Last modified: March 20, 2021
We may collect, use, store and transfer the following information to provide, improve and protect our Sites and in connection with our Business.
Contact Information such as your name, title, company, mailing address, email address, phone number, password, resume information, professional credentials, institutional affiliations, feedback and any other information you choose to provide to us;
Health / Test Order Information such as certain health information related to cancer status or cancer risk, demographic information, email address, and address;
Biographical and demographic information such as date of birth, age, gender, marital status, and information regarding any parents or legal guardians;
Testimonials such as any information you provide related to your experiences with our products and services;
Marketing and communication data which tells us your preference in receiving marketing from us and our third parties and your communication preferences;
Sensitive personal information such as your race or ethnicity, your political opinions, religious beliefs, membership in a trade union, physical or mental health condition, sexual orientation, or criminal offenses. Please note that we do not ask for any sensitive personal information through our Sites (except for responses to job postings that are collected by a third party) and request that you omit any such information in any communications with us. If you send us sensitive personal information, we will delete it unless you provide your specific consent to having us include it in your account, as it will be processed with the rest of your personal information; and
Payment-related information such as credit card and financial account information.
Technical data such as your internet protocol (“IP”) address, your login data, the web page you visited before visiting our Sites, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our Sites; and
Usage data which tells us how you use our Sites.
We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:
To process your registration on our Sites; and
To send you information about changes to our Terms of Service and other policies.
To communicate with you and respond to your service-related requests, questions and feedback.
Providing you with access to content and features on our Sites and developing our Business and our Sites;
Monitoring the use of our Sites and using personal information to help us evaluate, improve and protect our Sites and our products, both online and offline;
Ensuring the security of our Sites, by preventing unauthorized or malicious activities;
Investigating any complaints received from you or from others about our Sites or our Business;
Enforcing compliance with our Terms of Service and other policies and to help other organizations (such as copyright owners) enforce their rights;
Protecting our, your or others’ rights, privacy, safety or property (including by making and defending legal claims); and
Investigating and deterring against fraudulent, harmful, unauthorized, unethical or illegal activity.
To facilitate our recruitment activities and process employment applications, such as by evaluating a job candidate for an employment activity, and monitoring recruitment statistics.
Where we need to comply with a legal or regulatory obligation.
Where you have given your consent.
The ways we plan to use your personal information are as follows:
Business. We collect data in connection with developing our Business and our Sites.
Usage. We also use your data, especially usage data and technical data, including the actions you take in your account (such as visits to our Sites, page interaction information, and search history), to evaluate and improve our Sites and our products.
Cookies and other technologies. We use technologies like cookies to provide, improve, protect, and promote our Sites and our products.
Marketing. We also use your data to provide you with information about our Business we feel may interest you. If you do not want us to use your data in this way, select the ‘unsubscribe’ link in any email communication from us.
Relationship. We will also use your data to manage our relationship with you.
We may share information as discussed below, but we will not sell it to advertisers or third parties.
Other applications and third-party links. The Sites may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy policies. When you leave our Sites, we encourage you to read the privacy policies of every website you visit. Please remember that their use of your personal information will be governed by their privacy policies and terms.
The public. We may make available functionality that enables you to disclose information to the public; for example, when you submit or permit us to post testimonials on our Sites and/or social media channels. We do not control how other individuals or third parties use any personal information that you make available to the public.
Advertising partners. We may share personal information with third party advertising companies that collect information about your activity on our Sites and other online services for advertising purposes.
For compliance, fraud prevention and safety. We may share personal information for the compliance, fraud prevention and safety purposes described above and to comply with legal requirements and processes.
Business transfers. We may sell, transfer or otherwise share some or all of our business or assets, including personal information, in connection with a business transaction (or potential business transaction) such as a corporate divestiture, merger, consolidation, acquisition, reorganization or sale of assets, or in the event of bankruptcy or dissolution.
We implement measures and procedures that protect the privacy of individuals and help ensure that data protection is integral to all processing activities, such as pseudonymization, anonymization, information security controls, and a data retention protocol. However, security risk is inherent in all internet and information technologies and we cannot guarantee the security of your personal information.
Consistent with the United States Children’s Online Privacy Protection Act of 1998 (“COPPA”), we do not knowingly request personally identifiable information from anyone under the age of 13 without requiring parental consent. Any person who provides their personal information to GRAIL through our Sites represents that they are 13 years of age or older. If a parent or guardian becomes aware that his or her child has provided us with information without their consent, he or she should contact us. We will delete such information from our files as soon as reasonably practicable. We encourage parents with concerns to contact us at firstname.lastname@example.org.
GRAIL makes no representation that materials on our Sites are appropriate or available for use in other locations, and access to them from territories where their contents are illegal is prohibited. Those who choose to access our Sites from other locations do so on their own initiative and are responsible for compliance with applicable local laws.
Update your information. If you become aware that the personal information we maintain about you is inaccurate, incomplete, misleading, irrelevant or out of date, you may contact us at email@example.com.
Marketing communications. You may opt out of marketing-related emails by clicking the “Unsubscribe” link at the bottom of each such email, or by sending an email with the subject line “Unsubscribe” to firstname.lastname@example.org. You may continue to receive service-related and other non-marketing emails.
