Privacy Policy

PRIVACY POLICY – PLATFORM USERS

1. LEGAL INTRODUCTION

At EXHEUS we work to offer you the best possible experience through our products and services and to do so, we need to access and process certain information to achieve it. This information may involve accessing your personal data, but EXHEUS is concerned about your privacy and we believe that we must be transparent about it. Therefore, and for the purposes of the provisions of REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 (hereinafter, “GDPR“) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and Law 34/2002 of 11 July, on Information Society Services and Electronic Commerce (hereinafter, “LSSI“),

2. PARTIES INVOLVED IN THE PROCESSING OF YOUR PERSONAL DATA

In order to provide the services offered by the BeyondYou Platform, it is necessary that we process your personal data in order to be able to offer them, since without them we could not analyze your genetic expression and provide the corresponding genetic expression results and the medical assessment through the Health Professional. For this purpose, it is necessary that you are informed at all times who is the Controller of your personal data as well as who is in charge of processing your data under the instructions of the Controller.

• PERSON IN CHARGE OF THE TREATMENT

EXHEUS, as Platform provider, acts as Data Processor of the personal data of the Platform’s interested parties, which are:

• Healthcare Professional: a qualified natural person within the healthcare sector who acts (1) in his/her own name as a self-employed person or (2) on behalf of the MEDICAL CENTER that has contracted the services of Exheus, for the provision of the services agreed upon in the Contract.

• Patient: natural person who accesses the Platform under the authorization of the Health Professional.

The foregoing parties shall be collectively referred to as the “User(s)” as defined in clause 3 of the Platform Terms of Use.[1] 

EXHEUS corporate data is specified below:

• Company: EXHEUS, S.L
• Registered office: Pl. Pau Vila, 1 08003 Barcelona
• C.I.F. No.: B01686518
• E-mail: dpo@exheus.com
• EXHEUS has appointed a Data Protection Officer in its organization. If you want to make a query regarding the processing of your personal data, you can contact us through the email indicated in the previous point.

• PERSON IN CHARGE OF THE TREATMENT

The MEDICAL CENTER or Health Professional that hires the services of Exheus, assumes the role of the Responsible for the Treatment of the personal data of the Users.

The corporate data of the Data Controller will be included in the Service Agreement between Exheus and the MEDICAL CENTER.

3. INTRODUCTION TO EXHEUS PRODUCTS

EXHEUS Products consist in the realization of a genetic report that will be available to Users[2]  through our platform www.beyondyou.life in accordance with the Terms and Conditions published on the Platform itself, which you acknowledge having previously read and accepted.

The sample for genetic analysis can be extracted either (a) in one of the accredited laboratories with which EXHEUS collaborates or; (b) through the MEDICAL CENTER’s own laboratories, if so indicated.

The genetic laboratory contracted by EXHEUS during the processing of your blood sample will isolate your RNA and perform a previous analysis of these data to sequence the expression of genes (RNA) of your blood sample, subsequently this information will be analyzed by artificial intelligence algorithms available to EXHEUS for the issuance of the final report object of the Service.

Neither the laboratory nor EXHEUS will search your blood sample for any other agent, marker or biological or chemical component other than your RNA or DNA. Likewise, the laboratory will have a very restricted access to your personal data since they will have previously undergone a pseudo-anonymization process, a process that consists in the assignment of an alphanumeric and univocal code of your data and that exclusively allows EXHEUS to link to your customer account the genetic data derived from your blood sample and that will be collected in the genetic report object of the Service.

Once the genetic report that is the object of the Service has been completed, Exheus will make the genetic report available to the Data Controller through the Platform, so that the latter may carry out the necessary actions, recommendations or diagnoses.

The information is strictly personal, unless you expressly authorize third parties. If this information may affect any members of your family, you are solely responsible for transmitting this information to them.

4. ACCESS TO YOUR PERSONAL DATA AND PURPOSE OF ITS PROCESSING

In order to provide our Service on the Platform, we need to process your personal data for different purposes, always related to the provision of our services. To this end, we indicate below what data we may process as well as the legal basis that justifies the processing of the same, depending on the role you assume on the Platform:

• Health Professionals

• Registration and access to the Platform: To manage the registration and access to the Platform, it is necessary that you create a user account to access your contracted services. To do so, you will be asked for your email address and the creation of a password.

