Privacy Policy

BGI Genomics Co., Ltd. and its affiliated companies (hereinafter referred to as “BGI” or “we”) is committed to protecting and respecting your privacy.

This Privacy Policy outlines how we process your personal data. We collect, use, disclose, transfer, and store your Personal Data when you use our websites, and/or our genetic testing and sequencing services (collectively the “Services”). Please read this Privacy Policy carefully to understand how we treat your Personal Data and/or Genetic Data that we may obtain in the course of providing our Services.

This Privacy Policy will help you understand the following:

1. Definitions
2. The Personal Data We Collect and How We Process It
3. How We Use Your Personal Data
4. How Long We Keep Your Personal Data
5. How We Share and Disclose Your Personal Data
6. How Your Personal Data is Transferred
7. How We Protect Your Personal Data
8. Your Rights
9. How We Process Children’s Personal Data
10. How This Privacy Policy Is Updated
11. Contact Us

• Definitions

 “Affiliated Company” refers to a company that is related to BGI due to joint ownership or control.

“Third Party” refers to a company or person who does not have a related relationship arising out of joint ownership or control with BGI (i.e., a non-affiliated company) or other non-related person, or the Customer who engage the Services from BGI (i.e., Clinician, Hospital, Health Professional, Healthcare Service Provider, University, Research Institution, Pharmaceutical Companies)

“Genetic Data” refers to personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question

 “Personal Data” refers to any information relating to an identified or identifiable natural person (“Data Subject”), including Genetic Data. An identifiable natural person is one who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location information, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Personal Data Breach”is a breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

• The Personal Data We Collect and How We Process It

The Personal Data can be collected by BGI directly from the Data Subject, or from a Third Party with the consent of the Data Subject or where permitted by law.

BGI is responsible for the processing and treatment of your Personal Data regarding the Services entrusted to BGI.

The Personal Data BGI processes include but is not limited to:

• full name, address and contact details
• date of birth
• gender
• weight
• height
• nationality
• sample material involving Genetic Data
• any clinical information necessary for the purpose of the services or tests required, such as medical history (including any condition for which medical advice or treatment was sought, any form of consultation, investigation, prescription or treatment), allergies, current medication
• family medical history
• other medical test results or findings necessary for conducting genetic testing or sequencing services
• Information You Directly Provide to Us

Certain Personal Data concerning you, including Genetic Data, are collected directly from you by BGI.

BGI might collect the Personal Data in the following circumstances:

• When you use this website (https://www.niftytest.com/)
• When you use our genetic testing and sequencing services
• When you use our customer services
• When you cooperate with us

The information above may be necessary for the adequate performance of the contract or purchase order between you and BGI and to allow us to comply with our legal obligations. Without it, we may not be able to provide you with relevant requested Services.

• Information We Collect from Third Parties

To enable us to provide better Services to you, where permitted by applicable laws, we may collect your Personal Data indirectly from a Third Party.

We will put efforts to ensure the legitimacy of the source of your Personal Data. However, please note that we do not control, supervise or respond to how the Third Party processes your Personal Data. Any request regarding the disclosure of your Personal Data to us should be directed to such Third Party.

• How We Use Your Personal Data

We process your Personal Data so that we can:

• perform our Services
• improve our Services
• keep you updated about our Services
• contact you with other relevant Services we think you might be interested in.

The following tables provide processing purposes, type and legal basis for certain uses of your Personal Data.

When you use this website (https://www.niftytest.com), BGI is the data controller:

Data Processing Purposes	Type of Personal Data	Legal Basis for Processing
Submit a request for quote or send an enquiry via the contact forms	Salutation, Name, Email, Organization, Country, species of interest, Service of Interest,  Communication and interactions information including your request details	Use upon your consent
Sign up for our newsletter	Salutation, Name, Email, Organization, Country, Species of interest, Service of interest, Communication and interactions information including your request details	Use upon your consent
Apply for position	Email address, Resume	Use upon your consent

When you use our genetic testing and sequencing services, BGI is the data processor:

Data Processing Purposes	Type of Personal Data	Legal Basis for Processing
Fill in a test request form for the purposes of conducting a genetic test	Full name, Email, Phone number, Address and contact details, Date of birth, Gender, Weight, Height, BMI, Nationality, Any clinical information necessary for the purpose of the services or tests required, such as medical history ( including any condition for which medical advice or treatment was sought, any form of consultation, investigation, prescription or treatment), Allergies, Current medication, Family medical history, Other medical test results or findings necessary for conducting genetic testing or sequencing services	Perform out obligations based on a contract concluded with you
Conduct genetic testing or sequencing services	Sample material involving genetic data, Sample name, Sample type,  Sample number, Customer name, Customer contact information	Perform out obligations based on a contract concluded with you

When you use our customer services, BGI is the data controller:

