Privacy Notice for California Residents
If you are a California resident, then this privacy notice may apply to you in addition to our Privacy Policy. This privacy notice is intended to describe our practices and your rights under the California Consumer Privacy Act of 2018 (“CCPA”), as amended by the California Privacy Rights Act of 2020 (“CPRA”) (collectively, the “CCPA/CPRA”) and applies to personal information of California residents. For purposes of this privacy notice, the term “personal information” means information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information does not include:
- Protected health information subject to the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, as amended (collectively, “HIPAA”);
- Medical information governed by the California Confidentiality of Medical Information Act (“CMIA”);
- Clinical trial data or other information that is collected, used or disclosed in research;
- Publicly available information from government records or lawfully obtained truthful information that is a matter of public concern; or
- De-identified or aggregated consumer information.
If you are a California resident seeking information about your protected health information, please refer to our HIPAA Notice of Privacy Practices, which describes how we use and disclose your protected health information, our legal duties with respect to your protected health information, and your rights with respect to your protected health information and how you may exercise them.
Categories of Personal Information We Collect. In the previous 12 months, we have collected the following categories of personal information:
| Category | Examples |
| Identifiers | A real name, alias, postal address, IP address, email address, account name, and other similar identifiers. |
| Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)) | Name, address, signature, telephone number, driver’s license number, credit card number or other financial information, education, employment, employment history, and health or medical information (where that information is processed in those situations outside the scope of either HIPAA or CMIA). Some personal information included in this category may overlap with other categories. |
| Protected classification characteristics under California or federal law | Age (40 years or older), race, citizenship, marital status, medical condition, physical or mental disability, sex, and veteran or military status. |
| Commercial information | Records of products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. |
| Internet or other similar network activity | Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement. |
| Geolocation data (note that we only collect this data on the GRAIL Site and Provider Portal, but not on the Patient Portal or Galleri Site) | Geographic location information about a particular individual or device. |
| Sensory data | Audio, electronic, and visual information, such as CCTV recordings from our office premises, and audio recordings of calls made to our call center. |
| Professional or employment-related information | Current or past job history or performance evaluations. |
| Non-public education information | Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records. |
| Inferences drawn from other Personal Information | Consumer profile inferred from any of the information above, including preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. |
| Sensitive personal information | Race, ethnicity, and criminal offenses. |
| Other | Customer information regarding products and services, testimonials and other information as described in our Privacy Policy. |
Sources from Which We Collect Personal Information. We may collect personal information from you directly or may receive your personal information from third parties or through other automated means. For additional information on how we may collect personal information, refer to the “Your Data” section of our Privacy Policy.
Purpose for Collecting, Disclosing, Selling or Sharing Personal Information. We may use, disclose, sell, or share each of the categories of personal information described above for one or more of the business purposes described in the “Purposes for Which We Will Use Your Data” section of our Privacy Policy.
Categories of Third Parties to Whom we Disclose Your Personal Information. We may disclose your personal information to the third parties described in the “Sharing Your Data” section of our Privacy Policy as well as with other third parties as may be described to you at the time we collect your personal information.
Sale or Sharing of Your Personal Information. We do not generally sell or share information as the terms “sell” and “sharing” are traditionally understood. We do not sell or share personal information (including de-identified personal information) to third parties for money. During the past 12 months, we may have engaged in delivering online advertising that was tailored to your interests, but we did not disclose data that would identify you by name, address or phone number. To the extent “sale” or “sharing” under the CCPA/CPRA are interpreted to include advertising technology activities such as those disclosed here and in our Privacy Policy as a “sale” or “sharing,” we will comply with applicable law, including the CCPA/CPRA, as to such activities. As described below, you have the right to opt out of the “sale” or “sharing” of your personal information. Additionally, you should know that the CCPA/CPRA prohibits third parties to whom we “sell” or “share” personal information from reselling or resharing it unless you have received explicit notice and an opportunity to opt-out of further sales or sharing. We do not sell or share sensitive personal information, nor do we sell or share any personal information about individuals who we know are under sixteen (16) years old.