There is the option to directly access the Platform through your Google account. To do so, the Platform will be synchronized with the personal data that Google has about you and that you have previously agreed to share with Exheus by accepting its corresponding Privacy Policy.

• User Profile: in order to manage your user profile as a Health Professional, the following identification data will be processed: name and surname, gender, professional e-mail address, date of birth. You will also be asked for commercial-professional data such as the name of the clinic in which you work or represent, its fiscal ID, country and medical specialty. Optionally you can enter a profile picture.

• Product Purchase and/or Order: to make and process a purchase or new order of Exheus products, it will be necessary to collect your email address to assign the product in question. Once the assignment is verified, our payment gateway will ask you for more information and, once this step is completed, you will receive an email with the confirmation of the purchase of the product.

• Patients

• Registration and access to the Platform: To manage the registration and access to the Platform, it is necessary that you create a user account to access your contracted services. To do so, you will be asked for your email address and the creation of a password.

There is the option to directly access the Platform through your Google account. To do so, the Platform will be synchronized with the personal data that Google has about you and that you have previously agreed to share with Exheus by accepting its corresponding Privacy Policy.

• User Profile: to manage your user profile as a Patient, the following identification data will be processed: name and surname, gender, Patient ID. This data will only be visible to the Healthcare Professional and strictly authorized EXHEUS personnel who adopt the function and role of Administrator in the Platform.

• Life habits questionnaire. In order to better understand your lifestyle habits and your general health, data related to your lifestyle , status health and pathological family history will be processed. Access to the corresponding questionnaire will be restricted to the Health Professional and EXHEUS staff strictly authorized to carry out the purpose of the treatment.

• Blood collection. In order to provide you with the results of the contracted service, our blood collection partners or the one selected by the Customer, as well as partner laboratories, will access your data to make the necessary reports, without EXHEUS being able to access such information.

• RNA sequencing. Once the RNA extraction (genetic data) is performed, RNA sequencing will be performed by our collaborating sequencing centers, without EXHEUS being able to access this information.

• Final report. After sequencing by our collaborators, they will provide EXHEUS with the necessary data so that our specialists can analyze it and subsequently generate the final report, which will be available on the Platform. Access to this information will be available to the Health Professional.

Throughout all these phases in order to provide the contracted services, we will count on collaborators and/or suppliers to offer auxiliary services to the main service. For more information about them, go to clause 7.

Improvement of our Products and/or Services.

Algorithm Training. In order to offer you better results in the provision of our services, we can access your genetic data in a pseudo-anonymized way to train the Algorithm that has the mission to offer the results you get with more accuracy, reliability and scientific efficiency.

It is very important for us to be completely transparent with you, and to inform you that the data we process will not be transferred or sold to third parties and will only be treated confidentially and internally for the purpose of quality and improvement of the contracted services.

5. LEGAL BASIS FOR THE PROCESSING OF YOUR DATA

The legal basis that justifies the processing of your data mentioned above is:

• Consent (art. 6.1.a RGPD): It will be necessary that you give us your express, free and unequivocal consent so that we can process the aforementioned data in order to offer you:
  • To process your personal health data provided to carry out the life habits questionnaire.
  • To offer you lifestyle, health and wellness recommendations through the product.
  • Improving our services by training our algorithm, and consequently providing more accurate and better quality results.

In view of the above processing purposes that have consent as a legal basis, we inform you that you may withdraw your consent to the processing of the same at any time by contacting either your MEDICAL CENTER or EXHEUS through our email @dpo@exheus.com.

• Contractual Relationship with your MEDICAL CENTER (art. 6.1.b RGPD): To offer you the services contracted with your MEDICAL CENTER through the Platform as well as to communicate with you in everything related to the process of the service as well as all the updates of the same and/or solution of problems or incidences of the Platform.

• Fulfillment of a legal obligation (art. 6.1.c RGPD): the present legal basis will be necessary for fraud prevention, communications with public and judicial authorities when required by national and/or international law and for possible claims from third parties.

