Our Privacy Statement

Welcome to the privacy policy of Kaleidoscope. This document is designed to inform you about how we handle and safeguard your data. We encourage you to read through it meticulously, as your use of our services signifies your agreement with these terms. If you have any queries or concerns, feel free to reach out to us at support@discoverkaleidoscope.com.

This Privacy Policy outlines the methods by which Discoverkaleidoscope.com, its subsidiaries, related entities, and franchisees (collectively referred to as “Kaleidoscope”, “we” or “us”) ensure the confidentiality of your Personal Information, and the framework for how we collect, process, and utilize any Personal Information provided by you, or third parties to us.

We will protect your Personal Information in compliance with the applicable laws and regulations safeguarding the privacy of personal information in the jurisdictions where we operate (“Applicable Laws”). For this Privacy Policy, “Personal Information” refers to identifiable data about you as an individual, including personal health information or other personal information as defined by the Applicable Laws. “Special Category Personal Data” pertains to Personal Information that reveals racial or ethnic origin, political opinions, religious beliefs, philosophical beliefs or trade union membership, genetic and biometric data (when processed to uniquely identify an individual), data concerning health, sex life, or sexual orientation. Kaleidoscope will only collect, use, store, disclose, and transfer your Personal Information in alignment with this Privacy Policy, any related Privacy Notices, and Applicable Laws including the EU General Data Protection Regulation (EU GDPR).

Please read the following carefully to understand our stance and practices concerning your Personal Information and how we will handle it. By using our service, which includes software applications to read and analyse your genetic and other data to provide insights regarding your genetic and biomarker makeup concerning exercise, mental well-being, nutrition, diet, cardiometabolic health, among other benefits, to assist in making lifestyle decisions and steps towards healthy habit formation, aided by professional, science-based coaching (the “Service”), you confirm that you have read, understood and agree with the collection, use, storage, disclosure and transfer of your Personal Information under this Privacy Policy. If you do not agree or withdraw your consent, you should not use the Service.

If you are under the age of 18, you must not use the Service or submit Personal Information to us unless you have the consent of and are supervised by a parent or guardian. We do not knowingly collect information from individuals under the age of 18 without such consent.

This Privacy Policy was last updated on and is effective as of 26 February 2024. Kaleidoscope reserves the right, at its sole discretion, to modify, revise, delete, and update this Privacy Policy from time to time. We will use reasonable endeavours to notify you in advance of any modifications to the terms of this Privacy Policy. If you do not agree with the modifications, revisions, deletions, or updates, your sole remedy is to cease using the Service. By continuing to use the Service after those changes are made, you shall be deemed to have accepted and agreed to the changes.

The personal information we gather from you plays a crucial role in tailoring our services to your unique needs. When you utilize our service, we collect various types of Personal Information about you, including:

• Identifying details such as your name or nickname, gender, and date of birth;

• Contact information like your email address, telephone number, and physical address (for shipping purposes);

• Biological data, including third-party generated genetic profile (“Genetic Information”) and/or blood biomarkers;

• Behavioural patterns, such as smoking, drinking, or exercise habits;

• Family and personal health history;

• Payment details including bank account or credit card information, which are transmitted to Stripe for payment processing.

Our use of cookies and mobile analytics aids us in recognizing you, enhancing your experience, providing security, and analysing the usage of our Service. We collaborate with third-party partners who employ similar technologies to offer our products and services to you, monitor the success of marketing Services, and serve targeted advertising on our site and other sites around the Internet. Sensitive information, such as Genetic Information, is not used for targeted advertising.

We also automatically collect certain information about our website users and store it in log files. This data may include IP addresses, browser type, ISP, referring/exit pages, operating system, date/time stamp, and/or clickstream data. We combine this information with other data we collect about you, such as your user profile ID or order number, to enhance the services we offer you and improve marketing, analytics, and site functionality.

