Privacy Policy
Last Updated: 2026-07-13
Before You Read the Full Policy
This summary is provided for convenience only. It does not replace or limit the full Privacy Policy below, which is the legally binding document. In short:
- Your genetic data is never sold to third parties, data brokers, or insurance companies without your specific consent to that particular disclosure, and you can request deletion of it at any time.
- Your physical DNA sample is destroyed within 180 days of testing, or sooner on request.
- We share your sample with one laboratory partner, solely to generate your results, under our instructions — see Section 5.
- You can access, correct, delete, or receive a copy of your data at any time — see Section 10.
- This Policy is governed by Lithuanian law, with disputes handled through arbitration — see Section 14.
1. Who We Are
1.1 Data Controller. This Privacy Policy (“Policy”) is issued by Pik Brands, UAB, a private limited liability company organized under the laws of the Republic of Lithuania, registration number 306461313, registered address Žirmūnų g. 70, LT-09124 Vilnius, Lithuania, doing business as “BYOSOM” (“BYOSOM,” “we,” “us,” or “our”). Pik Brands, UAB is the data controller responsible for your personal data.
1.2 Scope. This Policy explains how we collect, use, store, share, and protect personal information — including genetic information — in connection with byosom.com and our DNA-personalized skincare products and services (collectively, the “Services”). It should be read together with our Terms and Conditions.
1.3 Acceptance. By using our Services, you acknowledge this Policy. Where we rely on your separate consent for a particular activity — most importantly, genetic testing — we obtain that consent independently, as described in Section 5.
2. Important Notice: Arbitration Agreement
This Policy contains an agreement to resolve disputes through binding, individual arbitration rather than in court, and a waiver of your right to a jury trial and to participate in a class action. See Section 14 for full details, including how to opt out.
3. Information We Collect
3.1 Information You Provide. Your name, email address, phone number, shipping and billing address, payment details (processed by our payment processor; we do not store full card numbers), account credentials, and any information you share with our support team.
3.2 Information Generated Through Our Services. Your genetic information (Section 5), your personalized formulation and skincare recommendations, and your order and subscription history.
3.3 Information Collected Automatically. Device and browser information, IP address, and how you use our Site, through cookies and similar technologies (Section 12).
4. How We Use Your Information
We use your information to: process orders and manage your subscription; generate your genetic report and personalized formulation; communicate with you about your account, orders, and — with your consent — marketing; maintain and improve our Services, including through aggregated or de-identified analysis; and comply with our legal obligations.
5. Genetic Information: Collection, Use, and Consent
5.1 Separate Consent Required. Before we test your DNA sample, we obtain your explicit, specific consent to that testing, separate from your general acknowledgment of this Policy.
5.2 What We Test. Our analysis examines genetic markers associated with skin characteristics, including genes associated with collagen breakdown, antioxidant defense, and hydration and barrier function (among others: MMP1, MMP3, SOD2, GPX1, CAT, NQO1, AQP3, COL1A1).
5.3 Our Laboratory Partner. Testing is performed by an independent, accredited third-party laboratory — certified by CLIA and other applicable accrediting bodies — acting solely on our instructions and solely to generate your results. Our laboratory partner does not use your genetic data for its own purposes. We receive only the analysis results relevant to skincare characteristics — not your complete raw genetic profile.
5.4 No Sale of Genetic Data. We do not sell, rent, or otherwise provide your genetic data to third parties for marketing purposes, to data brokers, or to insurance companies, employers, or similar entities, unless you have given specific, informed consent to that particular disclosure. Your general acceptance of this Policy does not constitute consent for this purpose.
5.5 Retention and Destruction. Your physical DNA sample is retained for a maximum of 180 days following testing, after which it is destroyed, or destroyed earlier on your request. Your digital genetic results are retained for as long as your account remains active, unless you request deletion under Section 10.
5.6 Withdrawing Consent. You may withdraw your consent and request deletion of your genetic data and any remaining physical sample at any time. We will process such requests within 90 days. Doing so may limit or end our ability to provide personalized formulations or access to prior reports.
5.7 Law Enforcement Requests. We do not voluntarily disclose your genetic data to law enforcement. We disclose it only in response to a valid subpoena, court order, or other legal process we determine, in good faith, to be legally binding, and we will notify you of such a request unless legally prohibited from doing so.
5.8 State Genetic Privacy Laws. Depending on your state of residence, you may have additional rights under state genetic-privacy statutes, such as California’s Genetic Information Privacy Act. Nothing in this Policy limits any non-waivable right you have under such laws.
5.9 Biometric Information. Genetic information may be considered biometric information under certain state laws. We apply the protections in this Section 5 to genetic data regardless of how it is separately classified under applicable law.
