INFORMATION GOVERNANCE POLICY

INTRODUCTION

Effective date: January 20, 2020

We are committed to protecting and respecting your privacy.

Capalonga Limited (‘us’, ‘we’, or ‘our’) operates the https://nylos.me website and the Nylos Apps (the ‘Service’).

This page informs you of our policies regarding the collection, use, and disclosure of personal data when you use our Service and the choices you have associated with that data. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it. By visiting https://nylios.me or by installing the Nylos mobile application you are accepting and consenting to the practices described in our privacy policy.

We use your data to provide and improve the Service. By using the Service, you agree to the collection and use of information in accordance with this policy. Unless otherwise defined in this Privacy Policy, terms used in this Privacy Policy have the same meanings as in our Terms and Conditions.

DEFINITIONS

• Personal Data
  Personal Data means data about a living individual who can be identified from those data (or from those and other information either in our possession or likely to come into our possession).
• Usage Data
  Usage Data is data collected automatically either generated by the use of the Service or from the Service infrastructure itself (for example, the duration of a page visit).
• Cookies
  Cookies are small pieces of data stored on a User’s device.
• Data Controller
  Data Controller means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.
  For the purpose of this Privacy Policy, we are a Data Controller of your data.
• Data Protection Officer
  For the purpose of this Privacy Policy, our nominated Data Protection Officer is Florian Schwienbacher.
• Data Processors (or Service Providers)
  Data Processor (or Service Provider) means any person (other than an employee of the Data Controller) who processes the data on behalf of the Data Controller.
  We may use the services of various Service Providers in order to process your data more effectively.
• Data Subject
  Data Subject is any living individual who is the subject of Personal Data.
• User
  The User is the individual using our Service. The User corresponds to the Data Subject, who is the subject of Personal Data.

INFORMATION COLLECTION AND USE

We collect several different types of information for various purposes to provide and improve our Service to you.

Information We Collect from You

• Personal Data
  While using our Service, we may ask you to provide us with certain personally identifiable information that can be used to contact or identify you (‘Personal Data’). Personally identifiable information may include, but is not limited to:
• Email address
• First name and last name
• Phone number
• Address, State, Postal code, City
• Cookies and Usage Data
• We may use your Personal Data to contact you with newsletters, marketing or promotional materials and other information that may be of interest to you. You may opt out of receiving any, or all, of these communications from us by sending us an email (at help@nylos.me) with the wording “GDPR Optout / marketing” or by contacting us.
• Health and Lifestyle Information
• This is information from the questionnaires on our site about your health, including your own and your close relatives’ medical history, treatments received or ongoing, known allergies, medications, known long term conditions and relevant lifestyle information such as smoking or alcohol consumption.
• Biological Samples
• These are the stool samples which you provide to us to enable us to perform the testing services.

Information Derived from the Information You Give Us

• Genetic Data
• This is uninterpreted DNA data which we receive from our laboratories and which is stored and displayed to you in your personal account. The raw data can also be downloaded as a *.txt file or as a *.csv file. This information, in anonymised form, is also used for interpretation (see below), and you must agree to that before you submit an order for our testing services.
• Results of Interpretation
• These include nutrition that is derived from interpretation of your health and lifestyle information and raw data and which we display to you in your personal account. All this information is stored on secure servers under our control.

