This Policy is effective as of January 22, 2020.
We treat all personal information as confidential, both as required by law and as required by professional ethics. We do not share personal information with any third party outside our organization, except as necessary to operate our business, fulfill a customer’s request, as required by law, or as set forth in this Policy. When it is necessary for us to share personal information with third parties for any of these reasons, we ensure that the third party has appropriate privacy practices in place, to treat this information with the same level of confidentiality that we would.
1 Information We Collect or Receive
We collect or receive the following types of personal information (that is, information that might individually identify a specific person) for our business when we have an appropriate basis:
1.1 Information You Voluntarily Choose to Provide
Contact information that customers and potential customers give to us so that we can contact them with information about our products and services, and so that we can provide these products and services when contracted to do so.
1.2 Information Collected Automatically When You Use Our Website
We are the sole owners of the information collected on this website (the “Site”). We collect information that you voluntarily give us via email or other direct contact from you. We will not sell or rent this information to anyone.
We will use your information to respond to you regarding the reason you contacted us.
Unless you ask us not to, we may contact you via email in the future to tell you about new products or services or changes to this Policy.
Metabolon may also collect or receive information about how individuals access the Site. This information may include internet protocol (IP) addresses (or the DNS name associated with it) of the individual's device, the web sites the user visited immediately prior to and upon exiting this Site, and the browser software the individual is using to access the Site. This information is used to administer our systems and the Site, and to make improvements to and protect the Site.
1.3 Information Collected Automatically When You Use Our Products
With a Metabolon account, you can sign in to Metabolon products/services, as well as those of select Metabolon partners. Personal information associated with your Metabolon account includes credentials, device and usage data, name and contact information, and information about your interactions with Metabolon and partner products.
To enable personalization and consistent experiences across products and devices for your Metabolon accounts, we track and use visitor and account data. Visitor data includes name, email, role, permissions, business title, location, IP address, first login date, and visitor actions (such as saw webinar, received email, downloaded whitepaper). Account data includes account name, location, industry, size, assigned contacts, and activity (such as reports downloaded, data exports, feature usage).
1.4 Information Related to Laboratory Services
Metabolon, operating as a laboratory, may receive very limited personal information related to biochemical analysis, research, diagnostics, consulting, and clinical trial support services from or on behalf of controllers within the EU or Switzerland. In some cases, Metabolon processes Sensitive Personal Data, such as genetic data or data concerning health. Metabolon processes that data in the performance of services for and under the direction of those controllers. We process this personal information to fulfill our contractual obligations to our customers and premised on the same legal basis they identified to you, such as your consent or fulfilling a contract with you.
1.5 Information We Receive from Others and through Our Processes
Protected health information associated with clinical specimens that are submitted to us for biochemical analysis. We have appropriate HIPAA & GDPR-compliant procedures to protect the privacy and security of this information while fulfilling our customers’ requests for analysis and reporting from clinical specimens.
Biochemical information that we have obtained from our analysis of samples of blood or other specimens that were sent to us under contracts to perform this testing. We may use aggregated, de-identified biochemical information from these samples for further scientific research and statistical purposes, in accordance with applicable laws. We do not use biochemical information from these samples to identify or reach back to an individual unless we have their prior consent to do so.
We also obtained contact information about potential customers from third parties. Metabolon may also obtain limited personal information about potential customers from other businesses. This information could include your name or company name, phone number, and email. Metabolon processes that information in order to further its legitimate business interests, including sending you communications about our products and services. You may choose to opt out of those communications at any time as further described in this Policy.
2 How We Use and Share Information
Metabolon also processes personal information under the direction of our customers. In those instances, such as when we provide laboratory services as described in Section 1.4, Metabolon acts as a processor of the personal information of our customer, the data controller.
Metabolon may share personal information with service providers, affiliates, contractors, and other third parties who help us perform services such as managing communications, administering the Site, or conducting our business. We permit these third parties to use personal information as needed to deliver services or comply with law.
