Information Collected by Our Services
Information we receive when you use our Services. We collect Web-behaviour Information via cookies and other similar tracking technologies when you use and access our Services (our website, mobile apps, products, software and other services). Generally, our Services automatically collect usage information such as the number and frequency of visitors to our Services, its components, and how you interact with and use the Services. We only use this data in aggregate form, that is, as a statistical measure, and not in a manner that would identify you personally. This type of aggregate data enables us to figure out how you use parts of the Services so that we can make the Services useful for as many users as possible, and improve upon those Services.
Information You Provide to us directly
Information you share with us. We collect and process your information when you place an order, create an account, register your CareXera DNA Collection Kit, complete surveys, post on our platform or use other messaging features, and contact Customer Care. This information can generally be categorized as Registration Information, Self-Reported Information, and/or User Content such as your name, date of birth, billing and shipping address, payment information (e.g., credit card) and contact information (e.g. email, phone number and license number). All sensitive information you supply is encrypted via Secure Socket Layer (SSL) technology.
Self-Reported Information. You have the option to provide us with additional information about yourself through surveys, forms, features and applications. For example, you may provide us with information about your personal traits (e.g., eye color, height), ethnicity, disease conditions (e.g. Type 2 Diabetes), and other health-related information (e.g. pulse rate, cholesterol levels, visual acuity), and, where applicable, family history information (e.g. information similar to the foregoing about your family members). Before you disclose information about a family member, you should make sure you have permission from the family member to do so.
User Content. Some of our Services allow you to create and post or upload content, such as data, text, software, music, audio, photographs, graphics, video, messages, or other materials that you create or provide to us through either a public or private transmission (“User Content”). For example, User Content includes any discussions, posts, or messages you send on CareXera’s platforms.
Social media features and widgets. Our Services include Social Media Features. These Features may collect your IP address, which page you are visiting on our site, and may set a cookie to enable the feature to function properly. They may also allow third-party social media services to provide us with information about you, including your name, email address, and other contact information. The information we receive is dependent upon your privacy settings with the social network. Features are either hosted by a third party or hosted directly on our site. Your interactions with these Features are governed by the privacy statements of the third-party companies providing them. You should always review and, if necessary, adjust your privacy settings on third-party websites and services before linking or connecting them to our website or Services.
Third-party services (e.g., social media). If you use a third-party site, such as Facebook or Twitter, in connection with our Services to communicate with another person (e.g., to make or post referrals or to request that we communicate with another person), then in addition to that person’s name and contact information, we may also collect other information (e.g., your profile picture, network, gender, username, user ID, age range, language, country, friends lists or followers) depending on your privacy settings on the third-party site. We do not control the third-party site’s information practices, so please review the third party’s privacy statement and your settings on the third party’s site carefully.
Referral information and sharing. When you refer a person to CareXera, we will ask for that person’s email address. We will use their email address solely, as applicable, to make a referral to them, and we will let your contact know that you requested the communication. By participating in a referral program or by choosing to share information with another person, you confirm that the person has given you consent for us to communicate (e.g., via email) with him or her. The person you referred may contact us at firstname.lastname@example.org to request that we remove this information from our database.
Gifts. If you provide us with Personal Information about others, or if others give us your information, for the purpose of ordering the Service as a gift, we will only use that information for the specific reason for which it was provided to us. Once a gift recipient registers for his or her Services and agrees to our Privacy Statement, our Terms of Service, and if applicable, provides certain consent, his or her Personal Information will be used in manners consistent with this Privacy Statement, and will not be shared with the purchaser, unless they independently choose to share their own Personal Information through the Services with the purchaser.
Customer service. When you contact Customer Care or correspond with us about our Service, we collect information to: track and respond to your inquiry; investigate any breach of our Terms of Service, Privacy Statement or applicable laws or regulations; and analyze and improve our Services.
How is the collected information used?
The information we gather from you enables us to (i) personalize and improve our Services, including but not limited to giving you other information, (ii) allow you to set up an account and profile that can be used to participate in our Services, which includes processing payments, shipping kits to customers, creating customer accounts and authenticating logins, analyzing DNA samples and DNA, and delivering results and powering tools that benefit our customers, (iii) provide you with information, updates, offers and other communications related to our Services, (iv) analyze and report on the results of the Services in an aggregate manner for the benefit of our partners and (v) support your use of the Services. We may use your email address to inform you about our services, such as letting you know about upcoming changes or improvements.
When you contact Customer Care, we may use or request Personal Information, including Sensitive Information, as necessary to answer your questions, resolve disputes, and/or investigate and troubleshoot problems or complaints. In some instances, we may be required to process one customer’s Personal Information to resolve another customer’s dispute or request. For example, if a customer reports behaviour that violates our Terms of Service, we will separately process both customers’ Personal Information and respond separately to each individual as appropriate. We will not share your Personal Information with another customer without your consent.
We value your feedback and may send you surveys, polls, or requests for testimonials to improve and optimize our Services. You are in control of the information you would like to share with us. If you do not wish to receive these requests, you can manage them in your Account Settings. Our legal basis for processing your Personal Information for the purpose described above is based on our legitimate interest. We think it is important to continue improving our Services to ensure your continued enjoyment.
By creating a CareXera account, you are agreeing that we may send you product and promotional emails or notifications about our services and offers on new products, services, promotions or contests. You can unsubscribe from receiving these marketing communications at any time. To unsubscribe, click the email footer “unsubscribe” link or go to the “Preferences” section of your Account Settings to edit your email notification preferences. You may not opt out of receiving non-promotional messages regarding your account, such as technical notices, purchase confirmations, or Service-related emails.
Information Related to Our Genetic Testing Services
DNA/Epigenetic samples. To use our genetic testing services, you must purchase, or receive as a gift, a CareXera DNA Sample Collection kit, create an online account and register your kit, and ship your DNA sample to our laboratory. Our laboratory will extract your DNA from your DNA sample for analysis. Your DNA sample and DNA are destroyed after our laboratory completes its work, subject to legal and regulatory requirements.
Information from our DNA testing services. With your consent, we extract your DNA from your DNA sample and analyze it to produce your Genetic Information (the As, Ts, Cs, and Gs at particular locations in your genome) in order to provide you with reports.
As described above, to receive results through the Personal Genetic Service, you must create a CareXera account, register your kit, and submit your DNA sample to our laboratory. The sample you provide to us will be analyzed to generate your raw Genetic Information. Once we have your raw Genetic Information, we further analyze it to provide you with our reports, dependent on the Service purchased. CareXera continuously works to improve our Services based on our research and product development, and genetic associations identified in scientific literature. If you are eligible to receive additional reports or updates in the future, you may be notified of or may directly access these updates. We may process your biological sample with our partner laboratories, which reside in the UK, Singapore, South Korea & Japan. NO sample or personal data will be processed in the People’s Republic of China and the State of Israel.
If you choose to consent to participate in our research, our principal researcher company “Prima Nexus” can include your anonymised Genetic Information and Self-Reported Information in a large pool of customer data for analyses aimed at making scientific discoveries. Research is also an important aspect of genetic testing services and we want to ensure interested participants are aware of additional opportunities to contribute to interesting, novel scientific research conducted by academic institutions, healthcare organizations, pharmaceutical companies, and other groups. If you have chosen to participate in the Research, from time to time we may inform you of third-party research opportunities for which you may be eligible. For example, if a university tells us about a new cancer research project, we may send an email to CareXera’s participants who potentially fit the relevant eligibility criteria based on their Self-Reported Information to make them aware of the research project and provide a link to participate with the research organization conducting the study. However, we will not share Individual-level Genetic Information or Self-Reported Information with any third party without your consent. If you do not wish to receive these notifications, you can manage them by editing your preferences in your Account Settings. If you choose not to provide consent to us or complete any additional agreement with CareXera, your Personal Information will not be used for any research. However, your Genetic Information and Self-Reported Information may still be used by us and shared with our third-party service providers in order for us to provide our Services to you as outlined in this Privacy Statement. Our legal basis for processing your Sensitive Information for the purpose described above is based on your consent. 
You may withdraw your consent at any time; however, the withdrawal of your consent will not affect the lawfulness of processing based on consent before its withdrawal.
Sharing of the information
Personal Information about our customers is an integral part of our business. We neither rent nor sell your Personal Information in personally identifiable form to anyone. We share your Personal Information in personally identifiable form only as described below.
Services users (including personal or party): We may share personal information with other Services users after you have agreed to set up a connection with them when accessing certain or all Services.
Agents: We employ other companies and people to perform tasks on our behalf and as a result, we may need to share your Personal Information with them to provide these Services to you. Unless we tell you differently, our agents do not have any right to use the Personal Information we share with them beyond.
Business Transfers/Corporate Transactions: In some cases, we may choose to buy or sell assets, or conduct a merger, acquisition, joint venture or other corporate transaction. In these types of transactions, customer information is typically one of the business assets that is transferred. Moreover, if CareXera, or substantially all of its assets, were acquired, or in the unlikely event that we go out of business or enter bankruptcy, customer information is one of the assets that is transferred or acquired by a third party. You acknowledge that such transfers may occur and that any acquirer of CareXera may continue to use your Personal Information as set forth in this policy.
Information We Share with Third Parties
With Your Consent: Except as set forth above, you will be notified when your Personal Information may be shared with third parties, and you will be able to prevent the sharing of this information.
Order fulfillment and shipping. When you purchase a CareXera kit from the www.carexera.com online store, our payment processor processes certain Registration Information, such as your billing address and credit card information, as necessary to enable you to purchase a CareXera kit online. Our logistic services providers ship your kit(s) to you, and help return your kit safely to our laboratory so your sample can be processed. If you purchase a CareXera kit from retail outlets, our logistic services providers help return your kit to our laboratory.
Cloud storage, IT, and Security. Our cloud storage and other services providers provide secure storage for information in CareXera databases, ensure that our infrastructure can support continued use of our Services by CareXera customers, and protect data in the event of a natural disaster or other disruption to the Service. Our IT and security providers assist with intrusion detection and prevention measures to stop any potential attacks against our networks. We have these third-party experts perform regular penetration tests and periodically audit CareXera’s security controls.
You may decide to share your Personal Information with friends and/or family members, doctors or other health care professionals, and/or other individuals outside of our Services, including through third-party services such as social networks and third-party apps that connect to our website and mobile apps through our application programming interface (“API”). These third parties may use your Personal Information differently than we do under this Privacy Statement. Please make such choices carefully and review the privacy statements of all other third parties involved in the transaction. We do not endorse or sponsor any API applications, and do not negate the accuracy or validity of any interpretations made by third-party API applications. In general, it can be difficult to contain or retrieve Personal Information once it has been shared or disclosed. CareXera will have no responsibility or liability for any consequences that may result because you have released or shared Personal Information with others.
We may share Aggregate Information, which is information that has been stripped of your name and contact information and combined with information of others so that you cannot reasonably be identified as an individual, with third parties. This Information is different from “Individual-level” information and is not Personal Information because it does not identify any particular individual or disclose any particular individual’s data. For example, Aggregate Information may include a statement that “45% of our male users share a particular genetic trait,” without providing any data or testing results specific to any individual user. In contrast, Individual-level Genetic Information or Self-Reported Information consists of data about a single individual’s genotypes, diseases or other traits/characteristics information and could reveal whether a specific user has a particular genetic trait, or consist of all of the Genetic Information about that user. CareXera will ask for your consent to share Individual-level Genetic Information or Self-Reported Information with any third party, other than our service providers as necessary for us to provide the Services to you.
We may share some or all of your Personal Information with other companies under common ownership or control of us, which may include our subsidiaries, our corporate parent, or any other subsidiaries owned by our corporate parent in order to provide you better service and improve user experience. Generally, sharing such information is necessary for us to perform on our contract with you. We may provide additional notice and ask for your prior consent if we wish to share your Personal Information with our commonly owned entities in a materially different way than discussed in this Privacy Statement.
Under certain circumstances, your Personal Information may be subject to processing pursuant to laws, regulations, judicial or other government subpoenas, warrants, or orders. For example, we may be required to disclose Personal Information in coordination with regulatory authorities in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. CareXera will preserve and disclose any and all information to law enforcement agencies or others if required to do so by law or in the good faith belief that such preservation or disclosure is reasonably necessary to: (a) comply with legal or regulatory process (such as a judicial proceeding, court order, or government inquiry) or obligations that CareXera may owe pursuant to ethical and other professional rules, laws, and regulations; (b) enforce our Terms of Service and other policies; (c) respond to claims that any content violates the rights of third parties; or (d) protect the rights, property, or personal safety of CareXera, its employees, its users, its clients, and the public.
In the event that we go through a business transition such as restructuring, merger, acquisition by another company, or sale of all or a portion of its assets, your Personal Information will likely be among the assets transferred. In such a case, your information would remain subject to the promises made in any pre-existing Privacy Statement.
We collect the following types of information from you:
Your information is only accessible by a limited number of persons who have special access rights, and are required to keep the information confidential. All sensitive information you supply is encrypted via Secure Socket Layer (SSL) technology.
Personal Data Collected, Held, and Processed. The following personal data is collected, held, and processed (for details of data retention, please refer to our Data Retention Policy):
| Type of Data | Purpose of Data |
Personal Information You Provide to Us:
We receive and store any information you enter in connection with our Services or provide to us in an authorized way. The types of Personal Information that are collected may include the following:
Registration Information is information that we collect from you when you purchase or sign up for the CareXera services. Examples of such information include your name, age, mailing address, phone number and contact information, such as an email address. We also collect your credit card information to process payment for CareXera.
Self-Reported Biomarker Information includes not only your DNA/genetics test result information, blood test result information, but also other information you provide on the CareXera platform, such as ethnicity, gender, height, weight, pulse rate, and other health and well-being related information (including without limitation other sensitive medical information).
User Content is all information other than health-related test information or self-reported information provided by the users of the CareXera services and transmitted, whether publicly or privately, to CareXera. User content may include data, text, software, music, audio, photographs, graphics, video, messages, or other materials. For example, user content includes posts made to the CareXera Health community forums or emails to customer support.
Web Behavior Information is information on how you use the website (e.g. browser type, domains, pageviews) collected through log files, cookies, and web beacon technology. This information will be provided by you through the Services so that we can support you in delivering messages, by email or SMS, to the personnel for operating the full Services. If you have purchased any hardware from CareXera and are using it in connection with the Services, we will also collect the serial number of the hardware. You can choose not to provide us with certain information, but then you may not be able to register with us or take advantage of all of our Services offerings.
Personal Information Collected Automatically:
We may receive a confirmation when you open an email or text message from us if your computer or cellular device supports this type of program. We use this confirmation to help us make our emails more interesting and helpful and to improve our Service. If you do not want to receive email, text messages, or other mail from us, please contact us at email@example.com. Please note that if you have opted out of receiving email or other messages from us, we may still need to contact you via email, but only with regard to the status of your account (for example, to notify you when your subscription is about to expire); you cannot opt out of these emails unless you cancel your account entirely.
Links to other third-party sites
CareXera is committed to protecting the privacy of children as well as adults. Neither CareXera nor any of its Services are designed for, or directed toward children under the age of 18. A parent or guardian, however, may collect a DNA sample from, create an account for, and provide information related to, his or her child who is under the age of 18. The parent or guardian assumes full responsibility for ensuring that the information that he/she provides to CareXera about his or her child is kept secure and that the information submitted is accurate.
Your privacy is important to us. We comply with the applicable requirements of the Personal Data Protection Act 2010 (Act 709) in Malaysia and other applicable regulations specific to Malaysia.
CareXera implements physical, technical, and administrative measures to prevent unauthorized access to or disclosure of your information, to maintain data accuracy, to ensure the appropriate use of information, and otherwise safeguard your Personal Information.
- CareXera produces secure applications by design. CareXera incorporates explicit security reviews in the software development lifecycle, quality assurance testing and operational deployment.
- Anonymisation. Registration Information is stripped from Sensitive Information, including Genetic and Self-Reported Information. This data is then assigned a randomly generated ID so an individual cannot reasonably be identified.
- Encryption. CareXera uses industry-standard security measures to encrypt Sensitive Information both at rest and in transit.
- Separation of Environments. CareXera ensures processing, production, and research environments are separated and access is restricted. Data, including Registration Information, Genetic Information, and Self-Reported Information are segmented across logical database systems to further prevent re-identifiability.
- Limiting access to essential personnel. We limit access to Personal Information to authorized personnel, based on job function and role. CareXera access controls include a strict least-privilege authorization policy.
- Detecting threats and managing vulnerabilities. CareXera uses state-of-the-art intrusion detection and prevention measures to stop any potential attacks against its networks. We have integrated continuous vulnerability scanning in our processes and regularly engage third-party security experts to conduct penetration tests.
- Incident Management. CareXera maintains a formal incident management program designed to ensure the secure, continuous delivery of its Services. CareXera has implemented an incident management program using industry best practices.
- Managing third-party service providers. CareXera requires service providers to implement and maintain accepted industry standard administrative, physical and technical safeguards to protect Personal Information.
Your information collected through the Service may be stored and processed in countries (the UK, Singapore, South Korea & Japan ONLY) in which CareXera or its subsidiaries, affiliates or service providers maintain facilities and, therefore, your information may be subject to the laws of those other jurisdictions, which may be different from the laws of Malaysia and your country of residence.
Your Responsibility. Your Personal Information is protected by a password for your privacy and security. You need to prevent unauthorized access to your account and Personal Information by selecting and protecting your password appropriately and limiting access to your computer, mobile device, and browser by signing off after you have finished accessing your account. You should not disclose your authentication information to any third party and should immediately notify CareXera of any unauthorized use of your password. CareXera cannot secure Personal Information that you release on your own or that you request us to release.
Storage. We ensure that the following measures are taken with respect to the storage of personal data:
- All electronic copies of personal data are stored securely using passwords, and passwords are encrypted with MD5 data encryption;
- All hardcopies of personal data, along with any electronic copies stored on physical, removable media are stored securely in a locked box, drawer, cabinet, or similar;
- All personal data stored electronically is backed up weekly with backups stored onsite. All backups are encrypted using MD5;
- No personal data is stored on any mobile device (including, but not limited to, laptops, tablets, and smartphones), whether such device belongs to the Company or otherwise without the formal written approval of Richard Layton, firstname.lastname@example.org and, in the event of such approval, strictly in accordance with all instructions and limitations described at the time the approval is given, and for no longer than is absolutely necessary; and
- No personal data is transferred to any device personally belonging to an employee and personal data may only be transferred to devices belonging to agents, contractors, or other parties working on behalf of the Company where the party in question has agreed to comply fully with the letter and spirit of this Policy and of the GDPR (which may include demonstrating to the Company that all suitable technical and organisational measures have been taken).
Use of Personal Data. We ensure that the following measures are taken with respect to the use of personal data:
- No personal data is shared informally, and if an employee, agent, sub-contractor, or other party working on behalf of the Company requires access to any personal data that they do not already have access to, such access should be formally requested from Richard Layton, email@example.com;
- No personal data is transferred to any employees, agents, contractors, or other parties, whether such parties are working on behalf of the Company or not, without the authorisation of Richard Layton, firstname.lastname@example.org;
- Personal data is handled with care at all times and is not left unattended or on view to unauthorised employees, agents, sub-contractors, or other parties at any time;
- If personal data is being viewed on a computer screen and the computer in question is to be left unattended for any period of time, the user locks the computer and screen before leaving it; and
- Where personal data held by the Company is used for marketing purposes, it is the responsibility of Richard Layton, email@example.com to ensure that the appropriate consent is obtained and that no data subjects have opted out, whether directly or via a third-party service such as the TPS.
Outlined below is the scope of our Google Fit integration that we use within the App to track and display your Lifestyle Tracking Data. All these datasets are used to enhance the user experience and provide you with insightful recommendations based on your unique makeup and lifestyle choices:
- auth/fitness.sleep.read: used to read your sleep history. The sleep history of the past week is shown in the app.
- auth/fitness.heart_rate.read: used to read and display daily heart rate data to you through the app.
- auth/fitness.nutrition.read: used to read and display your daily water intake and calorie intake.
- auth/fitness.nutrition.write: used to update the water intake value in Google Fit through the lifestyle tracking section of the app.
- auth/fitness.activity.read: used to track the active time of the day and the separate time spent on any exercise performed.
- auth/fitness.location.read: used to read the daily walked distance from Google Fit.
Access, changes, or deactivation of personal information
Our Services aim to provide you with access to the personal information you submit and the means to update it. If you wish to access, inquire about, review, amend, correct, suppress or request a copy of or delete Personal Information about you, or request that we cease collecting, processing or using it as permitted by applicable law, you should log into our Services or contact us using the contact information below. Under certain circumstances, we may ask you to verify your identity before your request is processed. This will be done free of charge except where it would require a disproportionate effort. We may reject requests that are unreasonably repetitive, require disproportionate technical effort (for example, developing a new system or fundamentally changing an existing practice), risk the privacy of others, or would be extremely impractical (for instance, requests concerning information residing on backup tapes). If you desire to deactivate your account, please contact us using the contact information below. Upon your request, your account will be deactivated and your Personal Information and Records will be securely archived. We retain archived information for a period of ten years (or longer if required by law) as necessary to comply with legal obligations, resolve disputes and enforce our agreements and other authorized uses under this Policy. Further, we will retain the aggregated, non-personally identifiable information and data, which may be generated from or based on the information relevant to your account, even after you deactivate or terminate your account.
Legal Retention Requirements. CareXera and our laboratory will retain your Genetic Information, date of birth, and sex as required for compliance with applicable legal obligations. CareXera will also retain limited information related to your account and data deletion request, including but not limited to, your email address, account deletion request identifier, and record of legal agreements for a period of time as required by contractual obligations, and/or as necessary for the establishment, exercise or defence of legal claims and for audit and compliance purposes.
Delete Account Process. If you have registered on the CareXera app and would like to delete your account, please follow the instructions below:
- Login to the CareXera app using your email address and password.
- Select “Genetic Results” from the main menu.
- Open the Menu button by clicking the three horizontal bars in the top left hand corner.
- Select “Delete Account” from the options available.
You will be asked to confirm that you want to delete your account by re-entering your password and pressing the “Delete” button. Please note that deleting your account will remove all of your personal information from our databases and this process cannot be undone.
This process shall be deemed effective as of 15th September 2023. No part of this process shall have retroactive effect and shall thus apply only to matters occurring on or after this date. This process has been approved and authorised by:
Aizuddin Bin Aguse, Head of Business Development, 14th September 2023
If you have questions or concerns regarding this policy, please contact us at firstname.lastname@example.org