This Privacy Policy (the "Policy") explains how information that is provided and collected in MyGenomeBox’s web platform (the “Platform”) is managed and handled.

This Policy is designed to help you understand better on how we collect, use, store, process, and transfer your information when operating our platform, mobile application, products, software and other services (the "Service" or "Services").

Through compliance with this Policy, MyGenomeBox strives to protect your information and enable safe usage of our Services with security. By accessing or using our Services, you signify your acceptance of this Policy. If you do not agree with our practices and policies, you may choose not to use our Services.

Please read this page carefully. By accessing and/or by using our Services, you agree to our practices described in this Policy.

Please take note that this Policy does not apply to any App Partner`s applications that integrate with our Services through the Platform (the “App Report Services”), or to any other third party products, services and/or businesses.

This Policy will be effective as of May 25, 2018. If there is any modification to the Policy, we will inform you by public notice through the bulletin board of our Platform or individual notice through e-mail.

Contents

1. Main Points About Personal Information: What We Find Most Important

2. The Information We Collect

3. Use of collected information

4. Sharing collected information

5. Cookies

6. Providing personal information to a third party.

7. Protection of Personal Information of Children

8. Data Retention

9. Users' Right to Access and Exercise Options

10. International Data Transfer

11. App Partner’s Information

12. Identifying The Data Controller And The Processor

13. Terms of Consent

14. Security

15. Security Incident Notification

16. Modification of Privacy Policy

17. Contact Information

1. Main Points About Personal Information: What We Find Most Important

When You Become A Member of Our Service:

• We use the minimum amount of your information to provide you our Services. In order for you to easily use the DNA App, your DNA Data can be uploaded to MyGenomeBox, where we will play the role of depository for the uploaded information you provided. Within the scope of your consent and compliance of our policies, the DNA Data will only be used when following your request. In the same manner, the Reports collected by your App purchases are securely managed similarly as your DNA Data.

• You have ownership of the DNA Data you provided for the App purchase. MyGenomeBox keeps secure and confidential both your DNA Data and following Reports. We do not and are prohibited to disclose your DNA Data to any third-party without your written request for us to do so; and unless there exists special restricted circumstances (i.e. forcible execution of a subpoena or your given approval), we do not use the provided DNA Data for any unrelated purposes other than to provide you of our Service.

• We securely manage your information. In all our management processes of collecting, using, saving and transmitting your important personal information, under legitimate standards, we apply pseudonyms, encryptions and related managerial and technical safety measures for security.

• The DNA Data information is stored in a server within the U.S. The data storage and infrastructure of MyGenomeBox‘s Platform service is located in the U.S. On your behalf, we manage your DNA Data according to the request made by you, the user (the account registrant who agreed to the terms of this Policy).

When You Purchase An App Report:

• App Reports are handled by App Partners. By using our Service, App Partners are able to handle and manage the DNA Data of numerous amount of members. Through MyGenomeBox‘s website, we oversee and manage the App Platform. When you purchase an App, to enable easy usage, the DNA Data is provided to the relevant App Partner who then will provide the related Report. MyGenomeBox does not directly extract or generate DNA Data nor does it generate DNA App Reports. When in case of any inquiries you may have about the contents of the DNA Data, you would need to directly conctact the DNA Data analysis company, as MyGenomeBox has no relations to the contents of the DNA Data to answer your questions. DNA Data analysis companies are generally entities (sequencing companies) that collect your body fluid to generate DNA Data. Some have their own separate privacy policies to comply with.

• Is your Report anonymously handled? App Partners who are under contractual agreement with MyGenomeBox are required to immediately delete the DNA Data, received through users' requests (purchases), after the Reports have been generated. Moreover, based on your request (App purchase), we transmit and send the DNA Data to the relevant App Partner and request for the DNA Data processing. It is during this stage where your membership information is separated to be anonymously sent to the App Partner.

• We do not share or provide your Report to any third-party. MyGenomeBox securely store your Report as it is treated as personal information. Unless it is to you, the owner of the information, and under your approval, we do not disclose and/or provide personal information to any third party. Through the use of your DNA Data, MyGenomeBox merely acts as a depository/keeper of information on your behalf in order to easily provide various App services worldwide.

