Privacy Notices
Last Updated: November 27, 2024
Privacy Policy
GRAIL, Inc. and its subsidiaries and affiliates (collectively, “GRAIL”) is providing this Privacy Policy to set out the principles governing our use of personal information that we may obtain about you through one or more of our websites at which this Privacy Policy is posted including GRAIL.com (the “GRAIL Site”), provider.grail.com (the “Provider Portal”), my.grail.com (the “Patient Portal”) and Galleri.com (the “Galleri Site”) (collectively, our “Sites”) and in connection with our business (our “Business”).
If you are using our Sites in connection with a HIPAA covered service, please refer to our HIPAA Notice of Privacy Practices, which describes how we use and disclose your protected health information (“PHI”) and your rights with respect to your PHI. In connection with HIPAA covered services, in the event of a conflict between this Privacy Policy and the HIPAA Notice of Privacy Practices, our HIPAA Notice of Privacy Practices will control.
Users in California should also read the Privacy Notice for California Residents, which describes our practices and your rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act. You may have certain rights regarding our processing of your personal information under applicable state law including, for example, if you are a consumer in Colorado, Connecticut, Nevada, Utah or Virginia. Please see our Supplemental State Privacy Notice for more information.
If you are in the EU/EEA or the UK, this Privacy Policy is provided for informational purposes only. Users in the EEA and UK should also read the Privacy Notice for European Users, which provides additional information about how GRAIL processes, stores and transfers your personal information and the rights that you have with respect to such personal information.
If you are outside the European Economic Area (“EEA”) or the United Kingdom (“UK”), by using our Sites, you agree to our use of the personal information that we obtain about you. If you do not agree to this Privacy Policy, do not use our Sites.
Please read this Privacy Policy carefully. We may change our Privacy Policy from time to time. We therefore ask you to check it occasionally to ensure that you are aware of the most recent version that will apply each time you access our Sites. In the event of material changes to this Privacy Policy, we will notify you. Any modifications to this Privacy Policy will be effective upon our posting the new terms and/or upon implementation of the new changes on our Sites (or as otherwise indicated at the time of posting). In all cases, your continued use of our Sites, products and services after the posting of any modified Privacy Policy indicates your acceptance of the terms of the modified Privacy Policy.
For your convenience, our Sites may contain links to a number of other websites that we do not own or operate. If you access those links, you will leave our Sites. This Privacy Policy does not apply to those other websites; we suggest contacting those websites directly for information on their data collection and distribution policies. Any reference to a linked website or any specific third party product or service by name does not constitute or imply its endorsement by us, and you assume all risk with respect to its use.
Information We Collect
We may collect personal information when you visit or interact with our Sites, fill in forms on our Sites, interact with our Business, correspond with us by phone, e-mail or otherwise, or when you inquire about or apply for employment opportunities at GRAIL. This personal information generally refers to information that relates to an identified or identifiable individual or household, such as a name, contact details, or address, and includes the following information, which are referred to in this Privacy Policy as “personal information” generally.
- Information You Provide Us. When you interact with our Sites, for example when you complete one of our online forms such as a job application form, you may provide us with information that we collect, including:
- Contact Information such as your name, title, company, mailing address, email address, phone number, password, resume information, professional credentials, institutional affiliations and any other information you choose to provide to us;
- Health / Test Order Information such as certain health information related to cancer status or cancer risk, demographic information, email address, and address (to the extent such information constitutes PHI, it will be subject to our HIPAA Notice of Privacy Practices);
- Biographical and demographic information such as date of birth, age, gender, marital status, and information regarding any parents or legal guardians;
- Testimonials such as any information you provide related to your experiences with our products and services;
- Marketing and communication data which tells us your preference in receiving marketing from us and our third parties and your communication preferences;
- Sensitive personal information such as your race or ethnicity, or criminal offenses. Please note that we do not ask for any sensitive personal information through our Sites (except for responses to job postings that are collected by a third party) and request that you omit any such information in any communications with us. If you send us sensitive personal information, we will delete it unless you provide your specific consent to having us include it in your account, as it will be processed with the rest of your personal information; and
- Payment-related information such as credit card and financial account information.
