The specific categories of information we collect include:
- Personally identifiable information (“PII”). When you set up a Color account, purchase a Test, or agree to use our Services, we collect what is generally called “personally identifiable information” or “PII”, which is information that specifically identifies you as an individual. Examples of PII we collect may include your name, email address, mailing address, phone number, government issued IDs or other identification, credit card, insurance information (if you’re seeking reimbursement), or other billing information. We may also collect information such as date of birth or sex that is considered PII because it can identify a specific individual when linked to other information.
- Personal and family health information (“PFHI”). To provide Services (including generating meaningful Results), we request certain information about you and, for certain Services, about your biological family (e.g., ancestry, age, and biological sex). Personal and Family Health Information for Color’s genetics Services also includes information about your history of certain health conditions, your family history of those conditions, your medication history, and any known genetic mutations in you or your family members. For the Service(s) to perform as intended, it’s important that you provide the most accurate information possible.
- Healthcare provider information. Individuals who use the Service may also provide us with information about their healthcare providers. Healthcare providers using the Service may provide us with information about patients for whom they are ordering a Test and information related to their medical practices, including the health system or clinic where they practice, NPI numbers, fax numbers, and the name, job title, and contact information of other providers involved in an individual’s care.
- Other people’s personally identifiable information. You may only share with Color PII about someone else and their protected health information (“PHI”) with the full and express consent of that other individual, for example, to purchase a Test for someone else or to share information for the Family Testing Program. We reserve the right to require proof of such consent. We will only use the information for the specific reason that it was provided to us and pursuant to the terms of this Policy, our Terms of Service, and if applicable, Informed Consent.
- Biological sample. To use our Tests, we require a biological sample such as a saliva or blood sample for our genetic Testing, or nasal swabs for our COVID-19 Testing. Please carefully review the Terms of Service and Informed Consent for the applicable Test for a description of how we handle your sample.
In general, we use the information that we collect to provide the Services you request, to help improve our services and client experiences, and in some cases, to help advance research and science. Specifically, we may use the information as follows:
- To provide the Services. For example, to set up your Color account, send you your sample collection kit, collect payment for the Service you requested and fulfill orders, and analyze your sample to produce the Results. As part of the genetic Testing Service, we may also periodically review your information to determine if any updates or changes to your Results (including, without limitation, reclassification of Variants of Uncertain Significance) are required. We may also use the information to conduct general business operations such as accounting, recordkeeping, and audits.
- To communicate with you. We may use your contact information to verify your identity or to communicate with you about the Service, for example, to notify you when your healthcare provider has ordered a Test for you, remind you about returning your kit, respond to your inquiries, connect you with Color Support personnel or a genetic counselor, follow up if there is an issue with your information or sample, and provide information about or request feedback on your Results. We may also contact you to request optional customer feedback, which could be used to improve our services and in publications. We’ll only associate your feedback with your name with your consent. To learn how you may opt out of marketing surveys, please read “Your Choices” below. If you’re a resident of the European Union (“EU”), we will only send you marketing surveys if you’ve opted in to receive such messages from Color. If you’re an EU resident and you didn’t opt in but you’re receiving such messages anyway, please contact us at email@example.com so we can promptly correct your preferences in our systems.
- To help us improve the Service and develop new tests and services. For example, if set forth in the Informed Consent applicable to the Test you are taking, your information, sample (until such time your sample is destroyed), and all sequence data may be de-identified and used to support our laboratory operations with internal quality control, laboratory validation studies, and internal research and development, perform data analysis, and for publication in Color’s research database. We may also use your information to understand how our Services are being used, understand our customer base and purchasing trends, understand the effectiveness of our marketing, and develop new products and services.
- For marketing purposes. For example, we may send you monthly health newsletters, occasional product updates, and special offers and opportunities that we think might interest you. To learn about how you may opt out of marketing emails, please read “Your Choices” below. If you’re a resident of the EU, we will only send you marketing emails if you’ve opted in. If you’re an EU resident and you didn’t opt in, but you’re receiving marketing communications anyway, please contact us at firstname.lastname@example.org so we can promptly correct your preferences in our systems.
- To let you know about new services or research opportunities. For example, we may contact you to offer new Color services or to let you know about special offers for Color clients on third party products or services that may be useful to people with PFHI or Results like yours. We may also let you know about optional opportunities to participate in research we are conducting.
- For third party research and development, or for other purposes to which you have consented or authorized. For details about our R&D efforts with third parties, see below in the section entitled “How Information is Shared.”
- To protect and secure our Services, assets, network, and business operations, and to detect, investigate, and prevent activities that may violate our policies or be fraudulent or illegal.
- To comply with applicable law and our own obligations. We may also process the information we collect about you or from you for the following purposes: (i) to enforce our Terms of Service or other legal rights, including intellectual property rights; (ii) as may be required by applicable laws and regulations or requested by any judicial process or governmental agency; and (iii) to comply with industry standards or our policies.
When you use online services in connection with Color’s Service and/or Site, the following information may be collected, stored, and used:
- Cookies. To improve and customize your experience when you use the Site, we may send one or more cookies — small text files containing a string of alphanumeric characters — to your device. We may use both session cookies that disappear after you close your browser and persistent cookies that remain after you close your browser and may be used automatically by the browser on subsequent visits to the Site. Please review your browser “Help” file to learn how to adjust your cookie settings. Note that some Site services may not function properly if you disable cookies.
- DNT requests. Some browsers incorporate a “Do Not Track” (DNT) or similar feature that signals to digital services that a visitor doesn’t want to have their online activity tracked. Because there is not yet an accepted standard for how to respond to DNT signals, we and our service providers (like many digital service operators) do not respond to DNT signals.
- Device, usage, and other automatically collected information. When you use our Site, we and external parties operating on our behalf may automatically record certain information from your device by using various types of technology, including “clear gifs” or “web beacons.” This automatically collected information will help us customize and improve your experience with the Site and includes your IP address or other device address or ID, browser and/or device type, the web pages or sites that you visit just before or just after you use the Site, the pages or other content you view or otherwise interact with on the Site, and the dates and times that you visit, access, or use the Site. We also may use these technologies to improve our services by collecting information regarding your interaction with Color email messages, such as whether you opened or clicked on a message. We use automatically collected information to: (i) personalize our services, such as remembering your information so that you won’t have to re-enter it during your visit or the next time you visit the Site, (ii) provide customized content and information, and (iii) monitor and analyze the effectiveness of the Site and marketing activities.
- Analytics services. Color uses services including Google Analytics in order to improve our services, better understand our clients, and improve our communications. Learn more about Google Analytics’ use of your data and how to exercise your options regarding privacy.
- Advertising partners. We may work with third party advertising partners to show ads for the Service after you visit our Site. These third party partners collect information from you when you visit our website and other websites. If you don’t want to receive our personalized ads, please visit the opt-out pages of the Network Advertising Initiative (https://www.networkadvertising.org) or the Digital Advertising Alliance (http://www.aboutads.info) to learn about how you can opt out of receiving personalized ads from member companies. For more information, you can also visit: https://www.consumer.ftc.gov/topics/privacy-identity.
This section describes the circumstances under which we may share your information with third parties. For additional details, please review the Informed Consent for the applicable Test or Service.
To provide the Service.
- We may disclose your PII and PHI (including, for COVID-19 Testing, viral specimens detected in your biological sample) to others involved in your care, including healthcare providers (your own provider and/or an independent provider who may review your information to determine whether a Test is appropriate for you), genetic counselors (the genetic Testing Service includes complimentary access to Color’s genetic counselors), third party laboratories that may perform technical components of COVID-19 Testing or confirmatory laboratories for genetic Testing, public health authorities (as required in the case of certain Test results for communicable diseases like COVID-19), the health system or clinic where your own provider practices, and other providers that you or your healthcare provider designated to receive your PHI.
- We may disclose your PII and PHI to bill and collect payment from you, your employer, your health insurance, your health system or clinic, or other responsible third parties. We may also engage third parties to assist us with these billing and collection efforts.
- We work with third party service providers to provide website, application development, analytics, variant analysis, payment processing, hosting, maintenance, support ticketing, transmission of test results, distribution and collection of Test kits, and other services for us. We limit the personal and health information we share with these service providers to that which is minimally necessary for them to perform their services for us, and we require them to agree to maintain the confidentiality and security of such information.
For research, development, and analytics (please also review the Informed Consent for the applicable Test or Service you are using for more details).
- As set forth in the genetic Test Informed Consent, we disclose our genetic Test clients’ de-identified genetic information to public databases like ClinVar in order to advance medical research. By contributing this information to such databases, we can help scientists better understand the impact of genetic variants on the risk of diseases and health conditions. Further, as set forth in the genetic Test Informed Consent, with your consent, we may also include your de-identified genetic information, PFHI, and Results in Color’s research database in order to support research in genetics. Information in Color’s research database will be accessible, searchable, and downloadable by researchers and the general public for an indefinite period of time. Genetic information in Color’s research database may include variants beyond those relevant to the product or service that your healthcare provider ordered for you, but such information will be de-identified. If you have consented in the past and later change your settings to opt out of Color’s research database, we cannot retract your de-identified information from research already performed or from previous releases of Color’s research database that have already been published. But we will promptly update our database following an opt out request and exclude your information from subsequent database releases.
- If set forth in the Informed Consent for the Test you are taking, we may also use your de-identified sample, genetic information, PFHI, and/or Results in our research with third party collaborators. We may engage in research with third parties like universities, hospitals, health systems, government institutions, or private companies to develop new tests, validate technologies, or improve existing technologies or processes. You can opt out of such third party research by updating your account settings or by notifying the healthcare provider who ordered your Test if you did not create a Color account. However, if you have consented in the past and later change your settings to opt out, Color cannot retract your de-identified sample (if you have chosen to store it), genetic information, PFHI, and/or Results from research already performed.
- If your employer has provided or paid for (in whole or in part) the Test, you acknowledge and agree that your de-identified Results and PFHI may be anonymized and/or aggregated and returned to your employer or its designee (e.g., plan administrator or pharmacy benefits manager) as a data analytics resource. Further, with your authorization, Color may provide your employer or other program sponsor with your identified Results and PHI.
- If your health system has provided or paid for (in whole or in part) the Test, you acknowledge and agree that your Results and PFHI may be provided to your health system. Further, Color may provide your health system with other data it has collected or sequenced, and related analyses, for your health system’s use for treatment, billing, healthcare operations, data analytics, or other purposes for which your health system has agreed to comply with applicable laws. If you have any questions about this, please contact your health system to learn if this applies to you and for details. Color expressly disclaims any and all liability for your health system’s use of information that it represents it is authorized to receive, store, and use.
For Color’s purposes.
- We may use or share aggregated or de-identified information (for example, aggregated trends about the general use of our Service) at our discretion, including publicly and with our partners (this information will not include PHI).
- We may author publications using de-identified information, either on our own or in collaboration with academic or commercial third parties (these publications may include, for example, blinded pedigree diagrams or de-identified family history).
- We may disclose your information when we believe in good faith that doing so is appropriate or necessary in order to enforce our Terms of Service.
- As described above, we work with third party advertising and analytics partners that collect information from you when you visit our Site. For more information, please see the “Cookies and Third Party Digital Services” section above.
- We may change our ownership or corporate organization while providing the Services. We may transfer to another entity or its affiliates or service providers some or all information about you in connection with, or during negotiations of, any merger, acquisition, sale of assets or any line of business, change in ownership control, financing transaction, or insolvency, bankruptcy, or receivership action. We cannot promise that an acquiring party or the merged entity will have the same privacy practices or treat your information the same as described in this Policy.
For security or legal purposes. We may also disclose your information under the following circumstances:
- If we believe in good faith that doing so is appropriate or necessary in order to address fraud, security, or technical issues, or protect against harm to us or others to the extent required or permitted by law.
