CareDx, Inc. AlloCare App Privacy Policy

This Privacy Notice (“Notice”) describes how CareDx, Inc. and its affiliates under common ownership and control (collectively, “CareDx” “we,” “us,” or “our”) may use and disclose the information we collect about you through the AlloCare^™ App (the “App”), and the choices you have about how we use your Personal Information. “Personal Information” is any information that identifies you or that we can reasonably associate with or link to you.

By using the App and our App Services (defined below), you acknowledge that you have read and understand this Notice, and you consent to the processing of your Personal Information as set forth in this Notice, which is incorporated into the App’s Terms of Use. If you do not understand this Notice or have any questions regarding the collection, use, or disclosure of your Personal Information by CareDx, please reach out to us by using the information in the “How to Contact Us” section at the end of this Notice.

The Notice applies to Personal Information that is collected or processed by us through the App, as well as the related products or services owned and operated by CareDx and made available in connection with the App, including wearable devices and digital platforms provided with the App (collectively, the “App Services”).

CareDx may have other privacy notices or policies that apply to certain specific situations, such as privacy notices that cover data processing activities on the CareDx website and your participation as a patient in clinical research studies sponsored by CareDx (to the extent applicable). Please refer to any such other privacy notice or policy where applicable, and not this Notice, to understand how we collect and process your Personal Information in those situations.

This Notice does not apply to Protected Health Information (“PHI”), as defined in the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, as amended (“HIPAA”). For information regarding how we collect, use, and disclose PHI that we receive as a covered entity under HIPAA, please see our Notice of Privacy Practices. We may also maintain your PHI on behalf of other third parties subject to HIPAA, including, for example, physicians, hospitals, or medical facilities who are our CareDx customers. Where we maintain your PHI on behalf of any third party subject to HIPAA, we will maintain that information in accordance with applicable Business Associate Agreements that CareDx may enter into with each third party. If you have any questions about CareDx’s use or disclosure of your PHI in connection with the App or the App Services, you may contact us by using the information in the “How to Contact Us” section at the end of this Notice. Please note that this app is offered by CareDx as a service to individuals but you do not have to be a patient receiving health care services from CareDx in order to use the app.  Whether we are required to do so under HIPAA or not, CareDx will treat all patient data it receives through the App Services as “PHI” protected by HIPAA.

We may collect several types of information from and about users of our App and App Services, including the following:

• Identifiers, including your name, date of birth, postal mailing address, phone number, email address, emergency contact information, photos or images, username, password, and other account information that you may provide when registering on the App Services;
• Demographic information, including Characteristics of Protected Classifications under California or Federal Law such as gender, race, or age;
• Commercial Information, including transaction history, products or services requested, obtained, or considered, request documentation, and your customer service records
• Medical Information, including health care providers that you have visited, the reasons for your visit, the dates of visits, health care preferences, and medical and health information that you choose to share with us through use of the App Services, such as appointments, lab tests and results, medications, fluid intake, urine intake, blood pressure, spirometry data, heart rate, temperature, sleep, weight, steps, and mood. Please note the medical and personal health information that you enter into the App Services or provide directly to us via the App Services will be treated by CareDx as PHI under HIPAA.  These App Services are a personal service to you to help you create and maintain a personal health record, including based on information directed by you to be transmitted. You are not required to be a patient of CareDx in order to use the App;
• Sensory data, including audio, electronic, visual, thermal, olfactory, or similar information from connected devices;
• Geolocation information, including precise, real-time information about the location of the devices you use to access the App Services. You may be permitted to allow or deny the use of your device’s location by managing your location services preferences through your device settings;
• Internet or other electronic network and device activity information, including browsing history, search history, your interaction with the App or App Services, including any site information associated with your access and use of the App or the App Services, such as device model and OS version, device ID, device language, activities within the App Services and how long the App is open, IP address, and advertising identifiers;
• Information collected from Apple HealthKit™ or a comparable data aggregation service. Where you choose to connect your mobile device to a compatible third-party service, such as Apple HealthKit™, with your permission, we collect information from your user profile including: username and email address, step count and distance traveled, activity, glucose and oxygen saturation levels, active and resting energy levels, sleep analysis, lab tests and results, medications, blood pressure readings, workout history and other similar data points (this will be treated by CareDx as patient data subject to HIPAA); and
• Inferences drawn from other information, including, for example, preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
• Sensitive personal information, such as your account usernames and passwords that may allow access to an account, race or health conditions, precise geolocation data, or your messages not directed to us. We do not collect sensitive Personal Information without obtaining your consent if required by law.

We may collect the categories of Personal Information listed above in the following manner:

• Information You Provide. We collect information that you voluntarily provide when you use the App or the App Services, such as when you register as a user of the App, use a feature or service on the App, or contact us with a question, comment, or request in connection with the App. The type of information that you provide is based on the specific function of the App that you access or use.
• Information you choose to provide outside of the App, for example, if you send us an inquiry using the contact information provided below or otherwise make a customer service inquiry associated with the App Services.
• Information We Receive from Third Parties. We may combine the information we collect from you with information that we receive about you from third parties, including public databases, providers of demographic information, joint marketing partners, social media platforms, and people with whom you are connected on social media platforms. We may also collect your Personal Information from integrations with third party applications, including the Apple HealthKit™ database on your iPhone and/or Apple Watch, if you choose to sync Apple HealthKit™ with the App Services or a comparable data aggregation service. If you submit any Personal Information relating to another individual directly to us, you represent that you have the authority to do so and to permit us to use the information in accordance with this Notice.
• Information You Choose to Share with Others. We may collect Personal Information when you share your information or communicate with others using the App or our App Services. For example, we may collect certain information in transmitting communications, treatment results, and other health information to your Patient Care Manager, Transplant Coordinator, and Health Care Provider, if so authorized. Whether you choose to disclose certain information is at your discretion. Any information you choose to provide or upload to the App or App Services may be visible to other App users, as well as our authorized business partners and our respective service providers, who assist us in operating the App and providing the App Services. AS YOUR INFORMATION WILL BE VIEWABLE TO THE OTHER USERS OF THE APP AND THE APP SERVICES, YOU SHOULD PROVIDE ONLY THE INFORMATION YOU FEEL COMFORTABLE DISCLOSING.
• Information Shared by Your Health Care Provider. If you register with an activation code provided to you by your benefit or health care provider or otherwise access your health care provider account from our services, we may receive information about you from your healthcare provider, such as your medication list and other information contained in your health records. As noted above, if your health care provider is covered by HIPAA, the information it provides us will generally be protected as PHI subject to HIPAA. To the extent applicable, we will use and disclose your PHI only as permitted by our agreements with your Healthcare Provider, or as required by law, as authorized by you, or as permitted by HIPAA.
• Information We Collect Automatically. When you download and use the App, we and our third-party service providers may collect information, including usage and technical data, automatically from your device and other devices linked to the App including wearables devices.

We may collect information about your activities in the App for use in providing you with advertising about products and services tailored to your individual interests. This section of our Notice provides details and explains how to exercise your choices.

You may see certain ads on websites or other services that are not controlled by us because we participate in advertising networks. Ad networks allow us to target our messaging to users through demographic, interest-based and contextual means. These networks track your online activities over time by collecting information through automated means, including through the use of cookies, web server logs, and web beacons. The networks use this information to show you advertisements that may be tailored to your individual interests. The information our ad networks may collect includes information about your visits to websites or apps that participate in the relevant advertising networks, such as the pages or advertisements you view and the actions you take on the websites or apps. This data collection takes place both on our websites and in the App, and on third-party websites or services that participate in the ad networks. This process also helps us track the effectiveness of our marketing efforts. To opt-out of targeted advertising, you can use the opt-out tools provided by the Network Advertising Initiative and the Digital Advertising Alliance.

We may use your information, including your Personal Information, for the following purposes:

• to provide the App Services you have requested and operate and maintain the App;
• to facilitate your access to general information about transplant care;
• to provide you with general information about disease awareness and management programs, educational materials and health statistics;
• to verify your identity when you access and use our App Services and to protect the security of your Personal Information;
• to provide you with information about the App, our other products, programs, or services, your accounts, and notices, as well as to provide customer support (e.g., where we may be providing information about changes to the terms and conditions or if you contact us with questions regarding the App);
• to send you marketing communications related to our products and services and to build a profile about you and place you into particular marketing segments to better understand your preferences and to appropriately personalize any marketing messages we may send to you, where permitted by applicable law, you have affirmatively opted in to receive marketing;
• to send administrative information to you, such as information about the App and our terms, conditions, and policies;
• to permit you to participate in polls, surveys, promotions, or other interactive features, such as chat features, and to administer these activities;
• to personalize your experience and better tailor content and offers to you;
• to allow you to send messages to another person through the App;
• to share your feedback with third parties, including our third-party suppliers and partners who help us provide the App;
• to help us and our business partners better understand our audiences, evaluate user interest in the App, improve the App, and perform other market research activities;
• to conduct quality assurance, surveys, and other internal business and management activities in connection with AlloCare App activities and operations;
• for other business purposes, such as using data analytics, conducting audits, monitoring and prevention of fraud, infringement, and other potential misuse of the App, modifying the App, determining the effectiveness of our promotional campaigns, and operating and expanding our business activities; and
• as we believe to be necessary or appropriate: (a) under applicable law, including laws outside your country of residence; (b) to comply with legal process; (c) to respond to requests from public and government authorities, including public and government authorities outside your country of residence; (d) to enforce our terms and conditions; (e) to protect our operations; (f) to protect our rights and interests and/or that of you or others; and (g) to allow us to pursue available remedies or limit the damages that we may sustain.

In addition to those purposes listed above, we may use your information for any other purpose disclosed to you at the time of collection or that you have previously authorized. For example, if you, separately, choose to participate in any clinical studies, you will be asked to first review and sign an informed consent and authorization form (if applicable) (“Informed Consent”) for the study. By using the App and related App Services, you may also consent to the collection, use, and sharing of your information collected from and shared with the clinical studies as described in this Notice and as outlined in the Informed Consent, to the extent your Informed Consent permits the use and disclosure of your Personal Information in connection with the App and the App Services. To the extent anything in this Notice conflicts with the Informed Consent, the terms of the Informed Consent will control.

We only use sensitive personal information as described above to perform services reasonably expected by average customers and other users who request those services; to prevent, detect, and investigate security incidents; to prevent and prosecute fraudulent or illegal actions directed at us; for short-term, transient use; to perform services on behalf of the business; or to verify or maintain the quality or safety of a product, service, or device which we may own, control, or provide, or to improve, upgrade, or enhance such services or devices.

Subject to applicable laws, we may combine, aggregate, pseudonymize, de-identify or anonymize any of the information we collect from or about you. We may use information that does not personally identify you for any purposes, except where we are required to do otherwise under applicable law.

We may disclose your Personal Information to the following parties:

