CareDx U.S. Personnel Privacy Notice

CareDx Inc., a Delaware Corporation, and its United States affiliates (“CareDx”, “we”, “us” or “our”) are committed to protecting information that we collect and use for employment, administrative, operational, and business-related purposes, as well as for the administration of our human resources (“HR”) functions. This U.S. Personnel Privacy Notice (the “Notice”) describes CareDx practices regarding the collection, use, transfer, disclosure, and other handling of the personal information of past or present directors, officers, employees, temporary workers, contractors, and job applicants (collectively, “you” or “Personnel”). This Notice may be updated from time to time to reflect changes in our personal information processing practices, and we will promptly update you when any such changes occur.

  1. Scope

This Notice applies to past or present CareDx directors, officers, employees, temporary workers, contractors, and job applicants who work in the United States.

  2. Personal Information We Collect

Good employment practices and the effective running of our business require us to collect, use, and otherwise process personal information that identifies or can identify you or a member of your household (“Personal Information”). CareDx may collect the following categories of Personal Information about Personnel:

  a. Identifiers such as a real name, suffix, alias, postal address, unique identification numbers (e.g., Personnel ID, System ID), online identifier, internet protocol address, email address, account name(s) or handle(s), date of birth, social security number, driver’s license number and photocopy, passport number and photocopy, state identification card number, usernames, passwords (whether assigned by CareDx or selected by you), and any other similar identifiers.
  b. Additional types of information that may identify, relate to, describe, or be capable of being associated with particular individuals, including the “identifiers” listed in the preceding bullet point a., and the following: marital status, birth or marriage certificates, nationality, ethnicity, gender, sexual orientation, signature, images, physical characteristics or description of yourself (such as, e.g., photographs or audio and/or visual recordings), address, home and mobile telephone numbers, vehicle registration and plate information, driving history, education, employment, employment history, bank account information, credit card number, debit card number, or any other financial information, medical information, and health insurance information.
  c. Characteristics of protected classifications under California or federal law, such as race, color, ethnicity, religion, national origin, sex, gender, marital status, medical conditions, disability status, information on physical limitations, special needs and other medical or health-related workplace accommodations, military and/or veteran status, residency, work permit status, age (40 years and older), and, where permitted by law and proportionate in view of the function to be carried out by Personnel, the results of credit and criminal background checks, drug and alcohol testing, and other screening procedures.
  d. Biometric information, including fingerprint and fingerprint templates that may be used in connection with securing and providing Personnel with access to certain CareDx systems and applications.
  e. Internet or other electronic network activity information, including, but not limited to, information regarding and/or collected automatically as part of your interaction with CareDx IT systems; electronic content produced or received by you using CareDx IT systems (including documents, information, emails, and other electronic communications transmitted or received through the use of CareDx IT systems); information relating to your accounts held on CareDx IT systems, websites, or apps (including account profiles on CareDx websites or apps and data stored in relation to such accounts, e.g., rights and privileges, activity, interests, favorites, likes, preferences, or other information that may be associated with your account); and information received by CareDx if you sign into IT systems, websites, apps, or accounts using social media or other third-party tools. This also includes voicemails, emails, and other work product correspondence and communications created, stored, or transmitted using CareDx computers, devices, or other communications equipment.
  f. If you use certain CareDx apps or websites, such apps or websites may collect geolocation data.
  g. As permitted by law, audio, electronic, visual, or similar information, such as photographs, and information captured on security systems, including key card or other entry control systems and CCTV systems.
  h. Other professional or employment-related information, including employment history, educational background and status, professional certifications, language capabilities, references, letters of recommendation and interview notes; start date/orientation date, title/position, grade and department/organization, region/location, employment status, work-related contact details, date(s) of promotion, work history, spouses or relatives who may work for CareDx and your relationship to them, technical skills; training records; emergency contact information; salary, bonus, long-term incentives and award history; work time and payroll records; sick pay/days, records of work absences, vacation entitlement and requests, performance appraisals, disciplinary and grievance procedures; pensions, investment accounts, insurance, and other benefits information (which may include information about your spouse, children and other eligible dependents and beneficiaries); date of hire, date of resignation or termination, reason for resignation or termination, other information relating to termination of employment; information collected in connection with taxation (such as information collected via standard tax forms) and verifying your right to work in the United States; acknowledgements regarding CareDx policies, as well as information provided pursuant to CareDx policies, such as information regarding potential conflicts of interest or similar compliance-related information; information we collect in connection with special offers or promotions that may be available to you by virtue of your employment with CareDx, if you elect to purchase or otherwise take advantage of such offers; your ownership interest in CareDx; information we collect, including through third-party suppliers, regarding content and other data posted on the Internet (such as data posted in social media and other public locations on the Internet); and any information needed to comply with CareDx policies, EEOC or other reporting, law, court or other governmental requests, or law enforcement authorities.
  i. Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g, 34 C.F.R. Part 99). This includes details contained in letters of application and resume/CV such as institutions attended and performance.
  j. Sensitive Personal Information, including government identifiers such as social security number, driver’s license number, state identification card number, or passport number; complete account access credentials (usernames and passwords, whether assigned by CareDx or selected by you); financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; precise geolocation data; racial or ethnic origin; religious or philosophical beliefs; mail, email, or text message contents not directed to us; biometric information processed for the purpose of uniquely identifying a person; health information; or sexual orientation.
  k. Inferences drawn from any of the information identified in this subdivision to create a profile about a person reflecting the person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

We do not sell the Personal Information or sensitive Personal Information we collect, or share this information for cross-context behavioral advertising.

  3. Retention Policy

CareDx will retain your Personal Information, including certain sensitive Personal Information as defined under applicable state privacy laws, such as the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, for as long as it is legally required or needed for CareDx’s legitimate business purposes as provided in Section 4 of this Notice.

  4. Purposes for Collection of Your Personal Information

We may use and disclose your Personal Information to third parties for the following purposes and processing activities:

  1. To perform our operational purposes as an employer, which may include:
    1. Staffing and workforce management purposes, including recruitment, onboarding, training and development, scheduling and workforce planning, travel planning and management, vacation management, performance management, fleet management, strategic planning, succession planning and termination.
    2. Compensation, payroll, tax, insurance, pension and benefit planning and administration.
    3. Administration and maintenance of our occupational health plans, including work-related injury and illness recording obligations.
    4. Maintaining or servicing accounts and providing customer service.
    5. Providing you with access to information technology systems, networks, and/or applications owned or operated by CareDx as may be connected with your employment, as well as operating, analyzing, improving, and securing such systems.
    6. Aggregated benchmarking, statistical reporting and analytics to (i) manage our workforce and carry out our business operations, (ii) gather demographic information about our Personnel, and (iii) determine how we may better allocate resources and improve our services.
    7. Compiling and providing Personnel directories and contact information, facilitating communication, issuing CareDx and emergency notices, providing and operating social, professional and CareDx forums/platforms (including digital and social media forums/platforms), facilitating townhall meetings, and providing news and information regarding CareDx, its business and Personnel.
    8. Creating promotional and commercial marketing materials, creating marketing events and collateral, issuing press releases, providing website information and disclosures, providing public webinars and meetings, running public activities and speaking events, participating in or operating CareDx’s patient ambassador program, and supporting CareDx ambassador or liaison activities.
    9. Short-term, transient use, provided that the Personal Information is not disclosed to another third party and is not used to build a profile about you or otherwise alter your experience outside the current interaction.
    10. Investor relations, corporate disclosures, financial reporting and disclosures, government reporting, participation in government programs.
    11. Facilitating customer and vendor communication or requests.
    12. Monitoring and protecting the security and use of our networks, communications and systems, offices and facilities, reports, property and infrastructure; detecting security incidents; protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity; security investigations; and debugging to identify and repair errors that impair existing intended functionality.
    13. Ensuring business continuity, supporting CareDx operations and legitimate business purposes.
    14. Payor or insurance coverage requirements and applications.
    15. Undertaking internal research for technological development and demonstration.
    16. Communicating with Personnel, conducting Personnel surveys, and other similar HR initiatives (including for measuring Personnel engagement), and providing reporting channels for Personnel including compliance or similar hotlines, HR operations, investigations and assessments.
    17. Undertaking activities to verify or maintain the quality or safety of a product or service that is owned, manufactured, manufactured for, provided by, provided at the direction of or controlled by CareDx, and to improve, upgrade, or enhance the service or product that is owned, manufactured, manufactured for, provided by, provided at the direction of or controlled by CareDx.
  2. To achieve purposes that have been notified to you or authorized by you, which may include:
    1. The administration of Personnel participation in various programs and services offered to eligible Personnel.
    2. Other activities involving Personal Information that have been notified to you as required by law.
  3. To comply with our legal obligations or in connection with legal claims, which may include:
    1. Business licensing, state licensing, regulatory licensing.
    2. Compliance with our policies and legal obligations.
    3. Dispute and complaint resolution, enabling compliance reporting, internal investigations and reviews, auditing, compliance, and risk management.
    4. Preventing illegal, wrongful, or unethical conduct in the conduct of the CareDx business; protecting the health and safety of Personnel and others; and safeguarding and maintaining the security of our premises, assets, and IT systems and infrastructure.
    5. Compliance with record-keeping, retention and reporting obligations.
    6. Compliance with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities.
    7. Cooperation with law enforcement agencies concerning conduct or activity that may violate federal, state, or local law.
    8. Establishing, exercising, or defending against legal claims.

To the extent any envisioned use is inconsistent with or outside of the above contemplated uses in this Notice, we will communicate that to you as required by law.

  5. Sharing of Your Personal Information

CareDx may share personal information with affiliates and third parties as we deem appropriate for any purpose set forth or contemplated in this Notice. In general, CareDx shares personal information with the following categories of third parties:

  • Our affiliates;
  • Vendors, service providers, and other business partners;
  • Regulatory and/or government agencies, public authorities, law enforcement and security agencies, and courts, and other governmental or public bodies;
  • Parties involved in a corporate transaction in the event our assets are transferred or sold to another entity;
  • Professional advisers such as our legal representatives, auditors, and insurance brokers;
  • Courts and administrative tribunals as necessary in connection with legal or administrative proceedings; including disclosures to protect the rights, property, interests, health, safety, or security of our Personnel, customers, third parties, or the general public; and
  • Government authorities, law enforcement agencies or officials or other third parties, where we believe necessary to comply with a legal or regulatory obligation, protect our rights, or protect the rights of any third party.

  6. Notice of Monitoring

Your role, job, or affiliation with CareDx may provide you with access to computers, tablets, phones, devices, information technology systems, networks, and/or applications owned or operated by or on behalf of CareDx (the “Systems”). Please note that CareDx may monitor and record your use of these Systems, including activity you conduct while using the Systems, emails, telephone conversations or transmissions, internet access or usage, chats, SMS or text messages and other electronic communications sent, received, or stored through these Systems, for any lawful purpose including to operate the Systems, to evaluate your use of the Systems, for compliance, investigations and audit purposes, and to protect against fraud, illegal activity, violation of CareDx policies, or misuse of the Systems, CareDx information assets, or other property. Monitoring may occur in connection with any System, including (without limitation) with employees’ use of a computer, telephone, wire, radio, or electromagnetic, photoelectric, or photo-optical System. Accordingly, you should not have any reasonable expectation of privacy in connection with your use of CareDx Systems.

We also monitor our offices, and other workplace facilities, through video monitoring such as closed-circuit television (“CCTV”) and badge scans for security purposes. CCTV is primarily used at office entrance and exit points, elevator lobbies, rooms where there may be valuable equipment, such as server rooms, and in other select areas with a high risk for theft or with highly sensitive assets. CCTV is not used in private spaces such as restrooms, new mothers’ rooms, or locker rooms. Nor is it used to monitor Personnel workstations for performance reasons.

  7. Your Obligations Regarding Handling Personal Information

Please help keep your Personal Information up to date and inform us of any significant changes to your Personal Information.

Further, when handling personal information about others in the course of your employment, you must follow the law and CareDx policies, standards and procedures that are brought to your attention. In particular, you must not access or use any such personal information for any purpose other than in connection with, and to the extent necessary for, your work with CareDx. Your obligation to keep the personal information of others confidential continues after separation or termination of your relationship with CareDx.

  8. Your Privacy Rights

U.S. Personnel of CareDx who reside in the United States may have the following rights, to the extent permitted by applicable law:

Right to Know. You may have the right to request that we disclose certain information to you about our collection and use of your Personal Information, including:

  • The categories of Personal Information we collected about you.
  • The categories of sources for the Personal Information we collected about you.
  • Our business or commercial purpose for collecting, selling or sharing that Personal Information.
  • The categories of third parties to whom we disclose that Personal Information.
  • The specific pieces of Personal Information we collected about you.
  • The categories of Personal Information about you, if any, that we have sold or shared and the categories of third parties to whom we have sold or shared the information, by category or categories of Personal Information for each third party to whom we sold or shared the Personal Information.
  • The categories of Personal Information about you that we disclosed for a business purpose and the categories of persons to whom we disclosed the information for a business purpose.

Right to Delete. You may have the right to request that we delete Personal Information we have collected from you.

Right to Correct. You may have the right to request that we correct inaccurate Personal Information that we have collected about you.

Right to Non-Discrimination. Subject to applicable law, we may not discriminate against you for exercising any of the above-listed rights.

Within the last 12 months, we have disclosed the categories of Personal Information identified in the above section titled “Personal Information We Collect” for our business purposes. We list the categories of third parties to which we may disclose Personal Information in the above section titled “Sharing of Your Personal Information.” In the same period, CareDx has not sold Personnel’s Personal Information or sensitive Personal Information or shared this information for cross-context behavioral advertising as defined under California law.

CareDx only uses and discloses sensitive Personal Information for purposes of payroll processing, employee benefits eligibility, work or right to work eligibility, background checks, to prevent, detect, and investigate security incidents that compromise the availability, authenticity, integrity, or confidentiality of stored or transmitted Personal Information, to resist malicious, deceptive, fraudulent, or illegal actions directed at CareDx and to prosecute those responsible for those actions, in connection with affirmative action and diversity, equity, and inclusion programs, to prosecute and defend legal claims, and compliance with employment, income tax, and other applicable laws.

As required or permitted by law, we may take steps to verify your request before we can provide Personal Information to you, correct Personal Information, delete Personal Information, or otherwise process your request. To verify your request, we may require you to provide your name, physical address, email address, or contact information. If we believe we need further information to verify your request as required by law, we may ask you to provide additional information to us.

We may also limit our response to your exercise of rights as permitted by law. For example, if you request deletion, we may need to retain certain Personal Information to comply with our legal obligations or other permitted purposes.

We will deliver Personal Information that we are required by law to disclose to you in the manner required by law within 45 days (or the applicable statutory timeframe) after receipt of a verifiable request, unless we notify you that we require additional time to respond, in which case we will respond within such additional period required by law. We may deliver the Personal Information to you electronically or by mail at your option. If electronically, then we will deliver the information in a portable and, to the extent technically feasible, in a structured, commonly used, machine-readable format that allows you to transmit the information from one entity to another without hindrance.

You may request to exercise your rights by:

Visiting the CareDx Privacy Rights Center and submitting a request, by emailing us at privacy@caredx.com, or by calling us at 1-888-255-6627. Please make sure that you identify yourself as an employee, contractor, job applicant or former employee when submitting your request.

You may designate an authorized agent to request any of the above rights on your behalf. You may make such a designation by providing the agent with a signed written permission stating that the agent is authorized to make the request on your behalf. If you are submitting a request through an authorized agent, we may, as permitted by law, require that the authorized agent provide proof that you gave the authorized agent signed permission to submit the request, require you to verify your identity directly with us and to directly confirm with us that you have provided the agent with your permission to submit the request on your behalf.

  9. Accessibility

If you use assistive technology and the format of this Notice interferes with your ability to access information, please contact us at privacy@caredx.com.

  10. How to Contact Us

If you have any questions or comments about this Notice, or if you would like us to update information we have about you, please contact us at privacy@caredx.com.

This Notice was last updated on December 1, 2022.