Welcome to DXRX - The Diagnostic Network® ("DXRX Platform")
Diaceutics PLC, a company registered in Northern Ireland under company number NI055207, whose registered office is at 55-59 Adelaide Street, Belfast, BT2 8FE, is the entity that owns or operates the DXRX Platform (hereinafter referred to as “Diaceutics”, “we”, “us”, or “our”).
We have created this privacy statement (‘Statement’) in order to reflect the transparency requirements expected of us by law and our own ethics. In this Statement, references to ‘you’ and ‘your’ are references to the registered user on the DXRX Platform to access the DXRX Services, in the capacity of a ‘DXRX Member’ or ‘End User’ as applicable.
Your privacy is extremely important, and we will provide you with clear and transparent information about how we use your Personal Data. We only Process your Personal Data for the purposes outlined. Our aim is not to be intrusive and we undertake not to ask you irrelevant or unnecessary questions. We will try our best to keep your Personal Data accurate and up to date but do help us with this too please! We also have robust measures and procedures in place to minimize the risk of unauthorized access to your Personal Data and to keep it secure. Also, we only share it with a Third Party (see paragraph 3.1 (access and storage)) where we have a right to do so and where we are satisfied that the Third Party shall treat it with the same or higher levels of respect.
This document outlines how we collect and Process your Personal Data through the DXRX Platform and when you use the DXRX Services or otherwise communicate with us including by email, telephone or via DXRX Platform. We are committed to respecting your privacy and protecting your Personal Data.
For the purpose of the Data Protection Legislation, we are the Data Controller (ICO registration number: ZA504761) when we Process your DXRX Membership Data. To the extent Diaceutics Processes any Member Communications that contains any Personal Data, Diaceutics is a Data Processor and we shall Process it only to the extent necessary to enable Diaceutics and its group of companies to provide the DXRX Services to you. Please refer to the DXRX Membership Terms (and Data Processing Addendum).
This Statement incorporates our DXRX Membership Terms (and Data Processing Addendum), End User Terms, Acceptable Use Policy (or AUP), DXRX Security Policy, DXRX Support Policy and DXRX Cookies Policy as applicable by this reference. Unless otherwise stated, any defined terms in here shall have the meaning set out in the DXRX Membership Terms or End User Terms as applicable.
- What Personal Data about you do we collect and for what purposes do we process your Personal Data?
- How do we use your Personal Data to communicate with you?
- Who has access to your Personal Data and where is it stored?
- What are your rights under Data Protection Legislation?
- How can you submit a query or a complaint?
- Important additional information for California residents
- Changes to this Statement
- Definitions and Interpretations
1. What personal data about you do we collect and for what purposes do we process your personal data?
1.1. In order for us to provide you with and continually improve the DXRX Services, we need to Process some of your Personal Data. We understand that your Personal Data belongs to you and you provide it to us on trust that we will use it lawfully i.e. appropriately, proportionately, only in respect of the stated purpose and that we will hold on to it for as short a time as possible. Most important of all, we must have a valid lawful basis for Processing your Personal Data in the first place. Here are the types of information that we Process:
1.1.1. Personal data you provide to us: We receive and store any information you provide in relation to the DXRX Services, such as when you complete your profile, post or upload to the DXRX Services, respond to a questionnaire or submit a Collaboration Opportunity. See below for the list of Personal Data we collect. You can choose not to post or upload certain information but then you might not be able to take advantage of some of the DXRX Services, or, it may limit your ability to network and collaborate with other DXRX Members effectively.
1.1.3. Information from other sources: We might receive information about you from other sources e.g. from your Administrator, information about your interactions with certain services offered by our group companies or via other DXRX Members. Other DXRX Members (including you) may post content that includes information about you (as part of a Collaboration Opportunity, articles, posts, videos) on the DXRX Services. See below for the list of Personal Data we collect.
