Definitions
- Company - Compass Bioinformatics Inc. and any affiliates. Company acts as a Data Processor on behalf of Software Product(s) (InheriNext®, InheriNext® Edge) Users.
- Software Product(s) - Analytical software platforms: InheriNext®, InheriNext® Edge.
- Individual Data - Any private or identifying information from an individual person to which a User has been granted access for the purpose of obtaining a genetic health report.
- Personal Data - Any personal information (e.g. name, contact information, payment information) collected from an individual for the purpose of receiving a genetic health report. This includes genomic data (that is, data about an individual’s genetic sequence or DNA) and medical or health data (e.g., phenotype presentations, relevant medical history, and information collected by integrated apps and devices).
- User - A person (or laboratory or clinic) that has been granted access, through informed consent, to an individual’s genetic data for the purpose of having the data analyzed by Software Product(s) to understand if relationships exist between the data and potential health conditions. User acts as the Data Controller for Individual Data.
- User Data - Account registration and contact information (email address, first name, last name, country, phone number (optional), organization name (optional), division or subunit (optional)) of the person or persons who will perform analysis of an individual’s data with Software Product(s).
What Information We Collect
- Information User shares with Company for the purpose of receiving a genetic health report using the Software Product(s). These data are provided to us in accordance with Company’s Terms of Use. This data is never shared with or sold to a third party.
- Information necessary to create digital access to the Software Product(s) platform is defined as User Data. This data is never shared with or sold to a third party.
- We collect Web-Behavior Information via cookies and other similar tracking technologies. Cookies are not stored permanently and are never shared or sold to third parties. See Company’s Cookie Policy for more details.
How We Use Your Information
Company uses the information uploaded to the Software Product(s) Website to generate reports and provide analysis tools to support a User’s ability to understand the content of each report and apply personal judgment in the report’s usage. The Company uses aggregated and summarized Personal Data to improve the accuracy of future reports; Company does not use discrete Personal Data or Individual Data apart from its incorporation in the Software Product(s)’s report. Company does not retain Personal or Individual Data for any purpose other than compliance with Good Laboratory Practices such as CLIA, or for compliance with relevant data retention law(s).
Data Rights of Each Individual
- Right to be Informed - Full details are described in this Privacy Policy. Users will be informed of any use of the data collected. Users as Data Controllers can share such information with Individuals as legally required.
- Right of Access - Users can download all data uploaded to Software Product(s) to review, edit, or delete Personal Data at any time. Individuals can access their data from User as the Data Controller.
- Right to Rectification - At any time, Users can delete and resubmit Individual Data to make corrections and edit Personal Data. For inaccuracies in Individual DNA or health record information, Users must contact the organization who controls the origination of the data (e.g. a genetic testing lab, their physician’s office, etc.) to make corrections to the original data sent to Software Product(s). Once corrected, the User can resubmit the data. Individuals can request rectification from the User as the Data Controller.
- Right to Object Processing - At any time, Users can have the informed consent revoked requiring the Personal Data associated with the informed consent to be removed from the Software Product(s) database subject to Company’s data retention policy (see below). Individuals can object to processing from the User as the Data Controller.
- Right to Restrict Processing - There is no data processing supported on the submitted data other than the processing necessary for the return of a genetic health report. Data is not available for any secondary use through Software Product(s).
- Right to Data Portability - Users can download all submitted data for their review in the format originally submitted. Genetic data generated by the Company is available in a standard textual file format (vcf). Users can also view, edit, or delete their submitted and/or genetic data at any time. Individuals can request a copy of their data from the User as the Data Controller.
- Right to be Forgotten (Erasure) - At any time, Users can delete their account, and all Individual Data and Personal Data will be permanently removed, or purged, from Company’s database subject to Company’s data retention policy (see below). Individuals can request deletion of their Individual Data from the User as the Data Controller. User Data describing a business account is retained.
- Right in Relation to Automated Decision Making and Profiling - No automated decision making or profiling is performed by Company.