• Is your DNA Data safe online? MyGenomeBox uses encrypted communications to protect all Service data transmissions of the Platform and even uses encryption to save, securely storing the information. Securely encrypted communications are also used in all transmitting data with App Partners while adding additional security through MyGenomeBox`s distinct security method.

• When in case a DNA App Partner violated our User`s Agreement or if when the DNA App Partner‘s actions are found to be suspicious of infringing upon your privacy rights, please click here (info@mygenomebox.com) to report on such actions.

2. The Information We Collect

Information provided directly by the users

We may collect the information provided directly by the users as listed below.

- Registration Information. When you register an account with MyGenomeBox or purchase our services, we collect personal information, such as your name, User ID(Email) and password, credit card or other payment information(Selective collection when purchasing), and contact information. Your registration information also includes records and copies of any correspondences and details of any transactions you carry out through our Services. MyGenomeBox also receives and uses information from third parties and integrated partners. You can sign-up to our Service through a third party integration, like through your Facebook and/or 23andMe accounts.

- Self-Reported Information. You have the option to provide us with additional information about yourself through surveys, forms, features or applications. For example, you may provide us your picture or other information such as your gender, date of birth, and blood type.

Information related to our genetic application services

- DNA DATA (Genetic Information). When you provide us with your DNA Data in connection with our Services, MyGenomeBox collects, processes and stores the received DNA Data. We make sure to secure your DNA Data beyond the healthcare industry standards to ensure that your information is safe.

-DNA App Report: Your App Reports are stored in your personal storage in MyGenomeBox when you purchase applications.

Information collected through tracking technology (e.g. cookies or similar technologies)

Besides information directly provided by the users, MyGenomeBox may collect information during the course when users use our Services.

As you interact online to our Services, we may use automatic data collection technologies to collect certain information about your equipment, browsing actions, and usage patterns. This data may include the following details below:

- Log Information. As is true of most platforms, we gather certain information automatically and store it in log files. This information may include internet protocol (IP) addresses, browser types, operating system, and date/time stamps. We may combine this automatically collected log information with other information we collected about you, such as your User profile ID or order number. We do this to improve the Services we offer you, and to improve marketing, analytics, and site functionality for your convenience.

- Web Behavior Information. MyGenomeBox uses cookies to help us recognize you, customize and improve your experience, provide security, and analyze usage of our Services. Users can control the use of cookies at the individual browser level. If you reject cookies, you may still use our site, but your ability to use some features or areas of our site may be limited. For more information, please read Section 4 “Cookies”.

Other Types of Information.

MyGenomeBox constantly strives to improve our Services with new products, applications and features that may result in the collection of new and different types of information. Our privacy statement and policies will be updated accordingly and as necessary.

3. Use of collected information

MyGenomeBox will use the collected information of users for the following purposes:

- For member management and identification (e.g. verifying your identity, providing you notices about your account, recognizing you when you return to our Services)
- To open your account, enable purchases, process payments, communicate with you, and implement your requests
- To host MyGenomeBox Platform, provide customized/personalized content and information, and track your usage of our Services
- To provide you appropriate search results and personalized contents
- To process your purchases
- To ship your purchases
- To perform quality control and quality improvement activities
- To provide information on promotional events, as well as, opportunities to participate in them
- To use information given by consent from users for relevant processes
- To detect and deter unauthorized or fraudulent use of or abuse of the Service
- For improvement of existing services and development of new services
- To give functional notice of matters on policy change for the Services of MyGenomeBox
- To comply with applicable laws and legal obligations

4. Sharing collected information

Only after you have explicitly consented us to do so, MyGenomeBox will share your DNA Data, registration information and self-reported information with our partners when purchasing Apps and other products on the MyGenomeBox Platform.

We will only share the DNA Data needed to provide genetic Reports using the Apps and not the complete set of your DNA Data. MyGenomeBox enters into written agreements with each partner where in which requires the partner to do the following:

- Maintain confidentiality and security of the DNA Data, account information and self-reported information provided.
- Only use the DNA Data, account information, and the self-reported information for the specific purposes that the user has authorized.

Other than your DNA Data, MyGenomeBox may disclose the registration information, self-reported information, and information about your usage of our Services only in the following circumstances:

- To contractors, service providers and other third-party vendors who support our Services (such as, for the payment processing and shipment of DNA collection kits), and who are bound by contractual obligations to keep personal information confidential where such use is only for the purposes of which we disclose to them.
- To buyers or successors in the event of a merger, divestiture, restructuring, reorganization, dissolution or other sale or transfer of some or all of MyGenomeBox’s assets; in which, personal information of users held by MyGenomeBox are treated as assets to be transferred. This Policy continues to apply for any information collected before and after such transfer takes place.
- When disclosure is found to be necessary or appropriate to protect the rights, property and/or safety of MyGenomeBox, our users and/or for the interest of the public. This includes exchanging information with other entities and organizations for the purposes of fraud protection and credit risk reduction.

MyGenomeBox may also disclose your personal information, including your DNA Data if under the following circumstances:

- To comply with a valid court order, law or legal process, provided that we will not disclose your DNA Data without a valid subpoena or search warrant specified to your DNA Data. If we are required to disclose your information, MyGenomeBox will do our best to provide you with advance notice, unless we are prohibited by law from doing so.
- To enforce or apply our Terms of Service and other necessary agreements.

Other than as described above, MyGenomeBox will not share your personal information to any persons or entities for any purpose under any circumstances.

5. Cookies

We may collect collective and impersonal information through 'cookies'. Cookies are very small text files to be sent to the browser of the users by the server used for the operation of the platform of the Company and will be stored in hard-disks of the users' computer.

These functions are used for evaluating, improving services and setting up users' experiences so that much improved services can be provided by MyGenomeBox to the users. The items of cookies to be collected by the Company and the purpose of such collection are as follows:

Strictly necessary cookies. This cookie is a kind of indispensable cookie for the users to use the functions of the platform of the Company. Unless the users allow this cookie, the services such as shopping cart or electronic bill payment cannot be provided. This cookie does not collect any information which may be used for marketing or memorizing the sites visited by the users.

For example:

- Memorize the information entered in an order form while searching other pages during web browser session
- For the page of products and check-out, memorize ordered services
- Check whether login is made on platform
- Check whether the users are connected with correct services of the platform while we change the way of operating its platform
- Connect the users with certain application or server of the services

Functionality cookies. This cookie is used for memorizing the set-ups so that MyGenomeBox provides improved services for users. Any information collected by this cookie does not identify the users individually.

For example:

- Memorize set-ups applied such as layout, text size, basic set-up and colors
- Memorize when the customer respond to a survey conducted by the Company

The users have an option for cookie installation. So, they may either allow all cookies by setting option in web browser, make each cookie checked whenever it is saved, or refuses all cookies to be saved: Provided that, if the user rejects the installation of cookies, it may be difficult for that user to use the parts of services provided by MyGenomeBox.

6. Providing personal information to a third party.

When you purchase an app, your personal information may be provided as required by the developer to create an app report. The scope of personal information may vary by app, and this information will be indicated when you purchase an app.

Examples of personal information: height, weight, blood type, gender, age, name

7. Protection of Personal Information of Children

As a general principle, MyGenomeBox does not collect any information from children under the age of 13 or equivalent minimum age as prescribed in the laws in relevant jurisdictions. The Platform and the Services of MyGenomeBox are meant to be provided to the general public who are mature of age. The Platform and applications of MyGenomeBox have an age limit function to keep children from using our Services; hence, MyGenomeBox does not intentionally collect any personal information from children and minors.

If you learn that anyone younger than 13 has unlawfully provided us with his/her personal data, please do not hesitate to contact us as we will take quick measures to delete such provided information.

If, in order to exercise the above options, you, as an user, use the menu of ‘My Account’ in webpage or contact the Company by using representative telephone or sending a document or e-mails, or using telephone to the responsible department (or person in charge of management of personal information), the Company will take measures without delay: Provided that the Company may reject the request of you only to the extent that there exists either proper cause as prescribed in the laws or equivalent cause.

