Privacy Notice for California Residents
- Protected health information subject to the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, as amended (collectively, “HIPAA”);
- Medical information governed by the California Confidentiality of Medical Information Act (“CMIA”);
- Clinical trial data or other information that is collected, used or disclosed in research;
- Publicly available information from government records or lawfully obtained truthful information that is a matter of public concern; or
- De-identified or aggregated consumer information.
If you are a California resident seeking information about your protected health information, please refer to our HIPAA Notice of Privacy Practices, which describes how we use and disclose your protected health information, our legal duties with respect to your protected health information, and your rights with respect to your protected health information and how you may exercise them.
Categories of Personal Information We Collect. In the previous 12 months, we have collected the following categories of personal information:
|Identifiers||A real name, alias, postal address, IP address, email address, account name, and other similar identifiers.|
|Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e))||Name, address, signature, telephone number, driver’s license number, credit card number or other financial information, education, employment, employment history, and health or medical information (where that information is processed in those situations outside the scope of either HIPAA or CMIA). Some personal information included in this category may overlap with other categories.|
|Protected classification characteristics under California or federal law||Age (40 years or older), race, citizenship, marital status, medical condition, physical or mental disability, sex, and veteran or military status.|
|Commercial information||Records of products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.|
|Internet or other similar network activity||Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement.|
|Geolocation data (note that we only collect this data on the GRAIL Site and Provider Portal, but not on the Patient Portal or Galleri Site)||Geographic location information about a particular individual or device.|
|Sensory data||Audio, electronic, and visual information, such as CCTV recordings from our office premises, and audio recordings of calls made to our call center.|
|Professional or employment-related information||Current or past job history or performance evaluations.|
|Non-public education information||Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.|
|Inferences drawn from other Personal Information||Consumer profile inferred from any of the information above, including preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.|
|Sensitive personal information||Race, ethnicity, and criminal offenses.|
California Privacy Rights. If you are a California consumer, you have certain rights related to your personal information under the CCPA/CPRA, including:
- Right to Know. You have the right to request that we disclose certain information to you about our collection and use of your personal information. Once we receive and verify your request, we will disclose to you, if requested: the categories of personal information we collected about you; the specific pieces of personal information we collected about you; the categories of sources for the personal information we collected about you; our business or commercial purpose for collecting, disclosing, selling or sharing your personal information; the categories of third parties to whom we disclose your personal information; and if we sold, shared or disclosed your personal information for a business purpose, three separate lists setting out: sales (identifying the personal information categories that each category of recipient purchased); sharing (identifying the personal information categories that each category of recipient obtained); and disclosures for a business purpose (identifying the personal information categories that each category of recipient obtained).
- Right to Delete. You have the right to request that we delete personal information we have collected about you, subject to certain exceptions.
- Right to Correct Inaccurate Information. You have the right to correct inaccurate personal information that we maintain about you.
- Right to Opt-Out of Sale or Sharing. You have the right to opt out of the sale or sharing of your personal information. To exercise that right, please visit the “Your California Privacy Choices” section of our website. Additionally, GRAIL processes opt-out preference signals in a frictionless manner communicated through Global Privacy Control settings you may turn on in certain browsers.
- Right to Limit the Use and Disclosure of Sensitive Personal Information. You have the right to limit the use or disclosure of your sensitive personal information if used to infer characteristics about you. To exercise this right, please visit the “Your California Privacy Choices” section of our website. GRAIL may continue using sensitive personal information for certain purposes expressly permitted by the CCPA/CPRA.
Non-Discrimination. Consistent with the CCPA/CPRA, we will not discriminate against you for choosing to exercise any of your CCPA/CPRA rights, including, for example, by denying goods or services to you, charging you different prices or rates, or providing a different level of quality of products or services. However, we may charge a different price or rate or provide a different level or quality of goods or services when that difference is reasonably related to the value provided to us by the data.
Methods for Submitting Requests. There are many ways you can exercise your rights under the CCPA/CPRA, including by:
- Completing an online CCPA/CPRA request form at ”Your California Privacy Choices” section of our website;
- Sending us an email at email@example.com with the phrase “California Privacy Rights” in the subject line;
- Sending us a letter at the address provided below; or
- Calling us toll-free at (833) 694 – 2553.
Once we have received your request, we will process your request within the time provided by applicable law. If we need more time, we will tell you in writing why and how much longer we need, either by mail or electronically (based on your choice).
Authorized Agents. You may use an authorized agent to submit a consumer rights request. When we verify your agent’s request, we may verify both your and your agent’s identity and request a signed document from you that authorizes your agent to make the request for you. To protect your personal information, we reserve the right to deny a request from an agent that does not submit adequate proof that you authorized them to act for you.
Verification. When you exercise your right to know, delete, or correct, we will take steps to verify your identity with a reasonably high degree of certainty before processing your request. We may ask for additional information so that we can verify your identity. If it is necessary to collect additional information, we will use the information only for verification purposes and will delete it as soon as practicable after complying with your request. We will only use the personal information you provide to us in response to this request to verify your identity and to process your request, unless you initially provided the information for another purpose. We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you.
Retaining Your Personal Information
Shine the Light
In addition to the CCPA/CPRA privacy rights described above, California law permits California residents to request certain details about how their information is shared with third parties and, in some cases, affiliates, for those third parties’ and affiliates’ own direct marketing purposes. Under the law, a business must either provide this information or permit California customers to opt in to, or opt out of, this type of sharing. We may from time to time elect to share certain personal information (as defined by the California Shine the Light Act) about you collected by us with third parties or affiliates for those third parties’ or affiliates’ own direct marketing purposes. Californians are entitled to request information relating to our compliance with the California Shine the Light Act and to opt out of such future sharing of your personal information by contacting us at firstname.lastname@example.org with the phrase “Do Not Share” in the subject line.
Last Updated: January 1, 2023.