Privacy

of Smartmelts GmbH
According to Article 13 GDPR

Index

  1. Introduction
  2. General information on data processing
  3. Marketing-relevant data protection provisions
    – Provision of the website and creation of log files
    – Use of Google Analytics, Google AdWords and Google Remarketing
    – Facebook Pixel and Facebook Custom Audiences
    – Newsletter
  4. Account and Payment for Services
    – User Accounts
    – Use of products and services
    – myDigitalTwin
  5. Transfer and disclosure of data
    – Transfer of personal data across borders
    – Transfer of personal data to third parties
    – How we protect your data
    – Data from children
  6. Rights of the data subject
1.0

Introduction

This data protection guideline applies to all services of smartmelts GmbH. This policy describes the type of personal data that we collect from our customers and users in connection with our products and services, and how this data is processed, protected, used and maintained.

The trust of all visitors and customers, the security of your data and the protection of your privacy are of central importance to us.

Name and address of those responsible
The person responsible for processing in relation to the General Data Protection Regulation and other national data protection laws as well as other provisions of data protection law is:

smartmelts GmbH
Rechbauerstraße 31 / 2.OG
8010 Graz
www.smartmelts.at
office@smartmelts.at

Contact
The data protection officer can be reached via the following contact information:

E-mail: office@smartmelts.at

2.0

General information on data processing

a. Scope of the processing of personal data
We collect and use the personal data of our users only to the extent necessary to provide a functioning website and our content and services. The collection and use of our users’ personal data is of course only carried out with their consent. An exception applies in those cases in which, for practical reasons, it is not possible to obtain prior consent and the processing of the data is permitted in accordance with the statutory provisions.

b. Legal basis for the processing of personal data
In so far as we obtain the consent of the data subject for the processing of personal data, Art. 6 (1) point (a) of the General Data Protection Regulation (GDPR) of the EU serves as the legal basis for the processing of personal data.

The legal basis for the processing of personal data, which is necessary for the performance of a contract in which the data subject is a party, is Art. 6 (1) point (b) GDPR. This also applies to processing operations that are required to carry out pre-contractual measures.

If the processing of personal data is necessary to fulfil a legal obligation to which our company is subject, Art. 6 (1) point (c) GDPR serves as the legal basis.

In the event that vital interests of the data subject or another natural person require the processing of personal data, Art. 6 (1) point (d) GDPR serves as the legal basis.

If the processing is necessary to protect a legitimate interest of our company or a third party, and if the interests, fundamental rights and freedoms of the data subject do not override the former interest, Art. 6 (1) point (f) GDPR serves as legal basis for the processing.

c. Deletion of data and storage duration
The personal data of the data subject will be deleted or no longer made available as soon as the purpose of storage no longer applies. Storage can also take place if this is provided for by European or national legislators in Union regulations, laws or other regulations to which the person responsible for the processing is subject. The data will also be deleted or no longer made available if a storage period prescribed by the above standards expires, unless further storage of the data is necessary for the conclusion or performance of a contract.

3.0

Marketing-relevant data protection provisions

Provision of the website and creation of log files

a. Description and scope of data processing
Every time our website is accessed, our system automatically collects data and information from the computer system of the accessing computer.

In this context, the following data is collected:

(1) Information about the browser type and version used
(2) The user’s operating system
(3) The user’s Internet service provider
(4) Date and time of access
(5) Websites from which the user’s system accesses our website
(6) Websites that the user’s system accesses through our website

We use the services of Webflow, Inc., 398 11th St. Fl 2, San Francisco, California, 94103, USA for web hosting for our websites and have concluded a Data Processing Addendum with Webflow in accordance with Art. 28 GDPR.

You can find more information in Webflow’s data protection declaration via the link: https://webflow.com/legal/dpa

b. Legal basis for data processing
The legal basis for the temporary storage of the data is our legitimate interest in accordance with Article 6 (1) point (f) GDPR.

c. Purpose of data processing
We use the data to optimize the website and to ensure the security of our information technology systems. This is also our legitimate interest in data processing in accordance with Art. 6 (1) Point (f) GDPR.

d. Duration of the storage of the data
The data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. When collecting data for the provision of the website, this is the case when the respective session is ended.

e. Right of objection and removal
You have the right to object to this processing. Data processing only has to cease if

Website usage

Cookies

Our website uses so-called cookies. These are small text files that are stored on your device with the help of the browser. They do no harm. We use cookies to make our offer user-friendly. Some cookies remain stored on your device until you delete them. They enable us to recognize your browser the next time you visit. You can control the setting of cookies and their storage duration via the settings of your browser. Deactivating cookies may restrict the functionality of our website. You will find a list of the cookies used by our website and more information in our cookie banner.

2.2.1. Functional cookies
We process functional cookies (session cookies and permanent cookies) on the basis of the exception provision in Section 96 (3) TKG. Your consent is not required.

Session cookies are used to show you our website content. Session cookies are deleted after the session is closed.

Permanent cookies are used to improve user-friendliness, e.g. to be able to save the language you have selected and to be able to show you our website in the language you have selected when you visit us again.

2.2.2. Analysis tools

Legal basis

We process the data within the scope of your express consent in accordance with Section 96 (3) TKG to achieve the stated purposes for improving the website. You can give your consent to the use of the analysis tools via our cookie banner.

You can revoke your consent at any time via our cookie banner or by deleting all or individual cookies in the browser settings. If you revoke your consent or change the browser settings so that cookies are no longer stored, you will no longer be recognised by us when you return to our website.

In the event of revocation, we would like to point out that not all functions and contents of the website can be used to their full extent.

Purposes of processing:

Your data is processed for web usage analysis purposes, in particular to compile reports on website activity and so that we can improve our website.

Transfer of your data to third countries:

As part of the website analysis, your data will be transmitted to third countries. We would like to point out that the transmission of your data to providers in the USA and worldwide, such as Google or YouTube, takes place without an adequacy decision and without suitable guarantees. This transfer takes place on the basis of your consent in accordance with the exemption clause of Article 49 (1) (a) GDPR.

2.3. Social media plugins

We work with various social networks. When using these services, your browser is automatically connected to the relevant network. It transmits your IP address and other information, such as cookies, if you have already visited the platform in question.

We do not collect any personal data via the plugins integrated on our website. The processing of your personal data in the context of the plugins takes place on the basis of your express consent in accordance with Section 96 (3) TKG via our cookie banner. The purpose of these plugins is to be able to offer you more information about our services.

If you give your consent by actively clicking on “I agree” in the cookies banner when you visit our website, your personal data (IP address) can be transmitted to the social network. This happens regardless of whether you have a user account on the social network. If you have a user account with one of the social networks and are logged into your user account while clicking on the cookie banner on our website, the data collected via the respective plug-in will be linked directly to your account. If you do not want a link to your user account, you must log out of your social media account before activating the plug-in. We have no control over:

You can revoke your consent at any time by deleting all or individual cookies in the browser settings.

In the event of revocation, we would like to point out that not all functions and contents of the website can be used to their full extent.

Use of Google Analytics, Google AdWords and Google Remarketing

a. Description and scope of data processing
In order to increase the efficiency of our website, we use the services of Google Analytics, a web analysis service from Google Inc. (“Google”). Google Analytics uses so-called “cookies” or text files that are stored on the user’s computer and enable an analysis of the user’s use of the website. The information generated by the cookie about the use of the website (including the user’s IP address) is transmitted to a Google server in the USA, where it is stored.

In addition, this website uses cookies in order to address users via remarketing campaigns (Google AdWords and Google Remarketing) with online advertising at a later point in time in the Google advertising network. In order to place remarketing advertising, cookies – with the consent of the user – are set / stored on the basis of a visit to our website.

A cookie is only stored on the user’s computer after the user has given consent. As a user, you can also prevent Google from collecting the data generated by the cookie and relating to your use of the website (including your IP address) and from processing this data by downloading and installing the browser plug-in available under the following link: tools.google.com/dlpage/gaoptout.

In this context, the following data is collected:

(1) The IP address of the user
(2) Date and time of access
(3) Frequency of opening pages
(4) Use of website functions
(5) Operating system of the user
(6) Internet service provider of the user
(7) Date and time of access
(8) Websites from which the user’s system accesses our website
(9) Websites that the user’s system accesses via our website
(10) Operating systems used by end devices
(11) Age, gender, languages, interests, country of origin

b. Legal basis for data processing
The legal basis for the processing of personal data by means of cookies is the consent of the user in accordance with Art. 6 (1) Point (a) GDPR.

c. Approval
We obtain the user’s consent before we set or save a cookie. This consent is voluntary. This consent can be revoked at any time with effect for the future by sending an email to gdpr (at) smartmelts.at. In addition, users can delete cookies that we have stored in their web browser at any time. Users can find more information about this in the browser instructions (under Help in the browser menu). When accessing our website again, the user is free not to give any more consent.

If the user’s consent is not given, full use of all functions of the website is no longer possible (identification of the user when changing pages, language selection). However, it is still possible to visit the website. If no consent is given, no cookie will be set.

d. Purpose of data processing
The transmission of data to Google serves to increase the efficiency of our website, to evaluate user behavior in this regard and to finance this website. The processing of the data enables us to analyze the surfing behavior of our users. By evaluating the data received, we are able to compile information about the use of the individual components of our website. This helps us to continuously improve our website and its user-friendliness.

e. Transfer of the data
By using Google Analytics, Google AdWords and Google Remarketing to increase efficiency, the user’s data is transmitted to Google LLC, 1600 Amphitheater Parkway, Mountain View, CA 94043, USA.

Google LLC is a company included in the Privacy Shield List under the Privacy Shield Framework. The EU-US Privacy Shield was adopted by the European Commission as part of an adequacy decision C (2016) 4176 of July 12, 2016. Accordingly, Google LLC offers appropriate security precautions for the transmission of data to the USA. For more information, see the official Privacy Shield website www.privacyshield.gov.

f. Storage duration, right of objection and removal
Cookies are stored on the user’s computer and information is transferred from it to us. As a user, you therefore have complete control over the use of cookies. You can deactivate or restrict the setting / saving / transfer of cookies by changing the settings in your internet browser. Cookies that have already been saved can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it is possible that not all functions of the website can be used to their full extent.

Facebook Pixel and Facebook Custom Audiences

a. Description and scope of data processing
Our website uses Facebook conversion tracking, the so-called “Facebook Pixel” from the social network Facebook, for the purpose of analysis and to optimize our website. The provider of these services is Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA. If you are based in the EU, the provider of the services is Facebook Ireland Ltd., 4 Grand Canal Square, Port of Grand Canal, Dublin 2, Ireland (hereinafter “Facebook”).

By using the Facebook pixel, Facebook can identify the visitors to our website as a potential target group for the presentation of advertising (so-called “Facebook ads”). We therefore use the Facebook pixel to display the Facebook ads placed by us only to Facebook users who have also shown interest in our website or who have certain characteristics (interests that are determined on the basis of the websites visited, etc.). We transmit this information to Facebook and thus create so-called “Custom Audiences”.

b. Legal basis for data processing
The legal basis for the processing of personal data with the Facebook pixel is the consent of the user in accordance with Article 6 (1) point (a) GDPR and your express consent in accordance with Article 49 (1) (a) GDPR.

c. Approval
You can object to the use of the Facebook pixel and the use of your data to display Facebook ads. To determine which types of advertising are displayed to you on Facebook, you can call up the page set up by Facebook and follow the instructions there on the settings for usage-based advertising: https://www.facebook.com/settings?tab=Ads. The settings are platform-independent, i.e. they are adopted for all devices such as desktop computers or mobile devices.

d. Purpose of data processing
By using the Facebook pixel, we want to ensure that our Facebook ads correspond to the potential interest of the visitors and are not perceived as annoying. With the help of the Facebook pixel, we can track the effectiveness of Facebook ads for our market research. We analyze whether visitors are redirected to our website after clicking on a Facebook ad, i.e. whether a so-called “conversion” takes place.

e. Transfer of the data
We would like to point out that there is a possibility that data will be transferred to the USA and processed by US authorities. According to the current legal situation, the USA is an insecure third country with an inadequate level of data protection.

