This Policy is effective as of 11 July 2019.
We treat all personal information as confidential, both as required by law and as required by professional ethics. We do not share personal information with any third party outside our organization, except as necessary to operate our business, fulfill a customer’s request, as required by law, or as set forth in this Policy. When it is necessary for us to share personal information with third parties for any of these reasons, we ensure that the third party has appropriate privacy practices in place, to treat this information with the same level of confidentiality that we would.
1 Information We Collect or Receive
We collect or receive the following types of personal information (that is, information that might individually identify a specific person) for our business when we have an appropriate basis:
1.1 Information You Voluntarily Choose to Provide
Contact information that customers and potential customers give to us so that we can contact them with information about our products and services, and so that we can provide these products and services when contracted to do so.
1.2 Information Collected Automatically When You Use Our Website
We are the sole owners of the information collected on this website (the “Site”). We collect information that you voluntarily give us via email or other direct contact from you. We will not sell or rent this information to anyone.
We will use your information to respond to you regarding the reason you contacted us.
Unless you ask us not to, we may contact you via email in the future to tell you about new products or services or changes to this Policy.
Metabolon may also collect or receive information about how individuals access the Site. This information may include internet protocol (IP) addresses (or the DNS name associated with it) of the individual's device, the web sites the user visited immediately prior to and upon exiting this Site, and the browser software the individual is using to access the Site. This information is used to administer our systems and the Site, and to make improvements to and protect the Site.
1.3 Information Collected Automatically When You Use Our Products
With a Metabolon account, you can sign in to Metabolon products/services, as well as those of select Metabolon partners. Personal information associated with your Metabolon account includes credentials, device and usage data, name and contact information, and information about your interactions with Metabolon and partner products.
To enable personalization and consistent experiences across products and devices for your Metabolon accounts, we track and use visitor and account data. Visitor data includes name, email, role, permissions, business title, location, IP address, first login date, and visitor actions (such as saw webinar, received email, downloaded whitepaper). Account data includes account name, location, industry, size, assigned contacts, and activity (such as reports downloaded, data exports, feature usage).
1.4 Information Related to Laboratory Services
Metabolon, operating as a laboratory, may receive very limited personal information related to biochemical analysis, research, diagnostics, consulting, and clinical trial support services from or on behalf of controllers within the EU or Switzerland. In some cases, Metabolon processes Sensitive Personal Data, such as genetic data or data concerning health. Metabolon processes that data in the performance of services for and under the direction of those controllers. We process this personal information to fulfill our contractual obligations to our customers and premised on the same legal basis they identified to you, such as your consent or fulfilling a contract with you.
1.5 Information We Receive from Others and through Our Processes
Protected health information associated with clinical specimens that are submitted to us for biochemical analysis. We have appropriate HIPAA & GDPR-compliant procedures to protect the privacy and security of this information while fulfilling our customers’ requests for analysis and reporting from clinical specimens.
Biochemical information that we have obtained from our analysis of samples of blood or other specimens that were sent to us under contracts to perform this testing. We may use aggregated, de-identified biochemical information from these samples for further scientific research and statistical purposes, in accordance with applicable laws. We do not use biochemical information from these samples to identify or reach back to an individual unless we have their prior consent to do so.
We also obtained contact information about potential customers from third parties. Metabolon may also obtain limited personal information about potential customers from other businesses. This information could include your name or company name, phone number, and email. Metabolon processes that information in order to further its legitimate business interests, including sending you communications about our products and services. You may choose to opt out of those communications at any time as further described in this Policy.
2 How We Use and Share Information
Metabolon also processes personal information under the direction of our customers. In those instances, such as when we provide laboratory services as described in Section 1.4, Metabolon acts as a processor of the personal information of our customer, the data controller.
Metabolon may share personal information with service providers, affiliates, contractors, and other third parties who help us perform services such as managing communications, administering the Site, or conducting our business. We permit these third parties to use personal information as needed to deliver services or comply with law.
We will share personal information in the event we sell or transfer all or a portion of our business assets, such as during a merger, acquisition, liquidation, or bankruptcy.
3 Your Choices
You may visit and browse our Site without providing any personal information, and you can always choose not to provide us with the personal information we request. However, choosing not to provide us with certain information that we request may prevent you from accessing or using certain portions of our Site.
You may opt out of any future contacts from us at any time by contacting us through one of the methods listed at the bottom of this Policy.
In addition, you can use the contact information at the bottom of this Policy to do the following at any time:
- See what data we have about you, if any.
- Change/correct any data we have about you.
- Express any concern you have about our use of your data.
- Have us delete any data we have about you.
Please note, however, that under U.S. law for clinical laboratories, if we performed a clinical test on a sample of your blood or other specimen from you (per request from you or your medical team), we must retain your test information.
When Metabolon acts as a controller, Metabolon offers individuals the opportunity to choose (opt out) whether Personal Data is (i) to be disclosed to a non-agent third party or (ii) to be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by the individuals. Individuals will be provided with clear, conspicuous, and readily available mechanisms to exercise their choice.
For Sensitive Personal Data, when Metabolon acts as a controller, Metabolon will give individuals the opportunity to affirmatively express consent (opt in) if such information is to be (i) disclosed to a third party or (ii) used for a purpose incompatible with those for which it was originally collected or subsequently authorized by the individuals through the exercise of opt-in choice. Metabolon will treat as sensitive any Personal Data received from a third party where the third party identifies and treats it as sensitive via a Controller or Agent contract with Metabolon.
4 Additional Rights Available to EEA Residents
If you reside in a European Economic Area (“EEA”) member state or Switzerland, and Metabolon acts as a controller of your personal information, you have the right to request access to your personal information. You also have the right to request that we correct, amend, or delete your personal information. Your request to exercise these rights may be denied under certain circumstances, such as where the burden or expense of providing access would be disproportionate to the risks to the privacy of the individual in the case in question, or where the rights of persons other than the individual would be violated. You also may object to the processing of your personal information or request that we restrict processing of your personal information.
When Metabolon is a processor and not a controller, it will take reasonable steps to help the appropriate controller respond and will act on the reasonable direction of its controller customers with respect to access, erasure, rectification, or restricted processing.
You also may have the right to request that we transfer your personal information to you or to another controller identified by you. Please note that in cases where your personal information pertains to a clinical trial or similarly confidential study, we may not be able to adhere to your request, but we will work with you and the applicable controller to address your request as fully as possible.
To exercise your rights under this Section, please send your request as described in the “How to Contact Us” Section below. You also have the right to lodge a complaint about our processing of your personal information with your local data protection supervisory authority.
5 How We Protect Personal Information
We take precautions to protect your personal information, including applying reasonable and appropriate administrative, physical and technical safeguards that are designed to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into account the risks involved and the nature of the personal information.
6 Privacy Shield Certification
Metabolon participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework. Metabolon is committed to treating the personal information it receives under the “Privacy Shield” consistent with the Privacy Shield Principles, which can be found here: https://www.privacyshield.gov/EU-US-Framework. Metabolon has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/participant?id=a2zt0000000L1PGAA0&status=Active.
Metabolon acknowledges that it is subject to the jurisdiction of the Federal Trade Commission for compliance and enforcement of the Privacy Shield and Swiss Privacy Shield.
The Privacy Shield Frameworks protect the fundamental rights of anyone in the EU or Switzerland whose personal data is transferred to the United States for commercial purposes, and also bring legal clarity for businesses relying on transatlantic data transfers. Further information on the Privacy Shield is available from the European Commission here: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/eu-us-privacy-shield_en. Under certain conditions, more fully described here: https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.
When Metabolon acts as a controller and is the recipient of Personal Data, it shall provide the appropriate notice in clear and conspicuous language when individuals are first asked to provide Personal Data to Metabolon, including identification of our legal bases for Processing your Personal Data, or as soon thereafter as is practicable. In addition, when Metabolon is a controller it will seek consent prior to using Personal Data for any purpose incompatible with that for which it was originally collected or Processed.
6.3 Data Integrity and Purpose and Retention Limitations
Metabolon will only collect and Process Personal Data in a way that is consistent with, and relevant for, the purpose of Processing for which it was collected or authorized by the individual. Metabolon may use Personal Data for compatible Processing purposes such as those that reasonably serve customer relations, compliance and legal considerations, auditing, security and fraud prevention, preserving or defending Metabolon’s legal rights, scientific research or statistical purposes, or other purposes consistent with the expectations of a reasonable person given the context of the collection.
Metabolon will not process Personal Data in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual. Metabolon will take reasonable steps to ensure that Personal Data is reliable for its intended use, accurate, complete, and current. Metabolon will adhere to the Principles for as long as the Personal Data is retained.
Where we act on behalf of our customers, Metabolon retains Personal Data until our engagement with our customers ends or they direct us to dispose of or return the data. Where we are a controller, we will Process Personal Data only so long as is necessary to fulfill the purposes for which it is Processed. However, Metabolon also complies with U.S. law for clinical laboratories. As such, Metabolon must retain results from biochemical testing of blood and other human specimens, after that testing has been requested by patients or their medical professionals.
6.4 Recourse, Enforcement and Liability
For complaints that cannot be resolved, Metabolon commits to cooperate with the panel established by the EU data protection authorities (DPAs) or the Swiss Federal Data Protection and Information Commissioner (FDPIC), as applicable, and comply with the advice given by the panel or Commissioner about Personal Data transferred from the EU or Switzerland. In order to facilitate the handling of complaints, individuals in the EU can choose to contact their national DPA or use the form located at this link: http://ec.europa.eu/newsroom/document.cfm?doc_id=42962. Individuals in Switzerland can contact the Swiss Information Commissioner by visiting https://www.edoeb.admin.ch/kontakt/index.html?lang=en.
This independent dispute resolution process is provided at no cost to the individual. Under certain conditions an individual may choose to invoke binding arbitration to resolve any residual complaints not resolved by Metabolon or the DPAs or FDPIC, as appropriate. If an individual formally invokes binding arbitration, Metabolon will follow the terms set forth in Annex 1 of the Privacy Shield Frameworks. For more information on binding arbitration visit https://www.privacyshield.gov/article?id=ANNEX-I-introduction.
In the context of an onward transfer, Metabolon has responsibility for the Processing of Personal Data it receives under the Privacy Shield Frameworks and subsequently transfers to a third party acting as an agent on its behalf. Metabolon shall remain liable under the Principles if its agent Processes such Personal Data in a manner inconsistent with the Principles, unless Metabolon proves that it is not responsible for the event giving rise to the damage.
7 International Transfers
As part of our international operations, we may transfer personal information to any jurisdiction where we do business. When you use our Site or services, you acknowledge that we may transfer information about you as described in this Policy.
We will transfer your personal information for any of the purposes identified in this Policy to our subsidiaries, affiliates, and service providers that may be based outside of the jurisdiction where you are located. The laws in those jurisdictions may not provide the same level of data protection compared to the laws in your country. However, we will treat your personal information as subject to the protections described in this Policy.
When we transfer personal information from an entity based in the EEA to entities within our organization, we rely on the EU-U.S. Privacy Shield program or the Swiss-U.S. Privacy Shield program, as applicable. If we transfer personal information from the EEA to another party located outside the EEA, we will rely on a legal framework that provides appropriate safeguards, which could include the standard contractual clauses, binding corporate rules, Privacy Shield programs, or another framework deemed adequate by the European Commission.
We will indicate at the top of this Policy when it was last updated. We encourage you to periodically review this page for the latest information on our privacy practices. When warranted, we will try to provide additional notice of specific changes to this Policy, either by attempting direct communication with you and/or by posting on our Site.
9 How to Contact Us
To contact Metabolon with questions about this Policy, please use one of the contact methods below: