***Last updated: November 9, 2022***
This Policy applies to “Personal Information” we obtain from individuals through our website and any associated portals (collectively, our “Site”), our products and services (collectively, the “Services”), and from third party and publicly available sources, as further described below. Please read this Policy carefully before you use our Services, whether online or offline. When referenced in this Policy, the term “Personal Information” includes any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household, including any information that is subject to applicable data protection laws. For the purpose of this Policy, Personal Information generally does not include “protected health information” as defined under the Health Insurance Portability and Accountability Act of 1996, as amended and implemented (“HIPAA”) or information that has been deidentified in accordance with applicable law.
Collection and Use of Your Personal Information
We rely on a wide variety of information to run our business. In some instances, this information may include Personal Information. The following summary describes the type of Personal Information that we collect from you for our purposes and how we use that Personal Information. We also provide information regarding the legal basis of processing such Personal Information, as required by certain privacy laws.
Supplier Relationship ManagementWe collect certain contact and related business information (name, email address, professional contact information) when you or your organization provides us with certain products or services. We also use such information to administer and maintain our relationship with your organization. In some instances, we may collect certain background or screening information to the extent needed and in accordance with applicable law.We have a legitimate interest in administering our relationship with our suppliers and performing our contract with your organization.
|Context||Types of Data||Primary Purpose for Collection and Use of Data|
|Portal/Account Registration||When you register for an account on our Site, we collect your SomaLogic username, password and your name (or alias). If you are a healthcare provider, we may also collect the following business-related information: company name, job title/ responsibility, email address, telephone and fax number, business address, the history of your purchase and/or contractual relationship with SomaLogic. We may also collect information relating to the actions that you perform while logged into your account. If you choose to provide it, we may also collect information such as product and service preferences.||We have a legitimate interest in providing account related functionalities to our users, including account creation and maintenance, and, providing the relevant product or service to you or your patients/end users and performing our contract with you and your organization.|
|Customer Relationship Management/Service Use History||We collect certain contact and related business information (name, email address, professional contact information) when you or your organization obtains products or services from us. We also use such information to administer and maintain our relationship with your organization. In some instances, we may collect certain background or screening information to the extent needed and in accordance with applicable law.||We have a legitimate interest in providing products and services to our customers and performing our contract with your organization.|
We also have a legitimate interest in detecting and preventing fraud.
|Feedback/Support||If you provide us feedback or contact us for support, we will collect your name and e-mail address, as well as any other content that you send to us to reply to you.||We have a legitimate interest in using this information to receive, and act upon, your feedback or issues, such as to develop new ways to meet our customer’s needs and to grow our business.|
|Mailing List||When you sign up for one of our mailing lists or use our “Contact Us” or “Get Updates” functionality, we collect your email address or postal address along with your role in your organization.||We have a legitimate interest in sharing information about our products or services with you and otherwise providing you with marketing or promotional materials.|
|Social Media Information||We may collect certain information related to your social media usage as it relates to us, in particular from business focused social media sites, such as LinkedIn. For instance, we may collect information about users who post about SomaLogic on a social media site, such as to post about their experience with SomaLogic or to repost a news article from SomaLogic.||We have a legitimate interest in using this information to understand your usage of and interactions with our social media sites as it relates to us and to generate related content.|
|Applicant Information||For visitors who apply for employment through a third-party website or through the SomaLogic Site, we may collect information about you, such as your name, location, prior employment history, references, and curriculum vitae. We may also collect certain types of Personal Information that may be considered sensitive or special (e.g., race or ethnic origin, information needed to address workplace accommodations, sexual orientation, and criminal background information), in accordance with and to the extent permitted by applicable law. The Personal Information collected by these third-party sites will also be subject to the privacy practices and policies of those sites.||We have a legitimate interest in obtaining applicant Personal Information to consider applicants for employment. Supranational law, national law, or a collective agreement requires us to process the data to comply with our obligations and rights, and those of the applicants, in the fields of employment, social security and social protection law.|
|Health Information||We may collect information pertaining to your medical history, medical treatment or diagnosis, test results, clinical health, and health care provider information, in accordance with and to the extent permitted by applicable law. We may receive this information from authorized third parties, including, when legally permitted, from your health care providers and health systems. As noted above and in certain circumstances, such information may be submitted by healthcare providers or other customers to us in our capacity as a service provider to those healthcare providers or other customers. In those instances, because we are not acting as a data controller (as the term is defined in applicable law), you should review the privacy policies of such third parties with whom you are dealing directly, as they will be responsible for the handling of your Personal Information in this context.||We have a legitimate interest in collecting information about your health to carry out a contract with you or your healthcare provider or to provide you with services or products.|
|Promotional Material||We may process your Personal Information, such as contact information and name, to send you promotional information about SomaLogic products and services, special promotions, and initiatives such as events, fairs and exhibitions organized by SomaLogic.||We have a legitimate interest in sharing information about our products or services with you and otherwise providing you with marketing or promotional materials.|
We collect Personal Information about you from different sources: (1) directly from you throughout our relationship through both online and offline interactions, including when you contact us, access our Site, use our Site or Services, or sign up for and use our Services; (2) indirectly from you, for example, from observing your actions on our Site; and (3) from other sources, including third parties (such as from companies that also provide marketing lead information or from your employer to the extent your organization is acting as our customer), business partners (e.g., health care providers, health systems, and clinical laboratories), our affiliates, and publicly available sources.
