Privacy Policy

Introduction

Very simply, our aim in this statement is to explain what personal information we hold, why we hold it, what we do with it, and how we protect it.

This statement is divided into Parts as follows:

Part A:

+ Details of the information we hold, and how we use it

+ General/contact information

+ Payment information and financial records

+ Genetic data, and other information related to our services, including DNA tests, data uploads and wellness or trait reports

+ Additional information related to Family Matching

+ Additional information related to our research

+ Further information: Information related to Living DNA accounts, Marketing, & Changes to why we use your information

Part B:

+ How we collect your information

Part C:

+ Sharing your information

Part D:

+ How long we keep your information

Part E:

+ Security

Part F:

+ General, including information about your rights


Appendix

When we refer to ‘personal information’ in this statement, we mean any information you have given us from which you could be identified. We take this very seriously as we know this is valuable to you.

This statement does not include details of information which we collect purely by using our website. Information on this is contained in our Cookie Policy.

It’s important to us that you read our Cookie Policy and any other statements about our privacy practices that we may give you, so that you know the lengths we go to in order to protect your information. We see ourselves as custodians of your personal information, which remains yours at all times; our role is primarily to be your DNA partner.

If you have chosen to take part in our research initiatives, you will have agreed to our research consent, which contains information about how we use your personal information and your options for changing your mind. This Privacy Statement should be read together with our consent form.

Regulatory background: GDPR

The EU General Data Protection Regulations (which are known as GDPR) apply to us when we collect or use personal information. The regulations were introduced to protect people's data. GDPR describes businesses such as ours, who determine why and how personal information is used, as 'controllers', and the use of personal information as 'processing'. Processing includes collecting information, storing it, disclosing it, using it and destroying it.

The regulations state that information should only be processed in one or more specified circumstances, which are known as 'lawful bases'. The lawful bases on which we may process your personal information include:

  1. Where you have given your consent. We have shortened this to 'consent' in the statement.
  2. Where necessary to carry out the terms of a contract, for example the contract for us to provide services to you. We have shortened this to 'perform contract'.
  3. Where necessary to comply with a legal obligation. We have shortened this to 'comply with law'.
  4. Where we or someone else has a legitimate interest which is not overridden by your interests. We must always balance your interests and rights with our interests if we are to process your information on this basis. We have shortened this to 'legitimate interest'.



In this statement we have grouped the types of personal information that we may hold into broad categories. The categories are:

  1. General information including contact information
  2. Payment and transactional information
  3. Information related to administering your account/providing our services including your genetic information

We also create anonymised data (meaning that we remove your name and any other information which can link you to the data), and combine it with data from other customers which has also been anonymised. We use and share this combined data, which is also known as aggregated data.

For example, we may anonymise and combine genetic data and use that information in our laboratories for validation and verification purposes.

Other examples of how we use anonymous/aggregated data are for business management, planning and tracking purposes.



Part A - What personal information we hold, and how we use it

General contact information/communication records

This may include address, phone number, email address, communications consent, research consent and other information that you may provide to us during routine communications, such as when you ask us to respond to a query.

When we obtain this information:

  1. We collect some or all of this information, depending on the circumstances, when you ask us a query, whether by phone, email, the contact form on our website, letter or in person, or when you opt to join one of our mailing lists or provide consent for us to send marketing material to you. We retain copies of all communications, and so will have any personal information which you include in communications you share with us.
  2. We also obtain some of this information (your name and address) if someone orders a DNA test and asks us to send a DNA sampling kit to you. Please be aware, the choice to take a DNA test is always yours.
  3. We record telephone calls to our customer services team, and if you provide your name or contact details and other personal information, these will be recorded.

How we use this general information

Use: To communicate with you, and to investigate and respond to your queries, including for research purposes where you have opted to take part in our research activities.

Lawful basis: Legitimate interest. Perform contract (where you have placed an order or opened an account). Consent (in relation to our research activities).

Legitimate interest: To provide information which you have requested, and to respond to your queries.

Use: We record telephone calls with our customer services team for monitoring, training, supervision and for verification purposes. We may need to refer to these recordings if there is any dispute between us.

Lawful basis: Legitimate interest. Perform contract. Comply with law.

Legitimate interest: To maintain high standards on our calls, and to be able to evidence what occurred in the event of a dispute.

Use: Where you opt to receive information including marketing communications from us, to send this information to you.

Lawful basis: Legitimate interest. Consent.

Legitimate interest: To promote our services and broader industry awareness.

Use: We ask you to consent to various actions, including us sending you marketing communications, and research, and retain records of the consents that you give.

Lawful basis: Comply with law. Legitimate interest.

Legitimate interest: To maintain accurate records of what consents we have to perform our business activities.

Use: To deliver any physical products/a DNA sampling kit to you, and to maintain a record to show that we have done so.

Lawful basis: Perform contract.

Use: To send you surveys and other requests for information, including for research purposes.

Lawful basis: Legitimate interest. Consent (where contact is for research purposes).

Legitimate interest: To improve our services.

If you use our DNA services, including opening an account with us, we will hold your billing address and shipping address in addition to the general contact information already described, and we will use your name and contact details for additional purposes as described below.



How we use this information

Use: We use your name and address for identification purposes.

Lawful basis: Perform contract. Legitimate interests. Consent (where you have opted to take part in our research work).

Legitimate interest: Using names and address to identify our customers is necessary for the efficient and secure running of our business systems.

Use: We use your general contact information to maintain your account with us, and to maintain our research records.

Lawful basis: Perform contract. Consent (in respect of research records).

Use: We record your name and other contact or identification information on records of your interactions with us, including records of services you order, or participation in our research work.

Lawful basis: Perform contract. Comply with law. Legitimate interest.

Legitimate interest: To maintain records of orders you place, and consents that you have given to us, and to maintain an accurate record of our interactions and of the services that we provide to you.

Use: We use your shipping address to send these to you.

Lawful basis: Perform contract.

Use: We use your general contact information to deliver our services in accordance with our Terms.

Lawful basis: Perform contract.

Use: We use your general contact information to exercise and if necessary to enforce our rights, including under our Terms, and to handle any complaints or disputes that may arise.

Lawful basis: Perform contract. Legitimate interest.

Legitimate interest: To responsibly manage our business by enforcing our rights, including defending any claims that may be brought against us.

Use: We may also use your contact information and account information to determine what services to promote to you, and what information to display on your account.

Lawful basis: Legitimate interest.

Legitimate interest: To promote our business interests, and to appropriately target communications.

Payment information and financial records

When you make payment by card online, your details are processed by a third party payment provider; we do not receive any details other than the last 4 numbers of your card (in some cases) and your billing address (in some cases).

If you make a card payment by phone or in person, we will receive your card information, but will process it through a third party payment provider, and will receive only the information that we would receive if the payment were made online (see above).

Where possible we process refunds in the same manner as payments, otherwise we make the payment by bank transfer.

If you make a payment, or we pay a refund to you, by bank transfer, we receive your account name and payment details. This will be recorded on our bank statement.

We create and retain records of the transactions which you enter into with us, including details of payments owing and made.



How we use this information

Use: We use your name and address for financial record keeping purposes.

Lawful basis: Comply with law.

Use: We use your payment information to process payments and refunds to you.

Lawful basis: Perform contract. Comply with law.

Use: We record details of our financial transactions with you which will include your name, email, address and payments made or owing.

Lawful basis: Legitimate interest. Comply with law.

Legitimate interest: To maintain accurate financial records.

