Privacy Notice

Last update : 08-Dec-2025

Preamble

SeqOne is committed to protecting your personal data and respecting your privacy. This Privacy Notice explains how SeqOne S.A.S. (and its affiliates, including SeqOne Inc.) collects, uses, and protects your personal data, encompassing the services and platforms previously offered under Life&Soft and Congenica.

In any event, SeqOne undertakes to comply with the following two (2) essential principles:

You remain in control of your personal data.
Your data is processed in a transparent, confidential and secure manner.

Article 1. Identity and contact details of the data controller

Who We Are

Primary Data Controller: SeqOne S.A.S. (France), a simplified joint stock company registered with the Montpellier Trade and Companies Register under number 829 581 586
Head Office: SeqOne S.A.S. 22 Rue Durand, 34000 Montpellier, France.
Operational Sites: Montpellier (France), Paris (France) and Cambridge (UK).
Affiliated US Entity: SeqOne Inc., Wilmington, DE (USA).

When we refer to “SeqOne,” “we,” “us,” or “our” in this notice, we are referring to SeqOne S.A.S. and its affiliated companies across all our locations. As a controller operating in the EU, the UK and the USA, we adhere to the most stringent data protection standards, including the General Data Protection Regulation (EU) of April 27, 2016 (hereinafter “GDPR”), the UK GDPR, as set out in the DPA 2018, and amended on 01 January 2021 by regulations under the European Union (Withdrawal) Act 2018, to reflect the UK’s status outside the EU, and, for US-based activities involving Protected Health Information, the Health Insurance Portability and Accountability Act (HIPAA). .

If you have any questions about this notice or our data protection practices, please contact our Data Protection Officer (DPO):

Location	Contact Method
All sites (DPO)	Email: dpo@seqone.com
France (Montpellier/Paris)	Mail: SeqOne S.A.S., Attn: Data Protection Officer, 22 Rue Durand, 34000 Montpellier, France.
UK (Cambridge)	Mail: SeqOne S.A.S, Wellcome Genome Campus, Hinxton, Cambridge CB10 1SA, UK, Attn: Data Protection Representative
USA (HIPAA)	Mail: SeqOne Inc., c/o Pramex International, 1251 avenue of the Americas, fl.3, New York, NY, 10020.

‍

Article 2. Categories of Personal Data we process

As a specialist in AI-powered genomic medicine software, we process different types of data depending on your relationship with us (e.g., website visitor, customer contact, job applicant, or user of our platforms).

A. General Personal Data (for all individuals)

Identity Data: Name, job title, company/organisation name.
Contact Data: Email address, postal address, telephone number.
Technical & Usage Data: IP address, browser type, operating system, website visit history, log data (collected via cookies and similar technologies—see our separate Cookie Policy).
Communication Data: Information you provide when contacting us via forms, email, or telephone.
Professional Data: CV, cover letter, and interview notes (for job applicants).

B. Special Category Data (Health/Genomic Data)

We process genetic and health data when providing our genomic analysis and clinical interpretation services. This is Special Category Data under GDPR/UK GDPR, requiring a higher level of protection and a specific lawful basis.

Genetic Data: Processed genomic sequences (e.g., NGS data, variant information), patient reports, and clinical interpretation results from our software platform.
Health Data/PHI: Clinical phenotype, diagnostic information, and medical history relevant to the genomic analysis.

Note on Patient Data: For patient data, SeqOne typically operates as a Data Processor (under GDPR/UK GDPR) or a Business Associate (under HIPAA) on behalf of our client laboratories and healthcare providers (Data Controllers / Covered Entities). Our clients are responsible for ensuring they have the necessary legal basis (e.g., explicit consent or public interest in the area of public health) before providing us with patient data. We are contractually obligated to process this data strictly according to their instructions and legal requirements (Data Processing Agreements (DPAs) and Business Associate Agreements (BAAs)).

C. Connection Data and Cookies

When you visit our websites or use our online services, we collect data automatically.

Connection Data: IP address, access times, requested files, referral URL, and technical information about the device and operating system you use. This data is necessary for the proper functioning and security of our services.
Cookies and Tracking Technologies: Small text files placed on your device. We use them to:
- Strictly Necessary Cookies: Enable website functionality and security.
- Performance/Analytics Cookies: Help us understand how visitors use the site, which pages are most popular, and identify areas for improvement.
- Marketing/Targeting Cookies: Used to track your browsing habits and potentially show you relevant SeqOne advertisements on other sites (where consent is given).

Management: We use a Cookie Consent Management Platform (CMP) that allows you to accept or reject non-essential cookies. You can manage your preferences at any time via the cookie settings link on our website. For detailed information, please consult our separate Cookie Policy.

D. Social Network Data

We maintain official SeqOne pages on professional social media platforms (e.g., LinkedIn).

Interactions: We process data you voluntarily provide when you like, share, comment on, or send us messages via these platforms.
Profile Data: Depending on your privacy settings on the respective social network, we may see your name, public profile picture, professional title, and company.
Joint Controllership: For some types of processing (e.g., analytics of page visits), SeqOne and the social network platform may act as Joint Controllers. The platform (e.g., LinkedIn) typically holds primary responsibility for providing information and facilitating rights execution.

‍

Article 3. Global compliance & Lawful basis

US Health Data Compliance (HIPAA)

SeqOne Inc. and SeqOne S.A.S. (when working with US Covered Entities) comply with the US Health Insurance Portability and Accountability Act (HIPAA), including the Privacy Rule, Security Rule, and Breach Notification Rule, specifically regarding Electronic Protected Health Information (ePHI).

HIPAA Requirement	SeqOne Compliance Measure
Business Associate Agreement (BAA)	Mandatory contract with all Covered Entities that defines the permissible uses, disclosures, and security requirements for PHI.
Security Rule (ePHI)	Implementation of required administrative, physical, and technical safeguards, including encryption of ePHI both in transit and at rest.
Minimum Necessary Rule	Limiting the use and disclosure of PHI to the minimum amount necessary to perform the requested function (e.g., genomic analysis).
Breach Notification Rule	Established protocols for notifying Covered Entities without unreasonable delay following the discovery of a breach involving unsecured PHI.

‍

Purposes & lawful basis for processing (GDPR/UK GDPR)

We will only process your personal data when we have a valid legal basis to do so.

Processing Activity	Categories of Data Processed	Lawful basis (GDPR/UK GDPR)
Providing Core Services (Genomic Analysis, Clinical Decision Support)	Special Category Data (Genetic, Health) and General Data (User IDs, Service Logs)	Art. 9(2)(h) and Art. 6(1)(f) (Legitimate Interest): Necessary for the provision of health care services on behalf of our customers (Data Processors). The data is highly secured and often pseudonymised. Explicit Consent (Art. 9(2)(a)) is obtained by the Data Controller (our client).
Contract Management (Customer/Supplier relations)	Identity, Contact, Financial Data	Art. 6(1)(b) (Contractual Necessity): To fulfil our obligations under a contract with you or your organisation.
Website Operation & Improvement	Technical & Usage Data	Art. 6(1)(f) (Legitimate Interest): For system security, maintenance, and to improve our website experience. Consent (Art. 6(1)(a)) for non-essential cookies.
Social Media Engagement	Social Network Data, Contact Data	Art. 6(1)(f) (Legitimate Interest): To promote our activities, respond to public queries, and conduct B2B marketing.
Marketing & Communications	Identity, Contact, Communication Data	Art. 6(1)(a) (Consent): For sending newsletters and marketing materials. You can withdraw consent at any time. Art. 6(1)(f) (Legitimate Interest): For commercial prospecting to B2B contacts.
Recruitment	Professional, Identity, Contact Data	Art. 6(1)(b) (Steps prior to contract): To assess and process your job application.
Legal Compliance & Security	All Categories	Art. 6(1)(c) (Legal Obligation): To comply with legal requirements (e.g., financial reporting, medical device regulation). Art. 6(1)(f) (Legitimate Interest): For IT security and fraud prevention.

‍

Article 4. How we share your personal data

We may share your personal data with the following categories of recipients:

SeqOne Group Entities: Your data may be shared internally among SeqOne S.A.S. and SeqOne Inc. (and other SeqOne entities across our sites in Montpellier, Paris, and Cambridge) for administrative, billing, and resource management purposes, under strict internal data protection agreements.
Service Providers (Processors): Trusted third parties who perform services on our behalf, such as cloud hosting providers (e.g., ISO 27001 and HDS certified hosts), IT support, and email delivery services. These providers are only allowed to process your data according to our instructions.
Social Network Platforms: When you interact with our pages, the platform itself collects and processes data according to its own privacy policy.
Professional Advisers: Lawyers, auditors, and insurers who provide professional services.
Regulatory & Legal Authorities: We will disclose your data when legally required to comply with regulations (e.g., FDA, MHRA, CNIL, HHS), such as in response to a court order or to comply with medical device regulations.
Acquirers or Successors: In the event of a merger, acquisition, or asset sale, your personal data may be transferred to the new entity.

‍

Article 5. How long we keep your Data

Security

We implement robust technical and organisational security measures, including encryption, access controls, and regular audits, to protect your personal data, especially the highly sensitive Special Category Data, against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.

Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes we collected it for, including for satisfying any legal, accounting, or reporting requirements. Retention periods vary depending on the data type:

Service Data (Genetic/Health): Retention periods for Health Data/PHI are determined by the specific BAA/DPA with the client and applicable medical device and health records laws in the relevant jurisdiction (France, UK, or USA).
Recruitment Data: Typically retained for a maximum of 1 year after the recruitment process is complete, unless a longer period is legally required or you consent to being held for future opportunities.
Marketing Data: Kept until you object to receiving communications.
Connection Data & Cookies: Session cookies are deleted when you close your browser; persistent cookies are retained for a maximum duration (specified in our Cookie Policy).

‍

Article 6. Transfer of data outside the European Union

As an international company, we may transfer personal data between our sites in the EU (France) and the UK, and to other third-party service providers located outside these areas.

EU/UK ↔ UK Transfers: We rely on the UK Adequacy Regulations for data flowing from the UK to the EEA, and the EU Adequacy Decision for data flowing from the EEA to the UK.
Transfers Outside the EU/UK: For any transfer outside of jurisdictions deemed 'adequate' by the European Commission or the UK government, we will ensure that appropriate safeguards are in place, such as:
- Standard Contractual Clauses (SCCs): The relevant EU or UK versions, supplemented by necessary risk assessments.
- Binding Corporate Rules (BCRs).

‍

Article 7. Your data protection rights

Under GDPR and UK GDPR, you have the following rights regarding your personal data. To exercise any of these rights, please contact our DPO using the details in Section 1.

Your Right	Description
Right to be Informed	To receive clear and transparent information about our data processing (as provided in this notice).
Right of Access	To request a copy of the personal data we hold about you (Data Subject Access Request).
Right to Rectification	To have any incomplete or inaccurate data we hold about you corrected.
Right to Erasure	To ask us to delete or remove personal data where there is no good reason for us to continue processing it (the "right to be forgotten"), by withdrawing consent for example.
Right to Restrict Processing	To ask us to suspend the processing of your personal data, for example, if you want us to establish its accuracy or the reason for processing it.
Right to Data Portability	To request the transfer of your personal data to another party in a structured, commonly used, machine-readable format.
Right to Object	To object to the processing of your personal data where we are relying on a legitimate interest (or that of a third party) and there is something about your particular situation that makes you want to object. You also have an absolute right to object to processing for direct marketing purposes.
Rights related to Automated Decision-Making	The right not to be subject to a decision based solely on automated processing (including profiling) which produces legal or similarly significant effects.

‍

‍Right to Lodge a Complaint

You have the right to lodge a complaint with the relevant supervisory authority in your jurisdiction:

For France (EU GDPR): The CNIL (Commission Nationale de l'Informatique et des Libertés).
For the UK (UK GDPR): The ICO (Information Commissioner's Office).
USA (HIPAA): US Department of Health and Human Services (HHS) Office for Civil Rights (OCR).

‍