PRIVACY POLICY

Guardant Health, Inc. (“Guardant Health”, “We” or “Us”) is committed to protecting your privacy.  We are located in the USA and personal data provided to us will be transferred to, used and maintained by us in the USA. For European Union (EU) and Swiss residents, see “International Users” below for more information regarding our EU and Swiss Privacy Shield certification and information related to the General Data Protection Regulation of 2018 (GDPR, Regulation (EU) 2016/679).

This Privacy Policy describes the specific practices and guidelines that we follow to help ensure the confidentiality and security of your personal information when you use our websites located at www.guardanthealth.com, the Guardant Health portal, mobile applications, and any websites or services that reference this Privacy Policy, (collectively the “Websites” or “Services”).

If you live in the US, please read our Notice of Privacy Practices Under HIPAA for US Residents. If you live in the EU or Switzerland, please read our Notice of Privacy Practices Under GDPR for EU and Swiss Residents.  Both of these documents are available on Guardant Health’s websites.

Information We Collect

Guardant Health may collect, store, and use personal information (such as your name, address, telephone number, and email address) when it is voluntarily submitted to us.  You may provide this information to us or it may come from your doctors or other healthcare providers when a test is ordered for you.  If you live in the EU or Switzerland, your information may come to us through distributors who are controllers of the data and provide it to us for healthcare purposes.

We may automatically collect information about you and your computing device when you use, browse, and interact with our Services. Our Websites and Services collect this information in a variety of ways, including when you view a webpage, click on a link, access our mobile application, or enter data in an online form.

How We Use Your Personal Information

Guardant Health will only use your personal information for the purpose for which it was collected. We may use your personal information to contact you, to provide the information to your doctors, to obtain payment for our services, to respond to your inquiries and requests and to respond to inquiries and requests from your doctors. We only collect the personal data that we need to perform our healthcare services and obtain the minimum amount necessary for our business purposes.

We may also use your personal information to provide you with customer support and to maintain and improve our services. We may combine your information with other information about you that is available to us, including information from other sources, such as from your doctors, in order to maintain an accurate medical record of patients who receive our testing services.

De-identified, pseudonymized and anonymized data may be used for scientific research purposes related to the purpose for which we originally obtained your data.  That research purpose is for the improvement and development of our cancer diagnostic products. Research data is non-personally identifiable information, so no PHI or PII is used for research purposes.

Sharing Your Personal Information

Guardant Health may share your information with you, your healthcare providers and doctors, individuals who you have authorized to receive it and as described in this Privacy Policy. Guardant Health will not sell or rent your personal information to any other company or organization.

We may occasionally hire third-party service providers to provide limited services on our behalf, such as our billing vendor.  Guardant Health will give these service providers only the personal information they require to perform the contracted-for services, and we require such providers to agree to contractual terms to maintain the confidentiality of the information they receive.

We may need to access or disclose your personal information to comply with the law or legal process and to exercise our legal rights or defend against legal claims. We may share personal information and any additional information available to us in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, or as otherwise required by law, such as for public safety purposes.  We do not use personal data for profiling or other automated decision purposes.

Security of Your Personal Information

Guardant Health will take reasonable and appropriate precautions to protect personal information in its possession from loss, misuse and unauthorized access, disclosure, alteration and destruction. It is important to remember, however, that no system can provide 100% security at all times. Accordingly, we cannot guarantee the privacy and security of information stored on or transmitted using our Services.

We have implemented state-of-the-art physical, administrative and technical safeguards to protect the confidentiality, integrity and availability of personal data residing on, processed by or transmitted by our servers.  These safeguards include, among other things, facility and data access control, password protection, encryption of data at rest and in transit, security monitoring tools and protocols and the appointment of a Security Officer, a Privacy Officer and a Data Protection Officer who oversee and manage privacy and security.

Protected Health Information (PHI) and Personally Identifiable Information (PII)

When generating laboratory results, receiving health information, or transmitting information to a healthcare provider, Guardant Health is subject to laws and regulations governing the use and disclosure of personal information, including the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the EU GDPR.

PHI (personal data related to past, present or future health conditions, treatments and payments) will only be used or disclosed for treatment and other authorized purposes as stated in our Notice of Privacy Practices under HIPAA for US Residents.

PII (personal data that can identify an individual, and sensitive information related to racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation, which is protected under the GDPR) will only be used and disclosed for the intended purpose of healthcare treatment as stated in our Notice of Privacy Practices under GDPR for EU and Swiss Residents.

Cookies

Certain elements of our Services and/or html email correspondence may use session cookies, persistent cookies or web beacons to anonymously track unique visitors, save website preferences, and to allow us to recognize visits from the same computer and browser. You have the option to reject some or all Website cookies on your computer and still use the Services. If you choose to reject all cookies, your access to the Website may be limited.

