VIOME PRIVACY POLICY

Version 2.1

Effective Date: November 1, 2018

Introduction

Viome, Inc. is a company that collects and analyzes physiological, physical, and molecular data for the purpose of understanding and optimizing the wellness of individuals. The samples collected from study participants include stool, blood, saliva, cheek swab, skin swab, and/or urine, using test kits provided by Viome. Participants will collect the clinical samples and ship them to Viome for analysis. Along with data obtained from clinical samples, participant-provided information will be collected and stored by Viome. Based on our analysis of all participant data, Viome will make personalized diet and lifestyle recommendations to the individual participant via, without limitation, the Viome website located at www.viome.com and Viome’s mobile applications.

Viome takes privacy very seriously. We are committed to protecting the privacy and security of “Personal Information”, which could be used to identify the participant, either alone or in combination with other information. By using the Viome website and mobile applications, and consenting to participate in the Viome clinical research study, the participant allows us to collect, store, and use their Personal Information for research purposes that will enable us to improve the personalization of diet and lifestyle advice. Viome recognizes and understands the importance of privacy and respects our participants’ desire to store and access Personal Information in a private and secure manner.

THIS PRIVACY POLICY DESCRIBES HOW INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. THIS PRIVACY POLICY FURTHER DESCRIBES OUR POLICIES WITH REGARD TO PERSONAL INFORMATION AND PROTECTED HEALTH INFORMATION. PLEASE REVIEW IT CAREFULLY.

