(hereinafter, “Privacy Policy”)

Dear Customer,

pursuant to articles 13 and 14 of Regulation (EU) 2016/679 – General Data Protection Regulation (hereinafter, the “Regulation”), we inform you that EVA Genetics Srl (hereinafter, “EVA”), in order to provide you with its products and/or services, as the data controller, will process some personal data relating to you for the purposes indicated below.

Who will process the personal data?

The owner of the personal data processing is Eva Genetics Srl (https://evagenetics.com) – VAT number 13665770965- with headquarters in Via Villa, 20 20854, Vedano al Lambro (MB).

What personal data will we process?

The following categories of personal data (the “Data” or “Your Data”) relating to you and/or interested third parties will be collected and processed:

• personal data (name and surname, date and place of birth, residential address, tax code);
• contact details (telephone number and email address);
• bank details (in particular, IBAN or debit/credit card references);
• navigation data (cookies);
• sample data: Identification code (ID); sampling date, registration data;
• special categories of data (in particular, data relating to health: for example, data reported in any anamnestic or self-assessment questionnaires, data relating to symptoms, medications taken, familiarity with pathologies, biometric data relating to the physical characteristics of the person, such as weight, height, circumference measurements, biological samples, results of our genetic tests, as illustrated in other documents on our site, graphometric data, etc.),

This is the Data that you have provided to us, which is essential for providing, in your favor as the Contractor, the services and/or products requested.

Why will we process the Data?

The Data will be processed for the purposes and on the basis of the legal bases indicated below:

Purpose of the processing

Your personal data will be processed for the following purposes:

• Nutrigenetics services : execution of genetic tests by taking a saliva sample to indicate predispositions in the metabolic, nutritional, predisposition to food intolerances, sports performance, aging processes, etc., subject to your explicit consent for the execution of the requested nutrigenetic service. Medical consultancy, prevention, diagnosis and health care services.
• Purchase of products in e-commerce mode : purchase of food supplements in accordance with our “General Terms and Conditions”.
• Payments: management of electronic payments for purchased services
• Self-assessments: management of self-assessment data relating to lifestyle, eating habits, allergies, intolerances, any pathologies in order to generate personalized nutrigenetic or nutritional plans or in order to provide some preventive assessments to the unregistered user;
• Legal obligations : fulfillment of obligations under laws and regulations.
• Protection of rights : defense in court or protection of rights in court.
• Scientific research : participation in research studies, subject to your consent.
• Management of our site : identification, management of requests, technical assistance, administration of the platform.
• Management of consents and advanced electronic signatures .
• Communications : sending service communications, information relating to nutrigenetic treatments, informative material on services similar to those already used.
• Marketing : sending promotional communications, including personalised ones, relating to services or products similar to those purchased (so-called soft spam) or relating to other products and services, subject to your consent.
• Telemedicine : scheduling and management of remote medical visits in compliance with professional secrecy and in accordance with a contract with a healthcare professional.
• User satisfaction : measuring the level of user satisfaction.
• Sending newsletters : periodic sending of informative communications relating to the activities of the data controller and other related regulatory or specialist aspects following registration for the relevant service.
• Data storage and archiving : Electronic storage and archiving of our test results is important because it ensures greater integrity and security of documents, avoiding loss or damage, and because it facilitates access to data by interested parties, increasing their active involvement in managing their health and adherence to treatments.
• Purposes of scientific research or statistical purposes: the data may be processed pursuant to art. 9 par. 2, letter j), of the GDPR and 110-bis paragraph 4 of Legislative Decree 196/2003;

Legal basis for processing

The processing of your personal data is based on:

• Explicit consent: your act of informed, unequivocal and manifest positive consent for the performance of genetic tests and the processing of data belonging to particular categories contained in the self-assessment questionnaires requested from you as an interested party;
• Consent: for marketing purposes and for participation in research studies or self-assessment questionnaires for unregistered users.
• Performance of a contract: for the management of the EVA platform and the provision of the requested e-commerce services.
• Legal obligations: to fulfill obligations under laws and regulations.
• Legitimate interest: to protect the rights of the Data Controller and to improve services.
• Purposes of prevention, diagnosis, therapy, management of health systems and services: under the responsibility of a health professional and in accordance with a contract with the same.