If you do not provide us with certain Personal Information, we may not be able to fulfill the requested purpose of collection, such as to respond to your queries or requests for customer service or to provide the full functionality of our Site to you. However, unless otherwise specified, not providing your Personal Information will not result in legal or other consequences to you.
Although the table above describes our primary purpose in collecting your Personal Information, in many situations we have more than one purpose. As a result, our collection and processing of your Personal Information may be based on different contexts, including any of the following: with your consent, our need to perform a contract, our obligations under law, and our general interest in conducting our business.
We use various reasonable safeguards (administrative, organizational, technical, and physical) to protect the Personal Information we collect and process. Our security controls are designed to maintain an appropriate level of confidentiality, integrity, and availability of your Personal Information. Nonetheless, in the event of an incident that we are required by law to inform you of, we may notify you electronically, in writing, or by telephone, if permitted to do so by law. We encourage you to use caution when using the Internet. If you have reason to believe that your interaction with us is no longer secure, please immediately notify us as specified in the “Contact Us” section below.
The time periods for which we retain your Personal Information depend on the purposes for which we use it and applicable law for the type of data and use. SomaLogic will keep your Personal Information for as long as you are a registered subscriber or user of our Services or for as long as we have a valid business purpose to do so and, thereafter, for no longer than is required or permitted by applicable law, as reflected in SomaLogic’s internal Records Retention Policy. The Personal Information we collect may be stored and processed in servers in the United States or other jurisdictions where SomaLogic, or our service providers, have facilities.
SomaLogic does not knowingly collect Personal Information from children under the age of 13 (or other relevant age of majority) without first obtaining parental consent in accordance with applicable law. Users under the age of 13 should not submit any Personal Information to us. If you believe we have collected Personal Information from your child in error or have questions or concerns about our practices relating to children, please notify us using the details in the “Contact Us” section below. We will take prompt steps to remove the Personal Information from our systems.
SomaLogic is headquartered in the United States, and we have operations, entities, and service providers both in the United States and throughout the world. As such, we and our service providers may transfer your Personal Information to, or access it in, jurisdictions that may not provide equivalent levels of data protection as that of your home jurisdiction. We will take steps to ensure that your Personal Information receives an adequate level of protection in the jurisdictions in which we process it. If you are located in the European Economic Area, Switzerland or the UK, we provide adequate protection for the transfer of Personal Information to countries outside of these areas, such as through the use of authorized EU Standard Contractual Clauses, the UK Standard Contractual Clauses, or the UK Addendum to the EU Standard Contractual Clauses. Depending on your location, you may have the right to request a copy of such appropriate safeguards by contacting us as set out at the end of this Policy.
Depending on where you are located, you may have additional rights, as detailed below.
- The right to access: You may have the right to obtain from us confirmation as to whether or not Personal Information concerning you is being processed, and, where that is the case, to request access to the Personal Information. Information that you have a right to access includes the purposes of the processing, the categories of Personal Information concerned, and the recipients or categories of recipient to whom the Personal Information have been or will be disclosed, among other categories of information. However, this is not an absolute right, and the interests of other individuals may restrict your right of access. You may have the right to obtain a copy of the Personal Information free of charge. For further copies requested by you, we may charge a reasonable fee based on administrative costs.
- The right to rectification (right to correct inaccurate information): You may have the right to request that we correct any Personal Information about you that is inaccurate. Depending on the purpose of the processing, you also have the right to request that we complete the Personal Information we hold about you where you believe it is incomplete, including by means of providing a supplementary statement.
- The right to erasure (right to be forgotten): You may have the right to request that we erase your Personal Information, under certain conditions.
- The right to restrict processing: You may have the right to request that we restrict the processing of your Personal Information, under certain conditions. In such case, the respective data will be marked and may only be processed by us for certain purposes.
- The right to object to processing: You may have the right to object to our processing of your Personal Information, under certain conditions, and we can be required to no longer process your Personal Information. Such right to object may apply if we collect and process your Personal Information for profiling purposes in order to better understand your interests in our products and services or for direct marketing. If you have a right to object and you exercise this right, your Personal Information will no longer be processed by us for such purposes. Such a right to object may not exist if the processing of your Personal Information is necessary to enter into a contract with you or to perform a contract with you that has already been concluded.
