Privacy Notice
1. Introduction
1.1. GENECAST INNOTECH PTE. LTD. (hereinafter referred to as "we", "us", "our", or the "Company"), a genetic testing laboratory incorporated in Singapore, is committed to protecting your privacy and the confidentiality of your Personal Data. This Data Protection Notice (the "Notice") outlines the obligations, policies, and practices of the Company regarding the collection, use, disclosure, storage, protection, access, and correction of your Personal Data in accordance with the Singapore Personal Data Protection Act 2012 (No. 26 of 2012) (the "PDPA") including the Personal Data Protection (Amendment) Act 2020 and other applicable laws.
1.2. This Notice applies to all Personal Data in the possession or under the control of the Company, whether collected before, on, or after the effective date of this Policy, relating to past, present, or prospective customers, service recipients, website visitors, clinical trial participants, business partners, vendors, and any other individuals who interact with us (collectively, "you" or "your").
1.3. Consent and Agreement: By interacting with us, submitting information to us, signing up for or using any of our products or services (including genetic testing, analysis, counselling, and research participation), visiting our website, or by any other act of voluntary provision of data, you:
(a) acknowledge that you have read and understood this Notice;
(b) agree and consent to the Company, its related corporations, affiliates, authorized service providers, agents, and representatives (collectively, the "Company Group") collecting, using, disclosing, and sharing your Personal Data in the manner set forth herein; and
(c) agree to be bound by the terms of this Notice.
1.4. This Notice supplements but does not supersede or replace any other consents you may have previously provided to us. Your consents herein are in addition to any rights we may have at law to collect, use, or disclose your Personal Data.
2. Definitions and Interpretation
2.1. "Personal Data" means data, whether true or not, about an individual who can be identified (a) from that data; or (b) from that data and other information to which the organisation has or is likely to have access. Common examples include name, NRIC/FIN/Passport number, contact information, and genetic data.
2.2. "Sensitive Personal Data" refers to Personal Data that is subject to stricter protection requirements, including but not limited to: data about an individual's physical or mental health, genetic information, biometric data for the purpose of uniquely identifying an individual, Personal Data relating to children and any other category specified by the PDPC as requiring enhanced safeguards.
2.3. "Data Protection Officer" (DPO) means the individual(s) appointed by the Company to oversee data protection responsibilities and ensure compliance with the PDPA.
2.4. Words importing the singular include the plural and vice versa.
3. Collection of Personal Data
3.1. General Collection: We may collect your Personal Data directly from you or indirectly through various means, including but not limited to:
Our websites and mobile applications.
Service registration forms, test requisition forms, and informed consent documents.
Correspondence (e.g., letters, emails, chat logs).
Telephone calls (which may be recorded for quality and training purposes, as notified at the beginning of the call).
Participation in clinical studies, research collaborations, surveys, seminars, or marketing events.
Third-party sources (e.g., referring healthcare professionals, public databases) where you have consented to such disclosure or it is permitted by law.
3.2. Types of Personal Data Collected: The specific types of Personal Data we collect depend on the nature of your interaction with us. They may include, but are not limited to, the following non-exhaustive categories:
A. Personal Identifiers & Biographical Data:
Full Name (including alias)
Date of Birth
Gender
National Identification Numbers (NRIC, FIN, Passport)
Nationality / Citizenship
Photographs and Video Images (e.g., from identification documents or events)
B. Contact Information:
Residential and/or Mailing Address
Telephone Numbers (Mobile, Home, Office)
Email Address(es)
Emergency Contact Details
C. Financial and Transactional Data:
Bank Account Details for payment/refund
Credit/Debit Card Information (processed via secure gateways)
Billing Address and Invoice History
Insurance Policy Information and Pre-authorization Details
Payment Transaction Records
D. Health, Genetic, and Medical Data (Core to our Services):
Medical History, Diagnosis, and Treatment Information
Prescription Details
Family Medical History (where provided)
Biospecimen Data: Type (blood, saliva, tissue), Collection Date/Time, Unique Sample Identifiers
Genetic/Genomic Data and Analysis Results
Laboratory Test Reports and Interpretations
Clinical Notes and Counsellor Summaries
Research Participant Information and Study-Specific Consent Forms
Adverse Event Reports
Data from Wearable Devices or Health Apps (with explicit consent)
E. Digital and Technical Data:
IP Address
Device Identifiers (e.g., IMEI, MAC address)
Browser Type, Version, and Language
Operating System
Cookies and Similar Tracking Technology Data (see Section 9)
Website/App Usage Data: Pages visited, Time Spent, Clickstream Data
Log Files and Access Timestamps
F. Professional and Demographic Data (Optional, where relevant):
Occupation, Job Title, Employer
Professional Qualifications and Certifications
3.3. Collection of Sensitive Personal Data: We recognise the heightened sensitivity of genetic and health data. The collection and use of such Sensitive Personal Data will be conducted with explicit, informed consent (or parental/guardian consent for minors), for clear and specific purposes, and with enhanced security measures as detailed in Sections 4 and 8.
