Privacy Policy
The protection of your personal data is of particular importance to us. We therefore process personal data exclusively on the basis of the applicable legal provisions (in particular the GDPR and the Austrian Telecommunications Act 2003). In this Privacy Policy, we inform you about the most important aspects of data processing within the scope of our website and online platform.
Important: myBioma® provides a web-based platform with a login area, including a Progressive Web App for Android – all data processing activities described below relate exclusively to the website (including the platform).
Data controller and contact
The controller responsible for data processing is Biome Diagnostics GmbH (myBioma), Handelskai 92, 1200 Vienna (Austria), Email: service@mybioma.com, Phone: +43 1 99 74 276. If you have any questions about data protection, you may contact us at any time. Our Data Protection Officer can be reached at datenschutz@mybioma.com or via the telephone number given above.
Data collected and purposes of processing
Account and Orders: If you create a myBioma customer account or place an order, we process the personal master data you provide (such as name, email address, delivery address, payment details) in order to fulfil the order and deliver your microbiome test results. During the ordering process, we also collect any necessary health-related information (e.g. responses to health questionnaires, details of age, gender, symptoms) and the results of your DNA-based stool sample analysis. These data are required for performance of the contract – without them we cannot carry out the test or produce a results report. Your personal test results are made available in your protected customer account, where you can view and manage them. The legal basis for this processing is Article 6(1)(b) GDPR (performance of a contract) and, for health data, Article 9, paragraph 2(a) GDPR (explicit consent).
Special protected health data: myBioma processes your health data (in particular questionnaire responses and microbiome analysis results) with the utmost confidentiality and solely for the purposes stated (conducting the analysis, providing the results). The processing of these sensitive data is carried out only with your express consent, which we obtain from you during the ordering process (Article 9, paragraph 2(a) GDPR). You may withdraw this consent at any time with effect for the future – in this case we will cease processing your health data (except as required by legal retention obligations) and will not conduct any new analyses. Please note that withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal.
Contact enquiries: If you contact us via the website’s contact form or by email, we process the information you provide (e.g. name, email address, enquiry content) in order to handle your request and for any necessary follow-up questions. These enquiries are retained for six months so that we can respond to any subsequent queries. These communication data are not forwarded to third parties without your consent. The legal basis for processing contact enquiries is Article 6 paragraph 1(b) GDPR (pre-contractual measures) and Article 6 paragraph 1(f) GDPR (our legitimate interest in responding to enquiries).
Newsletter: You can sign up for our newsletter on our website to receive news and offers. We only require your email address for this. We use the double-opt-in process – after signing up you will receive a confirmation email with a link which you must click to complete the subscription. For newsletter distribution we use the service providers MailChimp (The Rocket Science Group LLC, 675 Ponce de Leon Ave NE, Atlanta, GA 30308, USA) and Klaviyo Inc. (1209 Orange Street, Wilmington, Delaware 19801, USA). By subscribing, you consent to receive the newsletter (legal basis Article 6 paragraph 1(a) GDPR). You may withdraw your consent at any time by unsubscribing from the newsletter (there is a link in every email, or you can contact us directly). Upon unsubscribing, your data stored for the newsletter will be deleted immediately.
Website visits and technical data: When you visit our website, certain technical data are automatically collected, including your device’s IP address, browser type/version, operating system, referrer URL and the time of the page request. These server log data cannot be linked to a specific person and are used solely to ensure the website’s operation, IT security and to improve our offering. Such access data are evaluated only in an anonymous or pseudonymous form and are not combined with other data sources.
Cookies: Our website uses cookies, which are small text files placed on your device. Cookies do not cause any harm. We use cookies to make our website user-friendly and to enable certain functions (e.g. shopping cart, login recognition). Some cookies are essential for the operation of the site (for example session cookies, which are automatically deleted after your visit ends), while others help us to statistically record usage of the website. On the first visit to the site we ask you via a cookie banner for your consent to non-essential cookies (legal basis Article 6 paragraph 1(a) GDPR). You can delete or block cookies at any time using your browser settings. Please note that disabling certain cookies may restrict the website’s functionality.
Web analytics and marketing services
We wish to continuously improve our website and provide you with relevant content. Therefore, we use the following external web analytics and online marketing services only with your consent:
Google Analytics & Google Ads (Google LLC, USA): These services use cookies to analyse your usage of our website. The information generated (e.g. which pages you visit, click behaviour) is usually transmitted to a Google server in the USA and stored there. We have configured Google Analytics so that your IP address is anonymised by removing the last digits. Google uses this information on our behalf to evaluate website usage and to prepare reports on website activity. We have concluded a contract for data processing with Google in accordance with Article 28 GDPR. Processing is carried out depending on your consent or (if applicable) on the basis of our legitimate interest (Article 6 paragraph 1(f) GDPR) in improving our web offering. User data in Google Analytics are deleted or anonymised after 14 months.
Facebook Pixel / Instagram (Meta Platforms, USA): Our website integrates the Facebook Pixel, an analytics tool of Meta Platforms (Facebook Ireland Ltd. for EU users). This allows Facebook/Instagram to track visitor behaviour if you reached our website via a Facebook/Instagram advertisement. This helps us measure the effectiveness of our ads and to show you interest-based content. The data collected are anonymous to us (we do not see any personal data of individual users), but they may be used by Facebook for its own purposes. If you are logged into Facebook/Instagram, Facebook may associate your visit to our website with your account. Here too we rely on your consent (Article 6(1)(a) GDPR). For details on data processing by Facebook/Instagram, please refer to the Facebook/Instagram Data Policy.
For all of the above analytics and marketing tools: data transfer to third countries (especially the USA) takes place – where possible – on the basis of adequacy decisions (e.g. the EU–US Data Privacy Framework) or standard contractual clauses, to ensure an adequate level of data protection. We have also concluded data processing agreements with all providers, obligating them to comply with European data protection standards. You can refuse the use of these tools at any time via our cookie banner or the Do-Not-Track settings in your browser. Our website is also usable in principle without these analytics/marketing cookies.
Transfer of data to third parties
In general, we do not pass on your personal data to third parties unless this is necessary for contract performance, we are legally obliged to do so, or you have given your explicit consent. Below we inform you which external service providers are involved and what data they receive:
Analysis laboratory: For conducting the microbiome diagnostics, we collaborate with leading laboratory partners. Your stool sample is analysed in a certified laboratory and the data obtained are transmitted to myBioma for evaluation. Only the information necessary for the lab analysis and reporting is exchanged. The laboratory treats your samples and data confidentially and uses them solely to perform the analysis within the scope of the test you have commissioned with us.
Logistics provider (Quivo/Logsta GmbH): The shipping of test kits to you and the return shipment of samples to our laboratory are handled by our logistics partner Quivo (Quivo Fulfillment). Quivo receives the necessary shipping information (name, address) for this purpose. Quivo may use this data only for handling the delivery and not for any other purpose. We also engage postal or courier services (e.g. Austrian Post, DHL, UPS, GLS) for package delivery; these carriers use your shipping data exclusively for delivery.
Payment service providers: For payment of your order, we use external payment service providers depending on the chosen payment method. These may include credit card companies (Mastercard/Visa/etc.), PayPal, Klarna Sofort (instant bank transfer) or banks. The data required for processing the payment (e.g. purchase amount, name, payment information) are transmitted to the respective provider. The providers are independently responsible for your data; their privacy policies apply. We only transmit the minimum data necessary for processing the payment, and we receive from the payment providers only information to confirm or reject the payment.
Tax advisors and auditors: To fulfil our legal obligations (e.g. to tax authorities), it may be necessary to disclose certain data from your contractual relationship (e.g. billing data) to our tax advisor or auditor. These recipients are also bound to confidentiality and use the data only as necessary for their services to us.
Newsletter service providers (MailChimp and Klaviyo): As mentioned above, we use the providers MailChimp and Klaviyo for sending newsletters and specific updates. Both providers receive your email address and any other voluntary information if you have consented to receive the newsletter. Both providers process these data as our processors and may use them exclusively for sending our newsletter, providing status updates about your sample, and evaluating the newsletter (e.g. open and click rates), not for their own purposes.
Our service providers are carefully selected and contractually bound to process the data according to our instructions and the standards of the GDPR. They are not permitted to use or disclose your data for any other purposes. Where service providers are located outside the EU/EEA (e.g. some of the above-mentioned US providers), we ensure by means of appropriate contracts or official assurances that an adequate level of data protection is maintained.
Scientific use of your data (Consent for studies)
myBioma aims to continuously advance gut health through research. Therefore, we would like – only with your consent – to use the data obtained during your microbiome test in anonymised or pseudonymised form for scientific studies.
What does this involve?
If you consent, we may evaluate your analysis results and questionnaire data in de-identified form (without name, contact or identifying information) and make them available to selected research institutions, in order to gain insights about the microbiome and its impact on health. These data contain no information that would identify you personally; the research partners receive the data only under an identification code (pseudonym) or fully aggregated.
Voluntariness: Consent to this scientific use is voluntary. You can of course use our services and tests without consenting to research. A refusal or later withdrawal of consent has no negative effect on the performance of the contract or on receiving your results.
Revocability: You have the right to withdraw any given consent to the scientific use of your data at any time with effect for the future. Simply send us an informal notice (by email to service@mybioma.com). In the event of withdrawal, we will no longer use your data for research purposes from that point onwards. Data that have already been anonymised and included in studies cannot be removed from them; however, we will ensure that no further data of yours are included in new research projects after withdrawal.
Legal basis: The legal basis for scientific use is Article 6 paragraph 1(a) GDPR and Article 9 paragraph 2(a) GDPR (consent of the data subject). You can decide whether you want to support medical research by participating in the myBioma community – we will specifically ask for this consent during the ordering process or in your account settings.
Data retention and deletion
We store personal data only as long as it is necessary for the respective purposes and as we are legally allowed or required to do so. In detail, the following retention periods apply:
Profile data & order data: If you place an order, we keep the master and order data stored in your customer account for at least the duration of the contract. After full performance of the contract or deletion of your account, the data will initially be kept in restricted form to comply with tax and commercial law obligations. According to legal requirements, contract and billing data are kept for 7 years from the end of the year of contract fulfilment (tax retention period under Austrian law). Information about purchased products and the time of purchase is kept for 3 years to handle any potential product liability claims.
Medical data & samples: The health-related data resulting from your microbiome test (analysis results, questionnaire responses) are also stored by us for up to 10 years. This serves to make your results available to you in the long term and for medical traceability (similar to a patient record). Your submitted stool sample (DNA material) is stored in the laboratory for a maximum of 1 year and then disposed of properly.
Enquiries: Data from contact enquiries (see above) are deleted 6 months after the conclusion of the communication, provided no further retention is required.
Newsletter: Your data for newsletter distribution are stored until you cancel the subscription. After you unsubscribe from the newsletter, we delete these data promptly.
Analysis and tracking data: Data collected for web analytics or marketing purposes (see above) are deleted or anonymised according to the settings of the respective services. For example, with Google Analytics usage data are automatically deleted after 14 months. Other third-party providers also have fixed deletion periods or anonymous aggregation. More details can be found in the privacy notices of the respective providers.
After the periods mentioned above expire, we routinely delete the relevant data, provided they are no longer required for performing the contract or for asserting, exercising or defending legal claims. In cases where we process data solely on the basis of your consent, we delete those data after you withdraw your consent, provided that no other legal basis applies.
Data security
We implement comprehensive technical and organisational security measures to protect your personal data from unauthorised access, loss or misuse. All data you enter via our website are transmitted over a secure SSL connection. Storage also takes place on secure servers in Europe that conform to the current state of the art. Our employees are bound to confidentiality, and we regularly review our security measures. Please also treat your access data confidentially and close your browser window when you have finished using the myBioma platform – especially if you share your computer with others. Despite all efforts, absolute security in internet data transmission cannot be guaranteed; however, we assure you that we will protect your data with the utmost care.
Your rights as a data subject
Under the GDPR, you have the following rights regarding your personal data:
Right of access: You may request information at any time about which data we have stored about you and receive a copy of this data.
Right to rectification: If we process data that is incorrect or incomplete about you, you can request that such data be corrected or completed.
Right to erasure: You have the right to request deletion of your personal data, provided the legal conditions are met (for example, if the data are no longer needed for the purposes and no retention obligation exists).
Right to restrict processing: Under certain conditions (for example, during the examination of a contested data processing), you can request restriction of the processing of your data. In this case, apart from storage, your data will only be processed with your consent or to assert legal claims.
Right to data portability: You have the right to receive the personal data you have provided to us in a commonly used, machine-readable format, and (if technically feasible) to request that we transmit it to another controller.
Right to withdraw consent: Where we process data on the basis of your consent, you may withdraw that consent at any time with effect for the future.
Right to object: Where we process your data on the basis of legitimate interests, you have the right to object to this processing if there are reasons arising from your particular situation which speak against the data processing. You may object to direct marketing at any time, without giving reasons.
To exercise your rights, you may contact us informally (by email at service@mybioma.com or by post at the address above). Please include your name and a description of your concern. We will process your request promptly in accordance with legal requirements and will inform you of the measures taken at the latest within one month.
If you believe that our processing of your personal data violates applicable data protection law or that your data protection rights have been breached, you also have the right to file a complaint with a data protection supervisory authority. You may file a complaint with the supervisory authority of your usual place of residence, your workplace or the place of the alleged infringement. In Austria, the competent authority is the Data Protection Authority (Datenschutzbehörde), Barichgasse 40-42, 1030 Vienna.
Changes to this Privacy Policy
This Privacy Policy may be updated from time to time to reflect changes in our services or new legal requirements. We will inform you of any material changes in an appropriate manner. The current version of the Privacy Policy is always available on our website at mybioma.com/datenschutz. Please review these notices periodically, especially if you provide us with personal data.
Contact:
Biome Diagnostics GmbH
Handelskai 92, 1200 Vienna (Austria)
service@mybioma.com | +43 1 99 74 276
Our Data Protection Officer is DI Johann Steszgal, CMC, datenschutz@mybioma.com, Phone: +43 1 99 74 276.
Last updated: October 2025