• Our Affiliates. We may disclose certain information about you to our subsidiaries and affiliates within the CareDx group of companies for the purposes set out above;
• Service Providers and Business Partners. We may disclose your Personal Information to our service providers and business partners that provide services to us, such as those that fulfill requests for information, answer calls, administer programs or projects, assist in research and development, or deliver advertisements or other communications;
• Third Party Integrations. We may disclose your Personal Information to third-party sites or platforms, such as with your social networking service, if you have expressly requested that we do so via the App. For example, with your consent, we may disclose your profile information and data collected from your connected devices to other health-focused mobile applications installed on your mobile device to help you track your health and wellness information, such as Apple HealthKit^™ or a comparable data aggregation service. If you disclose your information to these apps, your Personal Information, including your health information, will be used in accordance with privacy notices or policies for those separate apps, not this Notice. Please refer to the third-party sites’ or platforms’ privacy notices or policies where applicable, and not this Notice, to understand how they collect and process Personal Information;
• Other App Users. We may disclose your Personal Information with your consent to other App users and authorized individuals interacting with the App Services, including, for example:
  • Other Transplant Patients, that you may interact with directly or direct us to contact;
  • Transplant Buddies, such as a friend, a family member, or another individual interested in monitoring your progress as a transplant patient;
  • Health Care Providers, who may be responsible for helping you understand how to use the App and may also be providing advice to support your patient care via the App and in the context of their job function; and
  • Patient Care Managers, who may be responsible for working with third parties, including transplant centers, to facilitate your testing services;
• Healthcare Providers. With your consent, we may disclose your information, including information collected from your connected devices, to your healthcare providers (e.g., transplant coordinator, surgeon, nephrologist) that you authorize to receive your information, including those you designate to receive or transmit your information via the App;
• CareDx and Health Researchers. We may disclose information collected through the App and the App Services to healthcare researchers and other research organizations, including information generated from the App, the App Services, and connected devices;
• Other Third-Parties You Designate and Persons You Direct Us to Contact. With your consent, we may disclose your information to any individual you authorize to receive your Personal Information (e.g., immediate family or friends). We do not verify the accuracy of any information you provide with respect to your designated recipients. Once you establish a designated recipient, we disclose your Personal Information to that designated recipient until you terminate the designation. We have no control over what the designated recipient does with your Personal Information. If your designated recipient is an entity, we encourage you to consult that designated recipient’s terms of use, privacy policy, and other provisions of the designated recipient’s website and services as they apply to your Personal Information;
• Government and Regulatory Authorities. We may disclose your information to law enforcement, to health authorities to report possible adverse events, during government inspections or audits, as ordered or directed by courts or other governmental agencies, or in order to comply with a subpoena or other legal process;
• Courts and Administrative Tribunals. We may disclose your Personal Information when we believe in good faith that the disclosure is necessary to protect legal rights or the security or integrity of our operations or the App; protect your safety or the safety of others; investigate fraud, a breach of contract, or a violation of law; respond to a government request; or allow us to pursue available remedies or limit the damages that we may sustain;
• Parties to a Corporate Transaction. We may disclose your Personal Information to third parties, advisors, and other entities to the extent reasonably necessary for development of or to proceed with the negotiation or completion of a corporate or commercial transaction, including a reorganization, merger, acquisition, joint venture, sale or other disposition of all or a portion of our business, assets, or stock (including in connection with any bankruptcy or similar proceedings).

We may disclose information that does not personally identify you for any purpose, except where we are required to do otherwise under applicable laws.

We may disclose your Personal Information in exchange for valuable benefit or consideration to our business partners who offer products or services and/or research studies/opportunities jointly with CareDx, or to third parties or business partners who deliver marketing communications or products and services and/or research studies/opportunities that may be of interest to you, subject to any choices you have expressed.  These disclosures may be deemed “sales” of Personal Information under applicable law. The following categories of your Personal Information may be disclosed or “sold” to these parties:

• Identifiers;
• Demographic information;
• Protected characteristics;
• Commercial information;
• Medical Information;
• Financial Information; and
• Inferences drawn from any of the above information categories.

We do not knowingly sell Personal Information of individuals under the age of 16 or share their Personal Information for cross-context behavioral advertising.

Your preferences about how we use your information are important to us. If you are a registered user of the App, we offer the following choices that you can exercise with regard to your Personal Information:

• Location Information. You can choose whether to allow the App to collect and use real-time information about your device’s location through the device’s privacy settings. If you block the use of location information, some parts of the App may become inaccessible or not function properly.
• Unsubscribe. Where you have elected to participate in one of our programs or services or to receive marketing communications from us, we offer you the ability to discontinue your participation or to opt out of receiving those communications in the communication itself. You may also make the request as provided below in “How to Contact Us”. Please note that you may not opt out of receiving non-promotional email messages regarding certain administrative, technical, or safety notices about the App or our products or services.
• Manage Notifications. If you are using our App, we will provide you with the opportunity to opt into receiving notifications from us through your device. If you no longer wish to receive these communications, you may opt out of receiving them at the device level by modifying your profile or notification settings.
• Manage Your Account Information. If you have registered an account, you may access, change, or correct your personal account information at any time by logging into your account. You may also make the request as provided below in “How to Contact Us”, in which case we may need to verify your identity before granting access or otherwise changing or correcting your information.

If you are a resident of California, or a U.S. state in which a comprehensive privacy law similar to the California Consumer Privacy Act comes into effect after the Effective Date of this Privacy Notice, you may have one or more of the following rights. We will honor requests received to the extent required by the applicable law and within the time provided by law.

• Right to know. You have the right to request that we disclose certain information to you about our collection and use of your Personal Information over the past 12 months. Specifically, you have the right to request that we disclose:
  • Whether we are processing Personal Information about you.
  • The categories of Personal Information we collected about you.
  • The categories of sources for the Personal Information we collected about you.
  • Our business or commercial purpose for collecting, selling, or sharing that Personal Information.
  • The categories of third parties to whom we disclose that Personal Information.
  • The categories of Personal Information about you, if any, that we have sold or shared and the categories of third parties to whom we have sold or shared the information, by category or categories of Personal Information for each category of third party to whom we sold or shared the Personal Information.
  • The categories of Personal Information about you that we disclosed for a business purpose and the categories of recipients to whom we disclosed the information for a business purpose.
  • The specific pieces of Personal Information we collected about you.

• Right to delete. You have the right to request that we delete Personal Information that we have collected about you. However, if you have requested a service that requires the use of your Personal Information, we may not be able to provide that service if you choose to delete your Personal Information. 
• Right to correct. You may have the right to request that we correct inaccurate Personal Information that we have collected about you.
• Right to opt out. You have the right to opt out of the sale of Personal Information about you for valuable consideration, the sharing of Personal Information about you for cross-context behavioral advertising, targeted advertising, and profiling in furtherance of decisions that produce legal or similarly significant effects concerning you. To opt-out, click Do Not Sell My Personal Information or as provided below under “Exercising Your Applicable State Specific Rights.”
• Right to Appeal. If you receive our refusal to fulfill a previous request that you submitted, you may have the right to appeal such refusal by emailing us at privacy@caredx.com.
• Right to non-discrimination. Subject to applicable law, we may not discriminate against you for exercising any of the above-listed rights or any other rights under the California Consumer Privacy Act or similar comprehensive privacy laws that come into effect in U.S. states after the Effective Date of this Privacy Notice, including by:
  • Denying you goods or services;
  • Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties;
  • Providing you a different level or quality of goods or services; or
  • Suggesting that you will receive a different price or rate for goods or services or a different level or quality of goods or services.
• We may, however, charge different prices or rates, or provide a different level or quality of goods or services, if that difference is reasonably related to the value provided to CareDx by your Personal Information, subject to the requirements of applicable law. We may also limit our response to your exercise of rights as permitted by law.

Exercising Your Rights

If you are a resident of California or a U.S. state in which a comprehensive privacy law similar to the California Consumer Privacy Act has come into effect since the Effective Date of this Privacy Notice, and you would like to exercise any of the above rights, please submit your request via our webform, email us at privacy@caredx.com, or call us at +1-888-255-6627.

For requests made in connection with the Right to Know, Right to Delete, and Right to Correct, please note:

• As required or permitted by law, we may take steps to verify your request before we can provide Personal Information to you, delete or correct Personal Information, or otherwise process your request. To verify your request, we may require you to provide your name, physical address, email address, contact information, and information about your account or previous transactions with us. If we believe we need further information to verify your request as required by law, we may ask you to provide additional information to us.
• There may be circumstances where we will not be able to honor your request. For example, if you request deletion, we may need to retain certain Personal Information to comply with our legal obligations or other permitted purposes.
• We will deliver Personal Information that we are required by law to disclose to you in the manner required by law within 45 days (or the applicable statutory timeframe) after receipt of a verifiable request, unless we notify you that we require additional time to respond, in which case we will respond within such additional period of time required by law. We may deliver the Personal Information to you through your account, if you maintain an account with CareDx, or electronically or by mail at your option. If electronically, then we will deliver the information to you or, at your request, to another entity, in a portable and, to the extent technically feasible, in a structured, commonly used, machine-readable format that allows you to transmit the information from one entity to another without hindrance.

