Living DNA Privacy Statement
Part A - Introduction
Very simply, our aim in this statement is to explain what personal information we hold, why we hold it, what we do with it, and how we protect it. By personal information we mean information from which you can be identified.
We may also provide you with supplemental information about use of your information in particular circumstances or in connection with specific services. An example of this is that if you choose to use our Family Networks service, we will provide additional information on the privacy of your data that is specific to that service.
This statement does not include details of:
- Information which you separately authorize us to use for research purposes.
We see ourselves as custodians of your personal information, which remains yours at all times; our role is primarily to be your DNA partner.
Regulatory background: GDPR
The EU General Data Protection Regulations (which are known as GDPR) apply to us when we collect or use personal information. The regulations were introduced to protect people’s data. GDPR describes business such as ours, who determine why and how personal information is used, as ‘controllers’, and the use of personal information as ‘processing’. Processing includes collecting information, storing it, disclosing it, using it and destroying it.
The regulations say that information should only be processed in one or more specified circumstances, which are known as ‘lawful bases’. The lawful bases on which we may process your personal information include:
- Where you have given your consent. We have shortened this to ‘consent’ in the statement)
- Where necessary to carry out the terms of a contract, for example the contract for us to provide services to you. We have shortened this to ‘perform contract’.
- Where necessary to comply with a legal obligation. We have shortened this to ‘comply with law’
- Where we or someone else has a legitimate interest which is not overridden by your interests. We must always balance your interests and rights with our interests if we are to process your information on this basis. We have shortened this to ‘legitimate interest’.
In this statement we have grouped the types of personal information that we may hold into broad categories. The categories are:
- General information including contact information
- Payment and transactional information
- Information related to administering your account/providing our services including your genetic information
We also collect, use and share aggregated data such as statistical data. Aggregated Data could be derived from your personal data, including your genetic data, but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your genetic data and use that information in our laboratories for validation and verification purposes and we aggregate genetic data from a particular country of origin and use that information to help us improve the accuracy of our testing may and generally to improve our services and to develop new services. Other examples of how we use aggregated data are for business management, planning and tracking purposes.
Part B - What personal information we hold, and how we use it
General contact information/communication records
This may include, address, phone number, email address, communications consent and other information that you may provide to us during routine communications such as when you ask us to respond to a query.
When we obtain this information
We collect some or all of this information, depending on the circumstances, when you ask us a query, whether by phone, or email, using the contact from on our website, by letter or in person, or when you opt to join one of our mailing lists or provide consent for us to send marketing material to you. We retain copies of all communications, and so will have any personal information which you include in communications you share with us.
We also obtain some of this information (your name and address) if someone orders a DNA test and asks us to send a DNA sampling kit to you. Please be aware, the choice to take a DNA test is always yours.
We record telephone calls to our customer services team, and if you provide your name or contact details and other personal information, these will be recorded.
|How we use this general information||Our lawful basis||What is our legitimate interest?|
|To communicate with you, and to investigate and respond to your queries|
Perform contract (where you have placed an order or opened an account)
|To provide information which you have requested, and to respond to your queries.|
|We record telephone calls with our customer services team for monitoring, training, supervision and for verification purposes. We may need to refer to these recordings if there is any dispute between us.|
Comply with law
|To maintain high standards on our calls, and to be able to evidence what occurred in the event of a dispute.|
|Where you opt to receive information including marketing communications from us, to send this information to you.|
|To promote our services and broader industry awareness|
|We ask you to consent to various actions, including us sending you marketing communications, and retain records of the consents that you give.|
Comply with law
|To maintain accurate records of what consents we have to perform our business activities|
|To deliver a sampling kit to you, and to maintain a record to show that we have done so||Perform contract|
|To send you surveys and other requests for information||Legitimate interest||To improve our services|
If you use our DNA services, including opening an account with us, we will hold your billing address, and shipping address the following information in addition to the general contact information already described, and we will use your name and contact details for additional purposes as described below.