8. Data Retention

MyGenomeBox may retain information pertaining to you for as long as it is necessary for the purposes described in this Policy. This may include, and is not limited to, keeping parts of your information after you have deactivated your MyGenomeBox account for the period of time needed for MyGenomeBox to pursue legitimate business interests, conduct audits, comply with (and demonstrate compliance with) legal obligations, resolve disputes and enforce relevant agreements.

If you ask us to unsubscribe from your account on our Membership Page, we will immediately delete and process your data. We will block online exposure of your personal information such as your membership information and reports, and your personal information will be permanently deleted at the end of the settlement with our app partner for compliance with our legal obligations or for settlement of disputes.
However, genomic files will be preserved for research and statistical purposes in a form that can not be identified by individuals through an intangible process. The withdrawn member's data is immediately deleted after membership withdrawal. However, the data can be kept for 35 days as a backup copy in case for urgent system recovery. At this time, backups are not exposed online and user access is not allowed.

9. Users' Right to Access and Exercise Options

You, the user, or your legal representative, as a main agent of the information, may exercise the following options you are entitled to regarding the collection, use, and share of personal information by MyGenomeBox:

- Data access rights
- Right to restrict processing
- Right of rectification
- Right to erasure (right to be forgotten)
- Right to object to processing
- Right to withdraw consent; and
- Data portability rights

For you to exercise the above options, please go into ‘My Account’ in the webpage, or contact our MyGenomeBox Information Department by telephone, post-mail, or e-mail. MyGenomeBox will take quick measures without delay, provided that, we have the discretion to reject your request only to the extent that proper cause exist under laws and regulations or for a cause equivalent.

For those of you who are European users or users under the E.U.-U.S. Privacy Shield, you have certain legal rights: to obtain information about whether we hold your personal information, to access personal information we hold about you, and to obtain its correction, update, amendment or deletion under appropriate circumstances. Please bear in mind that some of these rights may be subject to some exceptions or limitations. We will do our best to process your request to exercise these rights within reasonable time (and in all cases within 30 days of receiving the request). Please take into account that in some cases, due to the complexity and overflow of requests, it may take more than 30 days to complete your request. In such cases, we will notify you of the necessary extension and the reasons for such delay.

10. International Data Transfer

The IT Infra Service Platform of MyGenomeBox is based on the Amazon Web Service (AWS). AWS abides by the Privacy Shield, and MyGenomeBox is jointly responsible with Amazon in keeping secure the international data transfer and storage. We also protect your personal information through strict access control and encrypted communications and storage.

Your personal information MyGenomeBox collects is saved and stored in a data center situated in the U.S. which is provided by a cloud service provider.
Your registration to our Services signifies your consent and agreement to us storing your personal data in our data center. However, without your explicit consent, we do not transfer your stored data cross borders. (Articles 44~49)

∙ Reference Link
AWS Security & Compliacne: https://aws.amazon.com/ko/compliance/pci-data-privacy-protection-hipaa-soc-fedramp-faqs/

11. App Partner’s Information

To purchase an App Report means you are ordering the App Partner to carry out the relevant service by providing the App Partner your DNA Data. It is during this process where international data transfer may happen depending on where the App Partner is located. If in case an App Partner is one beyond the scope of our Service Platform, we suggest you to check if they provide proper safety measures.

What kind of information do APP Partners collect?

DNA Data. Instead of collecting the whole set of DNA Data, App Partners only collect a part of the DNA Data needed to provide the specific App Report. Such collection of data depends on your explicit consent to purchase the App Service, where, then, the data stored in MyGenomeBox is technically transmitted safely to the relevant App Partner. Also, as we do not provide the App Partners your registered information, we handle the transmitted information in order that the App Partners cannot distinguish or recognize the subjects of the provided DNA Data.

To send your DNA Data to an App Partner may mean that your DNA Data may be internationally transferred to the App Partner depending on where the App Partner is located. If you cannot check whether there are appropriate security measures regarding the cross border transfer of your DNA Data, you have the option to not purchase the specific App. For any inquiries regarding this matter, please contact our Customer Service as we will be happy to assist you.

Information on Payment Confirmation of App Purchase. App Partners do not collect complete information relevant to the methods of payment, such as credit card information, nor any information distinguishing an individual user. However, they are permitted to read information that has been handled with anonymity to confirm on the approval of requests, processed results, and the purchased contents, etc.

