Privacy Statement BioRithm app – Swiss Vitality Clinics

Last updated on April 9, 2025


Introduction

This is the privacy and cookie statement (hereafter: statement) of Swiss Vitality Clinics for the BioRithm app (hereafter: Swiss Vitality Clinics), located in Baden-Baden with offices at Lichtentaler Straße 27, (76530) Baden-Baden, Germany.

This statement applies to all processing of personal data of users of Swiss Vitality Clinics. ‘Personal data’ refers to all data about an identified or identifiable natural person (hereinafter also: data). Users of Swiss Vitality Clinics include all customers of its products and services, such as intermediaries and end users, small and large customers, as well as visitors to its websites. The user hereby declares to have read this statement.

All processing of personal data is subject, among other things, to privacy laws and regulations, including the General Data Protection Regulation (hereinafter: GDPR) and applicable national legislation. We are responsible for ensuring that all data processing complies with these laws and regulations.

We believe it is important that our services are reliable and transparent. Therefore, we handle our users’ data discreetly and carefully.

This statement provides information about how we handle the data we process from our users. Additionally, we provide information about our security policy and the user’s rights.


Position of Swiss Vitality Clinics

Swiss Vitality Clinics is the controller for the processing of user data if and insofar as Swiss Vitality Clinics itself determines the purposes and means of data processing. Examples include data processing in the context of offering products and services, such as performing DNA tests, analyzing DNA, and delivering DNA reports to users.

Swiss Vitality Clinics is a processor if and insofar as it processes data on behalf of third parties. Those third parties are then the controllers. Swiss Vitality Clinics enters into a data processing agreement with controllers, which, among other things, regulates security, confidentiality, and user rights. This statement does not apply when Swiss Vitality Clinics acts as a processor.


What Does Swiss Vitality Clinics Do Primarily?

Swiss Vitality Clinics primarily performs DNA tests, analyzes DNA, and delivers DNA reports to users via the BioRithm app.

Deoxyribonucleic acid (hereinafter: DNA) is a molecule that functions as the main carrier of genetic information in organisms, including humans. A DNA strand is essentially a collection of nearly all your hereditary information, built from smaller segments called genes. Each gene contains the information for the specific formation of a protein, passing on all your hereditary traits like hair and eye color.

DNA is present in every cell of all humans, animals, plants, and fungi. DNA forms the blueprint for the existence of organisms. While much human DNA is the same, certain sections differ from person to person. These are DNA variants.

Some variants can be used to analyze where your ancestors come from or whether you are related to someone. Other variants increase the likelihood of specific traits or diseases. Often, a single variant has little effect, or multiple variants influence health or characteristics. Sometimes, little evidence exists that a variant is the cause of a trait or disease, requiring further research.

Swiss Vitality Clinics’ DNA tests can be purchased online. Upon purchase, you receive a kit with instructions. You must provide some biological material in the form of saliva and send it to Swiss Vitality Clinics.

Swiss Vitality Clinics then sends the biological material to a certified laboratory where the DNA is extracted using high-quality equipment. Over 700,000 different DNA variations are mapped (single-nucleotide polymorphisms, or SNPs, pronounced ‘snips’). These are the raw DNA data.

The laboratory returns the raw DNA data to Swiss Vitality Clinics, which analyzes them and produces an individual report with results on various health topics such as personal characteristics, drug sensitivity, and genetic predispositions to certain conditions.


Purposes and Legal Grounds for Data Processing

Swiss Vitality Clinics only processes data for clearly defined, explicitly described, and legitimate purposes and based on legal grounds, as described below. A legal ground is the basis provided by law for processing specific user data for particular purposes.

Creating, Using, and Managing an Account

For the creation, use, and management of an account related to ordering products and services from Swiss Vitality Clinics via the BioRithm app. Legal ground: necessity for the execution of the agreement.

Ordering Products and Services

For ordering kits and related payments. Legal ground: necessity for the execution of the agreement.

Performing DNA Tests, Analyzing DNA, and Delivering DNA Reports

Processing genetic data only with user consent, as these are considered special categories of data under GDPR and require explicit consent.

Visiting and Using Websites and/or Apps

Legal ground depends on the purpose; see the section on cookies.

Direct Marketing

Sending commercial communications (direct marketing), such as newsletters, email marketing, or advertisements. If electronic contact details were obtained in connection with product/service sales, they may be used for marketing similar products/services. Users can always object to such use. Legal ground: legitimate interest.

Administrative or Fiscal Purposes

For compliance with administrative or fiscal obligations, e.g., tax authorities. Legal ground: necessity to comply with legal obligations or legitimate interest.

