OmixMe – Privacy Policy
Effective date: 09.07.2026
Version: 1.0
This Privacy Policy (“Privacy Policy”) describes how OmixMe, operated by SAMETA s.r.o., seated Čulenova 7936/5, 811 09 Bratislava, Slovak Republic, Company ID: 50 706 667, registered with the Commercial Register of the City Court Bratislava III, Insert No. 117160/B (“OmixMe”, “we”, “us”) collects, processes and protects your personal data. OmixMe undertakes to protect your personal data in accordance with the applicable data-protection legislation, in particular Regulation (EU) 2016/679 (the “GDPR”) and Act No. 18/2018 Coll. on the Protection of Personal Data.
Because OmixMe processes health data and genetic data – special categories of personal data under Article 9 GDPR – we apply heightened safeguards across the whole service lifecycle. This Privacy Policy applies to all services, applications and websites operated or provided by OmixMe (including the website https://omixme.com and the client/clinician portal) in which personal data is processed and in which this Privacy Policy is contained or referenced.
Important – nature and purpose of the service
OmixMe is not a medical device and not a healthcare service. The OmixMe service and the report are provided for research and informational purposes only (“Research use only. Not for diagnostic procedures.”) and have an exclusively informational and supporting character for the Client’s treating physician.
OmixMe is not intended as a medical device or as an in-vitro diagnostic medical device within the meaning of Regulation (EU) 2017/746 (IVDR). The service is not intended to diagnose, prevent, monitor, predict, prognose, treat or alleviate any disease or health condition and must not be used for diagnostic procedures.
OmixMe does not provide healthcare and is not a provider of healthcare within the meaning of Act No. 576/2004 Coll. on Healthcare. The report does not constitute the provision of healthcare, a medical diagnosis, a treatment recommendation or medical advice.
The information provided by OmixMe does not replace a professional medical examination, diagnosis or advice. Before any diagnostic, preventive, therapeutic or other health-related decision or intervention, the Client should consult a physician or another qualified healthcare professional.
For more information on this topic, please see Section 14.
In case of any discrepancy between this Privacy Policy and a specific notice, consent text or contractual document applicable to a particular processing operation, the specific document shall prevail. The provisions of this Privacy Policy apply from the effective date stated above.
1. Definitions
| Term | Meaning |
|---|---|
| OmixMe Service | The multi-omics molecular analysis and bioinformatics service, including the website, the client/clinician portal, the resulting report and any consultation. Provided for research/informational use only. |
| Client | The natural person whose health and genetic data is analysed. |
| Treating physician | The physician who refers the Client, supplies medical documentation at the Client’s request and receives the report; the physician is the sole clinical decision-maker, exercised within their own responsibility. |
| Partner laboratory | An independent laboratory that physically handles the biological material and performs the sequencing/omics analysis under its own responsibility. |
| Data subject | An identified or identifiable natural person (client, physician, website visitor, business contact). |
| Personal data | Any information relating to an identified or identifiable natural person. |
| Special-category data | Health, genetic and biometric data and other categories listed in Article 9(1) GDPR. |
| Controller / Processor | As defined in Article 4 GDPR. |
2. About OmixMe and the service
OmixMe provides multi-omics analysis of biological material and AI-assisted bioinformatics, and produces a molecular information report. The report is intended solely as informational and scientific support that the Client’s treating physician may, at their sole professional discretion, take into account within their own independent clinical decision-making. OmixMe itself does not make any diagnostic, preventive or therapeutic decision, does not recommend treatment and does not guarantee any result. The analysis of the biological material is carried out by an independent partner laboratory, and every report is reviewed by a human expert before it is made available. See Section 14 (Research use only).
How the service works
The Client (or their legal representative) contacts OmixMe and registers on the client portal, then links to a collaborating physician.
On the basis of the Client’s signed informed consent, OmixMe requests the necessary medical records from the Client’s treating physician.
The physician arranges collection of the biological material; a courier transports it to a partner laboratory.
The partner laboratory performs the sequencing/omics analysis and returns datasets to OmixMe.
OmixMe combines the medical documentation with the omics data and prepares the molecular information report; every report undergoes mandatory human expert review.
The report is made available to the physician through the portal; the Client is notified and can access it.
An optional consultation is provided to the physician (not directly to the Client).
3. Our role under the GDPR
OmixMe as controller. For the B2C channel – where a Client approaches OmixMe directly – OmixMe determines the purposes and means of processing (including the scope of data requested) and therefore acts as an independent controller of your personal data.
