Geneus DNA Co., Ltd. (“Geneus” or “We”) cares about your privacy and is fully committed to protect your personal data.

This Privacy Policy covers how we deal with your personal data and gives you detailed information on how, what, when, and why we collect, use, disclose, transfer or process your personal data, what steps we take to ensure your personal data stays private and secure, how long we retain your personal data, how you can contact us, and your rights under the Personal Data Protection Act B.E. 2562 (‘PDPA’).

This Privacy Policy applies to customers using Geneus services. through the website and/or application including ordering products and/or receiving a DNA analysis report This Privacy Policy applies only to this website and/or application. This does not include other websites and/or applications or other services that are offered by Geneus DNA Co., Ltd.

This Privacy Policy is written to help users understand how Geneus DNA Co., Ltd. collects, uses, stores and transmits user information when using our products or services.

Please take a moment to read our Privacy Policy to understand more about your rights to the personal data that you have given to or have with us. This Privacy Policy is subject to change at any time; so, you should come back and read this Privacy Policy from time to time. If there is any significant change to our Privacy Policy which may affect the rights to your personal data, we will inform you without delay.

Your personal data means any information relating to you that can identify you, whether directly or indirectly, from that data alone or in a combination with other identifiers we possess or can reasonably access. The types of personal data we collect will depend on the scope of services and/or type of products that you are interested in or that we provide to you.

Depending on the type of products or services you select or your relationship with us, we may collect and hold the following personal data:

• Details about you, such as name, surname, gender, date of birth, educational background, occupation, marital status and nationality
• Contact details, such as home address, email address, phone number and social media accounts
• Identification and authentication details, such as username and password
• Financial details, such as your payments history, credit card numbers and bank account details
• Survey Information is information that you enter into the survey form while signing in to your Geneus account. Survey information has been used for Geneus Research on the website and system and if you have given consent according to the Consent Document.
• User Content is all information collected from users other than General Information, Genetic Information, User-Reported Information, Survey Information (e.g text, video, messages, music, software, audio, photographs, graphics, or other materials – generated by users of Geneus Services to or through Geneus.
• Web Behavior Information is information on how you use the Geneus website (e.g. browser type, domains, page views) collected through log files, cookies, and web beacon technology.
• Aggregated data is Personal Information that has been combined with other users that is used for Product development. This type of data cannot identify the any user identity.
• Other information that you have given to us.

In addition, we may also collect and hold your sensitive data such as:

• Health, medical or treatment information;
• Racial or ethnic origin;
• Sexual preferences or practices;
• Genetic data

If you do not or are unable or decline to provide certain personal data or to consent us to collect, use or disclose certain personal data which is necessary for us to make a relationship with you or provide our services and/or products to you, we may not be able to stay in contact with you, enter into a contract with you or perform our obligations resulting from a contract entered with you. In some cases, where we have legal obligations to collect, use or disclose certain personal data and you do not or are unable or decline to provide certain personal data to us, we may be liable for failure to comply with the legal obligations under the applicable laws.

We only collect, use, disclose or process your personal data by fair and lawful means to the extent necessary for the specific purposes. We have also set out some lawful reasons why we may process your personal data. These depend on what kind of personal data we are processing.

Geneus collects user accounts, genetic information, survey data, other information that customers provide to us, and aggregated data in order to manage, provide service and analyze for the better Geneus services.

A.The use of your personal data under this Privacy Policy includes:

1. create an account, purchase products, manage payments, and communicate with you or other your required actions, such as referrals and refunds.
2. provide usability on websites and mobile applications, including your consent to use or provide information including tracking your use of our services.
3. contact you regarding the user account related to our services including policy changes, advertisements, security modifications, or other issues.
4. accept the terms of service and other agreements
5. track, monitor, and prevent our websites from inappropriate use such as spam and other security safety risks.
6. conduct research and other activities which may include data processing and product development research about new products or optimizing existing products and managing quality control
7. Legal compliance
8. We will rely on the purpose of legal compliance in which the processing of your personal data is necessary for compliance with a legal obligation to which we are subject, for example, personal data protection laws.