Genetic data, and other information related to DNA tests or data uploads

If you take a DNA test with us, or upload your genetic information to our site we will also collect/hold depending on the circumstances/service:

  • Your age
  • Your biological sex
  • Information about your parents, if you choose to provide this.
  • A barcode (see below for further details)
  • Your mouth swab/other biological sample
  • Your DNA sample which is extracted from your mouth swab
  • Your genetic data
  • Your reports/results including ancestry, wellbeing or trait reports.

How we use this information

Use: We ask for the biological sex of any person being tested or who uploads their data to our site. We use this information as part of our quality control and verification processes by which we check the accuracy of our results. Further, this information helps us to know what reports to provide, as some are specific to a biological sex.

Lawful basis: Perform contract

Use: We use the age of the person being tested to determine if our internal processes in respect of minors should be followed.

We also use it to improve our services and to make them more accurate.

Lawful basis: Perform contract, legitimate interest & comply with law

Legitimate interest: To maintain effective internal controls, and to improve our services.

Use: We give you the option of providing details about your parents.

Lawful basis: Perform contract & legitimate interest

Use: We use a barcode to identify your account as part of our processes for protecting your privacy. Instead of storing your genetic information using your name as the identifying reference, we use a barcode. We keep separate records which link your barcode to your account with us. Our laboratory is not given your name, only the bar code. In this way we are able to limit the number of people who can see your name in connection with your genetic data.

Lawful basis: Legitimate interest & perform contract

Legitimate interest: To protect the privacy and security of our customers' data.

Use: We use the mouth swab that you return to us to extract your DNA sample.

Lawful basis: Consent

Use: We analyse your DNA sample to derive your genetic data, and if sufficient DNA material remains, we will store your DNA sample.

Lawful basis: Consent

Use: We use your genetic data to provide you with the service/reports you order. What information we hold will depend on the reports you order from us. If you maintain an account with us, we will store your genetic data for you. We may use it to update your results (if applicable), and to provide further services which may require your data to be further analysed. We will seek your consent before processing this data to provide you with any other services other than to update your results.

Lawful basis: Consent

Use: We produce your results/reports including Ancestry, Wellbeing or trait reports based on your genetic data, and provide these to you through your account, or by way of printed book.

Lawful basis: Consent

We will also use your genetic data and other information supplied by you in response to our research surveys for our research work, but only where you have consented to this through our research consent form. Our lawful basis for the use of your genetic and other data for research purposes is consent.



Family Matching

We will use your account and genetic information to provide our Family Matching Service, if you choose to participate. For more information about how we use your genetic data, please see the genetic data section immediately above.

We will use your genetic data together with the genetic data of other people who participate in Family Matching to identify if, and the extent to which, you share matching genetic data. This will provide a list of people with whom you share a greater or lesser degree of matching DNA, your 'matches'. This may result in us knowing the identity of your biological parents, siblings and other relatives.

We will use this information and other information provided by you and other participants in Family Matching (such as dates of birth and sex) to show potential family relationships between you and those with whom you share a level of DNA.

We will share your personal information with other users of Family Matching in order to alert them that they share genetic data with you. We will share your name or alias (if you have chosen to use an alias), your ethnicity breakdown (if you have chosen this service), and will identify what segments of DNA you and your match share in common if you choose to use this feature. Further information on this feature is provided on the ancestry page of our site. We will also share with your matches all information which you have identified as 'public' in your privacy profile.

Further information on what information we use in providing Family Matching, and how, is provided below:

How we use your information

Use: We will use your genetic data to compare it to other participants' data for the purpose of finding your DNA matches.

Lawful basis: Consent.

Use: We will use your date of birth and biological sex (where available) to help improve the accuracy of Family Matching.

Lawful basis: Perform contract.

Use: We will share with your Matches your name or alias, country of residence, ethnicity breakdown (if available), and if you chose our DNA segment matching feature, your shared DNA segments, as explained on our Family Matching page.

Lawful basis: Perform contract. Consent.

Use: We will also share with your Family Networks matches whatever information you have identified as 'public' in your profile with Living DNA.