We remind you that, where the processing of your data is based on the consent you have given, such consent may be revoked without prejudice to the lawfulness of the processing based on the consent given before the revocation. We also inform you that the processing of Data, not falling into special categories, may still be legitimately carried out, without your consent for the execution of contractual services requested by you or foreseen in your favor, for the fulfillment of legal obligations, for the performance of administrative-accounting activities related to the management of the contractual relationship and for the pursuit of other legitimate interests. Furthermore, the processing of your special data may also take place without explicit consent, where carried out in the context of a relationship with a healthcare professional.

How will we process your data?

Your Data will be processed using logic and methods, including computerised ones, strictly relevant to the purposes indicated above, after adopting security measures deemed appropriate to the risks. The Data will be made accessible only to authorised personnel, within the limits of what is strictly necessary for carrying out the activities for which they are responsible. Genetic data will be processed using encryption techniques or through the use of identification codes or other solutions that make them temporarily unintelligible even to those authorised to access them and allow the interested parties to be identified only in case of need, in order to reduce to a minimum the risks of accidental knowledge and abusive or unauthorised access. The aforementioned techniques also allow the separate processing of genetic and health data from other personal data that allow the interested parties to be directly identified.

Advanced storage and backup systems are adopted, as well as document encryption capable of guaranteeing the integrity and availability of data over time.

Cloud storage solutions will also be adopted to provide additional security guarantees for data storage.

To whom will we communicate the Data?

The Data will not be subject to disclosure, but may be communicated to third parties, solely for the purposes set out above. In particular, the Data may be communicated to:

• third parties: within the scope of a contractual or conventional relationship with the Data Controller, to allow the performance of certain healthcare services in favor of the interested party by external subjects highly qualified for that specific service, or to carry out analyses at external laboratories in “service”, who will typically act as data controllers pursuant to art. 28 of the GDPR or, in specific situations, as data controllers or joint data controllers;
• public administration bodies: public security authorities, judicial authorities and other entities, acting in their capacity as independent data controllers, to whom it is mandatory to communicate the Personal Data pursuant to provisions of law or orders of the authorities;
• providers of services strictly related and functional to the activity of the Data Controller: they typically act as data controllers pursuant to art. 28 of the GDPR, including IT service providers for the management of the technological infrastructure, information systems and telecommunication networks;
• consultants of the Owner for commercial, administrative and accounting purposes: meaning those connected to the organizational-commercial, administrative, financial and accounting and contractual activities related to the services.

How long will we process the Data?

Your Personal Data will be retained only for the time necessary for the purposes for which they are collected, respecting the principle of minimization pursuant to Article 5, paragraph 1, letter c) of the GDPR, as well as in compliance with the legal obligations to which the Data Controller is subject. In particular, after the test has been performed, your biological samples will be retained at the Laboratory only for the period of time strictly necessary for any verification of the results and will subsequently be disposed of. The documents containing Personal Data uploaded by the Interested Parties when requesting a possible consultation/video visit (such as, for example, clinical tests, etc.) will be retained by the Data Controller for a period of one (1) year from the date of closure of the account on the Platform. At the end of this period, the documents will be archived, always in encrypted form, for legal purposes only and for the duration of the civil statute of limitations; after this additional period they will be irreversibly deleted.

Place of treatment

Your data will be processed within the European Union. If we transfer your personal data outside the European Union, we will ensure that it is adequately protected, as required by the GDPR. We will use appropriate transfer mechanisms, such as standard contractual clauses approved by the European Commission, to ensure that your personal data is secure.

Your rights

The privacy legislation (articles 15 to 22 of the Regulation) guarantees you the right to access at any time the Data concerning you, to obtain their rectification and/or integration, if inaccurate or incomplete, their cancellation, if processed unlawfully, and the portability of the Data that you have provided us, if processed automatically on the basis of your consent or for the contractual services requested by you, within the limits of what is provided for by the Regulation (article 20).

The privacy policy also grants you the right to request the limitation of the processing of your Data, if the conditions are met, and to oppose the processing for reasons related to your particular situation.

Where the processing of the Data is based on your consent, you have the right to revoke it at any time, without prejudice to the lawfulness of the processing based on the consent given before the revocation.

For clarifications on the processing of your data and to exercise your rights, you can write to the email address: privacy@evagenetics.com .

Your right to contact the Privacy Guarantor remains intact, including by submitting a complaint, where deemed necessary, for the protection of your data and your rights.

EVA reserves the right to modify its Privacy Policy to adapt it to legislative or regulatory changes or on the instructions of the Data Protection Authority. Users are advised to review it periodically.