Requests for Information, Questions, and/or Complaints

Legal ground depends on purpose: necessity for contract execution, legitimate interest, or compliance with legal obligations.


Data Processed by Swiss Vitality Clinics

Swiss Vitality Clinics ensures that the processed data are adequate, relevant, and limited to what is necessary. The following data categories are processed:

Account Creation, Use, and Management

To create an account, users must provide their data. Data processed during registration and use of the BioRithm app:

  • Tube code (a unique, randomly generated anonymous code, entered on the return sticker)
  • Year of birth (not month or day)
  • Ethnicity
  • Country of origin
  • App language setting
  • Meta-information (e.g., device OS, OS version, app version, push tokens)
  • Optional: Email address (for push emails, account recovery, delivery of DNA reports; email is not stored for this purpose)

Users may consent to sharing data with certified professionals (e.g., hospital doctors) via a code connection in the app.

Ordering Products and Services

  • Name, address, and residence
  • Email address for tracking
  • Payment details

Kits are ordered online and delivered to the provided address.

Performing DNA Tests, Analyzing DNA, and Delivering DNA Reports

Step 1: User provides biological material (saliva) and sends it in a tube with the tube code.

Step 2: On receipt, Swiss Vitality Clinics processes:

  • Biological material
  • Tube code (not linked to other user data, so identity remains unknown)

Step 3: Sent to a certified laboratory with:

  • Biological material labeled with tube code and barcode

Step 4: Swiss Vitality Clinics receives:

  • Genome studio file mapping the material per tube code in SNPs

Step 5: Swiss Vitality Clinics processes:

  • SNPs, tube code, year of birth, ethnicity, country of origin, app language

Reports include results about traits (e.g., food intolerance), drug sensitivity, genetic predispositions.

Website/App Visits

Servers may store visit data: URL, IP address, browser type, browser language, date/time, click/usage data (see Cookies section).

Direct Marketing

For commercial communications: email, first/last name, address, phone number.

Administrative or Fiscal Purposes

Data necessary for obligations, e.g., account number, name.

Requests for Information, Questions, Complaints

Data provided for the request, e.g., name, address, phone, email.


Third Parties Processing Your Data

In principle, Swiss Vitality Clinics does not share your data with third parties. However, data may be shared in the following situations:

  • With affiliated companies, subsidiaries, operational groups if necessary for the above purposes.
  • With processors (e.g., IT suppliers) acting under Swiss Vitality Clinics’ instructions.
  • With partner laboratories.
  • If the user consents in-app to data sharing with a certified professional.
  • With employees for task execution, with access only as necessary, under confidentiality.
  • When required by law, court order, or in legal proceedings.
  • In business transactions (e.g., merger, bankruptcy).
  • If consent is required, Swiss Vitality Clinics will request it.
  • Processors must comply with Swiss Vitality Clinics’ data protection policies.

Cookies

If we use cookies to collect, combine, or analyze your website and app usage data to offer a better experience, we process your data. For every data processing activity, a legal ground applies and this privacy statement is applicable.


Links to Other Parties

Websites/apps of Swiss Vitality Clinics may contain links to third-party websites/apps. When visiting them, their privacy statements apply. Swiss Vitality Clinics is not responsible for how third parties handle user data.

If third parties (such as media agencies and ad networks) process data for their own purposes and using their own means, they do so as controllers. For example, these controllers can build their own profiles based on user behavior on websites where media agencies and ad networks purchase ad space. These profiles are then sold to advertisers for (re)targeting purposes.

Swiss Vitality Clinics is neither directly nor indirectly liable for the acts or omissions of third parties, including other controllers.


User Rights

General

Below is an explanation of the rights users have regarding the processing of their data by Swiss Vitality Clinics. For every request, users can email Swiss Vitality Clinics or send a letter by post.

If and to the extent legally permitted, Swiss Vitality Clinics may request a copy of a valid identification document for identification purposes. Portrait photos and social security numbers can be redacted. The copy of the ID will be deleted immediately after identification.

If the user is under 16 years old, the user needs permission from their parent(s) or guardian(s) to provide data to Swiss Vitality Clinics. Swiss Vitality Clinics will require such consent and the parent(s) or guardian(s) can always request to modify, shield, or delete the data provided to Swiss Vitality Clinics.

Right to Information

We are obligated to inform users of our identity, which data we process, for how long, for which purposes, on what legal ground, and with whom we share the data. This statement contains all that information. If users need more information, we will provide it free of charge in principle.

Right of Access

Users have the right to access their own data. They may request confirmation of whether Swiss Vitality Clinics processes their data, and, if so, which data, the processing purposes, involved parties, retention periods, and the source of the data (if not provided by the user). Users are not required to give a reason for an access request. This is limited to their own data.