Information We Collect about You

• Usage Data
• We may also collect information that your browser sends whenever you visit our Service or when you access the Service by or through a mobile device (‘Usage Data’).
  This Usage Data may include information such as your computer’s Internet Protocol address (e.g. IP address), your login information, browser type, browser version, browser plug-in types and versions, operating system and platform, time zone setting, clickstream to, through and from our site (including date and time), products you viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), methods used to browse away from the page, any phone number used to call our customer service number, the time and date of your visit, unique device identifiers and other diagnostic data.
  When you access the Service by or through a mobile device, this Usage Data may include information such as the type of mobile device you use, your mobile device unique ID, the IP address of your mobile device, your mobile operating system, the type of mobile Internet browser you use, unique device identifiers and other diagnostic data.
• Tracking Cookies Data
• We use cookies and similar tracking technologies to track the activity on our and hold certain information.
  Cookies are files with small amount of data which may include an anonymous unique identifier. Cookies are sent to your browser from a website and stored on your device. Tracking technologies also used are beacons, tags, and scripts to collect and track information and to improve and analyze our Service.
  You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our Service.
  Examples of Cookies we use:
• Session Cookies. We use Session Cookies to operate our Service.
• Preference Cookies. We use Preference Cookies to remember your preferences and various settings.
• Security Cookies. We use Security Cookies for security purposes.
• Information from Third Parties
• We may be provided personal information from the companies which serve as our sales partners, distributors or are otherwise related to our sales channels. We take all the reasonable efforts to ensure that all these parties comply with all the national and the international legislation in terms of privacy. This information generally includes, but may be not limited to:
• Email address
• First name and last name
• Phone number
• Address, State, Province, ZIP/Postal code, City

USE OF DATA

Capolonga Limited uses the collected data for various purposes:

• To provide and maintain our Service
• To notify you about changes to our Service
• To allow you to participate in interactive features of our Service when you choose to do so
• To provide customer support
• To gather analysis or valuable information so that we can improve our Service
• To monitor the usage of our Service
• To detect, prevent and address technical issues
• To provide you with news, special offers and general information about other goods, services and events which we offer that are similar to those that you have already purchased or enquired about unless you have opted not to receive such information

We primarily use the following types of information for the following purposes:

• Information We Collect from You
• We will use your personal details:
• to provide you with the testing services that you request from us;
• to notify you about changes to our Service; and
• to ensure that content from our site is presented in the most effective manner for you and for your computer.
• We will use your health information and biological samples to provide you with the testing services you request from us.
• Information Derived from Information You Give Us
• We will use your raw data and the results of interpretation to provide you with the testing services that you request from us.
• We may use anonymised and aggregate raw data. Anonymised and aggregate raw data has been stripped of your name and other contact information and aggregated with other customers’ raw data so that you cannot reasonably be identified as an individual from that information.
• Information We Collect about You
• We will use this information:
• to administer our site and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
• to improve our site to ensure that content is presented in the most effective manner for you and for your computer;
• to allow you to participate in interactive features of our service, when you choose to do so; and
• as part of our efforts to keep our site safe and secure; and
• to provide you with the results of interpretation.
• Information from Third Parties
• The data we obtain from these sources is will further be used by us:
• to provide you with the testing services that you request from us; and
• to notify you about changes to our Service.

RETENTION OF DATA

Capalonga Limited will retain your Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy. We will retain and use your Personal Data to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies.

Capalonga Limited will also retain Usage Data for internal analysis purposes. Usage Data is generally retained for a shorter period of time, except when this data is used to strengthen the security or to improve the functionality of our Service, or we are legally obligated to retain this data for longer time periods.

• Where We Store Your Information
  The data that we collect from you will be stored at a destination within the UK. It will also be processed by our staff. This includes staff engaged in, among other things, the fulfilment of your order, the processing of your payment details and the provision of support services. By submitting your personal data, you agree to this transfer, storing or processing. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this privacy policy.
  All information you provide to us is stored on secure servers. Any payment transactions will be encrypted using SSL technology. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.
  Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
  Biological samples are stored at our partner laboratories, which are accredited to ISO standards, which include industry standards for the storage of samples taken from humans. We store the samples for 1 year, although we retain the right to store the samples for an indefinite period.

TRANSFER OF DATA

Your information, including Personal Data, may be transferred to — and maintained on — computers located outside of your state, province, country or other governmental jurisdiction where the data protection laws may differ than those from your jurisdiction.

If you are located outside the United Kingdom and choose to provide information to us, please note that we transfer the data, including Personal Data, to United Kingdom and process it there.

You have given informed consent to this Privacy Policy when you initially accessed our services, that informed consent is also consent for us to make these transfers.

Capalonga Limited will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy and no transfer of your Personal Data will take place to an organization or a country unless there are adequate controls in place including the security of your data and other personal information.

DISCLOSURE OF DATA

• Disclosure for Law Enforcement
  Under certain circumstances, Capalonga Limited may be required to disclose your Personal Data if required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency).
• Legal Requirements
  Capalonga Limited may disclose your Personal Data in the good faith belief that such action is necessary to:
• To comply with a legal obligation
• To protect and defend the rights or property of Capalonga Limited
• To prevent or investigate possible wrongdoing in connection with the Service
• To protect the personal safety of users of the Service or the public
• To protect against legal liability
• Service Providers
  We may employ third party companies and individuals to facilitate our Service (‘Service Providers’), to provide the Service on our behalf, to perform Service-related services or to assist us in analyzing how our Service is used.
  These third parties have access to your Personal Data only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.
• Analytics
  We may use third-party Service Providers to monitor and analyze the use of our Service.
• Google Analytics
  Google Analytics is a web analytics service offered by Google LLC. that tracks and reports website traffic. Google uses the data collected to track and monitor the use of our Service. This data is shared with other Google services. Google may use the collected data to contextualize and personalize the ads of its own advertising network.
  For more information on the privacy practices of Google, please visit the Google Privacy Terms web page: http://www.google.com/intl/en/policies/privacy
• Firebase
  Firebase is analytics service provided by Google LLC. You may opt-out of certain Firebase features through your mobile device settings, such as your device advertising settings or by following the instructions provided by Google in their Privacy Policy: http://www.google.com/intl/en/policies/privacy
  We also encourage you to review the Google’s policy for safeguarding your data: https://support.google.com/analytics/answer/6004245. For more information on what type of information Firebase collects, please visit please visit the Google Privacy Terms web page: http://www.google.com/intl/en/policies/privacy
• Google AdWords
  Google AdWords remarketing service is provided by Google LLC. You can opt-out of Google Analytics for Display Advertising and customize the Google Display Network ads by visiting the Google Ads Settings page: http://www.google.com/settings/ads
  Google also recommends installing the Google Analytics Opt-out Browser Add-on - https://tools.google.com/dlpage/gaoptout - for your web browser. Google Analytics Opt-out Browser Add-on provides visitors with the ability to prevent their data from being collected and used by Google Analytics.
  For more information on the privacy practices of Google, please visit the Google Privacy Terms web page: http://www.google.com/intl/en/policies/privacy
• Facebook
  Facebook remarketing service is provided by Facebook Inc. You can learn more about interest-based advertising from Facebook by visiting this page: https://www.facebook.com/help/164968693837950
  To opt-out from Facebook’s interest-based ads follow these instructions from Facebook: https://www.facebook.com/help/568137493302217
  Facebook adheres to the Self-Regulatory Principles for Online Behavioral Advertising established by the Digital Advertising Alliance. You can also opt-out from Facebook and other participating companies through the Digital Advertising Alliance in the USA http://www.aboutads.info/choices, the Digital Advertising Alliance of Canada in Canada http://youradchoices.ca or the European Interactive Digital Advertising Alliance in Europe http://www.youronlinechoices.eu, or opt-out using your mobile device settings.
  For more information on the privacy practices of Facebook, please visit Facebook’s Data Policy: https://www.facebook.com/privacy/explanation
• Payments
  We may provide paid products and/or services within the Service. In that case, we use third-party services for payment processing (e.g. payment processors).
  We will not store or collect your payment card details. That information is provided directly to our third-party payment processors whose use of your personal information is governed by their Privacy Policy. These payment processors adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa, Mastercard, American Express and Discover. PCI-DSS requirements help ensure the secure handling of payment information.
  The payment processors we work with are:
• Apple Store In-App Payments
  Their Privacy Policy can be viewed at https://www.apple.com/legal/privacy/en-ww
• Stripe
  Their Privacy Policy can be viewed at https://stripe.com/us/privacy
• Logistics Companies
  The logistics companies enable delivery of our test kits to you or deliver your biological samples to our partner laboratories.
• Poste Italiane
• Web services
  We use certain web services for the following purposes:
• To provide and maintain our Service
• To notify you about changes to our Service
• To allow you to participate in interactive features of our Service when you choose to do so
• To provide customer support
• To gather analysis or valuable information so that we can improve our Service
• To monitor the usage of our Service
• To detect, prevent and address technical issues
• To provide you with news, special offers and general information about other goods, services and events which we offer that are similar to those that you have already purchased or enquired about unless you have opted not to receive such information
• Our Partner Laboratories
  Our partner laboratories are located in the European Union and may be located outside the United Kingdom. we never provide any personal data to laboratories, they recieve your biological samples only and process them anonymously.