Lawful basis: Consent. Perform contract.

Use: We facilitate a messaging service. We will store the messages which you send through the service. We will be able to identify your messages as coming to or from you.

Lawful basis: Perform contract. Consent. Comply with law.

Use: We may view communications passing between you and other users of the site for security and safety purposes through our messaging service, and to monitor compliance with our Website Acceptable Use Policy and Website Terms. We may delete such messages in line with our Website Acceptable Use Policy and Website Terms.

Lawful basis: Perform contract. Legitimate interest. Comply with law.

Legitimate interest: We have a legitimate interest in taking steps to help prevent our system and service from being used in a way which is unlawful, or offensive to other users.

Use: We will maintain records of your activity as a participant in Family Matching including details of matches sent to you, and your matches sent to other users.

Lawful basis: Perform Service. Legitimate interest.

Legitimate interest: We have a legitimate interest in maintaining records of the services we provide.



Your matches may live in or outside the EU, for example you may 'match' with someone who lives in Australia. Your matching information may therefore be passed outside of the EU (where we store your information), meaning your matches who live outside of the EU will (as with your EU based matches) be able to see your public information, and will be told that you are a match. If your information is transferred outside the EU in this way, you will not have the benefit of the protections of the regulatory regime in the EU. If you do not wish your information to be passed outside of the EU to your matches, you should not participate in Family Networks, as we are unable to prevent your data being shared with non-EU resident matches.

If you stop using Family Networks, we will remove your matching information from our Family Matching tool. Within 7 days of you opting out of Family Matching we will have removed from our Family Matching system any of your information which is visible to participants. Your matches will no longer be able to see any of your information.

Please be aware that it takes up to a further 6 months for information that is no longer required to be fully removed from our systems because we retain backup and archive files.

We will continue to retain on our system administrative data in relation to your past use of Family Matching, and copies of any messages that you have sent or received using our messaging service. Administrative data includes records showing that you opted in and consents given in relation to the service, and your request to withdraw from it.

Information related to our research

If you choose to participate in our research initiatives (and have not opted out of further contact), we will contact you through your account with us to ask you to take part in surveys to support our research. Our lawful basis for keeping your contact details and making contact in this way is consent.

We may use your bar code, genetic data, account information (including name, biological sex, place of birth, parent’s place of birth), and any information you provide in response to our surveys for our research. Further information about our research is provided in our Research Consent. Wherever practicable your information will be anonymised before it is used. Our lawful basis for using your information for research purposes is consent.





Further information

Information related to your Living DNA account and your use of it

You may upload personal information including a photograph to your account. We will store and use this information in order to provide our services, so our lawful basis is ‘perform contract’.

Marketing

  1. If you have an account with us, you can make choices about whether or not we may contact you for marketing purposes through your Living DNA account.
  2. You may receive marketing communications from us if you have requested information from us or purchased services from us and you have not opted out of receiving these communications.
  3. You can ask us to stop sending you marketing messages at any time through your Living DNA account, by contacting us, or by following the opt-out links on any marketing message sent to you.

Changes in why we use your information

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.

If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal information without your knowledge or consent, but only where this is in compliance with the above rules, where this is required or permitted by law.

Part B - How we collect your information

We use different methods to collect data from and about you including:

  1. Direct interactions. You may give us your personal information by filling in forms or by corresponding with us by post, phone, email, or otherwise. This includes personal information you provide when you
    1. order our services;
    2. upload your genetic data to our site, or provide a DNA sample to us;
    3. create an account with us;
    4. respond to one of our research surveys;
    5. subscribe to one of our publications;
    6. request marketing to be sent to you;
    7. enter a competition, promotion or survey; or
    8. give us feedback or contact us.
  2. Automated technologies or interactions. As you interact with our website, we may automatically collect information about your equipment, browsing actions and patterns. Please see our Cookie Policy for further details.
  3. Third parties or publicly available sources. We may receive personal information about you from various third parties and public sources including:
    1. Information from:
    2. analytics providers such as Google;
    3. advertising networks; and
    4. search information providers
    5. providers of technical, payment and delivery services
    6. information from publicly available sources
  4. Through providing our services or our research
    1. Many of our services will produce or reveal your personal information, for example, a DNA test will provide your genetic data, and when we analyse that data, depending on which service you choose, it will reveal information about you such as your ancestry breakdowns and information identified on our site in relation to our wellbeing reports.