California Privacy Rights. If you are a California consumer, you have certain rights related to your personal information under the CCPA/CPRA, including:
- Right to Know. You have the right to request that we disclose certain information to you about our collection and use of your personal information. Once we receive and verify your request, we will disclose to you, if requested: the categories of personal information we collected about you; the specific pieces of personal information we collected about you; the categories of sources for the personal information we collected about you; our business or commercial purpose for collecting, disclosing, selling or sharing your personal information; the categories of third parties to whom we disclose your personal information; and if we sold, shared or disclosed your personal information for a business purpose, three separate lists setting out: sales (identifying the personal information categories that each category of recipient purchased); sharing (identifying the personal information categories that each category of recipient obtained); and disclosures for a business purpose (identifying the personal information categories that each category of recipient obtained).
- Right to Delete. You have the right to request that we delete personal information we have collected about you, subject to certain exceptions.
- Right to Correct Inaccurate Information. You have the right to correct inaccurate personal information that we maintain about you.
- Right to Opt-Out of Sale or Sharing. You have the right to opt out of the sale or sharing of your personal information. To exercise that right, please visit the “Your California Privacy Choices” section of our website. Additionally, GRAIL processes opt-out preference signals in a frictionless manner communicated through Global Privacy Control settings you may turn on in certain browsers.
- Right to Limit the Use and Disclosure of Sensitive Personal Information. You have the right to limit the use or disclosure of your sensitive personal information if used to infer characteristics about you. To exercise this right, please visit the “Your California Privacy Choices” section of our website. GRAIL may continue using sensitive personal information for certain purposes expressly permitted by the CCPA/CPRA.
Non-Discrimination. Consistent with the CCPA/CPRA, we will not discriminate against you for choosing to exercise any of your CCPA/CPRA rights, including, for example, by denying goods or services to you, charging you different prices or rates, or providing a different level of quality of products or services. However, we may charge a different price or rate or provide a different level or quality of goods or services when that difference is reasonably related to the value provided to us by the data.
Methods for Submitting Requests. There are many ways you can exercise your rights under the CCPA/CPRA, including by:
- Completing an online CCPA/CPRA request form at ”Your California Privacy Choices”;
- Sending us an email at privacy@grailbio.com with the phrase “California Privacy Rights” in the subject line;
- Sending us a letter at the address provided below; or
- Calling us toll-free at (833) 694 – 2553.
Once we have received your request, we will process your request within the time provided by applicable law. If we need more time, we will tell you in writing why and how much longer we need, either by mail or electronically (based on your choice).
Authorized Agents. You may use an authorized agent to submit a consumer rights request. When we verify your agent’s request, we may verify both your and your agent’s identity and request a signed document from you that authorizes your agent to make the request for you. To protect your personal information, we reserve the right to deny a request from an agent that does not submit adequate proof that you authorized them to act for you.
Verification. When you exercise your right to know, delete, or correct, we will take steps to verify your identity with a reasonably high degree of certainty before processing your request. We may ask for additional information so that we can verify your identity. If it is necessary to collect additional information, we will use the information only for verification purposes and will delete it as soon as practicable after complying with your request. We will only use the personal information you provide to us in response to this request to verify your identity and to process your request, unless you initially provided the information for another purpose. We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you.
Retaining Your Personal Information
We seek to only retain personal information for as long as necessary to fulfill the purposes for which we collected such information, as set out in this Privacy Policy, including for the purposes of satisfying any legal, accounting, or reporting requirements, subject to your rights, in certain circumstances, to have your personal information erased. We may be required by law to hold certain personal information for specific periods. In other cases, we will retain your personal information for an appropriate period after our relationship ends to protect ourselves from legal claims or to administer our business. To determine the appropriate retention period for personal information, we consider the amount, nature and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of your personal information the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.
Shine the Light
In addition to the CCPA/CPRA privacy rights described above, California law permits California residents to request certain details about how their information is shared with third parties and, in some cases, affiliates, for those third parties’ and affiliates’ own direct marketing purposes. Under the law, a business must either provide this information or permit California customers to opt in to, or opt out of, this type of sharing. We may from time to time elect to share certain personal information (as defined by the California Shine the Light Act) about you collected by us with third parties or affiliates for those third parties’ or affiliates’ own direct marketing purposes. Californians are entitled to request information relating to our compliance with the California Shine the Light Act and to opt out of such future sharing of your personal information by contacting us at privacy@grailbio.com with the phrase “Do Not Share” in the subject line.
Last Updated: January 1, 2023.