SECURITY OF DATA

The security of your data is important to us, but remember that no method of transmission over the Internet, or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee its absolute security.

DO NOT TRACK SIGNALS

We do not support Do Not Track (‘DNT’). Do Not Track is a preference you can set in your web browser to inform websites that you do not want to be tracked.

You can enable or disable Do Not Track by visiting the Preferences or Settings page of your web browser.

YOUR RIGHTS

Nylos Limited aims to take reasonable steps to allow you to correct, amend, delete, or limit the use of your Personal Data.

Whenever made possible, you can update your Personal Data directly within your account settings section. If you are unable to change your Personal Data, please contact us to make the required changes.

If you wish to be informed what Personal Data we hold about you and if you want it to be removed from our systems, please contact us.

You have the right at any time:

• To access and receive a copy of the Personal Data we hold about you. You can request to obtain a copy of your Personal Data in a commonly used electronic format so that you can manage and move it. Please note that we may ask you to verify your identity before responding to such requests.
• To rectify any Personal Data held about you that is inaccurate

You have the right at any time to request that:

• we remove your sample at any time by sending an email to help@nylos.me with the word ‘Withdraw’ in the email title
• we delete your Personal Data, health information and individual level genetic data by sending an email to help@nylos.me with the word ‘Forget me’ in the email title.

Please note that:

- if you request the removal or deletion of any data before the testing services have been completed, this may affect our ability to provide your results to you; and

- there may be certain information that we are required by law to retain for a definite period, in which case we will only be able to delete the information once that period has expired.

Please also note that:

- we aim to maintain our services in a manner that protects information from accidental or malicious destruction. Because of this, after you delete information from our services, we may not immediately delete residual copies from our active servers and may not remove information from our backup systems

- we will aim to delete your Personal Data after your request within the shortest time possible and within a maximum period of one month. However, there may be some latency in deleting your Personal Information from our backup systems after it has been deleted from our production, development, analytics, and research systems. Also, our partner laboratories may retain information they receive from us in order to comply with laws or regulations that may require them to do so

YOUR USE OF INFORMATION

You should be very careful about sharing or discussing your results on social media or with friends, family, employers or third parties such as insurers. The information could be used to your disadvantage and/or passed on to other parties to whom you did not intend to disclose your results.

LINKS TO OTHER SITES

Our Service may contain links to other sites that are not operated by us. If you click on a third party link, you will be directed to that third party’s site. We strongly advise you to review the Privacy Policy of every site you visit.

We have no control over and assume no responsibility for the content, privacy policies or practices of any third party sites or services.

CHILDREN’S PRIVACY

Our Service is not available to anyone under the age of 18 (‘Children’).

We do not knowingly collect personally identifiable information from anyone under the age of 18. If you are a parent or guardian and you are aware that your Children has provided us with Personal Data, please contact us. If we become aware that we have collected Personal Data from children, we take steps to remove that information from the servers.

CHANGES TO THIS PRIVACY POLICY

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page.

We will let you know via email and/or a prominent notice on our Service, prior to the change becoming effective and update the ‘effective date’ at the top of this Privacy Policy.

You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.

CONTACT US

If you have any questions about this Privacy Policy, please contact us:

• By email: help@nylos.me