Privacy Policy

Introduction

Your privacy is very important to us. Our privacy policy (“Policy”) explains the information that Orchid Biosciences, Inc. (“Orchid”) gathers from your use of the Service and our Site, how we use, disclose, and protect it, your choices, and some other important information. Before using the Service, you must review and agree to the Terms of Service (“Terms of Service”), along with Orchid’s informed consent (“Informed Consent”). Capitalized terms used but not defined in this Policy have the meaning given to them in the Terms of Service.

The specific categories of information we collect include:

• Personally identifiable information (“PII”). When you set up an Orchid account or purchase a Test, we collect what is generally called “personally identifiable information” or “PII”, which is information that specifically identifies you as an individual. Examples of PII we collect may include your name, email address, mailing address, phone number, credit card, or other billing information. We may also collect information such as date of birth or sex that, when linked to other information that identifies a specific individual, is considered PII.

• Personal and family health information (“PFHI”). To provide meaningful Results, we request certain information about you and your biological family, such as ancestry, age, and biological sex. Personal and Family Health Information also includes information about your history of certain health conditions, your family history of those conditions, your medication history, and any previous genetic tests done for you or your family members. For the Service to perform as intended, it’s important that you provide the most accurate information possible.

• Healthcare provider information. Individuals who use the Service may also provide us with information about their healthcare providers. Healthcare providers using the Service may provide us with information about patients for whom they are ordering a Test and information related to their medical practices, including the health system or clinic where they practice, NPI numbers, fax numbers, and the name, job title, and contact information of other providers involved in an individual’s care.

• Other people’s personally identifiable information. You may only share with Orchid PII about someone else and their protected health information (“PHI”) with the full and express consent of that other individual. We reserve the right to require proof of such consent. We will only use the information for the specific reason that it was provided to us and pursuant to the terms of this Policy, our Terms of Service, and if applicable, Informed Consent.

• Biological sample. To use the Service, we require a biological sample such as a saliva or tissue sample. Please carefully review our Terms of Service and Informed Consent for a description of how we handle your sample.

Cookies and online tracking information. Please refer to the section below entitled “Cookies and third party digital services” for more information.

Information Orchid Collects

Cookies and Third Party Digital Services

When you use online services in connection with Orchid’s Service and/or Site, the following information may be collected, stored, and used:

• Cookies. To improve and customize your experience when you use the Site, we may send one or more cookies — small text files containing a string of alphanumeric characters — to your device. We may use both session cookies that disappear after you close your browser and persistent cookies that remain after you close your browser and may be used automatically by the browser on subsequent visits to the Site. Please review your browser “Help” file to learn how to adjust your cookie settings. Note that some Site services may not function properly if you disable cookies.

• DNT requests. Some browsers incorporate a “Do Not Track” (DNT) or similar feature that signals to digital services that a visitor doesn’t want to have their online activity tracked. Because there is not yet an accepted standard for how to respond to DNT signals, we and our service providers (like many digital service operators) do not respond to DNT signals.

• Device, usage, and other automatically collected information. When you use our Site, we may automatically record certain information from your device by using various types of technology, including “clear gifs” or “web beacons.” This automatically collected information will help us customize and improve your experience with the Site and includes your IP address or other device address or ID, browser and/or device type, the web pages or sites that you visit just before or just after you use the Site, the pages or other content you view or otherwise interact with on the Site, and the dates and times that you visit, access, or use the Site. We also may use these technologies to improve our services by collecting information regarding your interaction with Orchid email messages, such as whether you opened or clicked on a message. We use automatically collected information to: (i) personalize our services, such as remembering your information so that you won’t have to re-enter it during your visit or the next time you visit the Site; (ii) provide customized content and information; and (iii) monitor and analyze the effectiveness of the Site and marketing activities.

• Analytics services. Orchid uses services like Google Analytics in order to improve our services, better understand our clients, and improve our communications. Learn more about Google Analytics’ privacy choices.

Advertising partners. We may work with third party advertising partners to show ads for the Service after you visit our Site. These third party partners collect information from you when you visit our website and other websites. If you don’t want to receive our personalized ads, please visit the opt-out pages of the Network Advertising Initiative (https://www.networkadvertising.org) or the Digital Advertising Alliance http://www.aboutads.info to learn about how you can opt out of receiving personalized ads from member companies. For more information, you can also visit: https://www.consumer.ftc.gov/topics/privacy-identity.

