Welcome to the My Personal Therapeutics website, owned and operated by My Personal Therapeutics LTD, incorporated in England and Wales under company number 11520777, with registered address Unit 3, Part First Floor, The Westworks, White City Place, 195 Wood Lane, London, United Kingdom, W12 7FQ (“MPT”, “us”, “we”, or “our”).
We collect, use and are responsible for certain personal information about you. When we do so we are subject to the General Data Protection Regulation, which applies across the European Union (including in the United Kingdom) and we are responsible as ‘controller’ of that personal information for the purposes of those laws.
Personal information we collect about you
Please be advised that before we can provide the PDP Services, you may be asked to provide intake forms which request personal information, such as medical and demographic information (“Personal Information”).
You will also be asked to provide an email address so that we may contact you about the PDP Service that you have subscribed to.
How your personal information is collected
How and why we use your personal information
Under data protection law, we can only use your personal information if we have a proper reason for doing so, eg:
• to comply with our legal and regulatory obligations;
• for the performance of our contract with you or to take steps at your request before entering into a contract;
• for our legitimate interests or those of a third party; or
• where you have given consent.
A legitimate interest is when we have a business or commercial reason to use your information, so long as this is not overridden by your own rights and interests. For example, our collection of your email address is necessary for our legitimate interest in communicating with our users about the PDP Service and their PDP Results, and we rely on this as a lawful basis to use and process your email address for correspondence related to the PDP Services. For use of your email address for direct marketing purposes, please see the section below ‘Promotional Communications’.
Special categories of Personal Information
The Personal Information we request from you may include, but is not limited to, age, ethnicity, diagnosis, disease history, medical test results, medical treatments, genetic information and data and previous responses to treatments. Under the applicable data protection legislation, this information is known as special categories of data, also referred to as sensitive data.
As this information contains special categories of data, we ask for your explicit consent prior to collection, which we rely on as a lawful basis to use and process this information.
Please note that you are able to object to processing of special categories of personal data at any time, and can withdraw your consent to the processing of this data at any time by contacting us. Please note that if you withdraw your consent to our processing of your special categories of personal data, then this will impact the quality of the PDP Services we are able to supply to you.
You are responsible for providing accurate and complete Personal Information in order to allow provision of the PDP Services. The PDP Services will depend on the accuracy and completeness of the Personal Information that you submit. Accordingly, you hereby certify that all information you provide in the PDP Service will be accurate and complete to the best of your knowledge.
Use of Your Personal Information
By creating an Account, you hereby grant and will grant MPT and its affiliated companies a nonexclusive, worldwide, royalty free, fully paid up, transferable, sublicenseable, perpetual, irrevocable license to copy, display, transmit, distribute, store, modify and otherwise use your de-identified, anonymised and aggregated Personal Information in connection with research and commercial purposes, including but not limited to development, operation, advertising or marketing of the PDP Services, in any form now known or later developed. De-identified, anonymised and aggregated Personal Information means information whereby it is no longer possible to identify you personally, and so such information is no longer covered by the provisions of the applicable data protection legislation provided it remains in an anonymous format.
We may use your personal information to send you updates (by email, text message, telephone or post) about our products and services including exclusive offers, promotions or new products and services.
We have a legitimate interest in processing your personal information for promotional purposes (see above ‘How and why we use your personal information’). This means we do not usually need your consent to send you promotional communications. However, where consent is needed, we will ask for this consent separately and clearly.
We will always treat your Personal Information with the utmost respect and never sell it with other organisations outside the MPT entities for marketing purposes.
You have the right to opt out of receiving promotional communications at any time by:
using the ‘unsubscribe’ link in emails; or
• updating your marketing preferences on the MPT Website
We may ask you to confirm or update your marketing preferences if you instruct us to provide further products or services in the future, or if there are changes in the law, regulation, or the structure of our business.
How Long we Store Personal Information
We only keep your Personal Information for as long as it’s necessary for our original legitimate purpose for collecting the information and for as long as we have your permission to keep it. We will delete your Personal Information when you email us requesting deletion at email@example.com.
Please note that certain medical information is aggregated into statistics that are used in MPT’s algorithm, but this information does not identify individuals in any way.
Disclosure to Third Parties
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We use third parties such as Genewiz, Weill Cornell Qatar, Genatak, and Illumina. These third parties have access to data we share with their platforms.
The only other circumstances under which we would share your personal data are:
• If the third party is a member of our group (which means any subsidiaries or ultimate holding company and its subsidiaries).
• In the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets.
• If MPT or substantially all of its assets are acquired by a third party, in which case personal data will be one of the transferred assets and the purchaser will be permitted to use the data for the purposes for which it was originally collected by us.
Where your personal information is held
Personal Information may be held at our offices and those of the other MPT entities, third party agencies, service providers, representatives and agents as described above (see above: ‘Disclosure to Third Parties’).
Some of these third parties may be based outside the European Economic Area. For more information, including on how we safeguard your personal information when this occurs, see below: ‘Transferring your personal information out of the EEA’.
Transferring your personal information out of the EEA
To deliver services to you, it is sometimes necessary for us to share your personal information outside the EEA, eg:
• to the MPT entities and offices outside of the EEA;
• with your and our service providers located outside the EEA; or
• if you are based outside the EEA.
These transfers are subject to special rules under European and UK data protection law.
Sometimes, non-EEA countries do not have the same data protection laws as the United Kingdom and EEA. We will, however, ensure the transfer complies with data protection law and all personal information will be secure. Our standard practice is to use standard data protection contract clauses that have been approved by the European Commission. To obtain a copy of those clauses, please contact us.
If you would like further information please contact us (see ‘How to contact us’ below).
Keeping your personal information secure
We have appropriate security measures to prevent personal information from being accidentally lost, or used or accessed unlawfully. We limit access to your personal information to those who have a genuine business need to access it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.
Personal Information collected through the PDP Service will be stored on a secure server and subject to applicable laws, rules, regulations, and guidelines relating to the handling of Personal Information. However, please note that the transmission of information via the internet is not completely secure and we cannot guarantee the security of data transmitted to our website; any transmission is at your own risk. Once we have received your information, we use strict procedures and security features described above to try to prevent unauthorised access.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
If you want detailed information from Get Safe Online on how to protect your information and your computers and devices against fraud, identity theft, viruses and many other online problems, please visit www.getsafeonline.org. Get Safe Online is supported by HM Government and leading businesses.
Your Rights Under the GDPR
We will ensure that your personal data is processed lawfully, fairly, and transparently and that it will only be processed if at least one of the following bases applies:
• You have given your clear consent to the processing of your personal data for a specific purpose.
• Processing is necessary for the performance of a contract to which you are a party (or for us to take steps at your request prior to entering into a contract with you).
• Processing is necessary for our compliance with the law.
• Processing is necessary to protect someone’s life.
• Processing is necessary for us to perform a task in the public interest or in the exercise of official authority and the task/function has a clear basis in law.
• Processing is necessary for our legitimate interests or the legitimate interests of a third party, except where there is a good reason to protect your personal data which overrides those legitimate interests, such as allowing us to effectively and efficiently manage and administer the operation of our business, maintaining compliance with internal policies and procedures, monitoring the use of our copyrighted materials, offering optimal, up-to-date security and obtaining further knowledge of current threats to network security in order to update our security.
Under the GDPR, EU citizens have the right to:
• Withdraw your consent to the processing of your personal data at any time. Please note, however, that we may still be entitled to process your personal data if we have another legitimate reason for doing so (such as to comply with a legal obligation).
• Be informed of what data we hold and the purpose for processing the data, as a whole or in parts.
• Be forgotten and, in some circumstances, have your data erased by ourselves and our affiliates (although this is not an absolute right and there may be circumstances where you ask us to erase your personal data but we are legally entitled to retain it).
• Correct or supplement any information we hold about you that is incorrect or incomplete.
• Restrict processing of the information we hold about you (for example, so that inaccuracies may be corrected—but again, there may be circumstances where you ask us to restrict processing of your personal data but we are legally entitled to refuse that request).
• Object to the processing of your data.
• Obtain your data in a portable manner and reuse the information we hold about you.
• Challenge any data we use for the purposes of automated decision-making and profiling (in certain circumstances—as above, there may be circumstances where you ask us to restrict our processing of your personal data but we are legally entitled to refuse that request).
• Complain to a supervisory authority (e.g. the Information Commissioner’s Office (ICO) in the UK) if you think any of your rights have been infringed by us.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights) unless your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
You have the right to ask us not to process your personal data for marketing purposes. We will get your express opt-in consent before we use your data for such purposes or share your personal data with any third parties for such purposes, but you can exercise your right to prevent such processing by contacting us at firstname.lastname@example.org or by unsubscribing using the links contained in the marketing emails.
You may revoke your consent for us to use your personal data as described in these terms at any time by emailing us at email@example.com, and we will delete your data from our systems. To enforce any of the above rights, please contact us at firstname.lastname@example.org.
How to complain
We hope that we can resolve any query or concern you may raise about our use of your information. and we would appreciate the chance to address your concerns directly before contacting any supervisory authority.
However, you right to lodge a complaint with a supervisory authority, in particular in the European Union or EEA state where you work, normally live or where any alleged infringement of data protection laws occurred. The supervisory authority in the UK is the Information Commissioner who may be contacted at https://ico.org.uk/concerns or telephone: 0303 123 1113.
This privacy notice was published on August 1, 2019 and last updated on October 28, 2019. We may change this privacy notice from time to time—when we do we will inform you via the MPT Website. Please ensure you are always up to date of the most-current version.
How to contact us