Privacy Policy

Last updated: May 25, 2018

Invitae Corporation, including its subsidiaries (referred to collectively as “Invitae,” “we” or “us”) is committed to protecting your privacy. To ensure transparency, this Privacy Policy (this “Policy”) describes how we collect, use, secure and share your personal information when you access or use our websites, including without limitation www.invitae.com, www.invitae.com/en/common/signup/ (our “Physician Portal”), www.invitae.com/en/patients/signup/ (our “Patient Portal”), www.combimatrix.com, www.goodstartgenetics.com, www.pin.invitae.com and www.cagene.com (referred to collectively as our “Websites”), and when you transmit information to us electronically or in hard copy in relation to our genetic testing and related services, Patient Insights Network (PIN), the Invitae Family History Tool, CancerGene Connect, or any other of our products or services (referred to collectively as our “Services”).

This Privacy Policy is in addition to and does not replace our Notice of Privacy Practices, which explains how we handle personally-identifiable health information.

1. ACCEPTANCE

Before using our Services, please read the Invitae Terms of Use, or to the extent you are participating in Invitae’s Patient Insights Network (“PIN”), the Invitae PIN Data Portal Terms of Use, or using CancerGene Connect, the CancerGene Connect Terms of Use. By accepting the applicable Terms of Use, you agree with our privacy practices as described in this Policy. If you do not agree with the terms of this Policy, please do not access or use our Websites or use our Services.

2. Policy Updates

Invitae may revise this Policy from time to time. All updates to this Policy will be posted on this web page. If we make any material changes we will notify you by email (sent to the e-mail address specified in your account) or by means of a notice on our Websites prior to the change becoming effective. Your continued use of our Websites after we have posted a notice on the website constitutes your acceptance of such changes.

Invitae may provide additional "just-in-time" disclosures or additional information about the data collection, use and sharing practices of specific Services. These notices may supplement or clarify Invitae’s privacy practices or may provide you with additional choices about how Invitae processes your information. If you have any questions, please contact us at privacy@invitae.com.

3. Types of information we collect

Throughout this Policy we use the term “personal information” to describe data that identifies you or makes you identifiable. The definition of personal information depends on the applicable law based on your physical location and may include other types of information such as your IP address. Only the definition that applies to your physical location will apply to you under this Policy.

This Policy covers all personal information that you voluntarily submit to us. This Policy does not apply to anonymized data as it cannot be used to identify you, such as aggregated data. Except as described in this Policy, Invitae will not give, sell, rent or loan any personal information to any third party.

We may collect the following types of information:

  • Information you provide voluntarily. We collect any personal information that you voluntarily provide to us, such as your inquiries through our website, information you provide about your business, suggestions for improvements, referrals, survey responses, or any other actions performed by you on our Services (such as, information you submit to the Patient Insights Network).
     
  • Communications between you and Invitae. We collect personal information you submit when contacting us (such as your name, contact information and any other information you choose to submit). We collect any communications between us, including any files or attachments we exchange. For example, we may send you Service-related emails (e.g., account verification, changes/updates to features of our Services, technical and security notices).
     
  • Registration information. When you register through our Patient Portal or purchase or use our Services, we collect personal information, such as your name, date of birth, billing and shipping address, and contact information (e.g., email, phone number). This information is combined with other personal information and protected health information that you provide to websites to give you access to your test results, permit you to sign any outstanding consent forms, check the status of your orders, pay your bills, and schedule appointments with a genetic counselor through our Patient Portal.

    Our Physician Portal is only for the use of physicians and their authorized representatives as stated in the Terms and Conditions of Use for our Physician Portal. In registering for our Physician Portal, physicians provide name, phone, address, and occupation. Our Physician Portal is used for the storage and transmission of protected health information between Invitae and physicians and their authorized representatives. Protected health information is used in accordance with the Health Information Portability and Accountability Act (HIPAA) and applicable laws governing patient privacy. Protected health information available on our Physician Portal may only be used or disclosed for treatment and other authorized purposes as stated in the Notice of Privacy Practices.
     
  • Payment information. When you place an order with us or engage in transactions via our Services, we collect your payment information through our Websites (such as payment card, billing, and shipping information in addition to your contact information).
     
  • Job application information. If you apply for a position with Invitae through our Careers Page we will collect your resume, contact information, employment and education history, and other related information. We may also receive information from references you identify and other third parties (for instance background checks).
     
  • Device information. When you use a mobile device (e.g., a tablet or smartphone) to access our Services, we may collect information about your device. We may collect information about your device’s hardware, operating system or software, device name, unique device identifier, your mobile network information and any other information about your device’s interaction with our Services. Some features of the Services may not function properly if use or availability of device identifiers is impaired or disabled.
     
  • Information about your use of the Services. When you browse our Websites, our system automatically collects information such as your web request, Internet Protocol (“IP”) address, browser type, browser language, domain names, referring and exit pages and URLs, platform type, pages viewed and the order of these page views, the amount of time spent on particular pages, the date and time of your request and one or more cookies that may uniquely identify your browser. We may collect this information through third-party analytics tools. This information is used to analyze trends, administer our Websites, improve the design of our Websites, and otherwise enhance our Services.
     
  • Cookies. We use technologies like cookies, web beacons and pixel tags to gather information about how you are interacting with our Services, which may include identifying your IP address, browser type, and referring page. For more information on cookies, please see our Cookie Policy.
     
  • Aggregate Website data collection. Our servers automatically record information created by your use of our Websites and we use visitor logs to compile anonymous aggregate statistics. This aggregate information is collected sitewide and includes anonymous website statistics.

4. Children's Information

Our Websites are directed toward adults and are not designed for, intended to attract, or directed toward children under the age of 16. If you are under the age of 16, you must obtain the authorization of a responsible adult (parent or legal guardian) before using or accessing our Websites. If we become aware that we have collected any personal information from children under 16, we will promptly remove such information from our databases.

5. How we use personal information

Your personal information may be used for the following purposes:

  1. to provide our Services to you. We process your personal information to provide you with our Services that you request. We share this information with third-party services upon your request, or our service providers or partners to the extent necessary to provide you with our Services. We cannot provide you with our Services without processing your personal information.
     
  2. to inform you about research opportunities and clinical trials. If you are a healthcare provider or patient ordering our Services, we may contact you about research opportunities, clinical trials, or clinical treatments for you or your patients when appropriate.
     
  3. to allow you to share personal information for research purposes. You have the choice to participate in Invitae’s PIN, an online platform for collecting health information from patients around the world, by providing your consent. As an Invitae PIN participant, you can take health surveys, upload medical records and learn about the latest research and clinical trials.
     
  4. to contact you about our Services. When you sign up for our Services, we will send you administrative or account-related information to keep you updated about our Services. As service-related communications are not promotional in nature, you are not able to unsubscribe from such communications; otherwise you may miss important developments relating to your account or our Services that could affect your use of our Services.
     
  5. to respond to your inquiries and provide customer service. When you contact us, such as with questions, concerns, feedback, disputes or issues, we process your information. Without your personal information, we cannot respond to you or ensure your continued use and enjoyment of our Services.
     
  6. to enforce our terms, agreements or policies. We process your personal information to actively monitor, investigate, prevent and mitigate any alleged or actual prohibited, illicit or illegal activities on our Services; investigate, prevent, or mitigate violations of our terms, agreements or policies; enforce our agreements with third parties and partners. We cannot perform our Services in accordance with our terms, agreements or policies without processing your personal information for such purposes.
     
  7. to ensure the security of the Services. We process your personal information to combat spam, malware, malicious activities or security risks; improve and enforce our security measures; and to monitor and verify your identity so that unauthorized users do not access your account with us. We cannot ensure the security of our Services if we do not process your personal information for security purposes. 
     
  8. to maintain legal and regulatory compliance. Certain laws or regulations apply to our Services that may require us to process your personal information. For example, we process your personal information to fulfill our business obligations, ensure compliance with employment and recruitment laws, or as necessary to manage risk as required under applicable law. Without processing your personal information for such purposes, we cannot perform our Services in accordance with our legal and regulatory requirements.
     
  9. to personalize your experience on our Websites. We use cookies and similar tracking technology to personalize your experience on our Websites – please see our Cookie Policy for more information. By personalizing our Services, you get to enjoy our Services even more because we keep track of your preferences (e.g., your language selection, your time zone, etc.). Without processing your personal information for such purposes, you may not be able to access or personalize part or all of our Services.
     
  10. to conduct research and development. To continue to provide you with our innovative Services, we may collect information about the way you use and interact with our Services for research and development purposes. Research and development help us improve our Services and build new Services and customized features or Services. We take additional security measures when processing your personal information for such purposes, by de-identifying or pseudonymizing your information, limiting access to personnel that may conduct research and development, and applying other technical, physical, and administrative security measures. Without processing your personal information for such purposes, we cannot guarantee your continued enjoyment of part or all of our Services.
     
  11. to engage in marketing activities. We want to share information about our Services with you, and to do so we may process your contact information or information about your interactions with our Services to send you marketing communications; provide you with information about events, webinars, or other materials; deliver targeted marketing to you (please see our Cookie Policy for more information about interest-based advertising); and, keep you updated about our Services. You can opt-out of our marketing activities at any time and free of charge.

If, in the future, we use your personal information in any way that is not described in this Policy, we will disclose this to you. At that time, you can choose not to allow us to use your personal information for any purpose that is incompatible with the purposes for which we originally collected it or subsequently obtained your consent. If you choose to limit the ways we can use your personal information, some or all of our Services may not be available to you.

6. Information we share

Invitae may disclose your personal information as described below.

  1. Our service providers, vendors, and others. We may share your personal information with our service providers, business partners or third-party organizations that help us provide our Services to you. Such entities will be given access to your information as is reasonably necessary to provide our Services under contractual obligations at least as protective as this Policy. We require our agents, vendors and service providers to limit their use of information but do not otherwise guarantee that any entity receiving such information in connection with one of these transactions will abide by this Policy. Agents, vendors and service providers who may have access to protected health information are contractually obligated to protect the privacy and security of such information. 
     
  2. Affiliated businesses. We may share your personal information with group companies and affiliates. Affiliated businesses may use your information to help provide, understand, and improve our Services and the affiliates’ own services.
     
  3. Change of control. We may share your personal information with a subsequent owner, co-owner, or operator of our Services, or in connection with a corporate merger, consolidation, or restructuring; financing, acquisition, divestiture, or dissolution of all or some portion of our business; or other corporate change. We will notify you of any choices you may have regarding your information.
     
  4. Safety and legal compliance. We may share your personal information if we believe that such disclosure is necessary to comply with any applicable laws, regulations, legal processes or requests by public authorities (e.g., law enforcement, tax authorities, etc.); protect you, us or our other users’ rights or property, or to protect our Services; comply or enforce our terms, agreements or policies. 
     
  5. Your consent or actions. We will share personal information with companies or individuals when we have your consent to do so. Also, any information or content that you voluntarily disclose for posting to our Services, such as blog comments or social media posts on our social media profiles, become available to the public.
     
  6. Anonymous or aggregate data. We may share anonymized or aggregated information with any third parties. Such information no longer reasonably identifies you.

7. USE AND DISCLOSURE OF DE-IDENTIFIED INFORMATION

“De-identified” information is data we have stripped of your personally-identifiable information, such as your name, address, or birthdate. We may use de-identified information that we have obtained from our Services for various purposes, including for example:

  1. For quality control & validation:
    • In accordance with regulatory requirements, we may de-identify, store and use patients’ samples and information for internal quality control, validation, and research and development. This is important for Invitae to maintain high-quality genetic testing and to develop new genetic tests.
    • In accordance with regulatory requirements, we may also share de-identified patients’ samples and information with other laboratories for quality assurance and validation purposes. Such sharing is essential to having high-quality genetic testing within the community of testing laboratories.
       