How We Use This Information

We will only use your personal information as described in this Privacy Policy or as disclosed to you prior to such processing taking place. The purposes for which we may use your personal information include:

Providing any services or products that you request or purchase in connection with the Services.
Contacting you regarding the administration of any features or functions of the Services you have registered to use.
Providing you with notices about your account, including expiration and renewal notices.
Carrying out our obligations and enforce our rights arising from any contracts entered into between you and us, including for billing and collection.
Notifying you about changes to our Site, our policies, terms or any products or services we offer or provide though it.Sending you marketing and promotional emails.
Responding to your questions or other requests.
Allowing you to participate in the interactive features of the Services.
Tailoring your experience on the Services and/or otherwise customizing what you see when you visit and use the Services.
Saving your user account, registration and profile data or other personal information (so you do not have to re-enter it each time you visit or use the Services).
Tracking your return visits to and use of the Services.
For research purposes, for marketing/promotional purposes and to provide anonymous reporting for internal and external clients and business partners;
Accumulating and reporting aggregate, statistical information in connection with the Services and user activity.
Determining which features and services users like best to help us operate the Services, enhance and improve our services and the Services and display advertising and marketing information.
Tailoring your experience on the Services and/or otherwise customizing what you see when you visit and use the Services.
Keeping you secure and safe while using our Services, which requires us to process your Personal Information to combat spam, malware, malicious activities or security risks.
Improving and enforcing our security measures.
Maintaining legal and regulatory compliance.
Enforcing compliance with our terms and conditions and policies.
Protecting you, others and our business, including, without limitation, using information for fraud prevention.
For any other purpose disclosed to you prior to you providing us your Personal Information or which are reasonably necessary to provide the Services or other related products and/or services requested.

We may use the information we have collected from you to enable us to display advertisements to our advertisers’ target audiences. Even though we do not disclose your personal information for these purposes without your consent, if you click on or otherwise interact with an advertisement, the advertiser may assume that you meet its target criteria.

How Information is Shared

This section describes the circumstances under which we may share your information with third parties. For additional details, please review the Informed Consent.

To provide the Service
We may disclose your PII and PHI to others involved in your care, including healthcare providers or genetic counselors (the Service includes complimentary access to Orchid’s genetic counselors), confirmatory laboratories, the health system or clinic where your own provider practices, and other providers that you or your healthcare provider designated to receive your PHI.

We may disclose your PII and PHI to bill and collect payment from you, your health system or clinic, or other responsible third parties. We may also engage third parties to assist us with these billing and collection efforts.

We work with third party service providers to provide website, application development, analytics, variant analysis, payment processing, hosting, maintenance, support ticketing, transmission of test results, distribution and collection of Test kits, and other services for us. We limit the personal and health information we share with these service providers to that which is minimally necessary for them to perform their services for us, and we require them to agree to maintain the confidentiality and security of such information.

For research, development, and analytics
We disclose our clients’ de-identified genetic information to public databases in order to advance medical research. By contributing this information to such databases, we can help scientists better understand the impact of genetic variants on the risk of diseases and health conditions.

With your consent, we may also use your de-identified sample, genetic information, PFHI, and Results in our research with third party collaborators. We may engage in research with third parties like universities, hospitals, health systems, government institutions, or private companies to develop new tests, validate technologies, or improve existing technologies or processes. You can opt out of such third party research by updating your account settings or by notifying the healthcare provider who ordered your Test if you did not create an Orchid account. However, if you have consented in the past and later change your settings to opt out, Orchid cannot retract your de-identified sample (if you have chosen to store it), genetic information, PFHI, and/or Results from research already performed.

With your consent, we may also include your de-identified genetic information, PFHI, and Results in Orchid’s research database in order to support research in genetics. Information in Orchid’s research database will be accessible, searchable, and downloadable by researchers and the general public for an indefinite period of time. Genetic information in Orchid’s research database may include variants beyond those relevant to the product or service that your healthcare provider ordered for you, but such information will be de-identified. If you have consented in the past and later change your settings to opt out of Orchid’s research database, we cannot retract your de-identified information from research already performed or from previous releases of Orchid’s research database that have already been published. But we will promptly update our database following an opt out request and exclude your information from subsequent database releases.

If your health system has provided or paid for (in whole or in part) the Test, you acknowledge and agree that your Results and PFHI may be provided to your health system. Further, Orchid may provide your health system with other data it has collected or sequenced, and related analyses, for your health system’s use for treatment, billing, healthcare operations, data analytics, or other purposes for which your health system has agreed to comply with applicable laws. If you have any questions about this, please contact your health system to learn if this applies to you and for details. Orchid expressly disclaims any and all liability for your health system’s use of information that it represents it is authorized to receive, store, and use.

For Orchid’s purposes
We may share aggregated, de-identified information (for example, aggregated trends about the general use of our Service) publicly and with our partners (this information will not include PHI).

We may author publications using de-identified information, either on our own or in collaboration with academic or commercial third parties (these publications may include, for example, blinded pedigree diagrams or de-identified family history).

We may disclose your information when we believe in good faith that doing so is appropriate or necessary in order to enforce our Terms of Service.

