PRIVACY POLICY

Guardant Health, Inc. (“Guardant Health”, “We” or “Us”) is committed to protecting your privacy.  We are located in the USA and personal data provided to us will be transferred to, used and maintained by us in the USA. For European Union (EU), UK and Swiss residents, see below “International Users” for more information regarding our EU and Swiss Privacy Shield certification and information related to the UK Data Protection Act of 2018 (“DPA 2018”) and General Data Protection Regulation of 2018 (GDPR), (EU) 2016/679.

This Privacy Policy describes the specific practices and guidelines that we follow to help ensure the confidentiality and security of your personal information when you use our websites located at www.guardanthealth.com, the Guardant Health portal, mobile applications, and any websites or services that reference this Privacy Policy, (collectively the “Websites” or “Services”).

If you live in the US, please read our Notice of Privacy Practices Under HIPAA for US Residents. If you live in the EU or Switzerland, please read our Notice of Privacy Practices Under GDPR for EU, UK and Swiss Residents.  Both of these documents are available on Guardant Health’s website as set forth above.

Guardant Health’s Privacy Policy expressly includes protection of personal data for UK residents. Currently, the UK is part of the EU.  However, the UK has voted to exit from the EU.  As long as the UK is part of the EU, Guardant Health will apply GDPR requirements to EU data.  When the UK exits the EU, Guardant Health will apply DPA 2018 requirements to EU data.  (The DPA 2018 was enacted by the UK to implement GDPR and became effective the same day as the GDPR, May 25, 2018.)

Information We Collect

Guardant Health may collect, store, and use personal information (such as your name, address, telephone number, and email address) when it is voluntarily submitted to us.  You may provide this information to us or it may come from your doctors or other healthcare providers when a test is ordered for you.  If you live in the EU, UK or Switzerland, your information may come to us through distributors who are controllers of the data and provide it to us for healthcare purposes.

We may automatically collect information about you and your computing device when you use, browse, and interact with our Services. Our Websites and Services collect this information in a variety of ways, including when you view a webpage, click on a link, access our mobile application, or enter data in an online form.

How We Use Your Personal Information

Guardant Health will only use your personal information for the purpose for which it was collected. We may use your personal information to contact you, to provide the information to your doctors, to obtain payment for our services, to respond to your inquiries and requests and to respond to inquiries and requests from your doctors. We only collect the personal data that we need to perform our healthcare services and obtain the minimum amount necessary for our business purposes.

We may also use your personal information to provide you with customer support and to maintain and improve our services. We may combine your information with other information about you that is available to us, including information from other sources, such as from your doctors, in order to maintain an accurate medical record of patients who receive our testing services.

De-identified, pseudonymized and anonymized data may be used for scientific research purposes related to the purpose for which we originally obtained your data.  That research purpose is for the improvement and development of our cancer diagnostic products. Research data is non-personally identifiable information, so no PHI or PII (defined more specifically below) are used for research purposes.

Sharing Your Personal Information

Guardant Health may share your information with you, your healthcare providers and doctors, individuals who you have authorized to receive it and as described in this Privacy Policy. Guardant Health will not sell or rent your personal information to any other company or organization.

We may occasionally hire third-party service providers to provide limited services on our behalf, such as our billing vendor.  Guardant Health will give these service providers only the personal information they require to perform the contracted-for services, and we require such providers to agree to contractual terms to maintain the confidentiality of the information they receive.

We may need to access or disclose your personal information to comply with the law or legal process and to exercise our legal rights or defend against legal claims. We may share personal information and any additional information available to us in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, or as otherwise required by law, such as for public safety purposes.  We do not use personal data for profiling or other automated decision purposes.

Security of Your Personal Information

Guardant Health will take reasonable and appropriate precautions to protect personal information in its possession from loss, misuse and unauthorized access, disclosure, alteration and destruction. It is important to remember, however, that no system can provide 100% security at all times. Accordingly, we cannot guarantee the privacy and security of information stored on or transmitted using our Services.

We have implemented state-of-the-art physical, administrative and technical safeguards to protect the confidentiality, integrity and availability of personal data residing on, processed by or transmitted by our servers.  These safeguards include, among other things, facility and data access control, password protection, encryption of data at rest and in transit, security monitoring tools and protocols and the appointment of a Security Officer, a Privacy Officer and a Data Protection Officer who oversee and manage privacy and security.

