Summary

Privacy Policy

Version 1.1 - [2025-03-18]

1. What is this Privacy Notice about?

This Privacy Notice explains how we process personal data, primarily in relation with our services (incl. Application) and with our website. If you would like more information about our data processing, please feel free to contact us (sec. 2).

2. Who is the controller for the data processing?

For each data processing activity, there is a party that is primarily responsible for ensuring compliance, the “controller”. For the processing described in this Privacy Notice, the controller (also referred to as “we”) is:

Red Drop Lab SARL
Chemin de Clamogne 4
1170 Aubonne

If you have any questions regarding data protection, please feel free to contact us at the above postal address or by email:

support@reddroplab.com

If you provide us with data about other individuals, we assume this data is accurate and that you are authorised to share it with us. As we may not directly contact these individuals or inform them about our data processing, we ask you to do so (e.g., by referring them to this Privacy Notice).

3. How do we process data in relation with our products and services?

When you use our products and services (collectively, “services”), we process data for onboarding, concluding service agreements, and their performance and management:

  • If we are in contact with you in view of an agreement, we process data, for example if you fill out and we analyze medical questionnaires, if you send us biological samples such as blood tests and we analyze such tests. In the course of these processing activities, we process in particular particularly sensitive data such as health data, but also the necessary master data such as your name, contact details or date of birth, phone, email, information collected through applications and forms, consent, details of services requested and the date of agreement. For the provision of our services, we may work together with third parties such as laboratories or health care professionals (see also sec. 5 below). Red Drop Lab may also be required to disclose certain Test Results and Information to the Swiss authorities in compliance with applicable laws and regulations. Such disclosures will be made only to the extent required by law and Red Drop Lab will ensure that only the necessary information is provided. We assume that such disclosures do not conflict with your confidentiality interests.
  • If we enter into an agreement with you, we process the data from the onboarding and information on the agreement (e.g. the date and the content of the agreement).
  • We process personal data during and after the agreement, including details on service purchases, payments, customer service interactions, claims, complaints, returns, for online services, access data and logins, agreement terminations, and any related disputes or proceedings. These data processing activities are necessary for agreement performance. We will moreover process your personal data so as to provide you with more useful recommendations on our App and/or Website and will anonymize your personal data in order to use the (anonymized) personal data for machine learning and AI training purposes.
  • We may advertise our services, e.g., by sending out newsletters. More details are set out in sec. 4.
  • We also process the above data for statistical purposes (e.g., which products sell best, in which regions and at what times, and which customer groups purchase specific products, and/or medical statistics, if any). These statistics help improve and develop products and inform business strategy. We may also use statistical data on an identifiable basis for marketing; see sec. 4 for details.

For corporate partners, we process limited personal data, as data protection law applies only to individuals. However, we handle data of individuals we interact with, such as names, contact details, professional information, communication details, and information about management personnel, as part of the general data on companies we work with.

4. How do we process data in relation with advertising?

We also process personal data in order to advertise our services:

  • Newsletter: We send out electronic information and newsletters, which may include advertising for our services. We will ask for your consent before sending out electronic marketing, except for certain offers to existing customers. In addition to your name and email address, we process data on the services you use, whether you open newsletters, and which links you click. For this, our service provider uses invisible images loaded from a server via a coded link to transmit related information. This common method helps us evaluate and optimize newsletters. You can object by adjusting your email settings (e.g., disabling automatic image loading).
  • Online advertising: where applicable, information on personalized presentation of own website and personalized display of advertising on third-party sites and platforms.
  • Market research: We process data to improve and develop new services, such as information on purchases, reactions to newsletters, customer surveys, polls, social media, media monitoring services, and public sources. We will moreover process your personal data so as to provide you with more useful recommendations on our App and/or Website and will anonymize your personal data in order to use the (anonymized) personal data for machine learning and AI training purposes.

5. How do we disclose personal data?

We may disclose personal data to various bodies within the scope of our activities. These include the following categories:

  • persons associated with you, e.g. authorized representatives, deputies or relatives, and in the case of contact persons of companies, employees and the company itself;
  • if we engage intermediaries for our services, we may share your information with them to enable direct contact with you;
  • insofar as we engage third parties in connection with our services, such as laboratories and health care professionals, we may share sensitive information (in particular health data, see sec. 3 above) with these third parties. Red Drop Lab may be required to disclose certain Test Results and Information to the Swiss authorities in compliance with applicable laws and regulations. Such disclosures will be made only to the extent required by law and Red Drop Lab will ensure that only the necessary information is provided.
  • service providers, in particular for IT services (such as storage providers, IT infrastructure providers…, administration and consulting services, shipping and logistics services, or services of banks, the post office, etc. These service providers may process personal data to the extent necessary. For providers used for our website, see section 8;
  • credit agencies and other databases to which we may disclose the necessary information about you as part of an information request;
  • offices, authorities and courts within the scope of our legal obligations and in connection with proceedings in which we are a party or third party;
  • third parties, e.g. in connection with the acquisition or sale of assets by us.

