Privacy policy

1. Introduction

Welcome to the Privacy Policy of Hyrax Biosciences Proprietary Limited (Registration No. 2015/155425/07) (“Hyrax Bio”, “us” or “we”) (“Privacy Policy”).

We create and provide software solutions accessed via https://exatype.com, https://exatype.co.za, http://hyraxbiosciences.com, https://hyraxbio.com, http://hyraxbiosciences.co.za, https://hyraxbio.co.za, https://sanger.exatype.com, https://ngs.exatype.com, https://analyzehiv.com, https://analysehiv.com, or https://analyzehiv.com/sanger, including any related domain name systems and sub-domains (“Platform”) that analyse DNA, and present the results of such DNA analysis in a clear, readable report (“Services”).

We take data privacy seriously and are committed to data protection in accordance with all relevant laws which, for purposes of this Privacy Policy, include the Protection of Personal Information Act 4 of 2013 (“POPI”), the Electronic Communications and Transactions Act 25 of 2002 (“ECTA”) and the General Data Protection Regulation EU 2016/679 (“GDPR”) (where the processing of information concerns individuals of the European Union). For the purposes of GDPR, we are a data processor but not a data controller.

This Privacy Policy (which must be read with our Terms of Use) sets out how we collect, use, store, record, disclose and destroy (“Process”) information.

We may amend this Privacy Policy from time to time, in line with changes required by legislation or our internal business operations.

Any reference in this Privacy Policy to “Personal Data” includes any data and/or information relating to an identified or identifiable natural or juristic person, including (by way of example only) a person’s name, identity number, or information relating to their medical, financial or criminal history.

The data that we Process may include:

  • individual Personal Data and other data collected by us through the Platform;
  • de-identified health information uploaded to the Platform by users (“Users”) of our Services (“Anonymised Data”);
  • any other Personal Data or other information that may be provided to us during the course and scope of conducting our Business and rendering the Services; and
  • de-identified DNA analysis reports presented by us in rendering the Services (“Reports”),

(collectively, “Data”).

Users of our Services warrant that all Anonymised Data shall be uploaded in a de-identified format that is not capable of being attributed to any individual once uploaded to the Platform. We will only ever use this Anonymised Data for purposes of preparing anonymised Reports and for contributing to anonymised disease or resistance surveillance.

Questions or concerns about this Privacy Policy should be directed to info@hyraxbio.com.

2. Security

We are committed to implementing appropriate structural, technical and other security measures to protect the integrity and confidentiality of Data. We protect and manage Data by Processing only Anonymised Data where possible, and by using electronic and computer safeguards such as firewalls, data encryption, and physical and/or electronic access control to our buildings. We may authorise access to Data to our employees and/or our consultants, but only where they require it to fulfil their designated responsibilities and only where such employees and/or consultants have been appropriately informed regarding the confidentiality of such Data.

Users of the Platform may be given an access number, username, password and/or personal identification number (“PIN”). Users are responsible for maintaining the secrecy and confidentiality of PINs. Should a User misplace these details or have them stolen, it is the User’s responsibility to inform us immediately by emailing us at support@hyraxbio.com.

We will take appropriate technical and organisational measures against the unauthorised or unlawful Processing of Personal Data and against the accidental loss or destruction of, or damage to, Personal Data. In the event of a breach of any Personal Data, Hyrax will notify the affected Users and the relevant supervisory authority (if it poses a threat to the rights and freedoms of natural persons) of the breach without undue delay and no later than 72 hours after becoming aware of the breach.

3. Collecting data

3.1 Methods of Collection

We collect Data as follows:

  • via interaction with our Platform, including application forms;
  • via communications with us;
  • from people or entities who provide Anonymised Data to make use of our Services; and
  • from other third parties related to our operations or within our business structure.

We may also record calls as may be required by law, or for quality checks, staff training, for purposes of fulfilling our contractual or legal obligations, or for other legitimate business purposes, but we will always inform the individual at the start of the call if it will be recorded.

The Anonymised Data we collect is health information that has been de-identified prior to being uploaded to the Platform and is used for the purpose of facilitating our Services offered through the Platform. This Anonymised Data does not contain Personal Data, and can therefore not be linked to a specific person. The User is responsible, and warrants in favour of Hyrax, that no Personal Data shall be uploaded to the Platform which may link an individual to the health information submitted to the Platform.

3.2 Tracking

We do not use cookies to track your use of our Platform or any other internet use. We do however use HTML5 local storage to store information that maintains your active session on our Platform.

When you use our Platform, we may automatically collect and record certain de-identified information on our server logs from your browser. This information may include your location, Internet Protocol address, domain names, your approximate geographical information and/or a record of the page you requested. This is statistical data about browsing actions and patterns. We may also obtain information about your usage of our platform by using a local storage file which is stored on the hard drive of your computer.

4. Use of your information

4.1 Information we hold

We may generally store and use the following Personal Data of Users (depending on the reason we collected the information):

  • name and surname;
  • phone numbers, email address;
  • organisation for which you work;
  • approximate geographical information; and
  • IP address and/or tracking information.

We may also store and use the following Data (depending on the reason we collected the information):

  • Anonymised Data;
  • Reports;
  • any other information which we reasonably need to perform our duties for purposes of marketing to Users and potential Users of the Services, but only where the User or potential User has given their consent and has the opportunity to opt-out of such marketing communication;
  • any information required by us to perform our legal or contractual obligations; and
  • information required to register an account, or fulfil our regulatory and other business obligations.

4.2 Information about children and special personal information

We do not intentionally Process Data of children without the consent of their parents or legal guardians. Anonymised Data uploaded to the Platform by Users shall be uploaded without any reference to the Data subject’s identity. When uploading Anonymised Data, the User undertakes to ensure that all information relating to the Data subject, which may include children, is properly de-identified, and shall only be submitted with the requisite consents.

We do not intend to Process any “special personal information” (as defined in POPI) about you, which includes political, religious or health-related information, except if:

  • we are under a legal obligation to do so;
  • we receive your consent; or
  • we are otherwise legally allowed to Process it.

We do, however, Process the Anonymised Data in the course of our business operations. The User shall be responsible for ensuring that this information is not capable of identifying any Data subject, cannot be used or manipulated by a reasonably foreseeable method to identify any Data subject once uploaded to the Platform, was obtained legally, and cannot be linked by any reasonably foreseeable method to other information that identifies the Data subject once uploaded to the Platform. We cannot be held liable for the Processing of Personal Data as a result of a User’s failure to correctly de-identify the Anonymised Data.

4.3 Information we share

We will keep Data confidential and will only share it with others for the purposes set out in this Privacy Policy. We have trusted relationships with carefully selected third parties who perform services on our behalf. All service providers are bound by contract to maintain the security of Data and to use it only to the extent and for the purposes permitted by us.

Subject to this Privacy Policy, we may share Data with:

  • our affiliates, in which case we will ensure that our affiliates abide by the provisions of this Privacy Policy;
  • any person or entity that we may use from time to time to assist us in collecting payments, recovering debts and/or providing technical or other services on our behalf;
  • any person or entity that we may use from time to time to provide us with products or services, and/or delivery of those products or services (and who reasonably require access to your information);
  • any payment gateway we may use. We cannot guarantee the security measures of such payment gateways, and it is therefore your responsibility to ensure that you have reviewed the policies of such payment gateways prior to making a payment over such gateways;
  • regulatory and governmental authorities, ombudsmen, or other authorities, including tax authorities, if we are requested by them to do so; and
  • any other third party, if we are legally obliged or entitled to do so.

Notwithstanding the above, no “health data” as defined in GDPR will be shared with any third party prior to it being de-identified and anonymised.

4.4 How we use Data

We undertake to only Process Data insofar as it is adequate, relevant and not excessive for the purposes set out below.

We have adopted the following principles with regard to the Processing of Data:

  • we only Process Data in a lawful, fair and transparent manner;
  • we only collect Personal Data for specified and legitimate purposes;
  • the Personal Data that we collect is limited to what is relevant and necessary for the purpose for which it is Processed;
  • to the extent that we can, we will ensure that we keep Personal Data accurate, up to date and complete, and furthermore ensure that all inaccurate and incomplete information is rectified or deleted;
  • we will only store Personal Data for as long as is necessary for the purposes for which the Data is collected; and
  • we will only Process Personal Data in a manner that ensures the appropriate security of such Personal Data.

Furthermore, we may use Data specifically to:

  • perform our legal or contractual duties or enforce our contractual or legal rights;
  • carry out, monitor and analyse our business;
  • contact Users by email, SMS, letter, telephone or in any other way about our products and Services (unless you inform us that you prefer not to receive marketing communications, in which case you may opt-out by clicking the “unsubscribe” link on any correspondence received from us);
  • identify or prevent fraud and money laundering;
  • carry out market research, business and statistical analysis;
  • carry out audits;
  • perform other administrative and operational tasks including the testing of our Platform; and
  • comply with our regulatory or other obligations.

Data may also be used for other purposes for which the Data subject has consented.

If specifically consented to by your organisation’s administrator, Anonymised Data may be collated and uploaded to the Platform and may be shared with third parties such as surveillance agencies and affiliates (for research and disease surveillance purposes only).

4.5 Data Subject Rights

Data subjects have the following rights in respect of their Personal Data:

  • right of access, which includes the right to request a copy of the Personal Data that we hold about a Data subject (which request may be subject to a reasonable administrative fee);
  • right of rectification, which allows the Data subject to request that the Personal Data we hold about them be corrected;
  • right to be forgotten, which allows the Data subject to request that the Personal Data we hold about them be erased in circumstances where such erasure is permissible (which request may be subject to a reasonable administrative fee);
  • right of portability, which includes the right to have the Personal Data that we hold about a Data subject transferred to a third party;
  • right to object to certain types of Processing, for instance, to direct marketing, and to object to automatic Processing or profiling of Data;
  • right to judicial review, which includes the right to complain to any relevant authority regarding our use of Personal Data; and
  • right to withdraw their consent to us for Processing Personal Data.

5. Access to personal data

Requests for Personal Data of a Data subject should be directed to info@hyraxbio.com. Any administration fees associated with this request will be disclosed in advance, and shall always be reasonable.

6. Retention of data

We retain Data in accordance with required retention periods in law and for our legitimate business purposes. We will however only retain Data for the purposes explicitly set out in this Privacy Policy. Should we keep Data longer than is strictly necessary for purposes of conducting our business or complying with our legal obligations, we will either de-identify the Data, or keep it for statistical purposes only.

We will never sell Personal Data without consent.

7. Breach

We will report any security breach to the Information Regulator (or other relevant body), and the individuals or companies involved. Suspected Data breaches should be notified to us immediately by sending an email to support@hyraxbio.com.

8. Limitation

We are not responsible for, give no warranties, nor make any representations in respect of the privacy policies or practices of linked or any third party websites.

9. Transborder flow of information

Some of our Services are hosted ‘in the cloud’, in which case certain Data will travel across country borders. We will only transfer Data transborder for purposes of fulfilling our legal or contractual obligations, performing the Services, or as otherwise set out in this Privacy Policy.

Personal Data shall only be transferred to, or hosted by, recipients who are subject to laws, binding corporate rules or agreements, that provide an adequate level of protection that upholds principles for processing of information that are substantially similar to those principles as set out in POPI and GDPR.

Version 2.0.1

Updated 2 September 2019