Invitae Privacy Policy

This Policy is not a contract and does not create any contractual rights or obligations. Your use of the Services is governed by the Invitae Terms of Use or other terms of use or contract linked to a particular Service.

Invitae may revise this Policy from time to time. All updates to this Policy will be posted on the Websites. An updated Policy will supersede all previous versions. If we make any material changes to this Policy, we will notify you by email (sent to the e-mail address specified in your account) in addition to posting an updated Policy on our Websites. Your continued use of our Services after we have posted the updated Policy on the Websites constitutes your acceptance of such changes. Invitae may also provide additional "just-in-time" notices or information about its data collection, use, and sharing practices in relation to specific Services.

This section lists the general categories of personal information we collect for the Services. See the Product Specific Policies section to learn more details for specific Invitae products or services.

Throughout this Policy we use the term “personal information” to describe any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to a particular person or household. Personal information includes, for example, PHI under HIPAA and personal data under the EU’s General Data Protection Regulation. This Policy covers all personal information that we collect from you or on your behalf through our Services.

We may collect the following types of personal information:

• Personal information provided by you or your clinician. We collect any personal information that you voluntarily provide to us, such as health information you provide to us or your clinician, or that your clinician provides to us either directly or via health information exchanges, to facilitate our provision of Services. If you are an ordering clinician, we may collect your name, phone number, place of business and other contact information you provide when ordering a test.
• Communications between you and Invitae. We collect personal information you submit when contacting us (such as your name and email address).
• Clinical information. From time to time, we collect additional medical records from your treating providers to support our delivery of genetic testing services.
• Registration information. When you register with Invitae or create a user account to access our Services, we collect personal information, such as your name, date of birth, billing and shipping addresses, and contact information. We may use your registration information to provide Services to you.
• Payment information. When you place an order that requires payment via our Services, we collect your payment information (such as payment card, billing, and shipping information, and your contact information).
• Device information. When you use a mobile device (e.g., a tablet or smartphone) to access our Services, we may collect information about your device. We may collect information about your device’s hardware, operating system or software, device name, unique device identifier, your mobile network information, and any other information about your device’s interaction with our Services. Some features of the Services may not function properly if the use or availability of device identifiers is impaired or disabled.
• Information about your use of the Services. When you browse our Websites, our system automatically collects information such as your web request, Internet Protocol (“IP”) address, browser type, browser language, domain names, referring and exit pages and URLs, platform type, pages viewed and the order of these page views, the amount of time spent on a page, the date and time of your request and one or more cookies that may uniquely identify your browser. We may collect this information through third-party analytics tools. This information is used to analyze trends, administer our Websites, improve the design of our Websites, and otherwise enhance our Services.
• Cookies. We use technologies like cookies, web beacons, and pixel tags to gather information about how you are interacting with our Services, which may include identifying your IP address, browser type, and referring page. For more information on cookies, please see our Cookie Policy.

Our Websites are directed toward adults and are not designed for, intended to attract, or directed toward children under the age of 16. If you are under the age of 16, you must obtain the authorization of a responsible adult (parent or legal guardian) before using or accessing our Websites. If we become aware that we have collected any personal information from children under 16 without the authorization of a responsible adult, we will promptly remove such information from our databases.

This section lists the general ways Invitae uses and shares your personal information we collect for the Services. See the Product Specific Policies section to learn more details for specific Invitae products or services.

• Provide Services. We process your personal information to provide you with our Services. We share this information with third party service providers to the extent necessary to provide you with our Services.
• Maintain legal and regulatory compliance. Certain laws or regulations apply to our Services that may require us to process your personal information. For example, we may process your personal information to fulfill our business obligations, ensure compliance with employment laws, or as necessary to manage risk as required under applicable law.
• Ensure the security of the Services. We may process your personal information to combat spam, malware, malicious activities, or security risks; improve and enforce our security measures; and to monitor and verify your identity so that unauthorized users do not access your account with us.
• Personalize your experience on our Websites. We may use cookies and similar tracking technology to keep track of your preferences (e.g., your language selection, time zones, etc.) so we can personalize your experience on our Websites. Please see our Cookie Policy for more information.
• Sale, Merger, or Bankruptcy. In connection with a bankruptcy, merger, acquisition or sale or other business transaction, involving all or a portion of our assets or business, user information will also be transferred as part of or in connection with the transaction.
• Affiliates. Invitae will share your personal information with our affiliates as necessary to provide the Services or with your consent where required by applicable law.
• Text Messages. You may opt-in to receive occasional text messages from Invitae to receive updates on our Services. Message frequency will vary. You agree that by providing your mobile phone number and opting in to receive text messages, you expressly consent to receive automated text messages from us to the mobile phone number you provide. Consent to receiving text messages is not required to be an Invitae user. Message and data rates may apply, and you should check the rates of your mobile carrier. Your mobile carrier is not liable for delayed or undelivered messages. You can opt out of receiving text messages by texting STOP in response to any text message. You can also text HELP and we will respond with instructions on how to opt out of or sign up for text messages from Invitae. Invitae is located in the United States, so international rates may apply depending on your location. We share your mobile phone number with service providers with whom we contract to send you automated text messages, but we will not share your mobile phone number with third parties for their own marketing purposes without your express consent. Contact us at clientservices@invitae.com if you have any questions about our text message program.

Because genetic testing is still an evolving science, we may store personal information provided to us in the context of performing genetic tests and delivering genetic testing services for as long as we need it to provide and improve our Services and to perform the activities described in this Policy, all to the extent permitted by law. This information remains subject to the protections of HIPPA, and the commitments in this Privacy Policy, for as long as we retain it.

We use reasonable technical, administrative, and physical measures to protect information contained in our system against misuse, loss or alteration; and to secure information that we receive through our Services.

Please recognize that protecting your personal information is also your responsibility. You should keep your username, password, ID numbers, or other access credentials secure as Invitae cannot secure personal information that you release on your own.

We may store, process, and transmit personal information in locations around the world, including locations outside of the country or jurisdiction where you are located. Our primary data processing activities occur within the United States. The United States and other countries where we process data may have data protection laws that are less protective than the laws of the jurisdiction in which you reside. If you do not want your information transferred to or processed or maintained outside of the country or jurisdiction where you are located, you should not use our Services.

We transfer your personal information subject to appropriate safeguards as permitted under the applicable data protection laws.

This Section only applies to users of our Services located in the European Economic Area, the United Kingdom or Switzerland (collectively, the “Designated Countries”) at the time of data collection. If any terms in this Section conflict with other terms contained in this Policy, the terms in this Section shall apply to users in the Designated Countries. Lawful basis for processing your personal information. Below is a summary of our data processing activities and our lawful bases for processing data.

Marketing activities. Direct marketing includes any communications we send to you that are only advertising or promoting products and services. Transactional communications about your account or our Services are not considered “direct marketing” communications. We will only send you direct marketing communications by electronic means (including email or SMS) based on our legitimate interest or your consent. When we rely on legitimate interest, we will only send you information about our Services that are similar to those which were the subject of a previous sale or negotiations of a sale to you. If you do not want us to use your personal information in this way, please click an unsubscribe link in your emails, or contact us at clientservices@invitae.com. You can object to direct marketing at any time and free of charge.

Individual rights. We provide you with the rights described below when you use our Services. When we receive an individual rights request from you, please make sure you are ready to verify your identity. Please be advised that there are limitations to your individual rights. We may limit your individual rights in the following ways: (i) where denial of access is required or authorized by law; (ii) when granting access would have a negative impact on other's privacy; (iii) to protect our rights and properties; and (iv) where the request is frivolous or burdensome. If you have questions, if you would like to exercise your rights under the applicable law please contact us at clientservices@invitae.com.

• Right to withdraw consent. If we, or any third parties to which we provide your personal information, rely on your consent to process your personal information, you have the right to withdraw your consent at any time. A withdrawal of consent will not affect the lawfulness of our processing or the processing by any third parties made before your withdrawal. In addition, your withdrawal of consent may not limit our, or the third parties’ further processing of personal information on another lawful basis, including where it is necessary for the performance of a contract; for us to comply with our legal obligations; where it protects your vital interests; or in limited circumstances where it is in our legitimate interests.
• Right of access and rectification. If you request a copy of your personal information that we hold, we will provide you with a copy without undue delay and free of charge, except where we are permitted by law to charge a fee. We may limit your access if such access would adversely affect the rights and freedoms of other individuals. You may request to correct or update any of your personal information held by us.
• Right to erasure (the “right to be forgotten”). You may request us to erase any of your personal information held by us that: is no longer necessary in relation to the purposes for which it was collected or otherwise processed; was collected in relation to processing that you previously consented to, but later withdrew such consent; or was collected in relation to processing activities to which you object, and there are no overriding legitimate grounds for our processing such as the conduct of scientific research or the establishment or defense of legal claims.
• Right to object to processing. You may object to our processing at any time and as permitted by applicable law if we process your personal information on the legal basis of consent, contract, or legitimate interests. We can continue to process your personal information if it is necessary for the defense of legal claims, or for any other exceptions permitted by applicable law.
• Right to restriction. You have the right to restrict our processing of your personal information where one of the following applies:
• You contest the accuracy of your personal information that is processed.We will restrict the processing of your personal information, which may result in an interruption of some or all of the Services, during the period necessary for us to verify the accuracy of your personal information.
• The processing is unlawful and you oppose the erasure of your personal information and request the restriction of its use instead.
• We no longer need your personal information for the purposes of the processing, but it is required by you to establish, exercise, or defend legal claims.
• You have objected to processing, pending the verification whether the legitimate grounds of our processing override your rights.
• We will only process your restricted personal information with your consent or for the establishment, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest. We will inform you if or when the restriction is lifted.

Right to data portability. If we process your personal information based on a contract with you or based on your consent, or the processing is carried out by automated means, you may request to receive your personal information in a structured, commonly used and machine-readable format, and to have us transfer your personal information directly to another data controller, where technically feasible, unless exercise of this right adversely affects the rights and freedoms of others.

Notification to third parties. If we share your personal information with third parties, we will notify them of any requests for rectification, erasure, or restriction of your personal information, unless this proves impossible or involves disproportionate effort.

Right to lodge a complaint. If you believe we have infringed or violated your privacy rights, please contact us at clientservices@invitae.com so that we can work to resolve your concerns. You also have a right to lodge a complaint with a competent supervisory authority situated in an EEA Member State of your habitual residence, place of work, or place of alleged infringement.

This Section only applies to users of our Services that reside in the State of California. For purposes of this Section, the term "personal information" does not include information subject to HIPAA or the California Confidentiality of Medical Information Act. For example, this Section does not apply to genetic test records or to any data or medical records stored by Invitae.

If you are a California Resident, you are entitled to certain privacy rights relating to your personal information. This section describes those rights and how you can exercise those rights.

• Right to Know and Access Personal Information. You have the right to access and know what personal information we collect about you, and how we use, disclose, or sell such personal information. We do not "share" personal information as that term is used in the California Consumer Privacy Act.
• Right to Request Deletion of your Personal Information. You have the right to request that we delete the personal information we have about you subject to certain limitations. If we do not delete your personal information for reasons permitted under applicable law, we will let you know the reason why.
• Right to Correct Inaccurate Personal Information. You have the right to request that we correct inaccurate personal information that we maintain about you.
• Right to Opt Out of Sale of your Personal Information. You may have the right to opt out of the sale or sharing of your Personal Data.
  
  Non-Discrimination

We will not discriminate or retaliate against you for exercising any of your rights identified in this privacy policy.

Methods for Submitting Requests. If you wish to exercise any of these rights please email clientservices@invitae.com with the phrase “California Privacy Rights” in the subject line. You may also send a letter to us at Invitae Corporation, Attn: Chief Privacy Officer, 1400 16th St., San Francisco, California 94103, call us toll-free at 800-436-3037. We will review your request and respond accordingly.

If you are a California ordering clinician and would like to exercise your right to opt out of the sale of your personal information please log in to your portal account, fill out the form located here, or use one of the methods described above.

Identity Verification for requests. If you make a request related to personal information about you, you will be required to supply a valid means of identification as a security precaution. We will verify your identity with a reasonably high degree of certainty using the following procedure where feasible: we will match identifying information you provide when making the request to the personal information maintained by us, or use a third-party identity verification service. If it is necessary to collect additional information, we will use the information only for verification purposes and will delete it as soon as practicable after complying with your request. For requests related to particularly sensitive information, we may require additional proof of your identity.

Authorizing a Third Party to Make a Request. If you wish to authorize a third party to make a request on your behalf through an authorized agent, you must contact us directly and you or the third party acting on your behalf must provide a valid California power of attorney or comparable documentation of written permission from you and verification of your identity. Such power of attorney must meet the requirements of Probate Code sections 4000 to 4465. You may also make a privacy request on behalf of your minor child.

Additional disclosures
How We Collect Your Personal Information

We may have collected personal information about you from a variety of sources in the past 12 months:

• From You: When you set up your account or interact with us regarding your account, for billing and payment, for when you start, receive, or discontinue services, and when you otherwise interact with us or our representatives.
• From Providers: We work with and receive personal information from third parties such as service providers, vendors, contractors, credit agencies, or market researchers who provide products and services on our behalf.
• From Your Use of Our Website or Mobile Apps: We collect information about your visits and use of our website and mobile apps, including information through cookies and other logging technologies.

Categories of personal information we collect. In the previous 12 months, Invitae may have collected the following categories of personal information:

• Identifiers, such as your name, date of birth and contact information. We use this information to provide you with our services, maintain your account, operate our business, and to otherwise communicate with you. We may provide this information to service providers and contractors or to other third parties as required by law.
• Information Subject to Protection Under California Law, such as the Identifiers above, health insurance information, credit card number, or debit card number. We use this information to provide you with our services, maintain your account, and to otherwise communicate with you. We may provide this information to service providers, regulators or to other third parties as required by law.
• Characteristics of Protected Classifications, such as your racial or ethnic origin and health information. For more information, please see the "Sensitive personal information" description below.
• Sensitive Personal Information, such as your driver's license or government issued identification number, racial or ethnic origin.
• Payment Information. We or our service providers may collect your credit card or debit card information. We use this information to process payments for our services. We do not, however, collect or store payment card or bank information. Payments and purchases are processed through our service providers.
• Commercial Information, such as a record of products or services obtained or considered. We use this information to better understand your use of our services and for our internal business purposes. We may provide this information to service providers and contractors or to other third parties as required by law.
• Professional Information, including information relating to your role as a representative or agent of a company or business, such as your work title and contact information. We use this to conduct business with you or your employer and provide you with services and otherwise communicate with you. We may provide this information to service providers and contractors or with other third parties as required by law.
• Internet and Other Electronic Activity Information, such as your browsing history, search history, information about your interactions with our website, use our mobile apps, or interact with our digital advertisements. We may provide this information to service providers, contractors or to other third parties as required by law. We may collect the following internet and other electronic activity data:
• Your Visits to Our Website or Mobile Apps: we collect information about visits to our website and mobile apps, such as the number of visitors and the number of users that click on certain links or use certain services. For some functionalities, such as rate analysis, we link usage information with the customer visiting the website.
• Log Data: we receive information that is automatically recorded by our servers when you visit our website or mobile apps, including your Internet Protocol ("IP") Address.

Cookies: For more information about our use of Cookies, and your choices with respect to cookies, please read our Cookie Policy.

Purpose for collecting or selling personal information. Your personal information may be collected or used for the purposes described in sections 5, 12, or 13 of this Policy, as well as for other purposes that may be described to you when we collect your personal information.

Categories of third parties with whom we share your personal information. Invitae may share your personal information with the following categories of third parties:

• At Your Choice: You may authorize other companies or persons to receive your personal information.
• To Our Service Providers and Contractors: We may disclose your personal information to service providers and contractors that provide services and support to us. We contractually require service providers and contractors acting on our behalf to take reasonable steps to protect your personal information and to not use your personal information for any purpose other than that for which it was given to the service provider or contractor.
• To Third Parties to Fulfill Legal Obligations: From time to time, we may disclose your personal information with other parties as required pursuant to a valid legal warrant, subpoena, court order, or other legal or regulatory mandate, or as necessary for us to defend to assert legal claims.
• To Third-Party Analytics Companies. We use selected third parties to collect data about how you interact with our website and apps. This information may be used to, among other things, improve the functionality of our website and services.
• To Potential Business Partners. We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.
• To Other Parties: From time to time, we may share your personal information to parties such as law enforcement or other government agencies when we, in good faith, believe you or others are acting unlawfully, when we believe it is necessary or appropriate to satisfy any law, regulation or other governmental request, to operate our business properly, to protect or defend our rights or the rights or well-being of our users, and when we believe disclosure is necessary or appropriate to protect the health and safety of our employees, other consumers, and the general public.

Retention

We retain your personal information based on legal requirements or business needs. Generally, we only retain personal information for as long as is reasonably necessary for our business purpose or as required by law. Information we retain remains subject to the protections of applicable law and the commitments made by Invitae in this Privacy Policy.

Selling Personal Information

In the last 12 months we may have sold the personal information relating to clinicians who have ordered genetic tests from Invitae. We have not sold other personal information, including the PHI of patients, in the preceding 12 months for any monetary value. However, our use of certain website cookies may be considered a “sale” of information under California law. In the past twelve months, we may have shared your internet activity or geolocation with third parties whose cookies are on our websites. These cookies are used to analyze usage of our website, provide you with relevant advertising and products, and provide additional, dynamic functionality to our websites. You can opt-out of this “sale” of information by using our cookie management tool, available here. We also recognize opt-out preference signals contained in HTTP header fields.

Disclosing Aggregated and De-identified Data

We may share aggregated or de-identified, data and information derived from personal information with other entities for the purpose of performing activities that may help us provide and improve our products and services.

California Shine the Light Law

California residents may also request information from us once per calendar year about any personal information shared with third parties for the third party’s own direct marketing purposes, including the categories of information and the names and addresses of those businesses with which we have shared such information. To make such a request, please reach us at the contact information listed below. This request may be made no more than once per calendar year, and we reserve our right not to respond to requests submitted other than to the email or mailing addresses specified below.

Certain web browsers and other devices you may use to access the Websites may permit you to submit your preference that you do not wish to be “tracked” online. Like many websites, our Websites are not currently designed to recognize a “Do Not Track” signal from a web browser.

This section describes policies specific to Invitae’s genetic testing services. We describe how Invitae uses and protects your data and the choices available to you to determine how it is used. Two of Invitae’s founding principles are 1) patients own and control their own genetic information and 2) genetic information is more valuable when shared. These principles have guided the company since its inception and inform how Invitae uses and protects patient data.

Information Invitae Collects for Genetic Testing

As a genetic testing laboratory, Invitae receives your sample (e.g. blood, saliva) along with your relevant health information. Invitae then analyzes the genetic information contained within the sample and delivers a genetic test report to your healthcare provider. Your sample and the health and genetic information Invitae receives and generates about you (collectively, “your data”) is considered as sensitive personal data by regulators. Your data is subject to strict legal requirements regarding how it can and cannot be used and how it must be protected.

How Invitae Uses and Shares Your Genetic Data.

The following activities are a core part of Invitae’s genetic testing services such that when you consent to a genetic test, you are consenting to and understand you cannot opt-out of these activities:

• Providing genetic testing services, including preparing and delivering a genetic test report to your healthcare providers. This report may be delivered through the Invitae portal or an intermediary and may include raw sequencing data.
• Performing operational activities in support of genetic testing services, such as billing for services Invitae provides. Invitae may contact you via text or email (per your contact preference) as part of delivering the genetic testing services.
• Internal uses for validation, quality improvement, refining and updating Invitae’s classification of genetic variants, and product development related to genetic testing.
• Sharing of anonymized variant information with ClinVar, a federal program that enables research on genes and health.
• Sharing of anonymized variant information according to the ClinGen Variant Curation Expert Panel Protocol, which implements an approved process of evaluating the strength of evidence supporting or refuting a claim that variation in a particular gene causes a particular disease.
• Sharing of data that is summarized at a group or aggregate level rather than data that is specific to a single individual.
• Sharing of the contact information of your healthcare provider with third parties if your healthcare provider has provided consent.

You also consent to the research and commercial activities as set forth below, you can opt out of any of the following activities by setting your preferences in the Invitae patient portal or by emailing us. Samples originating in the State of New York will not be eligible for the research and commercial activities described below. No tests other than those authorized shall be performed on your biological sample, though your de-identified data may still be utilized unless you opt out as described above.

• Performing internal research activities. These are activities where Invitae uses patient samples or data to generate new knowledge.
• Sharing de-identified data and samples with third parties for research or commercial activities.
  • Third parties may include academic researchers, commercial entities, and other genetic testing laboratories. Recipients of the de-identified data and samples are prohibited from attempting to re-identify you. Recipients may link de-identified data from Invitae with other data sources to create a combined data set as long as the data remains de-identified. Invitae will NOT share your identifiable data or sample without your additional, explicit consent. If you opt out of data sharing after your data has already been shared, you understand your data cannot be “un-shared”.
• Contacting you about research opportunities, opportunities to connect with others, product feedback, and new products and services.

Sponsored Testing Programs and Data Sharing. If you choose to participate in a sponsored testing program or other data sharing program offered by Invitae to help individuals access genetic testing, you are consenting to de-identified data sharing through the program. You understand that (1) you cannot opt out of data sharing through the program (except where required by law) and (2) your general data sharing preference will not apply to data sharing through the program.

Location of processing of sample and data. Invitae is located in the United States and Invitae will process your data and sample in the United States.

Retention of data and samples. Invitae will retain your data and sample for as long as reasonably necessary for the purposes described above. However, if you are a resident of New York, your sample will be destroyed no more than 60 days after the sample was taken or at the end of the testing process, whichever is later.

Patient Insights Networks (PINs) are online platforms where individuals can take surveys, upload medical records, track health outcomes, and learn about the latest research and clinical trials.

PIN Data Storage and Sharing. Data stored in PINs is safeguarded and de-identified which makes it possible to share with researchers and drug developers working to help find new and better treatments for disease. Data is also shared with other patients, as well as various organizations, as discussed in further detail below.

Invitae will only share your de-identified data stored in a PIN according to the preferences you set, either at account creation or at any time after. If you opt-in, your de-identified data may be shared:

• With public databases such as ClinVar, a federal program that enables research on genes and health.
• With PIN Participants including non-profit organizations, doctors, research scientists, medical investigators, regulatory agencies, and pharmaceutical and biomedical companies.