Fortuna Helix Privacy Policy
Effective Date: May 14, 2025
1. Introduction
At Fortuna Helix, Inc. ("Company," "we," "us," or "our"), we are committed to protecting your privacy and ensuring the security of your personal information and genetic data. This Privacy Policy explains how we collect, use, store, share, and protect your information when you use our genetic testing services, including DNA analysis, health risk assessment reports, lifestyle recommendations, and related offerings (collectively, the "Services"), provided through our website (www.fortunahelix.com) or mobile applications.
This Privacy Policy is designed to comply with our ISO 27001 certification, the international standard for Information Security Management Systems (ISMS), and aligns with our Terms of Service. If you have questions or concerns, contact us at support@fortunahelix.com.
2. Information We Collect
We collect the following categories of information to provide and improve the Services:
2.1 Personal Information
- Contact Information: Name, email address, phone number, and shipping address (for sending sample collection kits).
- Account Information: Username, password, and account preferences.
- Payment Information: Credit card details or other payment method data, processed securely by third-party payment providers.
- Health and Lifestyle Information: Optional data you provide, such as age, gender, family health history, or lifestyle details (e.g., diet, exercise habits), to enhance your reports.
2.2 Genetic Data
- DNA Sample: Information derived from your saliva sample, including raw DNA sequence data and polygenic risk scores (PRS) for 37 major diseases and BMI-related obesity risks.
- Derived Data: Analytical results, such as health risk assessments and lifestyle recommendations, generated from your genetic data.
2.3 Usage Data
- Device Information: IP address, browser type, operating system, and device identifiers.
- Service Interaction: Pages visited, features used, time spent on the Services, and clickstream data.
- Cookies and Tracking: We use cookies and similar technologies to improve functionality, analyze usage, and personalize content. You can manage cookie preferences through your browser settings.
2.4 Other Information
- Support Communications: Information you provide when contacting our support team (e.g., emails, chat logs).
- Surveys and Feedback: Optional responses to surveys or feedback forms to improve our Services.
3. How We Use Your Information
We use your information to:
- Provide the Services:
  - Process your DNA sample and generate health risk assessment reports.
  - Deliver personalized lifestyle recommendations.
  - Manage your account and process payments.
- Improve the Services:
  - Analyze usage data to enhance functionality and user experience.
  - Conduct internal research to refine our genetic testing algorithms.
- Communicate with You:
  - Send Service-related notices (e.g., account updates, security alerts).
  - Respond to your inquiries or support requests.
  - Provide promotional offers, newsletters, or surveys (with your consent, where required).
- Research (Optional):
  - Use de-identified genetic data to advance scientific knowledge or improve our Services, as described in Section 6.
  - You may opt out of research use without affecting your access to the Services.
- Ensure Security and Compliance:
  - Detect and prevent fraud, unauthorized access, or illegal activities.
  - Comply with legal obligations, such as responding to court orders.
4. Data Protection and Security
We prioritize the security of your personal information and genetic data, adhering to ISO 27001 standards and leveraging Amazon Web Services (AWS) for secure hosting.
4.1 ISO 27001 Compliance
Our ISO 27001-certified ISMS includes:
- Risk Assessments: Regular evaluations to identify and mitigate security threats.
- Encryption: Data is encrypted in transit (TLS 1.2 or higher) and at rest (AES-256).
- Access Controls: Multi-factor authentication and role-based access limit data exposure to authorized personnel only.
- Audits: Annual third-party audits ensure compliance with ISO 27001 requirements.
- Incident Management: A robust process for detecting, responding to, and reporting security incidents.
4.2 AWS Hosting
Your data is stored in AWS U.S. data centers, which provide:
- Physical Security: 24/7 monitoring, restricted access, and environmental controls.
- Network Security: Firewalls, DDoS protection, and intrusion detection systems.
- Redundancy: Backups and disaster recovery mechanisms to ensure data availability.
- ISO 27001 Alignment: AWS's infrastructure supports our compliance with ISO 27001 standards.
4.3 Data Minimization
We collect only the information necessary to provide the Services and retain it only as long as needed to fulfill the purposes outlined in this Policy or as required by law.
4.4 Data Breach Response
In the event of a data breach, we will:
- Investigate and mitigate the issue promptly.
- Notify affected users within 72 hours of discovery, or as required by law.
- Provide guidance on protective steps, such as monitoring for identity theft.
5. How We Share Your Information
We do not sell your personal information or genetic data. We may share your information in the following circumstances:
- Service Providers:
  - Third-party vendors (e.g., laboratories for DNA analysis, payment processors, cloud storage providers) process data on our behalf.