|How we use this information||Our lawful basis||What is our legitimate interest?|
|We use your name and address for identification purposes|
|Using names and address to identify our customers is necessary for the efficient and secure running of our business systems.|
|We use your general contact information to maintain your account with us||Perform contract|
|We record your name and other contact or identification information on records of your interactions with us, including records of services you order, and consents you provide to us|
Comply with law
|To maintain records of orders you place, and consents that you have given to us, and to maintain an accurate record of our interactions and of the services that we provide to you|
|If you choose to receive a printed copy of your results, we use your shipping address to send these to you.||Perform contract|
|We use your general contact information to deliver our service in accordance with our Terms||Perform contract|
|We use your general contact information to exercise and if necessary to enforce our rights under our Terms and to handle any complaints or disputes that may arise|
|To responsibly manage our business by enforcing our rights under our Terms, including defending any claims that may be brought against us.|
|We may also use your contact information and account information to determine what services to promote to you, and what information to display on your account||Legitimate interest||To promote our business interests, and to appropriately target communications|
Payment information and financial records
When you make payment by card online, your details are processed by a third party payment provider; we do not receive any details other than the last 4 numbers of your card (in some cases) and your billing address (in some cases).
If you make a card payment by phone or in person, we will receive your card information, but will process it through a third party payment provider, and will receive only the information that we would receive if the payment were made online (see above).
Where possible we process refunds in the same manner as payments, otherwise we make the payment by bank transfer.
If you make a payment, we pay a refund to you by bank transfer, we receive your account name, and payment details. This will be recorded on our bank statement.
We create and retain records of the transactions which you enter into with us, including details of payments owing and made.
|How we use this information||Our lawful basis||What is our legitimate interest|
|We use your name and address for financial record keeping purposes||Comply with law|
|We use your payment information to process payments and refunds to you|
Comply with law
|We record details of our financial transactions with you which will include your name, email, address and payments made or owing|
Comply with law
|To maintain accurate financial records|
Information relating to services, including genetic information
If you take a DNA test with us, or upload your genetic information to our site we will also collect/ hold depending on the circumstances/service:
- Your age
- Your gender
- Information about your parents, if you choose to provide this.
- A barcode (see below for further details)
- Your mouth swab/other biological sample
- Your DNA sample which is extracted from your mouth swab
- Your genetic data
- Your reports/results
- Information that you voluntarily provide to us in response to any questions we may ask you. We will provide you with information about how we will use and retain this data at the time that we ask request it. We do not provide further information in this statement.
|How we use this information||Our lawful basis||What is our legitimate interest|
We ask for the gender of any person being tested or who uploads their data to our site. We use this information as part of our quality control and verification processes by which we check the accuracy of our results. Further, this information helps us to know what reports to provide, as some are gender specific.
We use the age of the person being tested to determine if our internal processes in respect of minors should be followed.
We also use it to improve our services and to make them more accurate.
Comply with Law
|To maintain effective internal controls, and to improve our services.|
We give you the option of providing details about your parents
|To provide a better service to you, and to improve our service generally.|
|We use a barcode to identify your account as part of our processes for protecting your privacy. Instead of storing your genetic information using your name as the identifying reference, we use a barcode. We keep separate records which link your barcode to your account with us. Our laboratory is not given your name, only the bar code. In this way we are able to limit the number of people who can see your name in connection with your genetic data.|
|To protect the privacy and security of our customers’ data.|
|We use the mouth swab that you return to us to extract your DNA Sample.||Consent|
|We analyse your DNA sample to derive your genetic data, and if sufficient DNA material remains, we will store your DNA sample.||Consent|
|We use your genetic data to provide you with your results. If you maintain an account with us, we will store your genetic data for you. We may use it to update your results (if applicable), and to provide further services which may require your data to be further analysed. We will seek your consent before processing this data to provide you with any other services other than to update your results.||Consent|
We produce your results/reports including ancestry reports based on your genetic data, and provide these to you through your account, or by way of printed book.
