Last updated: August 12, 2019
Invitae Corporation, including its subsidiaries (referred to collectively as “Invitae,” “we” or “us”) is committed to protecting your privacy. To ensure transparency, this Privacy Policy (this “Policy”) describes how we collect, use, secure and share your personal information when you access or use our websites, including without limitation www.invitae.com, www.invitae.com/en/common/signup/ (our “Physician Portal”), www.invitae.com/en/patients/signup/ (our “Patient Portal”), www.combimatrix.com, www.goodstartgenetics.com, www.pin.invitae.com and www.cagene.com (referred to collectively as our “Websites”), and when you transmit information to us electronically or in hard copy in relation to our genetic testing and related services, Patients Insights Network (PIN), the Invitae Family History Tool, CancerGene Connect, or any other of our products or services (referred to collectively as our “Services”).
This Privacy Policy is in addition to and does not replace our Notice of Privacy Practices, which explains how we handle personally-identifiable health information.
Before using our Services, please read the Invitae Terms of Use, or to the extent you are participating in Invitae’s Patient Insight Network (“PIN”), the Invitae PIN Data Portal Terms of Use, or using CancerGene Connect, the CancerGene Connect Terms of Use. By accepting the applicable Terms of Use, you agree with our privacy practices as described in this Policy. If you do not agree with the terms of this Policy, please do not access or use our Websites or use our Services.
Invitae may revise this Policy from time to time. All updates to this Policy will be posted on this web page. If we make any material changes we will notify you by email (sent to the e-mail address specified in your account) or by means of a notice on our Websites prior to the change becoming effective. Your continued use of our Websites after we have posted a notice on the website constitutes your acceptance of such changes.
Invitae may provide additional "just-in-time" disclosures or additional information about the data collection, use and sharing practices of specific Services. These notices may supplement or clarify Invitae’s privacy practices or may provide you with additional choices about how Invitae processes your information. If you have any questions, please contact us at privacy@invitae.com.
Throughout this Policy we use the term “personal information” to describe data that identifies you or makes you identifiable. The definition of personal information depends on the applicable law based on your physical location and may include other types of information such as your IP address. Only the definition that applies to your physical location will apply to you under this Policy.
This Policy covers all personal information that you voluntarily submit to us. This Policy does not apply to anonymized data as it cannot be used to identify you, such as aggregated data. Except as described in this Policy, Invitae will not give, sell, rent or loan any personal information to any third party.
We may collect the following types of information:
Our Websites are directed toward adults and are not designed for, intended to attract, or directed toward children under the age of 16. If you are under the age of 16, you must obtain the authorization of a responsible adult (parent or legal guardian) before using or accessing our Websites. If we become aware that we have collected any personal information from children under 16, we will promptly remove such information from our databases.
Your personal information may be used for the following purposes:
If, in the future, we use your personal information in any way that is not described in this Policy, we will disclose this to you. At that time, you can choose not to allow us to use your personal information for any purpose that is incompatible with the purposes for which we originally collected it or subsequently obtained your consent. If you choose to limit the ways we can use your personal information, some or all of our Services may not be available to you.
Invitae may disclose your personal information as described below.
“De-identified” information is data we have stripped of your personally-identifiable information, such as your name, address, or birthdate. We may use de-identified information that we have obtained from our Services for various purposes, including for example:
You agree that you have provided notice to, and obtained consent from, any third party individuals whose personal information you supply to us, including with regard to (a) the purposes for which such third party’s personal information has been collected; (b) the intended recipients or categories of recipients of the third party’s personal information; (c) which of the third party’s information is obligatory and which information, if any, is voluntary; and (d) how the third party can access and, if necessary, rectify the information held about them.
Our Websites may contain links to external websites. Invitae does not maintain these sites and is not responsible for the privacy practices of sites that it does not operate. Please refer to the specific privacy policies posted on these sites.
You can update, amend or delete your account information and preferences at any time by visiting the My Account page after logging in. You may withdraw information you have submitted to the PIN database at any time by contacting the PIN coordinator at coordinator@pin.invitae.com; this will deactivate your account and the personally identifiable information in your profile will be removed.
Invitae email correspondence will include instructions on how to update certain personal information and how to unsubscribe from our emails and postal mail correspondence. Please follow the instructions in the emails to notify Invitae of changes to your name, email address, and preference information. Invitae will take reasonable steps, such as confirmation emails, to verify your identity before granting access to your personal information.
For individuals residing in the European Economic Area (EEA), Switzerland or the United Kingdom (collectively, the “Designated Countries”) at the time of data collection, please refer to Section 14 below.
We store your personal information for as long as we need it to provide you our Services, to serve the purpose(s) for which your personal information was processed, or as necessary to comply with our legal obligations, resolve disputes, or enforce our agreements to the extent permitted by law. While retention requirements can vary by country, we generally apply the retention periods noted below.
We store information used for marketing purposes indefinitely until you unsubscribe. Once you unsubscribe from marketing communications, we add your contact information to our suppression list to ensure we respect your unsubscribe request. Also, we retain any information collected via cookies, clear gifs, flash cookies, webpage counters and other technical or analytics tools up to one year from expiry of the cookie or the date of collection. If you have any questions about our retention periods, please feel free to contact us.
We use reasonable technical, administrative and physical measures to protect information contained in our system against misuse, loss or alteration. Information that you provide through our Websites is encrypted using industry-standard Secure Sockets Layer (SSL) technology, with the exception of information you send via email. Your information is processed and stored on controlled servers with restricted access. Unfortunately, no method of electronic transmission is 100% secure, so we cannot ensure or warrant the security of any information you transmit to our Websites, and you do so at your own risk.
Please recognize that protecting your personal information is also your responsibility. You should keep your username, password, ID numbers, or other access credentials secure as Invitae cannot secure personal information that you release on your own or that you request us to release. If we receive instructions using your log-in information we will consider that you have authorized the instructions.
We may store, process and transmit personal information in locations around the world, including locations outside of the country or jurisdiction where you are located. Such countries or jurisdictions may have data protection laws that are less protective than the laws of the jurisdiction in which you reside. If you do not want your information transferred to or processed or maintained outside of the country or jurisdiction where you are located, you should not use our Services.
We transfer your personal information subject to appropriate safeguards as permitted under the applicable data protection laws. Specifically, when your personal information is transferred out of the Designated Countries, we have the required contractual provisions for transferring personal information in place with the third parties to which your information is transferred. For such transfers, we rely on legal transfer mechanisms such as Binding Corporate Rules, Standard Contractual Clauses, or we work with US-based third parties that are certified under the EU-US and Swiss-US Privacy Shield Framework.
This Section only applies to users of our Services that are located in the European Economic Area, United Kingdom or Switzerland (collectively, the “Designated Countries”) at the time of data collection. We may ask you to identify which country you are located in when you use some of our Services, or we may rely on your IP address to identify which country you are located in.
Where we rely only on your IP address, we cannot apply the terms of this Section to any User or Customer that masks or otherwise obfuscates their location information so as not to appear located in the Designated Countries. If any terms in this Section conflict with other terms contained in this Policy, the terms in this Section shall apply to users in the Designated Countries.
Our relationship to you. A “data controller” is an entity that determines the purposes for which and the manner in which any personal information is processed. Any third parties that act as our service providers are “data processors” that handle your personal information in accordance with our instructions. In relation to the Patient Insight Network, we host the PIN platform at the direction of the PIN participants, and as such are a processor. In relation to our Physician Portal (or any similar portal hosted by an Invitae-owned company), Invitae is a controller in relation to the information that a physician enters directly into the website about him or herself. To the extent a user enters personal information on our Websites to pay for, use or obtain further information about our Services, Invitae is a controller.
Lawful basis for processing your personal information. We describe our processing activities in Section 5 (“How We Use Personal Information”), Section 6 (“Information We Share”) and Section 7 (“Use and Disclosure of De-identified Information”). Below is a chart indicating the legal bases we rely on in processing personal information.
Section | Purposes of processing | Legal basis for processing |
5(1) | to provide our services to you | Processing is based on our contractual obligations under the Terms of Service, or to take steps at the request of the individual prior to entering into a contract. |
5(2) | to inform you about research opportunities | Processing is based on our legitimate interest to better understand you, to maintain and improve the accuracy of the information we store about you, and to better promote or optimize our Services. |
5(6) | to ensure the security of our services | Processing is necessary for compliance with our legal obligations, the public interest, or in your vital interests. |
5(3) | to allow you to share personal information for research purposes | Processing is based on your consent, as required under applicable law. In relation to 7(i) and 7(ii), to the extent the de-identified data is anonymized, it is not considered personal data and falls outside the General Data Protection Regulations (GDPR). |
Marketing activities. Direct marketing includes any communications we send to you that are only based on advertising or promoting products and services. Transactional communications about your account or our Services are not considered “direct marketing” communications. We will only contact Users or Customers by electronic means (including email or SMS) based on our legitimate interest or their consent. When we rely on legitimate interest, we will only send you information about our Services that are similar to those which were the subject of a previous sale or negotiations of a sale to you. If you do not want us to use your personal information in this way, please click an unsubscribe link in your emails, or contact us at privacy@invitae.com. You can object to direct marketing at any time and free of charge.
Individual rights. We provide you with the rights described below when you use our Services. When we receive an individual rights request from you, please make sure you are ready to verify your identity. Please be advised that there are limitations to your individual rights. We may limit your individual rights in the following ways: (i) where denial of access is required or authorized by law; (ii) when granting access would have a negative impact on others' privacy; (iii) to protect our rights and properties; and (iv) where the request is frivolous or burdensome. If you have questions, or if you would like to exercise your rights under the applicable law, please contact us at privacy@invitae.com.
Invitae complies with the EU-US and the Swiss-US Privacy Shield Frameworks as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and the United Kingdom and/or Switzerland, as applicable, to the United States in reliance on Privacy Shield. Invitae has certified to the Department of Commerce that it adheres to the Privacy Shield Principles with respect to such information. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/. The following Invitae subsidiaries also adhere to the Privacy Shield Principles:
In compliance with the Privacy Shield Principles, Invitae commits to resolve complaints about our collection or use of your personal information. EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Invitae at: privacy@invitae.com.
Invitae has further committed to refer unresolved Privacy Shield complaints to ICDR-AAA, an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please visit http://go.adr.org/privacyshield.html for more information or to file a complaint. The services of ICDR-AAA are provided at no cost to you.
Note that:
This Section only applies to users of our Services that reside in the State of California.
For purposes of this Section 16, the term “personal information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information does not include publicly available information that is made available from federal, state, or local government records, nor does it include patient information collected and maintained by us in compliance with HIPAA and/or the California Confidentiality of Medical Information Act, or anonymized data that cannot be used to identify you.
California privacy rights. In addition to the rights described elsewhere in this Privacy Policy, California residents have the right to: (i) request additional disclosures about your personal information we collect, use, disclose and sell; (ii) request access to and deletion of your personal information; (iii) opt out of the sale of your personal information; and (iv) obtain a copy of your personal information. We will not discriminate against you for exercising any of these rights, for example, by charging a different price or denying goods or services. However, we may charge a different price or rate or provide a different level or quality of goods or services when that difference is reasonably related to the value provided to you by the data.
Methods for submitting requests. If you wish to exercise any of these rights please email privacy@invitae.com with the phrase “California Privacy Rights” in the subject line. You may also send a letter to us at Invitae Corporation, Attn: Chief Privacy Officer, 1400 16th St., San Francisco, California 94103, call us toll-free at (800) 436-3037, or complete an online form at www.invitae.com/contact, and please indicate in the form: Attn: Chief Privacy Officer. To exercise the right to opt out of the sale of your personal information, you may contact Invitae through any of the above channels. We will review your request and respond accordingly. The rights described herein are not absolute, and we reserve all of our rights available to us at law in this regard. Additionally, if we retain your personal information only in de-identified form, we will not attempt to re-identify your data in response to a California privacy rights request.
If you make a request related to personal information about you, you will be required to supply a valid means of identification as a security precaution. We will verify your identity with a reasonably high degree of certainty using the following procedure where feasible: we will match identifying information you provide when making the request to the personal information maintained by us, or use a third-party identity verification service. If it is necessary to collect additional information, we will use the information only for verification purposes and will delete it as soon as practicable after complying with your request. For requests related to particularly sensitive information, we may require additional proof of your identity.
If you make a California privacy rights request through an authorized agent, we will require written proof that the agent is authorized to act on your behalf.
We will process your request within the timeframe provided by applicable law.
Additional disclosures
Categories of personal information we collect. In the previous 12 months, Invitae has collected the following categories of personal information:
Identifiers such as names, dates of birth, and contact information;
Information protected by the California Customer Rights Statute such as names, contact information, financial information, and health insurance information;
Characteristics of protected classifications under California or federal law, such as age, ancestry, and medical condition;
Commercial information such as records of products or services purchased;
Biometric information such as genetic characteristics;
Internet or other electronic network activity information;
Professional or employment-related information;
Sources from which we collect personal information. Invitae may collect personal information from you directly. Invitae may also receive personal information about you from third parties or through automated means. For additional information on how we may collect personal information, refer to Section 3 of this Privacy Policy.
Purpose for collecting or selling personal information. Your personal information may be collected or used for the purposes described in Section 5 of this Privacy Policy, as well as for other purposes that may be described to you at the time we collect your personal information.
Categories of third parties with whom we share your personal information. Invitae may share your personal information with the third parties described in Section 6 of this privacy policy, as well as with other third parties as may be described to you at the time we collect your personal information. However, except with respect to our sale of ordering clinician contact information to pharmaceutical company partners (which we do only with the consent of the ordering clinicians), all third parties with whom we share personal information are prohibited from using personal information for any purpose other than providing services to us.
Sale of personal information. In the preceding 12 months, Invitae has not sold personal information, except with respect to certain ordering clinicians who sign an attestation consenting to the sale of their contact information to our pharmaceutical company partners as part of one of Invitae’s sponsored testing programs. Invitae does not sell the personal information of individuals under the age of 16.
Sale and disclosures of personal information.
In the previous 12 months, Invitae, as part of the data reports it sells to pharmaceutical partners under its sponsored testing programs, includes the contact information of ordering clinicians who may reside in the State of California. As noted, ordering clinicians consent to this sharing of their contact information via an attestation when they order a test under a sponsored testing program.
In the previous 12 months, Invitae has disclosed the following categories of personal information for a business purpose, but only to service providers that are prohibited from using that information for any purpose other than providing services to us:
Identifiers;
Information protected by the California Customer Rights Statute;
Characteristics of protected classifications under California or federal law;
Commercial information such as records of products or services purchased;
Biometric information such as genetic characteristics;
Internet or other electronic network activity information;
Professional or employment-related information.
Our Websites are owned and operated by Invitae. If you have any questions about this Policy or our Services, you can contact us at privacy@invitae.com, by using the Contact Us page, or by regular mail at Invitae Corporation, 1400 16th St., San Francisco, California 94103.