Guardant Health, Inc. (“Guardant Health”, “We” or “Us”) is committed to protecting your privacy. We are located in the USA and personal data provided to us will be transferred to, used and maintained by us in the USA. For US residents, we adopt this notice to comply with the California Consumer Privacy Act of 2018 (“CCPA”) and other California privacy laws. Any terms defined in the CCPA have the same meaning when used in this Policy.
For European Union (EU), UK and Swiss residents, see below “INTERNATIONAL USERS” for more information regarding our appropriate mechanism for personal data transfer from the EU and our Swiss Privacy Shield certification and information related to the UK Data Protection Act of 2018 (“DPA 2018”) and General Data Protection Regulation of 2018 (GDPR), (EU) 2016/679.
If you live in the US, please read our Notice of Privacy Practices Under HIPAA for US Residents. If you live in the EU or Switzerland, please read our Notice of Privacy Practices Under GDPR for EU, UK and Swiss Residents. Both of these documents are available on Guardant Health’s website as set forth above.
Information We Collect and Sources of the Information
Guardant Health may collect, store, and use personal information when it is voluntarily submitted to us by you (emails, Website review, submission of forms, correspondence, notes of telephone calls) or from activity with our Websites or Services. You may provide this information to us or it may come from your doctors or other healthcare providers when a test is ordered for you. If you live in the EU, UK or Switzerland, your information may come to us through distributors who are controllers of the data and provide it to us for healthcare purposes.
The categories of information we collect are:
- Category A: Personal identifiers (such as name, address, telephone number, email address, account name and medical record identifiers)
- Category B: Personal information categories listed in the CCPA (signature, name, health insurance information, financial information for payment purposes, medical information)
- Category C: For employment and vendors, professional or employment-related history, performance evaluations, education, work history, credit information, bank account numbers or other financial information for payment and background checks
- Category D: Protected classification characteristics under California or federal law: age, race, marital status, medical condition, gender, military status and genetic information
- Category E: Biometric information regarding cancer patient tumor mutations
Internet or other similar network activity may be automatically collected about you and your computing device when you use, browse, and interact with our Services. Our Websites and Services collect this information in a variety of ways, including when you view a webpage, click on a link, access our mobile application, or enter data in an online form.
We will not collect additional categories of personal information or use the personal information we collected for materially different, unrelated, or incompatible purposes without providing you notice.
How We Use Your Personal Information
Guardant Health will only use your personal information for the purpose for which it was collected. We may use your personal information to contact you, to provide the information to your doctors, to obtain payment for our services, to respond to your inquiries and requests and to respond to inquiries and requests from your doctors. We only collect the personal data that we need to perform our healthcare services and to obtain payment for our Services. We obtain the minimum amount necessary for our business purposes.
We may also use your personal information to provide you with customer support and to maintain and improve our Services. We may combine your information with other information about you that is available to us, including information from other sources, such as from your doctors, in order to maintain an accurate medical record of patients who receive our testing services.
De-identified, pseudonymized and anonymized data may be used for scientific research purposes related to the purpose for which we originally obtained your data. That research purpose is for the improvement and development of our cancer diagnostic products. Research data is non-personally identifiable information, so no PHI or PII (defined more specifically below) are used for research purposes.
Sharing Your Personal Information
We may occasionally hire third-party service providers to provide limited services on our behalf, such as our billing vendor. Guardant Health will give these service providers only the personal information they require to perform the contracted-for services, and we require such providers to agree to contractual terms to maintain the confidentiality of the information they receive.
In the preceding 12 months, we have disclosed the following categories of personal information for a business purpose as described above (for more detail about the Categories see Information We Collect and Sources of the Information above):
- Category A: Personal Identifiers
- Category B: California consumer records
- Category D: Protected classification characteristics
- Category E: Biometric data
This information was disclosed with your consent or in providing our Services for your healthcare treatment.
We may need to access or disclose your personal information to comply with the law or legal process and to exercise our legal rights or defend against legal claims. We may share personal information and any additional information available to us in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, or as otherwise required by law, such as for public safety purposes. We do not use personal data for profiling or other automated decision purposes.
Selling of Personal Information
Guardant does not sell or rent your personal information for any purpose. No personal information has been sold or rented in the preceding 12 months.
Your Rights and Choices under CCPA
The CCPA provides consumers with specific rights regarding their personal information. This section describes your CCPA rights and explains how to exercise those rights.
Access to Specific Information and Data Portability Rights
You have the right to request that we disclose certain information to you about our collection and use of your personal information over the past 12 months. Once we receive and confirm your verifiable consumer request, we will disclose to you:
- The categories of personal information we collected about you.
- The categories of sources for the personal information we collected about you.
- Our business or commercial purpose for collecting or selling that personal information.
- The categories of third parties with whom we share that personal information.
- The specific pieces of personal information we collected about you (also called a data portability request).
- If we sold or disclosed your personal information for a business purpose, two separate lists disclosing:
  - sales, identifying the personal information categories that each category of recipient purchased; and
  - disclosures for a business purpose, identifying the personal information categories that each category of recipient obtained.
Deletion Request Rights
You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies.
We may deny your deletion request if retaining the information is necessary for us or our service providers to:
- Complete the transaction for which we collected the personal information, provide a good or Service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you.
- Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
- Debug products to identify and repair errors that impair existing intended functionality.
- Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
- Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et seq.).
- Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent.
- Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
- Comply with a legal obligation.
- Make other internal and lawful uses of that information that are compatible with the context in which you provided it.
Exercising Access, Data Portability, and Deletion Rights
To exercise the access, data portability, and deletion rights described above, please submit a verifiable consumer request to us by either:
- Call us at 855.698.8887
- Email us at firstname.lastname@example.org
Only you or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child.
You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:
- Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative.
- Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.
We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. Making a verifiable consumer request does not require you to create an account with us. We will only use personal information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.
Response Timing and Format
We endeavor to respond to a verifiable consumer request within 45 days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing. If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option. Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.
We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:
- Deny you goods or Services.
- Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
- Provide you a different level or quality of goods or Services.
- Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.
Security of Your Personal Information
Guardant Health will take reasonable and appropriate precautions to protect personal information in its possession from loss, misuse and unauthorized access, disclosure, alteration and destruction. It is important to remember, however, that no system can provide 100% security at all times. Accordingly, we cannot guarantee the privacy and security of information stored on or transmitted using our Services.
We have implemented state-of-the-art physical, administrative and technical safeguards to protect the confidentiality, integrity and availability of personal data residing on, processed by or transmitted by our servers. These safeguards include, among other things, facility and data access control, password protection, encryption of data at rest and in transit, security monitoring tools and protocols and the appointment of a Security Officer, a Privacy Officer and a Data Protection Officer who oversee and manage privacy and security.
Protected Health Information (PHI) and Personally Identifiable Information (PII)
When generating laboratory results, receiving health information, or transmitting information to a healthcare provider, Guardant Health is subject to laws and regulations governing the use and disclosure of personal information including the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the UK DPA 2018 and the EU GDPR.
PHI (personal data that relates to past, present or future health conditions, treatments and payments, and that is protected by HIPAA) will only be used or disclosed for treatment and other authorized purposes as stated in our Notice of Privacy Practices under HIPAA for US Residents.
PII (personal data that can identify an individual, and sensitive information related to racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation, all of which is protected under the GDPR and DPA 2018) will only be used and disclosed for the intended purpose of healthcare treatment as stated in our Notice of Privacy Practices under GDPR for EU, UK and Swiss Residents.
Certain elements of our Services and/or html email correspondence may use session cookies, persistent cookies or web beacons to anonymously track unique visitors, save website preferences, and to allow us to recognize visits from the same computer and browser. You have the option to reject some or all Website cookies on your computer and still use the Services. If you choose to reject all cookies, your access to the Website may be limited.
Aggregate Data Collection
Guardant Health tracks visits to our Services using visitor logs and tracking-codes to compile anonymous aggregate statistics. This aggregate information is collected service-wide, and includes anonymous website, application, and device statistics. When you browse our websites and access our applications, our system automatically collects information such as your web request, Internet Protocol (“IP”) address, browser type, browser language, domain names, referring and exit pages, Uniform Resource Locator (URL), platform type, location, unique device identifier, pages viewed and the order of these page views, the amount of time spent on particular pages, the date and time of your request and one or more cookies that may uniquely identify your browser.
When you access our Services through a mobile device, we may receive or collect and store unique identification numbers associated with your device or our mobile application (including, for example, a Unique ID for Advertisers (“IDFA”), Google Ad ID, or Windows Advertising ID), mobile carrier, device type, model and manufacturer, mobile device operating system brand and model, phone number, and, depending on your mobile device settings, your geographical location data or similar information regarding the location of your mobile device.
Guardant Health uses certain third-party services and analytics providers to: (1) send you customized notifications if you have provided us your email address, (2) analyze trends, (3) administer the Services, (4) improve the design of our Services, and (5) otherwise enhance, monitor, and troubleshoot the Services we provide.
Guardant Health does not directly display advertisements in our applications or services.