  2. For research purposes:
    • We may contribute de-identified genetic variants that we have observed in the course of providing our Services to publicly available databases such as ClinVar. We do this to increase understanding and raise awareness of the significance of genetic variants within the medical and scientific communities.
    • We may use or disclose de-identified patient information for general research purposes. This may include research collaborations with third parties, such as universities, hospitals or other laboratories, in which we utilize de-identified clinical cases, at the individual level or in the aggregate, in accordance with our study protocols, and we may present or publish such information. This may also include commercial collaborations with private companies for purposes such as to determine the prevalence of particular disorders or variants among the patients we have tested, or to determine whether any of the patients we have tested might be suitable for potential recruitment for research, clinical trials, or clinical care; however, we will not directly contact these patients about these opportunities without their prior written consent.
    • We may disclose de-identified PIN information to registrants of the PIN website and to third parties as permitted by law.

To the extent we have relied on your consent to process such de-identified data in relation to the above, you may withdraw your consent to participate at any time by submitting a request to privacy@invitae.com. Invitae will not include your de-identified information in new research occurring after 30 days from the receipt of your request. Any research involving your data that has already been performed or published prior to our receipt of your request will not be reversed, undone, or withdrawn.

8. Third-party information

You agree that you have provided notice to, and obtained consent from, any third party individuals whose personal information you supply to us, including with regard to (a) the purposes for which such third party’s personal information has been collected; (b) the intended recipients or categories of recipients of the third party’s personal information; (c) which of the third party’s information is obligatory and which information, if any, is voluntary; and (d) how the third party can access and, if necessary, rectify the information held about them.

9. Linked websites

Our Websites may contain links to external websites. Invitae does not maintain these sites and is not responsible for the privacy practices of sites that it does not operate. Please refer to the specific privacy policies posted on these sites.

10. Information access, updates, and choice

You can update, amend or delete your account information and preferences at any time by visiting the My Account page after logging in. You may withdraw information you have submitted to the PIN database at any time by contacting the PIN coordinator at coordinator@pin.invitae.com; this will deactivate your account and the personally identifiable information in your profile will be removed.

Invitae email correspondence will include instructions on how to update certain personal information and how to unsubscribe from our emails and postal mail correspondence. Please follow the instructions in the emails to notify Invitae of changes to your name, email address, and preference information. Invitae will take reasonable steps, such as confirmation emails, to verify your identity before granting access to your personal information.

For individuals residing in the European Economic Area (EEA), Switzerland or the United Kingdom (collectively, the “Designated Countries”) at the time of data collection, please refer to Section 14 below.

11. Retention 

We store your personal information for as long as we need it to provide you our Services, to serve the purpose(s) for which your personal information was processed, or as necessary to comply with our legal obligations, resolve disputes, or enforce our agreements to the extent permitted by law. While retention requirements can vary by country, we generally apply the retention periods noted below.

We store information used for marketing purposes indefinitely until you unsubscribe. Once you unsubscribe from marketing communications, we add your contact information to our suppression list to ensure we respect your unsubscribe request. Also, we retain any information collected via cookies, clear gifs, flash cookies, webpage counters and other technical or analytics tools up to one year from expiry of the cookie or the date of collection. If you have any questions about our retention periods, please feel free to contact us.

12. Security measures

We use reasonable technical, administrative and physical measures to protect information contained in our system against misuse, loss or alteration. Information that you provide through our Websites is encrypted using industry-standard Secure Sockets Layer (SSL) technology, with the exception of information you send via email. Your information is processed and stored on controlled servers with restricted access. Unfortunately, no method of electronic transmission is 100% secure, so we cannot ensure or warrant the security of any information you transmit to our Websites, and you do so at your own risk.