We will not process your genetic data so as to derive any personal information about you, unless it is necessary to provide you with the service that you have requested us to provide, or as separately and specifically requested by you. This may include if we offer further services that make use of the data, and you specifically choose to make use of these services.
- If you have an account with us, you can make choices about what whether or not we may contact for you for marketing purposes through your Living DNA account.
- You may receive marketing communications from us if you have requested information from us or purchased services from us and you have not opted out of receiving these communications.
- You can ask us or third parties to stop sending you marketing messages at any time through your Living DNA account, or by contacting us, OR by following the opt-out links on any marketing message sent to you.
Changes in why we use your information
We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.
If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal information without your knowledge or consent, but only where this in compliance with the above rules, where this is required or permitted by law.
Part C - How we collect your information
We use different methods to collect data from and about you including through:
- Direct interactions. You may give us your personal information by filling in forms or by corresponding with us by post, phone, email, or otherwise. This includes personal information you provide when you
- order our services;
- upload your genetic data to our site, or provide a DNA sample to us
- create an account with us;
- subscribe to one of our publications;
- request marketing to be sent to you;
- enter a competition, promotion or survey; or
- give us feedback or contact us.
- Third parties or publicly available sources. We may receive personal information about you from various third parties and public sources including:
- Information from:
- analytics providers such as Google;
- advertising networks; and
- search information providers
- providers of technical, payment and delivery services
- information from publicly available sources
- Information from:
Part D - Sharing your information
In this section we provide information on who we share your information with, and why.
1. Service providers
We use a range of service providers and consultants in order to help run our businesses and to provide our services. We require all third-party service providers to respect the security of your personal information and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal information for their own purposes and only permit them to process it for specified purposes and in accordance with our instructions.
These service providers include:
Our laboratories & biological storage facilities
We use fully accredited professional laboratories to receive your mouth swab sample, to extract your DNA from the sample and to provide your genetic data. They also receive your gender. They store your DNA sample for us (and may also retain your gender) for up to 10 years.
We have laboratories based in the US and in Europe. Generally, samples sent to us from the USA will be received and processed by our laboratory in the US, and samples sent to Us from the rest of the world will be processed in the EU.
We may send samples from Europe to our laboratory in the USA provided that they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between Europe and the US, For further details, see European Commission: EU-US Privacy Shield.'.
Shipping and printing
We use specialist logistics service providers to deliver sample kits to you, and your results in book format (where you order this service), and to ship other physical products for us. This includes specialist partners who we appoint to receive samples from our customers, and arrange for their secure shipment on to our laboratories.
We also use specialist printers to print results in book format.
‘Cloud’ based service providers
We use ‘cloud’ based storage providers to securely maintain the information held within our databases, and this will include your personal information including your genetic information.
Please see ‘Security of your information’ below [ link] for further information on security aspects of our cloud storage arrangements.
We also use service providers who assist us with our ‘cloud’ based infrastructure, and ‘cloud’ client support tools.
We may share information with our professional advisers including lawyers, accountants and insurance advisers. We do not routinely share genetic information with our professional advisers, but it would be possible that this could happen, for example if court proceedings relating to genetic data were to be brought against us.
Other specialist consultants and service providers
These include IT consultants, and service providers that assist us with marketing, analytics, and cyber security/fraud prevention. We may also in limited circumstances share personal information with our insurer.
Payment service providers
We use the services of payment processing companies to facilitate you making payment. These providers will use your contact and billing information including your credit card details to process your payment. When you make payment on line, your banking details are provided to that payment processing company, and not to us.
2. The Legal Process
There are circumstances in which we may be legally required to disclose information. Examples of this include where a we are subject to a binding court order, subpoena, or a legally binding direction by a regulator, and where we are required to share information with HM Revenue and Customs. We reserve the right to share personal information where we reasonably believe that we are legally required to do so. We may also share information where this is necessary for us to exercise or enforce our rights under our Terms or otherwise at law, or where we reasonably and in good faith consider that it necessary or appropriate to do so in order to protect the security of our site, customers or employees.
3. Change in Control
We may share your information with third parties to whom we may to sell, transfer or merge parts of our business or our assets or alternatively where we, buy or merge with other businesses. If a change happens to our business, then the new owners may only use your personal information in the same way as set out in this privacy statement.
When you share your information
You may also share your personal information including using tools available on our site. We are not responsible if you choose to share your information with other people.
We may share aggregate data with third parties, but only where you cannot be identified from this data. If we share aggregate data, we do not ever receive a payment for the data.
Part E - How long we keep your personal data
In this section we provide guidance on how long we are likely to retain your personal information. This generally depends on how and why the information is collected. Please also be aware that it takes up to a further 6 months from the dates specified in this section for information that is no longer required to be fully removed from our systems because we retain backup and archive files.
We may also retain limited personal information for a longer period than specified including to in the event of a complaint or if we reasonably believe there is a prospect of litigation relating to our relationship with you, or that the information may be needed to exercise or enforce our rights under our terms, or to perform contractual obligations. We may also retain information for a longer period where we are legally required to do so, and for audit and compliance purposes. Additionally, our laboratories may also need to retain information that they hold on our behalf for longer periods to comply with legal or regulatory requirements. We may also retain sufficient information to be able to evidence your account deletion request.
We retain information for the periods below:
1. General Information including contact information and communications will be:
- Information captured in recordings of telephone calls: up to 6 months from the end of the month in which the call happened.
- Information collected when you agree to join one of our mailing lists: we may retain this information so long as you remain on our mailing list.
- Contact information if you place an order/maintain an account with us:
- For so long as you have an account with us, and for 7 years after you close your account.
- Information collected to respond to an email or website query/records of our response (if you do not maintain an account with us): up to 2 years from the date the query is resolved.
- Your communications with us if you maintain an account with us: We may retain this information whilst you maintain an account with us.
2. Payment Information and financial records:
By law we have to retain financial records. This means that if you order a service for which we charge a fee, we must retain your name and contact details, any payment details we have, and transactional information for up to seven years after you place your last order for services, or make payment to us.
3. Information relating to services including genetic information:
We will retain personal information related to your account, gender and genetic data for so long as you retain or have management rights/privileges in respect of data held in an account with us, and for 6 months after that time. You can ask us to delete your genetic data at any time.
We will retain your DNA sample for 10 years after you provide it to us unless you close your account or ask us to destroy it sooner.
You can ask us to destroy your sample, and can still maintain an account and receive updates to your results if you have chosen that service.
If you ask us to also delete your genetic data, you can still maintain an account and access your results, but we will not be able to provide any updates to your result.
If you also ask us to delete your results, we will delete your account information and shut your account. We will destroy the records which link your barcode with your account.
Our laboratory may in certain circumstances retain your genetic data after you have asked us to destroy your data, but neither Living DNA nor the laboratory will be able to identify you from their or our records once we have destroyed the link between the bar code allocated to you, and your account.
We explain above how we may, in certain circumstances retain your information for a longer time than is detailed here, and how it also takes up to 6 months beyond the timeframes we specify for all data to be fully remove form our backup and archive systems.
Part F - Security of your information
Living DNA is committed to being a secure and trusted partner for your personal information, especially your genetic data.
How do we do this?
At the heart of how we protect your information is our commitment to International Standards set by ISO. We are certified to ISO:9001 for quality controls and ISO:27001 for information security. As part of our ISO accreditation, audits and reviews are conducted of all relevant third party service providers to check that they meet our strict requirements. We use a combination of technical, physical and organisational measures to protect the security of your information.
Physical and organisational measures help protect against social engineering attacks whereby an unauthorized person gains access to restricted information or physical location through psychological manipulation of authorised individuals. These measures include security clearances, extensive training and physical security measures and are subjected to rigorous external audits throughout the year.
