We create and provide software solutions accessed via https://exatype.com, https://exatype.co.za, http://hyraxbiosciences.com, https://hyraxbio.com, http://hyraxbiosciences.co.za, https://hyraxbio.co.za, https://sanger.exatype.com, https://ngs.exatype.com, https://analyzehiv.com, https://analysehiv.com, or https://analyzehiv.com/sanger, including any related domain name systems and sub-domains (“Platform”) that analyse DNA, and present the results of such DNA analysis in a clear, readable report (“Services”).
The data that we Process may include:
- individual Personal Data and other data collected by us through the Platform;
- de-identified health information uploaded to the Platform by users (“Users”) of our Services (“Anonymised Data”);
- any other Personal Data or other information that may be provided to us during the course and scope of conducting our Business and rendering the Services; and
- de-identified DNA analysis reports presented by us in rendering the Services (“Reports”),
Users of our Services warrant that all Anonymised Data shall be uploaded in a de-identified format that is not capable of being attributed to any individual once uploaded to the Platform. We will only ever use this Anonymised Data for purposes of preparing anonymised Reports and for contributing to anonymised disease or resistance surveillance.
We are committed to implementing appropriate structural, technical and other security measures to protect the integrity and confidentiality of Data. We protect and manage Data by Processing only Anonymised Data where possible, and by using electronic and computer safeguards such as firewalls, data encryption, and physical and/or electronic access control to our buildings. We may authorise access to Data to our employees and/or our consultants, but only where they require it to fulfil their designated responsibilities and only where such employees and/or consultants have been appropriately informed regarding the confidentiality of such Data.
Users of the Platform may be given an access number, username, password and/or personal identification number (“PIN”). Users are responsible for maintaining the secrecy and confidentiality of PINs. Should a User misplace these details or have them stolen, it is the User’s responsibility to inform us immediately by emailing us at firstname.lastname@example.org.
We will take appropriate technical and organisational measures against the unauthorised or unlawful Processing of Personal Data and against the accidental loss or destruction of, or damage to, Personal Data. In the event of a breach of any Personal Data, Hyrax will notify the affected Users and the relevant supervisory authority (if it poses a threat to the rights and freedoms of natural persons) of the breach without undue delay and no later than 72 hours after becoming aware of the breach.
3. Collecting data
3.1 Methods of Collection
We collect Data as follows:
- via interaction with our Platform, including application forms;
- via communications with us;
- from people or entities who provide Anonymised Data to make use of our Services; and
- from other third parties related to our operations or within our business structure.
We may also record calls as may be required by law, or for quality checks, staff training, for purposes of fulfilling our contractual or legal obligations, or for other legitimate business purposes, but we will always inform the individual at the start of the call if it will be recorded.
The Anonymised Data we collect is health information that has been de-identified prior to being uploaded to the Platform and is used for the purpose of facilitating our Services offered through the Platform. This Anonymised Data does not contain Personal Data, and can therefore not be linked to a specific person. The User is responsible, and warrants in favour of Hyrax, that no Personal Data shall be uploaded to the Platform which may link an individual to the health information submitted to the Platform.
When you use our Platform, we may automatically collect and record certain de-identified information on our server logs from your browser. This information may include your location, Internet Protocol address, domain names, your approximate geographical information and/or a record of the page you requested. This is statistical data about browsing actions and patterns. We may also obtain information about your usage of our Platform by using a local storage file which is stored on the hard drive of your computer.
4. Use of your information
4.1 Information we hold
We may generally store and use the following Personal Data of Users (depending on the reason we collected the information):
- name and surname;
- phone numbers, email address;
- organisation for which you work;
- approximate geographical information; and
- IP address and/or tracking information.
We may also store and use the following Data (depending on the reason we collected the information):
- Anonymised Data;
- any other information which we reasonably need to perform our duties for purposes of marketing to Users and potential Users of the Services, but only where the User or potential User has given their consent and has the opportunity to opt-out of such marketing communication;
- any information required by us to perform our legal or contractual obligations; and
- information required to register an account, or fulfil our regulatory and other business obligations.
4.2 Information about children and special personal information
We do not intentionally Process Data of children without the consent of their parents or legal guardians. Anonymised Data uploaded to the Platform by Users shall be uploaded without any reference to the Data subject’s identity. When uploading Anonymised Data, the User undertakes to ensure that all information relating to the Data subject, which may include children, is properly de-identified, and shall only be submitted with the requisite consents.
We do not intend to Process any “special personal information” (as defined in POPI) about you, which includes political, religious or health-related information, except if:
- we are under a legal obligation to do so;
- we receive your consent; or
- we are otherwise legally allowed to Process it.
We do, however, Process the Anonymised Data in the course of our business operations. The User shall be responsible for ensuring that this information is not capable of identifying any Data subject, cannot be used or manipulated by a reasonably foreseeable method to identify any Data subject once uploaded to the Platform, was obtained legally, and cannot be linked by any reasonably foreseeable method to other information that identifies the Data subject once uploaded to the Platform. We cannot be held liable for the Processing of Personal Data as a result of a User’s failure to correctly de-identify the Anonymised Data.
4.3 Information we share
- any person or entity that we may use from time to time to assist us in collecting payments, recovering debts and/or providing technical or other services on our behalf;
- any person or entity that we may use from time to time to provide us with products or services, and/or delivery of those products or services (and who reasonably require access to your information);
- any payment gateway we may use. We cannot guarantee the security measures of such payment gateways, and it is therefore your responsibility to ensure that you have reviewed the policies of such payment gateways prior to making a payment over such gateways;
- regulatory and governmental authorities, ombudsmen, or other authorities, including tax authorities, if we are requested by them to do so; and
- any other third party, if we are legally obliged or entitled to do so.
Notwithstanding the above, no “health data” as defined in GDPR will be shared with any third party prior to it being de-identified and anonymised.
4.4 How we use Data
We undertake to only Process Data insofar as it is adequate, relevant and not excessive for the purposes set out below.
We have adopted the following principles with regard to the Processing of Data:
- we only Process Data in a lawful, fair and transparent manner;
- we only collect Personal Data for specified and legitimate purposes;
- the Personal Data that we collect is limited to what is relevant and necessary for the purpose for which it is Processed;
- to the extent that we can, we will ensure that we keep Personal Data accurate, up to date and complete, and furthermore ensure that all inaccurate and incomplete information is rectified or deleted;
- we will only store Personal Data for as long as is necessary for the purposes for which the Data is collected; and
- we will only Process Personal Data in a manner that ensures the appropriate security of such Personal Data.
Furthermore, we may use Data specifically to:
- perform our legal or contractual duties or enforce our contractual or legal rights;
- carry out, monitor and analyse our business;
- contact Users by email, SMS, letter, telephone or in any other way about our products and Services (unless you inform us that you prefer not to receive marketing communications, in which case you may opt-out by clicking the “unsubscribe” link on any correspondence received from us);
- identify or prevent fraud and money laundering;
- carry out market research, business and statistical analysis;
- carry out audits;
- perform other administrative and operational tasks including the testing of our Platform; and
- comply with our regulatory or other obligations.
Data may also be used for other purposes for which the Data subject has consented.
If specifically consented to by your organisation’s administrator, Anonymised Data may be collated and uploaded to the Platform and may be shared with third parties such as surveillance agencies and affiliates (for research and disease surveillance purposes only).
4.5 Data Subject Rights
Data subjects have the following rights in respect of their Personal Data:
- right of access, which includes the right to request a copy of the Personal Data that we hold about a Data subject (which request may be subject to a reasonable administrative fee);
- right of rectification, which allows the Data subject to request that the Personal Data we hold about them be corrected;
- right to be forgotten, which allows the Data subject to request that the Personal Data we hold about them be erased in circumstances where such erasure is permissible (which request may be subject to a reasonable administrative fee);
- right of portability, which includes the right to have the Personal Data that we hold about a Data subject transferred to a third party;
- right to object to certain types of Processing, for instance, to direct marketing, and to object to automatic Processing or profiling of Data;
- right to judicial review, which includes the right to complain to any relevant authority regarding our use of Personal Data; and
- right to withdraw their consent to us for Processing Personal Data.
5. Access to personal data
Requests for Personal Data of a Data subject should be directed to email@example.com. Any administration fees associated with this request will be disclosed in advance, and shall always be reasonable.
6. Retention of data
We will never sell Personal Data without consent.
We will report any security breach to the Information Regulator (or other relevant body), and the individuals or companies involved. Suspected Data breaches should be notified to us immediately by sending an email to firstname.lastname@example.org.
We are not responsible for, give no warranties, nor make any representations in respect of the privacy policies or practices of linked or any third party websites.
9. Transborder flow of information
Personal Data shall only be transferred to, or hosted by, recipients who are subject to laws, binding corporate rules or agreements, that provide an adequate level of protection that upholds principles for processing of information that are substantially similar to those principles as set out in POPI and GDPR.
Updated 2 September 2019