Data Retention Policy
Lifespanning
Data Retention Policy, Updated 14th November 2023
- Introduction
This Policy sets out the obligations of Lifespanning ("the Company") regarding the retention of personal data collected, held, and processed in accordance with the UK General Data Protection Regulation ("UK GDPR"), the Data Protection Act 2018, and applicable United States data protection laws and regulations, including but not limited to:
- Health Insurance Portability and Accountability Act of 1996 ("HIPAA")
- Genetic Information Nondiscrimination Act of 2008 ("GINA")
- California Consumer Privacy Act ("CCPA")
- California Privacy Rights Act ("CPRA")
- Other relevant federal and state laws
The UK GDPR and relevant US laws define "personal data" (or "personal information") as any information relating to an identified or identifiable natural person (a "data subject"). An identifiable natural person is one who can be identified, directly or indirectly, by reference to identifiers such as a name, identification number, location data, online identifier, or factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity.
Special considerations are given to "special category" personal data (also known as "sensitive" personal data). This includes, but is not limited to, data concerning a data subject’s:
- Diet
- Activity
- Location
- Race/ethnicity
- Family history
- Genetics
- Epigenetics
- Biometrics (if used for identification purposes)
- Current and historical health information
Under the UK GDPR and applicable US laws, personal data shall be kept in a form that permits the identification of data subjects for no longer than is necessary for the purposes for which it is processed. In certain cases, personal data may be stored for longer periods where it is processed for archiving purposes in the public interest, scientific or historical research, or statistical purposes, subject to appropriate safeguards.
Data subjects have rights under the UK GDPR and applicable US laws, including the right to erasure or "the right to be forgotten" (where applicable), under certain circumstances:
- When the personal data is no longer necessary for the purpose it was collected or processed.
- When the data subject withdraws consent.
- When the data subject objects to processing and there are no overriding legitimate grounds.
- When the personal data is unlawfully processed.
- When the personal data must be erased to comply with a legal obligation.
This Policy outlines the types of personal data held by the Company, the retention periods, the criteria for establishing and reviewing these periods, and the methods of deletion or disposal. For further information on data protection and compliance with the UK GDPR and applicable US laws, please refer to the Company’s Data Privacy Policy.
- Aims and Objectives
The primary aim of this Policy is to establish limits for the retention of personal data and ensure compliance with these limits, as well as adherence to data subjects' rights under the UK GDPR and applicable US data protection laws. This ensures full compliance with the Company’s obligations and the rights of data subjects.
By preventing the retention of excessive data, this Policy also aims to enhance the efficiency of data management within the Company.
- Scope
This Policy applies to all personal data held by the Company and by third-party processors acting on the Company’s behalf, in both the United Kingdom and the United States.
Personal data held by the Company is stored on third-party servers operated by Amazon Web Services (AWS), located in the United Kingdom, Ireland, and the United States.
- Data Subject Rights and Data Integrity
All personal data held by the Company is managed in accordance with the UK GDPR, the Data Protection Act 2018, and applicable US data protection laws, as detailed in the Company’s Data Protection Policy.
Data subjects are fully informed of:
- Their rights.
- What personal data the Company holds about them.
- How their personal data is used.
- How long the Company will hold their personal data (or the criteria for determining retention if no fixed period is established).
Data subjects have control over their personal data, including the rights to:
- Access: Obtain a copy of their personal data.
- Rectification: Have incorrect or incomplete data corrected.
- Erasure: Request deletion of their personal data (subject to legal obligations).
- Restriction of Processing: Restrict how the Company uses their data.
- Data Portability: Receive their personal data in a commonly used format (where applicable).
- Objection: Object to the processing of their personal data (where applicable).
- Automated Decision-Making: Not be subject to decisions based solely on automated processing, including profiling (under GDPR).
- Technical and Organisational Data Security Measures
Technical Measures:
- Email Security: All emails containing personal data must be encrypted and marked "confidential."
- Secure Transmission: Personal data may only be transmitted over secure networks. Wireless transmission should be avoided if a wired option is available.
- Data Handling: Personal data within emails should be securely stored, and the original emails and temporary files deleted.
- Facsimile Transmission: Recipients should be informed in advance and be ready to receive faxes containing personal data.