The Client’s treating physician is a separate, independent controller for their own medical documentation and is the sole clinical decision-maker. The physician supplies data at the Client’s request, not as a customer ordering a service from OmixMe.
Joint controllers. Where OmixMe enters into systematic, framework cooperation with a hospital or clinic, the parties may act as joint controllers under Article 26 GDPR. In such cases a joint-controller arrangement sets out each party’s responsibilities and the point of contact; this does not relieve OmixMe of its direct responsibility to you.
Partner laboratories act as our processors with respect to the data they receive, and as independent controllers / regulated entities with respect to the physical material and any biobanking they perform under their own registration.
Website visitors and business contacts. When you browse our website, contact us, or subscribe to our newsletter, OmixMe acts as controller.
4. What data we process, why, and on which legal basis
4.1 Identification and contact data
Client: first name, surname, country, language, e-mail address, and an optional free-text note about the Client’s situation. Treating physician: name and e-mail address. Where a high-value service requires identity verification, an identity-document number may be requested.
Legal basis: performance of a contract and pre-contractual steps taken at your request (Art. 6(1)(b) GDPR); legal obligation for billing/accounting (Art. 6(1)(c)).
4.2 Health data received from the treating physician
A defined, closed set of clinical records necessary for the analysis (e.g. diagnosis, relevant medical history and laboratory results). We apply data minimisation: we request only the categories needed for the agreed purpose. The exact list of categories is fixed in the informed-consent form.
Legal basis: explicit consent for the special category (Art. 9(2)(a) GDPR), together with performance of a contract (Art. 6(1)(b)).
4.3 Genetic and omics data
Sequencing and omics data generated by the partner laboratory from the Client’s biological material, and the derived analytical results (e.g. variant files, the molecular report). Genetic data is pseudonymised from the outset; re-identification occurs only when the partner laboratory returns a specific Client’s results to OmixMe, and is visible only to the Client, the physician and authorised OmixMe staff.
Legal basis: explicit consent (Art. 9(2)(a) GDPR) and performance of a contract (Art. 6(1)(b)). Where the Client opts in to research use, Art. 9(2)(j) may also apply.
4.4 Biological material
OmixMe does not physically hold biological material and does not operate a biobank. The biological material is collected by the healthcare personnel of the relevant healthcare facility and handled by the partner laboratory, which contractually either destroys the material after analysis or retains it under its own biobank registration. OmixMe processes only the resulting data.
4.5 Incidental and germline findings
Where germline variants or incidental findings may arise, the informed-consent form lets the Client choose, by separate option, whether and how they wish to be informed. The Client’s right not to know is respected.
4.6 Payment data
Where the service is paid, payment is handled by a third-party payment provider acting as our processor. PCI-DSS compliance rests with the payment provider; OmixMe does not store full card data.
Legal basis: performance of a contract (Art. 6(1)(b)); legal obligation (Art. 6(1)(c)).
4.7 Website, technical and cookie data
IP address, device and browser information, and analytics data collected when you use our website – see Section 8 (Cookies).
Legal basis: your consent for non-essential cookies (Art. 6(1)(a)); our legitimate interest in secure operation for strictly necessary cookies (Art. 6(1)(f)).
4.8 Communication and support
Content and metadata of e-mails and portal messages exchanged in connection with the service, and notifications about process status and report delivery.
Legal basis: performance of a contract (Art. 6(1)(b)); our legitimate interest in service administration (Art. 6(1)(f)).
5. Use of artificial intelligence
OmixMe uses AI/ML to help analyse omics data and prepare the report. Our approach is designed to keep you protected:
AI models run locally / on infrastructure controlled by OmixMe. We do not transmit client data to third-party AI APIs (e.g. OpenAI, Anthropic, Google).
Every analysis and report is confirmed by a human expert before it is made available – there is no decision based solely on automated processing.
Client data may be used to validate or calibrate models only with your separate, optional consent; declining does not affect the service you receive.
Because every output is subject to mandatory human review and the clinical decision rests with the treating physician, OmixMe does not carry out automated decision-making producing legal or similarly significant effects within the meaning of Article 22 GDPR. You may nevertheless object to AI-assisted processing as described in the consent documents.
6. Data retention
Personal data is kept only for as long as necessary for the purpose for which it was processed, and the period depends on the applicable legal basis:
| Category | Indicative retention | Basis |
|---|---|---|
| Contract and report data | Duration of the relationship + statutory limitation period, then erased | Contract / legal claims |
| Health data from physician | For the purpose of the analysis; erased / returned after, unless law requires otherwise | Consent / contract |
| Genetic & raw sequencing files (FASTQ/BAM/VCF) | 5–10 years for potential re-analysis; the Client may restrict this in the portal | Consent |
| Accounting / tax records | As required by law | Legal obligation |
| Consent records | End of purpose + limitation period | Legal obligation / legitimate interest |
| Marketing data | Until consent is withdrawn | Consent |
7. Withdrawal of consent (where applicable)
Where processing is based on your consent, you may withdraw it at any time, as easily as you gave it. On withdrawal we stop further processing and erase or anonymise the relevant data, unless we are required or entitled to keep it on another legal basis (e.g. legal obligations or the defence of legal claims). Because the same data may be processed on more than one legal basis, withdrawing consent may not always result in full erasure. A “Withdraw consent” option is available in the client interface and by e-mail to the contact in Section 16.
8. Cookies and similar technologies
Our website uses cookies and similar technologies (web beacons, pixels) to enable core functionality, understand usage and – with your consent – support analytics and marketing. A cookie-consent banner is presented on your first visit; you can manage or withdraw your choices at any time via the Privacy Settings link. A separate Cookie Policy provides full details.
Why we use cookies
Essential (necessary) cookies – enable secure operation and core features; processed on the basis of our legitimate interest (Art. 6(1)(f) GDPR).
Analytical & performance cookies – help us understand usage; processed only with your consent.
Personalisation / advertising cookies – only with your consent, and never used to target individuals on the basis of a health condition (see Section 13).
Examples of cookies
| Cookie / Technology | Provider | Purpose | Category |
|---|---|---|---|
| _ga | Google Analytics | Distinguishes users for usage analytics | Analytical |
| _gid | Google Analytics | Stores a value per page visited | Analytical |
| Consent record | Cookie management tool | Stores your cookie preferences | Essential |
You can manage or delete cookies in your browser settings (Microsoft Edge, Firefox, Chrome, Safari). Disabling essential cookies may affect website functionality.
9. Data sharing and recipients
Your personal data is not shared with third parties except where: it is necessary to provide the OmixMe Service; you have consented; it is entrusted to processors acting on our behalf and on our instructions; or we are obliged to provide it under the law or upon a lawful order of a public authority.
Categories of recipients: (a) your treating physician (separate controller); (b) partner laboratory and courier; (c) hosting / IT and backend providers; (d) payment provider; (e) regulators and public authorities; (f) research partners, only where you have given consent.
We do not sell, rent or otherwise commercially share personal data.
Categories of processors (sub-processors)
hosting and data centre (EU region preferred);
client-portal backend and database;
partner laboratories and sample courier;
payment processing;
e-mail, notification and (planned) CRM tools;
web analytics and cookie management;
legal, tax, accounting and audit services.
A list of specific sub-processors will be maintained and made available – LINK TO LIST OF SUB-PROCESSORS.
10. International transfers
OmixMe prefers EU/EEA-based hosting and keeps backups within the EU; AI compute is performed on EU-hosted / on-premise infrastructure. Where a transfer of personal data outside the EU/EEA is necessary (for example, a team member or contractor located in a third country such as India), we carry it out only where it is GDPR-compliant – on the basis of an adequacy decision, Standard Contractual Clauses (SCC) accompanied by a transfer impact assessment (TIA), or another valid transfer mechanism, with additional safeguards where needed.
Transfers to high-risk jurisdictions and sanctioned countries (e.g. Russia, Iran) are excluded. You have the right to receive a copy of the SCCs relevant to a particular transfer of your data by contacting us at [PRIVACY E-MAIL].
11. How we protect your personal data
Technical measures
data encrypted in transit and at rest; passwords, tokens and keys are encrypted and never stored in plaintext;
two separate databases – identification/contact data and medical/analytical data – with pseudonymisation of genetic data;
every application logs its actions (audit logs);
strong password policy and MFA wherever possible; reliable password managers enforced;
least-privilege and need-to-know access; production access limited to staff actively supporting it under appropriate contractual clauses.
Organisational and people measures
role-based access control (RBAC) and regular access reviews;
confidentiality clauses (NDA) with all staff and contractors, extended for health data;
mandatory security training for technical staff and background checks proportionate to the role;
a documented data-breach response process with notification within 72 hours (Art. 33 GDPR).