Information about our users may be disclosed and otherwise transferred to an acquirer, or successor or assignee as part of any merger, acquisition, debt financing, sale of assets, or similar transaction, as well as in the event of an insolvency, bankruptcy, or receivership in which information is transferred to one or more third parties as one of our business assets.

As described above, we work with third party advertising and analytics partners that collect information from you when you visit our Site. For more information, please see the “Cookies and third party digital services” section above.

For security or legal purposes.
We may also disclose your information under the following circumstances:
If we believe in good faith that doing so is appropriate or necessary in order to address fraud, security, or technical issues, or protect against harm to us or others to the extent required or permitted by law.

To comply with applicable federal and state laws, rules, and regulations, as well as law enforcement requests and legal process, such as a court order or subpoena. When possible, we will attempt to notify the individual who is the subject of the court order or subpoena so they may have an opportunity to oppose the disclosure.

How We Protect Your Information

We use physical, managerial, and technical safeguards that are designed to improve the integrity and security of your information. All information on our servers is encrypted when it is at rest or in transit. All personal information (genetic or otherwise) is encrypted with AES-256 when it’s stored on our servers and is always transmitted over SSL. Internally, strict guidelines and access controls protect your PII and PHI.

We cannot, however, ensure or warrant the security of any information you transmit to us or store in connection with the Service, and you do so at your own risk. We also cannot guarantee that such information may not be accessed, disclosed, altered, or destroyed by a breach of any of our physical, technical, or managerial safeguards. You agree that Orchid is not liable for the unauthorized release of your PII or PHI, unless such release was the result of gross negligence or willful misconduct on the part of Orchid. If you choose to share PII or PHI with us via the internet or wireless connection (for example, via email messages), you do so at your own risk. If you choose to share your Results, designated record set or other data obtained from Orchid, or any of your PII or PHI with anyone outside of Orchid, you do so at your own risk and Orchid has no control over the security of such sharing.

Orchid complies with the Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”) to maintain the privacy and security of your PHI. If a breach occurs that may have compromised the privacy or security of your PHI, we will let you know promptly. We will follow the duties and privacy practices described in this Policy, our Notice of Privacy Practices, the Informed Consent, and Terms of Service.

This Privacy Policy is in addition to and does not replace our HIPAA Privacy Authorization, which explains how we handle personally-identifiable health information that is covered by HIPAA.

Your Choices

If you receive marketing emails from us, you can unsubscribe from that particular type of marketing email by following the instructions contained within the email. Because we offer different types of marketing emails — (1) product news and feedback surveys, (2) health newsletters, (3) marketing promotions, and (4) research invitations — if you click “unsubscribe” from one type of email, due to system limitations, you will only be opted out of that type of commercial email; you will not automatically be unsubscribed from other email communication types. You can opt out of receiving all types of marketing emails from us by modifying your account settings or sending your request to us by email at support@orchidhealth.com. Please be aware that if you opt out of receiving marketing emails from us or otherwise modify the nature or frequency of marketing communications you receive from us, it may take up to ten (10) business days for us to process your request, during which time you might receive marketing communications from us that you have already opted out from. Finally, while you can opt out of receiving marketing emails from us, you will continue to receive administrative communications from us regarding the Service.

You may, of course, decline to share certain information with us, in which case we might not be able to provide you with some or all of the features and functionality of the Service and our Site. If you want to access or amend information we hold about you, you may do so through your account settings or contact us at support@orchidhealth.com. At any time, you may also request that we deactivate your account by contacting us at upport@orchidhealth.com. If you choose to deactivate your account, you will be unsubscribed from all marketing emails; your sample and PII will no longer be shared for research (if you have opted into such research or sample storage); and we will not provide you with any of the Services going forward (including, without limitation, any Results that have not yet been reported, or any updates or changes to your Results). Although we can remove your information from our active databases, some or all information from deactivated accounts will remain in our inactive database for compliance with legal, regulatory, and other requirements. Please also note that information that has already been de-identified, anonymized, aggregated, published, and/or shared with third parties as set forth in this Policy prior to an account deactivation request may not be retrievable or traced back for destruction, deletion, or amendment.

Changes and updates to this policy

Please revisit this page periodically to stay aware of any changes to this Policy, which we may update from time to time. If we modify the Policy, we’ll make it available through the Site, and indicate the date of the latest revision. In the event that the modifications materially alter your rights or obligations hereunder, we will make reasonable efforts to notify you of this change, for example, by sending a message to your email address on file with us. Your continued use of the Site and/or Service after the revised Policy becomes effective indicates that you have read, understood, and agreed to the current version of the Policy.

Our contact information

Please contact us with any questions or comments about this Policy, your personal information, our use and disclosure practices, or your consent choices by email at support@orchidhealth.com.