Privacy Statement
Introduction
1.1 General
BioRICS NV (hereinafter “We” or “Our” or “Us”) understands that your privacy is important to you and that you have concerns about how your personal data are used. We respect and value the privacy of everyone who uses our Website, Platform and Applications (hereinafter ¨Services¨). When you use Our Services, We will only collect and use personal data in a manner described here and in a manner consistent with Our obligations and rights under applicable privacy laws.
This Privacy Statement applies when We act as a data controller for the processing of personal data of Our Services, in other words, when We determine the purpose and means of processing the personal data.
Transparency in the processing of personal data is a crucial part of the General Data Protection Regulation (EU Regulation 2016/679 the “GDPR”) and all other applicable national laws that affect the processing of personal data, such as the Belgium Law of 30 July 2018 on the protection of natural persons with regard to the processing of personal data (the “Law of 30 July 2018¨) The premise of this Privacy Statement is that your personal data will be processed in accordance with the relevant laws and regulations. It also takes into account principles such as proper and careful processing.
Please read this Privacy Statement carefully and make sure you understand it.
1.2 What are personal data?
Personal data are defined in the GDPR as “any information relating to an identifiable person who can be identified, directly or indirectly.” Personal data, in simpler terms, are any information about you that allows you to be identified. Personal data refers to obvious information, such as your name and contact details, as well as less obvious information, such as identification numbers, electronic location data, and other online identifiers.
2. Contact details
Our Services are offered and operated by BioRICS NV. We are registered in Belgium under registration number 0880.194.826 and our registered office is located at Technologielaan 3
3001 Heverlee.
You can contact us:
- by email, to info@biorics.com
- via the contact form on our website
- by telephone, at 016 39 58 54
The contact details of our Data Protection Officer are:
Name: de Juristen
Address: Heernislaan 19, 9000 Gent, Belgium
Tel: +32 09 298 04 58
Email address: dpo.biorics@dejuristen.be
3. What personal data are processed?
Depending on your use of Our Services, We may collect and store the personal data listed in the categories below, specifying for each category the method used to collect the data. See Our Cookie Statement for more information on Our use of cookies and similar technologies.
Fitbit data
- Heart rate
- Activity and exercises (steps)
How do we collect the data?
We will receive the data from Fitbit when you log in via your Fitbit account. We will assign an ID to your data (the data will be processed in a pseudonymized manner).
Mindstretch data:
- Fitbit data
Data concerning your mental energy, recovery and sleep quality
How do we collect the data?
We will receive the data from Fitbit when you log in via your Fitbit account. By analyzing the data, we will create data concerning your mental energy,recovery and sleep quality.
Comparison data:
- Gender;
- Year of birth;
- Height;
- Weight;
- Work industry (optional).
We receive these data directly from you when you provide the information through the Mindstretch Application.
Gender, year of birth, height and weight are required fields, the work industry is only optional for you to provide.
Profile data:
- Events & emotions to detect the main energy-takers
How do we collect the data?
You can ‘label’ events & emotions in our Mindstretch Application to detect Your main energy-takers. These data are provided by you. The more context is added, the better the system can give feedback.
Coach Contact data (optional):
- First name or nickname;
- Surname.
We receive these data directly from you when you provide the information through the Mindstretch Application. These Coach Contact data are only optional for you to provide.
Infection data (when you use the application BioRICS InfectAlert):
- Mindstretch;
- Symptoms;
- Test results;
- Whether the algorithm detects an infection (infection results);
How do we collect the data?
We will receive the Fitbit data from Fitbit when you log in via your Fitbit account. The other data will be provided by you to us so We can analyze and give you information whether you are infected.
Technical Data:
- IP address
- browser type and version
- operating system
- reference source
- duration of Your visit page views and website navigation paths, as well as information about the timing, frequency, and pattern of Your use of the Services
How do we collect the data?
We process these data by using cookies. Please see our Cookie Statement
Communication data:
includes the content of the communication (usually email address name and last name) and the metadata associated with the communication.
How do we collect the data?
We process these data when you contact us via Our application, contact forms, or email.
Direct marketing data:
- First Name;
- Last Name;
- E-mail address.
How do we collect the data?
We process these data when you give us consent to send you direct marketing e-mails.
4. How do we use personal data?
According to the GDPR, We must always have a lawful basis for the use of personal data. The underneath list describes how We may use your personal data, and which legal basis We rely on.
1. To register you on our applications and to provide and manage your account, we use Fitbit data.
– Legitimate basis is the Consent you give.
– Retention period of the data is from the date you last logged in to your account. Your personal data is kept for 2 years. After this period, your personal data is fully anonymized and used for scientific research.
2. In particular for BioRICS Mindstretch, we provide information on energy use, based on objective measurements from the body and make analyses of these data so that you can see the results in Our Application.
– We use Mindstretch data and profile data.