6. PRESERVATION OF YOUR PERSONAL DATA

The processing of data for the purposes described will be maintained for the time necessary to fulfill the purpose of collection, as well as to comply with legal obligations arising from the processing of data. Without prejudice to the conservation is necessary for the formulation, exercise or defense of potential claims and / or whenever permitted by applicable law.

EXHEUS has a Data Retention Policy in accordance with the RGPD and the LOPDGDD. For more information please contact us: dpo@exheus.com

7. RECIPIENTS WE COMMUNICATE YOUR DATA TO

In some cases, only when necessary, EXHEUS will provide your data to third parties as introduced in clause 4 “Access to your personal data and purpose of processing“. Even if there is a possibility of access to third parties, we guarantee that your data will not be sold to anyone.

The possible access to third parties, are our external service providers (e.g. payment providers, extraction centers, hosting-cloud services, among others) contracted by EXHEUS that will process your data in accordance with the instructions indicated by EXHEUS and with the sole purpose of properly executing the contractual relationship that exists between EXHEUS and its suppliers.

EXHEUS, complies and guarantees the principle of transparency to users so that to know more accurately which suppliers and partners we have contracted, you can contact your CENTER or directly to our email (dpo@exheus.com).

EXHEUS has been responsible for regularizing the access and processing of personal data covered by this Privacy Policy, with each of the suppliers in accordance with Article 28 of the GDPR and, in the event that there may be international transfers outside the European Economic Area (EEA) with such suppliers, EXHEUS guarantees to have implemented the corresponding safeguards contained in Articles 45 and 46 of the GDPR, either by signing Standard Contractual Clauses or other legal safeguards.

EXHEUS endeavors to ensure the security of personal data when it is sent outside the company and ensures that third party service providers respect confidentiality and have adequate measures in place to protect personal data. These third parties are obliged to ensure that the information is handled in accordance with data privacy regulations.

In some cases, the law may require that personal data be disclosed to public bodies or other parties, only what is strictly necessary for the fulfillment of such legal obligations will be disclosed.

8. STORAGE OF YOUR PERSONAL DATA

In general, data is stored within the EU. However, in the event that the processing of your data means an international transfer of data outside the European Economic Area (EEA), EXHEUS undertakes to implement the necessary security measures to ensure an adequate level of safeguarding of such transfers by means of processor contracts and, where appropriate, will ensure that they provide an adequate level of protection, either because they have Binding Corporate Rules (BCR) or because we have subscribed to the model clauses of the European Commission. In the event of international data transfers, EXHEUS shall be obliged to inform the data subjects of such transfers.

For more information about our service providers and their guarantees regarding international transfers, you can contact your CENTRO or directly to our e-mail dpo@exheus.com. 

9. EXERCISE OF RIGHTS AND HOW YOU CAN EXERCISE THEM

You can send your communications and exercise your rights by sending a request to the following e-mail address dpo@exheus.com.

Under the GDPR you can request the following rights

:

• Right to information: you may request information about the personal data we hold about you.
• Right of rectification: you can communicate any change in your personal data.
• Right of deletion and right to be forgotten: you can request the prior blocking of the deletion of personal data.
• Right to limitation of processing: this is to restrict the processing of your personal data.
• Right to data portability: in some cases, you may request a copy of personal data in a structured, commonly used, machine-readable format for transmission to another data controller.
• Right to object and automated individual decision-making: you may request that decisions based solely on automated processing, including profiling, that produce legal effects or significantly affect the data subject not be made.

In some cases, the request may be denied if you request the deletion of data necessary for compliance with legal obligations. Also, if you have a complaint about the processing of data, you can file a complaint with the competent data protection authority: Spanish Data Protection Agency (“AEPD“) with address at Calle Jorge Juan, 6. 28001 – Madrid, Spain.

10. SECURITY MEASURES APPLIED TO THE PROCESSED PERSONAL DATA

EXHEUS has adopted the legally required personal data protection security levels, and tries to install those additional technical means and measures within its reach to prevent the loss, misuse, alteration, unauthorized access and theft of personal data provided to EXHEUS.

EXHEUS is concerned about the personal data of its customers and has therefore implemented a series of technical and organizational measures (“TOMS“) in accordance with recital 29 of the GDPR.

For more information you can contact your center or directly to our e-mail dpo@exheus.com.