At the moment there is no adequacy decision according to Art. 45 GDPR, nor can suitable guarantees according to Art. 46 GDPR be offered.

General information on processing the data by Facebook can be found here.

Further information and details about the Facebook pixel can be found here.

Newsletter

a. Description and scope of data processing
Our website offers the possibility to subscribe to free newsletters. When you register for the newsletter, the data from the input mask is transferred to us.

In addition, the date and time of registration are collected during registration.

Your consent to the processing of your data will be obtained during the registration process and reference will be made to this data protection declaration.

b. Legal basis for data processing
The legal basis for processing the data after the user has registered for the newsletter is Art. 6 (1) point (a) GDPR and Section 107 TKG, if the user has given his consent.

c. Purpose of data processing
The user’s email address is recorded to deliver the newsletter.

The collection of other personal data as part of the registration process serves to prevent misuse of the services or the email address used and to generate a personalised salutation.

d. Storage period
The data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. The user’s email address is therefore stored for as long as the newsletter subscription is active.

e. Right of objection and removal
The subscription to the newsletter can be canceled at any time by the user concerned. There is a corresponding link in every newsletter for this purpose.

4.0

Account and Payment for Services

User accounts

a. Description and scope of data processing
Our website offers the possibility to create an online account. When registering for the account, the data from the input mask is transferred to us.

Legal capacity
First name
Last name
Username
E-Mail
Password (hidden)

In addition, the date and time of registration are collected during registration.

Your consent to the processing of your data will be obtained during the registration process and reference will be made to this data protection declaration.

b. Legal basis for data processing
The legal basis for the processing of data after the user has registered for the account is Art. 6 (1) point (a) GDPR if the user has given his consent or, if the processing is necessary for the performance of a contract in the context of the use of our products and services, Art. 6 (1) point (b) GDPR.

c. Purpose of data processing
The collection of the user’s email address, username and password is used to access a secure account.

The collection of other personal data as part of the registration process serves to prevent misuse of the services or the email address used and to generate a personalised salutation.

The purpose of the user account is to purchase products and services from smartmelts GmbH, to get an overview of previously purchased products and services and to access the product “myDigitalTwin”.

d. Storage period
The data will be deleted as soon as they are no longer required to fulfil the purpose for which they were collected. The user’s email address, username and password are therefore stored as long as the user’s account is active.

e. Right of objection and removal
Access to the user account can be canceled at any time by the user concerned. There is a corresponding link in the account settings for this purpose.

5.0

Use of products and services

In order to be able to offer our products to our customers in the best possible way, we process personal data for the following products:

myDigitalTwin

a. Description and scope of data processing
The software solution (stationary and mobile) myDigitalTwin as a product of smartmelts GmbH offers our customers the possibility to call up and view the results from offered DNA analyses in a personalised “digital twin”.

In addition to the data collected for the creation of the user account, the following data is transmitted to us by our partners after our customers have sent their DNA test kit to our partner laboratory:

(1) Gender
(2) Height
(3) Weight
(4) Ethnicity
(5) Results of DNA analysis
(6) Telephone number

We use the services of Amazon Web Services Inc. (AWS) for our Digital Twin and have concluded a Data Processing Addendum with AWS in accordance with Art. 28 GDPR.

You can find more information in AWS’s data protection declaration here.

b. Partner laboratory for lifestyle genetic analyses within the framework of myDigitalTwin
The contractual partner for the implementation of our lifestyle genetic analyses is:

Novogenia GmbH
Strass 19
5301 Eugendorf
Austria

Managing Director: Dr. Daniel Wallerstorfer
Place of jurisdiction: Salzburg
Bank: Salzburger Sparkasse Bank AG
IBAN AT85 2040 4000 4253 9429
BIC: SBGSAT2SXXX

The data protection provisions of Novogenia GmbH can be found here.

b. Legal basis for data processing
The legal basis for the processing of data after submission of a DNA sample by the user, which is necessary for the performance of a contract, is Article 6 (1) point (b) GDPR.

c. Purpose of data processing
The purpose of recording the gender of the user is to give the digital twin physical characteristics in order to improve the user experience for our customers.