6. How We Share Your Information
6.1 Service Providers. We share information with service providers who perform functions on our behalf — our laboratory partner (Section 5.3), logistics and fulfillment partners, and payment processors — each under contractual obligations to use your information only as we direct and only for the purpose of their engagement.
6.2 Legal and Safety Disclosures. We may disclose information where required by law, to respond to valid legal process, or to protect the rights, property, or safety of BYOSOM, our customers, or the public.
6.3 Business Transfers. If BYOSOM is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction, subject to this Policy or a successor policy of which you will be notified.
6.4 No Sale of Personal Information. We do not sell your personal information.
7. International Data Transfers
7.1 Transfers to the United States. Our laboratory partner and certain other service providers described in this Policy are located in the United States. Providing our Services necessarily requires sending your DNA sample and related data to the United States for analysis and fulfillment.
7.2 Legal Basis. As a company established in Lithuania, we are subject to the GDPR’s requirements governing transfers of personal data outside the European Economic Area. We rely on your explicit, informed consent to this specific transfer — given as part of your consent to genetic testing under Section 5 — as the basis for this transfer. We do not currently rely on the EU-U.S. Data Privacy Framework or Standard Contractual Clauses for this transfer. We are evaluating whether additional safeguards are appropriate for this relationship and will update this Policy if our practices change.
This section states our actual current practice rather than claiming frameworks not yet in place. See the accompanying notes for why this is the single highest-priority item for legal review.
8. Data Retention
Beyond the genetic-data-specific schedule in Section 5.5, we retain: account information for 7 years after account closure; custom formulation data for 10 years; purchase history for 7 years; and communication records for 3 years. We retain information for these periods to support warranty, legal, and quality obligations, and delete or anonymize it afterward except where a longer period is required by law.
9. Security
We use encryption, access controls, and barcode-based sample identification to protect your information, and we require our staff and service providers to maintain its confidentiality. No system is completely secure, and we cannot guarantee absolute security. We will notify you and any applicable regulator of a data breach affecting your information as required by applicable law.
10. Your Privacy Rights
10.1 Your Rights. You may request to: access the personal information we hold about you; correct inaccurate information; delete your information; receive a copy of your information in a portable format; restrict or object to certain processing; and withdraw consent you have previously given. To exercise these rights, contact us using the information in Section 15. We will respond within 30 days, except as described in Section 5 for genetic-data-specific requests.
10.2 California Residents. If you are a California resident, you have the right to know what personal information we collect, request its deletion, opt out of its sale (we do not sell personal information), and not be discriminated against for exercising these rights. California’s Genetic Information Privacy Act provides additional protections specific to genetic data, consistent with Section 5 of this Policy.
10.3 Verification. We may need to verify your identity before completing a request under this Section 10.
11. Children’s Privacy
Our Services are not directed to, and are not intended for use by, anyone under 18. We do not knowingly collect personal information from anyone under 18. If we learn we have done so, we will delete it promptly.
12. Cookies and Third-Party Services
We use cookies and similar technologies to operate our Site, remember your preferences, and understand how our Site is used. You can control cookies through your browser settings. Our Site may link to third-party services, which operate under their own privacy policies; we are not responsible for their practices.
13. Policy Updates
We may update this Policy at any time. We will post the updated Policy on our Site with a new “Last Updated” date and, where required by law or where you have an active account, notify you by email. Your continued use of our Services after an update takes effect constitutes your acceptance of the revised Policy.
14. Governing Law and Dispute Resolution
14.1 Governing Law. This Policy is governed by the laws of the Republic of Lithuania, without regard to its conflict-of-laws principles, except that this Section 14 is additionally governed by, and interpreted consistent with, the U.S. Federal Arbitration Act.
14.2 Agreement to Arbitrate. Except for disputes eligible for small claims court under Section 14.5, you and BYOSOM agree that any dispute, claim, or controversy arising out of or relating to this Policy will be resolved by binding arbitration administered by the American Arbitration Association (“AAA”) under its Consumer Arbitration Rules, rather than in court.
14.3 Individual Basis Only. Arbitration will be conducted on an individual basis. You and BYOSOM each waive any right to bring or participate in a class, collective, or representative action.
14.4 Jury Trial Waiver. You and BYOSOM each waive any right to a jury trial for any claim subject to arbitration under this Section 14.
14.5 Small Claims Court Option. Either party may instead bring an individual qualifying claim in small claims court, in lieu of arbitration.
14.6 Right to Opt Out. You may opt out of this arbitration agreement by sending written notice to the address in Section 15 within thirty (30) days of first accepting this Policy. If you opt out, disputes will be resolved in a court of competent jurisdiction consistent with Section 14.1’s choice of law, and Sections 14.2 through 14.5 will not apply to you.
15. Contact Information
Pik Brands, UAB, doing business as BYOSOM
Žirmūnų g. 70, LT-09124 Vilnius, Lithuania
Registration No. 306461313
Email: [email protected]