Effective Date: January 25, 2019
Viome, Inc. is a company that collects and analyzes physiological, physical, and molecular data for the purpose of understanding and optimizing the wellness of individuals. The samples collected include stool, blood, saliva, cheek swab, skin swab, and/or urine, using sample collection kits provided by Viome. Customers will collect the clinical samples and ship them to Viome for analysis. Along with data obtained from clinical samples, customer-provided information will be collected and stored by Viome. Based on our analysis of all customer data, Viome will make personalized diet and lifestyle recommendations to the individual via, without limitation, the Viome website located at www.viome.com and Viome’s mobile applications.
Viome takes privacy very seriously. We are committed to protecting the privacy and security of “Personal Information” which could be used to identify the customer, either alone or in combination with other information. By accessing or using the Service (as defined below), the customer allows us to collect, store, and use their Personal Information to enable us to improve the personalization of diet and lifestyle advice. Viome recognizes and understands the importance of privacy and respects our customers’ desire to store and access Personal Information in a private and secure manner.
- Types of Personal Information. Viome collects and uses several types of Personal Information in connection with the Service. “Registration Information” is collected when you subscribe to or register for the Service. This information includes, but is not limited to, your name, password, payment plan, credit card information (Viome stores only 4 last digits and expiration date), shipping addresses, and contact information such as email address and telephone number. Viome uses Registration Information to authenticate your access to Viome websites and mobile applications; to enable you to purchase features related to the Service; to deliver personalized reports to you in connection with the Service; and to send you marketing communications. “Sample Data” is collected when you provide self-collected clinical samples to Viome for analysis using the Viome-supplied collection kits. Sample Data includes, but is not limited to, gut or mouth microbe analysis, gut gene expression analysis, gut metabolite analysis, personal genetic analysis, personal gene expression, and personal metabolite analysis. If you consent to use the Service or to participate in the clinical study, your Sample Data is analyzed in aggregate with other customers’ Sample Data to improve the personalization of Viome’s diet and lifestyle recommendations. “Self-Reported Information” is collected when you provide information to Viome related to, but not limited to, your health conditions (e.g. Type 2 diabetes), other health-related information (e.g. smoking status, activity level, heart rate), diet information (e.g. food intake levels), and personal traits (e.g. height and weight). This information is provided to Viome using its websites and mobile applications. Self-Reported Information is used to support the study objective of identifying correlations between dietary and lifestyle inputs with molecular measures. “Medical Information” is collected when you give Viome permission to access your medical records. Only with your written and signed permission will Viome obtain the medical records from your healthcare provider and use the Medical Information to improve data analysis methods and optimize wellness recommendations provided to you in reports.
- Other Types of Collected Information. When you use the Service, some information is automatically collected through the use of log files. Such information may include your device’s Internet Protocol (IP) address, your device’s operating system, the browser type, and your device ID (only for iOS users). To ensure your data is safe and used only to the extent necessary to provide the Service, Viome deletes this information every three months. Viome uses this information for purposes such as analyzing trends, administering the Service, improving customer service, diagnosing problems with our servers, tracking user movement, and gathering broad demographic information for aggregate use.
Disclosure of Personal Information to Third-Parties. In general, Viome will not disclose individual-level Personal Information to third parties, except under the following circumstances:
- Viome may disclose your Personal Information to third parties where you provide consent pursuant to your acceptance of Viome’s Terms of Service or where you otherwise provide express written consent for Viome to do so.
- Information Required to be Disclosed by Law. Under certain circumstances, Personal Information may be subject to disclosure pursuant to judicial or other government subpoenas, warrants, or orders, or in coordination with regulatory authorities. You acknowledge and agree that Viome is free to preserve and disclose any and all Personal Information to law enforcement agencies or others if required to do so by law or in the good faith belief that such preservation or disclosure is reasonably necessary to: (i) comply with legal or regulatory process (such as a judicial proceeding, court order, or government inquiry) or obligations that Viome may owe pursuant to ethical and other professional rules, laws, and regulations; (ii) enforce the Viome Terms of Service; (iii) respond to claims that any content violates the rights of third parties; or (iv) protect the rights, property, or personal safety of Viome, its employees, its customers (including you), and the public. In the event Viome is required by law to disclose Personal Information, Viome will notify you through the contact information provided to Viome in advance, unless doing so would violate the law or a court order.