- Information that We Collect Automatically When You Visit our Sites. When you visit our Sites, we may collect the following information from your computer or other electronic device (for more information regarding our collection of this information, please see our Cookie Notice).
- Technical data such as your internet protocol (“IP”) address, your login data, the web page you visited before visiting our Sites, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our Sites; and
- Usage data which tells us how you use our Sites.
Personal information does not include information that can no longer be used to identify you, whether in combination with other information or otherwise, including de-identified or aggregated consumer information.
Purposes for which we will use your personal information
We will only use your personal information in compliance with applicable law. Most commonly, we will use your personal information in the following circumstances:
- To provide services to you or to perform the contract we are about to enter into or have entered into with you.
- To manage our relationship with you.
- To process your registration on our Sites and send you information about changes to our Terms of Service and other policies.
- To communicate with you and respond to your service-related requests, questions, and feedback.
- To verify your identity or provide you with the information, products and services that you request. For example, we provide information or respond to your questions when you contact us.
- To facilitate our recruitment activities and process employment applications, such as by evaluating a job candidate for an employment activity, and monitoring recruitment statistics.
- To provide, evaluate, improve, protect, and promote our Sites and our products. Note that we use your usage data and technical data, including the actions you take in your account (such as visits to our Sites, page interaction information, and search history) as well as cookies and other technologies for these purposes, as further described in our Cookie Notice.
- To comply with a legal or regulatory obligation, such as a subpoena, court order, warrant, or similar legal process.
- Where you have given your consent and as described to you when we collect your personal information.
- Where it is necessary for our legitimate interests (or those of a third party) and, where consistent with applicable laws.
- To provide you with access to content and features on our Sites and develop our Business and our Sites;
- To enhance your experience when you visit our Sites, such as remembering your preferences. We may also use your personal information to provide you with information about our Business we feel may interest you, market new products to you, and send you communications about new features. If you do not want us to use your data in this way, select the ‘unsubscribe’ link in any email communication, or text ‘STOP’ to opt out of any SMS communication, from us;
- To monitor the use of our Sites and use personal information to help us provide, evaluate, improve, protect, and promote our Sites and our products, both online and offline;
- To ensure the security of our Sites, by preventing unauthorized or malicious activities;
- To investigate any complaints received from you or from others about our Sites or our Business;
- To enforce compliance with our Terms of Service and other policies and to help other organizations (such as copyright owners) enforce their rights;
- To protect our, your or others’ rights, privacy, safety or property (including by making and defending legal claims); and
- To investigate and deter fraudulent, harmful, unauthorized, unethical, or illegal activity.
Sharing Your Data
We may share information as discussed below.
Affiliates. We may share your personal information with our corporate parent, subsidiaries, and affiliates, for purposes consistent with this Privacy Policy.
Service Providers and Contractors. GRAIL uses trusted third parties with whom we contract to help us provide, improve, protect, and promote our Sites and our Business, and to perform business operations, such as determining eligibility for our products. These third parties may contact you on our behalf to perform these business operations. These third parties will access your personal information only to perform tasks on our behalf in compliance with this Privacy Policy.
Other Applications and Third-party Links. The Sites may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy policies. When you leave our Sites, we encourage you to read the privacy policies of every website you visit. Please remember that their use of your personal information will be governed by their privacy policies and terms.
The Public, with your consent. We may make available functionality that enables you to disclose information to the public. We do not control how other individuals or third parties use any personal information that you choose to make available to the public. If you gave us consent to post a testimonial on our Sites and/or social media pages but wish to update or delete it, please contact us at privacy@grailbio.com.
For Compliance, Fraud Prevention and Safety. We may share personal information for the compliance, fraud prevention and safety purposes described above and to comply with legal requirements and processes.
Business Transfers. We may transfer or otherwise share some or all of our business or assets, including personal information, in connection with a business transaction (or potential business transaction) such as a corporate divestiture, merger, consolidation, acquisition, reorganization or sale of assets, or in the event of bankruptcy or dissolution.
Legal Purposes. We will disclose your personal information when we think it is necessary to investigate or prevent actual or suspected fraud, criminal activity, injury or damage to us or others; when otherwise required by law, regulation, subpoena, court order, warrant, or similar legal process; or if necessary to assert or protect our rights or assets.
Other Parties. To another party or parties for any other purpose disclosed by us when you provided your personal information, with your consent or authorization, or as otherwise permitted or required by applicable law.
Protecting Your Data
We take reasonable precautions intended to help protect the personal information that we collect and store; however, no system or online transmission of data is completely secure. We cannot guarantee the security of information transmitted to or through our services. Any transmission is at your own risk. Please use security measures to protect your personal information.
Children
Consistent with the United States Children’s Online Privacy Protection Act of 1998 (“COPPA”), we do not knowingly request personally identifiable information from anyone under the age of 13 without requiring parental consent. Any person who provides their personal information to GRAIL through our Sites represents that they are 13 years of age or older. If a parent or guardian becomes aware that his or her child has provided us with information without their consent, he or she should contact us. We will delete such information from our files as soon as reasonably practicable. We encourage parents with concerns to contact us at privacy@grailbio.com.
Where We Store and Transfer Your Data
The Sites are controlled by GRAIL from its offices in the United States. GRAIL may store and use information in the United States, the UK and other jurisdictions; any personal information provided to GRAIL will be transmitted to or within those jurisdictions. GRAIL also may transfer information and personal information to other jurisdictions to facilitate GRAIL’s third party processors’ access to and/or processing of information and/or personal information. Such jurisdictions may have privacy laws not as protective as those in your jurisdiction. Users in the EEA and the UK should read the important information provided in the Privacy Notice for European Users about transfer of personal information outside of the EU/EEA and UK.
GRAIL makes no representation that materials on our Sites are appropriate or available for use in other locations, and access to them from territories where their contents are illegal is prohibited. Those who choose to access our Sites from other locations do so on their own initiative and are responsible for compliance with applicable local laws.
Your Choices
Update Your Information. If you become aware that the personal information we maintain about you is inaccurate, incomplete, misleading, irrelevant or out of date, you may contact us using our online request form.
Marketing Communications. You may opt out of marketing-related emails by clicking the “Unsubscribe” link at the bottom of each such email, or by sending an email with the subject line “Unsubscribe” to privacy@grailbio.com. You may continue to receive service-related and other non-marketing emails. You may opt-out of receiving physical mail by contacting privacy@grailbio.com.
Do Not Track. Some internet browsers may be configured to send “Do Not Track” signals to the online services that you visit. We currently do not respond to “Do Not Track” or similar signals. To find out more about “Do Not Track,” please visit http://www.allaboutdnt.com.
Testimonials. If you gave us consent to post a testimonial on our Sites and/or or social media pages, but wish to update or delete it, please contact us at privacy@grailbio.com.
Use of Cookies and Other Technologies
Certain of our Sites use “cookies” to gather general information about the browsing activities of visitors to those Sites. Please see our Cookie Notice for more information.
Retaining Your Personal Data
We seek to only retain personal information for as long as necessary to fulfill the purposes for which we collected such information, as set out in this Privacy Policy, including for the purposes of satisfying any legal, accounting, or reporting requirements, subject to your rights, in certain circumstances, to have your personal information erased. We may be required in law to hold certain personal information for specific periods. In other cases, we will retain your personal information for an appropriate period after our relationship ends to protect ourselves from legal claims or to administer our business. To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Contact
Have questions or concerns about our Privacy Policy? Contact us:
GRAIL, Inc.
Attention: Legal Department
1525 O’Brien Drive
Menlo Park
California 94025
By email: privacy@grailbio.com
By telephone: (833) 694‑2553
Privacy Notice for California Residents
If you are a California resident, then this California privacy notice may apply to you in addition to our Privacy Policy. This privacy notice is intended to describe our practices and your rights under the California Consumer Privacy Act of 2018 (“CCPA”), as amended by the California Privacy Rights Act of 2020 (“CPRA”) (collectively, the “CCPA/CPRA”) and applies to personal information of California residents. For purposes of this privacy notice, the term “personal information” means information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
Personal information does not include:
- Protected health information subject to the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, as amended (collectively, “HIPAA”);
- Medical information governed by the California Confidentiality of Medical Information Act (“CMIA”);
- Clinical trial data or other information that is collected, used or disclosed in research;
- Publicly available information from government records or lawfully obtained truthful information that is a matter of public concern; or
- De-identified or aggregated consumer information.
If you are a California resident seeking information about your protected health information, please refer to our HIPAA Notice of Privacy Practices (“HIPAA NPP”), which describes how we use and disclose your protected health information, our legal duties with respect to your protected health information, and your rights with respect to your protected health information and how you may exercise them.
Categories of Personal Information We Collect and Our Purposes for Collection. In the previous 12 months, we may have collected the following categories of personal information for the following purposes:
left blank
Category of Personal Information | Purpose(s) for Collection and Use |
---|---|
Identifiers (e.g., a real name, alias, postal address, IP address, email address, account name, and other similar identifiers) |
To provide, support, market, communicate about, and develop our products, services, events, and other offerings; to administer user accounts; to facilitate our recruitment activities and process employment applications |
Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)) (e.g., name, address, signature, telephone number, driver’s license number, credit card number or other financial information, education, employment, employment history, and health or medical information (where that information is processed in those situations outside the scope of either HIPAA or CMIA). Some personal information included in this category may overlap with other categories.) |
To provide, support, market, communicate about, and develop our products, services, events, and other offerings; to administer user accounts; to process payments, administer fees, provide users with invoices, or resolve billing issues; to facilitate recruitment activities and process employment applications. To the extent personal data within this category constitutes PHI under HIPAA, it will be treated in accordance with our HIPAA NPP. |
Protected classification characteristics under California or federal law (e.g., age (40 years or older), race, citizenship, marital status, medical condition, physical or mental disability, sex, and veteran or military status.) |
To provide, support, market, communicate about, and develop our products, services, events, and other offerings; to administer user accounts; to facilitate our recruitment activities and process employment applications. To the extent personal data within this category constitutes PHI under HIPAA, it will be treated in accordance with our HIPAA NPP. |
Commercial information (e.g., records of products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.) |
To provide, support, market, communicate about, and develop our products, services, events, and other offerings; to conduct research and analysis; to perform quality improvement activities |
Internet or other similar network activity (e.g., browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement.) |
To provide, support, market, communicate about, and develop our products, services, events, and other offerings; to conduct research, analysis, and quality improvement activities |
Geolocation data (e.g., state level geographic location information about a particular individual or device.) |
To market and communicate about our products, services, events, and other offerings; to evaluate the effectiveness of our marketing activities |
Sensory data (e.g., audio, electronic, and visual information, such as CCTV recordings from our office premises, and audio recordings of calls made to our call center.) |
To protect our, your, or others’ rights, privacy, safety or property; and to investigate and deter fraudulent, harmful, unauthorized, unethical, or illegal activity |
Professional or employment-related information (e.g., Current or past job history or performance evaluations. |
To facilitate our recruitment activities and process employment applications, such as by evaluating a job candidate for an employment activity and monitoring recruitment statistics |
Non-public education information (e.g., education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.) |
To facilitate our recruitment activities and process employment applications, such as by evaluating a job candidate for an employment activity and monitoring recruitment statistics |
Inferences drawn from other Personal Information (e.g., consumer profile inferred from any of the information included in this chart, including preferences, characteristics and predispositions |
To market and communicate about our products, services, events, and other offerings; to evaluate the effectiveness of our marketing activities |
Other (e.g., customer information regarding products and services, testimonials and other information as described in our Privacy Policy.) |
To provide, support, market, communicate about, and develop our products, services, events, and other offerings; to conduct research, analysis, and quality improvement activities; as may be communicated to you at the time your personal information is collected |
Sources from Which We Collect Personal Information: We may collect personal information from you directly or may receive your personal information from third parties or through other automated means. For additional information on how we may collect personal information, refer to the “Information We Collect” section of our Privacy Policy.
