Privacy Policy

This Privacy Policy explains how (will provide later), operating www.cairna.health ("Website"), processes personal data, including genetic data, in accordance with the EU General Data Protection Regulation ("GDPR").

1. Data Controller

(will provide later)

Tartu mnt 67/1-13b, 10115 Tallinn, Estonia

Contact entity: (will provide later)

Email: (will provide later)

2. Categories of Personal Data

We may process the following categories of data:

• Identification data (name, date of birth)

• Contact details (email, address)

• Order and payment data

• Biological and genetic data submitted for testing

• Technical data (IP address, device information)

3. Legal Bases for Processing

We process personal data based on:

• Article 6(1)(b) GDPR – performance of a contract

• Article 6(1)(c) GDPR – legal obligations

• Article 6(1)(a) GDPR – consent

• Article 9(2)(a) GDPR – explicit consent for genetic data

4. Purpose of Processing

Personal and genetic data are processed solely for:

• Providing the contracted DNA/genetic Services

• Delivering reports (including PDF reports via secure email)

• Customer support and service improvement

• Compliance with legal obligations

5. Email and PDF Delivery

By consenting to the Services, you acknowledge that genetic test results may be delivered as password-protected PDF files via email. This constitutes explicit consent to electronic transmission of sensitive personal data.

6. Data Storage and Retention

Personal data is retained only as long as necessary for the purposes described.

Biological samples are destroyed after completion of Services unless extended storage is explicitly consented to.

7. Data Recipients

Data may be shared with:

• Accredited laboratories

• Technical and hosting service providers

• Regulatory authorities where legally required

All recipients are bound by confidentiality and data protection agreements.

8. International Transfers

If data is transferred outside the EEA, appropriate safeguards under Chapter V GDPR are applied.

9. Data Subject Rights

You have the right to access, rectify, erase, restrict, and port your data, and to withdraw consent at any time without affecting prior lawful processing.

10. Complaints

You may lodge a complaint with the Estonian Data Protection Inspectorate (AKI) or your local supervisory authority.