Information Following App Report Analysis. Information such as the technical log information needed in the analysis process to make App Reports, and the data transmission records needed to communicate with MyGenomeBox are collected. However, within these information, there is not one information where the subject of the DNA Data can be distinguished and identified.

How does an App Partner use the collected information?
Collected information is used only under restricted purposes. MyGenomeBox and App Partners take firm technical, physical and managerial measures to protect personal information. The purpose of the approved (by you) transmission of your DNA Data is to issue the App Report after you have purchased the App by explicit consent. The purpose is completed when your App Report is issued to you. Other than such purposes, App Partners are no longer allowed to use your DNA Data.

Length of Period for Temporary Data Storage. The App Reports made under your requests are safely transmitted to MyGenomeBox to your storage, where you can always log-in and access/download your App Report in ‘My Page’. Moreover, App Partners are required to immediately delete your DNA Data and App Reports that were temporarily saved with the App Partners during the period of DNA analysis until the successful delivery of the App Reports to you.

With Whom Do App Partners Share Information?
App Partners are only restricted to handle personal information for the purpose to provide you the App Report. Therefore, any other disclosure and sharing of information to third parties, other than for the aforementioned purpose, is strictly prohibited,

Are App Partners Processors?
App Partners are the Controllers of App Report Services and the Processors of your DNA Data. However, you, the user, is the Controller of your own DNA Data.

How Do You Exercise Your Rights With App Partners?
App Partners are under contractual obligations with MyGenomeBox, where they are prohibited from storing personal information of our users. Moreover, the information related to processed App Reports that App Partners have are in formats where no individual can be identified.

You may inquire to an App Partner whether your personal information has been deleted after the completion of the service; however, in that case, you may need to directly provide additional information to the App Partner regarding your App Report purchase history.

Besides the option to exercise your rights by directly communicating with an App Partner, you can inquire the MyGenomeBox Customer Service Team to check the terms with the specific App Partner on how your personal information is to be managed.

List of App Partners
You may check the updated list of our App Partners by referring to the link below.
Current App Partners (link)

12. Identifying The Data Controller And The Processor

In certain jurisdictions, the data protection laws differentiate between the “Controller” and the “Processor” of information. In general, the user is the controller of his/her DNA Data.

MyGenomeBox is the processor of our users’ data, while being the controller of other information needed.
The App Partner is the controller of the App Report Service and you, the user, is the controller of your own DNA Data.

For your reference:

Data Controller:

A Data Controller can be an individual, corporation, government institution, agency or similar entity who can either decide individually or in association to the purpose and the means to handle personal information (When in case the Controller directly handles personal information, the Controller then has a dual status to being both the Controller and the Processor.)

-Controller’s Duties: Guarantee compliance of GDPR standards when managing personal information in general settings and optimizing personal information protection; and implement appropriate technical and managerial measures to demonstrate the compliance (compliance of approved Code of Conduct or to a system of certification).

Joint Controller: When in case more than two Controllers jointly decide on the purpose and the handling of personal information, the Joint Controllers must decide in transparency, through negotiations between the Controllers, what each roles and duties are to comply by under the GDPR (the core contents of negotiations must be provided to the owner of the information. Regardless of the negotiated content, the owner of the information is allowed to exercise his/her rights directly to each individual Controller; however, extraneously, joint responsibility will exist.)

Data Processor :
A Data Process can be an individual, corporation, government institution, agency or similar entity that manages and handles personal information on behalf of the Controller.
On behalf of : means to handle something entrusted by the Controller or for the benefit of the Controller
** When in case a Processor violates the GDPR regulation by deciding on its own how and for what the personal information should be handled, the Processor shall be considered as a Controller regarding the relevant personal information.

The third party
Third Party: Defined as a party (individual, corporation, government institution, agency or similar entity) who is provided the personal information that is not the owner of information, Controller, Processor, or an entity granted direct rights from Controller and/or Processor to handle the information (someone who is not a Controller, Processor, nor one who has any rights to the information).
ex: marketing agency, outsourcing company, outsourcing developer, etc.