1.2. List of Personal Data collected: Rather than lots of paragraphs of text where all these transparency requirements are scattered throughout this Statement, we hope you find having most of it all in one eyeshot in our tables easier to navigate:
| Type of Personal Data Processed by Diaceutics | Source | Purpose for Processing this Personal Data | (1) Lawful Basis for Processing |
|---|---|---|---|
| Membership Data that you provide to us in connection with the creation, administration and management of your DXRX Account, for example: | you or your Administrator, as applicable | We use this information to: | (1) For Processing this Personal Data, we rely on the fact that you have a contract with us. For billing (where applicable), we may also rely on the fact that we have a legal or statutory obligation; and, for the purposes of legal claims, we rely on our fulfilment of our legal obligations. (2) 6 years from the end of the relevant tax year after you terminate your DXRX Account with us. We will retain username, password and/or DXRX Account preference settings for 2 years. |
| Information communicated to us via the DXRX Platform, email, over the phone, live chats, chat forums, through social media or via any other medium, including: | you, your Administrator, any of Diaceutics’ group companies, or a DXRX Member, as applicable | We may use this information to: | (1) For Processing this Personal Data, we rely on the fact that you have a contract with us. (2) 6 years from the end of the relevant tax year after you terminate your DXRX Account with us. |
| Information to enable you to receive Marketing Communications, including: | you or your Administrator, as applicable | We use this information to: | (1) For Processing this Personal Data, we rely on legitimate interests in respect of the purpose. (2) 6 years from the end of the relevant tax year after you terminate your DXRX Account with us. |
| Technical information about the way you use our DXRX Services including: | | We use this information to: | (1) For Processing this Personal Data, we rely on our legitimate interests in respect of the purpose. (2) 2 years from the end of the relevant tax year after you terminate your DXRX Account with us. |
1.3. We are a growing network and we do want to be of value to you during our relationship so if we ever require further Personal Data from you or if we would like to use your Personal Data for a different purpose, then we will always provide you with additional information about this at the point that you are invited to make use of these additional services.
1.4. Our retention rights: How long we keep your Personal Data depends on the context in which you provide it and the purpose for which we use it. See the last column in the table above. Do note that we need to retain sufficient information about you in compliance with certain legal or statutory requirements in the future so that we can identify you.
2. How do we use your personal data to communicate with you?
2.1 Servicing Communications: You acknowledge that your Personal Data may be used by us (or a Service Provider on our behalf) to contact you when necessary in connection with your use of the DXRX Platform and to access our DXRX Services as follows:
| | Method of receipt | Lawful Basis for general Processing |
|---|---|---|
| Relevant notifications may include: | In-platform notifications, telephone, email, live chat. | For Processing this Personal Data, we rely on the fact that you have a contract with us. |
2.2 Marketing Communications: From time to time, we (or a Service Provider on our behalf) may send you Marketing Communications (and monitor whether you have opened the communication and clicked on any included links which will enable us to understand your level of engagement/interest in the communication we are sending to you). We want to keep you interested!
(1) Method of receipt
(2) Lawful basis for general Processing
(3) How can you opt out?
DXRX news publications; scientific publications; new DXRX Member joiner notifications; Collaboration Opportunity alerts.
(1) In-platform; telephone, email
(2) Legitimate interests
(3) You can log in to your account at any time to amend your preferences or by clicking on the ‘unsubscribe’ link at the bottom of any Marketing Communication. If you opt out of our Marketing Communications, we will retain your Personal Data on our suppression list so that we comply with your wishes not to be contacted.
2.3 Legitimate interests to process your personal data: We may Process Personal Data about you where we rely on “legitimate interests” as our lawful basis. Where this is the case, we will have carried out an assessment to determine that we have valid and lawful rights to do so. Despite this, if it bothers you, you have the right to object to any of the Processing we undertake by contacting us at firstname.lastname@example.org.
2.4 Profiling: We may from time to time use publicly available demographic information to determine who we target for specific events or marketing campaigns so as to avoid contacting individuals unnecessarily. You have the right not to be subject to a decision based solely on automatic Processing. We undertake profiling when you have interacted with us online via the company website and content, landing pages, DXRX Platform and social media pages. Where this is a result of cookie activity, you can manage this via our Cookie Consent Preference Management Tool.
2.5 Research & statistics: We may use communications information to compile Anonymized statistical reports showing information like the number and type of query and how each has been resolved. Occasionally, we will use information provided to develop case studies for learning and development purposes. We will be very careful to ensure that any information that could re-identify a person is removed or changed to preserve anonymity.