6. Can we disclose data abroad?

Not all data recipients are located in Switzerland. This includes certain service providers, particularly in IT. These providers may be based in the EU or in other countries worldwide. We may also share data with foreign authorities if legally required or in connection with asset sales or legal proceedings (see sec. 10). Not all these countries offer adequate data protection. To address this, we implement appropriate safeguards, particularly the EU standard contractual clauses. In some cases, data may be shared abroad without such safeguards as allowed by applicable law—for instance, with your consent or if necessary to perform a contract, assert or defend legal claims, or serve overriding public interests.

7. How do we use artificial intelligence?

New technologies like artificial intelligence (AI) and machine learning offer significant potential but also present challenges. We ensure these technologies are used in alignment with our values and carefully weigh opportunities and risks in each case. We take responsibility for any content generated or decisions made by AI on our behalf. For decisions with significant impact on individuals, we ensure they can be reviewed by a human. If an AI we use interacts directly with you, we will inform you.

We may use AI to improve our products and services, increase the efficiency of internal processes, enhance security, prevent misuse, or for any other purpose outlined above. AI applications may process personal data, but this is not always the case. Possible uses of AI include:

  • Creating and simplifying access to information about our products and services;
  • Processing customer requests and analyzing customer feedback automatically to address needs more effectively;
  • Improving customer experience when using our products and services through targeted advice and tailored information;

Assisting in carrying out analyses.

8. How do we process data in relation with our website and Application?

For technical reasons, each time you use our website, certain data is temporarily stored in log files, including your device’s IP address, information about your internet service provider, operating system, browser, referring URL, date and time of access, and content accessed. We use this data to operate the website, ensure security and stability, optimize the site, and for statistical purposes.

Our website uses cookies—small files stored by your browser on your device. These allow us to distinguish individual visitors, usually without identifying them. Cookies may contain information about accessed content and visit duration. Some cookies (“session cookies”) are deleted when you close your browser, while others (“persistent cookies”) remain for a set period to recognize returning visitors. We also use other technologies, such as pixels and browser fingerprints. Pixels are invisible images loaded from a server, transmitting information via a coded link. Fingerprints use your device’s configuration to make it distinguishable from others.

You can adjust your browser settings to block certain cookies or delete cookies and other stored data. For more information, refer to your browser’s help pages (usually under “privacy”).

Third parties providing services to us may also use cookies and other technologies. These third parties may be located outside Switzerland and the EEA. For example, we use analytics services to optimize [and personalize] our website.

Cookies and similar technologies from third-party providers may also enable them to target you with personalized advertising on our websites, other websites, or social networks working with these providers, and to measure ad effectiveness (e.g., tracking whether you arrived at our website via an ad and your subsequent actions).

These providers may record website usage and combine it with data from other websites. They may track user behavior across multiple websites and devices to provide us with statistical insights. Providers may also use this data for their purposes, such as personalized advertising on their platforms or other websites. If a user is registered with the provider, the provider can link the usage data to that individual.

Cookies and other technologies may also be used by third parties that provide services to us. These may be located outside of Switzerland and the EEA. For example, we use analytics services so that we can optimize [and personalize] our website. Cookies and similar technologies from third-party providers also enable them to target you with individualized advertising on our websites or on other websites as well as on social networks that also work with this third party and to measure how effective advertisements are (e.g., whether you arrived at our website via an advertisement and what actions you then take on our website).] The relevant third-party vendors may record website usage for this purpose and combine their records with other information from other websites. They can record user behavior across multiple websites and devices to provide us with statistical data. The providers may also use this information for their own purposes, e.g. for personalized advertising on their own website or other websites. If a user is registered with the provider, the provider can assign the usage data to the relevant person.

Two of the most important third-party providers are Google and Facebook. You can find more information about them below. Other third parties generally process personal and other data in a similar way.

  • We use Google Analytics on our website, an analysis service provided by Google LLC (1600 Amphitheatre Parkway, Mountain View, CA, USA) and Google Ireland Ltd (Google Building Gordon House, Barrow St, Dublin 4, Ireland). Google collects certain information about the behavior of users on the website and about the terminal device used. The IP addresses of visitors are shortened in Europe before being forwarded to the USA. Google provides us with evaluations based on the recorded data, but also processes certain data for its own purposes. Information on the data protection of Google Analytics can be found here and if you have a Google account yourself, you can find further details here.
  • We may provide Facebook with user information, such as email addresses, for the purpose of advertising on Facebook. Facebook matches these with corresponding details of its members in order to be able to play advertising specifically to our users (“Custom Audiences”). You can object to this matching at any time. Our websites may [further] use the “Facebook Pixel” and similar technologies of Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”). We use these technologies to display the Facebook ads placed by us only to users on Facebook and on partners cooperating with Facebook who have shown an interest in us. We can further use these technologies to track the effectiveness of the Facebook ads for statistical and market research purposes by seeing whether users were redirected to our website after clicking on a Facebook ad (so-called “conversion measurement”). Further details can be found here. We share responsibility (but not further processing) with Facebook for displaying advertising information that matches users’ interests, improving ad delivery, and personalizing features and content. We have therefore concluded a corresponding supplementary agreement with Facebook. Users can therefore address requests for information and other data subject requests in relation with shared responsibility directly to Facebook.

