Terms of Agreement
Last Updated: August 29, 2022
Personalis, Inc. (“Personalis”, “We”, or “Us”) respects the privacy of visitors to our website and is committed to protecting it through our compliance with this policy. Personalis is located in the United States and personal data provided to us will be used and maintained by us in the United States. For United States residents, we provide this policy in accordance with the California Consumer Privacy Act of 2018 (“CCPA”), the California Consumer Rights and Protection Act (“CPRA”) and other applicable California privacy laws (collectively, “California Law”), the Colorado Privacy Act of 2020 (“CPA”) and other applicable Colorado privacy laws, and the Virginia Consumer Data Protection Act (“CDPA”) and other applicable Virginia privacy laws, collectively, State Privacy Laws (“SPL”). Where necessary, this policy specifies state-specific information. Otherwise, this policy adopts the most stringent requirements of SPL and affords them to all U.S. residents.
For individuals within China, the section on “Chinese Users” provides information regarding our appropriate mechanisms for personal data transfer from China related to the Personal Information Protection Law (“PIPL”).
For European Union (“EU”) and United Kingdom (“UK”) residents, the section on “European Users” provides information regarding our appropriate mechanisms for personal data transfer from the EU and information related to the UK Data Protection Act of 2018 (“DPA 2018”) and the General Data Protection Regulation of 2018 (“GDPR”), EU 2016/679.
If you live in the US, please read our Notice of Privacy Practices Under HIPAA for US Residents.
Data Collection and Use
We may collect, store, and use several types of information that is provided to us by you, or on your behalf. Examples include both (1) personally identifiable information and (2) non-personal information. This information may include information voluntarily submitted by you (e.g., emails, requests for information through our Websites, other correspondence) or information collected from activity with our Websites. We may also receive information about you from your physicians or other healthcare providers when ordering tests or Services from us. For more detailed information on personal information from children, please refer to the “Children’s Policy” section below.
The categories of information that we may collect are:
- Information by which you may be personally identified, such as your name, postal address, email address, telephone number, medical record identifiers, IP address, or any other identifier by which you may be contacted online or offline. This may also include other information that has been identified as personal information under CCPA, including your signature, health insurance information, financial information for payment purposes, or other medical information.
- Classification characteristics that are protected under state or federal law, including race, age, marital status, medical condition, gender, veteran status, and genetic information.
- Biometric information, including particular genetic sequence information related to cancer.
- For individuals seeking employment with Personalis, information related to your professional or employment-related history, education, work history, gender, race and ethnicity information, veteran status, and disability status.
- Information that is about you but does not identify you, such as information about your internet connection, the equipment you use to access our Websites, and other usage details. We collect this information directly from you when you provide it to us and/or automatically as you navigate through our Websites.
We will only use your personal information for the purposes for which it was collected. We will only collect as much personal data as is reasonably necessary in relation to our business purposes. We may use information that we collect about you or that you provide to us, including any personal information, for the following purposes: to provide our Websites and/or Services to you; to provide you with information, products, or services that you request from us or that we believe may be of interest to you; to contact you; for payment purposes; to provide information to your physicians and other healthcare providers; and to fulfill any other purpose for which you provide it. We may also use and process your personal information for marketing purposes (e.g., to offer or furnish additional information to you about Personalis, its products and/or services), to personalize the types of information you receive from Personalis, to store your interests and preferences in order to customize your use of our Websites, to communicate with you, to verify compliance with the terms and conditions of our Websites, to authenticate customers and users, to evaluate how our Websites are being used and the audience the Websites are reaching, to compile, identify, and analyze trends and interests to help us improve our Websites and/or Services, and to develop and improve the content and operation of our Websites or Services to better serve the needs of our customers and users.
We may also use your personal information to provide you with customer support and to maintain and improve our Websites. We may combine your information with other information about you that is available to us, including information from other sources, in order to maintain accurate records of individuals who engage our services and to assist with the marketing of Personalis products and services. Additionally, your personal information may be aggregated with information from other users of our Websites such that the information no longer personally identifies you. We will take reasonable measures to ensure this de-identified data cannot be associated with you. We will not attempt to re-identify individuals from the aggregated information. Any recipient of de-identified data from Personalis is contractually obligated to also refrain from attempting to re-identify individuals from aggregated data as well as to take steps to ensure the aggregated information cannot be associated with any one individual.
We may use and process the aggregated information for the general purpose of evaluating our market and/or business trends, our customer and user demographics, interests and behavior, our past and future product and/or service offerings and/or pricing, or other aspects of our business. We may share such aggregated information with our business partners, vendors, distributors, or other collaborators for these same purposes. We may also sell or license such aggregate information to one or more third parties for use and processing in a similar manner.
While Personalis makes every reasonable effort to protect information collected through our Websites and Services, based on the volume, scope, and nature of the personal data processed, please be aware that there is always some risk involved when submitting data over the Internet. We cannot guarantee that our Websites are 100% safe from illegal tampering or “hacking.” Any data transmitted over the Internet may be at risk; however, once it is received at Personalis and entered into its database, it has the same protection that Personalis extends to its own confidential information. We track the total number of visitors to our Websites, the number of visitors to each page of the Websites, and the domain names of our visitors’ Internet service providers. No personally identifiable information is gathered in this process.
Personalis’s general retention policy is to retain your personal information for only as long as is necessary for the business purposes for which your personal information was collected. The length of time that Personalis retains any personal information including, but not limited to, first-party cookies, and your name, address, email and genetic information varies depending on the legal basis for processing that personal information, applicable regulations, and Personalis’s need to establish, exercise, or defend legal claims.