2.6 Other websites or applications & their policies: The DXRX Platform may contain links to other websites or applications. We are not responsible for the privacy practices or policies or for the content of such websites or applications of such third parties, so you should be careful to read and understand those policies independently.
3. Who has access to your data & where is it stored?
3.1 We may engage or collaborate with a Third Party for a variety of different reasons. This may be in relation to the performance of our business and daily operational functions on our behalf to enable us to fulfil our DXRX Services to you (including making improvements to our DXRX Services). For example, we use AWS for data hosting and security improvements, Zoho Marketing for some of our marketing and various IT support service providers to help us to build and maintain the DXRX Platform.
3.2 We may transfer your Personal Data to a related company, agent or contractor (also known as an independent Data Controller) e.g. where we introduce you to a complimentary service or, in order to fulfil our legal and statutory obligations, we may need to transfer your Personal Data to our legal advisors or legal authorities or enforcement bodies (e.g. to comply with a court order, or where disclosure is necessary to exercise, establish or defend the legal rights of Diaceutics, our DXRX Members or any other third party); or, to assist our security, credit risk or fraud protection activities (including sharing with our auditors for auditing purposes and HMRC for accounting purposes).
3.3 Where it is necessary to share your Personal Data, we will limit the Personal Data that we share to the minimum required to provide the DXRX Service and the Data Processor (or Data Controller) we share it with will only be able to use it for the specific purposes for which it was shared. If we stop using the service of a Data Processor, we ensure that your Personal Data is deleted or is securely returned to us.
3.4 Transfer of Personal Data in the Event of the Sale of Diaceutics or its Assets
In the event that Diaceutics is sold or transfers some of its assets to another party, your Personal Data could be one of the transferred assets. If your Personal Data is transferred, its use will remain subject to this Statement. Your Personal Data will be passed on to a successor in the event of a liquidation or administration.
3.5 To enable or support us in providing the DXRX Platform and the DXRX Services, we may share your information, including Personal Data within our group of companies that are related by common ownership or control. We are located in the United Kingdom and our group of companies are located throughout the world. They are listed here:
- Diaceutics Ireland Limited
- Diaceutics Pte. Ltd.
- Diaceutics Pte. Ltd. - Japan branch
- Diaceutics Pte. Ltd. - South Korea branch
- Diaceutics Precision Medicine Technology (Guangzhou) Limited
During your use of our DXRX Platform to access the DXRX Services including your interactions with us, your Personal Data may be transferred outside of your home country and may be stored in, and accessed from, multiple countries. We will not transfer your Personal Data to any Third Parties based in other countries outside of the EEA unless there is a European Commission adequacy decision or the EU Commission approved Standard Contractual Clauses are in place.
4. What are your rights under data protection legislation?
4.1 You have a number of rights that you can exercise free of charge and on request in certain circumstances; however, if your requests are obviously unfounded or excessive, we reserve the right to charge a reasonable fee or to refuse to act. You have the right:
- to be informed about the collection and use of your Personal Data. This is what this Statement fulfils;
- to access your Personal Data and supplementary information (‘DSAR’);
- to have inaccurate Personal Data corrected, or completed (if it is incomplete);
- to have your Personal Data erased;
- to restrict our Processing of your Personal Data;
- to receive a copy of any Personal Data you have provided to us, in a machine-readable format, or have this information ported to a third party;
- to object AT ANY TIME to Processing of your Personal Data for direct marketing purposes;
- to object in certain other situations to the continued Processing of your Personal Data.
For more information on these rights and when you can exercise them, see the Information Commissioner’s Guide.
4.2 If you wish to exercise any of these rights, please contact us at email@example.com. We will respond to you within one month from when we receive your request and have verified your identification, unless the complexity and number of requests we receive means that we need more time. If we do need more time (up to two further months), we will tell you why within the first month.
5. How can you submit a query or a complaint?
Query: We are happy to provide any additional information or explanation needed in respect of our Processing activities upon request. For all matters relating to privacy and data protection, please contact our DPM by email to firstname.lastname@example.org.