– Legitimate basis is the consent you give.
– Retention period of these data is from the date you last logged in to your account. Your personal data is kept for 2 years. After this period, your personal data is fully anonymized and used for scientific research.
3. In particular for BioRICS InfecAlert (infection monitoring): we provide feedback on infection vulnerability and the detection of infection and make analyses of these data so that you can detect infections at an early stage via Our Application.
– We use Mindstretch data and Infection data.
– Legitimate basis is the consent you give.
– Retention period of your personal data is 2 years. After this, the data is anonymized and used for scientific purposes only.
4. We give you personalized advice based on the analysis of the data. This motivates you to take action and manage the individual energy balance in a result-oriented way.
– We use either Infection monitoring data or Mindstretch data (depending on the application that you are using).
– Legitimate basis is the consent you give.
– Retention period of your personal data is 2 years. After this, the data is anonymized and used for scientific purposes only.
5. To provide you with more tailored reports, where your results are compared with the average results of persons of a similar target group (based on gender, year of birth, height, weight and optionally work industry).
– We use comparison data.
– Legitimate basis for this is the consent.
– Retention period is 2 years from the date you last logged into your account. After this period your personal data will be fully anonymized and used for scientific research only.
6. To allow the coach – only when you have consented to share data with a coach – to address you appropriately. Note that it is not always clear from the e-mail address who you are.
– We use Coach contact data.
– Legitimate basis for this is the consent.
– Retention period is 2 years from the date you last logged into your account. After this period your personal data will be fully anonymized and used for scientific research only.
7. To manage our services, including quality control, the improvement and development of our services,
– We use technical data.
– The legitimate basis for this is twofold: your consent (for strictly necessary cookies) and our legitimate interests (for not strictly necessary cookies), so that the application functions technically in accordance with nthe ecessary cookies as referred to in Our Cookie Statement.
– Retention period: we refer to this Cookie Statement.
8. To communicate with you, we use communication data.
– Legitimate basis is the interest to respond to requests, questions, or comments or to contact you for inquiries of any kind (e.g., when you contact us via phone or email). We keep your personal data for 2 years.
9. We provide you with information via email for which you have given permission (direct marketing). You may opt-out at any time via the link in the e-mail.
– We use direct marketing data.
– Legitimate basis is the consent you give. Your data will be processed until you unsubscribe.
As you can see, there are several activities where personal data are processed. We endeavor to pseudonymize data in activities where we don’t need to know who the data subject is.
In addition, We may process your personal data where necessary to comply with a legal obligation to which We are subject. Besides, BioRICS may process the data in a completely anonymous way (this means that the data cannot be linked back to you) for scientific research.
5. Processors
A processor is a natural or legal person who processes personal data at our request or on our behalf. We may sometimes contract with this party to provide certain products and/or services. In other words: We use processors because it is necessary for the provision of Our Services. In this case, We will enter into a written agreement with the processor whereby the security of your personal data is guaranteed by the processor. The processor will always act in accordance with Our instructions.
We use the following categories of processors:
- Companies we have engaged for marketing purposes;
- Companies we have engaged for ICT -technical support and hosting purposes;
- Companies we have engaged for administrative purposes (e.g., CRM system);
- Companies we have engaged for communication purposes (e.g., live chat on the website);
- Companies we have engaged for logistics purposes (e.g., order picking, delivery, etc.);
- Companies we have engaged for analytical purposes, which will analyze the personal data for Us;
- Companies we have engaged for payment purposes.
6. Providing your personal data to third parties
We will not share your personal data with third parties other than processors, for any purpose, subject to the exceptions below.
When your Account on Our Application is linked to an employer, We will be contractually required to share anonymous statistical reports about the result with your employer. These reports will not contain identifying personal data of you but only average balance scores within the company. That is, only average results calculated over all participating employees within the company or within a certain department of the company.
In some situations, We may be required by law to share certain personal data, including yours, if We are involved in legal proceedings or to comply with legal obligations, a court order, or the instructions of governmental authority.
7. International transfer (outside EEA) of your personal data
We will only store or transfer your personal data within the European Economic Area (the “EEA”). The EEA consists of all EU member states plus Norway, Iceland, and Liechtenstein. This means that your personal data will be fully protected under the AVG or according to equivalent legal standards.
8. Security of your personal data
We will take appropriate technical and organizational measures to secure your personal data and to prevent the loss, misuse, or alteration of your personal data.
When processors have access to your personal data, it is always pseudonymized, except when it is necessary to identify data subjects (for example, to disclose results or to give personalized advice). This means that the processor receives and processes the personal data so that the personal data cannot be linked to a specific data subject without the use of additional data. Only BioRICS has the additional data to identify a person.
9. Changes
We may update this policy from time to time. This may be necessary, for example, if the law changes, or if We expand or modify Our Service in a way that affects the protection of personal data. Any changes will be posted on Our website. We recommend that you check this page occasionally to ensure that you are happy with any changes to this privacy statement.