Aggregate Data Collection

Guardant Health tracks visits to our Services using visitor logs and tracking-codes to compile anonymous aggregate statistics. This aggregate information is collected service-wide, and includes anonymous website, application, and device statistics. When you browse our websites and access our applications our system automatically collects information such as your web request, Internet Protocol (“IP”) address, browser type, browser language, domain names, referring and exit pages, Uniform Resource Locator (URL), platform type, location, unique device identifier, pages viewed and the order of these page views, the amount of time spent on particular pages, the date and time of your request and one or more cookies that may uniquely identify your browser.

When you access our Services through a mobile device, we may receive or collect and store unique identification numbers associated with your device or our mobile application (including, for example, a Unique ID for Advertisers (“IDFA”), Google Ad ID, or Windows Advertising ID), mobile carrier, device type, model and manufacturer, mobile device operating system brand and model, phone number, and, depending on your mobile device settings, your geographical location data or similar information regarding the location of your mobile device.

Third-Party Services

Guardant Health uses certain third-party services and analytics providers to send you customized notifications if you have provided us your email address, analyze trends, administer the Services, improve the design of our Services, and otherwise enhance, monitor, and troubleshoot the Services we provide.

Guardant Health does not transmit PHI or PII to its third-party service providers and does not directly display advertisements in our applications or services.

Linked Sites

Guardant Health may provide links to websites operated by third parties that are not covered by this Policy. Guardant Health does not maintain these sites and is not responsible for the privacy practices of sites it does not operate. We encourage you to review the privacy policies posted on those websites.

Information Access, Updates and Choice

You may choose to provide information to Guardant Health by completing the contact form, sending us an email, engaging with our customer service team or otherwise contacting us. If you are a Guardant Health Portal user, you may have an opportunity to elect to receive certain communications from us. Guardant Health email correspondence will include instructions on how to update certain personal information and how to unsubscribe from our emails, newsletters, and postal mail correspondence.

You may “opt out” of receiving communications from us related to our products and services and/or to request the removal of your contact information from our database by writing to us at the email address set forth below. However, Guardant Health cannot withdraw any previous disclosures made with your authorization, and we reserve the right to retain and disclose your information as permitted or required by law or regulation. You may also request access to your personal data by writing to us using the contact information below.

Do Not Track

We do not currently employ a mechanism to act upon “Do Not Track” instructions but are in the process of investigating such mechanisms.

Children’s Privacy

Guardant Health Services are directed toward adults. We do not knowingly collect any personal information from children under the age of 13. If you are under 13, you must have permission from your parent or legal guardian before accessing or using our Services. If we become aware that we have collected any personal information from children under 13, we will promptly remove such information from our Services.

International Users

Our Services are located in the United States. If you choose to use the Services from the European Union or other regions of the world with laws governing data collection and use that may differ from U.S. law, then please note that you are transferring your information outside of those regions to the United States for storage and processing. By providing your information, you consent to any transfer and processing in accordance with this Policy.

EU-U.S. and Swiss-U.S. Privacy Shield Compliance

Guardant Health has certified its compliance with the EU-US Privacy Shield Framework and Swiss-US Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries and Switzerland. For more information about the EU-U.S. Privacy Shield Framework, Swiss-U.S. Privacy Shield Framework, and to view our certification page, visit the U.S. Department of Commerce’s Privacy Shield website at https://www.privacyshield.gov.

Guardant Health has certified that it adheres to the Privacy Shield Principles of:

Notice

Guardant Health’s participation in the Privacy Shield applies to all personal data that is subject to this Privacy Policy and is received from the EU, European Economic Area (EEA), and Switzerland. Personal information received under the Privacy Shield may include information such as name and email address, health information, contact details, and billing information. Guardant Health uses this information to deliver its services and to bill for payment for such services.

Guardant Health will treat all personal information received from the EU/EEA and Switzerland in accordance with the Privacy Shield Principles and GDPR requirements.  (See Notice of Privacy Practices Under GDPR for EU and Swiss Residents for full details)

Choice

Guardant Health will not use personal data for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual unless Guardant Health has received the individual’s affirmative and explicit consent (opt-in).

Accountability for Onward Transfer

Guardant Health contracts with third parties who perform functions on our behalf, including data processing services. These entities may have access to personal information for limited, specific purposes needed to perform these functions. Guardant Health requires these third parties to safeguard personal information by contract, obligating them to provide at least the same level of protection as is required by this Policy.

Guardant Health may be required to disclose an individual’s personal information in response to a lawful request by public authorities, including to meet national security or law enforcement requirements.