Complaint: We try to meet the highest standards when Processing your Personal Data. For this reason, we take any complaints we receive about this very seriously and we encourage you to bring it to our attention. While we hope to be able to resolve any concerns you have about the way that we are Processing your Personal Data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO) (or with the supervisory authority of the European Member State where you work, normally live or where the alleged infringement of Data Protection Legislation occurred) if you believe that your Personal Data has been Processed in a way that does not comply with the Data Protection Legislation or have any wider concerns about our compliance. You can do so by calling the ICO helpline on 0303 123 1113 or via their website here.
For information about cookies and how they are used on the DXRX Platform, please visit our Cookie Consent Preference Management Centre accompanied by our DXRX Cookies Policy.
7. Important additional information for California residents
7.1 The CCPA requires that we provide California residents with certain specific information about how we handle their Personal Information, whether collected online or offline.
7.2 Categories of Personal Information that We Collect, Disclose, and Sell
The table below sets out generally the categories of Personal Information (as defined by the CCPA) about California residents that we collect, disclose and sell to others for a business purpose. We collect these categories of Personal Information from the sources and for the purposes explained in this Statement. Our collection, disclosure and use of Personal Information about a California resident will vary depending upon the circumstances and nature of our interactions or relationship with such resident.
Categories of Personal Information
Do we collect?
Do we disclose for a business purpose(s)?
Do we sell?
Name, Contact Info and other Identifiers: identifiers such as a real name, alias, address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, or other similar identifiers.
Customer Records: paper and electronic customer records containing personal information, such as name, signature, address, telephone number, education, current employment, employment history, bank account number, credit card number, debit card number, or any other financial or payment information.
Protected Classifications: characteristics of protected classifications under California or federal law such as race, color, sex, age, religion, national origin, disability, citizenship status, and genetic information.
Purchase History and Tendencies: commercial information including records of personal property, products or services purchased, obtained, or considered, or other purchasing or use histories or tendencies.
Biometric Information: physiological, biological or behavioral characteristics that can be used alone or in combination with each other to establish individual identity, including DNA, imagery of the iris, retina, fingerprint, faceprint, hand, palm, vein patterns, and voice recordings, keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.
Usage Data: internet or other electronic network activity information, including, but not limited to, browsing history, clickstream data, search history, and information regarding a resident’s interaction with an internet website, application, or advertisement, as well as access logs and other activity information related to your use of any company websites, applications or other online services.
Geolocation Data: precise geographic location information about a particular individual or device.
Audio, Video and other Electronic Data: audio, electronic, visual, thermal, olfactory, or similar information such as CCTV footage, photographs, and call recordings and other audio recordings (e.g., recorded meetings and webinars).
Employment History: professional or employment-related information.
Education Information: information about education history or background that is not publicly available personally identifiable information as defined in the federal Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99).
Profiles and Inferences: inferences drawn from any of the information identified above to create a profile reflecting a resident’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
7.3 California resident rights
7.3.1 Do-Not-Sell. California residents have the right to opt-out of the sale of their personal information. However, Diaceutics does not sell personal information as contemplated by California law and therefore such opt-out rights are not applicable.
7.3.2 Notice at Collection. At or before the point of collection, notice must be provided to California residents of the categories of Personal Information collected and the purposes for which such information is used.
7.3.3 Verifiable Requests to Delete & Requests to Know. Subject to certain exceptions, California residents have the right to make the following requests, at no charge:
Request to Delete: California residents have the right to request deletion of their Personal Information that we have collected about them and to have such Personal Information deleted, except where an exemption applies.
Request to Know: California residents have the right to request and, subject to certain exemptions, receive a copy of the specific pieces of Personal Information that we have collected about them in the prior 12 months and to have this delivered, free of charge, either (a) by mail or (b) electronically in a portable (and, to the extent technically feasible, readily useable) format that allows the individual to transmit this information to another entity without hindrance. California residents also have the right to request that we provide them with certain information about how we have handled their Personal Information in the prior 12 months, including the:
- categories of Personal Information collected;
- categories of sources of Personal Information;
- business and/or commercial purposes for collecting and selling their Personal Information;
- categories of third parties with whom we have disclosed or shared their Personal Information;
- categories of Personal Information that we have disclosed or shared with a third party for a business purpose; and
- categories of third parties to whom the residents’ Personal Information has been sold and the specific categories of Personal Information sold to each category of third party.