3.4. Providing Personal Data Belonging to Others: If you provide the Personal Data of another individual (e.g., a family member for whom you are arranging testing), you represent and warrant that you have (i) obtained the necessary consent from that individual for the collection, use, and disclosure of their Personal Data by us as described in this Notice, and (ii) provided them with a copy of this Notice.
3.5. Personal Data relating to Children: Our websites are not directed at, nor intended to attract, children under the age of 18 years old. We do not knowingly collect personal information from children under the age of 18 years old or request such information from them.
4. Purposes for Collection, Use, and Disclosure
We collect, use, and disclose your Personal Data only for purposes that a reasonable person would consider appropriate in the circumstances and which have been notified to you. These purposes include, but are not limited to:
4.1. Primary Service Delivery & Administration:
To provide, process, administer, and manage the genetic testing and related services you have requested (e.g., sample collection, laboratory analysis, report generation).
To verify your identity and eligibility for services or programs.
To communicate with you regarding your service account, test status, appointments, and results delivery.
To provide post-test genetic counselling and support services.
To process payments, refunds, and handle billing enquiries.
To manage our contractual relationship with you.
4.2. Customer Service, Quality & Business Operations:
To respond to your enquiries, requests, feedback, or complaints.
To conduct quality control, audits, and service improvement initiatives.
To train our staff and monitor service standards (including call recordings).
To protect the security of our premises, personnel, and information systems (including CCTV).
For internal record-keeping, accounting, and business analytics.
4.3. Compliance, Legal, and Regulatory Obligations:
To comply with applicable laws, regulations, court orders, or lawful requests from government, regulatory, or law enforcement agencies (including the Ministry of Health, Singapore).
To establish, exercise, or defend legal claims.
To conduct internal investigations or audits.
To comply with retention requirements for medical and health records as stipulated by Singapore law.
4.4. Research and Development (with Appropriate Safeguards):
To conduct scientific research, data analysis, and method development to advance the field of genetics and improve our services. This will typically involve the use of de-identified or anonymised data. Where identifiable data is used for research, separate and specific informed consent will be obtained.
To participate in or collaborate on multi-centre clinical studies or research projects.
4.5. Marketing and Communications (with Consent/Opt-Out):
To send you marketing, promotional, and informational materials about our services, events, and scientific developments via postal mail, email, SMS, or telephone, only if you have given us your separate, clear, and unambiguous consent. You may opt out of such communications at any time (see Section 11.5).
4.6. Business Transfers:
In connection with any proposed or actual merger, acquisition, sale of assets (including our business or database), financing, or restructuring, subject to confidentiality agreements.
5. Disclosure of Personal Data to Third Parties
5.1. We do not sell, rent, or trade your Personal Data to third parties for their marketing purposes.
5.2. We may disclose your Personal Data to the following categories of third parties where necessary for the purposes outlined in Section 4, and always subject to appropriate confidentiality and data protection obligations:
A. Within the Company Group: To our related corporations, affiliates, and subsidiaries for centralized administrative, operational, and service delivery purposes.
B. Authorized Service Providers & Agents (Data Intermediaries): We engage third parties to perform functions on our behalf. Disclosure is limited to what is necessary for them to perform their contracted services. These include:
Laboratory & Scientific Partners: Referral laboratories for specialized tests, sequencing service providers, bioinformatics analysis partners.
IT & Cloud Service Providers: Hosting providers, data center operators, software vendors, cybersecurity firms.
Professional Service Providers: Lawyers, auditors, consultants, insurers.
Operational Support Providers: Courier and logistics companies for sample transport, payment gateway providers, printing and mailing houses, customer relationship management (CRM) platform providers.
Marketing & Communications Agencies: Only where you have consented to marketing communications.
C. Healthcare Professionals & Institutions: To the referring doctor, clinic, or hospital that ordered the test or is involved in your care, for the purpose of diagnosis, treatment, and continuity of care, unless you have explicitly objected.
D. Governmental & Regulatory Authorities: As required by law to agencies such as the Ministry of Health, Singapore, the Health Sciences Authority (HSA), or other competent bodies.
E. Potential Transaction Counterparties: To a prospective buyer, investor, or successor entity in the event of a business transfer as per Section 4.6.
5.3. Contractual Safeguards: Prior to engaging any third-party service provider (whether located in Singapore or overseas) that will handle Personal Data on our behalf, we conduct due diligence to assess their data protection capabilities. Our contracts with them mandate that they:
(a) Use the data only for the specified purposes and in accordance with our instructions;
(b) Implement appropriate technical and organizational security measures;
(c) Comply with confidentiality obligations; and
(d) Notify us promptly of any data breach.
We regularly review their compliance.
6. Transfer of Personal Data Outside Singapore
6.1. In the course of our operations, your Personal Data may be transferred to and stored in countries outside Singapore ("Overseas Transfer"). This may occur, for example, when:
Our cloud servers or IT service providers are located overseas.
We engage an overseas laboratory for specialized testing or collaborative research.
Our affiliated companies in other jurisdictions require the data for centralized functions.
6.2. We will ensure that any Overseas Transfer is performed in compliance with the PDPA's transfer limitation obligation. Our safeguards include:
Transferring data only to countries/territories recognised by the PDPC as having comparable data protection laws; or
Entering into legally binding agreements (e.g., data transfer agreements incorporating standard contractual clauses or binding corporate rules) with the recipient to provide a standard of protection comparable to the PDPA.
Conducting risk assessments of the destination country's legal framework and the recipient's practices.
6.3. By using our services, you acknowledge and consent to the possibility of such Overseas Transfers to countries which may include, but are not limited to: The United States of America, The United Kingdom, Member States of the European Economic Area, India, Australia, Japan, Indonesia, Thailand, Malaysia, Philippines, Middle East, Korea, Vietnam, Central Asia, Latin America, Canada, Africa, Türkiye, Hong Kong (China) and China (Mainland).
7. Protection and Security of Personal Data
7.1. We implement a comprehensive set of physical, technical, and administrative safeguards to protect your Personal Data from unauthorized access, collection, use, disclosure, copying, modification, disposal, or similar risks.
7.2. Security Measures (Illustrative):
Physical Security: Controlled access to our facilities, secure storage for physical records, and destruction of physical media.
Technical Security: Encryption of data in transit (using TLS/SSL) and at rest for sensitive data; firewalls, intrusion detection/prevention systems; secure coding practices; regular vulnerability assessments and penetration testing; stringent access controls based on the principle of least privilege; multi-factor authentication for critical systems.
Administrative Security: Regular data protection training for employees; clear internal data handling policies; confidentiality agreements with employees and contractors; a designated DPO and incident response team; regular reviews of security policies and practices.
7.3. Special Protection for Sensitive Data: Genetic and health data are accorded the highest level of security. Access to such data is strictly limited to authorized personnel who require it for their specific job functions (e.g., geneticists, counsellors, authorized lab personnel).
7.4. Limitation of Liability: While we employ commercially reasonable efforts to secure your data, please be aware that no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security against all breaches. You provide your data at your own risk. We do not warrant that your Personal Data will never be accessed, disclosed, altered, or destroyed in a breach of our safeguards.
7.5. Data Breach Notification: While we have implemented stringent security measures, in the event of a personal data breach that is likely to result in significant harm, we will assess and notify the affected individuals as well as the Personal Data Protection Commission (PDPC) as required under the PDPA, as soon as practicable.
8. Accuracy of Personal Data
8.1. We endeavour to ensure that the Personal Data we hold about you is accurate, complete, and up-to-date for the purposes for which it is used.
8.2. Your Role: You are responsible for ensuring that the information you provide to us is accurate and current. Please inform us promptly of any changes to your Personal Data (e.g., change of address, phone number) by contacting our DPO.
8.3. Our Verification: Where necessary, we may verify the information you provide against pre-existing records or require supporting documents (e.g., for identity or proof of address).
9. Cookies and Tracking Technologies
9.1. Our websites and applications use cookies and similar technologies (e.g., web beacons, pixels) to enhance functionality, analyze trends, administer the site, track users' movements around the site, and gather demographic information.
9.2. Types of Cookies Used:
Essential/Strictly Necessary: Required for basic site operation (e.g., secure login). Cannot be disabled.
Performance/Analytical: Collect anonymous data on how visitors use our site (e.g., Google Analytics). Helps us improve.
Functionality: Remember your preferences (e.g., language, region) to personalize your experience.
Targeting/Advertising: Used to deliver ads relevant to you (we use these sparingly and typically with your separate consent).
9.3. Consent and Control: In accordance with best practices, we implement a cookie consent banner. You can manage your cookie preferences via the banner or your browser settings. Disabling cookies may affect website functionality.
10. Retention of Personal Data
10.1. We retain your Personal Data only for as long as is necessary to fulfill the purposes for which it was collected, or as required or permitted by applicable laws and regulations.
10.2. Retention Periods: Retention periods vary depending on the data type and purpose:
Genetic and Health Data: Retained in accordance with statutory requirements for medical records in Singapore (or as per MOH guidelines) and for legitimate scientific or business purposes.
Financial and Transaction Records: Retained for the number of years required by accounting and tax laws.
Marketing Data: Retained as long as you remain subscribed, or for a short period after you opt out for record-keeping.
10.3. Disposal: Upon expiry of the retention period, or when the data is no longer needed, we will securely destroy or anonymize the Personal Data using industry-standard methods to prevent recovery.
11. Your Rights and Choices (Access, Correction, Withdrawal)
11.1. Right to Access: You have the right to request access to a copy of your Personal Data held by us. We will provide the data within 30 days, or notify you of an extension. The PDPA permits us to charge a reasonable fee for the cost of responding to an access request.
11.2. Right to Correction: You have the right to request correction of any error or omission in your Personal Data. We will correct it as soon as practicable, or provide reasons if we do not make the correction. Correction requests are generally processed free of charge.
11.3. Identity Verification: To protect your privacy, we will need to verify your identity before processing any access or correction request. This may require you to provide specific identifiers.
11.4. Withdrawal of Consent: You may withdraw your consent for the collection, use, or disclosure of your Personal Data at any time by giving reasonable notice to our DPO. Please note:
Withdrawal may affect our ability to continue providing you with certain services or fulfill contractual obligations, and may result in the termination of your relationship with us.
Withdrawal does not affect our right to continue collecting, using, or disclosing Personal Data where permitted or required without consent under the PDPA or other laws.
Withdrawal may not be retrospective.
11.5. Opting Out of Marketing: You can opt out of receiving marketing communications from us at any time by:
Clicking the "unsubscribe" link in any marketing email.
Contacting our DPO using the details in Section 13.
11.6. Do Not Call (DNC) Registry: If your Singapore telephone number is registered with the DNC Registry, we will not send you promotional telemarketing messages unless you have given us clear and unambiguous consent to do so.
12. Data Protection Officer (DPO) and Contact Details
12.1. We have appointed a Data Protection Officer who is responsible for ensuring our compliance with the PDPA and this Notice.
12.2. If you have any questions, concerns, feedback, or requests regarding this Notice or your Personal Data, including requests for access, correction, or withdrawal of consent, please contact our DPO:
Email: DPO@genecast.com.sg
13. Notice Updates and Governing Law
13.1. Updates: We may revise this Notice from time to time to reflect changes in our practices, technology, legal requirements, or business needs. The updated version will be posted on our website with a new "Last Updated" date. Material changes that affect your rights will be communicated to you via email or a prominent notice on our website. Your continued use of our services after such changes constitutes your acceptance of the updated Notice.
13.2. Governing Law and Dispute Resolution: This Notice shall be governed by and construed in accordance with the laws of the Republic of Singapore. You agree to submit to the non-exclusive jurisdiction of the courts of Singapore in the event of any dispute arising out of or in connection with this Notice.
13.3. Precedence: In the event of any inconsistency between the English version of this Notice and any translation, the English version shall prevail.
Last Updated: 1 January 2026