Metabolon, Inc. Global Privacy Policy

This Policy is effective as of 11 July 2019.

This Privacy Policy (the “Policy”) is intended to inform you about how Metabolon Inc. and its satellite site (“Metabolon,” “we,” “us,” or “our”) may collect, use, share, and secure the personal information that you provide to us through our website and by using our products and services.

We treat all personal information as confidential, both as required by law and as required by professional ethics. We do not share personal information with any third party outside our organization, except as necessary to operate our business, fulfill a customer’s request, as required by law, or as set forth in this Policy.  When it is necessary for us to share personal information with third parties for any of these reasons, we ensure that the third party has appropriate privacy practices in place, to treat this information with the same level of confidentiality that we would.

1 Information We Collect or Receive

We collect or receive the following types of personal information (that is, information that might individually identify a specific person) for our business when we have an appropriate basis:

1.1 Information You Voluntarily Choose to Provide

Contact information that customers and potential customers give to us so that we can contact them with information about our products and services, and so that we can provide these products and services when contracted to do so.

1.2 Information Collected Automatically When You Use Our Website

We are the sole owners of the information collected on this website (the “Site”). We collect information that you voluntarily give us via email or other direct contact from you. We will not sell or rent this information to anyone.

We will use your information to respond to you regarding the reason you contacted us.

Unless you ask us not to, we may contact you via email in the future to tell you about new products or services or changes to this Policy.

We receive personal information from Site visitors who submit information directly, such as when they inquire about our services, register to use Site features or receive information, or register for webinars and other events. That information typically includes name, title, address, phone number, fax number, and e-mail address. If you apply for a job in response to one of the career opportunities on our site, you will be submitting information to our service provider’s website subject to their privacy policy.

Metabolon may also collect or receive information about how individuals access the Site. This information may include internet protocol (IP) addresses (or the DNS name associated with it) of the individual's device, the web sites the user visited immediately prior to and upon exiting this Site, and the browser software the individual is using to access the Site. This information is used in to administer our systems and the Site, and to make improvements to and protect the Site.

Metabolon may use cookies and other technologies on the Site to enhance or improve user experience, including customization of content. A cookie is usually text data that a website transfers to the individual's browser from a web server that is stored on the individual's device. Cookies can be utilized to help us provide you with information targeted to your interests, based upon your prior browsing on our Site.

1.3 Information Collected Automatically When You Use Our Products

With a Metabolon account, you can sign in to Metabolon products/services, as well as those of select Metabolon partners. Personal information associated with your Metabolon account includes credentials, device and usage data, name and contact information, information about your interactions with Metabolon and partner products.

To enable personalization and consistent experiences across products and devices for your Metabolon accounts, we track and use visitor and account data.  Visitor data includes name, email, role, permissions, business title, location, IP address, first login date, and visitor actions (such as saw webinar, received email, downloaded whitepaper).  Account data includes account name, location, industry, size, assigned contacts, and activity (such as reports downloaded, data exports, feature usage).

1.4 Information Related to Laboratory Services

Metabolon, operating as a laboratory, may receive very limited personal information related to biochemical analysis, research, diagnostics, consulting, and clinical trial support services from or on behalf of controllers within the EU or Switzerland. In some cases, Metabolon processes Sensitive Personal Data, such as genetic data or data concerning health.  Metabolon processes that data in the performance of services for and under the direction of those controllers. We process this personal information to fulfill our contractual obligations to our customers and premised on the same legal basis they identified to you, such as your consent or fulfilling a contract with you.

1.5 Information We Receive from Others and through Our Processes

Protected health information associated with clinical specimens that are submitted to us for biochemical analysis.   We have appropriate HIPAA & GPDR-compliant procedures to protect the privacy and security of this information while fulfilling our customers’ requests for analysis and reporting from clinical specimens.