Guardant Health may provide links to websites operated by third parties that are not covered by this Policy. Guardant Health does not maintain these sites and is not responsible for the privacy practices of sites it does not operate. We encourage you to review the privacy policies posted on those websites.
Information Access, Updates and Choice
You may choose to provide information to Guardant Health by completing the contact form, sending us an email, engaging with our customer service team or otherwise contacting us. If you are a Guardant Health Portal user, you may have an opportunity to elect to receive certain communications from us. Guardant Health email correspondence will include instructions on how to update certain personal information and how to unsubscribe from our emails, newsletters, and postal mail correspondence.
You may “opt out” of receiving communications from us related to our products and services and/or to request the removal of your contact information from our database by writing to us at the email address set forth below. However, Guardant Health cannot withdraw any previous disclosures made with your authorization, and we reserve the right to retain and disclose your information as permitted or required by law or regulation. You may also request access to your personal data by writing to us using the contact information below.
Do Not Track
We do not currently employ a mechanism to act upon “Do Not Track” instructions but are in the process of investigating such mechanisms.
Guardant Health Services are directed toward adults. We do not knowingly collect any personal information from children under the age of 13. If you are under 13, you must have permission from your parent or legal guardian before accessing or using our Services. If we become aware that we have collected any personal information from children under 13, we will promptly remove such information from our Services.
Our Services are located in the United States. If you choose to use the Services from the European Union or other regions of the world with laws governing data collection and use that may differ from U.S. law, then please note that you are transferring your information outside of those regions to the United States for storage and processing. By providing your information, you consent to any transfer and processing in accordance with this Policy.
Guardant Health will treat all personal information received from the EU/EEA and UK in accordance with GDPR and DPA 2018 requirements and personal data received from Switzerland in accordance with the Privacy Shield Principles and GDPR requirements. (See Notice of Privacy Practices Under GDPR for EU, UK and Swiss Residents for full details. This notice is located on Guardant Health’s website.)
For EU, UK and Swiss Individuals: Notice for Personal Data Transfers to the United States
With respect to personal data received or transferred pursuant to the Swiss-U.S. Privacy Shield Framework, Guardant Health is subject to the regulatory and enforcement powers of the U.S. Federal Trade Commission.
Guardant Health has certified that it adheres to the Privacy Shield Principles of:
Pursuant to the Swiss-U.S. Privacy Shield Framework, Swiss individuals have the right to obtain our confirmation of whether we maintain personal information relating to you in the United States. Upon request, we will provide you with access to the personal information that we hold about you. You may also correct, amend, or delete the personal information we hold about you. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data transferred to the United States under the Swiss-U.S. Privacy Shield, should direct the query to email@example.com. If requested to remove data, we will respond within a reasonable timeframe.
Guardant Health will not use personal data for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual unless it has received the individual’s affirmative and explicit consent (opt-in).
We will provide an individual opt-out choice, or opt-in for sensitive data, before we share your data with third parties other than our agents, or before we use it for a purpose other than which it was originally collected or subsequently authorized. To request to limit the use and disclosure of your personal information, please submit a written request to firstname.lastname@example.org.
Accountability for Onward Transfer
Guardant Health contracts with third parties who perform functions on our behalf, including data processing services. These entities may have access to personal information for limited, specific purposes needed to perform these functions. Guardant Health requires these third parties to safeguard personal information by contract, obligating them to provide at least the same level of protection as is required by this Policy.
Guardant Health’s accountability for personal data that it receives in the United States under the Swiss-U.S. Privacy Shield and subsequently transfers to a third party is described in the Privacy Shield Principles. In particular, Guardant Health remains responsible and liable under the Privacy Shield Principles if third-party agents that it engages to process the personal data on its behalf do so in a manner inconsistent with the Principles, unless Guardant Health proves that it is not responsible for the event giving rise to the damage.
Guardant Health may be required to disclose an individual’s personal information in response to a lawful request by public authorities, including to meet national security or law enforcement requirements.
Data Integrity and Purpose Limitation
Guardant Health will use personal information only in ways that are compatible with the purposes for which it was collected or subsequently authorized by the individual. Guardant Health will take reasonable steps to ensure that personal information is relevant to its intended use, accurate, complete, and current and obtain the minimum amount of information necessary to fulfill its provision of healthcare services.
Audit and Enforcement
We conduct periodic internal and third-party compliance audits of our relevant privacy practices, procedures, and our information and data processing systems, to verify adherence to this Policy. Any employee that we determine is in violation of this Policy will be subject to retraining, disciplinary action up to and including termination of employment and potential reporting to authorities.
