CareDx Website (and Point of Collection) Privacy Notice

Effective date: December 15, 2022

This Privacy Notice (“Notice”) describes how CareDx, Inc. and its affiliates (collectively, “CareDx,” “we,” “us,” or “our”) may collect, use, and disclose any information that identifies you or that we reasonably can link to information that identifies you or your household (“Personal Information”) which we collect from visitors to the CareDx Website, from other consumers, from conference attendees, customers, and business partners, as well as your choices and rights relating to your Personal Information. The “CareDx Website” means the website www.CareDx.com and any website operated by or on behalf of CareDx that links to this Notice.

Protected Health Information

This Notice does not apply to Protected Health Information (“PHI”), as defined in the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, as amended (“HIPAA”). For information regarding how we collect, use, and disclose PHI that we receive as a covered entity under HIPAA, please see our Notice of Privacy Practices. We may also maintain your PHI on behalf of other third parties subject to HIPAA, including, for example, physicians, hospitals, or medical facilities that are CareDx customers. Where we maintain your PHI on behalf of any third party subject to HIPAA, we will maintain that information in accordance with the applicable Business Associate Agreement that CareDx enters into with that third party.

Personal Information We Collect

Information You Provide. We collect the Personal Information you provide to us when you access or use the CareDx Website, such as when you create an account on the CareDx Website, use a feature on the CareDx Website, contact us with a question, comment, or request in connection with the CareDx Website or our products and services (collectively, the “Services”), or interact with us at an industry conference. The categories of Personal Information that we collect include the following:

  • Identifiers, including but not limited to your name, email address, account name, postal mailing address, telephone number, fax number, IP address, or other identifying information;
  • Demographic Information, including but not limited to Characteristics of Protected Classifications under California or Federal Law such as gender or age;
  • Commercial Information, including but not limited to payment information or transaction history, products or services purchased, obtained or considered, request documentation, and your customer service records;
  • Professional or Employment-Related Information, including but not limited to employer, job title, state medical license number, work skills, and employment history; and
  • Educational Information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g; 34 C.F.R. Part 99), including but not limited to information about education history or background.

Information We Receive from Third Parties. We may receive information about you from third parties, including public and private databases, providers of demographic information, healthcare professionals, hospitals, or similar healthcare providers, or other users with whom you are connected via the Services. For example, we receive Personal Information, including

  • Online Identifiers, from our marketing partners in order to provide various marketing, advertising, and customer support services directly to you; and
  • Inferences about you including information based on statistics, trends, or assumptions about the products and services that may interest you.

Information We Collect Automatically. When you access and use the CareDx Website, we and our third-party service providers may collect information, including usage and technical data, automatically from your device, including, for example:

  • Internet or Other Electronic Network Activity Information, such as web browser type, the web pages or sites that you visit just before or just after the CareDx Website, the pages you view on the CareDx Website, and the dates and times that you visit the CareDx Website; and
  • Geolocation Data, such as information that can be used to identify the precise physical location of a mobile device.

Subject to applicable laws, we may combine any of the information we receive about you with Personal Information we obtain from third parties such as healthcare professionals, hospitals, or similar healthcare providers or their representatives who may use patient-related products and services that we make available to them.

Sensitive Personal Information

We do not collect sensitive categories of Personal Information, such as precise geolocation data, account usernames and passwords, information about your race, political views, religious views, or health conditions or other protected classifications (“Sensitive Personal Information”), without obtaining your consent if required by law. We only use Sensitive Personal Information to perform services reasonably expected by average customers and other users who request those services; to prevent, detect, and investigate security incidents; to prevent and prosecute fraudulent or illegal actions directed at us; for short-term, transient use; to perform services on behalf of the business; or to verify or maintain the quality or safety of a product, service, or device which we may own, control, or provide, or to improve, upgrade, or enhance such services or devices.