If We have your email address (e.g. because you have an account for Our Services or because you have subscribed to our online newsletter) We will undertake to notify you of any significant changes to our Privacy Statement by email.
10. Your Rights
Some rights are complex and not all details are included here. Therefore, please read the relevant provisions and guidelines of supervisory authorities for a full explanation of these rights.
Your most important rights under the AVG are:
A. the right to information and access;
B. The right to correction;
C. The right to erasure (oblivion);
D. The right to restrict processing;
E. The right to object to the processing;
F. The right to data portability;
G. The right to lodge a complaint with a supervisory authority, and
H. The right to withdraw your consent.
You may exercise your rights with respect to your personal data by written notification to us. See Chapter 2 for contact information.
We will respond to your request within one month after receipt of your request. Normally, We strive to provide a complete response within that time. However, in some cases, especially if your request is more complex, more time may be required, up to a maximum of three months from the date We receive your request. You will be kept fully informed of your progress.
10.1 The right to information and access
You have the right to confirm whether or not We are processing your personal data and, where We are doing so, to access the personal data, together with certain additional information. This additional information includes details of the purpose of the processing, the relevant categories of personal data, and the recipients of the personal data. Provided that the rights and freedoms of others are not affected, We will provide you with a copy of your personal data. The first copy will be provided free of charge, but additional copies may be provided for a reasonable fee.
10.2 The right to correction
You have the right to have inaccurate personal data about you corrected and, taking into account the purposes of the processing, to have incomplete personal data about you completed.
10.3 The right to erasure
In some circumstances, you have the right to have your personal data deleted without undue delay. These circumstances include: the personal data are no longer necessary in relation to the purposes for which it was collected or otherwise processed; you withdraw your consent to processing based on consent; you object to the processing under certain rules of applicable data protection law; the processing is for direct marketing purposes, and the personal data have been unlawfully processed. However, there are exclusions to the right to erasure. The general exclusions include where processing is necessary: for the exercise of the right to freedom of expression and information; for compliance with a legal obligation; or for the establishment, exercise, or defense of legal claims.
10.4 The right to restrict processing
In some circumstances, you have the right to restrict the processing of your personal data. These circumstances are: you dispute the accuracy of the personal data; the processing is unlawful, but you oppose its erasure; We no longer need the personal data for our processing, but you need personal data for the establishment, exercise, or defense of legal claims; and you have objected to the processing, pending verification of that objection. If processing is restricted on this basis, We may continue to store your personal data. However, We will only process them in other ways: with your consent; for the establishment, exercise, or defense of legal claims; for the protection of the rights of another natural or legal person; or for reasons of substantial public interest.
10.5 The right to object to the processing
You have the right to object to Our processing of your personal data for reasons relating to your particular situation, but only to the extent that the legal basis for the processing is that the processing is necessary for the purposes of the legitimate interests pursued by Us or a third party. If you raise such an objection, We will cease processing the personal data unless We can demonstrate that there are compelling legitimate grounds for the processing that outweigh your interests, rights, and freedoms, or that the processing is for the establishment, exercise, or defense of legal claims.
In addition, you have the right to object to our processing of your personal data for direct marketing purposes (including profiling for direct marketing purposes). If you object, We will cease processing your personal data for this purpose.
Furthermore, you have the right to object to our processing of your personal data for scientific or historical research purposes or statistical purposes for reasons relating to your particular situation, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
10.6 The right to data portability
To the extent that the legal basis for our processing of your personal data is based on:
(a) consent; or
(b) that the processing is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract, and such processing is carried out by automated means, you have the right to receive your personal data from us in a structured, commonly used and machine-readable format. However, this right does not apply where doing so would compromise the rights and freedoms of others.
10.7 The right to lodge a complaint with a Supervisory Authority
If you believe that our processing of your personal data is in breach of data protection legislation (GDPR), you have the right to lodge a complaint with a Supervisory Authority responsible for data protection. In Belgium, the Supervisory Authority is the Gegevensbeschermingsautoriteit (GBA).
GBA Contact Details
Data Protection Authority
Rue du Printing 35, 1000 Brussels
+32 (0)2 274 48 00
contact@apd-gba.be
https://www.gegevensbeschermingsautoriteit.be
If you are a resident of another Member State, you can contact your national Supervisory Authority for the protection of personal data.
10.8 The right to withdraw your consent
To the extent that the legal basis for our processing of your personal data is consent, you have the right to withdraw such consent at any time. Revocation does not affect the lawfulness of the processing before the revocation.
11. Personal data of minors
We only process personal data of persons under the age of 13 if written consent has been given by the parent, guardian, or legal representative.
If we have reason to believe that we are holding the personal data of a person under that age in our databases, we will delete that personal data.