Right to Rectification

Users can ask to have their data corrected immediately. They also have the right to complete incomplete data.

‘Right to be Forgotten’

In certain cases, we are required to delete data without undue delay, for example, if data are no longer necessary for the purposes for which they were processed, or if the user withdraws consent and there is no other legal ground for processing. If Swiss Vitality Clinics has shared data with other parties and is required to delete the data, it will take all reasonable measures to inform those parties that links and copies of the data must also be deleted.

Note: We cannot always delete all data if it is still needed, for example to fulfill legal obligations or for legal claims. We will always weigh this when such requests are made.

Right to Restriction of Processing

Users generally have the right to have the processing of their data restricted, for example, if they contest the accuracy of their data.

Notification of Rectification, Deletion, or Restriction

Unless impossible or involving disproportionate effort, we will inform recipients of the data about any correction, deletion, or restriction. Swiss Vitality Clinics will provide information about these recipients on request.

Right to Data Portability

Under certain conditions, users have the right to data portability: this applies only to data the user has provided to Swiss Vitality Clinics and where processing is based on consent or a contract with the user. Portability allows users to request their data from Swiss Vitality Clinics for their own use or to transfer it to another company, or request Swiss Vitality Clinics to do so.

Right to Withdraw Consent

Where processing is based on consent, users have the right to withdraw it at any time. After withdrawal, Swiss Vitality Clinics will cease processing data for that purpose, but processing prior to withdrawal remains lawful.

Right to Object

Users generally have the right to object to the processing of their data. Upon objection, Swiss Vitality Clinics will, in principle, stop processing unless there are compelling legitimate grounds for processing.

Users can easily and freely object to the use of their electronic contact details for newsletters, for example, by clicking ‘unsubscribe’ at the bottom of any email or otherwise making a request. Your email address will then no longer be used.

To object to the placement or reading of cookies or to delete cookies, users should consult their browser’s settings or help functions. Some website and app functions may no longer work if cookies cannot be placed.

Complaint to Supervisory Authority or the Courts

If a user believes that data processing violates the law, they may contact us. Users also have the right to lodge a complaint with the supervisory authority (in this case, Germany’s data protection authority), or take legal action.

Limitations of Rights

Sometimes we may limit users’ rights, for example, for the prevention, investigation, detection, and prosecution of criminal offenses, such as fraud.


Retention Periods

Swiss Vitality Clinics does not retain data longer than necessary for the purposes for which the data are processed. Afterwards, Swiss Vitality Clinics will delete or anonymize the data, unless certain data must be kept for another purpose, in which case a legal ground will exist and data will be accessible only for that purpose. Key retention periods:

  • Order data: deleted at latest 6 months after collection.
  • Biological material: destroyed by the laboratory at latest 6 months after SNPs are mapped, in line with agreements with the laboratory.
  • Raw DNA data, analyses, and reports: available only until the user deletes their account; then, all such data are deleted immediately.
  • For accounting and tax purposes, certain documents must be retained for minimum periods (typically 5 or 7 years). Only data needed for legal compliance is kept this long, after which it is deleted or anonymized.

Security

Swiss Vitality Clinics takes data security very seriously and has implemented appropriate technical and organizational measures to ensure data is securely processed and only for specified purposes. The security measures are informed by data processing risks, especially from data loss or misuse. Access to data is limited to those employees who need it for their tasks and only for the relevant purpose, and who are under confidentiality obligations.

  • Storage of genetic data and of analyses/reports is strictly separated:
    • Storage takes place on internal, secure servers in a database designed by iGene (iGene Products B.V., Oude Haven 102, 6511 XH, Nijmegen), located in iGene’s secure facilities. Only specific software by iGene can access the genetic data.
    • Analyses and reports are processed on external, secure servers operated by a certified third party within the EEA, with no connection to public internet for analysis data servers. Reports are stored on servers with minimal information required for user access, with the tube code stored only as a hash (a pseudonymized/encrypted form).
  • Internal and external servers communicate via application programming interface (API), used only for analysis.
  • Genetic data are linked only to tube code and/or year of birth, and not to any other personal data.
  • Daily encrypted backups (AES 256 standard) are made and stored with a certified EEA cloud provider, without other identifiers.
  • Users access their own data in the BioRithm app via unique tube code and year of birth.
  • Payments are processed through secure payment providers via SSL/TLS encrypted connections.
  • Security measures are reviewed and updated continuously.

Data Breaches

If there is a data breach (hereafter: breach), we must report it to the competent supervisory authority within 72 hours, unless it is unlikely the breach poses a risk to users’ rights and freedoms.

If it is likely to pose a high risk, we are also obligated to notify the users. A data breach includes incidents such as system hacks or loss/illegitimate processing of data.

If you discover a security incident or data breach on our sites or apps, please report it immediately by emailing info@swissvitalityclinics.com or calling +49 7221 3950170.


Transfers

All biological material, raw DNA data, DNA analyses, and DNA reports are stored and (further) processed within the European Economic Area (EEA).

Some data, such as statistical analytics on orders, may be transferred and processed outside the EEA, for example, data collected via cookies or similar techniques.

Such transfers only occur to countries with an adequate level of protection, or with appropriate safeguards in place (e.g., EU-approved model contracts). If neither is possible, data may only be transferred with a legal exception, such as explicit user consent.

For more information on safeguards, users may contact us.


Contact Details

For questions, requests, suggestions, or complaints concerning this statement or data processing, contact Swiss Vitality Clinics at info@swissvitalityclinics.com or at Lichtentaler Straße 27, 76530 Baden-Baden, Germany.

You may also contact our Data Protection Officer at privacy@swissvitalityclinics.com.


Changes

We may change this statement if developments warrant it. The latest version is always available on our website. We recommend users check it regularly. Continued use of our products or services or our websites implies you have read the updated statement.


Glossary

Anonymization: An irreversible process to ensure that data can no longer be traced back to individuals (users).

Apps: All applications and platforms of Swiss Vitality Clinics, including the BioRithm app.

Special Categories of Data: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership; genetic data, biometric data (for unique identification), health data, or data on sex life or orientation. Processing is forbidden unless an exception applies (e.g., explicit user consent for genetic data).

Cookies: Small text files sent by a server to a browser when products and services are used. Cookies remember data a user enters for future visits so the content can be tailored to the user and reentry of data is not necessary. In addition to cookies, Swiss Vitality Clinics may use ‘similar techniques,’ such as JavaScripts, tracking pixels, and web beacons. These are techniques that allow a system to collect, store, and then send information. In this statement, cookies and similar techniques are collectively referred to as ‘cookies’.

Users: All (potential) clients of Swiss Vitality Clinics’ products and services whose data is processed. This includes website and app visitors and newsletter recipients.

Data: ‘Personal data’ is any information that can be directly or indirectly traced to an individual, even without knowing that person’s name. Examples include name, address, city of residence, email address, phone number, genetic data, cookie IDs, tracking data, advertising cookies, and financial data. These are referred to in this statement as ‘data’.

Legal Grounds: For the lawful processing of user data, Swiss Vitality Clinics requires a legal ground. This is the legal basis for processing user data. The legal grounds are:

  • Consent: Prior consent of the user for one or more specific purposes. Consent is any freely given, specific, informed, and unambiguous indication of the user’s wishes, by which they signify agreement to the processing of personal data.

  • Necessity for Performance of a Contract: Processing is necessary to take steps at the request of the user prior to entering into a contract or for the performance of a contract with the user. For example, processing data (name, address, place of residence) when a user orders Swiss Vitality Clinics’ products or services.

  • Legal Obligation: Processing is necessary to comply with legal obligations incumbent upon Swiss Vitality Clinics (e.g., obligations toward tax authorities).

  • Legitimate Interest: Processing is necessary for the purposes of legitimate interests pursued by Swiss Vitality Clinics or a third party, except where these interests are overridden by the interests or fundamental rights and freedoms of the user. To rely on this ground, a balancing test will be conducted to weigh both sides’ interests before proceeding.

Recipient: A natural or legal person, public authority, agency, or other body, whether a third party or not, to whom data are disclosed.

Products and Services: All products and services provided by Swiss Vitality Clinics to a user, including all websites and apps, such as the BioRithm app. The general terms and conditions of Swiss Vitality Clinics apply.

Pseudonymization: Processing data in such a way that it can no longer be attributed to a specific individual without the use of additional information, which is kept separately and subject to technical and organizational measures. Encryption is a form of pseudonymization.

Controller: The organization that determines the purposes and means of data processing. For example, Swiss Vitality Clinics acts as the controller when performing DNA tests, analyzing DNA, and providing DNA reports to users.

Processing: Any operation (or series of operations) performed on data, whether or not by automated means. Examples include collecting, recording, organizing, storing, modifying, retrieving, consulting, sharing, transmitting, and deleting data.

Processor: An organization that processes data on behalf of the controller.

Deletion: Erasing data so that it cannot be retrieved directly or indirectly.

Websites: All websites owned or controlled by Swiss Vitality Clinics, including, but not limited to, swissvitalityclinics.com.


© 2025 Swiss Vitality Clinics