  1. Acceptance of Privacy Policy. This VIOME PRIVACY POLICY (“Privacy Policy”) concerns the collection, use, and disclosure of your (“you” or “user”) information by Viome, Inc. (“Viome,” “we,” or “us”) in connection with the services, programs, websites, and software applications (collectively, the “Service”) provided by Viome. This Privacy Policy is incorporated by reference into the VIOME TERMS OF SERVICE (“Terms”), which can be found here: https://www.viome.com/terms. By subscribing to or otherwise using the Service, or accessing any content or material that is made available by Viome through the Service, you agree to be bound by the Terms, including this Privacy Policy. Viome reserves the right to change or modify this Privacy Policy at any time and in its sole discretion. Any changes or modifications will be effective immediately upon posting of the revisions on the Service. Your continued use of the Service following the posting of such changes or modifications will constitute your acceptance of those changes or modifications.
  2. Types of Personal Information. Viome collects and uses several types of Personal Information in connection with the Service: “Registration Information” is collected when you subscribe to or register for the Service. This information includes, but is not limited to, your name, password, payment plan, credit card information (Viome stores only the last 4 digits and expiration date), shipping addresses, and contact information such as email address and telephone number. Viome uses Registration Information to authenticate your access to Viome websites and mobile applications; to enable you to purchase features related to the Service; to deliver personalized reports to you in connection with the Service; and to send you marketing communications. “Sample Data” is collected when you provide self-collected clinical samples to Viome for analysis using the Viome-supplied collection kits. Sample Data includes, but is not limited to, gut or mouth microbe analysis, gut gene expression analysis, gut metabolite analysis, personal genetic analysis, personal gene expression, and personal metabolite analysis. If you consent to participate in the clinical study, the Sample Data are analyzed in aggregate with other participants’ data to improve the personalization of Viome’s diet and lifestyle recommendations. “Self-Reported Information” is collected when you provide information to Viome including, but not limited to, information about your health conditions (e.g. Type 2 diabetes), other health-related information (e.g. smoking status, activity level, heart rate), diet information (e.g. food intake levels), and personal traits (e.g. height and weight). This information is provided to Viome using its websites and mobile applications. Self-Reported Information is used to support the study objective of identifying correlations between dietary and lifestyle inputs with molecular measures. “Medical Information” is collected when you give Viome permission to access your medical records. Only with your written and signed permission will Viome obtain the medical records from your healthcare provider and use the Medical Information to improve data analysis methods and optimize wellness recommendations provided to you in reports.
  3. Other Types of Collected Information.  When you use the Service, some information is automatically collected through the use of log files. Such information may include your device’s Internet Protocol (IP) address, your device’s operating system, the browser type, and your device ID (only for iOS users).  To ensure your data is safe and used only to the extent necessary to provide the Service, Viome deletes this information every three months.  Viome uses this information for purposes such as analyzing trends, administering the Service, improving customer service, diagnosing problems with our servers, tracking user movement, and gathering broad demographic information for aggregate use.
  4. Use of Cookies. We may also automatically collect certain information through the use of web beacons or “cookies.” Cookies are small data files that are stored on a user’s hard drive at the request of a website to enable the site to recognize users who have previously visited them and retain certain information such as customer preferences and history. If we combine cookies with, or link them to, any of the Personal Information, Viome will treat this information as Personal Information. If you wish to block, erase, or be warned of cookies, please refer to your browser instructions or help screen to learn about these functions. However, if your browser or device settings will not allow you to accept cookies or if a user rejects a cookie, you may not be able to sign in to your Viome account and will not be able to access certain Service features. In addition, Viome may use third parties to provide certain functionalities or to collect, track and analyze non-personally identifiable usage and statistical information from users, such as the user’s browser type, operating system, and device ID (only for iOS users). These third parties may collect personal information from you in connection with the services they provide and may place cookies, web beacons or other devices on your device to collect non-personal information which may be used, among other things, to deliver advertising targeted to your interests and to better understand the usage of the Service and the other services tracked by these third parties. Viome is not responsible for, and does not control, any actions or policies of any third party service providers.
  5. Use of Google Analytics. Like many websites, we use Google Analytics, a service that provides information about how many users visit our website, when they visit, and how they navigate the site. We also may use other Google Analytics tools, such as Demographics and Interest Reporting, which enables us to learn more about the characteristics and interests of the users who visit our website, and Remarketing with Google Analytics, which enables us to provide relevant advertising on different websites and online services. To learn more about Google’s privacy practices, please review the Google Privacy Policy at https://www.google.com/policies/privacy/. You can also download the Google Analytics Opt-out Browser Add-on to prevent your data from being used by Google Analytics at https://tools.google.com/dlpage/gaoptout.
  6. Disclosure of Personal Information to Third-Parties. In general, Viome will not disclose individual-level Personal Information to third parties, except under the following circumstances:
    • Viome may disclose individual-level Personal Information to partners or service providers (e.g. credit card processors and accredited reference laboratories) who process and/or store Personal Information in order to help Viome provide, understand, or improve the Service. In those instances, the protection of your individual-level Personal Information will be subject to the privacy policy of the specific Viome partner or service provider.
    • If you consent to participate in the research program conducted by Viome and its research partners (the “Viome Research Program”), qualified Viome employees, consultants, and Viome’s scientific research collaboration partners may access your individual-level Sample Data, Self-Reported Information, and Medical Information for the purpose of conducting scientific research. A copy of the Viome Research Consent can be found here.
    • Viome may disclose such information to third parties where you provide express written consent for Viome to do so.
  7. Information Required to be Disclosed by Law. Under certain circumstances, Personal Information may be subject to disclosure pursuant to judicial or other government subpoenas, warrants, or orders, or in coordination with regulatory authorities. You acknowledge and agree that Viome is free to preserve and disclose any and all Personal Information to law enforcement agencies or others if required to do so by law or in the good faith belief that such preservation or disclosure is reasonably necessary to: (i) comply with legal or regulatory process (such as a judicial proceeding, court order, or government inquiry) or obligations that Viome may owe pursuant to ethical and other professional rules, laws, and regulations; (ii) enforce the Viome Terms of Service; (iii) respond to claims that any content violates the rights of third parties; or (iv) protect the rights, property, or personal safety of Viome, its employees, its participants (including you), and the public. In the event Viome is required by law to disclose Personal Information, Viome will notify you through the contact information provided to Viome in advance, unless doing so would violate the law or a court order.
  8. Security. To prevent unauthorized access or disclosure, to maintain data and information integrity, and to ensure the appropriate use of information, Viome uses various physical, technical, and administrative measures to keep your Personal Information secure, in accordance with current technological and industry standards. In particular, all connections to the Viome websites and mobile applications are encrypted using Secure Sockets Layer (SSL) technology. Please recognize that protecting Personal Information is also your responsibility. We ask all participants to be responsible for keeping their password secure, as well as other authentication information used to access the Service. You should not share authentication information with any third parties, and should inform Viome immediately of any prohibited use of your password. Viome cannot secure and assumes no liability for Personal Information that is released by the Participant to third parties, such as a healthcare provider.
  9. Children’s Privacy. Viome is committed to protecting the privacy of children and abiding by the provisions of the Children’s Online Privacy Protection Act (COPPA). The Service is not designed or intended to attract children under the age of 13. A parent or legal guardian, however, may consent his/her child to study participation, and may assist the child with providing assent to study participation, if the child is old enough to do so. The parent/guardian may create an account for, assist with sample collection for, and provide Self-Reported Information on behalf of his or her child. The parent/guardian assumes full responsibility for ensuring that the information that he or she provides to Viome about his or her child is kept secure and that the information submitted is accurate. In the event that Viome is notified or becomes aware that the Service has been used by a child under the age of 13 to store information of that child without parental consent, Viome shall be and is authorized to delete, in its entirety, any of the information stored by that child. The Company also reserves the right to revoke any license to use the Service which is being used or has been used by a child under the age of 13.
  10. Account Closure and Correction of Personal Information. If the Participant wishes to stop participating in the Service, the account may be closed by sending a request to Viome via email at info@viome.com. When closing an account, Viome removes all personally identifiable information associated with Sample Data. In addition, Viome retains limited Registration Information related to the Participant’s order history (e.g., name, contact, and transaction data) for accounting and compliance purposes. Personal Information and Registration Information can be changed, corrected, or updated using the Viome websites and mobile applications.
  11. Business Transitions. In the event that Viome goes through a business transition such as a merger, acquisition by another company, or sale of all or a portion of its assets, Personal Information will likely be among the assets transferred. In such a case, Personal Information would remain subject to the terms of the pre-existing and current Privacy Policy.
  12. California Do-Not-Track Disclosures. Viome does not track its customers over time and across third party websites to provide targeted advertising and therefore does not respond to Do Not Track (DNT) signals. Third parties that have content embedded on Viome’s websites or mobile applications (e.g. social features) may set cookies on a user’s browser and/or obtain information about the fact that a web browser visited a specific Viome website from a certain IP address. Third parties cannot collect any other personally identifiable information from Viome’s websites unless you provide it to them directly.
  13. Data Privacy for EU Residents Under GDPR.
    A.     General Data Protection Regulation (“GDPR”) Information for EU Residents. The following information describes our commitments to you under the EU General Data Protection Regulation (“GDPR”). Except where a term is specifically defined herein, terms in Section 12 will have the meaning provided under the GDPR.

    When Viome acts as Controller. Viome acts as a Controller when it determines the purposes and means of processing personal data.

    When Viome acts as a Processor. Viome acts as a Processor where it processes personal data for another Controller. Where we process your data in our capacity as a Processor on behalf of a third party Controller, the processing of your personal data will not be governed by this Privacy Policy. In such event, we encourage you to contact the Controller directly to learn about their processing of your information and to exercise your rights, or we will forward your request directly to such Controller upon receipt.

    Right to access, correct, and delete your personal data. Please contact privacy@viome.com to exercise your rights to access, correct, and delete your personal data pursuant to GDPR. We are not required to comply with your request to erase personal data if the processing of your personal data is necessary for compliance with a legal obligation or for the establishment, exercise, or defense of legal claims. Subject to the above terms and conditions, Viome will, within 30 days from the request of a customer, delete the personal data concerning such customer and destroy all samples provided by such customer. Notwithstanding the above provisions, Viome shall be permitted to retain any and all anonymized, aggregate data.

    Right to restrict the processing of your personal data. You have the right to restrict the use of your personal data; however, we can continue to use your personal data following a request for restriction, where:
    • we have your consent; or
    • to establish, exercise or defend legal claims; or
    • to protect the rights of another natural or legal person.

    Right to data portability. To the extent that we process your personal data (i) based on your consent or under a contract; and (ii) through automated means, you have the right to receive such personal data in a structured, commonly used, machine-readable format, or you can ask to have it transferred directly to another data controller.

