Privacy Policy iGene Products
iGene Products B.V.
1.
Introduction
This is the privacy and cookie policy
(hereinafter: policy) of iGene Products B.V. (Chamber of Commerce number
63823764), registered in Nijmegen and with its office at Oude Haven 102, 6511
XH Nijmegen (hereinafter: iGene Products).
Deze verklaring is van toepassing op elke
verwerking van persoonsgegevens van de gebruikers van iGene Products. 'Personal
data' zijn alle gegevens over een geïdentificeerde of identificeerbare
natuurlijke persoon. Onder 'gebruikers' vallen alle afnemers van de producten
en diensten van iGene Products, waaronder consumenten en zakelijke afnemers,
alsook bezoekers van de websites van iGene Products.
Op alle verwerkingen van persoonsgegevens
is privacywet- en regelgeving van toepassing, waaronder de Algemene Verordening
Gegevensbescherming (hierna: GDPR) en de Uitvoeringswet GDPR. Wij zijn
verantwoordelijk voor de naleving van deze wet- en regelgeving.
We consider it important that our services
are reliable and transparent. We handle the data of our users with discretion
and care.
2.
Role of iGene Products
iGene Products is
verwerkingsverantwoordelijke voor het verwerken van gegevens van gebruikers
indien en voor zover iGene Products zelf het doel en de middelen van de
gegevensverwerking vaststelt. Voorbeelden hiervan zijn verwerkingen in het
kader van het aanbieden van haar producten en diensten, zoals het uitvoeren van
DNA-tests, het analyseren van DNA en het beschikbaar stellen van DNA reports
aan gebruikers.
iGene Products acts as data processor to
the extent that iGene Products processes data on behalf of third parties (e.g.
business customers). In that case, those third parties are the data
controllers. iGene Products enters into a data processing agreement with them.
3.
What does iGene Products do?
iGene Products biedt een genetische
informatieservice. De dienstverlening omvat het uitvoeren van DNA-tests, het
analyseren van DNA en het beschikbaar stellen van DNA reports aan gebruikers.
iGene Products offers genetic self-tests
that give users insight into personal traits, lifestyle recommendations,
medication sensitivity, and genetic predisposition for various conditions.
The DNA Testing Process
De gebruiker neemt biologisch materiaal af
in de vorm van speeksel via een iGene-kit en stuurt dit naar iGene Products.
iGene Products stuurt het materiaal naar een gecertificeerd laboratorium, waar
een groot aantal genetische variaties (SNPs) in kaart wordt gebracht. De
resultaten worden geanalyseerd en verwerkt tot individuele DNA reports die via
de iGene-applicatie beschikbaar worden gesteld.
iGene Products' service is primarily an
information service and is not intended to replace regular medical diagnostics
or treatment. Please refer to iGene's General Terms and Conditions for more
information about the nature of the service.
4.
Purposes and legal bases for data processing
iGene Products processes data only for
specified, explicitly described, and justified purposes and on the basis of
legal grounds:
4.1 Creating, using, and managing an account
In connection with ordering products and
services, the user can create an account in the iGene application. Legal basis:
necessity for the performance of the contract.
4.2 Ordering products and services
The ordering and delivery of products and
services, including the iGene kit, and the associated payment processing. Legal
basis: necessity for the performance of the contract.
4.3 Performing DNA tests and providing reports
Het uitvoeren van genetische zelftests, het
analyseren van DNA en het beschikbaar stellen van DNA reports over persoonlijke
kenmerken, leefstijlaanbevelingen, geneesmiddelgevoeligheid en genetische
aanleg. Hierbij worden genetische gegevens verwerkt, die vallen onder de
categorie 'bijzondere gegevens' in de zin van de GDPR. Het verwerken van
bijzondere gegevens is verboden, tenzij aan een wettelijke uitzondering wordt
voldaan. iGene Products verwerkt genetische gegevens uitsluitend op basis van
uitdrukkelijke toestemming van de gebruiker.
4.4 Visiting and using websites and/or apps
When visiting the websites or apps, data
such as visit data may be stored. See section 8 on cookies.
4.5 Direct marketing
Sending commercial communications to users.
If iGene Products has received electronic contact details in the context of the
sale of products or services, these may be used without further consent for the
marketing of similar products and services (Article 11.7 of the Dutch
Telecommunications Act). Legal basis: legitimate interest.
Users can unsubscribe from commercial
messages at any time, via the unsubscribe link at the bottom of each email or
by email to privacy@igene.eu. After unsubscribing, iGene Products will stop
sending commercial messages as soon as possible, but no later than within five
(5) working days.
When collecting electronic contact details,
iGene Products offers users the opportunity to object to the use of their data
for direct marketing. Every commercial message contains a simple,
free-of-charge unsubscribe option.
4.6 Administrative or fiscal purposes
Administrative or fiscal obligations, for
example towards the Tax Authority. Legal basis: legal obligation or legitimate
interest.
4.7 Information requests, questions, and
complaints
Handling of requests, questions, and
complaints. Legal basis: contract, legitimate interest, or legal obligation.
4.8 Scientific research and product development
iGene Products kan geaggregeerde en
geanonimiseerde gegevens gebruiken ten behoeve van wetenschappelijk onderzoek
en productontwikkeling. Voor zover hierbij (voorafgaand aan de onomkeerbare
anonimisering) genetische of andere bijzondere persoonsgegevens worden
verwerkt, geschiedt dit uitsluitend op basis van de uitdrukkelijke toestemming
van de gebruiker (artikel 9, lid 2, sub a GDPR). De gebruiker kan deze
toestemming optioneel verlenen tijdens het activeren van het account of
naderhand via de instellingen in de iGene-applicatie. Consent kan op elk moment
met onmiddellijke ingang worden ingetrokken. Na onomkeerbare anonimisering
gebruikt iGene Products uitsluitend statistische gegevens op populatieniveau;
deze gegevens vallen buiten het bereik van de GDPR. Intrekking van toestemming
heeft geen terugwerkende kracht op gegevens die reeds vóór het moment van
intrekking onomkeerbaar zijn geanonimiseerd.
5.
Data processed by iGene Products
iGene Products ensures that the data
processed is adequate, relevant, and limited to what is necessary.
5.1 Account and registration
When registering and using the app, iGene
Products processes:
– Tube code (unieke, pseudonieme code,
willekeurig gegenereerd)
– Year of birth (no birth month or day)
– Ethnicity (optional; see explanation
below)
– Country of origin
– Language setting of the app
– Meta-information (operating system, app
version, push tokens)
– Optional: email address (for push
notifications, account recovery, or report retrieval)
Indien etnische gegevens worden verwerkt,
geschiedt dit uitsluitend om genetische interpretaties statistisch beter af te
stemmen op bekende populatieverschillen in genfrequenties. Het verstrekken van
etniciteit is optioneel; zonder deze informatie kunnen bepaalde interpretaties
minder nauwkeurig zijn. Gegevens waaruit etnische afkomst blijkt zijn
bijzondere persoonsgegevens; de verwerking hiervan is gebaseerd op
uitdrukkelijke toestemming van de gebruiker (GDPR artikel 9, lid 2, sub a).
5.2 Order and delivery
When ordering products, iGene Products
processes:
– Name, address, and place of residence
– Email address (for track and trace)
– Payment details
5.3 DNA test and reporting
The DNA Testing Process omvat de volgende
stappen:
Step 1: The
user collects biological material and sends it together with the tube code to
iGene Products.
Step 2: Upon
receipt of the return, iGene Products processes the biological material and the
tube code. The tube code is not linked to any other data; iGene Products does
not know which person the material originates from.
Step 3: iGene
Products sends the biological material, labelled with the tube code, to a
certified laboratory.
Step 4: The
laboratory maps the genetic variants (SNPs) and sends the results back to iGene
Products.
Stap 5: De
resultaten worden geanalyseerd en verwerkt tot individuele DNA reports. Hierbij
worden verwerkt: SNPs, buiscode, geboortejaar, etniciteit, land van herkomst en
taalinstelling.
The above separation applies to the
processing of biological material. To the extent technically necessary to give
the user access to their report, enable account recovery, or send
notifications, a functional link exists between the tube code and the user's
app account. This link is stored strictly separately from order and address
data and is only accessible to authorised systems.
De DNA reports kunnen uitslagen bevatten
over:
– Personal traits (such as genetic
variants potentially associated with nutrient metabolism)
– Medication sensitivity based on
enzymatic profiles
– Genetic predisposition for conditions
5.4 Website visits
When visiting websites or apps, visit data
may be stored, including URL, IP address, browser type, date and time of visit,
and click and usage behaviour. See section 8 on cookies.
5.5 Marketing and communications
For direct marketing purposes, iGene
Products processes data such as email address, name, and address.
6.
Third parties that process data
The starting point is that iGene Products
does not share data with third parties. In the following situations, iGene
Products may share data:
– With affiliated companies, to the
extent necessary for the described purposes.
– With processors (parties that process
data on behalf of iGene Products, such as IT suppliers), solely on the
instructions of iGene Products and with appropriate safeguards.
– With certified laboratories that
perform the DNA analysis.
– With Shopify Inc., which provides the
ordering platform and payment processing. Shopify processes order data as a
processor of iGene Products, but may also process certain data as an
independent data controller for its own legal obligations (including fraud
prevention and security). See Shopify’s privacy policy for more information.
– With Intuit Mailchimp, which provides
the email platform for sending newsletters.
– With a healthcare professional, solely
if the user grants consent for this in the app.
– With employees of iGene Products, to
the extent necessary for the performance of their duties and bound by a
confidentiality obligation.
– If required by law, court order, or
other legal process.
– In connection with a business
transaction, such as a merger or sale of assets.
– With professional advisers (including
lawyers, accountants, auditors, insurers, and certifying bodies), to the extent
necessary for legal advice, audit, certification, insurance, security,
compliance, or the establishment or substantiation of legal claims.
If consent is required for sharing data,
iGene Products will request this from the user in advance.
7.
Security
iGene Products takes the security of data
very seriously and has implemented appropriate technical and organisational
measures to protect personal data against unauthorised access, loss, or misuse.
iGene Products is ISO 27001:2022 certified.
The key security principles are:
– The storage of genetic data and the
analyses and reports are strictly separated from each other.
– Genetic data zijn uitsluitend gekoppeld
aan een pseudonieme code (buiscode), niet aan andere persoonsgegevens.
– All data is stored and processed within
the European Economic Area.
– Encrypted backups are made
periodically.
– Payments are processed via a certified
Payment Service Provider over an encrypted connection.
iGene Products heeft een
gegevensbeschermingseffectbeoordeling (DPIA) uitgevoerd voor de verwerking van
genetische gegevens, overeenkomstig artikel 35 GDPR. Deze wordt periodiek
herzien.
8.
Cookies
iGene Products may use cookies and similar
technologies (such as JavaScripts, tracking pixels, and web beacons) on its
websites and apps. Cookies are small text files that store data when visiting
the website. iGene Products distinguishes the following categories:
Functional cookies
Necessary for the operation of the website,
such as session cookies and language preferences. No consent is required for
these. Retention period: duration of the session or a maximum of 12 months.
Analytical cookies
For measuring and analysing website usage
(e.g. via Google Analytics). These cookies are only placed after the user has
given consent. Retention period: a maximum of 26 months.
Marketing cookies
For displaying personalised advertisements.
These cookies are only placed after the user has given explicit consent.
Retention period: a maximum of 12 months.
Users can adjust their cookie preferences
at any time via the cookie settings on the website. The cookie policy is
available on the iGene Products website.
9.
Links to third parties
iGene Products' websites and apps may
contain links to third-party websites. iGene Products is not responsible for
the way in which third parties handle user data. The privacy policies of those
parties apply to those websites.
10.
User rights
The user has the following rights with
regard to their data. For any request, the user may send an email to
privacy@igene.eu or a letter by post to Oude Haven 102, 6511 XH Nijmegen.
iGene Products preferably verifies the
identity of the user via the iGene application (logged-in session) or by email
(verification code). Only if there is reasonable doubt about the identity may
iGene Products additionally request a copy of a valid identity document
(portrait photo and citizen service number may be redacted). The copy is
deleted immediately after identification.
Right to information
We inform the user about which data we
process, for what purposes, on what legal basis, and to whom we provide data.
All of this information can be found in this policy.