When accessed via a mobile device, we may receive or collect and store unique identification numbers associated with your device or our mobile application, mobile carrier, device type, model and manufacturer, mobile device operating system brand and model, phone number, and geographical location data, depending on your mobile device settings.

At Kaleidoscope, safeguarding your personal information is paramount. This document outlines how we utilize your data and the reasoning behind it. Following data protection laws, your data can only be used if we have a valid reason, such as:

• Your explicit consent.

• Compliance with our legal and regulatory obligations.

• To fulfil a contract with you or to take preliminary steps at your request before entering a contract.

• For our legitimate interests or those of a third party.

A legitimate interest pertains to a business or commercial reason that justifies the use of your information, provided this doesn't infringe upon your rights and interests. If we rely on legitimate interests, we will conduct an assessment to balance our interests against yours.

Kaleidoscope, along with any third-party data processors acting on our behalf, may collect, store, and process your personal information for the following reasons:

o To manage and operate the Service, including opening your account, communicating with you, implementing your requests, processing payments for DNA and other tests, subscriptions, in-app purchases (via Stripe SDK), and running our mobile application and website.

o To provide personalized content and information, track your usage of our Services, process and analyse your Genetic Information and other Personal Information.

o To offer health, nutritional, and wellness analysis and recommendations based on your Genetic Information and other Personal Information.

o To connect you with other users of our Service who have similar conditions, enabling the sharing of information and approaches.

o To conduct analytics to improve and enhance our Service.

o To introduce new products, programs, or services to you, subject to applicable laws, and for our internal record-keeping requirements.

o To share your Personal Information with selected third parties following this Privacy Policy.

o To provide you with information about goods or services we believe may be of interest to you, via SMS, email, or other electronic messaging service.

o To anonymize and aggregate the Personal Information for any other purposes, provided that no identifiable personal information can be readily identified.

In cases where we process special category personal data, we will ensure we are permitted to do so under data protection laws, for instance:

• We have your explicit consent.

• The processing is necessary to protect your (or someone else’s) vital interests where you are physically or legally incapable of giving consent.

• The processing is necessary to establish, exercise, or defend legal claims.

We will retain your Personal Information only as long as necessary, considering its original purpose. After this period, unless required by law, we will delete it. However, Kaleidoscope will continue to hold any anonymised and aggregated information.

Processing of personal data

In this section, the following definitions apply:

• "Applicable Law" refers to the laws that are in effect in Spain

• Terms such as "Controller", "Data Subject", "International Organisation", "Personal Data", "Personal Data Breach", "Processor" and "processing" have the meanings assigned to them in the relevant data protection regulations at any given time. Any related terms, such as "process", "processed", and "processes" should be interpreted accordingly.

• "Data Protection Laws" encompasses all laws relating to the processing, privacy, and use of Personal Data that apply to either party or the services. This includes:

o The General Data Protection Regulation (GDPR), Regulation (EU) 2016/679;

o The Data Protection Act 2018;

o Any laws that implement any such laws;

o Any laws that replace, extend, re-enact, consolidate, or amend any of the foregoing;

o All guidance, guidelines, and codes of practice issued by any relevant Data Protection Supervisory Authority relating to such Data Protection Laws (whether legally binding or not).

• "Data Protection Supervisory Authority" is any regulator, authority, or body responsible for administering Data Protection Laws;

• "Processing End Date" refers to the earlier of two possible dates concerning any Protected Data:

o The end of the provision of the relevant services related to the processing of such Protected Data; or,

o The point at which the Supplier no longer needs to process such Protected Data to fulfil its obligations under this agreement.

• "Protected Data" is Personal Data received from the Customer or on their behalf, or otherwise obtained in connection with the performance of the Supplier’s obligations under this agreement.

• A "Sub-Processor" is any Processor engaged by the Supplier (or by another Sub-Processor) to carry out any processing activities in respect of the Protected Data.

Compliance with data protection laws

Kaleidoscope will guarantee that all Sub-Processors and Supplier Personnel will consistently adhere to all Data Protection Laws when processing Protected Data and delivering Services. Any action or omission on their part must not lead to the Customer, or any other party, violating any Data Protection Laws. It must be clearly understood that this agreement does not absolve Kaleidoscope from any obligations or liabilities under Data Protection Laws.

Data Protection and Processing

Kaleidoscope's data protection protocol ensures the privacy and security of your personal information. This document outlines the specifics of how we process your protected data, following the subject matter, duration, nature, and purpose of the processing.

Subject-Matter of Processing

• Genetic Information: We obtain your genetic data from a buccal (cheek) swab or a saliva collection device through Kaleidoscope's DNA test or from raw data provided by you from a third-party DNA testing provider.

• Contact Information: This includes your name, address, phone number, and email address.

• Self-Reported Personal, Health & Lifestyle Data: Information such as your current diet, stress levels, sleep patterns, weight, medical and family history, goals, smoking and drinking habits, ethnicity, and gender.

• Banking Information: Your bank account or credit card details are required for transactions.

Nature and Duration of the Processing

Genetic Information

We aim to provide motivational, inspirational, and educational information to support your healthy habit formation. Your DNA swabs are processed in our ISO-accredited partner laboratory, taking at least 10 working days from when the sample reaches our lab. Physical DNA samples are stored for 90 days to allow for re-processing if necessary and are destroyed afterward. Once your results are ready, we notify you via email. We store the raw data anonymously on a secure server, identified only by a unique barcode ID, to provide ongoing updated advice based on changes in your self-reported health and lifestyle data or new DNA insights. You can request us to delete this data and your user profile at any time.

Contact Details

We use your contact details to deliver your test kit and keep you informed during the process. Informing you when your results are ready, communicating about new features, service updates, terms, and privacy policy, and sending monthly newsletters with personalized content are part of this process. We also process purchases/payments using your contact details.

Self-Reported Personal, Health & Lifestyle Data

We capture and assess this information electronically alongside your DNA data to deliver personalized information and advice. Our team of experts securely stores the information for analysis and interpretation. You must submit this information to benefit from our health coaching advice.

Banking Details

We may need to collect your bank account or credit card details to process payments, subscriptions, and purchases. This could be for purchasing a DNA test, a subscription (which renews annually), or single-item purchases like a meal plan in-app. We use Stripe, a third-party tool, to process payments via our e-commerce platform. Your telephone number, bank account or credit card details, and relevant information will be passed to Stripe for payment processing. Please refer to Stripe's Privacy Policy for their data handling practices.

Guidelines

Kaleidoscope is authorized to process (and ensure Supplier Personnel process) the Protected Data strictly in line with the terms outlined in the Schedule, this Agreement, and any instructions issued by the Customer from time to time. This applies to any data transfer unless otherwise mandated by applicable law. In such cases, Kaleidoscope should inform the Customer of the legal requirement before processing unless prevented by law due to significant public interest considerations. Should any instruction related to the Protected Data infringe or potentially infringe any Data Protection Law, Kaleidoscope is obligated to immediately notify the Customer. All instructions received from the Customer concerning Protected Data must be meticulously recorded by Kaleidoscope.

Security Measures

Kaleidoscope is required to consistently implement and maintain suitable technical and organizational measures to safeguard Protected Data against accidental, unauthorized, or unlawful destruction, loss, alteration, disclosure, or access. These measures must, at a minimum, align with those specified in the Terms and should reflect the nature of the Protected Data.

Throughout the period that Kaleidoscope processes any Protected Data, it should carry out a documented assessment at least once every [12] months to ascertain the effectiveness of the implemented security measures.

Unless both parties agree to a binding variation of this Agreement, Kaleidoscope is prohibited from making any changes to the security measures it applies to the Protected Data that would conflict with the provisions of this Agreement.