Biochemical information that we have obtained from our analysis of samples of blood or other specimens were sent to us under contracts to perform this testing. We may use aggregated, de-identified biochemical information from these samples for further scientific research and statistical purposes, in accordance with applicable laws. We do not use biochemical information from these samples to identify or reach back to an individual unless we have their prior consent to do so.

We also obtained contact information about potential customers from third parties. Metabolon may also obtain limited personal information about potential customers from other businesses. This information could include your name or company name, phone number, and email. Metabolon processes that information in order to further its legitimate business interests, including sending you communications about our products and services. You may choose to opt out of those communications at any time as further described in this Policy.

2 How We Use and Share Information

With respect to the personal information that Metabolon collects from you, Metabolon acts as the controller of your personal information. In this capacity, we only collect, use, share, store, or otherwise process your personal information when we have an appropriate basis. For example, we may process your personal information as necessary to provide the services you request, or to enforce or fulfill our obligations under our terms of use that apply to your engagement with this Site.  Additionally, your personal information may be used for legitimate interests (such as providing and improving the products and services, communicating with you, and improving the user-experiences) if doing so is consistent with your rights and appropriate to the context, and to comply with legal obligations. We will retain your personal information so long as reasonably necessary to fulfill these purposes.

Metabolon also processes personal information under the direction of our customers. In those instances, such as when we provide laboratory services as described in Section 1.4, Metabolon acts as a processor of the personal information of our customer, the data controller.

Metabolon may share personal information with service providers, affiliates, contractors, and other third parties who help us perform services such as managing communications, administering the Site, or conducting our business. We permit these third parties to use personal information as needed to deliver services or comply with law.

We will share personal information in the event we sell or transfer all or a portion of our business assets, such as during a merger, acquisition, liquidation, or bankruptcy.

In limited cases, we may share information with other parties if appropriate to respond to your request or inquiry.  We also may share personal information if we have a good faith belief that doing so is necessary to comply with law, respond to a legitimate request from law enforcement or other government body, to protect our interests or the health and safety of others, or to enforce our terms of use for this Site.

3 Your Choices

You may visit and browse our Site without providing any personal information, and you can always choose not to provide us with the personal information we request. However, choosing not to provide us with certain information that we request may prevent you from accessing or using certain portions of our Site.

If you would like to manage cookies used by this Site, the "help" section of the toolbar on most browsers will inform you on how to prevent your browser from accepting new cookies, how to have the browser notify you upon the receipt of a new cookie, or how to disable the use of cookies completely. However, if you configure your browser to decline cookies, certain features of our Site may not function correctly, and you may be required to re-enter any user IDs and passwords more frequently. Some browsers incorporate a "Do Not Track" feature that, when turned on, signals to websites and online services that you do not want to be tracked. Our site responds to Do Not Track signals.

You may opt out of any future contacts from us at any time by contacting us through one of the methods listed at the bottom of this Policy.

In addition, you can use the contact information at the bottom of this Policy to do the following at any time:

  • See what data we have about you, if any.
  • Change/correct any data we have about you.
  • Express any concern you have about our use of your data.
  • Have us delete any data we have about you.

Please note, however, that under U.S. law for clinical laboratories, if we performed a clinical test on a sample of your blood or other specimen from you (per request from you or your medical team), we must retain your test information.

When Metabolon acts as a controller, Metabolon offers individuals the opportunity to choose (opt out) whether Personal Data is (i) to be disclosed to a non-agent third party or (ii) to be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by the individuals. Individuals will be provided with clear, conspicuous, and readily available mechanisms to exercise their choice.

For Sensitive Personal Data, when Metabolon acts as a controller, Metabolon will give individuals the opportunity to affirmatively express consent (opt in) if such information is to be (i) disclosed to a third party or (ii) used for a purpose incompatible with those for which it was originally collected or subsequently authorized by the individuals through the exercise of opt-in choice. Metabolon will treat as sensitive any Personal Data received from a third party where the third party identifies and treats it as sensitive via a Controller or Agent contract with Metabolon

4 Additional Rights Available to EEA Residents

If you reside in a European Economic Area (“EEA”) member state or Switzerland, and Metabolon acts as a controller of your personal information, you have the right to request access to your personal information. You also have the right to request that we correct, amend, or delete your personal information. Your request to exercise these rights may be denied under certain circumstances, such as where the burden or expense of providing access would be disproportionate to the risks to the privacy of the individual in the case in question, or where the rights of persons other than the individual would be violated. You also may object to the processing of your personal information or request that we restrict processing of your personal information.

When Metabolon is a processor and not a controller, it will take reasonable steps to help the appropriate controller respond and will act on the reasonable direction of its controller customers with respect to access, erasure, rectification, or restricted processing.

You also may have the right to request that we transfer your personal information to you or to another controller identified by you. Please note that in cases where your personal information pertains to a clinical trial or similarly confidential study, we may not be able to adhere to your request, but we will work with you and the applicable controller to address your request as fully as possible.

To exercise your rights under this Section, please send your request as described in the “How to Contact Us” Section below. You also have the right to lodge a complaint about our processing of your personal information with your local data protection supervisory authority.

5 How We Protect Personal Information

We take precautions to protect your personal information, including applying reasonable and appropriate administrative, physical and technical safeguards that are designed to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into account the risks involved and the nature of the personal information.

6 Privacy Shield Certification

Metabolon’s Privacy Policy describes how Metabolon Processes Personal Data received from the European Union (EU) and Switzerland in compliance with the Privacy Shield Principles, including the Supplemental Principles (collectively “Principles”), documented in the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework (collectively, “Privacy Shield”). These principles were designed in collaboration with the European Commission and Swiss Administration to provide adequate protections for the transfer of personal data from the EU / Switzerland to the United States and are in accordance with the requirements of the EU General Data Protection Regulation (GDPR).  Personal Data may include data relating to customers, business partners as well as healthcare professionals and study participants as part of biochemical analysis, research, diagnostics, consulting, and clinical trial support services provided by Metabolon.

6.1 Scope

Metabolon participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework. Metabolon is committed to treating the personal information it receives under the “Privacy Shield” consistent with the Privacy Shield Principles, which can be found here: https://www.privacyshield.gov/EU-US-Framework. Metabolon has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/participant?id=a2zt0000000L1PGAA0&status=Active.

Metabolon acknowledges that it is subject to the jurisdiction of the Federal Trade Commission for compliance and enforcement of the Privacy Shield and Swiss Privacy Shield.

The Privacy Shield Frameworks protect the fundamental rights of anyone in the EU or Switzerland whose personal data is transferred to the United States for commercial purposes, and also brings legal clarity for businesses relying on transatlantic data transfers. Further information on the Privacy Shield is available from the European Commission here: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/eu-us-privacy-shield_en. Under certain conditions, more fully described here: https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted. 

6.2 Notice

When Metabolon acts as a controller and is the recipient of Personal Data, it shall provide the appropriate notice in clear and conspicuous language when individuals are first asked to provide Personal Data to Metabolon, including identification of our legal bases for Processing your Personal Data, or as soon thereafter as is practicable. In addition, when Metabolon is a controller it will seek consent prior to using Personal Data for any purpose incompatible with that for which it was originally collected or Processed.

6.3 Data Integrity and Purpose and Retention Limitations

Metabolon will only collect and Process Personal Data in a way that is consistent with, and relevant for, the purpose of Processing for which it was collected or authorized by the individual. Metabolon may use Personal Data for compatible Processing purposes such as those that reasonably serve customer relations, compliance and legal considerations, auditing, security and fraud prevention, preserving or defending Metabolon’s legal rights, scientific research or statistical purposes, or other purposes consistent with the expectations of a reasonable person given the context of the collection.

Metabolon will not process Personal Data in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual. Metabolon will take reasonable steps to ensure that Personal Data is reliable for its intended use, accurate, complete, and current. Metabolon will adhere to the Principles for as long as the Personal Data is retained.

Where we act on behalf of our customers, Metabolon retains Personal Data until our engagement with our customers ends or they direct us to dispose of or return the data. Where we are a controller, we will Process Personal Data only so long as is necessary to fulfill the purposes for which it is Processed.   However, Metabolon also complies with U.S. law for clinical laboratories. As such, Metabolon must retain results from biochemical testing of blood and other human specimens, after that testing has been requested by patients or their medical professionals.

6.4 Recourse, Enforcement and Liability

In compliance with the Principles, Metabolon commits to resolve complaints about our collection or use of your Personal Data. European Union or Swiss individuals with inquiries or complaints regarding Metabolon’s Privacy Shield Privacy Policy should first contact Metabolon directly. Metabolon will respond to issues and complaints within 45 days of receipt. Metabolon encourages interested persons to raise any concerns about the collection, use, or Processing of Personal Data using the contact information provided.  In the event of a privacy related issue or complaint, Metabolon will investigate and attempt to promptly resolve any complaints and disputes regarding use and disclosure of Personal Data in accordance with the Principles.

For complaints that cannot be resolved, Metabolon commits to cooperate with the panel established by the EU data protection authorities (DPAs) or the Swiss Federal Data Protection and Information Commissioner (FDPIC), as applicable, and comply with the advice given by the panel or Commissioner about Personal Data transferred from the EU or Switzerland. In order to facilitate the handling of complaints, individuals in the EU can choose to contact their national DPA or use the form located at this link: http://ec.europa.eu/newsroom/document.cfm?doc_id=42962.  Individuals in Switzerland can contact the Swiss Information Commissioner by visiting https://www.edoeb.admin.ch/kontakt/index.html?lang=en.

This independent dispute resolution process is provided at no cost to the individual. Under certain conditions an individual may choose to invoke binding arbitration to resolve any residual complaints not resolved by Metabolon or the DPAs or FDPIC, as appropriate.  If an individual formally invokes binding arbitration, Metabolon will follow the terms set forth in Annex 1 of the Privacy Shield Frameworks. For more information on binding arbitration visit https://www.privacyshield.gov/article?id=ANNEX-I-introduction.

In the context of an onward transfer, Metabolon has responsibility for the Processing of Personal Data it receives under the Privacy Shield Frameworks and subsequently transfers to a third party acting as an agent on its behalf.  Metabolon shall remain liable under the Principles if its agent Processes such Personal Data in a manner inconsistent with the Principles, unless Metabolon proves that it is not responsible for the event giving rise to the damage.

7 International Transfers

As part of our international operations, we may transfer personal information to any jurisdiction where we do business.  When you use our Site or services, you acknowledge that we may transfer information about you as described in this Policy.

We will transfer your personal information for any of the purposes identified in this Policy to our subsidiaries, affiliates, and service providers that may be based outside of the jurisdiction where you are located. The laws in those jurisdictions may not provide the same level of data protection compared to the laws in your country. However, we will treat your personal information as subject to the protections described in this Policy.

When we transfer personal information from an entity based in the EEA to entities within our organization, we rely on the EU-U.S. Privacy Shield program or the Swiss-U.S. Privacy Shield program, as applicable. If we transfer personal information from the EEA to another party located outside the EEA, we will rely on a legal framework that provides appropriate safeguards, which could include the standard contractual clauses, binding corporate rules, Privacy Shield programs, or another framework deemed adequate by the European Commission.

8 Updates to Our Privacy Policy

We will indicate at the top of this Policy when it was last updated. We encourage you to periodically review this page for the latest information on our privacy practices. When warranted, we will try to provide additional notice of specific changes to this Policy, either by attempting direct communication with you and/or by posting on our Site.

9 How to Contact Us

To contact Metabolon with questions about this Policy, please use one of the contact methods below: