Privacy Policy GDPR

Client: person who orders and pays for one or more toxSeek analyses.

Tested Person: person from whom a strand of hair is taken for analysis purposes.

Data Subject: In accordance with Article 4.1 of the GDPR, this refers to the person whose personal data are the subject of a processing operation within the meaning of Article 4.2 of the GDPR, whether it be the Client, the Tested Person or a Client who is also a Tested Person.

The operations described in this personal data protection policy are carried out under the direction of toxSeek S.A.S., a simplified joint stock company, registered in the trade and companies register under SIREN number 852954072, whose registered office is located at 20 B Avenue des Bonshommes, 95290 L'Isle-Adam, France.

In the course of its activities, the Company is required to collect a certain amount of personal data relating to tested persons. The purpose of this personal data protection policy is to inform the tested person about the personal data collected by toxSeek S.A.S., particularly concerning:

• Data collected by the Company,
• Purposes,
• Data retention period,
• Data recipients,
• Rights of the Data Subject,
• Data security,
• Transfer of data outside the European Union,
• Minor's data.

In the context of contract conclusion, delivery of sampling kit(s) and transmission of the analysis report, the Company may be required to process the following data:

Data concerning the Client (a)

• Civility;
• Last name;
• First name;
• Postal address;
• Company name;
• Registered office;
• Email address;
• IP address;
• Phone number;
• Bank card number, expiry date and security code (through the service provider responsible for payment management);

This data is necessary for contract conclusion, delivery of sampling kits and payment of the order.

Data concerning the Tested Person (b)

• Login and Password to access the online account;
• Hair sample;
• Analysis results;
• IP address;

This data is necessary for the proper execution of the service.

When the Client is also the tested person, data (a) and (b) are collected.

The Data Subject agrees that personal data may be collected and processed for the following purposes:

• Contract conclusion: The tested person's data is collected to allow contract conclusion and delivery of sampling kits;
• Order payment: Bank card data is necessary for order payment;
• Customer account creation: The customer account allows the Tested Person to access their personal data at any time;
• Analysis results interpretation: Analysis results are matched with scientific data from laboratory databases;
• Information to the tested person: Communication of analysis results to the tested person;
• Legal proceedings: Personal data of the Data Subject is retained to enable the Company to assert its rights in legal proceedings.

Data is retained for the period strictly necessary to accomplish the purposes outlined above.

Thus, the Company undertakes to archive or delete personal data as soon as the purpose and maximum legal duration of their retention have expired.

Data collected by the Company will not be transmitted to any third party without the consent of the interested parties, except for subcontractors used by the Company for the strict and necessary realization of the aforementioned purposes.

The Company undertakes to use only subcontractors who comply with GDPR provisions and ensure a reasonable level of security and pseudonymization of the Data Subject's personal data.

Upon request from competent judicial or administrative authorities, the Company may be required to communicate personal data relating to the Data Subject.

The Company may transfer personal data of the Tested Person to the TOXSEEK URGENCE association, governed by the 1901 law and registered in the national directory of associations under number W953011223, whose registered office is located at 5 rue Ferrié – 95300 Ennery – France, in the case where the latter has given consent to this transfer by accepting the Practical Conditions of Use and Privacy Policy of the TOXSEEK URGENCE association. The conditions for processing the Tested Person's personal data by the association are determined within the association's Privacy Policy.

For international data transfer, data may be transmitted to the EDH group, after information and consent from the client.

All processing of personal data must be justified by a legal reason. The processing of said data may be justified by one of the following legal reasons:

• Consent: the Data Subject has consented to the processing of their personal data for one or more specific purposes (art. 6.1.a of the GDPR)
• Contract execution: processing is necessary for the execution of a contract to which the data subject is party or for the execution of pre-contractual measures taken at the request of the data subject (art. 6.1.b of the GDPR)
• Legal obligation: processing is necessary for compliance with a legal obligation to which the data controller is subject (art. 6.1.c of the GDPR)
• Legitimate interest: processing is necessary for the safeguarding of the vital interests of the data subject or of another natural person (art. 6.1.f of the GDPR)

The Data Subject has the following rights:

• Right of access: the right to access their personal data. The Company reserves the right to charge administrative fees in case of request for multiple copies of information, within the limit of reproduction cost;
• Right to rectification: the right to obtain, without undue delay, rectification of personal data;
• Right to erasure: the right to obtain, without undue delay, erasure of personal data;
• Right to restriction of processing: the right to require restriction of processing of their personal data;
• Right to data portability: the right to require portability of all or part of their personal data;
• Right to object: the right to object to the processing of their personal data;
• Post-mortem directives: the right to define directives relating to the conservation, erasure and communication of their personal data after death.

When the Data Subject wishes to exercise one of these rights, they should send an email to the data controller at the following address: reclamation@toxseek.com.

In all cases, the data controller undertakes to allow the Data Subject to exercise their rights without undue delay.

The Company implements data security methods to guarantee the confidentiality of collected information.

Personal data transfers between the Company and its partners use encryption protocols that guarantee the confidentiality of the exchange.

In accordance with articles L.1111-8 and R.1111-9 to R.1111-15-1 of the Public Health Code, the Company's host benefits from accreditation for hosting health data on digital media. The HDS certification number is FR050438.

The Company undertakes to implement appropriate technical and organizational security measures to combat loss, destruction, publication or access by unauthorized persons to the Data Subject's personal data.

The Company does not transfer any personal data outside the territory of the European Union, except in the case where, after information and consent from the client, data would be transmitted to the EDH group.

Minors can only place orders with the Company through their legal representative. However, they benefit from appropriate prior information, which precedes the collection of their personal data.