We will share personal information in the event we sell or transfer all or a portion of our business assets, such as during a merger, acquisition, liquidation, or bankruptcy.
3 Your Choices
You may visit and browse our Site without providing any personal information, and you can always choose not to provide us with the personal information we request. However, choosing not to provide us with certain information that we request may prevent you from accessing or using certain portions of our Site.
You may opt out of any future contacts from us at any time by contacting us through one of the methods listed at the bottom of this Policy.
In addition, you can use the contact information at the bottom of this Policy to do the following at any time:
- See what data we have about you, if any.
- Change/correct any data we have about you.
- Express any concern you have about our use of your data.
- Have us delete any data we have about you.
Please note, however, that under U.S. law for clinical laboratories, if we performed a clinical test on a sample of your blood or other specimen from you (per request from you or your medical team), we must retain your test information.
When Metabolon acts as a controller, Metabolon offers individuals the opportunity to choose (opt out) whether Personal Data is (i) to be disclosed to a non-agent third party or (ii) to be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by the individuals. Individuals will be provided with clear, conspicuous, and readily available mechanisms to exercise their choice.
For Sensitive Personal Data, when Metabolon acts as a controller, Metabolon will give individuals the opportunity to affirmatively express consent (opt in) if such information is to be (i) disclosed to a third party or (ii) used for a purpose incompatible with those for which it was originally collected or subsequently authorized by the individuals through the exercise of opt-in choice. Metabolon will treat as sensitive any Personal Data received from a third party where the third party identifies and treats it as sensitive via a Controller or Agent contract with Metabolon.
4 Additional Rights Available to EEA Residents
If you reside in a European Economic Area (“EEA”) member state or Switzerland, and Metabolon acts as a controller of your personal information, you have the right to request access to your personal information. You also have the right to request that we correct, amend, or delete your personal information. Your request to exercise these rights may be denied under certain circumstances, such as where the burden or expense of providing access would be disproportionate to the risks to the privacy of the individual in the case in question, or where the rights of persons other than the individual would be violated. You also may object to the processing of your personal information or request that we restrict processing of your personal information.
When Metabolon is a processor and not a controller, it will take reasonable steps to help the appropriate controller respond and will act on the reasonable direction of its controller customers with respect to access, erasure, rectification, or restricted processing.
You also may have the right to request that we transfer your personal information to you or to another controller identified by you. Please note that in cases where your personal information pertains to a clinical trial or similarly confidential study, we may not be able to adhere to your request, but we will work with you and the applicable controller to address your request as fully as possible.
To exercise your rights under this Section, please send your request as described in the “How to Contact Us” Section below. You also have the right to lodge a complaint about our processing of your personal information with your local data protection supervisory authority.
5 Additional Rights Available to California Residents
If you are a resident of the State of California, you are entitled under California law, including the California Consumer Privacy Act of 2018 (“CCPA”), to certain additional information about, and additional rights with respect to, our collection and disclosure of your personal information. This Section provides that additional information and describes those additional rights. This Section applies solely to consumers who reside in the State of California, and to information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with California consumers or households ("California Personal Information"). Metabolon provides this portion of our Policy to comply with our obligations in our capacity as a “Business” under the CCPA. This section of the Policy does not apply to information Metabolon collects, maintains, or discloses in our capacity as a "Service Provider" under CCPA on behalf of our clients, including medical information that we process within the clinical services that we perform on behalf of our clients. If your information has been submitted to us as part of our performance of those services and you would like to learn more about the handling of that information or exercise any rights you may have under the CCPA, please inquire with the client directly.
As used in this Policy, the term “California Personal Information” does not include:
- Information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, pursuant to good clinical practice guidelines issued by the International Council for Harmonisation or pursuant to human subject protection requirements of the United States Food and Drug Administration;
- Publicly available information lawfully made available from federal, state, or local government records;
- Deidentified or aggregated consumer information; or
- Other information excluded from the CCPA's scope, including:
  - Health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA); and
5.1 Sales and Disclosures of California Personal Information for a Business Purpose
We may disclose your California Personal Information to a third party for a business purpose. In the preceding twelve (12) months, we have disclosed California Personal Information for the following business purposes:
- Auditing related to our transactions with you, including, but not limited to, counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance.
- Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity.
- Debugging to identify and repair errors that impair existing intended functionality.
- Short-term, transient uses where California Personal Information is not disclosed to a third party and is not used to build a profile about you or otherwise alter your experience outside our current interaction.
- Performing services on behalf of our clients, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments.
- Undertaking internal research for technological development and demonstration.
- Undertaking activities to verify or maintain the quality or safety of a service that we produce and to improve, upgrade, or enhance the service.
- Other purposes noted herein, or that are reasonably necessary and proportionate to achieve the operational purpose for which we collected your California Personal Information, or for another operational purpose that is compatible.
In the preceding twelve (12) months, we have not sold California Personal Information.
5.2 Other Rights and Choices Regarding Your California Personal Information Under CCPA
You have the right to request that we disclose certain information to you about our collection, use, and sharing of your personal information over the past 12 months, including (a) the categories of personal information we collected about you; (b) the categories of sources for the personal information we collected about you; (c) our business or commercial purpose for collecting or selling that personal information; (d) the categories of third parties with whom we share that personal information; (e) the specific pieces of personal information we collected about you (also called a data portability request); and (f) if we sold or disclosed your personal information for a business purpose, two separate lists disclosing (i) sales, identifying the personal information categories that each category of recipient purchased; and (ii) disclosures for a business purpose, identifying the personal information categories that each category of recipient obtained.
You also have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies.
To exercise the access, data portability, and deletion rights described above, please submit a verifiable consumer request to us by either:
- Calling us at +1 919 572 1711
- Emailing us at: firstname.lastname@example.org
Only you, or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child.
We will endeavor to respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time, we will inform you of the reason and extension period in writing.
If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option.
Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will, to the extent technically feasible, select a format to provide your personal information that is readily useable and should allow you to transmit the information to another entity without hindrance.
We will not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information and describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it. We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you.
You have the right not to be discriminated against for exercising any of your CCPA rights. However, to the extent permitted by the CCPA, we may offer you certain financial incentives for the collection or sharing of your personal information that can result in different prices, rates, or quality levels. Any CCPA-permitted financial incentive we offer will reasonably relate to your personal information’s value and contain written terms that describe the program’s material aspects. Participation in a financial incentive program requires your prior opt-in consent, which you may revoke at any time.
6 How We Protect Personal Information
We take precautions to protect your personal information, including applying reasonable and appropriate administrative, physical and technical safeguards that are designed to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into account the risks involved and the nature of the personal information.
7 Privacy Shield Certification
Metabolon participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework. Metabolon is committed to treating the personal information it receives under the “Privacy Shield” consistent with the Privacy Shield Principles, which can be found here: https://www.privacyshield.gov/EU-US-Framework. Metabolon has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/participant?id=a2zt0000000L1PGAA0&status=Active.
Metabolon acknowledges that it is subject to the jurisdiction of the Federal Trade Commission for compliance and enforcement of the Privacy Shield and Swiss Privacy Shield.
The Privacy Shield Frameworks protect the fundamental rights of anyone in the EU or Switzerland whose personal data is transferred to the United States for commercial purposes, and also bring legal clarity for businesses relying on transatlantic data transfers. Further information on the Privacy Shield is available from the European Commission here: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/eu-us-privacy-shield_en. Under certain conditions, more fully described here: https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.
When Metabolon acts as a controller and is the recipient of Personal Data, it shall provide the appropriate notice in clear and conspicuous language when individuals are first asked to provide Personal Data to Metabolon, including identification of our legal bases for Processing your Personal Data, or as soon thereafter as is practicable. In addition, when Metabolon is a controller it will seek consent prior to using Personal Data for any purpose incompatible with that for which it was originally collected or Processed.
7.3 Data Integrity and Purpose and Retention Limitations
Metabolon will only collect and Process Personal Data in a way that is consistent with, and relevant for, the purpose of Processing for which it was collected or authorized by the individual. Metabolon may use Personal Data for compatible Processing purposes such as those that reasonably serve customer relations, compliance and legal considerations, auditing, security and fraud prevention, preserving or defending Metabolon’s legal rights, scientific research or statistical purposes, or other purposes consistent with the expectations of a reasonable person given the context of the collection.
Metabolon will not process Personal Data in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual. Metabolon will take reasonable steps to ensure that Personal Data is reliable for its intended use, accurate, complete, and current. Metabolon will adhere to the Principles for as long as the Personal Data is retained.
Where we act on behalf of our customers, Metabolon retains Personal Data until our engagement with our customers ends or they direct us to dispose of or return the data. Where we are a controller, we will Process Personal Data only so long as is necessary to fulfill the purposes for which it is Processed. However, Metabolon also complies with U.S. law for clinical laboratories. As such, Metabolon must retain results from biochemical testing of blood and other human specimens, after that testing has been requested by patients or their medical professionals.
7.4 Recourse, Enforcement and Liability
For complaints that cannot be resolved, Metabolon commits to cooperate with the panel established by the EU data protection authorities (DPAs) or the Swiss Federal Data Protection and Information Commissioner (FDPIC), as applicable, and comply with the advice given by the panel or Commissioner about Personal Data transferred from the EU or Switzerland. In order to facilitate the handling of complaints, individuals in the EU can choose to contact their national DPA or use the form located at this link: http://ec.europa.eu/newsroom/document.cfm?doc_id=42962. Individuals in Switzerland can contact the Swiss Information Commissioner by visiting https://www.edoeb.admin.ch/edoeb/en/home.html. This independent dispute resolution process is provided at no cost to the individual. Under certain conditions an individual may choose to invoke binding arbitration to resolve any residual complaints not resolved by Metabolon or the DPAs or FDPIC, as appropriate. If an individual formally invokes binding arbitration, Metabolon will follow the terms set forth in Annex 1 of the Privacy Shield Frameworks. For more information on binding arbitration visit https://www.privacyshield.gov/article?id=ANNEX-I-introduction.
In the context of an onward transfer, Metabolon has responsibility for the Processing of Personal Data it receives under the Privacy Shield Frameworks and subsequently transfers to a third party acting as an agent on its behalf. Metabolon shall remain liable under the Principles if its agent Processes such Personal Data in a manner inconsistent with the Principles, unless Metabolon proves that it is not responsible for the event giving rise to the damage.
8 International Transfers
As part of our international operations, we may transfer personal information to any jurisdiction where we do business. When you use our Site or services, you acknowledge that we may transfer information about you as described in this Policy.
We will transfer your personal information for any of the purposes identified in this Policy to our subsidiaries, affiliates, and service providers that may be based outside of the jurisdiction where you are located. The laws in those jurisdictions may not provide the same level of data protection compared to the laws in your country. However, we will treat your personal information as subject to the protections described in this Policy.
When we transfer personal information from an entity based in the EEA to entities within our organization, we rely on the EU-U.S. Privacy Shield program or the Swiss-U.S. Privacy Shield program, as applicable. If we transfer personal information from the EEA to another party located outside the EEA, we will rely on a legal framework that provides appropriate safeguards, which could include the standard contractual clauses, binding corporate rules, Privacy Shield programs, or another framework deemed adequate by the European Commission.
We will indicate at the top of this Policy when it was last updated. We encourage you to periodically review this page for the latest information on our privacy practices. When warranted, we will try to provide additional notice of specific changes to this Policy, either by attempting direct communication with you and/or by posting on our Site.
10 How to Contact Us
To contact Metabolon with questions about this Policy, please use one of the contact methods below: