Privacy Statement iGene Pharmaco

iGene Pharmaco B.V.

1. Introduction

This is the privacy and cookie statement (hereinafter: statement) of iGene Pharmaco B.V. (Chamber of Commerce number 96176776, establishment number 000061520187), registered in Nijmegen and having its offices at Oude Haven 102, 6511 XH Nijmegen (hereinafter: iGene Pharmaco).

This statement applies to all processing of personal data of users of iGene Pharmaco. 'Personal data' means all data relating to an identified or identifiable natural person. 'Users' include all customers of iGene Pharmaco's products and services, including consumers, business customers and healthcare customers, as well as visitors to iGene Pharmaco's websites.

All processing of personal data is subject to privacy laws and regulations, including the General Data Protection Regulation (hereinafter: GDPR) and the Dutch GDPR Implementation Act. We are responsible for compliance with these laws and regulations.

We consider it important that our services are reliable and transparent. We handle our users' data with discretion and care.

2. Role of iGene Pharmaco

iGene Pharmaco acts as controller for the processing of users' data insofar as iGene Pharmaco itself determines the purposes and means of data processing. Examples include processing activities in the context of offering its products and services, such as performing pharmacogenetic tests, analysing DNA, and making DNA reports available to users.

iGene Pharmaco acts as processor insofar as iGene Pharmaco processes data on behalf of third parties (such as healthcare customers including pharmacists, physicians or healthcare institutions). In such cases, those third parties are the controllers. iGene Pharmaco concludes a data processing agreement with them.

3. What does iGene Pharmaco do?

iGene Pharmaco offers a pharmacogenetic service. The service encompasses performing pharmacogenetic tests, analysing DNA, and making DNA reports available to users and their healthcare providers.

iGene Pharmaco offers pharmacogenetic tests that provide users and their healthcare providers with insight into how genetic variations may affect responses to medications. The reports offer insight into, among other things, drug sensitivity based on enzymatic profiles and pharmacogenetic profiles with medication-specific insights.

The DNA testing process

The user collects biological material in the form of saliva using an iGene kit and sends this to iGene Pharmaco. iGene Pharmaco forwards the material to a certified laboratory, where a large number of genetic variations (SNPs) are identified. The results are analysed and processed into individual DNA reports made available via the iGene application.

The services of iGene Pharmaco are primarily a pharmacogenetic information service and are not intended as a substitute for regular medical diagnostics or treatment. See iGene's General Terms and Conditions for more information about the nature of the service.

4. Purposes and legal bases for processing

iGene Pharmaco processes data only for specified, explicitly described and legitimate purposes, and on the basis of legal grounds:

4.1 Creating, using and managing an account

In connection with ordering products and services, the user may create an account in the iGene application. Legal basis: necessity for the performance of a contract.

4.2 Ordering products and services

The ordering and delivery of products and services, including the iGene kit, and the associated payment processing. Legal basis: necessity for the performance of a contract.

4.3 Performing pharmacogenetic tests and making reports available

The performance of pharmacogenetic tests, the analysis of DNA, and making DNA reports on drug sensitivity and pharmacogenetic profiles available. This involves processing genetic data, which falls under the category of 'special category data' within the meaning of the GDPR. The processing of special category data is prohibited unless a statutory exception applies. iGene Pharmaco processes genetic data exclusively on the basis of the user's explicit consent.

4.4 Visiting and using websites and/or apps

When visiting websites or apps, data may be stored, such as visit data. See section 8 on cookies.

4.5 Direct marketing

The sending of commercial communications to users. If iGene Pharmaco has received electronic contact details in the context of the sale of products or services, these may be used without further consent for marketing of its own similar products and services (Article 11.7 of the Dutch Telecommunications Act). Legal basis: legitimate interest.

The user may unsubscribe from commercial messages at any time, via the unsubscribe link at the bottom of each email or by email to privacy@igene.eu. After unsubscription, iGene Pharmaco will stop sending commercial messages as soon as possible, but no later than within five (5) working days.

When collecting electronic contact details, iGene Pharmaco gives the user the opportunity to object to the use of such data for direct marketing. In each commercial message, iGene Pharmaco again offers a simple, free means of unsubscription.

4.6 Administrative or fiscal purposes

Administrative or fiscal obligations, for example towards the Dutch Tax and Customs Administration. Legal basis: legal obligation or legitimate interest.

4.7 Information requests, enquiries and complaints

Handling requests, enquiries and complaints. Legal basis: contract, legitimate interest or legal obligation.

4.8 Scientific research and product development

iGene Pharmaco may use aggregated and anonymised data for scientific research and product development. To the extent that genetic or other special category personal data are processed (prior to irreversible anonymisation), this is done exclusively on the basis of the user's explicit consent (Article 9(2)(a) GDPR). The user may optionally grant this consent during account activation or at a later stage via the settings in the iGene application. Consent may be withdrawn at any time with immediate effect. After irreversible anonymisation, iGene Pharmaco uses only population-level statistical data; such data fall outside the scope of the GDPR. Withdrawal of consent has no retroactive effect on data that have already been irreversibly anonymised prior to the moment of withdrawal.

4.9 Reimbursement of covered care

If the iGene test is used in the context of covered healthcare, iGene Pharmaco processes the patient's citizen service number (BSN) on the invoice for reimbursement purposes with the health insurer. The BSN is provided to iGene Pharmaco by the healthcare customer and is not retained longer than necessary for the reimbursement process. Legal basis: legal obligation (Act on the use of the citizen service number in healthcare).

5. Data processed by iGene Pharmaco

iGene Pharmaco ensures that the data processed are adequate, relevant and limited to what is necessary.

5.1 Account and registration

Upon registration and use of the app, iGene Pharmaco processes:

–       Tube code (unique, pseudonymous code, randomly generated)

–       Year of birth (no birth month or day)

–       Ethnicity (optional; see explanation below)

–       Country of origin

–       App language setting

–       Meta information (operating system, app version, push tokens)

–       Optionally: email address (for push notifications, account recovery or requesting a report)

Where ethnic data are processed, this is done exclusively to statistically better align genetic interpretations with known population differences in gene frequencies. Providing ethnicity is optional; without this information, certain interpretations may be less accurate. Data revealing ethnic origin are special category personal data; the processing thereof is based on the user's explicit consent (GDPR Article 9(2)(a)).

The user may consent in the app to sharing data with a certified professional (such as a physician or pharmacist) via the professional's code.

5.2 Ordering and delivery

When ordering products, iGene Pharmaco processes:

–       Name, address and place of residence

–       Email address (for track-and-trace)

–       Payment details

5.3 DNA test and report

The DNA testing process involves the following steps:

Step 1: The user collects biological material and sends it together with the tube code to iGene Pharmaco.

Step 2: Upon return receipt, iGene Pharmaco processes the biological material and the tube code. The tube code is not linked to any other data; iGene Pharmaco does not know from which person the material originates.

Step 3: iGene Pharmaco sends the biological material, labelled with the tube code, to a certified laboratory.

Step 4: The laboratory maps the genetic variations (SNPs) and sends the results back to iGene Pharmaco.

Step 5: The results are analysed and processed into individual DNA reports. The DNA analysis is performed by iGene Products B.V., acting as processor for iGene Pharmaco on the basis of a data processing agreement. Data processed in this step include: SNPs, tube code, year of birth, ethnicity, country of origin and language setting.

The above separation applies to the processing of biological material. To the extent technically necessary to give the user access to their report, enable account recovery, or send notifications, a functional link exists between the tube code and the user's app account. This link is stored strictly separately from order and address data, and is only accessible to authorised systems.

In the context of services to healthcare customers, a link between genetic data and the patient's personal data may arise:

–       Linking code: the user or the healthcare professional may create a linking code via the iGene application or the iGene healthcare professional dashboard respectively, which links the DNA report to the patient's identity. This linking is necessary for the integration of test results into patient care.