Categories of Third Parties to Whom we Disclose Your Personal Information: We may disclose your personal information to the third parties described in the “Sharing Your Data” section of our Privacy Policy as well as with other third parties as may be described to you at the time we collect your personal information.
Sale or Sharing of Your Personal Information: We do not generally sell or share information as the terms “sell” and “sharing” are traditionally understood. We do not sell or share personal information (including de-identified personal information) to third parties for money. During the past 12 months, we may have engaged in delivering online advertising that was tailored to your interests, but we did not disclose data that would identify you by name, address or phone number. To the extent “sale” or “sharing” under the CCPA/CPRA are interpreted to include advertising technology activities such as those disclosed here and in our Privacy Policy as a “sale” or “sharing,” we will comply with applicable law, including the CCPA/CPRA, as to such activities. As described below, you have the right to opt out of the “sale” or “sharing” of your personal information. Additionally, you should know that the CCPA/CPRA prohibits third parties to whom we “sell” or “share” personal information from reselling or resharing it unless you have received explicit notice and an opportunity to opt-out of further sales or sharing. We do not sell or share sensitive personal information, nor do we sell or share any personal information about individuals who we know are under sixteen (16) years old.
California Privacy Rights. If you are a California consumer, you have certain rights related to your personal information under the CCPA/CPRA, including:
- Right to Know. You have the right to request that we disclose certain information to you about our collection and use of your personal information. Once we receive and verify your request, we will disclose to you, if requested: the categories of personal information we collected about you; the specific pieces of personal information we collected about you; the categories of sources for the personal information we collected about you; our business or commercial purpose for collecting, disclosing, selling or sharing your personal information; the categories of third parties to whom we disclose your personal information; and if we sold, shared or disclosed your personal information for a business purpose, three separate lists setting out: sales (identifying the personal information categories that each category of recipient purchased); sharing (identifying the personal information categories that each category of recipient obtained); and disclosures for a business purpose (identifying the personal information categories that each category of recipient obtained).
- Right to Delete. You have the right to request that we delete personal information we have collected about you, subject to certain exceptions.
- Right to Correct Inaccurate Information. You have the right to correct inaccurate personal information that we maintain about you.
- Right to Opt-Out of Sale or Sharing. You have the right to opt out of the sale or sharing of your personal information. To exercise that right, please contact us using the Your Privacy Choices form. Additionally, GRAIL processes opt-out preference signals in a frictionless manner communicated through Global Privacy Control settings you may turn on in certain browsers.
- Right to Limit the Use and Disclosure of Sensitive Personal Information. You have the right to limit the use or disclosure of your sensitive personal information if used to infer characteristics about you. To exercise this right, please contact us using the Your Privacy Choices form. GRAIL may continue using sensitive personal information for certain purposes expressly permitted by the CCPA/CPRA.
Non-Discrimination. Consistent with the CCPA/CPRA, we will not discriminate against you for choosing to exercise any of your CCPA/CPRA rights, including, for example, by denying goods or services to you, charging you different prices or rates, or providing a different level of quality of products or services. However, we may charge a different price or rate or provide a different level or quality of goods or services when that difference is reasonably related to the value provided to us by the data.
Methods for Submitting Requests. There are many ways you can exercise your rights under the CCPA/CPRA, including by:
- Completing an online request using our Your Privacy Choices form here;
- Sending us an email at privacy@grailbio.com with the phrase “California Privacy Rights” in the subject line;
- Sending us a letter at the address provided in the Contact Us section of this Privacy Policy; or
- Calling us toll-free at (833) 694‑2553.
Once we have received your request, we will process your request within the time provided by applicable law. If we need more time, we will tell you in writing why and how much longer we need, either by mail or electronically (based on your choice).
Authorized Agents. You may use an authorized agent to submit a consumer rights request. When we verify your agent’s request, we may verify both your and your agent’s identity and request a signed document from you that authorizes your agent to make the request for you. To protect your personal information, we reserve the right to deny a request from an agent that does not submit adequate proof that you authorized them to act for you.
Verification. When you exercise your right to know, delete, or correct, we will take steps to verify your identity with a reasonably high degree of certainty before processing your request. We may ask for additional information so that we can verify your identity. If it is necessary to collect additional information, we will use the information only for verification purposes and will delete it as soon as practicable after complying with your request. We will only use the personal information you provide to us in response to this request to verify your identity and to process your request, unless you initially provided the information for another purpose. We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you.
Retaining Your Personal Information: We seek to only retain personal information for as long as necessary to fulfill the purposes for which we collected such information, as set out in this Privacy Policy, including for the purposes of satisfying any legal, accounting, or reporting requirements, subject to your rights, in certain circumstances, to have your personal information erased. We may be required by law to hold certain personal information for specific periods. In other cases, we will retain your personal information for an appropriate period after our relationship ends to protect ourselves from legal claims or to administer our business. To determine the appropriate retention period for personal information, we consider the amount, nature and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.
Shine the Light
In addition to the CCPA/CPRA privacy rights described above, California law permits California residents to request certain details about how their information is shared with third parties and, in some cases, affiliates, for those third parties’ and affiliates’ own direct marketing purposes. Under the law, a business must either provide this information or permit California customers to opt in to, or opt out of, this type of sharing. We may from time to time elect to share certain personal information (as defined by the California Shine the Light Act) about you collected by us with third parties or affiliates for those third parties’ or affiliates’ own direct marketing purposes. Californians are entitled to request information relating to our compliance with the California Shine the Light Act and to opt out of such future sharing of your personal information by contacting us at privacy@grailbio.com with the phrase “Do Not Share” in the subject line.
Supplemental State Privacy Notice
Additional Rights Under State Laws
You may have certain rights regarding our processing of your personal information under applicable state law, including, for example if you are a consumer in Colorado, Connecticut, Nevada, Utah or Virginia. This section is intended to comply with these laws by supplementing the information provided elsewhere in the Privacy Policy.
Collection of personal information. GRAIL may collect the personal information described in the What Information We Collect section of our Privacy Notice. Please note that some of this personal information will be considered sensitive under your state’s legal definition which can vary across different states. Any health information we collect is subject to our HIPAA Notice of Privacy Practices. In the event of a conflict between this Supplemental State Privacy Notice and the HIPAA Notice of Privacy Practices, the Notice of Privacy Practices will control with respect to your health data.
Use of personal information. We may collect, use, or disclose personal information about US state residents for purposes listed in the Purposes for Which We Will Use your Data section of our Privacy Statement.
Disclosure of personal information. We may disclose your personal information to the categories of service providers and third parties identified in the Sharing your Data section of our Privacy Notice, and in ways that are described in that section.
Your privacy rights. We provide the privacy rights described in the Your Choices section of our Privacy Notice regardless of your location. Your state may afford you additional privacy rights as noted below. To exercise your right, please email us at privacy@grailbio.com or visit our Your Privacy Choices form. We will respond to your verifiable request within the time limit afforded under applicable law.
- The right to know whether GRAIL is processing your personal information
- The right to receive (“access”) a copy of your personal information
- The right to correct inaccurate personal information
- The right to request deletion of your personal information
- The right to opt out of certain disclosures of your Personal Information (for more information about your right to opt-out, please see below)
- The right to appeal GRAIL’s refusal to take action regarding a privacy rights request
Please note that exceptions to these rights may still apply as otherwise described in this Privacy Notice.
Additional opt-out rights
- Certain states have the right to opt out of targeted advertising and sales. If you are a resident of one of these states, you can use our cookie preferences tool (click on "Cookie Notice and Choices" in the site footer) to disable ad trackers on our website in order to opt out.
- Users in some states may opt out of profiling in furtherance of decisions that produce legal or similarly significant effects. While you may still make this request, GRAIL does not currently use profiling in this manner.
- Certain states provide residents a limited right to opt out of the sale of personal information. GRAIL does not sell or share personal information (including de-identified personal information) to third parties for money. We may engage in delivering online advertising that was tailored to your interest, but we do not disclose data that would identify you by name, address, or phone number, nor do we disclose sensitive information like health data for those purposes. To the extent “sale” is interpreted under applicable law to include advertising technology activities described here and elsewhere in our Privacy Policy as a “sale,” we will comply with applicable law with respect to such activities. You can exercise your rights to opt-out by emailing us at privacy@grailbio.com or visiting our Your Privacy Choices form.
These rights will not apply, however, if GRAIL does not collect any personal information about you or if all of the information we collect is exempt from your applicable state’s privacy laws. For example, these state laws do not apply to personal information that is already protected by certain other privacy laws, such as protected health information subject to HIPAA. For information regarding your rights with respect to your protected health information, please visit our HIPAA Notice of Privacy Practices.
Privacy Notice for European Users
GRAIL’s processing of your personal data may be subject to applicable privacy laws in the EEA and the UK, including the General Data Protection Regulation (EU) 2016/679 (“EU GDPR”), the UK Data Protection Act 2018 (“DPA18”) and the EU GDPR as it forms part of the law of England, Wales, Scotland and Northern Ireland (together with the DPA18, the “UK GDPR”).
For the purposes of this privacy notice, “personal data” means any data or information that relates to and can identify a living individual. The data controller of your personal data is GRAIL, Inc., which can be contacted by post at GRAIL Bio UK Ltd. 210 Euston Road, London, NW1 2DA (Attn: Legal Department), by email at privacy@grailbio.com and by telephone at +0-808-303-0070.
Depending on the context in which GRAIL collects and uses your personal data, this Privacy Notice for European Users may apply in addition to, or be superseded by, other privacy notices or policies that govern our processing of your personal data. For example, participants in GRAIL’s clinical research trials will receive a privacy notice or policy that is specific to each trial, whereas if you apply for a position at GRAIL Bio UK Ltd, our Applicant Privacy Notice will explain more about how we process your personal data in that specific context.
Provision of Personal Data. We only process personal data where we have a legal basis for doing so. The legal bases are described in the section of our Privacy Policy titled “Purposes for which we will use your data”. Where we use your personal data to provide our products or services, in relation to your application for employment or to comply with our legal obligations, the provision of this personal data is mandatory. The failure to provide the requested personal data means that we may not be able to provide these products or services or process your application. The provision of all other personal data, such as the details you provide so we can send marketing communications, is optional.
Your Rights. If you are an individual in the EEA or the UK, or GRAIL’s processing of your personal data is otherwise subject to the GDPR or the UK GDPR, you may have certain rights with respect to your personal data. You can exercise these rights at any time by contacting us at privacy@grailbio.com.
- Request Access to your Personal Data. You can request a copy of the personal data we hold about you.
- Request Correction of your Personal Data. You can ask us to correct any incomplete or inaccurate personal data we hold about you.
- Request Erasure of your Personal Data. You can ask us to delete your personal data where there is no legitimate reason for us continuing to process it.
- Request Restriction of your Personal Data. You can ask us to suspend the processing of your personal data (such as when you want us to establish its accuracy or the reason for processing it).
- Request Portability of your Personal Data. You can ask us to transfer your personal data to another data controller in a machine-readable form. This right will only apply where we process your personal data based on your consent or where the processing is necessary for the performance of a contract between us.
- Object to the Processing of your Personal Data. You can object to our processing where we are relying on a legitimate interest (or those of a third party) as our legal basis. You can also object at any time to our use of your personal data for direct marketing purposes.
- Withdraw Your Consent. Where we are relying on your consent to process your personal data, you can withdraw consent at any time. This will not affect the lawfulness of any processing carried out before you withdraw your consent. However, where we are relying on your consent as the legal basis for processing, we may not be able to provide certain products or services to you following the withdrawal of such consent.
- You also have the right to complain to an EEA or UK data protection authority in the place you live, work or where you believe a breach of the GDPR or the UK GDPR occurred. However, GRAIL would appreciate the opportunity to address your concerns before you do this, so please contact us in the first instance at privacy@grailbio.com.
If necessary, we will notify any other parties (such as our suppliers or service providers) to which we have transferred your personal data of any changes that we make when you make a request under the GDPR or the UK GDPR. While we communicate to these parties, we are not responsible for the actions they take to answer your request. In some cases, you may also be able to access your personal data held by these third parties and correct, amend or delete it where it is inaccurate.
Your rights under the GDPR and the UK GDPR may be limited, such as where fulfilling your request would reveal personal data about another person or would infringe the rights of a third party (including our rights), or if you ask us to erase personal data that we are required by law to keep or have compelling legitimate interests in keeping. We will inform you of relevant exemptions we rely upon when responding to any request you make.
Transferring your Personal Data. When we transfer your personal data outside the EEA and the UK, and to the extent required by the GDPR and the UK GDPR, we rely on appropriate or suitable safeguards to transfer your personal data, including:
- Using standard contractual clauses approved by relevant authorities as ensuring adequate safeguards for personal data;
- Obtaining your consent to transfer personal data after first informing you about the possible risks of such a transfer;
- When the transfer is necessary for the performance of a contract between you and us or if the transfer is necessary for the performance of a contract between us and a third party that is entered into in your interest; and
- Where the transfer is necessary to establish, exercise or defend legal claims.
For further information, including to obtain a copy of the documents used to protect your personal data, please contact us at privacy@grailbio.com.
Retaining your Personal Data. We seek to only retain personal data described in this Privacy Notice and our Privacy Policy for as long as necessary to fulfill the purposes for which we collected such data, as set out in this Privacy Notice and our Privacy Policy, including for the purposes of satisfying any legal, accounting, or reporting requirements, subject to your rights, in certain circumstances, to have your personal data erased. We may be required in law to hold certain personal data for specific periods. In other cases, we will retain your personal data for an appropriate period after our relationship ends to protect ourselves from legal claims or to administer our business. To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Contact
Contact us:
GRAIL
Attention: Legal Department
1525 O’Brien Drive
Menlo Park, California 94025
By email: privacy@grailbio.com
By telephone: (833) 694‑2553
The Galleri test is recommended for use in adults with an elevated risk for cancer, such as those aged 50 or older. The Galleri test does not detect all cancers and should be used in addition to routine cancer screening tests recommended by a healthcare provider. Galleri is intended to detect cancer signals and predict where in the body the cancer signal is located. Use of Galleri is not recommended in individuals who are pregnant, 21 years old or younger, or undergoing active cancer treatment.
Results should be interpreted by a healthcare provider in the context of medical history, clinical signs and symptoms. A test result of No Cancer Signal Detected does not rule out cancer. A test result of Cancer Signal Detected requires confirmatory diagnostic evaluation by medically established procedures (e.g. imaging) to confirm cancer.
If cancer is not confirmed with further testing, it could mean that cancer is not present or testing was insufficient to detect cancer, including due to the cancer being located in a different part of the body. False-positive (a cancer signal detected when cancer is not present) and false-negative (a cancer signal not detected when cancer is present) test results do occur. Rx only.
The GRAIL clinical laboratory is certified under the Clinical Laboratory Improvement Amendments of 1988 (CLIA) and accredited by the College of American Pathologists. The Galleri test was developed and its performance characteristics were determined by GRAIL. The Galleri test has not been cleared or approved by the Food and Drug Administration. The GRAIL clinical laboratory is regulated under CLIA to perform high-complexity testing. The Galleri test is intended for clinical purposes.