Data Processing Purposes	Type of Personal Data	Legal Basis for Processing
Sign up on our website for a BGI Customer Account (our website refers to any website owned by BGI Genomics, except for https://www.niftytest.com)	Name, Email address, Organization, Country, Business phone number, Login ID, Encrypted passwords	Use upon your consent
Submit a request for quote or send an enquiry via the contact forms on our website (our website refers to any website owned by BGI Genomics, except for https://www.niftytest.com)	Name, Email, Phone number, Region, Organization,   Communication and interactions information including your request details	Use upon your consent
Purchase insurance for genetic testing	Testee name, Telephone number, Passport/ID card number, Authorized relative of testee, Relationship with testee	Perform out obligations based on a contract concluded with you
Request us to claim insurance compensation on behalf of you	The insured’s information, Relationship between applicant and the insured, Applicant’s information, Relationship between payee and the insured, Payee’s information, Incident overview, Authorizer’s information, Claim authorization statement, Documents needed for claim application	Perform out obligations based on a contract concluded with you
Fill in a contact form or consent to have your details recorded by us at a conference/ event/ tradeshow	Title, Name, Email Address, Company name, Country, Phone Number, Service/ Field of Interest	Use upon your consent
Reply to an email from BGI that you have previously consented to be sent to you	Contact information, including Name, email address, Phone number, company name, Communication and interactions information, including your request details	Use upon your consent

When you cooperate with us , BGI is the data controller:

Data Processing Purposes	Type of Personal Data	Legal Basis for Processing
When you are our business partners and potential business partners	Contact person name, Title, Company name, Company address, Email, Phone number, The copy of company BR/CR	Perform out obligations based on a contract concluded with you
When you are our supplier and potential supplier	Contact person name, Email, Phone number, Company name, Company address, Corporate bank account and details, Nature of business, The copy of company BR/CR, The copy of QMS certificate	Perform out obligations based on a contract concluded with you

Genetic data, data concerning health, or other special categories of Personal Data under article 9 of the GDPR or other applicable laws and regulations will only be processed based on the explicit consent you provide to us.

• How Long We Keep Your Personal Data

BGI will retain the Personal Data for no longer than it is necessary for the purposes as long as needed to provide the Services requested from BGI or requested by applicable laws and regulations. Beyond the above retention period, we will delete or anonymize your Personal Data.

• How We Share and Disclose Your Personal Data

Within BGI, the Personal Data collected are only accessible to the members of BGI who, within the scope of their specific tasks, are responsible for it and whose access to these data is expressly required for the performance of their tasks.

After receiving your consent, BGI may also share the Personal Data collected with its affiliated companies, trusted third parties, suppliers and sub-contractors through which you have ordered one of our services and consented to receive your Personal Data, as well as the Insurance Company if their intervention is required.

We will never share or disclose your Personal Data without obtaining your consent unless when:

• It is directly relevant to public health or significant public interest;
• It is directly relevant to investigation, prosecution, trial and execution of judgment of crimes;
• It is for the purpose of protecting life, property or other significant legal rights and interests of Personal Data subjects or others, and it is difficult to obtain consents from such person;
• The Personal Data collected has been disclosed by the Personal Data Subject to the public actively; or
• It is otherwise provided by applicable laws and regulations.
• How Your Personal Data is Transferred

Subject to applicable local legal requirements, your Personal Data may be transferred, stored and processed outside of the country where you live or have ordered our Services from, including to our subsidiaries, affiliated companies and service providers located in other jurisdictions, and may become subject to the laws of such jurisdictions. The primary location of where your Personal Data will be stored or processed for the Services you have ordered from BGI will be stated in the governing contract and/ or the test request form.

We only provide your Personal Data to our subsidiaries, affiliated companies and services providers where it is necessary to meet the purpose for which you have submitted your Personal Data and in particular if necessary, for the provision of services and support. We take steps to ensure that BGI companies follow our data protection policy, this privacy notice and applicable local law when handling Personal Data and that service providers put in place adequate safeguards to protect the Personal Data entrusted to them, as outlined below.

• Transfer outside of EU

For Personal Data of the EU Data Subjects: BGI will implement appropriate measures to ensure that Personal Data remain protected and secure when transferred outside EU, in accordance with applicable data protection and privacy laws, such as:

• The country to which the Personal Data are transferred has benefited from an adequacy decision by the European Commission under Article 45 of the GDPR; or
• Standard data protection contractual clauses as approved by the European Commission pursuant to Article 47 of the GDPR have been established.

In the absence of the above appropriate safeguards, we will ask you for your explicit consent for cross-border transmission of your Personal Data. In the meantime, security measures such as encryption or de-identification will be adopted for the safety of your Personal Data.

