GRAIL, Inc. (“GRAIL”) is committed to protecting and respecting your privacy and ensuring that your personal information is processed fairly and lawfully in line with all relevant privacy legislation. The purpose of this Privacy Statement is to set out the principles governing our use of personal information that we may obtain about you through this website (the “Site”) and in connection with our business (the “Business”). By using this Site, you agree to our use of the personal information that we obtain about you.
Please read this Privacy Statement carefully. We may change our Privacy Statement from time to time. We therefore ask you to check it occasionally to ensure that you are aware of the most recent version that will apply each time you access this Site. If a revision meaningfully reduces your rights, we will notify you. BY USING THIS SITE, YOU AGREE TO THIS PRIVACY STATEMENT. IF YOU DO NOT AGREE TO THIS PRIVACY STATEMENT, DO NOT USE THIS SITE.
For your convenience, this Site may contain links to a number of other websites. The privacy policies and procedures described here do not apply to those sites; we suggest contacting those sites directly for information on their data collection and distribution policies. Any reference to a linked site or any specific third party product or service by name does not constitute or imply its endorsement by us, and you assume all risk with respect to its use.
We may collect, use, store and transfer the following information to provide, improve and protect our Site and in connection with our Business.
The data we collect and process. You may give us personal information by visiting or interacting with the Site, filling in forms on the Site, interacting with our Business, by corresponding with us by phone, e-mail, or otherwise, or through your employment by GRAIL, Inc. or its subsidiary. This personal information includes the following data which are referred to in this Privacy Statement as ‘your data’, ‘your personal data’ or ‘your personal information’:
- personal information you provide when you interact with the Site. The personal information you give us may include your name, title, company, mailing address, email address, phone number, password, resume information, feedback and any other information you choose to provide to us;
- technical data such as your internet protocol (IP) address, your login data, the web page you visited before visiting our Site, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our Site;
- usage data which tells us how you use our Site;
- marketing and communication data which tells us your preference in receiving marketing from us and our third parties and your communication preferences; and
- sensitive personal data such as your race or ethnicity, your political opinions, religious beliefs, membership in a trade union, physical or mental health condition, sexual orientation, or criminal offenses. Please note that we do not ask for any sensitive personal information through our website (except for responses to job postings which is collected by a third party) and request that you omit any such information in any communications with us. If you send us sensitive personal information, we will delete it unless you provide your specific consent to having us include it in your account, as it will be process with the rest of your personal information.
Purposes for which we will use your data
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
- Where we need to perform the contract we are about to enter into or have entered into with you.
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
- Where we need to comply with a legal or regulatory obligation.
The ways we plan to use your personal data are as follows
- Business. We collect data in connection with developing our Business and our Site.
- Usage. We also use your data, especially usage data and technical data, including the actions you take in your account (such as Site visits, page interaction information, and search history), to evaluate and improve our Site and our Products.
- Cookies and other technologies. We use technologies like cookies to provide, improve, protect, and promote our Site and our Products. GRAIL currently does not respond to Do Not Track requests.
- Marketing. We also use your data to provide you with information about our Business we feel may interest you. If you do not want us to use your data in this way, select the ‘unsubscribe’ link in any e-mail communication from us.
- Relationship. We will also use your data to manage our relationship with you.
Sharing your data
We may share information as discussed below, but we won’t sell it to advertisers or third parties.
Others working for GRAIL. GRAIL uses trusted third parties (i.e. IT services, analytics services, etc.) to help us provide, improve, protect, and promote our Site and our Business. These third parties will access your information only to perform tasks on our behalf in compliance with this Privacy Statement, and we’ll remain responsible for their handling of your information per our instructions.
Other applications and third-party links. The Site may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy policies. When you leave our Site, we encourage you to read the privacy policies of every website you visit. Please remember that their use of your personal information will be governed by their privacy policies and terms.
Protecting your data
We only process personal data where we have a legal basis for doing so. We review the personal data we hold periodically to ensure it is being lawfully processed.
Before transferring personal data to any third party (e.g. suppliers, partners and back office support), we seek to establish that there is a legal reason for making the transfer, which may include your consent.
We seek to only retain personal data subject to General Data Protection Regulation (“GDPR”) for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
We have implemented measures and procedures that protect the privacy of individuals and help ensure that data protection is integral to all processing activities. This includes implementing measures which may include, for example:
- Cyber/data security controls; and
- A data retention policy.
Your rights – individuals in the European Union
If you are an individual in the European Union, you have certain rights with respect to the access, correction, restriction, and erasure of your personal information stored on our platform at any time. You can exercise any of these rights at any time by contacting us at email@example.com. Your rights include the following:
- Accessing your data. Upon request, we shall provide any information relating to your data and our processing of your data in a concise, transparent, intelligible and easily accessible form using clear and plain language. The information shall be provided in writing or by other means, including, where appropriate, by electronic means within 30 days of a written request.
- Correcting your data. You have the right to ask us to rectify any inaccurate or incomplete personal data on our platform. If we have given your personal data to any third parties, we will notify those third parties that GRAIL has received a request to rectify your personal data, unless doing so proves impossible or involves disproportionate effort. Those third parties should also rectify the personal data they hold – however, we are not in a position to audit those third parties to ensure that the rectification has occurred.
- Erasing your data. You can ask us to erase your personal data stored on our platform. If we receive a request to erase your data, we will ask you if you want your personal data to be removed entirely or if you want to be kept on a list of individuals who do not want to be contacted in the future (for a specified period or otherwise). We cannot keep a record of individuals whose data we have erased so you may be contacted again by us, should we come into possession of your personal data at a later date. If we have given your personal data to any third parties, we will tell those third parties that GRAIL has received a request to erase your personal data, unless this proves impossible or involves a disproportionate effort. Those third parties should also rectify the personal data they hold – however, GRAIL will not be in a position to audit those third parties to ensure that the rectification has occurred.
Restricting the use of your data. We only process your personal data where we have the legal basis for doing so. You have the right to ask us to suspend or otherwise restrict the processing of your personal data where:
- You challenge the accuracy of the personal data;
- The processing is unlawful but you do not want us to erase it;
- We no longer need the personal data for the purposes of the processing, but you want us to hold it as you need it to establish, exercise, or defend legal claims; or
- You have objected to our use of your data, but we need to verify whether we have legitimate grounds to use it.
If we have given the personal data to any third parties, we will tell those third parties that we have received a request to restrict the use of your personal data, unless this proves impossible or involves a disproportionate effort. Those third parties should also rectify the personal data they hold – however, we will not be in a position to audit those third parties to ensure that the rectification has occurred.
Withdrawing your consent. Where we are relying on consent to process your personal data (for example consent to receive marketing) you have the right to withdraw your consent at any time. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you.
Your rights – individuals outside the European Union
Accessing Account Information. We will provide you with the means to ensure that personally identifiable information GRAIL maintains is correct and current. You may review this information by contacting us by sending an email to firstname.lastname@example.org.
A Record of Data Transfer. GRAIL will provide the right to request and receive, once a year and free of charge, information about third parties to whom we have disclosed certain types of personal information (if any) about you in the prior calendar year, and a description of the categories of personal information shared. To make such a request, please send an email to email@example.com and please include the phrase “Personal Information Privacy Request” in the subject line, the domain name of the website you are inquiring about, along with your name, address and email address. At our option, we may respond to such requests by providing instructions about how our users can exercise their options to prevent our disclosure of personal information to third parties for their direct marketing purposes.
Upon request, twice a year and free of charge, we shall provide to you any information relating to your personal information and our processing of your personal information in a concise, transparent, intelligible, and easily accessible form using clear and plain language. To make such a request, please send an email to firstname.lastname@example.org and please include the phrase “Personal Information Privacy Request” in the subject line, the domain name of the website you are inquiring about, along with your name, address and email address. You can also ask us to delete your personal data stored on our platform. If we receive a request to delete your data, we will ask you if you want your personal information to be removed entirely or if you want to be kept on a list of individuals who do not want to be contacted in the future (for a specified period or otherwise). We cannot keep a record of individuals whose personal information we have deleted so you may be contacted again by us, should we come into possession of your personal information at a later date.
Requests to know and requests to delete will be honored within 45 days; if more time is needed to respond, GRAIL will notify you. GRAIL will respond to your request to delete within 15 days. You may also designate an authorized agent to act on your behalf with regard to a request to know or delete by providing us with a signed letter authorizing the agent to submit a request on your behalf or a valid power of attorney issued.
If you have a disability and require an alternative format to this privacy notice, please email us at: email@example.com so that we may provide you with a more suitable format.
Where we store and transfer your data
The Site is controlled by GRAIL from its offices in the United States. GRAIL may store and use information in the United States, United Kingdom and other jurisdictions; any personal data provided to GRAIL will be transmitted to or within those jurisdictions. GRAIL also may transfer information and personal data to other jurisdictions to facilitate GRAIL’s third party processors’ access to and/or processing of information and/or personal data.
Individuals in the EU. Whenever we transfer your personal data outside the European Economic Area (“EEA”), we ensure a similar degree of protection is afforded to it as in the EEA by using specific contractual clauses approved by the European Commission which give personal data the same protection it has in Europe.
GRAIL makes no representation that materials on this Site are appropriate or available for use in other locations, and access to them from territories where their contents are illegal is prohibited. Those who choose to access this Site from other locations do so on their own initiative and are responsible for compliance with applicable local laws.
Have questions or concerns about our Privacy Statement? Contact us at firstname.lastname@example.org.
Effective Date: January 29, 2020