  - These providers are bound by contracts requiring ISO 27001-compliant security measures and confidentiality.
  - A list of key service providers is available upon request at support@fortunahelix.com.
- Research Partners (De-Identified Data Only):
  - We may share de-identified genetic data with academic or healthcare partners for research, as described in Section 6.
  - De-identified data cannot be linked to you.
- Legal Obligations:
  - We may disclose your information to comply with applicable laws, regulations, or legal processes (e.g., subpoenas, court orders).
  - We will notify you of such disclosures unless prohibited by law.
- Business Transfers:
  - In the event of a merger, acquisition, or sale of assets, your information may be transferred to the successor entity, subject to equivalent privacy protections.
- With Your Consent:
  - We may share your information for other purposes if you provide explicit consent.
6. Research Use of De-Identified Data
We may use de-identified genetic data to improve our Services or contribute to scientific research, such as:
- Enhancing polygenic risk score accuracy.
- Developing new genetic testing methods.
- Collaborating with research institutions to study disease predispositions.
De-Identification Process:
- We remove all personally identifiable information (e.g., name, email, address) using industry-standard anonymization techniques.
- De-identified data is aggregated to prevent re-identification.
Opt-Out:
- Participation in research is optional. You can opt out at any time via your account settings or by emailing support@fortunahelix.com.
- Opting out does not affect your access to the Services.
7. Your Rights and Choices
You have the following rights regarding your information:
- Access: Request a copy of your personal information and genetic data in a portable format.
- Correction: Update inaccurate or incomplete information.
- Deletion: Request deletion of your data, subject to legal retention requirements (e.g., financial records).
- Opt-Out:
  - Decline research use of your de-identified data.
  - Opt out of marketing communications via email preferences or by contacting us.
- Withdraw Consent: Stop the processing of your genetic data by requesting account deletion.
To exercise these rights, email support@fortunahelix.com with your request. We will respond within 30 days, or sooner if required by law. We may verify your identity to protect your data.
8. Data Retention
We retain your information as follows:
- Personal Information: Kept for as long as your account is active or as needed to provide the Services.
- Genetic Data: Retained until you request deletion or withdraw consent, unless required by law (e.g., for audit purposes).
- Usage Data: Aggregated and anonymized after 12 months of inactivity.
Upon account deletion, we securely erase your data within 30 days, except where retention is required by law. De-identified data used for research may be retained indefinitely but cannot be linked to you.
9. Cookies and Tracking Technologies
We use cookies and similar technologies to:
- Authenticate users and maintain session security.
- Analyze Service usage and improve performance.
- Personalize content and ads (with your consent).
Cookie Types:
- Essential Cookies: Required for core functionality (e.g., login, payment processing).
- Analytics Cookies: Track usage patterns to optimize the Services.
- Marketing Cookies: Deliver personalized ads or promotions.
Your Choices:
- Manage cookie preferences through your browser settings or our cookie consent tool.
- Disabling cookies may limit some Service features.
10. International Users
The Services are hosted in the United States and designed for U.S. residents. If you access the Services from outside the U.S.:
- Your data will be processed and stored in AWS U.S. data centers, subject to ISO 27001 standards.
- You are responsible for complying with local data protection laws.
- We do not guarantee compliance with non-U.S. regulations.
11. Children's Privacy
The Services are not intended for individuals under 18. We do not knowingly collect personal information from minors. If you believe we have collected a minor's data without parental consent, contact us at support@fortunahelix.com, and we will delete it promptly.
12. Changes to This Privacy Policy
We may update this Privacy Policy to reflect changes in our practices, technology, or legal requirements. We will notify you of material changes at least 30 days in advance via email or in-Service notifications. Continued use of the Services after the effective date constitutes acceptance of the updated Policy.
13. Contact Us
For questions, requests, or complaints, contact our Privacy Officer at:
- Email: support@fortunahelix.com
- Phone: (+82) 2-6008-0647 (Monday–Friday, 9 AM–5 PM KST); (888) 555-1234 (Monday–Friday, 9 AM–5 PM KST)
- Mail: Fortuna Helix, Inc., Seoul BioHub Global Center #502, 117-3, Hoegi-ro, Dongdaemun-gu, Seoul, South Korea
We aim to respond within 48 hours. If you are not satisfied with our response, you may file a complaint with your local data protection authority.
14. Commitment to Ethical Data Use
Fortuna Helix is dedicated to the responsible and ethical handling of your data. We strive to:
- Provide transparency about our data practices.
- Empower you with control over your information.
- Use de-identified data to advance genetic research while prioritizing your privacy.