To file a complaint or make an inquiry about your data privacy rights, please send an email to [email protected]. For any other inquiries, please email info@compassbioinfo.com.
Company will respond via email within three (3) business days.
Data Retention
- Individual Data is deleted from the backend within 14 days of User’s deletion request.
- Personal Data is deleted from the backend within 14 days of User’s deletion request.
- The above Individual Data and Personal Data will be removed from data back-ups within thirty (30) business days.
- Any derived AI models (using aggregate data) that have been completed prior to User/Individual consent revocation will not be affected by a decision to purge data or revoke consent and will be retained in the models.
- User Data is retained to maintain the validity of the business records of the Company.
Third-Party Tools and Business Services
- Data hosting. The Company uses Google Cloud Platform (GCP) and Amazon Web Services (AWS) as Company’s cloud solutions providers. The Company uses various GCP and AWS data centers with the aim of providing optimal Member experience. The Company ensures that all data is protected with appropriate security and access safeguards in accordance with applicable privacy laws. We use data protection agreements with Company’s data hosting provider(s) to confirm compliance with applicable data protection and data privacy laws.
- Business Services. Business partners and subcontractors may access User Data in fulfillment of their contracted business services. This is inclusive of promotional and/or marketing events.
- Compliance. There may be a need to share User Data with regulators, data protection authorities, and/or enforcement agencies – as compelled by regulation or law.
- Legal and Financial Services. User Data may be shared during the Company’s operations to support its operations.
Security & Privacy Measures
The Company takes the security and privacy of all data very seriously. The Company uses technical, physical, and administrative controls designed to protect Personal Data and Individual Data from unauthorized access or disclosure and to regulate the appropriate use of this information. User Data is also secured and protected for all clients of the Company.
Data is segregated and encrypted in such a way that it reduces the risk of anyone trying to compromise Individual or Personal Data. The Company leverages what it believes to be best-in-class compliant infrastructure in all processes including data storage and processing. Compliance with the General Data Protection Regulation (GDPR) is characterized through data protection impact assessments (DPIAs) on an as-needed basis. Compliance with other data protection regulations is addressed in a manner consistent with each law and each jurisdiction (e.g., APPI for Japan).
Company protects data using safeguards such as data backups, audit controls, access controls, data encryption, data segregation, and account creation and login verification. Company’s site and APIs use Secure Sockets Layer (SSL) technology to encrypt all connections to and from Company’s site and APIs to enhance security of electronic data transmissions. The Company employs the encryption of data at rest and during transit for added security.
Contact Information
For any questions about Company’s Privacy Policy, contact us at:
Compass Bioinformatics Inc
Attention: Data Protection Officer
Email: [email protected]
Responses will be made within three (3) business days.
Changes to this Privacy Policy
Company cannot foresee all the potential applications of the data it collects, particularly in a rapidly developing field such as genomics and medical research. Therefore, the Company reserves the right to update this Privacy Policy from time to time. Before implementing any changes that involve the Company’s use of Individual Data and/or Personal Data the Company will first notify Users of the proposed changes at least 30 days before their effectiveness to provide Users with the opportunity to inform potentially affected individuals to potentially revoke informed consent, purge some or all of the Individual Data or Personal Data, or delete data altogether if the revised terms depart from the User’s data controller obligations. If Users do not take one of these actions after receiving notice of those proposed changes, to the maximum extent permitted by applicable law, Users agree that they will be bound by the updated terms when they become effective.
Company reserves the right to update this Privacy Policy as it applies to Personal Data only from time to time without advance notice. When these changes are made, the Company will make a new copy of this Privacy Policy available on its website. Such changes will not apply retroactively but may be effective immediately on being made available on the Company’s website. Users acknowledge and agree that if Users access any of Company’s services covered by this Privacy Policy after the effective date of the change, to the maximum extent permitted by applicable law, they agree that they will be bound by the updated terms.
Users are responsible for ensuring that all contact information (i.e., User Data) remains up to date and valid.