- To comply with applicable federal, state, and local laws, rules, orders, and regulations, as well as law enforcement requests and legal process, such as a court order or subpoena. When possible, we will attempt to notify the individual who is the subject of the court order or subpoena so they may have an opportunity to oppose the disclosure.
We use physical, managerial, and technical safeguards that are designed to improve the integrity and security of your information. All information on our servers is encrypted when it is at rest or in transit. All personal information (genetic or otherwise) is encrypted with AES-256 when it’s stored on our servers and is always transmitted over SSL. Internally, strict guidelines and access controls protect your PII and PHI.
We cannot, however, ensure or warrant the security of any information you transmit to us or store in connection with the Service, and you do so at your own risk. We also cannot guarantee that such information may not be accessed, disclosed, altered, or destroyed by a breach of any of our physical, technical, or managerial safeguards. If you choose to share PII or PHI with us via the internet or wireless connection (for example, via email messages), you do so at your own risk. If you choose to share your Results, designated record set or other data obtained from Color, or any of your PII or PHI with anyone outside of Color, you do so at your own risk and Color has no control over the security of such sharing.
Color complies with the Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”) to maintain the privacy and security of your PHI. If a breach occurs that may have compromised the privacy or security of your PHI, we will let you know promptly. We will follow the duties and privacy practices described in this Policy, our Notice of Privacy Practices, the Informed Consent, and Terms of Service.
If you receive marketing emails from us, you can unsubscribe from that particular type of marketing email by following the instructions contained within the email. Because we offer different types of marketing emails — (1) product news and feedback surveys, (2) health newsletters, (3) marketing promotions, and (4) research invitations — if you click “unsubscribe” from one type of email, due to system limitations, you will only be opted out of that type of commercial email; you will not automatically be unsubscribed from other email communication types. You can opt out of receiving all types of marketing emails from us by modifying your account settings or sending your request to us by email at email@example.com. Please be aware that if you opt out of receiving marketing emails from us or otherwise modify the nature or frequency of marketing communications you receive from us, it may take up to ten (10) business days for us to process your request, during which time you might receive marketing communications from us that you have already opted out from. Finally, while you can opt out of receiving marketing emails from us, you will continue to receive administrative communications from us regarding the Service.
You may, of course, decline to share certain information with us, in which case we might not be able to provide you with some or all of the features and functionality of the Service and our Site. If you want to access or amend information we hold about you, you may do so through your account settings or contact us at firstname.lastname@example.org. At any time, you may also request that we deactivate your account by contacting us at email@example.com. If you choose to deactivate your account, you will be unsubscribed from all marketing emails; your sample and PII will no longer be shared for research (if you have opted into such research or sample storage); and we will not provide you with any of the Services going forward (including, without limitation, any Results that have not yet been reported, or any updates or changes to your Results). Although we can remove your information from our active databases, some or all information from deactivated accounts will remain in our inactive database for compliance with legal, regulatory, and other requirements. Please also note that information that has already been de-identified, anonymized, aggregated, published, and/or shared with third parties as set forth in this Policy prior to an account deactivation request may not be retrievable or traced back for destruction, deletion, or amendment.
Please do not use or access any part of the Site or the Service if you are under 16 years of age. If you’re a parent or guardian and discover that your child under 16 has obtained an account on the Site, please alert us promptly at firstname.lastname@example.org so we can take action to prevent access.
We process “Personal Data,” as that term is defined in the EU General Data Protection Regulation, on the following legal bases: (1) with your consent; (2) as necessary to perform our agreement to provide Services; and (3) as necessary for our legitimate interests in providing the Services where those interests do not override your fundamental rights and freedom related to data privacy. Information we collect may be transferred to, and stored and processed in, the United States or any other country in which we or our affiliates or subcontractors maintain facilities for genetic analysis, storage, and processing as required for us to perform our contractual obligations to you.
Users that reside in the European Economic Area (“EEA”), U.K., or Switzerland have the right to lodge a complaint about our data collection and processing actions with the supervisory authority concerned. Contact details for data protection authorities are available here.
If you are a resident of the EEA, U.K., or Switzerland, you have certain rights. We may require you to provide us with information so that we can verify you prior to giving you access to any records containing information about you. These rights include the ability to do the following:
- Request from us access to information held about you or request transmission of your data to a third party.
- Request that we rectify inaccurate or incomplete information we hold about you.
- Request that we erase data when such data is no longer necessary for the purpose for which it was collected, when you withdraw consent and no other legal basis for processing exists.
- Request that we restrict our processing if there is a dispute about the accuracy of the data, if the processing is unlawful, if the processing is no longer necessary for the purposes for which it was collected but is needed by you for the establishment, exercise or defense of legal claims, or if your request to object to processing is pending evaluation.
- Object to processing of your personal data based on our legitimate interests or for direct marketing (including profiling). We will no longer process the data unless there are compelling legitimate grounds for our processing that override your interests, rights, and freedoms, or for the purpose of asserting, exercising, or defending legal claims.
- Withdraw your consent at any time, if we are processing your personal data based on your consent.
To submit a request to exercise your rights, please contact us at email@example.com. We may have a reason under the law why we do not have to comply with your request, or may comply with it in a more limited way than you anticipated. If we do, we will explain that to you in our response.
Persons with disabilities may obtain this notice in alternative format upon request by contacting us using the contact information below.
Residents of the State of California have the right to request information from us regarding other companies to whom Color has disclosed certain categories of information during the preceding year for those companies’ direct marketing purposes. If you are a California resident and would like to make such a request, please contact us at firstname.lastname@example.org.
The California Consumer Privacy Act (“CCPA”) provides California residents with rights to receive certain disclosures regarding the collection, use, and sharing of “Personal Information,” as well as rights to know/access, delete, and limit sharing of Personal Information. The CCPA defines “Personal Information” as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Information we collect that is “medical information” governed by the California Confidentiality of Medical Information Act or “protected health information” governed by the privacy, security, and breach notification rules of the Health Insurance Portability and Accountability Act is not within scope of the CCPA.
Certain other information we collect may also be exempt from the CCPA because it is considered public information (i.e., it is made available by a government entity) or covered by another specific federal privacy law.
To the extent that we collect Personal Information that is subject to the CCPA, that information, our practices, and your rights are described below.
You have the right to receive notice of the categories of Personal Information we collect, and the purposes for which those categories of Personal Information will be used. This notice should be provided at or before the time of collection. The categories we use to describe the information are those enumerated in the CCPA.
- Personal Identifiers:
  - We collect your name, phone number, and email address and contact address when you create an account or complete a transaction. If you choose to create an account, you will also be asked to create a username, and we will assign one or more unique identifiers to your profile. We use this information to provide the Services, respond to your requests, and send information and advertisements to you.
  - We collect your social media handle and basic account information when you interact with our Services through social media.
  - We collect a unique numerical identifier, assigned to you by a cookie, automatically when you use our Services in order to identify you, provide the Services, keep you logged in to the Services, prevent fraud, and provide you with targeted information and offers.
  - We collect payment information when you provide it to us, which may include your credit card number, when you complete a transaction. We use this information to streamline and facilitate payments and transactions.
  - We collect your Driver’s License number or other identification, as well as age, in certain cases when administering certain Tests.
  - We collect your IP address automatically when you use our Services. We use this information to identify you, gauge online activity on our website, measure the effectiveness of online services, applications, and tools, and serve targeted advertisements based on your online activities.
  - We collect your Device ID automatically when you use our Services. We use this information to monitor your use and the effectiveness of our Services, to identify you, and to provide you with targeted information and offers.
- Internet or Electronic Activity Information. We collect internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding your interactions with our Site or Services.
- Protected Classifications: We are required to collect your biological sex, and, for COVID testing, your pregnancy status, in order to administer the Services.