- The right to data portability: You may have the right to request that we transfer the Personal Information we have collected about you to another organization, or directly to you, in a structured, commonly used, and machine-readable format, under certain conditions.
- The right to withdraw consent: Where we rely on your consent to process your Personal Information, you have the right to withdraw that consent at any time with future effect. Such a withdrawal will not affect the lawfulness of the processing prior to the consent withdrawal.
- Right to Know what Personal Information is Sold or Shared and to Whom: At the current time, SomaLogic does not sell your Personal Information to or share (as the term is defined by certain privacy laws) your Personal Information with third parties for their marketing purposes.
- Right to Prohibit the Sale or Sharing of Personal Information: At the current time, SomaLogic does not sell your Personal Information to or share (as the term is defined by certain privacy laws) your Personal Information with third parties for their marketing purposes.
- Right to Limit the Use and Disclosure of Sensitive Personal Information: We will only use sensitive or special Personal Information as needed for the purposes for which it was collected. If this changes, we will notify you, and you may have the right to restrict such additional uses.
We do not discriminate against individuals who exercise any of their rights described in this Policy. However, SomaLogic may require the use of your Personal Information to provide access to the Services. Therefore, when you exercise, in particular, your deletion right, as well as other rights, you may lose access to certain aspects of the Services that require your Personal Information.
Note that certain information governed by either the California Confidentiality of Medical Information Act (CMIA) or HIPAA or subject to the Federal Policy for the Protection of Human Subjects (also known as the Common Rule) pursuant to either good clinical practice guidelines issued by the International Counsel for Harmonisation or human subject protection requirements of the United States Food and Drug Administration, (2) is not in scope with respect to the application of and/or to the rights of residents of certain states within the United States. However, additional rights may be available under those laws and standards. Please contact us at [email protected] for more information.
You may also have the right to lodge a complaint with the competent data protection supervisory authority if we have not addressed your questions or concerns about Personal Information. Further, in relation to marketing communications from us, you may choose not to receive such messages by clicking on the unsubscribe link, or by contacting us as specified in the “Contact Us” section below. We may still send you some important emails, like responding to you by email if you send us a request or comment.
Exercising Your Rights
To exercise your rights, or appeal a decision we have made regarding your rights, please contact us as stated in the “Contact Us” section of this Policy, or you may submit a request to us by either:
- Emailing us at [email protected]; or
- Calling us at 877-990-2626
If you choose to assert any of these rights under applicable law, we will respond within the time period prescribed by applicable law. Please note that many of the rights listed in the “Your Rights” section are subject to exceptions and limitations. Further, we may request additional information to respond to or fulfill any requests regarding your rights under applicable law or regulations. Your rights and our responses will vary based on your country or territory of residency.
In certain jurisdictions, a person authorized to act on your behalf may make a verifiable consumer request related to your Personal Information. If you designate an authorized person to submit requests to exercise certain privacy rights on your behalf, we will require verification that you provided the authorized agent with such permission. Specifically, you must provide us with a copy of the signed permission you have given to the authorized agent to submit the request on your behalf and verify your own identity directly with us.
Your verifiable request must: (i) provide sufficient information that allows us to reasonably verify that you are the person about whom we collected Personal Information or that you are an authorized representative of that person; and (ii) describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to the request. We will only use Personal Information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.
As SomaLogic grows and our business changes, we reserve the right to modify, expand, or update this Policy at any time as we deem appropriate to reflect those changes. When we make changes to this Policy, we will post the updated Policy on the Site and update the Policy’s “last updated” date above. It is important that you check back from time to time and make sure that you have reviewed the most current version of this Policy. If you do not agree with the changes, then you should stop using our Site and Services and notify us that you do not want your Personal Information used in accordance with the changes.
If you have questions or concerns regarding this Policy, would like to access the Policy in an alternative format, or would like to update Personal Information we have about you or your preferences, please contact us by email at priva[email protected], or by one of the following additional methods:
In the United States by calling us at 303-625-9000, Toll-Free 877-990-2626, or by writing to us at:
2945 Wilderness Place
Boulder, Colorado 80301
ATTN: Data Privacy Officer
In the EU and UK, we have appointed Reed Smith LLP as our GDPR representative. Reed Smith is authorised to receive communications relating to how we use Personal Information on our behalf and can be contacted by writing to:
For the EU:
Reed Smith LLP
112 Avenue Kléber
+33 (0)1 76 70 40 86
For the UK:
Reed Smith LLP
The Broadgate Tower
20 Primrose Street
London EC2A 2RS
+44 (0)20 3116 3000 ext. 3494