EEA Privacy Notice

NOTICE TO INDIVIDUALS LOCATED IN THE EUROPEAN ECONOMIC AREA, UNITED KINGDOM, OR SWITZERLAND

THIS SECTION ONLY APPLIES TO USERS OF OUR SERVICES LOCATED IN THE EUROPEAN ECONOMIC AREA, UNITED KINGDOM, OR SWITZERLAND (COLLECTIVELY, THE “EEA DESIGNATED COUNTRIES”) AT THE TIME OF DATA COLLECTION. WE MAY ASK YOU TO IDENTIFY WHICH COUNTRY YOU ARE LOCATED IN WHEN YOU USE SOME OF OUR SERVICES, OR WE MAY RELY ON YOUR IP ADDRESS TO IDENTIFY WHICH COUNTRY YOU ARE LOCATED IN.

Where we rely only on your IP address, we cannot apply the terms of this Notice to any User or Customer that masks or otherwise obfuscate their location information so as not to appear located in the Designated Countries. If any terms in this Notice conflict with other terms in our Privacy Policy, the terms in this Notice shall apply to users in the Designated Countries. This Notice is supplemental to our Privacy Notice and Terms of Service.

• Alphadera Labs’s relationship to you. A “controller” is an entity that determines the purposes for which and the manner in which any personal information is processed. Alphadera Labs is a “controller” with respect to your personal information under certain circumstances. Regarding our Provider Portal and Patient Portal, Alphadera Labs is a controller in relation to the information that a provider enters directly into the Websites about him or herself or his or her patients. To the extent a user or patient directly enters personal information on our Websites to pay for, use, or obtain further information about our Services, Alphadera Labs is a controller. A “processor” is an entity that processes personal information on behalf of a controller. For example, any third parties that act as our service providers are “processors” that handle your personal information in accordance with our instructions. To the extent that Alphadera Labs receives personal information as part of any Informed Consent or Test Requisition Form, and to the extent that Alphadera Labs receives identifiable samples and/or identifiable genetic information necessary to perform the Services, Alphadera Labs is a processor, and your provider is the controller.
• Lawful basis for processing your personal information. We process personal information on the following legal bases: (1) with your consent per an informed consent form from your provider; (2) as necessary to fulfill our contractual obligations to provide Services; and (3) as necessary for our legitimate interests in providing the Services where those interests do not override your fundamental rights and freedoms related to data privacy. To the extent that any de-identified data is anonymized, it is not considered personal data and falls outside applicable privacy laws.
• Marketing activities. Direct marketing includes any communications we send you based only on advertising or promoting products and services. Transactional communications about your account or our Services are not considered “direct marketing” communications. We will only contact patients or providers by electronic means (including email or SMS) based on our legitimate interest or their consent. If you do not want us to use your personal information this way, please click an unsubscribe link in your emails, or contact us at privacy@alphaderalabs.com.
• Individual data subject rights. We provide you with the rights described below when you use our Services. When we receive an individual rights request from you, please make sure you are ready to verify your identity. Please be advised that there are limitations to your individual rights. We may limit your individual rights in the following ways: (i) where denial of access is required or authorized by law; (ii) when granting access would have a negative impact on other's privacy; (iii) to protect our rights and properties; and (iv) where the request is frivolous or burdensome. If you have questions if you would like to exercise your rights under the applicable law, please get in touch with us at privacy@alphaderalabs.com.
• Right to withdraw consent. If we rely on consent to process your personal information, you have the right to withdraw your consent at any time. A withdrawal of consent will not affect the lawfulness of our processing or the processing of any third parties based on consent before your withdrawal.
• Right of access and rectification. If you request a copy of your personal information that we hold, we will provide you with a copy without undue delay and free of charge, except where we are permitted by law to charge a fee. We may limit your access if such access adversely affects the rights and freedoms of other individuals. You may request to correct or update any of your personal information held by us unless you can do so directly via the Services.
• Right to erasure (the “right to be forgotten”). You may request us to erase any of your personal information held by us that: is no longer necessary in relation to the purposes for which it was collected or otherwise processed; was collected in relation to processing that you previously consented to but later withdrew such consent; or was collected in relation to processing activities to which you object, and there are no overriding legitimate grounds for our processing.
• Right to object to processing. You may object to our processing at any time and as permitted by applicable law if we process your personal information on the legal basis of consent, contract, or legitimate interests. We can continue to process your personal information if it is necessary to defend legal claims or for any other exceptions permitted by applicable law.
• Right to restriction. You have the right to restrict our processing of your personal information where one of the following applies:
• You contest the accuracy of the personal information that we processed. We will restrict the processing of your personal information, which may interrupt some or all of the Services, during the period necessary for us to verify the accuracy of your personal information.
• The processing is unlawful, and you oppose the erasure of your personal information and request the restriction of its use instead.
• We no longer need your personal information for the purposes of the processing, but it is required by you to establish, exercise, or defend legal claims.
• You have objected to processing pending the verification of whether the legitimate grounds of our processing override your rights. We will only process your restricted personal information with your consent, for the establishment, exercise, or defense of legal claims, for the protection of the rights of another natural or legal person, or for the important public interest. We will inform you if or when the restriction is lifted.
• Right to data portability. Suppose we process your personal information based on a contract with you or based on your consent, or the processing is carried out by automated means. In that case, you may request to receive your personal information in a structured, commonly used, and machine-readable format and to have us transfer your personal information directly to another “controller,” where technically feasible, unless the exercise of this right adversely affects the rights and freedoms of others.
• Notification to third parties. Suppose we share your personal information with third parties. In that case, we will notify them of any requests for rectification, erasure, or restriction of your personal information unless this proves impossible or involves a disproportionate effort.

Local laws may limit the rights described above. Further, your right of access and deletion is not absolute and may not be available if fulfillment of such right would, among other things:

• cause interference with the execution and enforcement of the law and private legal rights (such as in the case of the investigation or detection of legal claims or the right to a fair trial);
• breach or prejudice the rights of confidentiality and security of others;
• prejudice security or grievance investigations, corporate re-organizations, future and ongoing negotiations with third parties, compliance with regulatory requirements relating to economic and financial management; or
• otherwise violate the interests of others or where the burden or cost of providing access would be disproportionate.

Complaints.

If you believe we have infringed or violated your privacy rights, please contact us at privacy@alphaderalabs.com so that we can resolve your concerns. You also have a right to lodge a complaint with a competent supervisory authority in a Member State of your habitual residence, place of work, or place of the alleged infringement. A listing of data protection authorities can be found at http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm.

You may also contact our EU Representative, DataRep, at https://www.datarep.com.