SERFI (hereinafter "the Company") and all its partners undertake to ensure the greatest protection of the personal data of the data subject, in accordance with Regulation 2016/679 of the European Parliament and the Council of the European Union (General Data Protection Regulation, hereinafter "GDPR") and Law No. 78-17 of 6 January 1978 relating to data, files and individual freedoms as amended by Law No. 2018-493 of June 20, 2018 on the protection of personal data.
Customer: the person who orders and pays for the toxSeek or toxSeek Integral analysis.
Tested Person: Person from whom a strand of hair is removed for analysis.
Data subject: In accordance with Article 4.1 of the GDPR, this refers to the person whose personal data are the subject of a processing operation within the meaning of Article 4.2 of the GDPR, whether it be the Customer, the Tested Person or a Customer who is also a Tested Person.
- The data collected by the Company,
- The purpose,
- The retention period of the data,
- The recipients of the data,
- The rights of the data subject,
- Securing the data,
- The transfer of data outside the European Union,
- Data concerning minors.
In order to execute the contract, the delivery of the sampling kits and the transmission of the analysis report, the Company may be required to process the following data:
Customer Data (a)
- First name;
- Postal address;
- Company name;
- Email address;
- IP address;
- Telephone number;
- Bank card number, expiry date and security code (via the provider in charge of the payment processing);
These data are necessary for the conclusion of the contract, the delivery of sampling kits and the payment of the order.
Data concerning the person tested (b)
- Login and Password to access the online account;
- Hair sample;
- Analysis results;
- IP address;
These data are necessary for the proper performance of the service.
When the Customer is also the Tested Person, data (a) and (b) are collected.
The data subject agrees that the personal data are collected and processed for the following purposes:
- Performance of the contract: The data of the tested person are collected in order to allow the performance of the contract and the delivery of the sampling kits;
- Payment of the order: The credit card data are necessary to pay for the order;
- Creation of a customer account: The customer account allows the Tested Person to access their personal data at any time;
- Interpretation of the results of the analyses: The analysis results are reconciled with the scientific data of the laboratory databases;
- Information about the Tested Person: Communication of the results of analysis to the Tested Person;
- Legal proceedings: The personal data of the data subject are kept to enable the Company to assert its rights in the context of legal proceedings.
Duration of retention of personal data
The data are kept for the period strictly necessary for the fulfilment of the purposes set out above.
Thus, the Company undertakes to archive or delete personal data as soon as the purpose and the maximum legal duration of their retention have expired.
The data collected by the Company will not be transmitted to any third party without the consent of the data subject, with the exception of subcontractors used by the Company for the strict and necessary fulfilment of the aforementioned purposes.
The Company undertakes to use only subcontractors who comply with the provisions of the GDPR and ensure a reasonable level of security and pseudonymisation of the personal data of the data subject.
At the request of the competent judicial or administrative authorities, the Company may be required to provide personal data relating to the data subject.
Lawful basis for data processing
All processing of personal data must be justified by legal grounds. The processing of said data may be justified by one of the following legal grounds:
- Consent: the data subject has given consent to the processing of his or her personal data for one or more specific purposes (Art. 6.1.a of the GDPR);
- Performance of a contract: the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Art. 6.1.b of the GDPR);
- Legal obligation: the processing is necessary for compliance with a legal obligation to which the controller is subject (Art. 6.1.c of the GDPR);
- Legitimate interest: the processing is necessary for the purposes of the legitimate interests of the data subject or of another person (Art. 6.1.f of the GDPR).
Rights of the data subject
The data subject has the following rights:
- Right of access: The right to access one’s personal data. The Company reserves the right to bill for administrative fees in the event of a request for several copies of information, limited to covering reproduction fees;
- Right to rectification: The right to obtain, without undue delay, the rectification of one’s personal data;
- Right to erasure: The right to obtain, without undue delay, the erasure of one’s personal data;
- Right to restriction of processing: The right to demand the restriction of processing of one’s personal data;
- Right to object: The right to object to the processing of one’s personal data;
- Post-mortem directives: The right to set guidelines for the retention, erasure and disclosure of one's personal data after death.
When the data subject wishes to exercise one of these rights, they must send an email to the processing manager at the following address:
In every event, the processing manager is committed to allowing the data subject to exercise their rights without undue delay.
The Company has implemented data security methods to guarantee the confidentiality of data collected.
The transfer of personal data between the Company and its partners is carried out using encryption protocols which guarantee the confidentiality of the exchange.
In accordance with Articles L.1111-8 and R.1111-9 to R.1111-15-1 of the Public Health Code, the Company’s host holds an accreditation for the hosting of digital health data. The HDS certificate number is FR050438.
The Company is committed to implementing the appropriate technical and organisational measures to prevent the loss, destruction, publication or access by unauthorised persons to the data subject’s personal data.
Transfer of personal data outside the European Union
The Company does not transfer any personal data outside the territory of the European Union.
Personal data of minors
Minors may only place an order with the Company through the intermediary of their legal representative. They do, however, receive adapted information prior to the collection of their personal data.