- Security. To prevent unauthorized access or disclosure, to maintain data and information integrity, and to ensure the appropriate use of information, Viome uses various physical, technical, and administrative measures to keep your Personal Information secure, in accordance with current technological and industry standards. In particular, all connections to the Viome websites and mobile applications are encrypted using Secure Socket Layer (SSL) technology. Please recognize that protecting Personal Information is also your responsibility. We ask all users of the Service to be responsible for keeping their password secure, as well as other authentication information used to access the Service. You should not share authentication information with any third parties, and should inform Viome immediately of any prohibited use of your password. Viome cannot secure and assumes no liability for Personal Information that is released by the customer to third parties, such as a healthcare provider. Viome keeps all personal data and information on secure cloud servers. Only a small group of staff can access information that can be used to identify you. These are people who need that information to complete the testing, analysis, and reporting. Your samples and other information you provide will be labeled with a code and not your name. The information that matches the code to your identity will be kept in a protected database at Viome. Only a small group of staff will have access to the protected database. We will not include any information in any publications that would make it possible to identify you. All Viome employees, consultants, and others who might have access to your private information must sign confidentiality agreements that mandate them to keep that information private. Your data may be shared with your doctor only with your written permission. Your specimens will be analyzed, and remnants will be securely stored with de-identified alphanumeric IDs (no personal information).
- Children’s Privacy. Viome is committed to protecting the privacy of children and abiding by the provisions of the Children’s Online Privacy Protection Act (COPPA). The Service is not designed or intended to attract children under the age of 13. In some instances, a parent or legal guardian, however, may consent his/her child to study participation, and may assist the child with providing assent to study participation, if the child is old enough to do so. In such cases, the parent/guardian may create an account for, assist with sample collection for, and provide Self-Reported Information on behalf of his or her child. The parent/guardian assumes full responsibility for ensuring that the information that he or she provides to Viome about his or her child is kept secure and that the information submitted is accurate. In the event that Viome is notified or becomes aware that the Service has been used by a child under the age of 13 (or any higher applicable minimum age for a given product, as disclosed by Viome) to store information of that child without parental consent, Viome shall be and is authorized to delete, in its entirety, any of the information stored by that child. The Company also reserves the right to revoke any license to use the Service which is being used or has been used by a child under the age of 13 (or the applicable minimum age).
- Account Closure and Correction of Personal Information. If the customer wishes to stop participating in the Service, the account may be closed by sending a request to Viome via email at email@example.com. When closing an account, Viome removes all personally identifiable information associated with Sample Data. In addition, Viome retains limited Registration Information related to the customer’s order history (e.g., name, contact, and transaction data) for accounting and compliance purposes. Personal Information and Registration Information can be changed, corrected, or updated using the Viome websites and mobile applications.
- California Do-Not-Track Disclosures. Viome does not track its customers over time and across third party websites to provide targeted advertising and therefore does not respond to Do Not Track (DNT) signals. Third parties that have content embedded on Viome’s websites or mobile applications (e.g. social features) may set cookies on a user’s browser and/or obtain information about the fact that a web browser visited a specific Viome website from a certain IP address. Third parties cannot collect any other personal identifiable information from Viome’s websites unless you provide it to them directly.
Data Privacy for EU Residents Under GDPR.
A. General Data Protection Regulation (“GDPR”) Information for EU Residents. The following information describes our commitments to you under the EU General Data Protection Regulation (“GDPR”). Except where a term is specifically defined herein, terms in Section 12 will have the meaning provided under the GDPR.
When Viome acts as Controller. Viome acts as a Controller when it determines the purposes and means of processing personal data.
Right to access, correct, and delete your personal data. Please contact firstname.lastname@example.org to exercise your rights to access, correct, and delete your personal data pursuant to GDPR. We are not required to comply with your request to erase personal data if the processing of your personal data is necessary for compliance with a legal obligation or for the establishment, exercise, or deference of legal claims. Subject to the above terms and conditions, Viome will, within 30 days from the request of a customer, delete the personal data concerning such customer and destroy all samples provided by such customer. Notwithstanding the above provisions, Viome shall be permitted to retain any and all anonymized, aggregate data.
Right to restrict the processing of your personal data. You have the right to restrict the use of your personal data; however, we can continue to use your personal data following a request for restriction, where:
- we have your consent; or
- to establish, exercise or defend legal claims; or
- to protect the rights of another natural or legal person.
Personal data retention. We retain your personal data for as long as necessary to provide you with our services, or for other important purposes such as complying with legal obligations, resolving disputes, and enforcing our agreements.
Third parties with access to personal data. Viome shares your personal data with third parties as follows:
- Customer support service providers: to process orders and respond to customer service requests
- Website and mobile application usage analytics services: to determine who is using Viome’s services and how to improve those services
- Payment processors: to process customer payments
- Sequencing facilities: to provide critical sequencing required to deliver personalized analysis and recommendations to Viome customers
- Scientific research collaborators: to engage in scientific research regarding the human microbiome
- Software developers: to develop and test Viome’s software
- Database service providers: to securely store results of customer sample analysis and recommendations
- Storage facilities: to securely store raw and processed Viome customer samples.
We may ask you for additional information to confirm your identity and for security purposes, before disclosing the personal data requested to you. We reserve the right to charge a fee where permitted by law, for instance if your request is manifestly unfounded or excessive.
We may not always be able to fully address your request, for example if it would impact the duty of confidentiality we owe to others, or if we are legally entitled to deal with the request in a different way.
We ask that you attempt to resolve any issues regarding your data protection or requests with us first. Please contact us at email@example.com and we will respond to your request promptly. You may also contact Viome’s designated, EU-based representative at:
372 Old Street
EC1V 9AU London, United Kingdom
firstname.lastname@example.org quoting < Viome, Inc. > in the subject line
online webform at www.dpr.eu.com/datarequest
If you are not happy with how we have resolved your complaint, you may contact the relevant supervisory authority. http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm
Viome’s “privacy by design” approach requires that our default user data protection levels be at the highest setting by default. In the unlikely event of breach, Viome will notify data subjects and Supervisory Authorities (SAs) in the EU according to procedures provided in GDPR Articles 33 and 34.
Using and sharing your information. We collect, use, and share your personal data where we are satisfied that we have an appropriate legal basis to do this. This may be because:
- Our use of your personal data is necessary to perform a contract or take steps to enter into a contract with you; or
- Our use of your personal data is in our legitimate interest as a commercial organization (for example in order to make improvements to our products and services and to provide you with information you request);
- Our use of your personal data is necessary to comply with a relevant legal or regulatory obligation that we have (for example, where we are required to disclose personal data to a court); or
- Our use of your personal data is in accordance with your consent.
B. Exporting Personal Data from the EU. Viome may transfer your personal data outside of the country from which it was originally provided. This transfer may be intra-group or to third parties that we work with who may be located in jurisdictions outside the EU which have no data protection laws or laws that are less strict compared with those governing the EU. Whenever we transfer personal data outside of the EU, we take legally required steps to make sure that appropriate safeguards are in place to protect your personal data as further set forth below. Please contact us as set forth below for more information about the safeguards we have put in place to protect your personal data and privacy rights in these circumstances.
For EU Individuals: Privacy Shield Notice for Personal Data Transfers to the United States
With respect to personal data received or transferred pursuant to the Privacy Shield Framework, Viome is subject to the regulatory and enforcement powers of the U.S. Federal Trade Commission.
The following provisions govern information collected in reliance on the EU-U.S. Privacy Shield Framework Principles (“Principles”) for transfers of personal data from the EU to the United States.
Pursuant to the Privacy Shield Frameworks, EU individuals have the right to obtain our confirmation of whether we maintain personal information relating to you in the United States. Upon request, we will provide you with access to the personal information that we hold about you. You may also correct, amend, or delete the personal information we hold about you. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data transferred to the United States under Privacy Shield, should direct their query to email@example.com. If requested to remove data, we will respond within a reasonable timeframe.
Lawful requests. Viome may be required to disclose personal data pursuant to lawful requests made by public authorities, including to meet national security or law enforcement requirements.
Dispute Resolution. In compliance with the Privacy Shield Principles, Viome commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to Privacy Shield. European Union individuals with Privacy Shield inquiries or complaints should first contact Viome at: firstname.lastname@example.org.
Viome has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD, operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbb.org/EU-privacy-shield/for-eu-consumers for more information and to file a complaint. This service is provided free of charge to you.
If your Privacy Shield complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See Privacy Shield Annex 1 at https://www.privacyshield.gov/article?id=ANNEX-I-introduction
Notice. When Viome collects personal data from individuals, it will inform the individual of the purpose for which it collects and uses the personal data and the types of non-agent third parties to which Viome discloses or may disclose that information. Viome shall provide the individual with the choice and means for limiting the use and disclosure of their personal data. Notice will be provided in clear and conspicuous language when individuals are first asked to provide personal data to Viome, or as soon as practicable thereafter, and in any event before Viome uses or discloses personal data for a purpose other than for which it was originally collected.
In instances in which Viome is not the controller or collector of the personal data, but only a processor, it has no means of providing individuals with the choice and means for limiting the use and disclosure of their personal data or providing notices when individuals are first asked to provide personal data to Viome. In such instances, Viome will comply with the instructions of the controller of such information; provide appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and to the extent appropriate, assist the controller in responding to individuals exercising their rights under the Principles.
Choice. In those instances where Viome collects personal data from individuals, we will provide an individual opt-out choice, or opt-in for sensitive data, before we share your data with third parties other than our agents, or before we use it for a purpose other than which it was originally collected or subsequently authorized. To request to limit the use and disclosure of your personal information, please submit a written request to email@example.com.
Disclosures to Third Parties. In those instances in which Viome collects personal data from individuals, prior to disclosing personal data to a third party, Viome shall notify the individual of such disclosure and allow the individual the choice to opt out of such disclosure. Viome shall ensure that any agent third party for which personal data may be disclosed subscribes to these principles or are subject to law providing the same level of privacy protection as is required by these principles and agree in writing to provide an adequate level of privacy protection.
Viome’s accountability for personal data that it receives in the United States under the Privacy Shield and subsequently transfers to a third party is described in the Privacy Shield Principles. In particular, Viome remains responsible and liable under the Privacy Shield Principles if third-party agents that it engages to process the personal data on its behalf do so in a manner inconsistent with the Principles, unless Viome proves that it is not responsible for the event giving rise to the damage.
Data Security. Viome shall take reasonable steps to protect personal data from loss, misuse and unauthorized access, disclosure, alteration and destruction. Viome has put in place appropriate physical, electronic and managerial procedures to safeguard and secure the information from loss, misuse, unauthorized access or disclosure, alteration or destruction. Viome cannot guarantee the security of information on or transmitted via the Internet.
Data Integrity. Viome shall only process personal data in a way that is compatible with and relevant for the purpose for which it was collected or authorized by those who provided the information. To the extent necessary for those purposes, Viome shall take reasonable steps to ensure that personal data is accurate, complete, current and reliable for its intended use.
Access. In those instances in which Viome collects personal data directly from individuals, Viome shall allow those individuals access to their personal data and allow the individual to correct, amend or delete inaccurate information, except where the burden or expense of providing access would be disproportionate to the risks to the privacy of the individual in the case in question or where the rights of persons other than the individual would be violated.
Attn: Privacy Officer
81 Camino Entrada, Suite 100
Los Alamos, NM 87544