• How We Protect Your Personal Data

BGI uses a variety of security measures and technologies to help protect Personal Data from unauthorised access, use, disclosure, alteration or destruction with applicable data protection and privacy laws. The following measures are taken:

• We establish a department and appoint personnel to be responsible for protection of Personal Data, conducting self-evaluation on security of Personal Data, organization of training on relevant staff, etc.
• We take practical measures to ensure that the Personal Data is minimally collected and relevant to the purposes. Your Personal Data is retained for no longer than the necessary for the purposes as long as needed to provide the Services requested from BGI or requested by applicable laws and regulations.
• We use firewalls, encryption technologies to ensure the confidentiality and security of data transmission and storage, protect data and data storage servers from attacks.
• We utilize access control mechanisms to permit only authorized access to your Personal Data. The access to Personal Data will be logged and reviewed by authorized personnel at a regular interval. In addition, personnel who have the authorized access will be required to sign confidential agreement.
• We carefully select external suppliers/ subcontractors or services providers of Personal Data processing, and will put in place a written agreement which contain the requirements of Personal Data protection.
• We organise security and privacy protection training courses and publicity activities at a regular interval to raise employees’ awareness.
• In response to potential risks, such as Personal Data breaches, damage, and loss, we have developed contingency plans and conduct regular emergency drills.
• In case of Personal Data breach, we will without undue delay inform you about the basic conditions and possible influence of the data breach, response measures that are already taken or to be taken by us, suggestions for you regarding precautions and risk control, corrective measures for you, etc. To the extent permitted by law, we will inform you about relevant situations of the Personal Data Breach in a timely manner via email, fax, telephone or push notification, or any other means of communication we deem appropriate. When it is difficult to notify every Data Subject individually, we will properly and effectively issue a public announcement.
• Your Rights

We respect your legal rights with regards to your Personal Data. Below are the rights you may exercise before us by sending an email to BGI_INTL_GDPR@bgi.com . Please note that for the sake of security, we may ask you to verify your identity before further processing your request.

• To access the Personal Data BGI holds about you: You are entitled to access and request copies of Personal Data that you provided to us, unless applicable laws provide otherwise.
• To be informed about how BGI uses your Personal Data: We strive to be transparent about how we use your data. We keep you informed as to what we do with your Personal Data through this Privacy Policy.
• To have these data rectified promptly in case of inaccuracy/incompleteness: If you find that your Personal Data processed by us is inaccurate or incomplete, you are entitled to ask us to make rectifications.
• To have your Personal Data erased in specific circumstances: You can request us to delete your Personal Data. Depending on the circumstances, BGI will have to implement the right to data deletion.
• To restrict the processing of your Personal Data: You have the right to ask us to restrict how we process your Personal Data. If you restrict our processing, we will not further process but are still permitted to store the data.
• To object to the processing of your Personal Data: You have the right to object to our processing your data when the processing is based on our legitimate interests, the exercise of official authority, direct marketing (including data aggregation), and processing for the purpose of statistics.
• The right to data portability: To the extent permitted by laws and regulations, you have the right to request for the receipt of the transfer to another firm/organization in a structured, commonly used and machine-readable form of the Personal Data provided to BGI.
• To lodge a complaint to Data Protection Authority: You have the right to lodge a complaint to the local data protection authority if your privacy rights are violated or if you have suffered as a result of the unlawful processing of your Personal Data.
• Possibility of withdrawal of the consent/ subsequent refusal to transmit Personal Data: If you wish to withdraw your previous consent or withdraw the consent to transfer of your Personal Data, you can send a written statement to BGI. BGI will respect that choice in accordance with its own legal obligations. This could mean that BGI may not be able to perform the actions necessary to achieve the purposes as set out in this Privacy Policy and affect the way in which BGI deals with you and/or for any related entities. Moreover, this withdrawal will not affect the lawfulness of processing based on consent before its withdrawal. In this case, BGI will not be responsible for any direct or indirect damage of any kind that might occur as result of the withdrawal of the consent.

However, please note that BGI is contractually obliged to retain certain information as necessary for our legitimate business interests, to comply with our legal interest, or in accordance with legislation.

• How We Process Children’s Personal Data

Although the definition of children varies according to laws and customs in different jurisdictions, we treat anyone under 16 years old (or equivalent minimum age in relevant jurisdiction) as a child.

We will only collect and process Children’s Person Information after we have obtained explicit consent of their guardian. When we find that a child’s Personal Data is collected without explicit consent of his or her guardian, we will delete the relevant data as soon as possible.

1. How This Privacy Policy Is Updated

BGI reserves the right to modify this Privacy Policy at any time in accordance with this provision. The circumstances where we may change our Privacy Policy include but not limited to: there is major change of our service mode, e.g. purpose of processing Personal Data, type of processed Personal Data, usage mode of Personal Data; major change in terms of our ownership structure, organization structure, e.g. change of owners due to business adjustment, bankruptcy, merging, etc.; change of main object to which the Personal Data is publicly disclosed, shared, or transferred; change of your rights involved in Personal Data processing and their exercises; change of our responsible department, contacts and complaint channels for security of Personal Data; when there is high risk according to the Personal Data impact assessment report, etc.

If we make major changes to this Privacy Policy, we will post the revised Privacy Policy on our website and update the “Last Updated” date at the top of this Privacy Policy.

1. Contact Us

For any privacy concern, you may, at any time, contact BGI through BGI_INTL_GDPR@bgi.com and generally you will get our reply in thirty (30) working days or such shorter period as provided by law.

Last Updated: 14^th December 2023