- Commercial Information: When you engage in transactions with us, we create records of services purchased or considered, as well as purchasing or consuming histories or tendencies. We use this information to measure the effectiveness of our Services and we may use this to provide you with targeted information, advertisements and offers.
- Geolocation Data: We collect your IP address automatically when you use our Services, from which we can derive your coarse geolocation. We do not collect precise geolocation data.
- Audio, electronic, visual, thermal, olfactory, or similar information: We record calls in our provision of customer support and genetic counseling Services.
- Professional or employment-related information: We collect information about your current employer and employment history when you apply for a job with us.
- Education information: We collect information about your education history and level of information when you apply for a job with us.
We may use any of the categories of information listed above for other business or operational purposes compatible with the context in which the Personal Information was collected.
You have the right to request access to Personal Information collected about you and information regarding the source of that information, the purposes for which we collect it, and the third parties and Service Providers with whom we share it. You may submit such a request as described below. To protect our customers’ Personal Information, we are required to verify your identity before we can act on your request.
You have the right to request in certain circumstances that we delete Personal Information that we have collected directly from you. You may submit such a request as described below. To protect our customers’ Personal Information, we are required to verify your identity before we can act on your request. We may have a reason under applicable law, rule, order, or regulation why we do not have to comply with your request, or why we may comply with it in a more limited way than you anticipated. If we do, we will explain that to you in our response.
You may submit a request to exercise your rights to know/access or delete your Personal Information by emailing your request to email@example.com.
In order to process your request to know/access or delete Personal Information we collect, disclose, or sell, we must verify your request. We do this by asking you to provide personal identifiers we can match against information we may have collected from you previously.
You may authorize another individual or a business registered with the California Secretary of State, called an authorized agent, to make requests on your behalf. We require that you and the individual complete notarized affidavits in order to verify the identity of the authorized agent and confirm that you have authorized them to act on your behalf.
You have the right to opt out of any sale of your Personal Information by us to third parties.
We do not “sell” your personal information in the conventional sense. However, like many companies, we use advertising services that try to tailor online ads to your interests based on information collected via cookies and similar technologies about your activity on our Site. This is called interest-based advertising. The CCPA’s statutory definition of the term “sale” is broad and may include use of interest-based advertising services.
To “sell” information means to disclose it to a company for monetary or other benefit. A company may be considered a third party either because the purpose of sharing is not an enumerated business purpose under California law, or because our contract does not restrict them from using Personal Information for other purposes.
We sell the following information:
- Personal Identifiers: We permit our advertising partners to obtain your IP address and Device ID.
- Internet or Electronic Activity Information: We permit our advertising partners to obtain electronic network activity information about you, including, but not limited to, browsing history, search history, and information regarding your interactions with our Site or Services.
To exercise your right to opt out of the sale of your Personal Information, please visit our “Do Not Sell My Personal Information” page, also referred to as our “Cookie Management Center”.
Please note that your right to opt out does not apply to our sharing of Personal Information with Service Providers since we engage them to perform a function on our behalf and they are contractually obligated to use the Personal Information only for that function.
We may also disclose information to other entities who are not listed here when required by applicable law, rule, order, or regulation, or to protect our Company or other persons, as described above.
We do not offer any rewards programs or incentives for the collection or sharing of data at this time.
Please revisit this page periodically to stay aware of any changes to this Policy, which we may update from time to time. If we modify the Policy, we’ll make it available through the Site, and indicate the date of the latest revision. In the event that the modifications materially alter your rights or obligations hereunder, we will make reasonable efforts to notify you of this change, for example, by sending a message to your email address on file with us. Your continued use of the Site and/or Service after the revised Policy becomes effective indicates that you have read, understood, and agreed to the current version of the Policy.
Please contact us with any questions or comments about this Policy, your personal information, our use and disclosure practices, or your consent choices by email at firstname.lastname@example.org or US mail to Color, Attn. Support, 839 Mitten Road, Suite 100, Side Door, Burlingame, CA 94010.
Version date: January 27, 2021