- Physical Transfer: Personal data in hardcopy form should be transferred directly to the recipient in a container marked "confidential."
- Access Control: No personal data may be shared informally. Access requires formal authorization from the Data Protection Officer.
- Secure Storage: Hard copies and electronic copies on physical media must be securely stored.
- Device Security: Computers and devices accessing personal data must be locked when unattended. Personal data should not be stored on mobile devices without written approval.
- Data Backup: Electronic personal data should be backed up daily. Backups must be encrypted and securely stored.
- Password Protection: Electronic personal data must be password-protected. Passwords should be secure, changed regularly, and not shared or written down.
- Software Updates: All software must be kept up-to-date with security patches installed promptly.
- Software Installation: No unauthorized software installations on Company devices.
- Marketing Consent: Obtain appropriate consent for using personal data in marketing. Comply with opt-out preferences and applicable laws such as the CAN-SPAM Act in the US and Privacy and Electronic Communications Regulations ("PECR") in the UK.
Organisational Measures:
- Employee Awareness: All personnel are informed of their responsibilities under the UK GDPR, the Data Protection Act 2018, applicable US laws, and the Company's Data Protection Policy.
- Access Limitation: Access to personal data is restricted to those who need it for their roles.
- Training and Supervision: Employees handling personal data receive appropriate training and supervision.
- Confidentiality: Personnel must exercise care and caution when discussing personal data.
- Regular Reviews: Methods of data handling are regularly evaluated and reviewed.
- Performance Evaluation: Employee performance related to data protection responsibilities is regularly evaluated.
- Contractual Obligations: Contracts with employees and third parties include compliance requirements with the UK GDPR, the Data Protection Act 2018, applicable US laws, and the Company’s Data Protection Policy.
- Indemnity: Third parties failing to meet data protection obligations must indemnify the Company against resulting liabilities.
- Data Disposal
Upon the expiration of retention periods or a data subject's request for erasure, personal data will be securely deleted or destroyed in compliance with the UK GDPR, the Data Protection Act 2018, and applicable US laws:
- Electronic Data: Secure deletion of personal data and special category data, including all backups.
- Physical Data: Shredding of hard copy personal data and special category data.
- Data Retention
The Company retains personal data only as long as necessary for the purposes for which it was collected, in compliance with the UK GDPR, the Data Protection Act 2018, and applicable US laws. Retention periods are regularly reviewed, considering:
- The Company's objectives and requirements.
- The nature of the personal data.
- The purposes of data collection and processing.
- The legal basis for processing.
- The data subject categories.
Data may be retained longer for archiving in the public interest, scientific or historical research, or statistical purposes, with appropriate safeguards.
Retention Schedule:
Type of Data | Purpose of Data | Review Period | Retention Period or Criteria
Personal data including: | To identify and provide services to a person | Annually | Retained until the individual requests deletion, or as required by law. Certain data may be anonymized, encrypted, and used for ongoing epigenetic and DNA medical research projects, in compliance with applicable laws.
Special category/sensitive personal data including: | To provide nutrition, health, and fitness recommendations | Annually | Retained until the individual requests deletion, or as required by law. Special category data may be anonymized, encrypted, and used for ongoing epigenetic and DNA medical research projects, in compliance with HIPAA, GINA, and other applicable laws.
- Roles and Responsibilities
The Company’s Data Protection Officer (DPO) is responsible for overseeing the implementation of this Policy and ensuring compliance with the UK GDPR, the Data Protection Act 2018, and applicable US data protection laws.
Responsibilities:
- Compliance Monitoring: Ensure adherence to data retention periods and data protection policies.
- Guidance: Provide advice on data protection matters.
- Point of Contact: Serve as the contact for data subjects and regulatory authorities, such as the Information Commissioner's Office (ICO) in the UK and relevant regulatory bodies in the US.
- Training: Oversee training of staff involved in data processing activities.
- Data Breach Management: Coordinate response to data breaches in accordance with legal requirements.
Questions regarding this Policy or data protection should be directed to the DPO.
- Implementation of Policy
This Policy is effective as of 14th November 2023. It is not retroactive and applies only to matters from this date forward.
Approved and Authorized by:
Jean Fallacara, CEO