–       Reimbursement of covered care: if the iGene test is used in the context of covered healthcare, the healthcare customer provides the patient's citizen service number (BSN) to iGene Pharmaco. iGene Pharmaco includes the BSN on the invoice for reimbursement purposes with the health insurer, in accordance with the Act on the use of the citizen service number in healthcare (Wbsn-z). The BSN is not retained longer than necessary for the reimbursement process.

In both cases, the healthcare customer is the controller for the processing of personal data in the context of patient care and reimbursement. iGene Pharmaco processes these data as processor on the basis of a data processing agreement with the healthcare customer (see section 6). The separation between genetic data and personal data described above remains fully applicable to standard consumer services.

The DNA reports may contain results on:

–       Drug sensitivity based on enzymatic profiles

–       Pharmacogenetic profile with medication-specific insights

5.4 Website visits

When visiting websites or apps, visit data may be stored, including URL, IP address, browser type, date and time of the visit, and click and usage behaviour. See section 8 on cookies.

5.5 Marketing and communications

For direct marketing purposes, iGene Pharmaco processes data such as email address, name and address.

6. Third parties processing data

The default position is that iGene Pharmaco does not share data with third parties. iGene Pharmaco may share data in the following situations:

–       With affiliated companies, to the extent necessary for the purposes described.

–       With processors (parties that process data on behalf of iGene Pharmaco, such as IT suppliers), exclusively on the instructions of iGene Pharmaco and with appropriate safeguards.

–       With certified laboratories that perform DNA analysis.

–       With iGene Products B.V., which performs DNA analysis and reporting as processor on the basis of a data processing agreement.

–       With Shopify Inc., which provides the ordering platform and payment processing. Shopify processes order data as processor for iGene Pharmaco, but may also process certain data as an independent controller for its own legal obligations (including fraud prevention and security). See Shopify's privacy policy for further information.

–       With Intuit Mailchimp, which provides the email platform for sending newsletters.

–       With a healthcare professional, exclusively if the user grants consent in the app.

–       With employees of iGene Pharmaco, to the extent necessary for the performance of their duties and subject to a confidentiality obligation.

–       If required by law, a court order or other legal proceedings.

–       In connection with a business transaction, such as a merger or sale of assets.

–       With professional advisers (including lawyers, accountants, auditors, insurers and certifying bodies), to the extent necessary for legal advice, audit, certification, insurance, security, compliance, or the establishment or substantiation of legal claims.

Where consent is required for sharing data, iGene Pharmaco will request this from the user in advance.

7. Security

iGene Pharmaco takes data security very seriously and has implemented appropriate technical and organisational measures to protect personal data against unauthorised access, loss or misuse. iGene Pharmaco is ISO 27001:2022 certified.

The main security principles are:

–       The storage of genetic data and the analyses and reports are strictly separated from each other.

–       Genetic data are linked exclusively to a pseudonymous code (tube code), not to other personal data.

–       All data are stored and processed within the European Economic Area.

–       Encrypted backups are made periodically.

–       Payments take place via a certified Payment Service Provider via an encrypted connection.

iGene Pharmaco has conducted a Data Protection Impact Assessment (DPIA) for the processing of genetic data, in accordance with Article 35 GDPR. This is reviewed periodically.

8. Cookies

iGene Pharmaco may use cookies and similar technologies (such as JavaScripts, tracking pixels and web beacons) on its websites and apps. Cookies are small text files that store data when a website is visited. iGene Pharmaco distinguishes the following categories:

Functional cookies

Necessary for the functioning of the website, such as session cookies and language preference. No consent is required for these. Retention period: duration of the session or a maximum of 12 months.

Analytical cookies

For measuring and analysing website usage (for example via Google Analytics). These cookies are only placed after the user's consent. Retention period: a maximum of 26 months.

Marketing cookies

For displaying personalised advertisements. These cookies are only placed after the user's explicit consent. Retention period: a maximum of 12 months.

The user may adjust their cookie preferences at any time via the cookie settings on the website. The cookie policy is available on the iGene Pharmaco website.

9. Links to third parties

The websites and apps of iGene Pharmaco may contain links to third-party websites. iGene Pharmaco is not responsible for the manner in which third parties handle users' data. The privacy statements of those parties apply to those websites.

10. User rights

The user has the following rights with regard to their data. For any request, the user may send an email to privacy@igene.eu or a letter by post to Oude Haven 102, 6511 XH Nijmegen.

iGene Pharmaco verifies the user's identity preferably via the iGene application (logged-in session) or by email (verification code). Only in cases of reasonable doubt about the user's identity may iGene Pharmaco additionally request a copy of a valid identity document (portrait photo and BSN may be redacted). The copy is deleted immediately after identification.

Right to information

We inform the user about which data we process, for what purposes, on what legal basis and to whom we provide data. All this information can be found in this statement.

Right of access

The user has the right to access their data, including information about purposes, recipients, retention periods and origin.

Right to rectification

The user may request iGene Pharmaco to rectify their data or to complete incomplete data.

Right to erasure

In certain cases, iGene Pharmaco is obliged to erase data, for example when they are no longer necessary or consent has been withdrawn. iGene Pharmaco always makes a balancing assessment, as processing is sometimes still necessary for legal obligations.

Right to restriction

The user has the right to have processing restricted, for example when the accuracy of data is disputed.

Right to data portability

Under certain conditions, the user has the right to receive the data they have provided and the raw DNA data in a structured, commonly used format and to transfer these to another organisation. This right does not apply to the analyses, interpretations and reports generated by iGene Pharmaco, which are protected by intellectual property rights.

Withdrawal of consent

Where processing is based on consent, the user may withdraw this at any time. Withdrawal of consent for the processing of genetic data has the consequence that iGene Pharmaco can no longer offer the DNA reports. In that case the account is terminated and all genetic data are deleted within thirty (30) days. Withdrawal does not affect the lawfulness of prior processing.

Right to object

The user may object to the processing of their data. After an objection, iGene Pharmaco will in principle cease the processing. The user may also object to the use of contact details for marketing by unsubscribing via the link in emails or by email to privacy@igene.eu.

Right to lodge a complaint

The user has the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) or to go to court.

If the user is under 16 years of age, consent from parent(s) or guardian(s) is required.

The rights set out above are not absolute. iGene Pharmaco may refuse a request in whole or in part if this is necessary for compliance with legal obligations, security, fraud prevention, evidence purposes, or the establishment or substantiation of legal claims. iGene Pharmaco will inform the user of the reason for any refusal.

11. Retention periods

iGene Pharmaco does not retain data for longer than necessary for the purposes for which they are processed. Thereafter, data are deleted or anonymised.

–       Order data (name, address, email): deleted no later than 6 months after delivery of the kit.

–       Biological material: destroyed by the laboratory after completion of the DNA analysis, in accordance with the arrangements in the data processing agreement with the laboratory.

–       Raw DNA data, analyses and reports: available for as long as the user has an active account. The raw DNA data are necessary for updates and expansions of the reports. Upon termination of the account, all genetic data are deleted within thirty (30) days.

–       Visit data and cookies: a maximum of 26 months, depending on the type of cookie (see section 8).

–       Administrative data: 7 years after the financial year, in accordance with the statutory retention obligation (Article 52 of the Dutch General Tax Act).

–       Marketing data (email address for newsletter): until unsubscription by the user.

–       Consent logs, security logs, incident files and audit trails: for as long as necessary for security, evidence purposes, fraud prevention, compliance or legal proceedings. Where possible, these data are pseudonymised.

Data still present in encrypted backups are retained exclusively for security and recovery purposes and are no longer actively processed. Backups are automatically replaced in accordance with the regular backup schedule and deleted no later than twelve (12) months.

See Article 6 of the General Terms and Conditions for the retention period applicable to inactive accounts.

12. Data breaches

In the event of a personal data breach, iGene Pharmaco will notify the Dutch Data Protection Authority within 72 hours, unless it is unlikely that the breach poses a risk. In the event of a high risk, the user will also be informed.