Depending on your purpose for accessing the CareDx Website, we may collect, use, or share protected health information that you provide to us for purposes related to your treatment, your payment, or our healthcare operations. For information on how we collect, use, and disclose your protected health information, please see our Notice of Privacy Practices.

Online Identification Technologies

We may use online identification technologies, such as cookies, web beacons, or pixels in connection with the CareDx Website. These online identification technologies can be used to store registration information in an area of our site so that a user does not need to re-enter it on subsequent visits to that area. It is our intention to use these technologies to make navigation of our websites easier for visitors, to facilitate efficient registration procedures (including remembering preferences), to better deliver tailored content to visitors, and for interest-based advertising purposes as described below.

We may also use site analytics providers, which may set cookies in your browser. For example, we partner with Google Analytics, which uses cookies to track your interactions with the CareDx Website. Google then collects that information and reports it back to us. This information helps us improve the CareDx Website so that we can better serve users like you. For information on how to opt out of Google Analytics tracking your online activity, visit https://support.google.com/analytics/answer/181881?hl=en.

If you are concerned about cookies, you may exercise certain preferences through the cookie settings offered on the CareDx Website. In addition, most browsers permit individuals to decline cookies. In most cases, you may refuse or delete one or more cookies and still access the CareDx Website, but the functionality of the CareDx Website may be impaired. After you finish using the CareDx Website, you may delete site cookies from your system if you wish. If you would like more information on how to opt out of cookies, please visit: http://optout.aboutads.info.

Interest-based Advertising

We may collect information about your online activities on the CareDx Website for use in providing you with advertising about products and services tailored to your individual interests. This section of our Privacy Notice provides details and explains how to exercise your choices.

You may see certain ads on other websites because we participate in advertising networks. Ad networks allow us to target our messaging to users through demographic, interest-based and contextual means. These networks track your online activities over time by collecting information through automated means, including through the use of cookies, web server logs and web beacons. The networks use this information to show you advertisements that may be tailored to your individual interests. The information our ad networks may collect includes information about your visits to websites that participate in the relevant advertising networks, such as the pages or advertisements you view and the actions you take on the websites. This data collection takes place both on our websites and on third-party websites that participate in the ad networks. This process also helps us track the effectiveness of our marketing efforts.

To opt out of online behavioral advertising, you can use the opt-out tools provided by the Network Advertising Initiative and the Digital Advertising Alliance.

How We Use Your Personal Information

We may use your Personal Information for the following purposes:

  • Identification and authentication: We use Personal Information to verify identity when you access and use the CareDx Website and to protect the security of your Personal Information.
  • Operating the Services: We process your Personal Information to provide the Services you have requested.
  • Improving our Services: We analyze information about how you use our Services to provide an improved experience for our customers of all our Services, including product testing and website analytics.
  • Communicating with you: We may use your Personal Information when we communicate with you, for example if we are providing information about changes to the terms and conditions or if you contact us with questions.
  • Marketing: We may use your Personal Information to send you marketing communications related to our products and services, including those pertaining to AlloCare, and to build a profile about you and place you into particular marketing segments in order to understand your preferences better and to appropriately personalize the marketing messages we send to you.
  • Informing you of research, clinical trial, and treatment opportunities: We may use your Personal Information to identify research studies, clinical trials, treatments, and similar opportunities that may be of interest to you and, as appropriate, we may communicate with you regarding any such opportunities. Where necessary, we will obtain your consent before sending such communications. Please note, if you choose to participate in any opportunities, as patient or provider, the Personal Information collected from you as participant may be subject to additional and different privacy notices.
  • Exercising our rights: We may use your Personal Information to exercise our legal rights where it is necessary to do so, for example to detect, prevent and respond to fraud claims, intellectual property infringement claims or violations of law or our Terms of Use.
  • Complying with our obligations: We may process your Personal Information to, for example, carry out fraud prevention checks or comply with legal or regulatory requirements.
  • Customizing your experience: When you use the CareDx Website, we may use your Personal Information to improve your experience of the CareDx Website, such as by providing interactive or personalized elements on the CareDx Website and providing you with content based on your interests.

We use de-identified, aggregate, pseudonymized, or anonymized information to help us analyze the use of the CareDx Website. Where permitted by law, this Notice does not limit our use or disclosure of de-identified, aggregate, pseudonymous, or anonymous information, and we reserve the right to use and disclose such information to other third parties in our discretion.

How and When We Disclose Your Personal Information

We may disclose your Personal Information with third parties under the following circumstances:

  • Our Affiliates. We may disclose certain information about you to our affiliates (e.g. your buying and browsing history on the CareDx Website) for marketing purposes, security, optimization of products and services, and internal reporting. We do this for the purposes set out above.
  • Service Providers and Business Partners. We may disclose your Personal Information to our service providers and business partners that provide services or perform functions on our behalf so that we may operate and manage our business, including but not limited to providing our services and products to you. The services or functions that our service providers perform on our behalf include but are not limited to marketing, website hosting, technical support and maintenance, email, payment processing, shipping services, and other business or administrative operations, legal functions, and identity verification.
  • Parties to a Corporate Transaction. In the event our assets are transferred or sold to another entity, your Personal Information may be transferred to the acquiring entity and/or to potential acquiring entities to the extent permitted by applicable law.
  • Third-Party Integrations. Third parties whose products or services you choose to integrate into our products and services.
  • Other Third Parties You Designate. Third parties, including healthcare providers, that you otherwise designate. Please note, you are responsible for determining your designated recipients and providing CareDx with accurate information for such designated recipients. We do not verify the accuracy of any information you provide with respect to your designated recipients. Once you establish a designated recipient, we disclose your Personal Information to that designated recipient until you terminate the designation. We have no control over what the designated recipient does with your Personal Information. If your designated recipient is an entity, we encourage you to consult that designated recipient’s terms of use, privacy policy, and other provisions of the designated recipient’s website and services as they apply to your Personal Information.
  • Courts and Administrative Tribunals. To protect our interests and interests of others, we may disclose your Personal Information as is necessary in connection with legal or administrative proceedings, including, without limitation, to identify, contact, or bring legal action against a person or entity who may be violating our Terms of Use, or who may be causing harm to, or interfering with, other users of the Services.
  • Government Authorities and Law Enforcement Officials. We may disclose your Personal Information to law enforcement agencies, courts, other government authorities or other third parties where we believe necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights or the rights of any third party.

Your Choices

Your preferences about how we use your information are important to us. We encourage you to contact us at the contact information set forth below to update or correct your information if it changes or if the Personal Information we hold about you is inaccurate. Please note that we may require additional information from you in order to verify your identity or honor your requests.

You may unsubscribe from our marketing or promotional emails. To do so, please email us at marketing@caredx.com or use the unsubscribe mechanism offered in our marketing emails or other communications as applicable. Please note that if you already have requested our products or services when you decide to unsubscribe, there may be a short period of time for us to update your preferences and ensure that we honor your request.

Additional Notice of State-Specific Privacy Information and Rights

State-Specific Privacy Rights

If you are a resident of California, or a U.S. state in which a comprehensive privacy law similar to the California Consumer Privacy Act comes into effect after the Effective Date of this Privacy Notice, you may have one or more of the following rights. We will honor requests received to the extent required by applicable law and within the time provided by law.

  • Right to know. You may have the right to request that we disclose certain information to you about our collection and use of your Personal Information over the past 12 months. Specifically, you have the right to request that we disclose:
    • Whether we are processing personal information about you.
    • The categories of Personal Information we collected about you.
    • The categories of sources for the Personal Information we collected about you.
    • Our business or commercial purpose for collecting, selling, or sharing that Personal Information.
    • The categories of third parties to whom we disclose that Personal Information.
    • The categories of Personal Information about you, if any, that we have sold or shared and the categories of third parties to whom we have sold or shared the information, by category or categories of Personal Information for each category of third party to whom we sold or shared the Personal Information.
    • The categories of Personal Information about you that we disclosed for a business purpose and the categories of recipients to whom we disclosed the information for a business purpose.
    • The specific pieces of Personal Information we collected about you.
  • Right to delete. You may have the right to request that we delete Personal Information that we have collected about you. Please note if you have requested a service that requires the use of your Personal Information, we may not be able to provide that service if you choose to delete your Personal Information.
  • Right to Correct. You may have the right to request that we correct inaccurate Personal Information that we have collected about you.
  • Right to Opt Out. You have the right to opt out of the sale of Personal Information about you for valuable consideration, the sharing of Personal Information about you for cross-context behavioral advertising, targeted advertising, and profiling in furtherance of decisions that produce legal or similarly significant effects concerning you. To opt-out, click Do Not Sell or Share My Personal Information or as provided below under “Exercising Your Applicable State Specific Rights.”
  • Right to Appeal. If you receive our refusal to fulfill a previous request that you submitted, you may have the right to appeal such refusal by emailing us at privacy@caredx.com.
  • Right to Non-Discrimination. Subject to applicable law, we will not discriminate against you for exercising any of the above-listed rights or any other rights under the California Consumer Privacy Act or similar comprehensive privacy laws that come into effect in U.S. states after the Effective Date of this Privacy Notice, including by:
    • Denying you goods or services.
    • Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties.
    • Providing you a different level or quality of goods or services.
    • Suggesting that you will receive a different price or rate for goods or services or a different level or quality of goods or services.

We may, however, charge different prices or rates, or provide a different level or quality of goods or services, if that difference is reasonably related to the value provided to CareDx by your Personal Information, subject to the requirements of applicable law.

Disclosure, Selling, and Sharing of Personal Information

Within the last 12 months, we have disclosed the categories of Personal Information identified in the above section titled “Personal Information We Collect” for our business purposes. We list the categories of third parties to which we may disclose Personal Information in the above section titled “How and When We Disclose Your Personal Information”.

As is common practice among businesses that operate websites, we may disclose certain identifiers, information about the use of the CareDx Website, and inferences drawn about you to our analytics, advertising, and social media partners for their services. These disclosures may qualify as sales of Personal Information for valuable consideration or sharing of Personal Information for cross-context behavioral advertising under applicable law. However, we do not sell or share Personal Information covered by this Privacy Notice in exchange for monetary value. We also do not knowingly sell or share the Personal Information of individuals under 16 years of age.

Exercising Your Applicable State-Specific Rights

If you are a resident of California or a U.S. state in which a comprehensive privacy law similar to the California Consumer Privacy Act has come into effect since the Effective Date of this Privacy Notice, and you would like to exercise any of the above rights, please submit your request via our webform, email us at privacy@caredx.com, or call us at +1-888-255-6627.

For requests made in connection with the Right to Know, Right to Correct, and Right to Delete, please note:

  • As required or permitted by law, we may take steps to verify your request before we can provide Personal Information to you, correct Personal Information, delete Personal Information, or otherwise process your request. To verify your request, we may require you to provide your name, physical address, email address, contact information, and information about your account or previous transactions with us. If we believe we need further information to verify your request as required by law, we may ask you to provide additional information to us.
  • We may also limit our response to your exercise of rights as permitted by law. For example, if you request deletion, we may need to retain certain Personal Information to comply with our legal obligations or other permitted purposes.
  • We will deliver Personal Information that we are required by law to disclose to you in the manner required by law within 45 days (or the applicable statutory timeframe) after receipt of a verifiable request, unless we notify you that we require additional time to respond, in which case we will respond within such additional period required by law. We may deliver the Personal Information to you through your account, if you maintain an account with CareDx, or electronically or by mail at your option. If electronically, then we will deliver the information to you or, at your request, to another entity, in a portable and, to the extent technically feasible, in a structured, commonly used, machine-readable format that allows you to transmit the information from one entity to another without hindrance.

If you choose to exercise any of the above privacy rights in applicable states, we will not discriminate against you by offering you different pricing or products, or by providing you with a different level or quality of services, based solely upon your request. However, in some circumstances, for example where you have requested a service that requires the use of your Personal Information, we may not be able to provide that service if you choose to delete your Personal Information.

Authorized Agent

You may designate an authorized agent to request any of the above rights on your behalf. You may make such a designation by providing the agent with a signed written permission stating that the agent is authorized to make the request on your behalf. Your agent may contact us via the information provided in the “Exercising Your Applicable State-Specific Rights” section to make a request on your behalf. If you are submitting a request through an authorized agent, we may, as permitted by law, require:

  • The authorized agent to provide proof that you gave the authorized agent signed permission to submit the request.
  • You to verify your identity directly with us.
  • You to directly confirm with us that you have provided the agent with your permission to submit the request on your behalf.

Data Sharing for Direct Marketing Purposes (California)

California Civil Code § 1798.83 permits California residents to request certain information regarding our disclosure of Personal Information to third parties for their direct marketing purposes. If you are a California resident, you may ask us to refrain from sharing your Personal Information with certain of our affiliates and other third parties for their marketing purposes. To make such a request, please use our webform, email us at privacy@caredx.com, or call us at +1-888-255-6627.

Do Not Track Signals

We do not currently respond to web browser “do not track” signals or other mechanisms that provide a method to opt out of the collection of information across websites or other online services.

International Data Transfer

We may use or process your Personal Information in the United States or any other country in which we or our service providers operate. Because we operate with a technical infrastructure that is located in the United States, we may need to transfer your Personal Information to the United States for storage and as may be otherwise necessary, consistent with the terms of this Notice. Our use and storage of your Personal Information outside of the country in which you reside may subject your Personal Information to laws of other jurisdictions that may be different from the laws of the country in which you reside.

Children’s Information

Protecting the privacy of young children is especially important. For that reason, CareDx does not knowingly collect personal information through the CareDx Website from persons under 16, and no part of the CareDx Website is directed to persons under 16. If you are under 16 years of age, then please do not use or access the CareDx Website at any time or in any manner. If we learn that we have collected Personal Information from a child under 16 years of age, we will take the appropriate steps to delete this information. If you believe we have any information from or about a child under 16, please contact us using the information available in the “Contact Us” section at the end of this Notice.

Third Party Links

The CareDx Website may include links to other websites whose privacy practices may differ from our practices. If you submit Personal Information to any of those sites, your information is governed by their privacy policies. We encourage you to carefully read the privacy statement of any website you visit.

Retention

We will retain your Personal Information for as long as we have a relationship with you. When deciding how long to keep your Personal Information after our relationship with you has ended, we take into account our legitimate business needs and our legal obligations, including, for example, fraud prevention, dispute resolution, investigations, and enforcement of our Terms of Use.

Security

CareDx uses commercially reasonable physical, managerial, and technical safeguards that we designed to preserve the integrity and security of the Personal Information you provide to CareDx. We cannot, however, ensure or warrant the security of any information you transmit to CareDx, and you do so at your own risk. The safety and security of your information also depends on you. Where we have given you (or where you have chosen) a password for access to our Services, you are responsible for keeping this password confidential. We ask you not to share your password with anyone.

Changes to the Privacy Notice

We may modify or update this Notice from time to time. If we update this Notice, we will notify you by posting a new privacy notice on this page. The date this Notice was last revised is identified at the top of the page. You are responsible for periodically visiting the CareDx Website and this Notice to check for any changes. If you continue to use our Services after having been provided with such notice you will be deemed to have acknowledged the updated privacy notice.


Original Effective Date: September 29, 2014

Effective Date of Latest Revision: June 22, 2022

Contact Us

Please contact CareDx with any questions or comments about this Notice, your Personal Information, our third-party disclosure practices, or your consent choices at:  privacy@caredx.com or call us at +1-888-255-6627.