Sub-processing and Personnel

Sub-processing refers to a situation where a third-party data processor, known as a Sub-Processor, is engaged by a Data Processor to have access to or process personal data. This can be done under a binding written contract as exemplified by these Terms.

Kaleidoscope, acting as a Data Controller, has certain responsibilities and obligations regarding Protected Data and the engagement of Processors and Sub-Processors. These include:

• Not permitting any processing of Protected Data by any agent, sub-contractor, or other third parties without specific written authorization from the Customer.

• Ensuring that access to Protected Data is limited to authorized persons who need it to supply the Services.

• Appointing each Processor under a binding written contract containing the same obligations in respect of Protected Data.

Kaleidoscope is also obligated to assist the Customer with fulfilling the Customer's obligations under Data Protection Laws, such as responding to requests for exercising the Data Subjects' rights under Chapter III of the GDPR.

Overall, the role of a Sub-Processor and the obligations of a Data Controller like Kaleidoscope are outlined in Data Protection Laws and agreements between the parties to ensure the protection and proper handling of personal data.

Assistance

Kaleidoscope commits to proactively:

• Supply necessary information and support, including implementing all suitable technical and organizational strategies, as required by the Customer to fulfil the Customer’s obligations in responding to requests for exercising the Data Subjects' rights under Chapter III of the GDPR (and any similar obligations under applicable Data Protection Laws), all at its own expense; and,

• Offer information, collaboration, and additional assistance as reasonably necessitated by the Customer (considering the nature of processing and the information available to the Supplier) to ensure compliance with the Customer's obligations under Data Protection Laws, which include:

o Ensuring security of processing (inclusive of any review of security measures);

o Conducting data protection impact assessments (as defined in Data Protection Laws);

o Engaging in prior consultation with a Data Protection Supervisory Authority about high-risk processing; and,

o Implementing any remedial action and/or notifications in response to any Personal Data Breach and/or any complaint or request relating to either party's obligations under Data Protection Laws relevant to this Agreement. This includes (subject in each case to the Customer's prior written authorization) any notification of the Personal Data Breach to Supervisory Authorities and/or communication to any affected Data Subjects.

Kaleidoscope pledges to document and direct all requests and communications received from Data Subjects or any Data Protection Supervisory Authority to the Customer that relate (or may relate) to any Protected Data promptly (and in any event within three days of receipt). It shall not respond to any such requests without the Customer's express written approval and strictly following the Customer's instructions unless and to the extent required by applicable law, all at no cost to the Customer.

Documentation and Auditing

Kaleidoscope is obligated to provide the Customer with all necessary documentation and information required to demonstrate compliance with data protection obligations and laws promptly. This includes facilitating audits, inspections, and providing access to premises, systems, personnel, and records during standard business hours upon reasonable prior notice (not exceeding 10 business days). Kaleidoscope will ensure full cooperation during these audits and inspections, including those conducted by a third-party auditor appointed by the Customer.

Data Breach Protocol

In the event of a suspected, actual, or threatened data breach involving Protected Data, Kaleidoscope must immediately notify the Customer within a 48-hour window. Furthermore, Kaleidoscope is required to provide all necessary information to the Customer so they can report the incident to the relevant Data Protection Supervisory Authority and notify any affected parties under Data Protection Laws.

Deletion & return

Kaleidoscope, along with its Processors and Supplier Personnel, is obligated to securely erase the Protected Data (including all duplicates) within a period of 2 to 5 Business Days following the corresponding Processing End Date. The only exception to this rule is when the preservation of certain data is necessitated by relevant laws. In such instances, Kaleidoscope will notify the Customer of the legal requirement and proceed to securely eliminate the data as soon as legally permissible.

Upon receiving requests from the Customer for the secure return or transfer of any Protected Data, Kaleidoscope, along with its Sub-Processors and Supplier Personnel, will swiftly comply. These requests should be in a format and manner that the Customer deems reasonable and should be received within 10 Business Days of the relevant Processing End Date.

Within 10 Business Days of the date set for the performance of any obligation, Kaleidoscope will formally notify the Customer via written communication, detailing:

• Its level of adherence concerning the deletion of Protected Data;

• If applicable, comprehensive details of any failure to fulfil its obligations. Upon rectification, the Supplier will immediately notify the Customer; and,

• If applicable, thorough details of any Protected Data that remains stored as mandated by relevant laws, along with validation of the pertinent law(s).

Rights of Data Subjects

This Agreement does not affect the rights of Data Subjects under Data Protection Laws, including those outlined in Articles 79 and 82 of the GDPR or any comparable Data Protection Laws, against the Customer, Kaleidoscope, or any Sub-Processor.

Disclosure of Personal Information

Kaleidoscope may share your personal information, collected, or provided by you, with selected third-party entities for the following reasons:

• To facilitate and improve our Service and associated programs.

• To enforce our Service’s Terms, and other agreements, and investigate potential violations.

• To safeguard our rights, assets, and safety, as well as that of our Service users and others (e.g., for fraud prevention).

• To process payments for any purchases made by you (via Stripe).

• To adhere to relevant laws, regulations, governmental or quasi-governmental requests, court orders, or subpoenas.

Your Genetic Information and Personal Information will only be disclosed to provide the Service unless we have your explicit consent. We will not share your Genetic Information and Personal Information with insurance companies or for marketing.

Your personal information may be shared with, amongst others:

• Statistical analysis service providers;

• Analytics and search engine providers like Google to enhance and optimize our website;

• Stripe for payment processing.

We ensure that third parties who receive personal information from us maintain a similar level of data protection, using contractual or other means. To the maximum extent allowed by law, we deny all liability arising from third-party use of your personal information. Upon request, we can confirm the names of each third party receiving your data. For payments processed through Stripe, refer to their Privacy Policy.

Unless specified in this Privacy Policy, we won't disclose, sell, distribute, rent, or lease your personal information to third parties without your consent or necessary transaction completion. We won't share identifiable personal information with third parties for direct marketing without your express consent.

In case a third party seeks to acquire our business and/or assets, we may disclose your personal information to them for proposed or actual acquisition purposes. In case of insolvency or similar situations, your personal information may be disclosed to third parties as part of a lawful business or asset sale compliant with applicable laws.

We might also need to:

• Share personal data with external auditors (e.g., for ISO accreditation and account audits).

• Disclose and exchange information with law enforcement and regulatory bodies to comply with legal and regulatory obligations.

• Share some personal data with other parties (like potential buyers during a business restructuring) - usually, the information will be anonymized but not always. However, the information recipient will be bound by confidentiality obligations.

Your data might be stored at our premises or with our third-party associates, service providers, agents, and representatives.

International Data Transfers

The personal information you provide may be transferred or stored by Kaleidoscope with our overseas affiliates, subsidiaries, and franchisees for service provision. Your data might also be shared with third parties in the UK, Europe, and other jurisdictions as per our Privacy Policy. By submitting your information, you agree to its transfer, storage, and processing outside its original jurisdiction. We will ensure your data is securely managed in line with our Privacy Policy. If we engage international third parties for services, we will ensure they provide comparable protection for your information. However, laws in some jurisdictions may not offer the same level of data protection as your home jurisdiction.

As per data protection law, we can only transfer your data to a non-EU country or international organization if:

• The EU rules consider the country or organization to provide adequate data protection (an 'adequacy decision').

• Appropriate safeguards are in place with enforceable rights and effective legal remedies for data subjects.

• A specific exception under data protection law applies.

Adequacy Decision

We may transfer your data to certain countries based on an adequacy decision. These include all EU countries, Iceland, Liechtenstein, Norway (collectively known as the 'EEA'), Gibraltar, Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, South Africa, Switzerland, UAE, and Uruguay. The list may change over time.

We might transfer your data to countries or organizations without an adequacy decision. In such cases, we will ensure appropriate safeguards are in place or rely on an exception.

Transfers with Appropriate Safeguards

In the absence of an adequacy decision, we may transfer your data to another country or organization if it complies with data protection laws, appropriate safeguards are in place, and data subjects have enforceable rights and effective legal remedies. Usually, these safeguards involve using legally approved standard data protection contract clauses. To obtain a copy of these clauses and more information on relevant safeguards, please contact us at support@discoverkaleidoscope.com.

Data Transfer Under Exceptional Circumstances

Without an adequacy decision or suitable safeguards, data transfer to a third country or international organization can occur under certain exceptions as per relevant data protection laws. These exceptions include:

• Your explicit consent after understanding the associated risks.

• The necessity of transfer for contract execution or pre-contract measures per your request.

• The necessity of transfer for a contract beneficial to you between us and another party.

• The necessity of transfer for the establishment, defence, or exercise of legal claims.

Furthermore, we may transfer data for our compelling legitimate interests, provided they do not infringe on your interests, rights, and freedoms. Specific conditions apply to such transfers, and we'll provide relevant information in case we need to transfer your data under this premise.

Security Measures

Kaleidoscope employs robust security measures to ensure the secure storage of all collected and received Personal Information. We utilize technical, organizational, administrative, and physical measures to protect your Personal Information from accidental damage, misuse, loss, unauthorized access, or alteration. While we strive to guarantee your Personal Information's security, we cannot assure the safety of data transmitted to us by a third party.

Once we receive your Personal Information, we implement various procedures and security features to prevent unauthorized access, use, or disclosure. Access to your data is limited to those with a genuine business need. Those handling your information are obligated to do so in an authorized manner, adhering to confidentiality.

We have established procedures to address any suspected data security breach. In case of a suspected data security breach, we will notify you and any relevant regulator as legally required.

Your responsibility also extends to protecting your Personal Information. You're responsible for safeguarding your password, secret questions, answers, and other authentication information used to access our Service. You should not disclose your authentication information to any third party and should immediately notify us about any unauthorized use of your password. We cannot secure Personal Information that you release on your own or request us to release.

You can access, correct, or update your Personal Information as per the relevant procedures. You're also entitled to request a written detail of your Personal Information that we keep and ask for its rectification or erasure if the law permits.

You can revoke your consent regarding the use, disclosure, and transfer of your Personal Information according to this Privacy Policy by reaching out to us. If you withdraw your consent for us to process your Personal Information, it may impact our ability to offer all or parts of the Service.

In certain situations, you can ask us to limit the processing of your personal data, such as when you question the data's accuracy.

You're entitled to obtain your provided personal data in a structured, commonly used, machine-readable format and/or transmit it to a third party under certain conditions.

To stop receiving communications from us, reply UNSUBSCRIBE to any communication from us. To unsubscribe from our emails, follow the instructions in the email; however, this won't prevent us from sending account or transaction-related emails or other essential Service information. In certain situations, you can object to our continued processing of your data.

If you believe there's been a breach of the relevant laws, you can lodge a complaint with us. We will consider and respond to your complaint promptly. You can also file a complaint about your Personal Information treatment with the supervisory authority in your jurisdiction, if permitted by law.

You have the right not to be subject to a decision based solely on automated processing (including profiling) with significant legal effects on you.

To exercise these rights, contact us at the address provided below.

Marketing

We may use your data to send updates about services, including exclusive offers, promotions, or new services.

Our legitimate interest allows us to use your data for marketing purposes without typically requiring your consent. However, when consent is necessary, we will request it separately and clearly.

You can opt out of receiving marketing communications at any time by:

• Contacting us at support@discoverkaleidoscope.com; or,

• Using the ‘unsubscribe’ link in emails or the ‘STOP’ number in texts.

If further services are requested or if laws, regulations, or our business structure changes, we may ask you to confirm or update your marketing preferences.

We will always handle your data with the utmost respect and never sell or share it with other organizations for marketing purposes.