Technical measures implemented to protect your information include:
- Security by design
- Separation of Concerns & Pseudonymization
- Monitoring and Alerting
- Proactive Vulnerability and Penetration testing
What is security by design?
Software has been designed and implemented with a security first process with the expectation that malicious third parties will attempt to exploit the system. This includes minimising permissions and access to data for internal secure systems.
What is encryption?
Data is scrambled so it is unreadable by humans or computers without a unique decryption key which is kept separate and secure. Encryption of data occurs as it flows through our system to yourselves (HTTPS) and while it is stored by ourselves (Encrypt at Rest). This significantly increases the difficulty of accessing data in the event of unauthorised access to our systems.
What is separation of concerns & pseudonymization?
Personally identifiable information, such as name and address, are only accessed in isolation and are not routinely stored alongside information which may be used by other parts of the system. This means that stored genetic data will have no information co-located that will allow identification of the individual. These disparate records are joined up as needed by the system using artificial identifiers which are pseudonymized to not be personally identifiable. This continues throughout the system to ensure that services only have access to the minimal data they need to function.
What is monitoring and alerting?
We actively monitor our systems and all communication with the outside world, collecting and analysing the available data for indicators of potential threats and breaches. These are automatically triaged and alerted to our security team for appropriate action.
What is proactive vulnerability and penetration testing?
We periodically employ the services of third party specialists to act as malicious parties and attempt to breach our security in a controlled and safe way. This enables us to identify and assess potential attack vectors before they are identified by monitoring and alerting tools and to address and harden appropriately.
What should I do to keep my data safe?
- Never share passwords with anyone, including people you trust
- Never use a password on more than one site
- Keep virus protection up to date and scan periodically
- Install all operating system security patches as soon as possible
- Be extra vigilant opening links and attachments in emails, even from known senders
Making choices about your information
We respect that your information is yours, and so we want to give you as much choice as possible regarding our use of your data, particularly around marketing. You can view your options as regards the privacy of your information and make choices through your Living DNA account.
Part G - General
Under certain circumstances, you have rights under data protection laws in relation to your personal data.
Please click on the links below to find out more about these rights:
- Request access to your personal data
- Request correction of your personal data
- Request erasure of your personal data
- Object to processing of your personal data
- Request restriction of processing your personal data
- Request transfer of your personal data
- Right to withdraw consent
If you wish to exercise any of the rights above, please contact us.
No fee: You will not have to pay a fee to access your personal data or to exercise any of the rights. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.
What we may need from you: We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
Time limit to respond: We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
We are Living DNA Limited, of K10 The Courtyard Jenson Avenue, Commerce Park, Frome, Somerset, United Kingdom, BA11 2FG.
If you have any queries about the privacy of your information, or about the information in this statement, or if you think the information is in any way incomplete, please contact us at:
or call our customer services team on +44 203 424 3482
We also have a Data Protection Manager who can be contacted at: email@example.com
You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
Changes to this statement, and your duty to tell us of changes
We keep this statement under regular review. This version was last published on 2018/07/16 Historic versions can be obtained by contacting us.
It is important that the personal information we hold about you is accurate and current. Please let us your personal data changes during your relationship with us.
You have the right to:
Request access to your personal information (commonly known as a "data subject access request"). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal information to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal information for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
- If you want us to establish the accuracy of the information.
- Where our use of the information is unlawful but you do not want us to erase it.
- Where you need us to hold the information even if we no longer require it as you need it to establish, exercise or defend legal claims.
- You have objected to our use of your information but we need to verify whether we have overriding legitimate grounds to use it.
Request the transfer of your personal information to you or to a third party. We will provide to you, or a third party you have chosen, your personal information in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
Withdraw consent at any time where we are relying on consent to process your personal information . However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain services to you. We will advise you if this is the case at the time you withdraw your consent.