12. Your rights
Under the GDPR you have the rights set out below. To exercise them, contact us using the details in Section 16.
Right of access – to confirmation of processing and a copy of your data, plus information on purposes, categories, recipients, retention, your rights, the source of the data and any automated decision-making.
Right to rectification – to correct inaccurate or incomplete data.
Right to erasure – subject to our legal obligations and the defence of legal claims.
Right to restriction of processing – in the cases set out in Article 18 GDPR.
Right to data portability – for data you provided, processed by consent or contract, in a structured, machine-readable format.
Right to object – on grounds relating to your particular situation, to processing based on legitimate interest, including profiling.
Right not to be subject to solely automated decision-making – see Section 5; OmixMe applies mandatory human review and the clinical decision rests with the physician.
Right to withdraw consent – at any time, without affecting the lawfulness of prior processing.
Right to lodge a complaint – with the supervisory authority (see Section 17).
13. Marketing
OmixMe does not market directly to clients on the basis of a health condition. Marketing is addressed to physicians and institutions (B2B) and, where applicable, to newsletter subscribers, always with an appropriate legal basis (consent or, for existing business contacts, soft opt-in supported by a legitimate-interest assessment). Behavioural targeting that could reveal an individual’s health condition is not used. Every marketing e-mail contains a one-click unsubscribe option. Communications are tailored to a vulnerable audience and avoid therapeutic claims, promises of results or misleading statistics.
14. Research use only – OmixMe is not a medical device and not a healthcare service
The purpose of the OmixMe service is not the provision of healthcare. The service and the report are provided for research and informational purposes only and are marked “Research use only. Not for diagnostic procedures.” The information provided by OmixMe has an exclusively informational and supporting character for the treating physician; it is intended to support the physician’s own independent professional decision-making and in no case replaces a professional medical examination, diagnosis or advice.
Not a medical device / IVD. OmixMe is not intended as a medical device or as an in-vitro diagnostic medical device within the meaning of Regulation (EU) 2017/746 (IVDR). It is not intended to diagnose, prevent, monitor, predict, prognose, treat or alleviate any disease or health condition, and must not be used for diagnostic procedures.
Not a healthcare service. OmixMe does not provide healthcare and is not a provider of healthcare within the meaning of Act No. 576/2004 Coll. on Healthcare. The report is not a medical record entry, a diagnosis, a treatment recommendation or medical advice.
The physician is the decision-maker. Any diagnostic, preventive, therapeutic or other health-related decision is made solely by the treating physician (or another qualified healthcare professional). OmixMe provides a molecular information basis only and does not make such decisions.
Consult a physician. Before any diagnostic, preventive, therapeutic or other health-related decision or intervention, the Client should consult a physician or another qualified healthcare professional.
No guarantees, no automated decisions. OmixMe does not guarantee any treatment outcome, does not make therapeutic claims, and does not make decisions based solely on automated processing; every report is reviewed by a human expert.
15. Children’s privacy
Where OmixMe processes data relating to minors (e.g. in paediatric oncology), processing is based on the consent of the legal representative, together with the child’s assent where the child is able to understand. Under Slovak law the age for consent to information-society services is 16; different thresholds may apply in other jurisdictions. Outside the paediatric context, our website and services are not intended for persons under 18, and we do not knowingly collect their data without authorisation from a parent or legal guardian.
16. Data Protection Officer and contact
OmixMe appoints a Data Protection Officer (DPO) given that processing of special-category data is a core activity on a large scale (Art. 37(1)(c) GDPR). For any question about your personal data, or to exercise your rights, contact us:
DPO / privacy: [dpo@omixme.com] / [privacy@omixme.com] (to be set up)
Postal address: SAMETA s.r.o., Čulenova 7936/5, 811 09 Bratislava, Slovak Republic
17. Right to lodge a complaint
If you believe that we process your personal data unlawfully, please contact us first so we can try to resolve the matter. You also have the right to lodge a complaint with the Office for Personal Data Protection of the Slovak Republic, Námestie 1. mája 18, 811 06 Bratislava.
18. Final provisions
OmixMe may amend this Privacy Policy at any time. We will post changes on our website and, where appropriate, notify you by other means. If any provision is found void or unenforceable, it will be severed and the remaining provisions will continue in full force and effect.