Please recognize that protecting your personal information is also your responsibility. You should keep your username, password, ID numbers, or other access credentials secure as Invitae cannot secure personal information that you release on your own or that you request us to release. If we receive instructions using your log-in information we will consider that you have authorized the instructions.

13. International transfers of personal information

We may store, process and transmit personal information in locations around the world, including locations outside of the country or jurisdiction where you are located. Such countries or jurisdictions may have data protection laws that are less protective than the laws of the jurisdiction in which you reside. If you do not want your information transferred to or processed or maintained outside of the country or jurisdiction where you are located, you should not use our Services.

We transfer your personal information subject to appropriate safeguards as permitted under the applicable data protection laws. Specifically, when your personal information is transferred out of the Designated Countries, we have the required contractual provisions for transferring personal information in place with the third parties to which your information is transferred. For such transfers, we rely on legal transfer mechanisms such as Binding Corporate Rules, Standard Contractual Clauses, or we work with US-based third parties that are certified under the EU-US and Swiss-US Privacy Shield Framework.

14. NOTICE TO INDIVIDUALS LOCATED IN THE ECONOMIC EUROPEAN UNION OR SWITZERLAND

This Section only applies to users of our Services that are located in the European Economic Area, United Kingdom or Switzerland (collectively, the “Designated Countries”) at the time of data collection. We may ask you to identify which country you are located in when you use some of our Services, or we may rely on your IP address to identify which country you are located in.

Where we rely only on your IP address, we cannot apply the terms of this Section to any User or Customer that masks or otherwise obfuscates their location information so as not to appear located in the Designated Countries. If any terms in this Section conflict with other terms contained in this Policy, the terms in this Section shall apply to users in the Designated Countries.

Our relationship to you. A “data controller” is an entity that determines the purposes for which and the manner in which any personal information is processed. Any third parties that act as our service providers are “data processors” that handle your personal information in accordance with our instructions. In relation to the Patient Insights Network, we host the PIN platform at the direction of the PIN participants, and as such are a processor. In relation to our Physician Portal (or any similar portal hosted by an Invitae-owned company), Invitae is a controller in relation to the information that a physician enters directly into the website about him or herself. To the extent a user enters personal information on our Websites to pay for, use or obtain further information about our Services, Invitae is a controller.

Lawful basis for processing your personal information. We describe our processing activities in Section 5 (“How We Use Personal Information”), Section 6 (“Information We Share”) and Section 7 (“Use and Disclosure of De-identified Information”). Below is a chart indicating the legal bases we rely on in processing personal information.

Section: 5(1), 5(4), 5(5), 5(6), 5(7), 6(1), 6(2)
Purposes of processing:
  • to provide our services to you
  • to send service-related communications
  • to provide customer support
  • to enforce our terms, agreements, or policies
  • to ensure the security of our services
  • our service providers, business partners and others
  • disclosure to affiliated businesses
Legal basis for processing: Processing is based on our contractual obligations under the Terms of Service, or to take steps at the request of the individual prior to entering into a contract.

Section: 5(2), 5(9), 5(10), 6(3)
Purposes of processing:
  • to inform you about research opportunities
  • to personalize your experience on our website
  • to conduct research and product development
  • change of control
Legal basis for processing: Processing is based on our legitimate interest to better understand you, to maintain and improve the accuracy of the information we store about you, and to better promote or optimize our Services.

Section: 5(6), 5(7), 5(6), 6(4)
Purposes of processing:
  • to ensure the security of our services
  • to maintain legal or regulatory compliance
  • responding to legal requests and preventing harm
  • safety and legal compliance
Legal basis for processing: Processing is necessary for compliance with our legal obligations, the public interest, or in your vital interests.

Section: 5(3), 7(1), 7(2)
Purposes of processing:
  • to allow you to share personal information for research purposes
  • for quality control & validation
  • for research purposes
Legal basis for processing: Processing is based on your consent, as required under applicable law. In relation to 7(i) and 7(ii), to the extent the de-identified data is anonymized, it is not considered personal data and falls outside the General Data Protection Regulations (GDPR).

