Website Privacy Policy

Privacy Policy Statement 

We, at Bio-Me, thank you for entrusting us with your personal information; your right to privacy is of the utmost importance to us.  Our privacy policy explains how we look after your personal data and it also details your privacy rights and how the law protects you. 

 

Privacy Policy – Summary 

When you purchase our products or services, send us inquiries, or actively give consent for us to send you marketing material, we will collect, store and use your personal data such as your name, surname, email address and other similar types of identifying information. It is our responsibility to fulfil a range of legal obligations, all aimed at protecting your right to privacy. These include: only processing the minimal amount of personal data that we need; keeping your personal data secure, up-to-date and accurate; and informing you clearly of exactly what we will do with your personal data, what our justification is, how long we will store and use your personal data and how you can ‘opt out’ (unsubscribe), should you wish to.

The following is a detailed description of our privacy policy.  We ask that you read it carefully as it contains important information on who we are, how and why we collect, store, use and share your personal data, your rights in relation to your personal data and how to contact us and supervisory authorities, in the event that you wish to lodge a complaint. 

 

Privacy Policy – Detailed Description 

Who are we? 

We, Bio-Me, are a Norwegian biotechnology company that operates B2B to sell our Precision Microbiome Profiling (PMP™) solutions (entailing products and services) for microbiome profiling.   

We are both ‘data controller’ and ‘data processor’ 

 

For sales, marketing, customer communications and transactions: we collect, store and use personal data, and we are responsible as ‘data controller’ and ‘data processor’.

For sample processing, we are ‘data processor’ because we deal with pseudonymized health data; a unique barcode denotes a sample/result but we do not possess the bridge that connects these data to the person from which the sample derives.  The bridge is owned by a separate business (i.e. any of our clients) – they are ‘data controller’.

We are regulated under the Norwegian Data Protection Authority. We are also bound by the EU’s GDPR regulations.

 

Our contact details: 

 

Email: info@bio-me.com 

Address: 

Bio-Me 

Oslo Science Park 

Gaustadalléen 21 

N-0349 Oslo 

Norway 

 

Phone: +47 21090302 

 

Which Personal Data do we collect? 

 

Personal data means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (i.e. anonymous data). For example, our samples/sample results are processed with only a unique, meaningless barcode; we do not connect personal data such as name, address, etc. to our samples/sample results.

We may collect, store (in our ‘customer relations manager’ system (CRM)), use and transfer different kinds of personal data about you as follows: 

  • Identity data includes first name, middle name, last name, title (e.g., Dr, Prof, Mr, Mrs, etc), business or institute name. 
  • Contact data includes email address, telephone number(s), and in certain cases your website URL. 
  • Financial data includes shipping address, billing address, and details needed to issue an invoice for our services. 
  • Transaction data includes details about payments to and from you and other details of services you have engaged from us. 
  • Profile data includes your focus area in the microbiome field (e.g., gut, skin, vaginal, etc.), and your website URL if relevant.
  • Marketing and Communications data includes your preferences in receiving marketing from us and your communication preferences (e.g., whether you prefer email or phone). We register in our CRM system whether you have opted in or not for receiving marketing related information, and this is recorded as a ticked box in our CRM.  You may opt out at any time, in which case we would untick the box, to denote ‘opted-out’ for marketing.
  • Professional/career data includes your CV (which will contain identity and contact data, plus profile data and career history), in the case you have applied for a job with us. 

 

How do we collect your personal data? 

 

We use different methods to collect data from and about you, including via: 

 

Direct interactions: You may give us your identity, contact and financial data needed for invoicing by filling in forms or by corresponding with us via post, phone, email, LinkedIn or otherwise. This includes personal data you provide when you: 

  • Apply for our products or services online via our website contact form, or via one of our LinkedIn campaigns. (You may additionally consent to receive marketing.)
  • Apply for a job with us via our website contact form. (Further communication via email may involve collection and storage of your CV). 
  • Meet our team physically at a conference or event and fill in a paper form with your personal data, giving consent for us to contact you (and you may additionally consent to receive marketing). 
  • Meet us via LinkedIn and consent to contact via email, and you provide us with your email address. 
  • Subscribe to receive marketing from us (by ticking the ‘marketing’ box in our online form or requesting or consenting to receive marketing via email). 
  • Contact us directly via email for transactional purposes, such as to buy a product/service, or to ask for product information or a meeting. 

Publicly available sources: We may obtain identity, contact and profile data through online publicly available sources, for example corporate websites, corporate profile sites such as LinkedIn, research institutions such as universities and hospitals, conferences and peer-reviewed publications accessed via PubMed.

Why do we process your personal data? (lawful basis) 

 

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances: 

  • Where you have given consent for us to contact you, for example at a conference, or during an interaction via LinkedIn, or you have consented to receiving direct marketing communications (by ticking the opt-in box in our online form, or by consenting via email in communication with us).   
  • Where it is necessary to perform the contract we are about to enter into, or have entered into with you. For example, when you agree to purchase our product(s) and/or service(s), or if you submit a CV for recruitment purposes. 
  • Where we need to comply with legal or regulatory obligations (e.g., maintaining financial records and compliance checks).  
  • Where it is necessary for our legitimate interests, where your privacy rights are concluded not to override those interests. Our legitimate interests involve primarily direct marketing, aimed to grow our business and present novel solutions that we think could be relevant for you. 

Below is a description of the ways we plan to use your personal data, and which of the legal bases we rely on to do so. Note that we may process your personal data for more than one lawful ground. 

Personal data processing for customer care and business transactions: 

When you click on ‘contact us’ on our website and fill in a message template, you are required to tick the box providing consent for us to store your name, email address (and if relevant – research focus) in our customer relations manager (CRM) system.  The purpose of this is for us to keep records of our interaction with you, so that we can optimize our customer service.  We log our email interactions with you in our CRM, connected to your personal contact details, to ensure optimal continuity of care when you communicate with us. The lawful basis of processing here is your consent. 

If we respond to a request by you to prepare a quote and/or sell you a product/service, we will need to collect, store and use your first name, surname, email address, business or institute name and physical address.  We may also collect, store and use your phone number. The lawful basis for processing here is necessity:  we need to collect, store and use the personal data, in order to fulfil our contract to you, be it to prepare your quote and/or sell and/or ship a product/service to you. (You will also have consented to this, because such a business transaction will be mutually agreed upon.) 

 

Personal data processing for marketing purposes: 

When you click on ‘contact us’ on our website or when you interact with us for a business transaction, you have the choice to decide whether or not you would like to ‘opt in’ to receive marketing.  This is purely optional and it is motivated by our desire to grow our business, share with you our new products and keep you updated about our offers and events. We may also contact you for market research purposes. If you do decide to opt in for marketing, we will tick a separate and specific box in your profile, in our CRM.  Marketing will occur via email, at a maximum of 4 times per year and the content will involve product information, brochures, event information, newsletters and/or questionnaires for market research. The lawful basis of processing here is consent.

In some cases we may contact you by email (direct marketing purposes) if we have met you in person at a conference, if we have had previous business communications with you, or if we have determined from our research of publicly available information that you (or your business/research organisation) might have interest in our services.  We may send a marketing email to you that includes a brief reminder about who we are, the reason we are contacting you and we will include an unsubscribe link at the bottom of the email, so that you may unsubscribe immediately, if you wish.  The lawful basis of processing for this situation will be a legitimate interest, where we have documented a balance test and concluded that there is a legitimate business reason for sharing our information and marketing material with you, and we have judged that the personal data of yours that we have processed is minimal in amount and time stored, and the potential negative impact on your privacy is judged to be outweighed by the potential positive benefits of you being informed about our marketing material.  You can obtain further information about how we assess our legitimate interests against any potential impact on you by contacting us. 

 

Opting out from marketing

You have the right to opt out from marketing. You may unsubscribe at any time by contacting us or by clicking on the unsubscribe button on the bottom of all our marketing emails.  Once we receive your request, we will unsubscribe you by unticking the ‘marketing’ box in your profile in our CRM, within 72 hours. 


Change of purpose

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.  If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.  


How do we use your personal data?

For customer care or transactional purposes: 

  • Keep records of our interactions with you in our CRM, to provide you with optimal customer care. 
  • Answer your enquiry or conduct a business transaction with you (e.g., prepare you a quote and/or sell a product or service to you). 
  • Inform and update you about your order or shipment. 
  • Enforce our terms, conditions and policies. 
  • Follow up and ask for your feedback after a business transaction (to ensure we can support you, act on any complaints and continuously improve our service to you). 
  • Follow up on a job application or interview (if you have expressed interest to work for us). 

For marketing: 

  • Send you marketing emails up to 4 times per year about new or existing products, special offers, events or other information that we think you may find interesting.   
  • Contact you for market research purposes. 

 

Who do we share your personal data with? 

We share your personal data with certain organisations who process information on our behalf, such as providers of software that we use for data management services. Those organisations are working for us and cannot use your personal information for their own purposes and will only use your personal information where requested by us and on terms consistent with this privacy policy and applicable data protection laws. We also share it with law enforcement or other authorities if required by applicable law.

We will not share your personal information with any other third party.   


International transfers
 

You have the right to request that we transfer your personal data out of the EEA. 

We may transfer your personal data to the USA to organisations who process information on our behalf, such as providers of software that we use for certain data management or e-mail marketing services. Such organisations are working for us and cannot use your personal information for their own purposes and will only use your personal information where requested by us and on terms consistent with this privacy policy and applicable data protection laws. 

If you are in the European Economic Area (being the European Union member states plus Norway, Iceland and Liechtenstein) (“EEA”), your Personal Information will only be transferred outside the EEA where either the transfer is to a country which the EU Commission has decided ensures an adequate level of protection for your personal information, or measures have been put in place to ensure adequate security as required by data protection laws. These measures include ensuring that your personal information is kept safe by carrying out security checks on these overseas partners and suppliers, backed by strong contractual undertakings approved by the relevant regulators such as the EU style model clauses. The EU Commission approved EU-US Privacy Shield may also be used when Personal Information is transferred to the US.

You can find out more information about standard contractual clauses as detailed by the ICO. Visit their website at ico.org.uk and search for ‘International transfers’. You can find out more information about the EU-US Privacy Shield by visiting https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/eu-us-privacy-shield_en

 

Data security 

We have appropriate security measures in place to prevent personal information from being accidentally lost, used or accessed in an unauthorised way. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality. 

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

 

How long will we retain your personal data?

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. General data retention periods are as follows (but this may vary in specific cases): 

  • By law we have to keep basic information about our customers including Contact, Identity, Financial and Transaction Data for 6 years after they cease being customers for tax and legal purposes.  
  • For pre-existing customers who have received a quote or product information but have not purchased anything, we will retain personal data for 3 years following the last communication. 
  • For direct marketing, where legitimate interest is the legal basis for personal data processing, and where the data subject is not a pre-existing customer, we will retain personal data for a maximum of 6 months following the first email, if there is no reply.
     

What are your rights? 

  • Fair processing and full transparency of how we collect, store and use your personal data.
  • Withdrawal of your consent to our use of your personal data. 
  • Access to your personal data. 
  • Correction of your personal data. 
  • Erasure of your personal data (in certain situations). 
  • Data transfer and portability – You have the right to receive your personal data in a structured, commonly used and machine-readable format and you have the right to transfer those data to a third party (in certain situations). 
  • Object at any time to processing of your personal data, such as for direct marketing. 
  • Otherwise restrict our processing of your personal data (in certain circumstances). 
  • Claim compensation for damages caused by our breach of any data protection laws.

How can you exercise your rights? 

Email, call or write to us (see above for our contact details). We will be very keen to help you. 

If you would like to unsubscribe from any marketing email, you can also click on the ‘unsubscribe’ button at the bottom of the marketing email. (We will unsubscribe you within 72 hours). 

 

How can you complain? 

We hope that we can resolve any query or concern you raise about our use of your personal data. 

The General Data Protection Regulation also gives you the right to lodge a complaint with a supervisory authority, in particular in the European Union (or European Economic Area) state where you work, normally live or where any alleged infringement of data protection laws occurred.

 

Will we change our privacy policy? 

We may change this privacy policy from time to time; when we do, we will inform you via our website. It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

This privacy policy was published on 23rd September, 2024.