Last Updated and Effective: 2024-05-24
1. Introduction
ELSI Skin Health, Inc. (hereinafter, the “Company”, “HelloBiome”, “Dr. Elsa Jungman”, “DR-EJ”, “we”, “us”, “our”) is a legal entity incorporated under the laws of the State of Delaware (USA), file number 6784855.
This Privacy Policy (the “Privacy Policy”) applies to the websites listed below (collectively, the “Websites”), as well as other online products and services that fall under this Privacy Policy (collectively, the “Services”) or when you otherwise interact with us, and explains how HelloBiome collects, processes, and discloses personal information in the following use cases:
(i) “Dr. Elsa Jungman Brand” through:
- https://dr-ej.com/, an e-commerce website that sells cosmetic products under Dr. Elsa Jungman brand, as well as microbiome test kits; and
- https://my.dr-ej.com/, a microbiome test website on which the user registers their account to activate microbiome tests and complete quizzes that accompany each test and, as a result, receives reports with Dr. Elsa Jungman’s brand product recommendations for each test.
(ii) “HelloBiome White-Label Platform” through websites whose domains are defined by the clients of the HelloBiome White-Label Platform (the “Client(s)”). For example, such Clients’ client-branded microbiome test websites can be located either on one of the HelloBiome sub-domains (*.hellobio.me) or on the Client’s own domain/sub-domain. In any case, such HelloBiome White-Label Platform websites shall contain references to this Privacy Policy.
(iii) “Claim Study & Research and Analysis” through:
- https://hellobio.me/, a B2B focused website, explaining different services of HelloBiome; and
- https://my.hellobio.me (or other subdomains under the main Domain Name, *.hellobio.me), a microbiome test website on which the research study participants register their account to activate microbiome tests and complete quizzes that accompany each test, and receive reports for each test.
Your privacy is important to us. This Privacy Policy outlines how we collect, process, and manage the personal data we collect from your use of our Services, through your interaction with us on social media or your other dealings with us.
Should you have any questions or concerns regarding your personal data, please contact us at the contact details provided in the Contact Information section of the Privacy Policy.
2. Information We Collect About You
HelloBiome is responsible for the protection of privacy and safeguarding of the personal data of the following categories of data subjects (hereinafter, each separately or collectively referred to as “you”, “your” or the “Data Subject(s)”):
Website | Data Subject Categories | Personal Data Categories |
---|---|---|
https://dr-ej.com/ | – website visitors – customers | – email – first name – last name – password – address – age – location – non-identifying information about website visits – payment event data |
– https://my.dr-ej.com/ – https://my.hellobio.me – *.hellobio.me – other subdomains – client-branded microbiome test websites | – website visitors – website users | – email – first name – password – year of birth – health, beauty, and skin-related information – data revealing ethnic origin – location (zipcode) – other special categories of personal data (as defined in Art. 9(1) GDPR) depending on the set of questions of a particular client quiz – questions about the lifestyle and conditions of the specific body area – microbiome data (containing information about the absolute abundance of the fungi and bacteria detected in the test sample) |
client-branded microbiome test websites | – website visitors – website users | additional data specified by the Client, collected directly from users or from 3rd party systems, and authorized to be accessed – as a part of custom development (e.g., heart rate variability (HRV) from the fitness bracelet) |
https://hellobio.me/ | – website visitors – website users | – email – company name – first name – last name – automatic check whether this is a returning visit |
3. Purposes For Which We Use Personal Data
HelloBiome, as a data controller, may only use your personal data if there is a lawful basis for such use. The most common lawful bases used by HelloBiome are:
- consent: in some cases, we may process your personal data only if we obtain your prior consent;
- performance of a contract: we will require your personal data to be able to offer you the Services in accordance with the contract terms between you and us;
- compliance with a legal obligation: due to the nature of the Services we provide, the laws applicable to our activities require us to collect and store certain data about you; and
- legitimate interests: sometimes we rely on our legitimate interests to process your data (e.g., to improve our Services) and we will do so except where such interests are overridden by your interests or fundamental rights and freedoms.
Below you will find a table describing how we may use your personal data and which of the legal bases are used by the Company to ensure lawful data processing.
Purpose/activity | Personal Data Categories | Lawful Basis for Processing |
---|---|---|
To create your account and provide the Services to you | – email – first name – last name – password – age – year of birth – address – location – company name – non-identifying information about website visits – automatic check whether this is a returning visit | Performance of a contract when we provide our Services to you |
To deliver microbiome test kits and test products & routines | same as above | – Performance of a contract when we provide our Services to you – Consent |
To communicate with you and contact you with information about: – account info/related emails; – updates about the Company/marketing; – surveys | same as above | – Performance of a contract when we provide our Services to you – Consent – Our legitimate interests to promote our Services |
To market the products | same as above | Performance of a contract when we provide our Services to you |
– To improve the Website, the Services, revenues – To implement reasonable security measures – To better understand the interests of the consumers in our products | same as above | Our legitimate interests to improve our Services |
To share data with our partners where required (e.g., laboratories, ad serving partners) | same as above | – Explicit consent – Performance of a contract when we provide our Services to you |
To share data with banks/providers for payment processing | same as above | Our legitimate interests to improve our Services |
To share data with law enforcement authorities for legal reasons | same as above | Compliance with a legal obligation |
To process payments | payment event data | Performance of a contract when we provide our Services to you |
– To provide automated recommendations of the routines and recommendations of the Client’s suitable products. – To develop innovation in the field of personal care, beauty, and wellness products based on advanced microbiome studies. – To conduct at-scale research studies to improve the science of the microbiome for the different body areas. – To assess the impact of the specific products on the skin microbiome and issue claim reports for the Clients. | – health, beauty, and skin-related information – data revealing ethnic origin – other special categories of personal data (as defined in Art. 9(1) GDPR) depending on the set of questions of a particular client – quiz questions about the lifestyle and conditions of the specific body area – microbiome data (containing information about the absolute abundance of the fungi and bacteria detected in the test sample) – additional data specified by the Client, collected directly from users or from 3rd party systems and authorized to be accessed as a part of custom development (e.g., heart rate variability (HRV) from the fitness bracelet) – contact details (e.g., email, first name, last name, address, company name) | – Explicit consent – Performance of a contract when we provide our Services to you – Our legitimate interests to improve our Services |
If you fail or refuse to provide the personal data we need in order to provide the Services to you, you will not be able to access the Services.
4. Cookies
We may use cookies for various purposes when you access or use the Services:
- to recognize you whenever you use the Website (this speeds up your access as you do not have to log in each time);
- to prevent fraud on our Website;
- to remember your preferences and your device so the Website works as expected;
- to provide visitors with the relevant version of the Website;
- to assist with our promotional and marketing efforts;
- to carry out research and statistical analysis to help improve our content, products, and services and to help us better understand our users’ requirements.
For further information on cookies generally, visit www.aboutcookies.org or www.allaboutcookies.org.
You can adjust your cookie choices using the cookie banner on the Websites, which will appear during your first visit to the Websites.
We will ask for your consent for the use of all non-essential cookies, for instance, functional cookies, targeting cookies, or analytical/performance cookies.
Strictly necessary cookies are essential cookies, and they cannot be disabled on the Websites. Unless you choose otherwise, we can store and process only those cookies that are necessary for the operation of our Websites without obtaining your consent. If you don’t want to be tracked by other types of cookies, you can refuse to give your initial consent or opt out later.
5. Sources Of Personal Data
Most of the personal data we process about you is received directly from you. For example, when you register to use the Services or communicate with us, we may receive your account data from you.
In other cases, we may receive personal data about you from various third parties and publicly accessible sources, including, but not limited to, laboratories, banks, payment service providers, advertising networks, analytics providers, etc.
When you use the Services, we may also automatically collect usage data through the use of cookies and similar technologies.
6. How Do We Protect Your Personal Data?
We take all reasonable and appropriate technical and organizational measures to protect all personal data collected by us from loss, theft, misuse, unauthorized access, disclosure, alteration, and destruction.
6.1 Security
Security is implemented by design: it is realized from the very beginning by controlling all layers of data exchange and storage.
On the client side, we:
- protect customers’ access to the reports with strong passwords and secure authentication;
- transmit data over HTTPS, using up-to-date certificates (SHA-256 with RSA encryption);
- minimize security flaws by implementing the highest security settings as defaults for each user;
- avoid Cross-Site Scripting (XSS) attacks by validating all data input sent from users to our servers.
On the server side, we:
- strictly separate data from control instructions, and never process control instructions received from untrusted sources;
- ensure all data is explicitly validated before processing and storage;
- identify sensitive entries in the customer data and define how they should be handled;
- never store passwords and access credentials in plain text;
- never commit access credentials to version control;
- avoid SQL injection (SQLi) attacks by validating and properly formatting all data from client-side requests to our servers before it is used in a database query.
In our team, we:
- work with reliable partners who value the privacy and security of the customer data;
- ensure all members of our team are well-instructed;
- conduct cybersecurity self-assessment regularly;
- perform regular software updates and code refactoring as a part of our product development lifecycle;
- enforce two-factor authentication on key corporate resources.
6.2 Privacy & Confidentiality
- we implement a strict policy on who can access personal data;
- we minimize personal data collection to only what is needed for the provision of the service;
- we keep personal data confidential and never share it with any third party without the user’s consent;
- we only use the personal information we collect for the purpose for which we collected it;
- we provide a transparent, clean, user-friendly, and understandable Privacy Policy;
- only designated members of our team have access to customer data.
6.3 Reliability
- we use AWS, a trusted and certified cloud computing provider (https://aws.amazon.com/security/?nc1=f_cc);
- if the system detects a problem with one of the computing nodes, it proactively launches the application on a new computing node, so that it is restored to a running and accessible state;
- we guarantee 99.5% service uptime;
- we automatically back up our customer data.
7. How Long Do We Keep Your Personal Data?
Generally, we will retain your personal data for as long as necessary to fulfill the specific purpose we collected it for, including the purpose of satisfying any legal, accounting, and reporting requirements and our legitimate interests. For example, most of your data will be retained up to 3 years after the end of the business relationship with us. However, we may need to keep certain information (e.g., payment information) for longer in order to comply with our legal obligations.
In certain cases, the authorities may require us to store the personal data longer if they deem it necessary (e.g., in case of an ongoing investigation).
You may send us a request to delete your personal data using the form specified in the Contact Information section. We will consider it and delete your data if none of the above grounds obliging us to keep it longer apply.
8. Your Rights
8.1 EEA Residents’ Rights
If you are a resident of the EEA, with regards to our collection and processing of your personal data, under the GDPR you have the right to (subject to applicable exceptions):
- Obtain confirmation from us as to whether we process your personal data.
- Access your personal data processed by HelloBiome.
- Correct your personal data.
- Withdraw consent and remove your personal data we collected on the basis of your consent (e.g., to opt out from marketing communications from us).
- Obtain restriction of processing, for instance, where you contest the accuracy of your personal data for a period enabling us to verify the accuracy of the personal data.
- Have your personal data transmitted directly from one controller to another, where technically feasible and when doing so does not adversely affect the rights and freedoms of others.
- Obtain erasure of your personal data under certain circumstances. See more information about our data retention obligations in the section “How long do we keep your personal data” above.
- Object to our processing of your personal data, when the processing is related to the performance of a task carried out in the public interest or the exercise of official authority vested in us.
If you wish to make use of any of the above rights, please contact us stating your name and question related to any of the above rights at the contact details provided in Section 11 of the Privacy Policy.
HelloBiome will endeavor to provide you with information on the actions it has taken on your request related to your rights, specified above, within 1 (one) month of receipt of the request. That period may be extended by 2 (two) further months if the request is complex, or if HelloBiome is in the process of resolving a large number of requests. We will inform you if any such extension is required within 1 (one) month of receipt of the request, together with the reasons for the delay.
8.2 California Residents’ Privacy Rights
Pursuant to the California Consumer Privacy Act (the “CCPA”) as amended by the California Privacy Rights Act, this section applies to certain personal data collected about California individuals where HelloBiome controls how and why the personal data is processed (which the CCPA calls a “business”) and supplements the rest of our Policy above.
The CCPA requires that we detail the categories of personal information that we disclose for certain “business purposes”, such as to service providers that assist us with securing our services or marketing our products, and to such other entities. We collect personal information for business and commercial purposes as described in the “Purposes for which we use personal data” section above. We share this information as described in the “How do we share your personal data?” section below.
We do not knowingly sell or share any personal data of minors under the age of 16. We do not collect or process “sensitive personal information”, as defined by the CCPA, to infer characteristics about you.
Subject to legal limitations, California residents may have the below rights:
- Right to know. You have the right to request information about the categories of personal data we have collected about you, the categories of sources from which we collected the personal data, the purposes for collecting the personal data, the categories of third parties to whom we have disclosed your personal data and the purpose for which we disclosed your personal data. You may also request information about the specific pieces of personal data we have collected about you.
- Right to delete. You have the right to request that we delete personal data that we have collected from you.
- Right to correct. You have the right to request that we correct inaccurate personal data that we maintain about you.
- Right to opt out of sale or sharing. We do not sell personal data to third parties in exchange for money. You may still email us using the information below to exercise your right to opt out of the sale under applicable law.
California residents may make a request pursuant to their rights under the CCPA by contacting us at the contact details provided in Section 11 of the Privacy Policy. We will verify your request using the information associated with your account, including your email address. Government identification may be required. You can also designate an authorized agent to exercise these rights on your behalf. Authorized agents must submit proof of authorization.
9. How Do We Share Your Personal Data?
We do not share your personal information with third parties, except as described in this Privacy Policy.
HelloBiome does not share any health-related information (i.e., data concerning health, beauty, skin, lifestyle, conditions of the specific body area), microbiome-related information (i.e., data about the absolute abundance of the fungi and bacteria detected in the test sample), data revealing ethnic origin or other special categories of personal data (as defined in Art. 9(1) GDPR) in association with personal data without the explicit consent of the Data Subject.
All personal data is de-identified before sharing. Consent may be collected where sharing of data that contains identifiers is required to provide personalized Services. De-identified test results are shared for research projects and for projects in which the Data Subjects have provided their consent, in order to improve our Services.
The Clients of the HelloBiome White-Label Platform may have access to the personal data because in this case, the Data Subjects directly interact with the Client’s brand while HelloBiome conducts data processing. The Clients in this case will be the controllers of the data and HelloBiome may be both a processor and a controller of the data.
HelloBiome may engage service providers and partners to assist with the delivery of the Services:
Category | Purpose |
---|---|
Support/communication tools | – Email/messengers communication – Internal communication and task management – Social media management |
Hosting providers | – Hosting of personal data – File storage – DNS management |
IT service providers | – IT outsourcing – Monitoring and access to cloud services – Storage/Backup – Design – E-signature |
CRM | – Automation of customer support processes |
Analytics | – Product analytics – Marketing analytics and reporting |
Payment service providers | – Payment processing – Application logs for the payment system – Payrolls – Accounting |
Ad service providers | – Advertising |
Clients | – Fulfilment of microbiome test kits and test routine products (concerns contact details only) |
Fulfilment Partners | – Fulfilment of microbiome test kits and test routine products (concerns contact details only) |
Other | – Accounting – Participant Recruitment Services – End-user Support – Shipment – Laboratory(-ies) Analysis |
In case your personal data is provided to service providers outside the EEA and where applicable, we will implement appropriate safeguards to protect your personal data, including Standard Contractual Clauses as adopted by the European Commission. Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA. Moreover, HelloBiome requires its service providers to implement appropriate security measures to ensure the protection of your personal data in accordance with applicable data protection legislation.
In other cases, we may disclose your personal data:
- to the relevant government agencies and regulatory authorities when required by the applicable laws;
- with affiliates and subsidiaries within the HelloBiome entities, which includes parent and ultimate holding companies, affiliates, subsidiaries, business units, and other companies that we acquire in the future after they are made part of the HelloBiome entities;
- in the event of any merger, acquisition, sale, or change of control or a similar transaction or proceeding;
- with professional advisors, such as lawyers, accountants, and auditors;
- if you have consented to the disclosure;
- to establish, exercise or defend legal claims.
10. Privacy Policy Updates
HelloBiome may update this Privacy Policy from time to time. In the event we materially change this Privacy Policy, including how we collect, process, or use your personal information, we will notify you by means of the publication of the updated Privacy Policy on our Website or by any other acceptable means.
11. Contact Information
If you have questions about this Privacy Policy or our privacy practices, or if you are seeking to exercise any of your rights, you may contact us at:
Mailing Address | ELSI Skin Health, Inc., 181 2nd St, San Francisco, CA 94105 USA |
Email if your request relates to Dr. Elsa Jungman (*.dr-ej.com) products and Dr. Elsa Jungman’s microbiome test kits. | [email protected] |
Email if your request relates to HelloBiome (*.hellobio.me) products and services, as well as client-branded microbiome test websites (you may also use the contact information provided by the Client website). | [email protected] |
Online form if you want to exercise your data rights (DSR form) | https://hellobio.me/privacy/data-requests |
If you are a resident of the EEA, you have the right to lodge a complaint with the data protection supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement.