- Access or use our websites that link to this Policy (“Websites”).
- Access or use our genetic testing and related services.
- Interact with us, including by email, telephone, social media, and in person.
- Apply for a job at Invitae.
- Otherwise communicate with us.
We refer to our Websites, products, services, and interactions with you collectively as “Services” in this Policy.
This Policy is in addition to, and does not replace, our Notice of Privacy Practices, which explains how we use and disclose our patients’ protected health information (“PHI”) under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). PHI may include, but is not limited to, your genetic testing information and results. To the extent of a conflict between the terms of this Policy and the Notice of Privacy Practices with respect to PHI, the Notice of Privacy Practices will control how we use and disclose your protected health information.
- 2. POLICY UPDATES
Invitae may revise this Policy from time to time. All updates to this Policy will be posted on the Websites. An updated Policy will supersede all previous versions. If we make any material changes to this Policy, we will notify you by email (sent to the e-mail address specified in your account) or by posting an updated Policy on our Websites. Your continued use of our Services after we have posted the updated Policy on the Websites constitutes your acceptance of such changes. Invitae may also provide additional "just-in-time" notices or information about its data collection, use, and sharing practices in relation to specific Services.
- 3. TYPES OF PERSONAL INFORMATION WE COLLECT
Throughout this Policy we use the term “personal information” to describe any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to a particular person or household. Data that has been de-identified or anonymized under applicable law is not personal information. Personal information includes, for example, PHI under HIPAA and personal data under the EU’s General Data Protection Regulation. This Policy covers all personal information that we collect from you or on your behalf through our Services.
We may collect the following types of personal information:
- Personal information you provide voluntarily. We collect any personal information that you voluntarily provide to us, such as health information you provide to us or your clinician to facilitate our provision of Services. If you are an ordering clinician, we may collect your name, phone number, place of business, and other contact information you provide when ordering a test.
- Communications between you and Invitae. We collect personal information you submit when contacting us (such as your name and email address).
- Registration information. When you register through our Patient Portal or create a user account to access our Services, we collect personal information, such as your name, date of birth, billing and shipping address, and contact information. We may use your registration information, for example, to enable you to access to your test results, check the status of your order, pay your bills, and schedule appointments with a genetic counselor. We also maintain a Physician Portal which is only for the use of physicians and their authorized representatives as stated in the Terms and Conditions of Use for our Physician Portal. When registering for our Physician Portal, physicians provide their names, phone numbers, addresses, and occupations.
- Payment information. When you place an order with us or complete purchases via our Services, we collect your payment information (such as payment card, billing, and shipping information, and your contact information).
- Job application information. If you apply for a position with Invitae through our Careers Page or otherwise, we will collect your resume, contact information, employment and education history, and other related information. We may also receive information from references you identify and other third parties (for instance, via background checks).
- Device information. When you use a mobile device (e.g., a tablet or smartphone) to access our Services, we may collect information about your device. We may collect information about your device’s hardware, operating system or software, device name, unique device identifier, your mobile network information and any other information about your device’s interaction with our Services. Some features of the Services may not function properly if use or availability of device identifiers is impaired or disabled.
- Information about your use of the Services. When you browse our Websites, our system automatically collects information such as your web request, Internet Protocol (“IP”) address, browser type, browser language, domain names, referring and exit pages and URLs, platform type, pages viewed and the order of these page views, the amount of time spent on particular pages, the date and time of your request and one or more cookies that may uniquely identify your browser. We may collect this information through third-party analytics tools. This information is used to analyze trends, administer our Websites, improve the design of our Websites, and otherwise enhance our Services.
- 4. CHILDREN'S INFORMATION
Our Websites are directed toward adults and are not designed for, intended to attract, or directed toward children under the age of 16. If you are under the age of 16, you must obtain the authorization of a responsible adult (parent or legal guardian) before using or accessing our Websites. If we become aware that we have collected any personal information from children under 16 without the authorization of a responsible adult, we will promptly remove such information from our databases.
- 5. HOW WE USE AND SHARE PERSONAL INFORMATION
We use personal information for the following purposes:
- Provide Services. We process your personal information to provide you with our Services. This includes performing operational and quality improvement activities in support of our Services. We share this information with third party service providers to the extent necessary to provide you with our Services. If you or your clinician provide Invitae with your telephone number, you consent to receive text messages and auto-dialed calls from Invitae for billing and informational purposes.
- Maintain legal and regulatory compliance. Certain laws or regulations apply to our Services that may require us to process your personal information. For example, we may process your personal information to fulfill our business obligations, ensure compliance with employment laws, or as necessary to manage risk as required under applicable law.
- Ensure the security of the Services. We may process your personal information to combat spam, malware, malicious activities or security risks; improve and enforce our security measures; and to monitor and verify your identity so that unauthorized users do not access your account with us.
- Create de-identified, anonymized or pseudonymized information. We may create de-identified, anonymized or pseudonymized information for use in research and development activities. De-identified information is information that cannot reasonably be used to identify you. Pseudonymized information is personal information, but does not include your name, address, or other information that can directly identify you. Anonymized information has been stripped of all information that could be reasonably used to identify you.
- Contact you. We may use your personal information to contact you about research opportunities, opportunities to connect with others, product feedback, and new products and services. You may set contact preferences by emailing firstname.lastname@example.org or by setting your preferences in the Patient Portal (if you have created an account).
- Conduct internal research and product development. We may perform internal research and product development activities using personal information. These activities help Invitae expand the genes it can offer for testing to patients and deliver new products and services. You may set internal research preferences by emailing email@example.com or by setting your preferences in the Patient Portal.
- Share de-identified or anonymized information with third parties. We may share de-identified (pseudonymized) or anonymized information with third parties for research or commercial activities. Third parties may include academic researchers and commercial entities. Invitae may include the contact information of your healthcare provider in the de-identified data if your healthcare provider has provided consent. Recipients of de-identified data are prohibited from attempting to re-identify you. Invitae will not share your identifiable data without your additional, explicit consent. You may set sharing preferences by emailing firstname.lastname@example.org or by setting your preferences in the Patient Portal.
- Share de-identified or pseudonymized information as part of sponsored testing programs. Invitae offers sponsored testing programs as described here. Participation in these programs is completely voluntary. Under these programs, third party biopharmaceutical companies sponsor the cost of testing for eligible patients. If you choose to participate in a sponsored testing program, Invitae will share your de-identified (pseudonymized) genetic test results and clinical information and the contact information of your healthcare provider with the sponsor(s), who may contact your healthcare provider.
- 6. RETENTION
We may store your personal information for as long as we need it to provide you our Services and to perform the activities described in this Policy, all to the extent permitted by law.
- 7. SECURITY MEASURES
We use reasonable technical, administrative and physical measures to protect information contained in our system against misuse, loss or alteration. We secure information that we receive through our Services using reasonable technical, physical and administrative safeguards.
Please recognize that protecting your personal information is also your responsibility. You should keep your username, password, ID numbers, or other access credentials secure as Invitae cannot secure personal information that you release on your own.
- 8. INTERNATIONAL TRANSFERS OF PERSONAL INFORMATION
We may store, process and transmit personal information in locations around the world, including locations outside of the country or jurisdiction where you are located. Our primary data processing activities occur within the United States. The United States and other countries where we process data may have data protection laws that are less protective than the laws of the jurisdiction in which you reside. If you do not want your information transferred to or processed or maintained outside of the country or jurisdiction where you are located, you should not use our Services.
We transfer your personal information subject to appropriate safeguards as permitted under the applicable data protection laws. Specifically, when your personal information is transferred out of the Designated Countries, we have the required contractual provisions for transferring personal information in place with the third parties to which your information is transferred. For such transfers, we rely on Standard Contractual Clauses for our legal transfer mechanism.
- 9. NOTICE TO INDIVIDUALS LOCATED IN THE EUROPEAN ECONOMIC AREA OR SWITZERLAND
This Section only applies to users of our Services that are located in the European Economic Area, United Kingdom or Switzerland (collectively, the “Designated Countries”) at the time of data collection. If any terms in this Section conflict with other terms contained in this Policy, the terms in this Section shall apply to users in the Designated Countries.
Lawful basis for processing your personal information. Below is a summary of our data processing activities and our lawful bases for processing data.
Purposes of processing Legal basis for processing
- to provide our services to you and conduct related, compatible activities such as quality improvement
- to send service-related communications
- to provide customer support
- to enforce our terms, agreements, or policies
- to ensure the security of our services
- to share information with our service providers, business partners, and affiliates
Processing is based on our contractual obligations under the applicable contract.
- to inform you about research opportunities
- to personalize your experience on our Websites
- to conduct research and product development
- change of control
Processing is based on our legitimate interest to better understand you, to maintain and improve the accuracy of the information we store about you, and to better promote or optimize our Services.
- to ensure the security of our services
- to maintain legal or regulatory compliance
- responding to legal requests and preventing harm
- safety and legal compliance
Processing is necessary for compliance with our legal obligations, the public interest, or in your vital interests.
- to conduct scientific, historical or statistical research
Processing is based on your consent, as required under applicable law, or as otherwise permitted by laws governing scientific, historical or statistical research.
- to create anonymized or pseudonymized information or samples
Processing is based on your consent, as required under applicable law, or as otherwise permitted by laws governing scientific or historical research.
Marketing activities. Direct marketing includes any communications we send to you that are only advertising or promoting products and services. Transactional communications about your account or our Services are not considered “direct marketing” communications. We will only send you direct marketing communications by electronic means (including email or SMS) based on our legitimate interest or your consent. When we rely on legitimate interest, we will only send you information about our Services that are similar to those which were the subject of a previous sale or negotiations of a sale to you. If you do not want us to use your personal information in this way, please click an unsubscribe link in your emails, or contact us at email@example.com. You can object to direct marketing at any time and free of charge.
Individual rights. We provide you with the rights described below when you use our Services. When we receive an individual rights request from you, please make sure you are ready to verify your identity. Please be advised that there are limitations to your individual rights. We may limit your individual rights in the following ways: (i) where denial of access is required or authorized by law; (ii) when granting access would have a negative impact on other's privacy; (iii) to protect our rights and properties; and (iv) where the request is frivolous or burdensome. If you have questions, if you would like to exercise your rights under the applicable law please contact us at firstname.lastname@example.org.
- Right to withdraw consent. If we, or any third parties to which we provide your personal information, rely on your consent to process your personal information, you have the right to withdraw your consent at any time. A withdrawal of consent will not affect the lawfulness of our processing or the processing by any third parties made before your withdrawal. In addition, your withdrawal of consent may not limit our, or the third parties’ further processing of personal information on another lawful basis, including where it is necessary for the performance of a contract; for us to comply with our legal obligations; where it protects your vital interests; or in limited circumstances where it is in our legitimate interests. Other exemptions may apply to your genetic testing information or other sensitive personal information. We will only process your personal information as permitted by applicable law.
- Right of access and rectification. If you request a copy of your personal information that we hold, we will provide you with a copy without undue delay and free of charge, except where we are permitted by law to charge a fee. We may limit your access if such access would adversely affect the rights and freedoms of other individuals. You may request to correct or update any of your personal information held by us, unless you can already do so directly via the Services.
- Right to erasure (the “right to be forgotten”). You may request us to erase any of your personal information held by us that: is no longer necessary in relation to the purposes for which it was collected or otherwise processed; was collected in relation to processing that you previously consented to, but later withdrew such consent; or was collected in relation to processing activities to which you object, and there are no overriding legitimate grounds for our processing such as the conduct of scientific research or the establishment or defense of legal claims.
- Right to object to processing. You may object to our processing at any time and as permitted by applicable law if we process your personal information on the legal basis of consent, contract, or legitimate interests. We can continue to process your personal information if it is necessary for the defense of legal claims, or for any other exceptions permitted by applicable law.
- Right to restriction. You have the right to restrict our processing your personal information where one of the following applies:
- You contest the accuracy of your personal information that we processed. We will restrict the processing of your personal information, which may result in an interruption of some or all of the Services, during the period necessary for us to verify the accuracy of your personal information.
- The processing is unlawful and you oppose the erasure of your personal information and request the restriction of its use instead.
- We no longer need your personal information for the purposes of the processing, but it is required by you to establish, exercise, or defend legal claims.
- You have objected to processing, pending the verification whether the legitimate grounds of our processing override your rights.
- We will only process your restricted personal information with your consent or for the establishment, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest. We will inform you if or when the restriction is lifted.
Right to data portability. If we process your personal information based on a contract with you or based on your consent, or the processing is carried out by automated means, you may request to receive your personal information in a structured, commonly used and machine-readable format, and to have us transfer your personal information directly to another data controller, where technically feasible, unless exercise of this right adversely affects the rights and freedoms of others.
Notification to third parties. If we share your personal information with third parties, we will notify them of any requests for rectification, erasure, or restriction of your personal information, unless this proves impossible or involves disproportionate effort.
Right to lodge a complaint. If you believe we have infringed or violated your privacy rights, please contact us at email@example.com so that we can work to resolve your concerns. You also have a right to lodge a complaint with a competent supervisory authority situated in an EEA Member State of your habitual residence, place of work, or place of alleged infringement.
- 10. NOTICE TO CALIFORNIA RESIDENTS
This Section only applies to users of our Services that reside in the State of California. For purposes of this Section, the term “personal information” does not include publicly available information that is made available from federal, state, or local government records or patient information collected and maintained by us in compliance with HIPAA and/or the California Confidentiality of Medical Information Act.
California privacy rights. In addition to the rights described elsewhere in this Policy, California residents have the right to: (i) request additional disclosures about your personal information we collect, use, disclose and sell; (ii) request access to and deletion of your personal information; (iii) opt out of the sale of your personal information; and (iv) obtain a copy of your personal information. We will not discriminate against you for exercising any of these rights, for example, by charging a different price or denying goods or services. However, we may charge a different price or rate or provide a different level or quality of goods or services when that difference is reasonably related to the value provided to you by the data.
Methods for submitting requests. If you wish to exercise any of these rights please email firstname.lastname@example.org with the phrase “California Privacy Rights” in the subject line. You may also send a letter to us at Invitae Corporation, Attn: Chief Privacy Officer, 1400 16th St., San Francisco, California 94103, call us toll-free at (800) 436-3037, or complete an online form at www.invitae.com/contact, and please indicate in the form: Attn: Chief Privacy Officer. To exercise the right to opt out of the sale of your personal information, you may contact Invitae through any of the above channels. We will review your request and respond accordingly. The rights described herein are not absolute, and we reserve all of our rights available to us at law in this regard. Additionally, if we retain your personal information only in de-identified form, we will not attempt to re-identify your data in response to a California privacy rights request.
If you make a request related to personal information about you, you will be required to supply a valid means of identification as a security precaution. We will verify your identity with a reasonably high degree of certainty using the following procedure where feasible: we will match identifying information you provide when making the request to the personal information maintained by us, or use a third-party identity verification service. If it is necessary to collect additional information, we will use the information only for verification purposes and will delete it as soon as practicable after complying with your request. For requests related to particularly sensitive information, we may require additional proof of your identity.
We will process your request within the timeframe provided by applicable law.
- Categories of personal information we collect. In the previous 12 months, Invitae has collected the following categories of personal information:
- Identifiers such as names, dates of birth, and contact information;
- Information protected by the California Customer Rights Statute such as names, contact information, financial information, and health insurance information;
- Characteristics of protected classifications under California or federal law, such as age, ancestry, and medical condition;
- Commercial information such as records of products or services purchased;
- Internet or other electronic network activity information;
- Professional or employment-related information.
- Sources from which we collect personal information. Invitae may collect personal information from you directly. Invitae may also receive personal information about you from third parties or through automated means.
- Purpose for collecting or selling personal information. Your personal information may be collected or used for the purposes described in Section 5 of this Policy, as well as for other purposes that may be described to you at the time we collect your personal information.
- Categories of third parties with whom we share your personal information. Invitae may share your personal information with the third parties described in Section 5 of this Policy, as well as with other third parties as may be described to you at the time we collect your personal information.
- Sale of personal information. In the preceding 12 months, Invitae has not sold personal information, except with respect to certain ordering clinicians who sign an attestation consenting to the sale of their contact information to our pharmaceutical company partners as part of one of Invitae’s sponsored testing programs. Invitae does not sell the personal information of individuals under the age of 16.
- Sale and disclosures of personal information.
- In the previous 12 months, Invitae, as part of the data reports it sells to pharmaceutical partners under its sponsored testing programs, includes the contact information of ordering clinicians who may reside in California. As noted, ordering clinicians consent to this sharing of their contact information via an attestation when they order a test under a sponsored testing program.
- In the previous 12 months, Invitae has disclosed the following categories of personal information for a business purpose, but only to service providers that are prohibited from using that information for any purpose other than providing services to us:
- Information protected by the California Customer Rights Statute;
- Characteristics of protected classifications under California or federal law;
- Commercial information such as records of products or services purchased;
- Internet or other electronic network activity information; and
- Professional or employment-related information.
California Shine the Light. California residents may also request information from us once per calendar year about any Personal Information shared with third parties for the third party’s own direct marketing purposes, including the categories of information and the names and addresses of those businesses with which we have shared such information. To make such a request, please reach us at the contact information listed below. This request may be made no more than once per calendar year, and we reserve our right not to respond to requests submitted other than to the email or mailing addresses specified below.
- 11. DO NOT TRACK
Certain web browsers and other devices you may use to access the Websites may permit you to submit your preference that you do not wish to be “tracked” online. Like many websites, our Websites are not currently designed to recognize a “Do Not Track” signal from a web browser.