Sub-Processor
To support efficient delivery of our Services, MyGenomeBox may engage with and use Data Processors, where we grant them access to certain data of users (such Data Processors shall be called, “Sub-Processors"). Please refer to the table below for information about each Sub-Processor we cooperate with.

MyGenomeBox currently uses third party Sub-Processors to provide our users infrastructure services and to assist in providing efficient email services. Nonetheless, prior to engaging with any third party Sub-Processors, we evaluate on their privacy, security and confidentiality practices and diligence, and henceforth, execute contractual agreements enforcing applicable obligations and duties.

Infrastructure Sub-Processors
We may use the following Sub-Processors to host our users’ data and/or provide other infrastructures that support and facilitate us in the delivery of our Services:

13. Terms of Consent

You, the user, consent to the use, sharing and deletion of your personal information by the use of cookies, IP addresses and log files as described under this Policy.

As the MyGenomeBox server is located in the U.S., you agree and consent to that your personal data will be saved and stored in the U.S.

Following your request and order for an App Report, your data will be transmitted to the App Partner. The region where your Data will be processed may vary depending on where the specific App Partner is situated.
You agree that your personal data may be transmitted and handled within the U.S. in specific locations mentioned in the List of App Partners.

You agree and consent to your data being transmitted to a Data Processor in countries, including the U.S., that do not have data protection laws under similar protection standards as the E.U. Your consent is voluntary, and you may cancel or revoke your consent any time you want. Please take note that once you revoke your consent, we may not be able to provide you the Services any longer.

When you activate cookies in the web browser, you are consenting to the use of cookies by MyGenomeBox as explained previously.

14. Security

MyGenomeBox uses various methods in keeping your information as private and secure as we can by being up to date with the current industry standards. Our methods include encryption of data being transferred (when sending) and when it is at rest (when being stored). We also have strict authentication requirements when granting access to any data. MyGenomeBox occasionally runs test drives to check how secure our system is in order that we may be updated and discover to find areas of weakness to fix. We will also undergo tests of our partner systems to check their security.

MyGenomeBox limits access to your information to it’s employees and contractors, who are granted restricted access in order to process their specific roles to provide you of our Services. In addition, we go beyond the industry standards to physically, technically, and procedurally secure your account information, self-reported information, DNA Data, and other personal information to prevent from accidental loss, unauthorized access, use, alteration and disclosure of personal information.

The transmission of information by the internet is not a 100% guarantee of security. Thus, MyGenomeBox continues to evaluate and identify improved security techniques and measures to protect your personal information. Nevertheless, we cannot guarantee you that your information will not be accessed, altered or lost through a breach of any of our physical and electronic safeguards. We also cannot guarantee a Partner’s ability to secure and protect your information. You should bear in mind to review with care each Partner’s privacy policy and security practices.

15. Security Incident Notification

MyGenomeBox notifies the relevant user in the event of any unauthorized access to the user Data, processing equipment and/or facilities resulting in loss, disclosure, or alteration of personal data.

The Content of User Notification are as follows:

- Description of the incident
- Time period
- Results of the incident
- Name of the reporter
- To whom the incident was reported
- Steps taken to resolve the incident (including the person in charge and the data recovered)

If there are any incidents of security, we will make a notification on the bulletin board of the Platform or send individual notice through e-mails within 72 hours of the incident.

16. Modification of Privacy Policy

MyGenomeBox has the right to amend or modify this Policy as requires; and in such cases, we will notify our users through the Platform’s bulletin board (or through individual notice sent by written letter or document, fax, and/or e-mail) and obtain relevant consent from users when required by law.

Whenever the Policy is modified in a material way, a notice about the modification will be posted for 30 days on the log-in page of the account of users. After 30 days, the changes will become effective. All users will receive a notification email about the changes prior to the change becoming effective.

17. Contact Information

In order to handle complaints and protect personal information of its customers and/or users, MyGenomeBox designates the following department and representative to be in-charge of such matters of personal information:

- Department: Customer Service
- Tel: +82-32-715-6335
- E-mail: info@mygenomebox.com
- Chief Information Security Officer (CISO), Chief Privacy Officer (CPO): Young Tae, Park
- CISO Tel: +82-32-715-6335
- CISO E-Mail: yt.park@mygenomebox.com

Link: Please refer to the previous version of the document.