Right of access
The user has the right to access their
data, including information about purposes, recipients, retention periods, and
origin.
Right to rectification
The user may request iGene Products to
rectify their data or complete incomplete data.
Right to erasure
In certain cases, iGene Products is obliged
to delete data, for example when it is no longer needed or consent has been
withdrawn. iGene Products always weighs up the circumstances, as processing may
sometimes remain necessary for legal obligations.
Right to restriction
The user has the right to request
restriction of processing, for example when the accuracy of the data is
contested.
Right to data portability
Under certain conditions, the user has the
right to receive the data they have provided and the raw DNA data in a
structured, commonly used format and to transfer it to another company. This
right does not apply to the analyses, interpretations, and reports generated by
iGene Products, which are protected by intellectual property rights.
Withdrawal of consent
Indien de verwerking berust op toestemming,
kan de gebruiker deze op elk moment intrekken. Intrekking van de toestemming
voor het verwerken van genetische gegevens heeft tot gevolg dat iGene Products
de DNA reports niet langer kan aanbieden. Het account wordt in dat geval
beëindigd en alle genetische gegevens worden binnen dertig (30) dagen
verwijderd. De intrekking laat de rechtmatigheid van eerdere verwerkingen
onverlet.
Right to object
The user may object to the processing of
their data. Following an objection, iGene Products will in principle cease the
processing. The user may also object to the use of contact details for
marketing by unsubscribing via the link in emails or by email to
privacy@igene.eu.
Complaint to supervisory authority
De gebruiker heeft het recht een klacht in
te dienen bij de Autoriteit Personal data of naar de rechter te stappen.
If the user is under the age of 16, consent
from parent(s) or guardian(s) is required.
The above rights are not absolute. iGene
Products may refuse a request in whole or in part if this is necessary for
compliance with legal obligations, security, fraud prevention, evidence
gathering, or the establishment or substantiation of legal claims. iGene
Products will inform the user of the reason for any refusal.
11.
Retention periods
iGene Products does not retain data for
longer than is necessary for the purposes for which it is processed. After
that, data is deleted or anonymised.
– Order data (name, address, email):
deleted no later than 6 months after delivery of the kit.
– Biological material: destroyed by the
laboratory upon completion of the DNA analysis, in accordance with the
agreements in the data processing agreement with the laboratory.
– Raw DNA data, analyses, and reports:
available for as long as the user has an active account. The raw DNA data is
necessary for updates and expansions of the reports. Upon termination of the
account, all genetic data will be deleted within thirty (30) days.
– Visit data and cookies: a maximum of 26
months, depending on the type of cookie (see section 8).
– Administrative data: 7 years after the
financial year, in accordance with the statutory retention obligation (Article
52 of the Dutch General Tax Act).
– Marketing data (email address for
newsletter): until unsubscribed by the user.
– Consentslogs, beveiligingslogs,
incidentdossiers en audit trails: zolang als noodzakelijk voor beveiliging,
bewijsvoering, fraudepreventie, compliance of juridische procedures. Waar
mogelijk worden deze gegevens gepseudonimiseerd.
Data still present in encrypted backups is
retained solely for security and recovery purposes and is no longer actively
processed. Backups are automatically replaced in accordance with the regular
backup schedule and deleted no later than twelve (12) months.
See Article 6 of the General Terms and
Conditions for the retention period for inactive accounts.
12.
Data breachken
Bij een inbreuk in verband met
persoonsgegevens (datalek) meldt iGene Products dit binnen 72 uur aan de
Autoriteit Personal data, tenzij het onwaarschijnlijk is dat het datalek een
risico oplevert. Bij een hoog risico wordt ook de gebruiker geïnformeerd.
Security incidents or data breaches can be
reported via privacy@igene.eu or by telephone at +31 (0)10 310 4200.
13.
Transfer outside the EEA
All biological material, raw DNA data,
analyses, and reports are stored and processed within the European Economic
Area (EEA) or in countries for which the European Commission has issued a valid
adequacy decision.
Some operational and analytical data (not
genetic data) may be transferred outside the EEA, for example for website
analytics or email services. This concerns only non-genetic data such as visit
data and email addresses. Transfers are made on the basis of an adequacy
decision of the European Commission or, in the absence thereof, EU Standard
Contractual Clauses. Additional safeguards are implemented, including
encryption of data in transit and at rest.
The main service providers outside the EEA
that may receive non-genetic data are:
– Google LLC (United States) — for
website analytics (Google Analytics) and tag management (Google Tag Manager).
– Intuit Mailchimp (United States) — for
sending newsletters.
– Shopify Inc. (Canada/United States) —
for the ordering platform and payment processing.
If international cooperation in the future
necessitates the transfer of genetic data outside the EEA, iGene Products will
request explicit prior consent from the user and implement additional technical
and contractual safeguards, including a Data Protection Impact Assessment.
14.
Changes
We may amend this policy if developments
give reason to do so. The most current version can be found on our website. In
the event of material changes to the processing of personal data, we will
inform the user in advance, for example by email or via a notification in the
iGene application.
15.
Contact details
For questions, requests, suggestions, or
complaints about this policy or data processing activities:
– iGene Products B.V. | Chamber of
Commerce number 63823764
– Email: privacy@igene.eu
– Post: Oude Haven 102, 6511 XH Nijmegen
– Data Protection Officer: Mr W. Limpens
– Telephone: +31 (0)10 310 4200
16.
Glossary
The following terms are used in this
policy:
Anonymisation
The irreversible processing of personal
data in such a way that it can no longer be traced back to an identifiable
natural person. Anonymised data falls outside the scope of the GDPR.
GDPR
General Data Protection Regulation
(Regulation (EU) 2016/679), the European privacy legislation governing the
protection of personal data.
Data subject
The natural person to whom the personal
data relates. Referred to as 'user' in this policy.
Special category data
Personal data waaruit onder meer ras of
etnische afkomst, genetische gegevens of gegevens over gezondheid blijken. Voor
de verwerking hiervan gelden strengere regels onder de GDPR.
Tube code
A unique, randomly generated pseudonymous
code used to identify biological material and DNA data without linking it to
the identity of the user.
Cookie
A small text file stored on the user’s
device when visiting a website, which can be read on a subsequent visit.
Data breach
A breach of personal data security leading
to the accidental or unlawful destruction, loss, alteration, unauthorised
disclosure of, or access to personal data.
DNA report
The report containing the results of the
DNA analysis, providing insight into, among other things, personal traits,
lifestyle recommendations, medication sensitivity, and genetic predisposition.
DPIA
Data Protection Impact Assessment
(gegevensbeschermingseffectbeoordeling): een beoordeling van de gevolgen van
een gegevensverwerking voor de bescherming van persoonsgegevens, vereist bij
verwerkingen met een hoog risico (artikel 35 GDPR).
Genetic data
Personal data relating to the inherited or
acquired genetic characteristics of a natural person which provide unique
information about the physiology or health of that person.
Personal data
Any information relating to an identified
or identifiable natural person, such as name, email address, tube code, or
genetic data.
Pseudonymisation
The processing of personal data in such a
manner that it can no longer be attributed to a specific person without the use
of additional information, provided that such additional information is kept
separately.
SNP
Single Nucleotide Polymorphism: a variation
at a single position in the DNA that occurs in a significant proportion of the
population. SNPs form the basis of the DNA analysis by iGene Products.
Consent
Elke vrije, specifieke, geïnformeerde en
ondubbelzinnige wilsuiting waarmee de betrokkene aanvaardt dat zijn
persoonsgegevens worden verwerkt (artikel 4, lid 11 GDPR).
Processor
A party that processes personal data on
behalf of the controller, without itself determining the purpose and means of
the processing.
Processing
Any operation carried out with regard to
personal data, including collecting, recording, organising, storing, updating,
modifying, retrieving, consulting, using, disclosing, disseminating, erasing,
or destroying data.
Processorsovereenkomst
Een overeenkomst tussen de
verwerkingsverantwoordelijke en de verwerker waarin de voorwaarden voor de
gegevensverwerking zijn vastgelegd, zoals vereist door artikel 28 GDPR.
Processingsverantwoordelijke
The party that determines the purpose and
means of the processing of personal data. In the context of direct service
provision, this is iGene Products.
Last updated: 29 May 2026