The following table outlines the criteria applied to retention decisions for each category of personal information. The retention period for each category will only be as long as is reasonably necessary to achieve the business purpose(s) for which it was collected and to comply with applicable regulations.
|Identifiers|Identifiers may be collected to perform services on behalf of the business, to provide advertising and marketing services, to ensure security and integrity, and to undertake activities to verify or maintain the quality or safety of a service or device and to improve, upgrade, or enhance a service or device.|
|Biometric Information, including genetic data|Biometric information may be collected to perform services on behalf of the business, to undertake internal research for technological development, and to undertake activities to verify or maintain the quality or safety of a service or device and to improve, upgrade, or enhance a service or device.|
|Internet Activity Information|Internet activity information may be collected for auditing related to online advertising, debugging to identify and repair errors, performing services on behalf of the business, and providing advertising and marketing services.|
|Employment-related information|Employment-related information may be collected to ensure security and integrity and to perform services on behalf of the business.|
Personalis follows contractual rights and responsibilities with respect to processing and retaining personal information. Please note that, if Personalis processes your personal information on the legal basis of your consent and you withdraw your consent, your personal information will not be retained unless another legal basis for retaining your data has been established and communicated to you. In some circumstances Personalis may anonymize personal information so that it may no longer be associated with an individual, and in such cases we may use that anonymized information without further notice to you and outside of this Policy.
Sometimes business and legal requirements oblige us to retain certain information, for specific purposes, for an extended period of time. Reasons we might retain some data for longer periods of time include:
- Security, fraud & abuse prevention
- Financial record-keeping
- Complying with legal or regulatory requirements
- Ensuring the continuity of our services
- Direct communications with Personalis
Your Rights and Choices for Your Information
We provide the above disclosures and mechanisms described in this policy so you can exercise your rights to receive information about our data practices, as well as to request access to and deletion of your personal information. We provide two mechanisms that allow you to submit requests to access, review, update, and/or delete your information. You can submit such requests by (1) calling our toll-free number at 1-855-436-6634 or (2) emailing us at [email protected]. These are the same mechanisms that you may use to appeal any refusal of the data subject rights described in SPL. We will provide a written description of the actions and reasons taken in response to an appeal within 60 days. Appeals will be addressed within 60 days.
Your Rights and Choices under CCPA
The CCPA provides California consumers with specific rights regarding their personal information, including your right to request that we disclose certain information to you about our collection and use of your personal information over the past year. Once we receive and can confirm that your request is verified and legitimate, we will disclose to you: (1) the categories of personal information we collected about you; (2) the categories of sources for the personal information we have collected; (3) our business purpose for collecting that personal information; (4) the categories of third parties with whom we have shared that personal information; and (5) the specific pieces of personal information that we have collected about you (this is also known as a data portability request). In addition, you also have the right to request that we delete any of your personal information that we’ve collected from you and retained, subject to certain laws and other exceptions. Once we receive your verified and legitimate request, we will delete your personal information, unless an exception applies, and inform you of the deletion. We reserve the right to deny your deletion request if retaining the information is necessary for us to perform the Services that you’ve requested from us, or pursuant to applicable law.
Your Rights and Choices under other State Privacy Laws
You may contact the Colorado Attorney General’s Office by visiting this website (https://coag.gov/) if appealing in relation to a CPA-based request or the Virginia Attorney General’s office by visiting this website (https://www.oag.state.va.us/) if appealing in relation to a CDPA-based request with concerns about the outcome of any appeal.
Personalis does not sell your identifiable personal information. We only share your information as described in this policy. Personalis also processes your information for the purposes described in this policy which include disclosures permitted for ‘business purposes’ or ‘internal operations’ by SPL. These purposes include:
- Protecting against security threats, abuse, and illegal activity. Personalis uses and may disclose information to detect, prevent, and respond to security incidents, and to protect against other malicious, deceptive, fraudulent, or illegal activity.
- Developing new products and features that are useful to our customers.
- Marketing to inform users about our products and services.
- Performing research that improves our products and services for our customers.
- Fulfilling obligations to our customers.
- Enforcing legal claims, including investigation of potential violations of applicable Terms of Agreement.
Links to Third Party Websites
Children’s Policy
We are committed to protecting the privacy of children. Our Website is not intended for or designed to attract children under the age of 13. We do not knowingly collect personal information from children under 13. If we learn that we have collected or received personal information from a child under 13 without verification of parental consent, we will delete that information. If you believe that we may have any information from or about a child under 13, please contact us at [email protected]. Parents of a child under 13 may initiate the process of verifying their consent for their child to use the site by contacting us at [email protected].
Chinese Users
If you access the Website from within China, then this section may apply to you and you may contact us at [email protected] in order to exercise your rights to access, correct, know, delete, data portability, restrict processing, withdraw consent, and lodge a complaint with regulators.
Personalis is located and operates in the United States; as such, your information may be transferred to entities located outside China, including entities located in the United States, for processing consistent with those listed above. Personalis will treat all personal information received from you in accordance with Personal Information Privacy Law requirements.
Personalis has conducted a risk assessment on the cross-border transfer of information from China. The transfer is necessary for Personalis’s business purposes. The use of this Website by an individual from within China constitutes informed, voluntary, and explicit consent for the handling and transfer of personal information. To revoke that consent, users within China must contact us at [email protected].
European Users
If you are an EU citizen or are accessing the Website from within the European Economic Area, then this section may apply to you and you may contact us at [email protected] in order to exercise your rights to request access to, update, remove, and restrict the processing of your information.
Personalis is located and operates in the United States; as such, your information may be transferred to entities located outside the European Economic Area, including entities located in the United States, for processing consistent with those listed above. Personalis will treat all personal information received from you in accordance with GDPR requirements.