Authorized Agent

You may designate an authorized agent to request any of the above rights on your behalf. You may make such a designation by providing the agent with a signed written permission stating that the agent is authorized to make the request on your behalf. Your agent may contact us via the information provided in the “Exercising Your Rights” section to make a request on your behalf. If you are submitting a request through an authorized agent, we may, as permitted by law, require:

• The authorized agent to provide proof that you gave the authorized agent signed permission to submit the request.
• You to verify your identity directly with us.
• You to directly confirm with us that you have provided the agent with your permission to submit the request on your behalf.

Data Sharing for Direct Marketing Purposes

California Civil Code Section § 1798.83 permits California residents to request certain information regarding our disclosure of Personal Information to third parties for their direct marketing purposes. If you are a California resident, you may ask us to refrain from sharing your Personal Information with certain of our affiliates and other third parties for their marketing purposes. To make such a request, please use our webform, email us at privacy@caredx.com, or call us at +1-888-255-6627.

We do not currently respond to web browser “Do Not Track” (“DNT”) signals or other mechanisms that provide a method to opt out of the collection of information on the App. For more information about DNT signals, please visit http://allaboutdnt.com.

CareDx uses commercially reasonable physical, managerial, and technical safeguards that we designed to preserve the integrity and security of the Personal Information you provide to CareDx. We cannot, however, ensure or warrant the security of any information you transmit to CareDx, and you do so at your own risk. The safety and security of your information also depends on you. Where we have given you (or where you have chosen) a password for access to our App Services, you are responsible for keeping this password confidential. We ask you not to share your password with anyone.

Protecting the privacy of minors is especially important. CareDx does not knowingly collect Personal Information from children under the age of sixteen (16) through the App or App Services, and our App or Services is not intended to be used by children under the age of sixteen (16). If we learn that a child under the age of sixteen (16) has provided us with Personal Information, we may delete it. Moreover, anyone under eighteen (18) years old should seek their parent or guardian’s permission prior to using or disclosing any Personal Information through our App or App Services. A parent or guardian of a CareDx patient under the age of sixteen (16) may register as a user of the App or App Services but is not authorized by CareDx to permit the child to use the App or App Services. If you, as a parent or guardian, become aware that your child has directly provided us with Personal Information and desire for us to delete or destroy such information, please contact us as instructed in the “How to Contact Us” section at the end of this Notice.

We may use or process your Personal Information in the United States or any other country in which we or our service providers operate. Because we operate with a technical infrastructure that is located in the United States, we may need to transfer your Personal Information to the United States for storage and as may be otherwise necessary, consistent with the terms of this Notice. Our use and storage of your Personal Information outside of the country in which you reside may subject your Personal Information to laws of other jurisdictions that may be different from the laws of the country in which you reside.

The App may contain links to third party services that are not under our control. We are not responsible for the collection and use of your information by any such services, and we encourage you to review their privacy policies. In addition, we are not responsible for the information collection, use, disclosure, or security practices of other organizations, such as Facebook, Apple, Google, Microsoft, or any other app developer, app provider, social media platform provider, operating system provider, wireless service provider, or device manufacturer, including in connection with any information you disclose to such other organizations through or in connection with the App.

You may opt to integrate the App with the Apple HealthKit™ database or a comparable data aggregation service. The App cannot read or provide information to the Apple HealthKit™ database or the comparable data aggregation service database without your explicitly granted permission. Please note, the information you provide directly from the Apple HealthKit™ App or a comparable data aggregation service (i.e., not through the App or the App Services) is governed by Apple’s terms and conditions and privacy notice or the applicable data aggregation service’s terms and conditions and privacy notice. CareDx is not responsible for the protection of data and information stored within the Apple HealthKit™ database or a comparable data aggregation service database. We strongly recommend you review the applicable policies, notice, and procedures before synching and backing up your Apple HealthKit™ data or other comparable data aggregation service data.

We may update this Privacy Notice from time to time by posting a new Privacy Notice within the App. We reserve the right to modify this Notice at any time, so we encourage you to review this page frequently. If we make a material change to our Privacy Notice, we will take reasonable steps to notify you, for example, by posting a banner or pop-up notice on the App. If you continue to use the App or the App Services after having been provided with such notice you will be deemed to have acknowledged the updated Privacy Notice.

If you have any questions about this Privacy Notice, please contact us by email at privacy@caredx.com or by calling us at +1-888-255-6627.