The user’s height, weight, ethnicity and DNA sample are collected as part of the DNA data process and are used to give the user knowledge and insight into their genetics and to provide actionable insights that can be used to optimise the user’s lifestyle.

The recording of the user’s telephone number is used to be able to contact the customer during the ordering process. In addition, the customer needs his telephone number in order to be able to log in to his personalised digital twin using secure two-factor identification.

Anonymised DNA data is aggregated for statistical and research-relevant purposes and stored on our servers.

Statistical information obtained from the DNA analyses is used for marketing purposes and to suggest relevant products and services to our customers.

Users can request a change in their data. We may not be able to implement such requests if doing so is against the law or may result in the information being incorrect. It may also not be possible to retrieve, remove, or correct data from a database if that data is no longer aggregated or sorted.

d. Duration of storage
The data will be deleted as soon as the user decides to terminate his account. If the user’s subscription to myDigitalTwin has expired, the data will be saved for a further grace period of 12 months so that the user can reactivate his account without losing his data. Data deleted by the user at the user’s request or after expiration cannot be retrieved and a new DNA sample is required for processing.

e. Storage and use of the samples
Samples will be destroyed no later than 30 days after the completion of the analysis.

f. Right of objection and removal
Access to the digital twin can be canceled by the user concerned at any time by sending the data officer an email via office@smartmelts.at.

6.0

Transfer and disclosure of data

Transfer of personal data across borders

We use cloud services from Amazon Web Services (AWS), which are hosted in Frankfurt am Main, Germany. We can use servers and cloud services in other countries and transfer the anonymised product / DNA data to other countries for storage and data management. Countries include Great Britain and the EU. We ensure that we comply with the law when transferring personal data across borders, including (for data exported from the EU) by establishing contractual terms between us and the party receiving the data for the protection of the interests of the data subjects in compliance with the form approved by the European Commission.

Passing on personal data to third parties

Smartmelts GmbH does not transfer any data from the DNA analysis or from the data of the digital twin to third parties. In particular, the data is not offered to insurance companies for calculating premiums, for example.

How we protect your data

Saliva smears that are sent to the laboratory to extract DNA data are destroyed after processing.

To ensure that user data is protected, users must provide a strong password when creating a user account. In addition, we only use two-factor authentication so that our customers can access their digital twin.

Through the use of passwords, we restrict and control access to personal data, limiting it to employees and selected contractual partners who need such access in order to carry out their tasks and services.

Employees and contractual partners of smartmelts GmbH are obliged to use two-factor authentication when accessing data from smartmeltsDNA – Digital Twin.

We have put in place security measures to ensure the security and integrity of your data, including encryption, firewalls, and physical security. Our website and web app use SSL encryption to ensure that transferred data cannot be read by unauthorised third parties.

DNA data is anonymized and stored in separate databases from other personal data. A user’s DNA data can only be linked to the user by means of a unique identifier, for the purpose of providing the service.

We enter into confidentiality agreements (NDAs) whenever necessary with contractors that we work with to provide the service.

Data from children

Anyone under the age of 18 must have the consent of a parent or legal guardian and have them sign the application form. This privacy policy applies to both adults and children. We recommend smartmeltsDNA – Digital Twin from the age of 15 years.

7.0

Rights of the data subject

If your personal data is processed, you have the following rights vis-à-vis the person responsible for processing:

In principle, you have the right to information, correction, deletion, restriction and data portability, unless statutory or contractual provisions conflict with these rights.

Complaints can be submitted to the Austrian Data Protection Authority, Barichgasse 40-42, 1030 Vienna, dsb@dsb.gv.at (www.dsb.gv.at).