Marketing activities. Direct marketing includes any communications we send to you that are only based on advertising or promoting products and services. Transactional communications about your account or our Services are not considered “direct marketing” communications. We will only contact Users or Customers by electronic means (including email or SMS) based on our legitimate interest or their consent. When we rely on legitimate interest, we will only send you information about our Services that are similar to those which were the subject of a previous sale or negotiations of a sale to you. If you do not want us to use your personal information in this way, please click an unsubscribe link in your emails, or contact us at privacy@invitae.com. You can object to direct marketing at any time and free of charge.

Individual rights. We provide you with the rights described below when you use our Services. When we receive an individual rights request from you, please make sure you are ready to verify your identity. Please be advised that there are limitations to your individual rights. We may limit your individual rights in the following ways: (i) where denial of access is required or authorized by law; (ii) when granting access would have a negative impact on others' privacy; (iii) to protect our rights and properties; and (iv) where the request is frivolous or burdensome. If you have questions or would like to exercise your rights under the applicable law, please contact us at privacy@invitae.com.

  • Right to withdraw consent. If we rely on consent to process your personal information, you have the right to withdraw your consent at any time. A withdrawal of consent will not affect the lawfulness of our processing or the processing of any third parties based on consent before your withdrawal.
     
  • Right of access and rectification. If you request a copy of your personal information that we hold, we will provide you with a copy without undue delay and free of charge, except where we are permitted by law to charge a fee. We may limit your access if such access would adversely affect the rights and freedoms of other individuals. You may request to correct or update any of your personal information held by us, unless you can already do so directly via the Services.
     
  • Right to erasure (the “right to be forgotten”). You may request us to erase any of your personal information held by us that: is no longer necessary in relation to the purposes for which it was collected or otherwise processed; was collected in relation to processing that you previously consented to, but later withdrew such consent; or was collected in relation to processing activities to which you object, and there are no overriding legitimate grounds for our processing.
     
  • Right to object to processing. You may object to our processing at any time and as permitted by applicable law if we process your personal information on the legal basis of consent, contract or legitimate interests. We can continue to process your personal information if it is necessary for the defense of legal claims, or for any other exceptions permitted by applicable law.
     
  • Right to restriction. You have the right to restrict our processing of your personal information where one of the following applies:
    • You contest the accuracy of your personal information that we processed. We will restrict the processing of your personal information, which may result in an interruption of some or all of the Services, during the period necessary for us to verify the accuracy of your personal information.
    • The processing is unlawful and you oppose the erasure of your personal information and request the restriction of its use instead.
    • We no longer need your personal information for the purposes of the processing, but it is required by you for the establishment, exercise or defense of legal claims.
    • You have objected to processing, pending the verification whether the legitimate grounds of our processing override your rights.

    We will only process your restricted personal information with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest. We will inform you if or when the restriction is lifted.

  • Right to data portability. If we process your personal information based on a contract with you or based on your consent, or the processing is carried out by automated means, you may request to receive your personal information in a structured, commonly used and machine-readable format, and to have us transfer your personal information directly to another “controller”, where technically feasible, unless exercise of this right adversely affects the rights and freedoms of others. 
     
  • Notification to third-parties. If we share your personal information with third parties, we will notify them of any requests for rectification, erasure or restriction of your personal information, unless this proves impossible or involves disproportionate effort.
     
  • Right to lodge a complaint. If you believe we have infringed or violated your privacy rights, please contact us at privacy@invitae.com so that we can work to resolve your concerns. You also have a right to lodge a complaint with a competent supervisory authority situated in a Member State of your habitual residence, place of work, or place of alleged infringement.

CONTACTING US

Our Websites are owned and operated by Invitae. If you have any questions about this Policy or our Services, you can contact us at privacy@invitae.com, by using the Contact Us page, or by regular mail at Invitae Corporation, 1400 16th St., San Francisco, California 94103.