Definitions
- Company. Compass Bioinformatics Inc and any affiliates.
- Individual Data. Any private or identifying information about an individual to which a user has been granted access for the purpose of obtaining a genetic health report.
- Personal Data. Any personal information (e.g., your name, contact information, payment information) collected on an individual for the purpose of receiving a genetic health report. This includes genomic data (that is, data about an individual’s genes, or DNA) and medical or health data (e.g., phenotype presentations, relevant medical history, and information collected by integrated apps and devices).
- User. A user who has been granted access through informed consent to an individual’s sample or genetic data for the purpose of having the data analyzed by InheriNext to understand if relationships exist between the data and potential health conditions. A User acts as the Data Controller for Individual Data.
- User Data. Account registration and contact information (email address, first name, last name, country, phone number (optional), organization name (optional), division or subunit (optional)).
What Information We Collect
- Information a User shares with us for the purpose of receiving a genetic health report using InheriNext. These data and/or samples are provided to us in accordance with our Terms and Conditions. This data is never shared with or sold to a third party.
- Information necessary to create digital access to the InheriNext platform is defined as User Data. This data is never shared with or sold to a third party.
- We collect Web-Behavior Information via cookies and other similar tracking technologies. Cookies are not stored permanently and are never shared or sold to third parties. See our Cookie Policy for more details.
How We Use Your Information
The Company uses the information uploaded to the InheriNext Website to generate reports and provide analysis tools to support a user’s ability to understand the content of each report and apply personal judgment in the report’s usage. The Company uses aggregated and summarized Personal Data to improve the accuracy of future reports; the Company does not use discrete Personal Data or Individual Data apart from its incorporation in an InheriNext report. The Company does not retain Personal or Individual Data for any purpose other than compliance with Good Laboratory Practices such as CLIA, or for compliance with legal data retention law.
Data Rights of Each Individual
- Right to be Informed. Full details are described in this Privacy Policy. Both Users and the individuals whose data was sent to InheriNext would be informed of any use of the data collected.
- Right of Access. Users can download all data uploaded to InheriNext to review, edit, or delete any Personal Data at any time. Individuals can access their data via the User that uploaded data to the InheriNext platform as a Data Controller.
- Right to Rectification. At any time, Users can delete and resubmit Individual Data to make corrections and edit Personal Data. For inaccuracies in Individual DNA or health record information, Users must contact the organization that controls the origination of the data (e.g., 23andMe, a genetic testing lab, their physician’s office, etc.) to make corrections to the original data sent to InheriNext. Once corrected, the User can resubmit the data. Individuals can request rectification via the User that uploaded data to the InheriNext platform as a Data Controller.
- Right to Object Processing. At any time, Users can have the informed consent revoked, requiring the Personal Data associated with the informed consent to be removed from the InheriNext database subject to our data retention policy (see below). Individuals can object to processing via the User that uploaded data to the InheriNext platform as a Data Controller.
- Right to Restrict Processing. There is no data processing supported on the submitted data other than the processing necessary for the return of a genetic health report. Data is not available for any secondary use through InheriNext.
- Right to Data Portability. Users can download all submitted data for their review in the format originally submitted. Genetic data generated by the Company is available in a standard textual file format (vcf). Users can also view, edit, or delete their submitted and/or genetic data at any time. Individuals can request a copy of their data via the User that uploaded data to the InheriNext platform as a Data Controller.
- Right to be Forgotten (Erasure). At any time, Users can delete their account, and all Individual Data and Personal Data will be permanently removed, or purged, from our database subject to our data retention policy (see below). Individuals can request deletion of their Individual Data via the User that uploaded these data to the InheriNext platform as a Data Controller. User Data describing a business account is retained.
- Right in Relation to Automated Decision Making and Profiling. No automated decision making or profiling is performed by the Company.
To file a complaint or make an inquiry about your data privacy rights, please send an email to [email protected]. For any other inquiries, please email [email protected]. The Company will respond via email within two (2) business days.
Data Retention
- Individual Data is deleted from the backend within 14 days of a User requesting deletion.
- Personal Data is deleted from the backend within 14 days of a User requesting deletion.
- Any derived AI models that have been completed prior to the User/Individual revoking consent will not be affected by the decision to purge data or revoke consent and will be retained in the models.
- Individual Data and Personal Data will be removed from data back-ups within thirty (30) business days.
- User Data is retained to maintain the validity of the business records of the Company.
Users may choose to publish manuscripts consistent with the informed consent of the Individuals whose data is published. Once published, such data is retained permanently.
Third-Party Tools and Business Services
- Data hosting. The Company uses Google Cloud Platform (GCP) and Amazon Web Services (AWS) as our cloud solutions providers. The Company uses various GCP and AWS data centers with the aim of providing optimal Member experience. The Company ensures that all data is protected with appropriate safeguards in accordance with applicable privacy laws. We use data protection agreements with our data hosting provider(s) to confirm compliance with applicable data protection and data privacy laws.
- Business Services. Business partners and subcontractors may access User Data in fulfillment of their contracted business services. This is inclusive of promotional and/or marketing events.
- Compliance. There may be a need to share User Data with regulators, data protection authorities, and/or enforcement agencies – as compelled by regulation or law.
- Legal and Financial Services. User Data may be shared during the course of the Company’s operations to support said operations.
Security & Privacy Measures
The Company takes the security and privacy of all data very seriously. The Company uses technical, physical, and administrative controls designed to protect Personal Data and Individual Data from unauthorized access or disclosure and to regulate the appropriate use of this information. User Data is also secured and protected for all clients of the Company.
Data is segregated and encrypted in such a way that it reduces the risk of anyone trying to compromise Individual or Personal Data. The Company leverages what it believes to be best-in-class compliant infrastructure in all processes including data storage and processing. Compliance with the General Data Protection Regulation (GDPR) is characterized through data protection impact assessments (DPIAs) on an as-needed basis. Compliance with other data protection regulations is addressed in a manner consistent with each law and each jurisdiction.
Contact Information
For any questions about our Privacy Policy, contact us at:
Compass Bioinformatics Inc
Attention: Data Protection Officer
Email: [email protected]
Changes to this Privacy Policy
The Company cannot foresee all the potential applications of the data we collect, particularly in a rapidly developing field such as genomics and medical research. Therefore, the Company reserves the right to update this Privacy Policy from time to time. Before implementing any changes that involve the Company’s use of your Individual Data and/or Personal Data, the Company will first notify Users of the proposed changes at least 30 days before their effectiveness to provide Users with the opportunity to inform potentially affected individuals to potentially revoke their consent, purge some or all of the Individual Data or Personal Data, or even delete altogether if the revised terms depart from the Users’ data controller obligations. If Users do not take one of these actions after receiving notice of those proposed changes, to the maximum extent permitted by applicable law, Users agree that they will be bound by the updated terms when they become effective.
The Company reserves the right to update this Privacy Policy as it applies to Personal Data only from time to time without advance notice. When these changes are made, the Company will make a new copy of this Privacy Policy available on its website. Such changes will not apply retroactively but may be effective immediately on being made available on our website. Users acknowledge and agree that if Users use any of our services covered by this Privacy Policy after the effective date of the change, to the maximum extent permitted by applicable law, they agree that they will be bound by the updated terms.
You are responsible for ensuring that your contact information (i.e., User Data) remains up to date and valid.