The Guardant Health privacy and security program is subject to inspection by the Secretary of Health and Human Services (HHS) with respect to personal health information; the investigatory and enforcement powers of the Federal Trade Commission (FTC) with respect to Swiss-U.S. Privacy Shield; the Information Commissioner with respect to UK DPA 2018; and the applicable Supervisory Authority in the EU with respect to EU and UK personal data transferred under GDPR. Guardant Health commits to cooperate in any investigations by or inquiries from these regulators.
Guardant Health has committed to refer unresolved privacy complaints under the Swiss-U.S. Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD, operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbb.org/privacy-shield/for-consumers for more information and to file a complaint. This service is provided free of charge to you.
Guardant Health has further committed to cooperate with the panel established by the EU data protection authorities, the UK Information Commissioner, and the Swiss Federal Data Protection and Information Commissioner with regard to unresolved privacy complaints concerning human resources data transferred from the EU, UK and Switzerland in the context of the employment relationship.
Legal Basis for Processing Personal Data Under GDPR
We process your personal data in order to perform our testing services and to bill for these services. You have most likely provided your consent for our testing through your doctor. Additionally, our processing is necessary based on our legitimate interest of providing our healthcare services to you. We process and store your contact information so that we may contact you regarding the delivery of our healthcare services: for doctors’ use in treatment and for patients’ test result reports. This personal information may come to us from you, your doctors, or your pathology lab and will be used to perform our testing services as you would expect when laboratory testing is ordered for you by your doctor.
Guardant Health may also use pseudonymized or anonymized data for scientific research purposes related to our cancer diagnostic product improvement and development. PHI and PII are not used for this purpose; and therefore, your identity is not known during our research activities.
For EU, UK and Swiss Individuals: Your Rights under the General Data Protection Regulation
In some regions (like the European Economic Area, UK and Switzerland), you have certain rights under applicable data protection laws, which include the right (i) to request access and obtain a copy of your personal information; (ii) to request rectification or erasure; (iii) to restrict the processing of your personal information; and (iv) if applicable, to data portability. In certain circumstances, you may also have the right to object to the processing of your personal information.
You may also have the right to make a GDPR complaint to the relevant Supervisory Authority. A list of Supervisory Authorities is available here: http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm. If you need further assistance regarding your rights, please contact us using the contact information provided below and we will consider your request in accordance with applicable law. In some cases our ability to uphold these rights for you may depend upon our obligations to process personal information for security, safety, fraud prevention reasons, compliance with regulatory or legal requirements, or because processing is necessary to deliver the services you have requested. Where this is the case, we will inform you of specific details in response to your request.
If you would like to exercise any of the above rights, please contact our Data Protection Officer at email@example.com.
Contact Us for Questions
You can contact Guardant Health using our Website contact page or sending an email to one of the addresses below. We address questions and complaints about privacy and the collection or use of personal information in a timely manner. Please include your contact information and a detailed description of your request or privacy concern.
Data Protection Officer
505 Penobscot Drive
Redwood City, CA, USA 94063
For our US Privacy Officer, please email: firstname.lastname@example.org.
For our EU/UK/Swiss Data Protection Officer, please email: email@example.com.
Additionally, Guardant has appointed DPR Group as its Data Protection Representative in the European Union so that you can contact them directly in your home country. DPR Group has locations in each of the 28 EU countries, so that Guardant Health, Inc.’s customers can always raise the questions they want.
If you want to raise a question to Guardant Health, Inc., or otherwise exercise your rights in respect of your personal data, you may do so by:
- Sending an email to DPR Group at firstname.lastname@example.org quoting “Guardant Health, Inc.” in the subject line,
- Contacting us on our online webform at dpr.eu.com/datarequest, or
- If you would like to mail your inquiry, please email DPR Group at email@example.com to obtain the most appropriate address. PLEASE NOTE: when mailing inquiries, it is ESSENTIAL that you mark your letters for ‘DPR Group’ and not ‘Guardant Health, Inc.’, or your inquiry may not reach us. Please refer clearly to Guardant Health, Inc. in your correspondence.
When we receive your correspondence, we are likely to request evidence of your identity, to ensure that your personal data and information connected with it is not provided to anyone other than to you.
If you feel that your complaint has not been addressed, you can also contact:
For HIPAA in the US: Office of Civil Rights at the Department of Health and Human Services website: www.hhs.gov/hipaa
For Privacy Shield in the EU/UK/Switzerland: Better Business Bureau EU Privacy Shield, http://www.bbb.org/EU-privacy-shield/for-eu-consumers
Effective Date: July 16, 2020