Privacy policy for Toredo Web App

Toredo MediCom GmbH (hereinafter also referred to as "we", "us" or "Toredo") is the controller for this web app (hereinafter also referred to as "website") within the meaning of the General Data Protection Regulation (GDPR).

Responsible handling of personal data is a high priority for us. It is very important to us that you feel safe when visiting our website. We process your data exclusively on the basis of legal and contractual provisions and in accordance with the GDPR and the Austrian Data Protection Act as amended. Please read this privacy policy carefully.

Automated decision-making, including profiling, does not take place. If we process your personal data for a purpose other than that for which we collected it, we will inform you of this fact.

All non-specific gender references in this data protection information and on the websites follow the unisex principle and therefore apply equally to all genders.

  • General information

Controller according to Art. 4 no. 7 GDPR

Toredo MediCom GmbH
St. Jakoberstrasse 1
9020 Klagenfurt
Austria
Tel: +43 (0) 463 20 31 11 30
E-mail: kontakt@toredo.at

If you have any questions in connection with the processing of your personal data and the exercise of your rights in connection with data protection, please contact our data protection officer.

Data Protection Officer:

MMag. Christina Toth, MSc
Laudongasse 12/2
1080 Vienna
Austria
Tel.: +43 (0) 1 994 66 13
E-mail: office@christinatoth.at

  • Data processing when visiting our web app

The Toredo web app collects a range of general data and information each time it is accessed by a data subject or an automated system.

The following can be recorded: the browser types and versions used, the operating system used by the accessing system, the website from which an accessing system reaches our websites (the so-called referrer), the sub-pages accessed on our websites, the date and time of access, the Internet protocol address (IP address), the Internet service provider of the accessing system, and other similar data and information that serve to avert danger in the event of attacks on our IT systems.

When using this general data and information, Toredo does not draw any conclusions about the data subject. Rather, this information is required to correctly deliver the content of our web app, to optimize the content of our web app and the advertising for it, and to ensure the long-term functionality of our IT systems and the technology of our web app.

In order to use some services of our web app, it is necessary to give us certain authorizations via your device (e.g. smartphone) (in particular access to the camera, location, memory or receipt of push notifications). If you give us the corresponding authorization via your device, you give us your consent (Art. 6 para. 1 lit. a GDPR) to process this data.

  • Google Firebase

This web app uses Google Firebase technology from Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Firebase").

We use the mobile applications of the Google Firebase services "Firebase Authentication", "Cloud Firestore" and "Cloud Functions for Firebase" to process and store the personal data collected. Firebase Authentication is used to generate a pseudonymous identifier for each mobile device when using the mobile applications for the first time. The pseudonymous identifier is used for continuous secure communication between the mobile device with the mobile application and the Google Firebase services. Cloud Firestore is used to store the aforementioned personal data (including the pseudonymous identifier) that is generated when the mobile application is used. The server location is in the European Union. Cloud Functions for Firebase is used for the pre- and post-processing of personal data.

Our website also uses Firebase Hosting. When you call up a page, your browser loads the required data, such as the HTML file, stylesheets for display, JavaScript for displaying elements and images, and displays them. For this purpose, the browser you use must connect to the Firebase Hosting servers. As a result, Google becomes aware that our website has been accessed via your IP address. To ensure the secure operation of this website, Google records your IP address for a period defined by Google.

The storage is carried out to ensure the operation of and to prevent threats to this website and constitutes a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR.

The data processing and security regulations of Firebase can be found at: https://firebase.google.com/terms/data-processing-terms.

You can find further information on Google's terms of use and data protection at: https://www.google.com/analytics/terms/de.html or https://policies.google.com/?hl=de.

  • Data processing in connection with the DNA test kits

Toredo offers DNA test kits for carrying out DNA analyses via various distribution points and web stores. These are exclusively lifestyle analyses and not analyses for medical purposes.

After ordering the DNA test kit, the customer receives instructions on how to register for the web app and take the test. Registration in the web app is required in order to receive the results of the gene sequence analysis. After the analysis, the customer receives an e-mail, and the reports are available to the customer on the Reports subpage when logged in.

The performance and evaluation of the self-tests of Toredo MediCom GmbH are processed for the purpose of fulfilling the contract (Art. 6 para. 1 lit. b GDPR) and on the basis of your consent pursuant to Art. 6 para. 1 lit. a GDPR in conjunction with Art. 9 para. 2 lit. a GDPR for the processing of sensitive data.

  • a. Data processing in connection with your user account

When you create a user account, the following master data is processed for the purpose of fulfilling the contract: First name, last name, date of birth, gender, social security number (optional), telephone number, address and test ID.

  • b. Data processing in connection with the implementation and evaluation of the self-test

When you purchase such a DNA test kit and perform a self-test, sensitive data is also processed to provide you with our services. We extract your DNA from your DNA sample, process it and perform a genetic analysis to provide you with the DNA analysis report. This data is stored in the laboratory and in the laboratory database. After the analysis, a medical test report is created, which you can access in your user account.

Special categories of personal data, such as health data and genetic data, are also processed for the evaluation of the self-tests. This data is processed for the purpose of analyzing your swab sent by post on the basis of your express consent in accordance with Art. 9 para. 2 lit. a GDPR. Your data will remain with us until you ask us to delete it, revoke your consent to storage or the purpose for data storage no longer applies. Mandatory statutory provisions - in particular statutory retention periods - remain unaffected. If requested by you, we will destroy the DNA samples provided by you. To request the destruction of the DNA samples, please contact us. You also have the option of deleting your DNA analysis from the web app at any time.

  • c. Cooperation with partners

Toredo MediCom GmbH forwards the tests carried out by you to Toredo (hereinafter also referred to as the "laboratory") for evaluation. In the event of a disease diagnosis, the test results will be evaluated by a doctor.

In the event of the presence of a notifiable disease (e.g. Covid-19), the laboratory is obliged to report test results to the competent health authorities (Art. 9 para. 2 lit. i GDPR in conjunction with Section 3 para. 1 EpiG and Section 1 para. 3 of the Ordinance on Electronic Laboratory Notifications to the Register of Notifiable Diseases).

  • We also use cookies

In order to make your visit to our web app attractive and to enable the use of certain functions, we use so-called cookies. Cookies are text files that are stored on your end device and store certain information for exchange with our system.

Many cookies are technically necessary, as certain website functions would not work without them. Other cookies can be used to evaluate user behavior or for advertising purposes.

Cookies that are required to carry out the electronic communication process, to provide certain functions that you have requested (e.g. for the shopping cart function) or to optimize the website (necessary cookies) are stored on the basis of Art. 6 para. 1 lit. f GDPR, unless another legal basis is specified. The website operator has a legitimate interest in the storage of necessary cookies for the technically error-free and optimized provision of its services.

Cookies that are not absolutely necessary to provide the services on this web app and that are necessary for the error-free operation of the application are only used after your consent ("cookie banner").

You can set your browser so that you are informed about the setting of cookies and only allow cookies in individual cases, exclude the acceptance of cookies for certain cases (in particular cookies from third-party providers) or in general and activate the automatic deletion of cookies when closing the browser. If cookies are deactivated, the functionality of the web app may be restricted. The legal basis for the data processing for cookies that are necessary to enable the function of the web app or to transmit messages is our legitimate interest. Other cookies are processed on the basis of your consent and are only set by us after you have given your consent.

  • Data processing in the context of establishing contact

If you contact us by post, email, via social media or using the form provided or send us an inquiry, we will process the personal data you provide (first name and surname, contact information and other information you provide voluntarily).

We process your request and manage your data in the context of contractual or pre-contractual relationships in order to fulfill our pre-contractual and contractual obligations or to answer inquiries on the basis of Art. 6 para. 1 lit. b GDPR.

  • Legal basis

The processing of your personal data, which is necessary for the fulfillment of the contract or due to pre-contractual measures, is based on Art. 6 para. 1 lit. b GDPR.

If processing is necessary to fulfill a legal obligation, this is done on the basis of Art. 6 para. 1 lit. c GDPR, to comply with legal obligations and to comply with judicial and official orders.

Should vital interests of a person make processing necessary, Art. 6 para. 1 lit. d GDPR serves as the legal basis.

If processing is necessary to safeguard our legitimate interests and if these interests prevail, processing is carried out on the basis of Art. 6 para. 1 lit. f GDPR.

If there is no other legal basis for processing, we process your personal data on the basis of your consent pursuant to Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR. Consent to data processing is voluntary and can be revoked at any time with effect for the future. In the event of express consent to the transfer of personal data to third countries, data processing is also carried out on the basis of Art. 49 para. 1 lit. a GDPR.

  • Note on data transfer to the USA and other third countries

Among other things, we use tools from companies based in the USA or other third countries. If these tools are active, your personal data may be transferred to these third countries and processed there. We would like to point out that no level of data protection comparable to that in the EU can be guaranteed in these countries.

  • Transfer of your personal data to third parties

We use the services of third-party providers to fulfill the contract and to process your personal data securely. We have ensured that they also guarantee the protection of your personal data in accordance with the GDPR and have contractually agreed this accordingly. We have concluded a separate order processing agreement with all partners, which ensures that your data is also processed by our cooperation partners in accordance with the applicable data protection regulations.

  • Storage duration

Your personal data will only be stored by us for as long as we reasonably deem necessary to achieve the stated purposes and as permitted by applicable law.

It is a general criterion for us that we only store personal data for as long as is absolutely necessary for the provision of our services and products. This means that we delete personal data as soon as the reason for the data processing no longer exists. In some cases, we are legally obliged to store certain data even after the original purpose no longer applies, for example for accounting purposes.

The master data in your user account will be stored until you delete your profile or until you revoke your consent to the processing of your data.

If you wish your data to be deleted or revoke your consent to data processing, the data will be deleted as quickly as possible and insofar as there is no obligation to store it. The withdrawal of consent does not affect the lawfulness of data processing based on consent before its withdrawal.

  • Your rights in connection with your personal data

In principle, you have the right to information about the stored data in accordance with Art. 15 GDPR, to rectification of inaccurate data in accordance with Art. 16 GDPR, to erasure of data in accordance with Art. 17 GDPR, to restriction of processing of data in accordance with Art. 18 GDPR, to object to unreasonable data processing in accordance with Art. 21 GDPR and to data portability in accordance with Art. 20 GDPR.

If you are of the opinion that the processing of your data violates data protection law or your data protection claims have been violated in any other way, please contact our data protection officer first:

MMag. Christina Toth, MSc
Laudongasse 12/2
1080 Vienna
Austria
Tel.: +43 (0) 1 994 66 13
E-mail: office@christinatoth.at

We will process your request as soon as possible and get back to you within 30 days at the latest.

You also have the option of contacting the data protection authority:

Austrian Data Protection Authority
Barichgasse 40-42
1030 Vienna
Tel.: +43 (0) 1 52 15 2 - 0
E-mail: dsb@dsb.gv.at

  • SSL or TLS encryption

This site uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content, such as orders or inquiries that you send to us as the site operator. You can recognize an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://" and by the lock symbol in your browser line. If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.

  • Children

Persons under the age of 14 should not transmit any personal data to us without the consent of their parents or legal guardians. If you, as a parent, believe that your child has submitted data to us and we have collected data about your child, please contact us.

  • Changes to our data protection information

From time to time it may be necessary to amend or supplement this data protection information. We therefore recommend that you read this data protection information at regular intervals. However, you can rest assured that changes will not take effect retroactively and that we will not fundamentally change the way in which previously collected data is used.

Privacy policy gene analysis

Toredo (hereinafter also referred to as "we", "us" or "Toredo") is the controller for this web app (hereinafter also referred to as "website") within the meaning of the General Data Protection Regulation (GDPR).

Responsible handling of personal data is a high priority for us. It is very important to us that you feel safe when visiting our website. We process your data exclusively on the basis of legal and contractual provisions and in accordance with the GDPR and the Austrian Data Protection Act as amended. Please read this privacy policy carefully.

Automated decision-making, including profiling, does not take place. If we process your personal data for a purpose other than that for which we collected it, we will inform you of this fact.

All non-specific gender references in this data protection information and on the websites follow the unisex principle and therefore apply equally to all genders.

  • General information

Controller according to Art. 4 no. 7 GDPR

Toredo MediCom GmbH
St. Jakoberstrasse 1
9020 Klagenfurt
Austria
Tel: +43 (0) 463 20 31 11 30
E-mail: kontakt@toredo.at

If you have any questions in connection with the processing of your personal data and the exercise of your rights in connection with data protection, please contact our data protection officer.

Data Protection Officer:

MMag. Christina Toth, MSc
Laudongasse 12/2
1080 Vienna
Austria
Tel.: +43 (0) 1 994 66 13
E-mail: office@christinatoth.at

  • Data processing in connection with the DNA test kits

Toredo offers DNA test kits for carrying out DNA analyses via various distribution points and web stores. These are exclusively lifestyle analyses and not analyses for medical purposes.

After ordering the DNA test kit, the customer receives instructions on how to register for the web app and take the test. Registration in the web app is required in order to receive the results of the gene sequence analysis. After the analysis, the customer receives an e-mail, and the reports are available to the customer on the Reports subpage when logged in.

The performance and evaluation of the self-tests of Toredo MediCom GmbH are processed for the purpose of fulfilling the contract (Art. 6 para. 1 lit. b GDPR) and on the basis of your consent pursuant to Art. 6 para. 1 lit. a GDPR in conjunction with Art. 9 para. 2 lit. a GDPR for the processing of sensitive data.

  • a. Data processing in connection with your user account

When you create a user account, the following master data about you will be processed for the purpose of fulfilling the contract (Art. 6 para. 1 lit. f GDPR) in order to process the tests: first name, surname, date of birth, gender, e-mail address, telephone number, address (street, house number, zip code, town, country).

The master data will be stored until the profile is deleted by you or until you revoke your consent to the processing of your data.

  • b. Data processing in connection with the performance and evaluation of the DNA sample

When you purchase a DNA test kit and submit your DNA sample to us, your DNA information will be processed to provide you with our DNA services. DNA-related information is generated and stored when you use our DNA services. We extract your DNA from your DNA sample, process it and perform a genetic analysis to provide you with the requested DNA analysis reports. This data is stored in the laboratory and in the laboratory database.

Special categories of personal data such as genetic data are processed in order to carry out the DNA analysis. This data is processed for the purpose of analyzing your sample sent by post on the basis of your express consent in accordance with Art. 9 para. 2 lit. a GDPR. Your data will remain with us until you ask us to delete it, revoke your consent to storage or the purpose for data storage no longer applies. Mandatory statutory provisions - in particular statutory retention periods - remain unaffected. If requested by you, we will destroy the DNA samples provided by you. To request the destruction of the DNA samples, please contact us. You also have the option of deleting your DNA analysis from the web app at any time.

  • c. Data processing in connection with the ordering of personalized supplements

After ordering a subscription for personalized supplements, we will send you a questionnaire. In it, we ask you to answer a number of questions about yourself and your lifestyle. Based on your answers and the analysis of your DNA, we will create supplements tailored to your needs.

The personal data received as part of this survey will only be processed to fulfill the contract and will not be passed on to third parties.

  • d. Cooperation with partners

The evaluation of your tests is carried out by our own laboratory.

Apart from this, the DNA analysis reports are not forwarded to third parties, but are only made available to you in your user account in the web app for retrieval.

  • Legal basis

The processing of your personal data, which is necessary for the fulfillment of the contract or due to pre-contractual measures, is based on Art. 6 para. 1 lit. b GDPR.

If processing is necessary to fulfill a legal obligation, this is done on the basis of Art. 6 para. 1 lit. c GDPR, to comply with legal obligations and to comply with judicial and official orders.

Should vital interests of a person make processing necessary, Art. 6 para. 1 lit. d GDPR serves as the legal basis.

If processing is necessary to safeguard our legitimate interests and if these interests prevail, processing is carried out on the basis of Art. 6 para. 1 lit. f GDPR.

If there is no other legal basis for processing, we process your personal data on the basis of your consent pursuant to Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR. Consent to data processing is voluntary and can be revoked at any time with effect for the future. In the event of express consent to the transfer of personal data to third countries, data processing is also carried out on the basis of Art. 49 para. 1 lit. a GDPR.

  • Transfer of your personal data to third parties

We use the services of third-party providers to fulfill the contract and to process your personal data securely. We have ensured that they also guarantee the protection of your personal data in accordance with the GDPR and have contractually agreed this accordingly. We have concluded a separate order processing agreement with all partners, which ensures that your data is also processed by our cooperation partners in accordance with the applicable data protection regulations.

  • Use of data for research purposes

Toredo is committed to the further development of medical research. To this end, your data may be used for research purposes. Extreme care is taken and extensive organizational and technical measures are taken to ensure that only the most necessary data is processed in de-identifiable form. In the context of research work, neither your name nor other identifiable information is processed together with your genetic data, so that no conclusions can be drawn about your person.

  • Storage duration

Your personal data will only be stored by us for as long as we reasonably deem necessary to achieve the stated purposes and as permitted by applicable law. This means that we delete personal data as soon as the reason for the data processing no longer exists. In some cases, we are legally obliged to store certain data even after the original purpose has ceased to exist, for example for accounting purposes.

The master data in your user account will be stored until you delete your profile or until you revoke your consent to the processing of your data.

If you wish your data to be deleted or revoke your consent to data processing, the data will be deleted as quickly as possible and insofar as there is no obligation to store it. The withdrawal of consent does not affect the lawfulness of data processing based on consent before its withdrawal.

  • Your rights in connection with your personal data

In principle, you have the right to information about the stored data in accordance with Art. 15 GDPR, to rectification of inaccurate data in accordance with Art. 16 GDPR, to erasure of data in accordance with Art. 17 GDPR, to restriction of processing of data in accordance with Art. 18 GDPR, to object to unreasonable data processing in accordance with Art. 21 GDPR and to data portability in accordance with Art. 20 GDPR.

If you are of the opinion that the processing of your data violates data protection law or your data protection claims have been violated in any other way, please contact our data protection officer first:

MMag. Christina Toth, MSc
Laudongasse 12/2, 1080 Vienna
Tel.: +43 (0) 1 994 66 13
E-mail: office@christinatoth.at

We will process your request as soon as possible and get back to you within 30 days at the latest.

You also have the option of contacting the data protection authority:

Austrian Data Protection Authority
Barichgasse 40-42, 1030 Vienna
Tel.: +43 (0) 1 52 15 2 - 0
E-mail: dsb@dsb.gv.at

  • Children

Persons under the age of 14 should not transmit any personal data to us without the consent of their parents or legal guardians. If you, as a parent, believe that your child has submitted data to us and we have collected data about your child, please contact us.

  • Changes to our data protection information

From time to time it may be necessary to amend or supplement this data protection information. We therefore recommend that you read this data protection information at regular intervals. However, you can rest assured that changes will not take effect retroactively and that we will not fundamentally change the way in which previously collected data is used.