    Personal data retention. We retain your personal data for as long as necessary to provide you with our services, or for other important purposes such as complying with legal obligations, resolving disputes, and enforcing our agreements.

    Third parties with access to personal data. Viome shares your personal data with third parties as follows:

    • Customer support service providers: to process orders and respond to customer service requests
    • Website and mobile application usage analytics services: to determine who is using Viome’s services and how to improve those services
    • Payment processors: to process customer payments
    • Sequencing facilities: to provide critical sequencing required to deliver personalized analysis and recommendations to Viome customers
    • Scientific research collaborators: to engage in scientific research regarding the human microbiome
    • Software developers: to develop and test Viome’s software
    • Database service providers: to securely store results of customer sample analysis and recommendations
    • Storage facilities: to securely store raw and processed Viome customer samples

    How to exercise your rights. If you would like to exercise any of the rights described above, please send us a request to privacy@viome.com. In your message, please indicate the right you would like to exercise and the information that you would like to access, review, correct, or delete.

    We may ask you for additional information to confirm your identity and for security purposes, before disclosing the personal data requested to you. We reserve the right to charge a fee where permitted by law, for instance if your request is manifestly unfounded or excessive.

    We may not always be able to fully address your request, for example if it would impact the duty of confidentiality we owe to others, or if we are legally entitled to deal with the request in a different way.

    We ask that you attempt to resolve any issues regarding your data protection or requests with us first. Please contact us at privacy@viome.com and we will respond to your request promptly. You may also contact Viome’s designated, EU-based representative at:

    DPR Group
    BPM 335368
    372 Old Street
    EC1V 9AU London, United Kingdom
    datainquiry@dpr.eu.com quoting in the subject line
    online webform at www.dpr.eu.com/datarequest

    If you are not happy with how we have resolved your complaint, you may contact the relevant supervisory authority. http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm

    Viome’s “privacy by design” approach requires that our user data protection levels be at the highest setting by default. In the unlikely event of a breach, Viome will notify data subjects and Supervisory Authorities (SAs) in the EU according to procedures provided in GDPR Articles 33 and 34.

    Using and sharing your information. We collect, use, and share your personal data where we are satisfied that we have an appropriate legal basis to do this. This may be because:
    • Our use of your personal data is necessary to perform a contract or take steps to enter into a contract with you; or
    • Our use of your personal data is in our legitimate interest as a commercial organization (for example in order to make improvements to our products and services and to provide you with information you request);
    • Our use of your personal data is necessary to comply with a relevant legal or regulatory obligation that we have (for example, where we are required to disclose personal data to a court); or
    • Our use of your personal data is in accordance with your consent.

    If you would like to find out more about the legal bases on which we process personal data, please contact us using the details below.

    B.     Exporting Personal Data from the EU. Viome may transfer your personal data outside of the country from which it was originally provided. This transfer may be intra-group or to third parties that we work with who may be located in jurisdictions outside the EU which have no data protection laws or laws that are less strict compared with those governing the EU. Whenever we transfer personal data outside of the EU, we take legally required steps to make sure that appropriate safeguards are in place to protect your personal data as further set forth below. Please contact us as set forth below for more information about the safeguards we have put in place to protect your personal data and privacy rights in these circumstances.

    For EU Individuals: Privacy Shield Notice for Personal Data Transfers to the United States

    Viome complies with the EU-US Privacy Shield Framework as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries transferred to the United States pursuant to Privacy Shield. Viome has certified that it adheres to the Privacy Shield Principles with respect to such data. If there is any conflict between the policies in this privacy policy and data subject rights under the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification page, please visit https://www.privacyshield.gov/

    With respect to personal data received or transferred pursuant to the Privacy Shield Frameworks, Viome is subject to the regulatory and enforcement powers of the U.S. Federal Trade Commission.

    The following provisions govern information collected in reliance on the EU-U.S. Privacy Shield Framework Principles (“Principles”) for transfers of personal data from the EU to the United States.

    Pursuant to the Privacy Shield Frameworks, EU individuals have the right to obtain our confirmation of whether we maintain personal information relating to you in the United States. Upon request, we will provide you with access to the personal information that we hold about you. You may also correct, amend, or delete the personal information we hold about you. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data transferred to the United States under Privacy Shield, should direct their query to privacy@viome.com. If requested to remove data, we will respond within a reasonable timeframe.

    Lawful requests. Viome may be required to disclose personal data pursuant to lawful requests made by public authorities, including to meet national security or law enforcement requirements.

    Dispute Resolution. In compliance with the Privacy Shield Principles, Viome commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to Privacy Shield. European Union individuals with Privacy Shield inquiries or complaints should first contact Viome at: privacy@viome.com.

    Viome has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD, operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbb.org/EU-privacy-shield/for-eu-consumers for more information and to file a complaint. This service is provided free of charge to you.

    If your Privacy Shield complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See Privacy Shield Annex 1 at https://www.privacyshield.gov/article?id=ANNEX-I-introduction

    Notice. When Viome collects personal data from individuals, it will inform the individual of the purpose for which it collects and uses the personal data and the types of non-agent third parties to which Viome discloses or may disclose that information. Viome shall provide the individual with the choice and means for limiting the use and disclosure of their personal data. Notice will be provided in clear and conspicuous language when individuals are first asked to provide personal data to Viome, or as soon as practicable thereafter, and in any event before Viome uses or discloses personal data for a purpose other than for which it was originally collected.

    In instances in which Viome is not the controller or collector of the personal data, but only a processor, it has no means of providing individuals with the choice and means for limiting the use and disclosure of their personal data or providing notices when individuals are first asked to provide personal data to Viome. In such instances, Viome will comply with the instructions of the controller of such information; provide appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and to the extent appropriate, assist the controller in responding to individuals exercising their rights under the Principles.

    Choice. In those instances where Viome collects personal data from individuals, we will provide an individual opt-out choice, or opt-in for sensitive data, before we share your data with third parties other than our agents, or before we use it for a purpose other than which it was originally collected or subsequently authorized. To request to limit the use and disclosure of your personal information, please submit a written request to privacy@viome.com.

    Disclosures to Third Parties. In those instances in which Viome collects personal data from individuals, prior to disclosing personal data to a third party, Viome shall notify the individual of such disclosure and allow the individual the choice to opt out of such disclosure. Viome shall ensure that any agent third party to which personal data may be disclosed subscribes to these principles or is subject to law providing the same level of privacy protection as is required by these principles and agrees in writing to provide an adequate level of privacy protection.

    Viome’s accountability for personal data that it receives in the United States under the Privacy Shield and subsequently transfers to a third party is described in the Privacy Shield Principles. In particular, Viome remains responsible and liable under the Privacy Shield Principles if third-party agents that it engages to process the personal data on its behalf do so in a manner inconsistent with the Principles, unless Viome proves that it is not responsible for the event giving rise to the damage.

    Data Security. Viome shall take reasonable steps to protect personal data from loss, misuse and unauthorized access, disclosure, alteration and destruction. Viome has put in place appropriate physical, electronic and managerial procedures to safeguard and secure the information from loss, misuse, unauthorized access or disclosure, alteration or destruction. Viome cannot guarantee the security of information on or transmitted via the Internet.

    Self-assessment. Viome uses a self-assessment approach or outside compliance review to assure compliance with this privacy policy and periodically verifies that this privacy policy is accurate, comprehensive for the information intended to be covered, and in accordance with the Principles.

    Data Integrity. Viome shall only process personal data in a way that is compatible with and relevant for the purpose for which it was collected or authorized by those who provided the information. To the extent necessary for those purposes, Viome shall take reasonable steps to ensure that personal data is accurate, complete, current and reliable for its intended use.

    Access. In those instances in which Viome collects personal data directly from individuals, Viome shall allow those individuals access to their personal data and allow the individual to correct, amend or delete inaccurate information, except where the burden or expense of providing access would be disproportionate to the risks to the privacy of the individual in the case in question or where the rights of persons other than the individual would be violated.

  14. Contact. If you have questions about this Privacy Policy, please contact us at info@viome.com or by writing to us at:
    Viome, Inc.
    Attn: Privacy Officer
    81 Camino Entrada, Suite 100
    Los Alamos, NM 87544