Data Integrity and Purpose Limitation

Guardant Health will use personal information only in ways that are compatible with the purposes for which it was collected or subsequently authorized by the individual. Guardant Health will take reasonable steps to ensure that personal information is relevant to its intended use, accurate, complete, and current and obtain the minimum amount of information necessary to fulfill its provision of healthcare services.

Audit and Enforcement

We conduct periodic internal and third-party compliance audits of our relevant privacy practices, procedures, and our information and data processing systems, to verify adherence to this Policy. Any employee that we determine is in violation of this Policy will be subject to retraining, disciplinary action up to and including termination of employment and potential reporting to authorities.

The Guardant Health privacy and security program is subject to inspection by the Secretary of Health and Human Services (HHS) with respect to personal health information; the investigatory and enforcement powers of the Federal Trade Commission (FTC) with respect to Privacy Shield and the applicable Supervisory Authority in the EU with respect to GDPR. Guardant Health commits to cooperate in any investigations by or inquiries from these regulators.

Complaints, Questions

We strive to resolve all complaints about privacy and the collection or use of personal information. If you have questions about our privacy program, contact the following:

For our US Privacy Officer, please email:  privacy@guardanthealth.com.

For our EU/Swiss Data Protection Officer, please email:  dpo@guardanthealth.com.

If you feel that your complaint has not been addressed, you can also contact:

For HIPAA in the US:  Office of Civil Rights at the Health and Human Services website:  www.hhs.gov/hipaa

For Privacy Shield in the EU/Switzerland:  Better Business Bureau EU Privacy Shield, http://www.bbb.org/EU-privacy-shield/for-eu-consumers

Legal Basis for Processing Personal Data Under GDPR

We process your personal data in order to perform our testing services and to bill for these services.  You have most likely provided your consent for our testing through your doctor.  Additionally, our processing is necessary based on our legitimate interest of providing our healthcare services to you.  We process and store your contact information so that we may contact you regarding the delivery of our healthcare services: for doctors’ use for treatment purposes and for patients’ test result reports. This personal information may come to us from you, your doctors, or your pathology lab and will be used to perform our testing services as you would expect when laboratory testing is ordered for you by your doctor.

Guardant Health may also use pseudonymized or anonymized data for scientific research purposes related to our cancer diagnostic product improvement and development.  PHI and PII are not used for this purpose, and therefore your identity is not known during our research activities.

Storage and Retention of Personal Data

We store your personal data using state-of-the-art technical tools, such as data encryption which encrypts data while at rest and in transit, access control to all systems, sharing only the minimum amount necessary with the minimum number of employees (and trained contractors) to perform our services, password protection, constant security monitoring and recovery mechanisms for data loss.

Personal data is stored for as long as necessary to run your test, manage your account with us, ensure that the results are complete and accurate, bill for our services, and within clinical laboratory regulations which currently require medical record storage for seven years. Additionally, pseudonymized and anonymized data may be stored for additional years if necessary for research record keeping and regulatory submissions.

Physician contact information is kept until they are no longer customers. Physicians who stop ordering tests will have their personal data removed from our systems.

Privacy Rights

In some regions (like the European Economic Area and Switzerland), you have certain rights under applicable data protection laws, which include the right (i) to request access and obtain a copy of your personal information, (ii) to request rectification or erasure, (iii) to restrict the processing of your personal information, and (iv) if applicable, to data portability. In certain circumstances, you may also have the right to object to the processing of your personal information.

If you would like to exercise any of the above rights, please contact our Data Protection Officer at dpo@guardanthealth.com.

To protect your privacy and security, we may take steps to verify your identity before granting access to data. If you are resident in the EEA or Switzerland, we will process any access request you make in accordance with our commitments under the EU-U.S. Privacy Shield or the Swiss-U.S. Privacy Shield.

Governing Law

Our Services are controlled and operated by Guardant Health. By choosing to visit our Websites or otherwise provide information to Guardant Health, you agree that any dispute over privacy or the terms contained in this Privacy Policy will be governed by our Terms of Use and the laws of the State of California.

Changes to Our Privacy Policy

We reserve the right to update and revise this Privacy Policy as necessary.  If we change our Privacy Policy and Notices, we will post those changes on our Website to keep you aware of what information we collect, how we use it, and under what circumstances we may disclose it. Changes to this Privacy Policy are effective when they are posted on this page.

How to Contact Us

You can contact Guardant Health using our Website contact page or sending an email to the address below. Please include your contact information and a detailed description of your request or privacy concern.

Guardant Health Inc.

505 Penobscot Drive

Redwood City, CA, USA 94063

(855) 698-8887

For US email: privacy@guardanthealth.com

For EU/Swiss email:  dpo@guardanthealth.com

Effective Date: May 25, 2018