Protected Health Information (PHI) and Personally Identifiable Information (PII)

When generating laboratory results, receiving health information, or transmitting information to a healthcare provider, Guardant Health is subject to laws and regulations governing the use and disclosure of personal information including the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the UK DPA 2018 and the EU GDPR.

PHI (personal data related to past, present or future health conditions, treatments and payments, which is protected by HIPAA) will only be used or disclosed for treatment and other authorized purposes as stated in our Notice of Privacy Practices under HIPAA for US Residents.

PII (personal data that can identify an individual, and sensitive information related to racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation, which is protected under the GDPR and DPA 2018) will only be used and disclosed for the intended purpose of healthcare treatment as stated in our Notice of Privacy Practices under GDPR for EU, UK and Swiss Residents.

Cookies

Certain elements of our Services and/or html email correspondence may use session cookies, persistent cookies or web beacons to anonymously track unique visitors, save website preferences, and to allow us to recognize visits from the same computer and browser. You have the option to reject some or all Website cookies on your computer and still use the Services. If you choose to reject all cookies, your access to the Website may be limited.

Aggregate Data Collection

Guardant Health tracks visits to our Services using visitor logs and tracking-codes to compile anonymous aggregate statistics. This aggregate information is collected service-wide, and includes anonymous website, application, and device statistics. When you browse our websites and access our applications, our system automatically collects information such as your web request, Internet Protocol (“IP”) address, browser type, browser language, domain names, referring and exit pages, Uniform Resource Locator (URL), platform type, location, unique device identifier, pages viewed and the order of these page views, the amount of time spent on particular pages, the date and time of your request and one or more cookies that may uniquely identify your browser.

When you access our Services through a mobile device, we may receive or collect and store unique identification numbers associated with your device or our mobile application (including, for example, a Unique ID for Advertisers (“IDFA”), Google Ad ID, or Windows Advertising ID), mobile carrier, device type, model and manufacturer, mobile device operating system brand and model, phone number, and, depending on your mobile device settings, your geographical location data or similar information regarding the location of your mobile device.

Third-Party Services

Guardant Health uses certain third-party services and analytics providers to: (1) send you customized notifications if you have provided us your email address, (2) analyze trends, (3) administer the Services, (4) improve the design of our Services, and (5) otherwise enhance, monitor, and troubleshoot the Services we provide.

Guardant Health does not directly display advertisements in our applications or services.

Linked Sites

Guardant Health may provide links to websites operated by third parties that are not covered by this Policy. Guardant Health does not maintain these sites and is not responsible for the privacy practices of sites it does not operate. We encourage you to review the privacy policies posted on those websites.

Information Access, Updates and Choice

You may choose to provide information to Guardant Health by completing the contact form, sending us an email, engaging with our customer service team or otherwise contacting us. If you are a Guardant Health Portal user, you may have an opportunity to elect to receive certain communications from us. Guardant Health email correspondence will include instructions on how to update certain personal information and how to unsubscribe from our emails, newsletters, and postal mail correspondence.

You may “opt out” of receiving communications from us related to our products and services and/or to request the removal of your contact information from our database by writing to us at the email address set forth below. However, Guardant Health cannot withdraw any previous disclosures made with your authorization, and we reserve the right to retain and disclose your information as permitted or required by law or regulation. You may also request access to your personal data by writing to us using the contact information below.

Do Not Track

We do not currently employ a mechanism to act upon “Do Not Track” instructions but are in the process of investigating such mechanisms.

Children’s Privacy

Guardant Health Services are directed toward adults. We do not knowingly collect any personal information from children under the age of 13. If you are under 13, you must have permission from your parent or legal guardian before accessing or using our Services. If we become aware that we have collected any personal information from children under 13, we will promptly remove such information from our Services.

International Users

Our Services are located in the United States. If you choose to use the Services from the European Union or other regions of the world with laws governing data collection and use that may differ from U.S. law, then please note that you are transferring your information outside of those regions to the United States for storage and processing. By providing your information, you consent to any transfer and processing in accordance with this Policy.

Guardant Health will treat all personal information received from the EU/EEA, UK and Switzerland in accordance with the Privacy Shield Principles and DPA 2018 and GDPR requirements.  (See Notice of Privacy Practices Under GDPR for EU, UK and Swiss Residents for full details. This notice is located on Guardant Health’s website.)

For EU, UK and Swiss Individuals: Privacy Shield Notice for Personal Data Transfers to the United States

To protect your privacy and security, we may take steps to verify your identity, before granting access to data. If you are resident in the EEA, UK or Switzerland, we will process any access request you make in accordance with our commitments under the EU-U.S. Privacy Shield or the Swiss-U.S. Privacy Shield.

Guardant Health complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries (and Iceland, Liechtenstein, and Norway), UK and Switzerland transferred to the United States pursuant to Privacy Shield.  Guardant Health has certified that it adheres to the Privacy Shield Principles with respect to such data. If there is any conflict between the policies in this privacy policy and data subject rights under the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification page, please visit https://www.privacyshield.gov/.

With respect to personal data received or transferred pursuant to the Privacy Shield Frameworks, Guardant Health is subject to the regulatory and enforcement powers of the U.S. Federal Trade Commission.

Guardant Health has certified that it adheres to the Privacy Shield Principles of:

Notice

Guardant Health’s participation in the Privacy Shield applies to all personal data that is subject to this Privacy Policy and is received from the EU, European Economic Area (EEA), UK and Switzerland. Personal information received under the Privacy Shield may include information such as name and email address, health information, contact details, and billing information. Guardant Health uses this information to deliver its services and to bill for payment for such services.

Access

Pursuant to the Privacy Shield Frameworks, EU, UK and Swiss individuals have the right to obtain our confirmation of whether we maintain personal information relating to you in the United States.  Upon request, we will provide you with access to the personal information that we hold about you.  You may also correct, amend, or delete the personal information we hold about you.  An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data transferred to the United States under Privacy Shield, should direct the query to dpo@guardanthealth.com. If requested to remove data, we will respond within a reasonable timeframe.

Choice

Guardant Health will not use personal data for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual unless it has received the individual’s affirmative and explicit consent (opt-in).

We will provide an individual opt-out choice, or opt-in for sensitive data, before we share your data with third parties other than our agents, or before we use it for a purpose other than which it was originally collected or subsequently authorized.  To request to limit the use and disclosure of your personal information, please submit a written request to dpo@guardanthealth.com.

Accountability for Onward Transfer

Guardant Health contracts with third parties who perform functions on our behalf, including data processing services. These entities may have access to personal information for limited, specific purposes needed to perform these functions. Guardant Health requires these third parties to safeguard personal information by contract, obligating them to provide at least the same level of protection as is required by this Policy.

Guardant Health’s accountability for personal data that it receives in the United States under the Privacy Shield and subsequently transfers to a third party is described in the Privacy Shield Principles. In particular, Guardant Health remains responsible and liable under the Privacy Shield Principles if third-party agents that it engages to process the personal data on its behalf do so in a manner inconsistent with the Principles, unless Guardant Health proves that it is not responsible for the event giving rise to the damage.

Guardant Health may be required to disclose an individual’s personal information in response to a lawful request by public authorities, including to meet national security or law enforcement requirements.

Data Integrity and Purpose Limitation

Guardant Health will use personal information only in ways that are compatible with the purposes for which it was collected or subsequently authorized by the individual. Guardant Health will take reasonable steps to ensure that personal information is relevant to its intended use, accurate, complete, and current and obtain the minimum amount of information necessary to fulfill its provision of healthcare services.

Audit and Enforcement

We conduct periodic internal and third-party compliance audits of our relevant privacy practices, procedures, and our information and data processing systems, to verify adherence to this Policy. Any employee that we determine is in violation of this Policy will be subject to retraining, disciplinary action up to and including termination of employment and potential reporting to authorities.

The Guardant Health privacy and security program is subject to inspection by the Secretary of Health and Human Services (HHS) with respect to personal health information; the investigatory and enforcement powers of the Federal Trade Commission (FTC) with respect to Privacy Shield; the Information Commissioner with respect to UK DPA 2018; and the applicable Supervisory Authority in the EU with respect to GDPR. Guardant Health commits to cooperate in any investigations by or inquiries from these regulators.

Complaints

In compliance with the Privacy Shield Principles, Guardant Health commits to resolve complaints about our collection or use of your personal information.  EU, UK and Swiss individuals with inquiries or complaints regarding our Privacy Shield Policy should first contact Guardant Health, at dpo@guardanthealth.com or you can mail us at:  Data Protection Officer, Guardant Health, 505 Penobscot Drive, Redwood City, CA, USA 94063.

Guardant Health has committed to refer unresolved privacy complaints under the Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD, operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbb.org/EU-privacy-shield/for-eu-consumers for more information and to file a complaint. This service is provided free of charge to you.

Guardant Health has further committed to cooperate with the panel established by the EU data protection authorities, the UK Information Commissioner, and the Swiss Federal Data Protection and Information Commissioner with regard to unresolved Privacy Shield complaints concerning human resources data transferred from the EU, UK and Switzerland in the context of the employment relationship.

If your Privacy Shield complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms.  See Privacy Shield Annex I at: https://www.privacyshield.gov/article?id=ANNEX-I-introduction.

Legal Basis for Processing Personal Data Under GDPR

We process your personal data in order to perform our testing services and to bill for these services.  You have most likely provided your consent for our testing through your doctor.  Additionally, our processing is necessary based on our legitimate interest of providing our healthcare services to you.  We process and store your contact information so that we may contact you regarding the delivery of our healthcare services: for doctors’ use for treatment purposes and for patients’ test result reports. This personal information may come to us from you, your doctors, or your pathology lab and will be used to perform our testing services as you would expect when laboratory testing is ordered for you by your doctor.

Guardant Health may also use pseudonymized or anonymized data for scientific research purposes related to our cancer diagnostic product improvement and development.  PHI and PII are not used for this purpose; and therefore, your identity is not known during our research activities.

For EU, UK and Swiss Individuals: Your Rights under the General Data Protection Regulation

In some regions (like the European Economic Area, UK and Switzerland), you have certain rights under applicable data protection laws, which include the right (i) to request access and obtain a copy of your personal information, (ii) to request rectification or erasure; (iii) to restrict the processing of your personal information; and (iv) if applicable, to data portability. In certain circumstances, you may also have the right to object to the processing of your personal information.

You may also have the right to make a GDPR complaint to the relevant Supervisory Authority. A list of Supervisory Authorities is available here:  http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm.  If you need further assistance regarding your rights, please contact us using the contact information provided below and we will consider your request in accordance with applicable law. In some cases our ability to uphold these rights for you may depend upon our obligations to process personal information for security, safety, fraud prevention reasons, compliance with regulatory or legal requirements, or because processing is necessary to deliver the services you have requested. Where this is the case, we will inform you of specific details in response to your request.

If you would like to exercise any of the above rights, please contact our Data Protection Officer at dpo@guardanthealth.com.

Changes to Our Privacy Policy

We reserve the right to update and revise this Privacy Policy as necessary.  If we change our Privacy Policy and Notices, we will post those changes on our Websites to keep you aware of what information we collect, how we use it, and under what circumstances we may disclose it. Changes to this Privacy Policy are effective when they are posted on this page.

Contact Us for Questions

You can contact Guardant Health using our Website contact page or sending an email to one of the addresses below. We address questions and complaints about privacy and the collection or use of personal information in a timely manner. Please include your contact information and a detailed description of your request or privacy concern.

Guardant Health

Data Protection Officer

505 Penobscot Drive

Redwood City, CA, USA 94063

(855) 698-8887

For our US Privacy Officer, please email:  privacy@guardanthealth.com.

For our EU/UK/Swiss Data Protection Officer, please email:  dpo@guardanthealth.com.

Additionally, Guardant has appointed DPR Group as its Data Protection Representative in the European Union so that you can contact them directly in your home country. DPR Group has locations in each of the 28 EU countries, so that Guardant Health, Inc.’s customers can always raise the questions they want.

If you want to raise a question to Guardant Health, Inc., or otherwise exercise your rights in respect of your personal data, you may do so by:

  • Sending an email to DPR Group at datainquiry@dpr.eu.com quoting “Guardant Health, Inc.” in the subject line,
  • Contacting us on our online webform at dpr.eu.com/datarequest, or
  • If you would like to mail your inquiry, please email DPR Group at datainquiry@dpr.eu.com to obtain the most appropriate address. PLEASE NOTE: when mailing inquiries, it is ESSENTIAL that you mark your letters for ‘DPR Group’ and not ‘Guardant Health, Inc.’, or your inquiry may not reach us. Please refer clearly to Guardant Health, Inc. in your correspondence.

When we receive your correspondence, we are likely to request evidence of your identity, to ensure that your personal data and information connected with it is not provided to anyone other than to you.

If you feel that your complaint has not been addressed, you can also contact:

For HIPAA in the US:  Office of Civil Rights at the Department of Health and Human Services website:  www.hhs.gov/hipaa

For Privacy Shield in the EU/UK/Switzerland:  Better Business Bureau EU Privacy Shield, http://www.bbb.org/EU-privacy-shield/for-eu-consumers

Effective Date: March 20, 2019