California residents may make Requests to Know up to twice every 12 months.
7.3.4 Submitting Requests. Requests to Know and Requests to Delete may be submitted by emailing us at email@example.com or by mail marked for the attention of Compliance at: Diaceutics PLC, Titanic Suites, Enterprise House, 55-59 Adelaide Street, Belfast, Antrim BT2 8FE. We will respond to verifiable requests received from California residents as required by law.
7.3.5 Right to Non-Discrimination. The CCPA prohibits discrimination against California residents for exercising their rights under the CCPA.
8. Changes to this statement
We keep our Statement under regular review and may make changes but if we do, we will, where appropriate, notify you by email, or, when you next log in, the amended version will be displayed on-screen and you may be required to read and accept them to continue. This Statement was last updated on 26 August 2020.
9. Definitions & interpretations
Administrator: means the DXRX Member or one or more End Users who have been allocated administrative privileges to access and use the DXRX Platform. An Administrator can undertake various tasks on behalf of the principal DXRX Member entity.
CCPA: means the California Consumer Privacy Act of 2018.
Data Controller: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data (Article 4(7)).
Data Processor: means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Data Controller (Article 4(8)).
Data Protection Legislation: means, as applicable, any law, rule, regulation, decree, statute, or other enactment, order, mandate or resolution, to the extent applicable to either Party relating to data security, data protection and/or privacy, including:
- the General Data Protection Regulation ((EU) 2016/679) (GDPR);
- the Data Protection Act 2018;
- the Privacy and Electronic Communications (EC Directive) Regulations 2003;
- the California Consumer Privacy Act of 2018 (CCPA);
- the Federal Trade Commission Act (FTC);
- the Health Insurance Portability and Accountability Act (HIPAA);
- the Personal Data Protection Act 2012 (Singapore);
- the Personal Information Protection and Electronic Documents Act (PIPEDA);
- any other applicable law relating to the Processing, privacy and/or use of Personal Data including security;
- any implementing, derivative or related legislation thereof, rule, regulation, and regulatory guidance or codes of practice issued by any governmental authority with jurisdiction over you or us; and,
- any laws or otherwise that replace, extend, re-enact, consolidate or amend any of the foregoing.
Data Protection Manager (DPM): firstname.lastname@example.org.
Data Subject Access Request or ‘DSAR’: refers to the right of access as further described in paragraph 4.
DXRX Account: refers to the online account accessible by way of your unique login credentials via the DXRX Platform.
DXRX Services: refers to our proprietary software-as-a-service solution, including the DXRX Platform, designated areas within the DXRX Platform where you communicate and collaborate, for example with respect to Collaboration Opportunities, any tools and services made available by us or our group companies, and technical user documentation, provided to you via the DXRX Platform. DXRX Services do not include any software (including machine images), hyperlinks, website links, data, text, audio, video or images made available to you by any other DXRX Members on the DXRX Platform or in conjunction with the DXRX Services.
EEA: refers to the European Economic Area which consists of all EU member states, plus Norway, Iceland, Liechtenstein.
Electronic Mail: includes but is not limited to email, text, video, voicemail, picture and answerphone messages (including push notifications and in-platform notifications).
General Data Protection Regulation or GDPR: the General Data Protection Regulation ((EU) 2016/679).
Marketing Communication(s): refers to any communication whether by an Electronic Mail method or otherwise that we send to you (either directly or via a Service Provider) which may include but are not necessarily limited to relevant scientific publications, newsletters and magazines, information about Collaboration Opportunities, products, services, events and other relevant information.
Personal Data: has the meaning set out in the Data Protection Legislation.
Personal Information: under the CCPA, refers to any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California resident or household. It does not include publicly available data as defined by the CCPA.
Service Provider(s): refers to a Third Party with whom we work from time to time as a necessary part of providing our DXRX Services and with whom we may need to share your Personal Data.
Servicing Communication(s): refers to any communications that are not Marketing Communications, which are transactional, service-based and/or administrative in nature.
Technical Data: refers to that at paragraph 1.1.2 which is capable of being considered Personal Data.
Third Party: refers to a Data Processor or Data Controller with whom we may need to share your Personal Data. This includes Service Providers as further described at paragraph 3.