1.1 The purpose of this privacy statement is to inform you which personal data (as defined below) is processed, how this data is collected, what the legal basis for processing is, and to whom this data has been or may be disclosed. You can also find information about how to exercise your rights and what to do if you have questions about the processing of your data.
1.2 PREPTIC B.V. is responsible for ensuring that your personal data is processed in accordance with the applicable privacy legislation.
1.3 We use the following definitions in this privacy statement: “PREPTIC”, “we” or “us” means “PREPTIC B.V.”.
1.4 By “Personal Data” we mean any information relating to an identified or identifiable natural person, as further defined in the General Data Protection Regulation (EU) 2016/679.
1.5 By “Data Controller” we mean the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data, as further defined in the General Data Protection Regulation (EU) 2016/679.
Please be sure to read this privacy statement before submitting Personal Data.
2. Processing of personal data
2.1 In order to use our Services, we are obliged to process your personal data. In this privacy statement we provide information about the processing of your personal data on a case-by-case basis. In the overview below you can go through the topics relevant to you.
2.2 Visit website. Our Site uses “cookies” and similar technologies. Some cookies are necessary for the Site to function properly and others allow us to analyse the use and users of the Site. Cookies can also be used to provide you with specific information or content that is more relevant to your interests. Some of these cookies may require your prior consent. For additional information and to see which cookies we use, we refer to the cookie statement.
Strictly necessary cookies will always be placed. PREPTIC will ask for your consent before making use of other cookies.
This Site also processes Personal Data sent by your own browser, such as your IP address and browser specifications. This processing is necessary for the proper functioning of the Site. The legal basis for this processing is our ‘legitimate interest’.
2.3 Purchasing Services. When you purchase our Services via our Site, we need your Personal Data to be able to process your order and to schedule the Services (see further “performing services”). For the purchase process we collect your name, surname, address, e-mail address, telephone number and bank details. The legal basis for this processing is the execution of a (purchase) agreement with you.
2.4 Performing services. When you have purchased our Services through our Site, we need your Personal Data to schedule appointments with you and to perform our services, such as laboratory testing. A new (unique) customer number is created for every purchase. For scheduling appointments for blood sampling, we collect your name, address, email address and telephone number.
We also process your customer number for questionnaires. These questionnaires may contain your health data, but are not directly traceable to you (without making a link between your customer number and your Personal Data).
During the laboratory test, your blood will be analysed by a laboratory engaged by us. The laboratory does not receive any direct personal data from you and it is not allowed to conduct research into the DNA in your blood. The laboratory results are sent by us via encrypted e-mail and are only accessible to you and possibly, if you have given your consent during the purchase process, also to your general practitioner.
When purchasing a coaching program, your personal data will be shared with the coach selected by you. This may be an external party (vendor). Your medical data is only accessible to the coach if you started a coaching program.
The legal grounds for the above processing are our ‘legitimate interest’, the execution of an agreement with you and/or your explicit consent.
2.5 Contact. You can contact us by clicking the “Contact Us” link on the Site. A contact form will appear which you can send to us. You can also provide us with your contact details when you register for our newsletters.
PREPTIC will only use the personal information you have provided (your name, telephone number, email address and the content of your message) to contact you and to provide you with the information you have requested. The legal basis for this processing is our ‘legitimate interest’ in proper communication with you.
3. Use and sharing of personal data
3.1 PREPTIC makes use of the services of external service providers such as nurses, doctors, coaches and IT providers. We use Boyz in the Cloud to host this Site. In addition, we have engaged IM Lounge as a marketing party that has access to statistical data about visitors to our Site. Active Collective will take care of the maintenance of the website. When you use our Services, other third-party suppliers may also have access to your personal data, if this is necessary for the work they perform for us. For example, the Stein Lab laboratory has access to your blood sample and customer number.
3.2 The Personal Data we collect from you:
- can be stored at a destination outside the EEA and/or;
- may be shared with and/or processed by individuals who work for our affiliates or service providers located outside the EEA.
3.3 When your Personal Data is transferred outside of the EEA, we will ensure that it is protected in a manner consistent with how Personal Data is protected in the EEA. This is done in one of the following ways:
- the country to which we send the Personal Data has been approved by the European Commission as providing an adequate level of protection;
- the recipient has signed a contract based on “standard contractual clauses” approved by the European Commission.
3.4 Furthermore, we may take additional precautionary steps before sharing your Personal Data, such as appropriate technical and organizational measures, to protect your confidentiality and integrity, based on industry requirements and case-by-case analysis. In addition, you may request a copy of those Standard Contractual Clauses entered into between Preptic and the recipients of your Personal Data.
3.5 Your Personal Data will not be shared with other parties unless we believe in good faith it is necessary to protect our rights, protect your safety or that of others, respond to a government request or otherwise enforce our legal rights or defend against legal claims.
4. Retention of Personal Data
4.1 We strive to retain Personal Data for as short a period as possible.
4.2 We determine the retention period of your Personal Data on the basis of the following criteria:
- the purpose for which we use your Personal Data: we keep the data as long as necessary for that purpose; and
- legal obligations: various laws and regulations impose minimum retention periods we are obliged to comply with.
5.1 We have taken appropriate administrative, technical and physical measures to protect personal data against unauthorized access, use and loss. For example, we have equipped all our IT devices (such as laptops and tablets) with high-quality SOPHOS security software and we use encryption software SIILO and ZIVVER for the secure exchange of data between us internally and external service providers.
6. Your rights
6.1 In accordance with the General Data Protection Regulation, you have the:
6.2 Right to restriction of processing. You have the right to request us to restrict the processing of your Personal Data in specific situations as foreseen by applicable data protection law (e.g. when the accuracy of your Personal Data is contested by you, for a period enabling us to verify the accuracy of your Personal Data). Restriction of our processing operations may affect the functionality of the Site.
6.3 Right to erasure. You have the right to ask us to erase your Personal Data from our systems if your Personal Data are no longer necessary in relation to the purposes for which they were collected or otherwise processed. Furthermore, you have the right to erasure if you exercise your right to object as meant above, unless we have an overriding legitimate ground to not erase the relevant data. We may not immediately be able to erase all residual copies from our servers and backup systems after the active data have been erased. Such copies shall be erased as soon as reasonably possible.
6.4 Right to data portability. You have the right to receive your Personal Data in a structured, commonly used and machine-readable format and/or request that we transmit those data to a third party where this is technically feasible. Please note that this right only applies to Personal Data which you have provided to us.
6.5 Right to withdraw your consent. You have the right to withdraw your consent for data collection and processing provided to us at any time. Kindly note that a withdrawal of your consent does not affect the lawfulness of processing of your personal data based on your consent before the withdrawal.
6.6 In order to exercise the above-mentioned rights, or if you have any questions, please contact us via [email protected]
6.7 You also have the right to file a complaint before your local data protection authority if you believe that Preptic has processed your Personal Data unlawfully. For the Netherlands, see www.autoriteitpersoonsgegevens.nl.
7. Update of this privacy statement
7.1 We can change or update this privacy statement in whole or in part at any time. We therefore recommend that you consult the privacy statement regularly for updates. The date on which the last update took place is indicated above.