Including collection use and/or disclosing your personal data and sensitive personal data to the authorized organization

Analyze data and generate your genetic report To generate your genetic results via our services, you will need to create an account and register your DNA test kit ID into our system before sending your sample back to our company. Our laboratory will analyze the sample then the laboratory will provide raw data to us. After that, our bioinformatics team and doctors will process the raw data and submit you an analysis report on Geneus platform (website and/or mobile application) depending on the services your purchased. Geneus will keep improving our services continuously i.e. product research and development, and the latest genetic scientific studies. Submit a questionnaire and conduct a poll. We value your opinion. A questionnaire or a survey on our products and services may be sent to you to review in order for product development. You may accept or decline this invitation. Communication and marketing services Once you have created an account on Geneus, you have agreed that we may send promotions and other referrals to you via email or app notification. This may include periodic notifications including promotions, new products and services offerings, and promotions. You can unsubscribe from our marketing services at any time. How we use and share your information and your other choices

1. Geneus will not share your genetic data or personal information with your employers or insurance companies.
2. Your genetic report may be disclosed by doctors, specialists, or anyone you consent to as your health coach while using our service.
3. Geneus will never disclose your results to anyone else, we must do so to comply with a legal obligation.
4. In case of reselling, your consent must be given to your representatives to collect personal information in order to maintain legal consequences.
5. We may use your DNA code only in the form of special numbers together with genetic data, information from questionnaires, and personal privacy data which are anonymous or are not specified in any other contact information and may be encrypted for internal use only, such as to verify the authenticity of genetic data, improve quality and accuracy of Geneus reports and develop genetic reports and/or other services
6. We may disclose your personal information in case that disclosure was ordered by court decree, law, or other obligations.
7. Using our genetic analysis service, you will be required to purchase products or services or given as a gift from us. A DNA test kit will be sent to you and you must register a DNA test kit ID and send your sample back to us. When our laboratory has analyzed your sample completely, we will get your raw data showing only the barcode through a secure system. Your sample and your genetic material will be destroyed after the lab has finished analyzing the sample depending on the Laboratory policy and practices.

Consent Apart from the above lawful bases, we may process your personal data with your consent. We will only ask for your consent if there is no other lawful basis to process your personal data, especially, in the case where our processing activities have potential impact on your sensitive personal data. If we need to ask for your consent, we will make it clear what we are asking for and ask you to confirm your choice to give us that consent. If we cannot provide a product and/or service without your consent to process your personal data, we will make this clear when we ask for your consent.

We may request your consent to process your personal data for the following purposes:

1. Operating, maintaining and providing subsequent services in relation to the applications for services and/or products;
2. Providing services and products to you, and administering, implementing, maintaining, managing and operating such services and products, including but not limited to other healthcare products or service or other company products in the case where we need to process your sensitive personal data;
3. Identifying and providing you with the information about services, products or any events that may benefit you or may be of interest to you;
4. Analysing and conducting data analytics, surveys and feedbacks to develop, build and implement our business models, products, services and systems which help us to provide high standard services or enhance the benefits to you;
5. Internal administration including generating internal reports, accounting and handling in the case where we need to process your sensitive personal data; and
6. Offering our services, premiums and products or other offers to you; and
7. Being a part of the research and study of healthcare to integrate develop of Thailand.

Note that when the data subject is a minor, quasi-incompetent or incompetent, consent will be requested from their legal representatives, guardians or curators.

We will always notify you, before or at the time of collecting your personal data, about our purposes of processing. However, in some circumstances as specified under the PDPA, it is not necessary for us to inform you about our processing of your personal data, such as when:

you are already aware of such new purposes or details of our processing;

we believe that notice of such new purposes or the details of our processing is impossible or will obstruct the use or disclosure of your personal data, where we have taken suitable measures to protect your rights, freedoms and interests;

it is urgent to use or disclose your personal data as required by law and we have implemented suitable measures to protect your interests; or

we are aware of or acquire your personal data from our duty, occupation or profession, and we have used your personal data in accordance with such professional purposes and maintained the confidentiality as required by law.

We collect your personal data in different ways which include in writing, by electronic or hard copy form, by telephone, email, in person, and over the internet such as via our website and application, cookies, online forms or social media.

We may collect your personal data directly from you. For example, you provide us with your personal data when you fill in an application form, request form, communicate with us over the telephone, send us a letter or use our website and application.

We may also collect your personal data indirectly from publicly available sources of information and/or from other parties including:

• organisations that we have an arrangement with to jointly offer products
• our related entities
• third parties who, at the time of collection, have notified you that your information will be provided to us
• government, statutory or regulatory body and law enforcement bodies
• other third parties; and
• our agent, or anyone that you have authorised to deal with us.

If you provide personal data about another individual to us, you agree to:

• inform them that you are disclosing their personal information to us;
• collect their consent to do so;
• direct them to the Geneus Privacy Policy; and
• make them aware of the content of this Privacy Policy.

Generally, this Privacy Policy applies to Geneus and all Geneus Group members, including all business units, departments, personnel, and third parties that handle personal data with a contractual arrangement with Geneus and/or with Geneus affiliated entities.

Your personal data may be transferred or disclosed to, accessed by or shared on a need to know basis with the following parties and for the following purposes

1. Group members or business partners:
• group members of Geneus in order to provide our products and services to you;
• any business partners of Geneus that we have an agreement with including the members of those partners
2. Agents or contractors
• any person or companies wh
ich is acting for or on behalf of Geneus, or jointly with Geneus, in respect of a purpose or a directly related purpose for which your personal data was required;
• any service providers who provide administrative, credit reference, debt collection, telecommunications, computer, payment, printing, redemption, courier or other services in relation to the operation of businesses of Geneus;
3. Professionals
• any physicians, hospitals, clinics, medical practitioners, laboratories, technicians, who are engaged by Geneus in connection with Geneus business;
4. Others
• any person or company to whom Geneus is obliged or expected to make disclosure under the requirements of laws, rules, regulations, codes of practice or guidelines (applicable in or outside Thailand) including any legal, regulatory, governmental, tax, law enforcement or other authorities, self-regulatory or industry bodies.

We deal with many international organisations and use global information systems. As a result, we transfer your personal data to countries outside Thailand for the purposes set out in this Privacy Policy. Not all countries outside Thailand have data protection laws that are similar to those in Thailand. Where data security standards are deemed inadequate, we will provide appropriate safeguards to protect your interest or the transfer will take place if one of the exceptions defined by the PDPA is met.

These exceptions are:

1. if the transfer is necessary for compliance with the law;
2. if you have explicitly consented to the proposed transfer after having been informed of the possible risks due to the absence of an adequacy decision or adequate safeguards;
3. if the transfer is necessary for the performance of a contract with you or the implementation of pre-contractual measures taken at your request;
4. if the transfer is necessary for the conclusion or performance of a contract in your interest between Geneus and another natural or legal person and
5. if the transfer is necessary for important reasons of public interest.

You have rights to your personal data, and according to the PDPA these rights include:

1. Right to access
   You have a right to access and obtain a copy of your personal data that we hold about you. You may ask us to disclose the sources of where we obtained your personal data to which you have not consented to.
2. Right to data portability
   You have a right to request us to transfer your personal data to other persons/organisations, or request to see the personal data that we have transferred to other persons/organisations, unless it is impossible for us to carry out your request due to technical circumstances.
3. Right to object to the processing of your personal data
   You have the right to object to the processing of your personal data, unless there are circumstances that do not allow you to make the objection. These may include cases where we have compelling legitimate grounds or when the processing of your personal data is carried out to comply, exercise or defend legal claims or for the public interest.
4. Right to erasure
   You have a right to request us to delete, destroy or anonymise your personal data in the following circumstances:
• The personal data is no longer necessary for the purpose for which it was collected, used or disclosed;
• You have withdrawn your consent on which the collection, use or disclosure was based and we no longer have legal grounds to collect, use or disclose the personal data;
• You have objected to the collection, use or disclosure of the personal data and we do not have legal grounds to reject the request; and/or
• When the personal data has been lawfully collected, used or disclosed under the PDPA.
5. Right to restrict the processing of your information
   You have a right to request us to restrict the processing of your personal data in the following circumstances:
• It is under a pending examination process to check if the personal data is accurate, up-to-date, complete and not misleading;
• The personal data should be deleted or destroyed as it does not comply with the law and you request to restrict it instead;
• The personal data is no longer necessary for the purpose for which it was collected, used or disclosed, but you have the necessity to request the retention for purposes of establishing, complying, exercising or defending legal claims;
• We are pending verification of a basis to reject the objection request for the collection, use or disclosure of personal data.
6. Right to rectification
   You have a right to rectify inaccurate personal data in order to make it accurate, up-to-date, complete and not misleading.
7. Right to lodge a complaint
   You have the right to make a complaint to the Personal Data Protection Committee in the case where we, our data processors, employees or contractors do not comply with the PDPA or other announcements under the PDPA.
8. Right to withdraw consent
   You may withdraw your consent at any time, unless we have a lawful basis to deny your request.

If you change your mind about how you would like us to have or process your personal data, you can tell us anytime by following the process under “Exercising your rights” section.

In order to exercise your rights stated above, you may refer to our contact’s details under “How to contact us” stated hereinbelow. If you make a request, we will ask you to confirm your identity (if necessary), and to provide information that helps us to understand your request better. We expect to respond to your request within 30 days of the receipt of your request.

We have full rights and sole discretion to either fulfil or decline your request or charge a reasonable fee to fulfil your request in the case where you have made more than 3 consecutive requests within 10 working days, or in the event that the requests are obviously excessive or unfounded. We are entitled to refuse your request on statutory grounds and we will notify you of the refusal and our grounds.

In the case where we reject your request, we will record the rejection with reasons according to the PDPA.

If you have any questions or would like to exercise any rights relating to your personal data, please contact us via the provided details in the ‘How to contact us’ section.

The period we keep your personal data is often linked to the prescription and enforcement periods under law. We will not keep your personal data longer than is necessary for the purposes for which that personal data was collected, held and processed, except when the retention period is determined by other laws and regulations, which in many cases is up to 11 years after the end of our relationship with you.

After this time, we might keep your personal data if we must do so to comply with a legal obligation, or if existing claims or complaints reasonably require us to keep your personal data, or for regulatory or technical reasons. If we do need to keep your personal data for a longer period, we will continue to protect that personal data.

We will delete, destroy, permanently anonymise, or otherwise dispose of all personal data at the end of the retention period, or when we must comply with your request for erasure of your personal data.

If you have any questions, please contact us at the provided details in the ‘How to contact us’ section.

As part of our products and/or service, we may use your personal data to identify a product and/or service that may benefit you. We may contact you occasionally to let you know about new or existing products or services.

We may also disclose your personal data to our related entities or business partners to enable them to tell you about a product or service. The marketing delivery channels may be through electronic means, email, telephone, text and other forms of communication.

For direct marketing, Genius intends:

1. to use your name, contact details, service and product portfolio information, financial background and demographic data held by Geneus in direct marketing;
2. to market the following classes of services and products offered by Geneus , Geneus Group and/or our partners:
• selling, cross selling or upselling of services and products;
• reward, promotion, campaign, loyalty or privilege programmes and related services and products
• donations and contributions for charitable and/or non-profit making purposes.
• Services and products of business partners
3. to provide your personal data described in 1) above to any members of Geneus and/or our partners for their use in direct marketing the classes of services and products described in 2) above.

If you change your mind about how you would like us to contact you or you no longer wish to receive any of the above information, you can tell us anytime by following the process under “Exercising your rights” section.

To keep your personal data safe and secure, we use a range of measures, which include encryption and other forms of security. We require our employees and third parties who carry out work on our behalf to comply with appropriate privacy standards including obligations to protect against the leakage of information and to apply appropriate security measures for the processing of information.

We maintain and update our security procedures and measures to ensure a level of security for the personal data appropriate to the respective risk and the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing, including to prevent loss and unauthorised collection, access, use, modification, correction or disclosure of personal data. Our security measures apply to all types of data processing regardless of whether the personal data is processed electronically or in paper form.

We certify that all personal data collected will be safely and securely stored with strict security standards. If you have reason to believe that your personal data has been breached or if you have any questions regarding this Privacy Policy, please contact us. See the ‘How to contact us’ section for contact details.

Geneus’s website and application may include hyperlinks to third party websites. Geneus has no control over the content, accuracy, expressed opinions and links provided at these third party websites or how these third party websites deal with your personal data. You should visit these third party websites for details of their privacy policies in relation to their handling of your personal data.

Geneus may use ‘cookies’ to improve our internet service. A cookie is a small file of letters and numbers that are automatically stored on your computer’s browser and can be viewed by Geneus’s website and application. Cookies also help Geneus’s website and application to recognize you and your list of favourites or most common use when visiting the website, as well as assisting Geneus in customizing the website to suit your needs.

The data collected by cookies are customization of anonymous data. Therefore, there are no data concerning your name, address or any data that can enable other parties to contact you via telephone, email address and other forms of contact. There are also no personal data of customers stored in cookies. However, you may block the use of cookies by customizing your browser setting, but blocking our cookies may impact your usage on our website or online services, causing difficulty in entering transactions with us via Geneus’s website and application and taking longer to request additional data.

We reserve the right to change, amend or update the Privacy Policy at any time we deem appropriate. We will notify you of any change, amendment or update on our Corporate Website, which you can check at any time.

If you have any comments, suggestions, questions, complaints or want to exercise your rights regarding your personal data, please contact:

Data Protection Officer

Address: 1 Park Silom Tower ,15th floor, Unit No. 1503-1504 Convent Rd, Silom, Bang Rak, Bangkok 10500

Contact details:

Email address: [email protected]

Telephone: 020 010 0489

By virtue of Royal Decree Prescribing Organisations and Businesses of which Personal Data Controllers are not Subject to Personal Data Protection Act B.E 2563 postponing the PDPA effective date, you may exercise your rights regarding your personal data from 1 June 2021 onwards.

Updated on 12 May 2022