CareDx Patient App | Privacy Policy | Last updated September 22, 2020

This Privacy Policy (“Policy”) describes how CareDx Inc. and its affiliates under common ownership and control (collectively, “CareDx,” “we,” “us,” or “our”) may use and disclose the information we collect about you through the CareDx Patient App (the “App”), and the choices you have about how we use your Personal Information. Personal Information is any information that could reasonably be used, directly or indirectly, to contact or identify you, including, for example, direct identifiers, such as your name and contact information, as well as information about your use or potential use of our Services (defined below) that could reasonably be linked to you, such as your Internet Protocol address or device information.

By using the App and our App Services (defined below), you consent to the processing of your Personal Information as set forth in this Policy, which is incorporated into the App’s Terms of Use. If you do not understand this Policy or have any questions regarding the collection, use, or disclosure of your Personal Information by CareDx, please reach out to us by using the contact details found at the end of this Policy.

Scope

The Policy applies to Personal Information that is collected or processed by us through the App, as well as the related products or services owned and operated by CareDx and made available in connection with the App, including wearable devices and digital platforms provided with the App (collectively, the “App Services”).

Please note, CareDx may have other unique privacy policies that apply to certain specific situations, such as privacy notices that cover data processing activities on the CareDx website and your participation as a patient in clinical research studies sponsored by CareDx (to the extent applicable). To the extent those policies or notices apply and conflict with this Policy, those policies govern our interactions with you.

Protected Health Information

Please note that this Privacy Policy does not apply to Protected Health Information (“PHI”). PHI is Personal Information about you that relates to: (a) your past, present, or future physical or mental health or condition, (b) the provision of health care to you, or (c) your past, present, or future payment for the provision of health care, which is created, received, transmitted, or maintained by an entity that is subject to the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, as amended (“HIPAA”). To the extent CareDx handles your PHI as an entity subject to HIPAA (e.g., where we interact with you as a health care provider), we will maintain your PHI in accordance with our Notice of Privacy Practices. We may also maintain your PHI on behalf of other third parties subject to HIPAA, including, for example, physicians, hospitals, or medical facilities, in accordance with our contractual obligations as set out in the applicable agreements with such parties, including Business Associate Agreements (as appropriate). If you have any questions about CareDx’s use or disclosure of PHI in connection with the App or the App Services, you may contact us by using the information found in the “How to Contact Us” section at the end of this Policy.

What Information Do We Collect?

We may collect several types of information from and about users of our App Services, including:

  • Identifiers, including your first name, address, last name, email address, username, password, and other account information that you may provide when registering on the App Services;
  • Demographic information, including characteristics that may be protected by law such as gender or age;
  • Protected classification characteristics under California or federal law, including, for example, your age and race;
  • Commercial Information, including transaction history, products or services requested, obtained, or considered, request documentation, and your customer service records;
  • Medical Information, including health care providers that you have visited, the reasons for your visit, the dates of visits, health care preferences, and medical and health information that you choose to share with us through use of the App Services. Please note, the medical and personal health information that you enter into the App Services or provide directly to us via the App Services is not PHI;
  • Professional and employment information, such as your employer and job title;
  • Educational Information, including information about education history or background;
  • Financial Information, including financial transaction history, and financial account number;
  • Sensory data, including audio, electronic, visual, thermal, olfactory, or similar information from connected devices;
  • Geolocation information, including precise, real-time information about the location of the devices you use to access the App Services. You may be permitted to allow or deny the use of your device’s location by managing your location services preferences through your device settings;
  • Internet or other similar network and device activity, including browsing history, search history, your interaction with the App or App Services, including any site information associated with your access and use of the App or the App Services, such as device model and OS version, device ID, device language, activities within the App Services and how long the App is open;
  • Information collected from Apple HealthKit or a comparable data aggregation service. Where you choose to connect your mobile device to a compatible third-party service, such as Apple HealthKit, with your permission, we collect information from your user profile including: username and email address, step count and distance traveled, activity, glucose and oxygen saturation levels, active and resting energy levels, sleep analysis, blood pressure readings, workout history and other similar biometric data points;  and
  • Inferences drawn from other information, including, for example, preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

We may collect the categories of Personal Information listed above in the following manner:

  • Information You Provide. We collect information that you voluntarily provide when you use the App or the App Services, such as when you register as a user of the App, use a feature or service on the App, or contact us with a question, comment, or request in connection with the App. The type of information that you provide is based on the specific function of the App that you access or use.
  • Information you choose to provide outside of the App, for example, if you send us an inquiry using the contact information provided below or otherwise make a customer service inquiry associated with the App Services.
  • Information We Receive from Third Parties. We may combine the information we collect from you with information that we receive about you from other sources, including public databases, providers of demographic information, joint marketing partners, social media platforms, and people with whom you are connected on social media platforms. We may also collect your Personal Information from integrations with third party applications, including the Apple HealthKit™ database on your iPhone and/or Apple Watch, if you choose to sync Apple HealthKit™ with the App Services or a comparable data aggregation service. If you submit any Personal Information relating to another individual directly to us, you represent that you have the authority to do so and to permit us to use the information in accordance with this Policy.
  • Information You Choose to Share with Others. We may collect Personal Information when you share your information or communicate with others using the App or our App Services. For example, we may collect certain information in transmitting communications, treatment results, and other health information to your Patient Care Manager, Transplant Coordinator, and Health Care Provider, if so authorized. Whether you choose to disclose certain information is your discretion. Any information you choose to provide or upload to the App or App Services may be visible to other App users, as well as our authorized business partners and our respective service providers, who assist us in operating the App and providing the App Services. As your information will be viewable to the other users of the App and the App Services, you should provide only the information you feel comfortable disclosing.
  • Information Shared By Your Health Care Provider. If you register with an activation code provided to you by your benefit or health care provider or otherwise access your health care provider account from within our services, we may receive information about you from your healthcare provider, such as your medication list and other information contained in your health records. As noted above, if your health care provider is covered by HIPAA, the information it provides us will generally be protected as PHI subject to HIPAA, which is not covered by this Policy. To the extent applicable, we will use and disclose your PHI only as permitted by our agreements with your Healthcare Provider, or as required by law, or as authorized by you.
  • Information We Collect Automatically. When you download and use the App, we and our third party service providers may collect information, including usage and technical data, automatically from your device and other devices linked to the App, including wearable devices.

How Do We Use Your Information

We may use your information, including your Personal Information, for the following purposes:

  • to provide the App Services you have requested and operate and maintain the App;
  • to verify your identity when you access and use our App Services and to ensure the security of your Personal Information;
  • to provide you with information about the App, our other products, programs, or services, your accounts, and notices, as well as to provide customer support (e.g., where we may be providing information about changes to the terms and conditions or if you contact us with questions regarding the App);
  • to build a profile about you and place you into particular marketing segments in order to understand your preferences better and to appropriately personalize the marketing messages we send to you, if you have not opted out of receiving marketing or, where an affirmative opt-in is required under applicable law, you have affirmatively opted in to receive marketing;
  • to send administrative information to you, such as information about the App and our terms, conditions, and policies;
  • to permit you to participate in polls, surveys, promotions, or other interactive features, such as chat features, and to administer these activities;
  • to personalize your experience and better tailor content and offers to you;
  • to allow you to send messages to another person through the App;
  • to share your feedback with third parties, including our third-party suppliers and partners who help us provide the App;
  • to help us and our business partners better understand our audiences, evaluate user interest in the App, improve the App, and perform other market research activities;
  • for other business purposes, such as data analysis; audits; monitoring and prevention of fraud, infringement, and other potential misuse of the App; modifying the App; determining the effectiveness of our promotional campaigns; and operating and expanding our business activities; and
  • as we believe to be necessary or appropriate: (a) under applicable law, including laws outside your country of residence; (b) to comply with legal process; (c) to respond to requests from public and government authorities, including public and government authorities outside your country of residence; (d) to enforce our terms and conditions; (e) to protect our operations; (f) to protect our rights, privacy, safety or property, and/or that of you or others; and (g) to allow us to pursue available remedies or limit the damages that we may sustain.

In addition to those purposes listed above, we may use your information for any other purpose disclosed to you at the time of collection or that you have previously authorized. For example, if you, separately, choose to participate in any clinical studies, you will be asked to first review and sign an informed consent and authorization form (if applicable) (“Informed Consent”) for the study. By using the App and related App Services, you may also consent to the collection, use, and sharing of your information collected from and shared with the clinical studies as described in this Policy and as outlined in the Informed Consent, to the extent your Informed Consent permits the use and disclosure of your Personal Information in connection with the App and the App Services. To the extent anything in this Policy conflicts with the Informed Consent, the terms of the Informed Consent will control.

We may combine, aggregate, or anonymize any of the information we collect from you with other information we may collect from or about you from any other online or offline source. We may use information that does not personally identify you for any purpose, except where we are required to do otherwise under applicable law.

When and to Whom Do We Disclose Your Information?

We may disclose your Personal Information for business purposes to the following parties:

  • Our Affiliates. We may share certain information about you with our subsidiaries and affiliates within the CareDx group of companies for the purposes set out above;
  • To Service Providers and Business Partners. We may share your Personal Information with our service providers and business partners that provide services to us, such as those that fulfill requests for information, answer calls, administer programs or projects, assist in research and development, or deliver advertisements or other communications;
  • Third Party Integrations. We may share your Personal Information with third-party sites or platforms, such as with your social networking service, if you have expressly requested that we do so via the App. For example, with your consent, we may share your profile information and data collected from your connected devices with other health-focused mobile applications installed on your mobile device to help you track your health and wellness information, such as Apple HealthKit or a comparable data aggregation service. If you share your information with these apps, your Personal Information, including your health information, will be used in accordance with privacy policies for those separate apps, not this Policy;
  • Other App Users. We may share your Personal Information with other App users and authorized individuals interacting with the App Services, including, for example:
    • Other Transplant Patients, that you may interact with directly or direct us to contact;
    • Transplant Buddies, such as a friend, family member, or another individual interested in monitoring your progress as a transplant patient;
    • Health Care Providers, who may be responsible for helping you understand how to use the App and may also be providing advice to support your patient care via the App and in the context of their job function; and
    • Patient Care Managers, who may be responsible for working with third parties, including transplant centers, to facilitate your testing services;
  • Healthcare Providers. With your consent, we may share your information, including information collected from your connected devices, with your healthcare providers (e.g. Transplant Coordinator, Surgeon, Nephrologist) that you designate to receive your information;
  • CareDx and Health Researchers. We may share information collected through the App and the App Services with healthcare researchers and other research organizations, including information generated from the App, the App Services, and connected devices;
  • Other Third-Parties You Designate and Persons You Direct Us To Contact. With your consent, we may share your information with any individual you authorize to receive your Personal Information (e.g., immediate family or friends). We do not verify the accuracy of any information you provide with respect to your designated recipients. Once you establish a designated recipient, we share your Personal Information with that designated recipient until you terminate the designation. We have no control over what the designated recipient does with your Personal Information. If your designated recipient is an entity, we encourage you to consult that designated recipient’s terms of use, privacy policy, and other provisions of the designated recipient’s website and services as they apply to your Personal Information;
  • Government and Regulatory Authorities. As required by law, such as to law enforcement, to health authorities to report possible adverse events, during government inspections or audits, as ordered or directed by courts or other governmental agencies, or in order to comply with a subpoena or other legal process;
  • Courts and Administrative Tribunals. When we believe in good faith that disclosure is necessary to protect legal rights or the security or integrity of our operations or the App; protect your safety or the safety of others; investigate fraud, a breach of contract, or a violation of law; respond to a government request; or allow us to pursue available remedies or limit the damages that we may sustain;
  • Parties to a Corporate Transaction. We may share your Personal Information with third parties, advisors, and other entities to the extent reasonably necessary for development of or to proceed with the negotiation or completion of a corporate or commercial transaction, including a reorganization, merger, acquisition, joint venture, sale or other disposition of all or a portion of our business, assets, or stock (including in connection with any bankruptcy or similar proceedings).

We may also disclose your Personal Information in exchange for monetary or other valuable benefit to our business partners who offer products or services and/or research studies/opportunities jointly with CareDx or to permit a third party or business partner to deliver marketing communications or products and services and/or research studies/opportunities that may be of interest to you, subject to any choices you have expressed. The following categories of your Personal Information may be shared with these parties:

  • Identifiers;
  • Demographic information;
  • Protected characteristics;
  • Commercial information;
  • Medical Information;
  • Financial Information; and
  • Inferences drawn from any of the above information categories.

We may disclose information that does not personally identify you for any purpose, except where we are required to do otherwise under applicable law.

Your Choices

Your preferences about how we use your information are important to us and, when possible, we aim to honor them. If you are a registered user of the App, we offer the following choices that you can exercise with regard to your Personal Information:

  • Unsubscribe. Where you have elected to participate in one of our programs or services or to receive marketing communications from us, we offer you the ability to discontinue your participation or to opt out of receiving those communications in the communication itself. Alternatively, you can contact us to opt out using the contact information found in the “How to Contact Us” section at the end of this Privacy Policy.
  • Manage Notifications. If you are using our mobile application, we will provide you with the opportunity to opt into receiving notifications from us through your device. If you no longer wish to receive these communications, you may opt out of receiving them at the device level by modifying your profile settings.
  • Manage Your Account Information. If you have registered an account, you may access, change, or correct your personal account information at any time by logging into your account. You may also make the request to us using the contact details below, in which case we may need to verify your identity before granting access or otherwise changing or correcting your information.

California Residents: Your California Privacy Rights

If you are a California resident, we offer the following choices that you can exercise with regard to your Personal Information:

  • Opt-outs and Unsubscribing. As described above, CareDx may disclose your Personal Information in exchange for monetary or other valuable benefit. You may request to opt out of such “sale” of your Personal Information to third parties. To do so, please contact us using the contact information found in the “How to Contact Us” section at the end of this Privacy Policy. Additionally, where you have elected to participate in one of our programs or services or to receive marketing communications from us, we may offer you the ability to discontinue your participation or to opt out of receiving those communications in the communication itself, or by reaching out to us using the contact details below. Please note that you may not opt out of receiving non-promotional email messages regarding certain administrative, technical, or safety notices about the App or our products or services.
  • Access and Portability. You may request certain details about how your Personal Information is handled and receive specific pieces of your Personal Information by mail or electronic communication. You are entitled to request your Personal Information no more than twice in any twelve-month period.
  • You may exercise your right to request the deletion of certain Personal Information which we have collected about you in connection with the App.

To exercise your preferences with respect to your Personal Information, contact us by email at customercare@caredx.com or call us at +1-888-255-6627. You may freely exercise these rights without fear of being denied goods or services.  However, in some circumstances, for example where you have requested a service that requires the use of your Personal Information, we may not be able to provide that service if you choose to delete your Personal Information.

Do Not Track Signals

California law requires that we indicate whether we honor “Do Not Track” settings in your browser concerning targeted advertising. We do not currently respond to web browser “Do Not Track” signals or other mechanisms that provide a method to opt out of the collection of information on the App. For more information about DNT signals, please visit http://allaboutdnt.com.

Information Security

CareDx uses commercially reasonable physical, managerial, and technical safeguards to preserve the integrity and security of the Personal Information you provide to CareDx.  We cannot, however, ensure or warrant the security of any information you transmit to CareDx, and you do so at your own risk.  Once we receive your transmission of information, CareDx makes commercially reasonable efforts to ensure the security of our systems.  However, please note that this is not a guarantee that such information may not be accessed, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards.

Children’s Information

CareDx does not knowingly collect any Personal Information from children under the age of thirteen (13) without parental consent, unless permitted by law. A parent or guardian, however, may use the App to establish a user account for a minor under the age of thirteen (13). The parent or guardian is solely responsible for providing supervision of the minor’s use of the App and any related App Services and the parent or guardian assumes full responsibility for ensuring that the child’s registration information is kept secure and that the information submitted is accurate. The parent or guardian also assumes full responsibility for the interpretation and use of any information provided through the App and the App Services for the minor.

If we learn that a child under the age of thirteen (13) has provided us with Personal Information, as defined by the Children’s Online Privacy Protection Act, we may delete it. If a parent or guardian becomes aware that his or her child has directly provided us with Personal Information, please contact us by using the contact information below.

Note to International Users

The App Services are controlled and operated from the United States and CareDx makes no representation that the App Services are appropriate or available for use in locations outside of the United States. By accessing or using the App, any information you provide to us or that we automatically collect will be received in the United States and may be transferred to other jurisdictions and you explicitly authorize its processing in the United States in accordance with this Policy and pursuant to the laws of the United States, as well as subsequent transfers outside the United States. If we transfer your Personal Information outside the United States, we take steps to protect your Personal Information as required under applicable law. We will retain your Personal Information for no longer than is necessary for the performance of our obligations, to achieve the purposes for which the information was collected, or as may be permitted under applicable law.

Links to Third Party Services

The App may contain links to third party services that are not under our control. We are not responsible for the collection and use of your information by any such services, and we encourage you to review their privacy policies. In addition, we are not responsible for the information collection, use, disclosure, or security practices of other organizations, such as Facebook, Apple, Google, Microsoft, or any other app developer, app provider, social media platform provider, operating system provider, wireless service provider, or device manufacturer, including in connection with any information you disclose to such other organizations through or in connection with the App.

Integration with Apple HealthKit™ or a comparable data aggregation service

You may opt to integrate the App with the Apple HealthKit™ database or a comparable data aggregation service. The App cannot read or write to the HealthKit database or the comparable data aggregation service database without your explicitly granted permission. Please note, the information you provide directly from the Apple Health App or a comparable data aggregation service (i.e., not through the App or the App Services) is governed by the Apple Terms and Conditions and Privacy Policy or the applicable data aggregation service Terms and Conditions and Privacy Policy. CareDx is in no way responsible for the protection of data and information stored within the Apple HealthKit database or a comparable data aggregation service database. It is strongly recommended that you review the applicable policies and procedures before syncing and backing up your Apple HealthKit data or other comparable data aggregation service data.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time by linking to a new Privacy Policy within the App. We reserve the right to modify this Policy at any time, so we encourage you to review it frequently. If we make a material change to our Privacy Policy, we will take reasonable steps to notify you, for example, by posting a banner or pop-up notice on the App. If you continue to use the App after having been provided with such notice you will be deemed to have acknowledged the updated privacy policy.

Effective date, date last modified:

This Privacy Policy was last modified on September 22, 2020.

CareDx contact information:

If you have any questions about this Privacy Policy, please contact us by email at customercare@caredx.com or by calling us at +1-888-255-6627.