Part C: Sharing your information

In this section we provide information on who we share your information with, and why.

1. Service providers

We use a range of service providers and consultants in order to help run our businesses and to provide our services. We require all third-party service providers to respect the security of your personal information and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal information for their own purposes and only permit them to process it for specified purposes and in accordance with our instructions.

These service providers include:

Our laboratories & biological storage facilities

We use fully accredited professional laboratories to receive your mouth swab sample, to extract your DNA from the sample and to provide your genetic data. They also receive your biological sex information. They store your DNA sample for us (and may also retain your biological sex) for up to 10 years.

We have laboratories based in the US and in Europe. Generally, samples sent to us from the USA will be received and processed by our laboratory in the US, and samples sent to us from the rest of the world will be processed in the EU.

We may send samples from Europe to our laboratory in the USA provided that they are part of the Privacy Shield, which requires them to provide similar protection to personal data shared between Europe and the US. For further details, see European Commission: EU-US Privacy Shield.

Shipping and printing

We use specialist logistics service providers to deliver sample kits to you, and your results in book format (where you order this service), and to ship other physical products for us. This includes specialist partners who we appoint to receive samples from our customers, and arrange for their secure shipment on to our laboratories.

We also use specialist printers to print results in book format.

'Cloud' based service providers

We use 'cloud' based storage providers to securely maintain the information held within our databases, and this will include your personal information including your genetic information.

Please see 'Security of your information' below for further information on security aspects of our cloud storage arrangements.

We also use service providers who assist us with our 'cloud' based infrastructure, and 'cloud' client support tools.

Professional advisers

We may share information with our professional advisers including lawyers, accountants and insurance advisers. We do not routinely share genetic information with our professional advisers, but it is possible that this could happen, for example if court proceedings relating to genetic data were to be brought against us.

Other specialist consultants and service providers

These include IT consultants, and service providers that assist us with marketing, analytics, and cyber security/fraud prevention. We may also in limited circumstances share personal information with our insurer.

Payment service providers

We use the services of payment processing companies to facilitate you making payment. These providers will use your contact and billing information including your credit card details to process your payment. When you make payment online, your banking details are provided to that payment processing company, and not to us.

2. Our Partners

If you buy our services through one of our partners, we will provide to that partner the information that you consent to them receiving at the time you place your order.

3. The Legal Process

There are circumstances in which we may be legally required to disclose information. Examples of this include where we are subject to a binding court order, subpoena, or a legally binding direction by a regulator, and where we are required to share information with HM Revenue and Customs. We reserve the right to share personal information where we reasonably believe that we are legally required to do so. We will not share your personal information with law enforcement agencies unless we believe that we are legally compelled to do so. We may also share information where this is necessary for us to exercise or enforce our rights under our Terms or otherwise at law, or where we reasonably and in good faith consider it necessary or appropriate to do so in order to protect the security of our site, customers or employees.

4. Change in Control

We may share your information with third parties to whom we may sell, transfer or merge parts of our business or our assets, or alternatively where we buy or merge with other businesses. If a change happens to our business, then the new owners may only use your personal information in the same way as set out in this privacy statement.

When you share your information

You may also share your personal information including using tools available on our site. We are not responsible if you choose to share your information with other people.

We may share anonymous data with third parties including for research purposes where customers have opted in to take part in our research initiatives. This is data which combines data from a pool of customers. We will only do this where no person can be identified from this data. If we share this ‘aggregate’ data, we do not ever receive a payment for the data. We do not sell customer data, ever.

Part D: How long we keep your personal information

In this section we provide guidance on how long we are likely to retain your personal information. This generally depends on how and why the information is collected. Please also be aware that it takes up to a further 6 months from the dates specified in this section for information that is no longer required to be fully removed from our systems because we retain backup and archive files.

We may also retain limited personal information for a longer period than specified, including in the event of a complaint or if we reasonably believe there is a prospect of litigation relating to our relationship with you, or that the information may be needed to exercise or enforce our rights under our terms, or to perform contractual obligations. We may also retain information for a longer period where we are legally required to do so, and for audit and compliance purposes. Additionally, our laboratories may also need to retain information that they hold on our behalf for longer periods to comply with legal or regulatory requirements. We may also retain sufficient information to be able to evidence your account deletion request.

We retain information for the periods below:

1. General Information including contact information and communications will be:

Information captured in recordings of telephone calls: up to 6 months from the end of the month in which the call happened.

Information collected when you agree to join one of our mailing lists: we may retain this information so long as you remain on our mailing list.

Contact information if you place an order/maintain an account with us:

For so long as you have an account with us, and for 7 years after you close your account.

Information collected to respond to an email or website query/records of our response (if you do not maintain an account with us): up to 2 years from the date the query is resolved.

Your communications with us if you maintain an account with us: We may retain this information whilst you maintain an account with us.

2. Payment Information and financial records:

By law we have to retain financial records. This means that if you order a service for which we charge a fee, we must retain your name and contact details, any payment details we have, and transactional information for up to seven years after you place your last order for services, or make payment to us.


3. Information relating to services including genetic information:

We will retain personal information related to your account, biological sex and genetic data for so long as you retain or have management rights/privileges in respect of data held in an account with us, and for 6 months after that time. You can ask us to delete your genetic data at any time.

We will retain your DNA sample for 10 years after you provide it to us unless you close your account or ask us to destroy it sooner.

You can ask us to destroy your sample, and can still maintain an account and receive updates to your results if you have chosen that service.

If you ask us to also delete your genetic data, you can still maintain an account and access your results, but we will not be able to provide any updates to your result.

If you also ask us to delete your results, we will delete your account information and shut your account. We will destroy the records which link your barcode with your account.

Our laboratory may in certain circumstances retain your genetic data after you have asked us to destroy your data, but neither Living DNA nor the laboratory will be able to identify you from their or our records once we have destroyed the link between the bar code allocated to you, and your account.

We explain above how we may, in certain circumstances retain your information for a longer time than is detailed here, and how it also takes up to 6 months beyond the timeframes we specify for all data to be fully remove form our backup and archive systems.

4. We will retain information collected or used to assist us with our research work (including genetic data and responses to our surveys) for so long as is required by our research work, which may be indefinitely.



Part E: Security of your information

Living DNA is committed to being a secure and trusted partner for your personal information, especially your genetic data.

How do we do this?

At the heart of how we protect your information is our commitment to International Standards set by ISO. We are certified to ISO 9001 for quality controls and ISO 27001 for information security. As part of our ISO accreditation, audits and reviews are conducted of all relevant third party service providers to check that they meet our strict requirements. We use a combination of technical, physical and organisational measures to protect the security of your information.

Physical and organisational measures help protect against social engineering attacks whereby an unauthorized person gains access to restricted information or a physical location through psychological manipulation of authorized individuals. These measures include security clearances, extensive training and physical security measures, and are subjected to rigorous external audits throughout the year.

Technical measures implemented to protect your information include:

  1. Security by design
  2. Encryption
  3. Separation of Concerns & Pseudonymization
  4. Monitoring and Alerting
  5. Proactive Vulnerability and Penetration testing

What is security by design?

Software has been designed and implemented with a security-first process with the expectation that malicious third parties will attempt to exploit the system. This includes minimising permissions and access to data for internal secure systems.

What is encryption?

Data is scrambled so it is unreadable by humans or computers without a unique decryption key which is kept separate and secure. Encryption of data occurs as it flows through our system to you (HTTPS) and while it is stored by us (encryption at rest). This significantly increases the difficulty of accessing data in the event of unauthorised access to our systems.

What is separation of concerns & pseudonymization?

Personally identifiable information, such as name and address, is only accessed in isolation and is not routinely stored alongside information which may be used by other parts of the system. This means that stored genetic data will have no information co-located that will allow identification of the individual. These disparate records are joined up as needed by the system using artificial identifiers which are pseudonymized so that they are not personally identifiable. This continues throughout the system to ensure that services only have access to the minimal data they need to function.

What is monitoring and alerting?

We actively monitor our systems and all communication with the outside world, collecting and analysing the available data for indicators of potential threats and breaches. These are automatically triaged and alerted to our security team for appropriate action.

What is proactive vulnerability and penetration testing?

We periodically employ the services of third party specialists to act as malicious parties and attempt to breach our security in a controlled and safe way. This enables us to identify and assess potential attack vectors before they are identified by monitoring and alerting tools and to address and harden appropriately.

What should I do to keep my data safe?

  1. Never share passwords with anyone, including people you trust
  2. Never use a password on more than one site
  3. Keep virus protection up to date and scan periodically
  4. Install all operating system security patches as soon as possible
  5. Be extra vigilant opening links and attachments in emails, even from known senders

Making choices about your information

We respect that your information is yours, and so we want to give you as much choice as possible regarding our use of your data, particularly around marketing. You can view your options as regards the privacy of your information and make choices through your Living DNA account.

Part F: General

Your rights

Under certain circumstances, you have rights under data protection laws in relation to your personal data.

Please click on the links below to find out more about these rights:

  1. Request access to your personal data
  2. Request correction of your personal data
  3. Request erasure of your personal data
  4. Object to processing of your personal data
  5. Request restriction of processing your personal data
  6. Request transfer of your personal data
  7. Right to withdraw consent

If you wish to exercise any of the rights above, please contact us.

No fee:

You will not have to pay a fee to access your personal data or to exercise any of the rights. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

What we may need from you:

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Time limit to respond:

We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

Contact Details:

We are Living DNA Limited, of Unit G1, Frome Business Park, Manor Road, Marston Trading Estate, Frome, Somerset, UK, BA11 4BL

If you have any queries about the privacy of your information, or about the information in this statement, or if you think the information is in any way incomplete, please contact us at:

help@livingdna.com

or call our customer services team on +44 203 424 3482

We also have a Data Protection Manager who can be contacted at: privacy@livingdna.com

You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

Changes to this statement, and your duty to tell us of changes

We keep this statement under regular review. This version was last published on 2018/07/16. Historic versions can be obtained by contacting us.

It is important that the personal information we hold about you is accurate and current. Please let us know if your personal data changes during your relationship with us.







Appendix

You have the right to:

Request access to your personal information (commonly known as a "data subject access request"). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.

Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.

Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal information to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.

Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal information for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.

Request restriction of processing of your personal information. This enables you to ask us to suspend the processing of your personal information in the following scenarios:

  1. If you want us to establish the accuracy of the information.
  2. Where our use of the information is unlawful but you do not want us to erase it.
  3. Where you need us to hold the information even if we no longer require it as you need it to establish, exercise or defend legal claims.
  4. You have objected to our use of your information but we need to verify whether we have overriding legitimate grounds to use it.

Request the transfer of your personal information to you or to a third party. We will provide to you, or a third party you have chosen, your personal information in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.

Withdraw consent at any time where we are relying on consent to process your personal information. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain services to you. We will advise you if this is the case at the time you withdraw your consent.