Do not track. Some internet browsers may be configured to send “Do Not Track” signals to the online services that you visit. We currently do not respond to “Do Not Track” or similar signals. To find out more about “Do Not Track,” please visit https://allaboutdnt.com.
Testimonials. If you gave us consent to post a testimonial on our Sites and/or or social media pages, but wish to update or delete it, please contact us at email@example.com.
Our Sites use “cookies” to gather general information about the browsing activities of visitors to our Sites. This allows us to constantly improve our Sites’ design by arranging the content in the most user-friendly manner and to continually meet the users’ needs. A cookie is a small text file that is placed on your hard disk by a web page server. Cookies contain information that can later be read by a web server in the domain that issued the cookie to you. (Nevertheless, we cannot guarantee that cookies will not be accessed by other persons.)
You have the ability to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. If you choose to decline cookies, you may not be able to sign in or use other interactive features of our Sites that depend on cookies. To learn more about how to manage cookies on different types of browsers, you can visit the website www.allaboutcookies.org.
We may use the following types of cookies:
Strictly necessary cookies: These cookies would be necessary for our Sites to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.
Analytics cookies: These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our Sites. They help us to know which pages are the most and least popular and see how visitors move around the Sites. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our Sites, and will not be able to monitor its performance.
Advertising cookies: These cookies may be set through our Sites by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.
We use Google Analytics, which collects information about usage of our Sites and allows us to receive information about general usage statistics.
In addition to the rights already described, California law permits California residents to request certain details about how their information is shared with third parties and, in some cases, affiliates, for those third parties’ and affiliates’ own direct marketing purposes. Under the law, a business must either provide this information or permit California customers to opt in to, or opt out of, this type of sharing.
We may from time to time elect to share certain personal information about you collected by us with third parties or affiliates for those third parties’ or affiliates’ own direct marketing purposes. If you are a California resident, you may opt out of such future sharing of your personal information (as defined by the California Shine the Light Act) by contacting us at firstname.lastname@example.org with the phrase “Do Not Share” in the subject line.
GRAIL’s processing of your personal data may be subject to applicable privacy laws in the EEA and the UK, including the General Data Protection Regulation (EU) 2016\679 (“GDPR”) and the Data Protection Act 2018 (“DPA18”).
Your rights. If you are an individual in the EEA or the UK, or GRAIL’s processing of your personal data is otherwise subject to the GDPR or the DPA18, you may have certain rights with respect to your personal data. You can exercise these rights at any time by contacting us at email@example.com.
Request access to your personal data. You can request a copy of the personal data we hold about you.
Request correction of your personal data. You can ask us to correct any incomplete or inaccurate personal data we hold about you.
Request erasure of your personal data. You can ask us to delete your personal data where there is no legitimate reason for us continuing to process it.
Request restriction of your personal data. You can ask us to suspend the processing of your personal data (such as when you want us to establish its accuracy or the reason for processing it).
Request portability of your personal data. You can ask us to transfer your personal data to another data controller in a machine-readable form. This right will only apply where we process your personal data based on your consent or where the processing is necessary for the performance of a contract between us.
Object to the processing of your personal data. You can object to our processing where we are relying on a legitimate interest (or those of a third party) as our legal basis. You can also object at any time to our use of your personal data for direct marketing purposes.
Withdraw your consent. Where we are relying on your consent to process your personal data, you can withdraw consent at any time. This will not affect the lawfulness of any processing carried out before you withdraw your consent. However, where we are relying on your consent as the legal basis for processing, we may not be able to provide certain products or services to you following the withdrawal of such consent.
You also have the right to complain to an EEA or UK data protection authority in the place you live, work or where you believe a breach of the GDPR or the DPA18 occurred. However, GRAIL would appreciate the opportunity to address your concerns before you do this, so please contact us in the first instance at firstname.lastname@example.org.
If necessary, we will notify any other parties (such as our suppliers or service providers) to which we have transferred your personal data of any changes that we make when you make a request under the GDPR or the DPA18. While we communicate to these parties, we are not responsible for the actions they take to answer your request. In some cases, you may also be able to access your personal data held by these third parties and correct, amend or delete it where it is inaccurate.
Your rights under the GDPR and the DPA 18 may be limited, such as where fulfilling your request would reveal personal data about another person or would infringe the rights of a third party (including our rights), or if you ask us to erase personal data that we are required by law to keep or have compelling legitimate interests in keeping. We will inform you of relevant exemptions we rely upon when responding to any request you make.
Transferring you personal data. When we transfer your personal data outside the EEA and the UK, and to the extent required by the GDPR and the DPA18, we rely on appropriate or suitable safeguards to transfer your personal data, including:
Using standard contractual clauses approved by relevant authorities as ensuring adequate safeguards for personal data;
Obtaining your consent to transfer personal data after first informing you about the possible risks of such a transfer;
When the transfer is necessary for the performance of a contract between you and us or if the transfer is necessary for the performance of a contract between us and a third party that is entered into in your interest; and
Where the transfer is necessary to establish, exercise or defend legal claims.
For further information, including to obtain a copy of the documents used to protect your personal data, please contact us at email@example.com.
Retaining your personal data. We seek to only retain personal data for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.