Security incidents or data breaches may be reported via privacy@igene.eu or by telephone on +31 (0)10 310 4200.

13. Transfers outside the EEA

All biological material, raw DNA data, analyses and reports are stored and processed within the European Economic Area (EEA) or in countries for which the European Commission has adopted a valid adequacy decision.

Some operational and analytical data (not genetic data) may be transferred outside the EEA, for example for website analysis or email services. This concerns only non-genetic data such as visit data and email addresses. Transfers take place on the basis of an adequacy decision of the European Commission or, in the absence thereof, on the basis of EU Standard Contractual Clauses. Additional appropriate safeguards are implemented, including encryption of data in transit and at rest.

The main service providers outside the EEA that may receive non-genetic data are:

–       Google LLC (United States) -- for website analysis (Google Analytics) and tag management (Google Tag Manager).

–       Intuit Mailchimp (United States) -- for sending newsletters.

–       Shopify Inc. (Canada/United States) -- for the ordering platform and payment processing.

If international cooperation in the future requires the transfer of genetic data outside the EEA, iGene Pharmaco will request the user's explicit prior consent and implement additional technical and contractual safeguards, including a Data Protection Impact Assessment.

14. Changes

We may amend this statement if developments give rise to doing so. The most current version can be found on our website. In the event of material changes to the processing of personal data, we will notify the user in advance, for example by email or via a notification in the iGene application.

15. Contact details

For questions, requests, suggestions or complaints about this statement or data processing:

–       iGene Pharmaco B.V. | Chamber of Commerce number 96176776

–       Email: privacy@igene.eu

–       Post: Oude Haven 102, 6511 XH Nijmegen

–       Data Protection Officer: Mr W. Limpens

–       Telephone: +31 (0)10 310 4200

16. Glossary

The following terms are used in this statement:

Anonymisation

The irreversible processing of personal data in such a way that they can no longer be attributed to an identifiable natural person. Anonymised data fall outside the scope of the GDPR.

GDPR

General Data Protection Regulation (Regulation (EU) 2016/679), the European privacy legislation governing the protection of personal data.

Data subject

The natural person to whom the personal data relate. In this statement referred to as 'user'.

Special category personal data

Personal data revealing, among other things, racial or ethnic origin, genetic data, or data concerning health. Stricter rules apply to the processing of such data under the GDPR.

Tube code

A unique, randomly generated pseudonymous code used to identify biological material and DNA data without linking them to the identity of the user.

Cookie

A small text file stored on the user's device when visiting a website, which can be read on a subsequent visit.

Data breach

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

DNA report

The report containing the results of the DNA analysis, providing insight into, among other things, pharmacogenetic profiles and drug sensitivity.

DPIA

Data Protection Impact Assessment: an assessment of the consequences of a data processing operation for the protection of personal data, required for processing activities with a high risk (Article 35 GDPR).

Genetic data

Personal data relating to the inherited or acquired genetic characteristics of a natural person, which provide unique information about the physiology or health of that person.

Personal data

All information relating to an identified or identifiable natural person, such as name, email address, tube code or genetic data.

Pseudonymisation

The processing of personal data in such a way that they can no longer be attributed to a specific individual without the use of additional information, provided that such additional information is kept separately.

SNP

Single Nucleotide Polymorphism: a variation at a single position in the DNA that occurs in a significant proportion of the population. SNPs form the basis of DNA analysis by iGene Pharmaco.

Consent

Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which they signify agreement to the processing of their personal data (Article 4(11) GDPR).

Processor

A party that processes personal data on behalf of the controller, without independently determining the purpose and means of the processing.

Processing

Any operation performed on personal data, including collecting, recording, organising, storing, updating, modifying, retrieving, consulting, using, disclosing, disseminating, erasing or destroying data.

Data processing agreement

An agreement between the controller and the processor setting out the terms for data processing, as required by Article 28 GDPR.

Controller

The party that determines the purpose and means of the processing of personal data. In the context of direct services, this is iGene Pharmaco.

Last amended: 29 May 2026