicable laws that include the following rights:
  1. Right to access; to request for the copy of all the PII; and to rectify or update their own PII;
  2. Right to request for the PII that the Company has processed in the readable forms by the tools or automatic mechanics and to request for the data portability to other data controller;
  3. Right to object to the PII process being undertaken;
  4. Right to request for the erasure or de-identification of any PII that does not have any necessary basis to process, i.e. after the consent withdrawal;
  5. Right to request for the PII process suspension in case that request for erasure is being exercised or when such PII is not necessary;
  6. Right to withdraw consent that has been given for the PII process for specific purpose.

The User can contact the Company in order to make the request to exercise any defined rights through the defined channel without any charge and the Company will consider and notify the User of the Company’s determination within 30 days after the receipt of the User’s valid request.
Contact Us
Data Controller
Name:              Genfosis Company Limited        
Address:          101 Soi Rama IX 60 (Soi 7 Seree 7) Phatthanakan Sub-district, Suanluang District, Bangkok
Telephone:      02-0302624
E-Mail:             [email protected]