9. How do we process data via social media?

We maintain presences on social networks and platforms (e.g., Instagram, LinkedIn, Facebook fan pages, YouTube channel). If you communicate with us, comment on, or share content there, we collect information for communication, marketing, and statistical purposes (see sec. 4 and 10). Please note that platform providers also collect and use data (e.g., user behavior) independently, potentially combining it with other data they hold (e.g., for marketing or content personalization). Where joint responsibility with the provider applies, we enter into an agreement, details of which can be obtained from the provider.

10. Are there other processing purposes?

Yes. Typical (though not necessarily frequent) cases are as follows:

  • Communication: When we are in contact with you (e.g. when you call customer service or when you communicate with us on social media), we process the content as well as information about the nature, time, and location of the communication. For your identification, we may also process information about proof of identity. Telephone conversations with us may be recorded and listened to; we will inform you of this at the beginning of each conversation. If you do not want us to record such conversations, you have the option at any time to terminate the conversation and contact us by other means (e.g. by e-mail).
  • Job applications: We process personal data provided by applicants during the application process, including contact details, CVs, references, and other supporting documents. This data is used to assess suitability for the position, communicate with applicants, and manage the recruitment process. If necessary, data may be shared with third parties, such as background check providers, in accordance with applicable law. Applicant data is stored securely and retained only as long as necessary for the recruitment process or as required by law. Unsuccessful applications are deleted after an appropriate retention period unless consent is given for longer storage.
  • Compliance with legal requirements: We may disclose data to authorities as required by law or to meet internal regulations.
  • Prevention: Data is processed to prevent crime or misuse, such as fraud prevention or internal investigations.
  • Legal proceedings: If involved in legal proceedings (e.g., court or administrative), we process and disclose data about parties, witnesses, and others involved to courts, authorities, or other relevant entities, including abroad.
  • IT security: We process data to monitor, control, analyze, secure, and assess IT infrastructure and manage backups and archives.
  • Competition: We process data on competitors and the market (e.g., political environment, associations) and key individuals, including names, contact details, roles, and public statements.
  • Transactions: In asset, business unit, or company sales or acquisitions, we process data to prepare and execute transactions, including disclosing customer or employee data to potential buyers or sellers.
  • Other purposes: Data is processed for training, administration (e.g., contract management, accounting, claims management, process improvement), anonymous statistics, or securing other legitimate interests.

11. How do we protect your data?

We implement appropriate technical and organizational measures to ensure the security of your personal data is commensurate with the respective risk. However, absolute data security cannot be guaranteed, and some residual risks may remain.

12. How long do we process personal data?

We process your personal data as long as necessary for the relevant purpose (e.g., for contracts, typically the duration of the contractual relationship), as long as we have a legitimate interest in its retention (e.g., to enforce legal claims, for archiving, or IT security), or as required by statutory retention obligations (e.g., a ten-year retention period for certain data). Once these periods expire, we delete or anonymize your data.

13. Anything else to consider?

Depending on the applicable law, data processing is permitted only if explicitly authorized. This restriction does not apply under the Swiss Data Protection Act but does apply under the European General Data Protection Regulation (GDPR), if applicable. In such cases, we rely on the following legal bases for processing your personal data:

  • 6 para. 1 lit. b GDPR for processing necessary to perform a contract with the data subject or to take pre-contractual measures (see para. 3).
  • 6 para. 1 lit. f GDPR (and Art. 9 para. 2 lit. f GDPR for special-category data, if applicable) for processing necessary to protect our or third parties’ legitimate interests, unless overridden by the data subject’s fundamental rights and freedoms. This includes compliance with Swiss law, ensuring sustainable, user-friendly, secure, and reliable operations, and the purposes outlined in Section 7.
  • 6 para. 1 lit. c GDPR for processing necessary to comply with a legal obligation under the laws of an EEA Member State. The EEA includes EU member states, Iceland, Norway, and Liechtenstein.

 

In general, you are not required to disclose data to us, except in specific cases (e.g., fulfilling contractual obligations that necessitate data disclosure). However, we may need to process data for legal or contractual purposes. The use of our website would also not be possible without some data processing (see sec. 8).

14. What are your rights?

You have certain rights, subject to conditions and restrictions under applicable law:

  • You can request a copy of your personal data and further information about our data processing.
  • You can object to our data processing, especially in relation with direct marketing.
  • You can have incorrect or incomplete personal data corrected or completed or supplemented by a note of dispute.
  • You also have the right to receive the personal data that you have provided to us in a structured, common, and machine-readable format, insofar as the corresponding data processing is based on your consent or is necessary for the performance of the contract.
  • To the extent that we process data based on your consent, you can withdraw your consent at any time. The withdrawal is only valid for the future, and we reserve the right to continue to process data based on another basis in the event of a withdrawal.

If you wish to exercise such a right, please feel free to contact us (sec. 2). We will usually have to verify your identity (e.g. by means of a copy of your ID card). You are also free to file a complaint against our processing of your data with the competent supervisory authority, in Switzerland the Federal Data Protection and Information Commissioner (FDPIC).