Privacy policy
Effective date: 03/15/2024
Nucleus Genomics, Inc. and its affiliated entities (collectively, “Nucleus,” “we,” or “us”) are committed to respecting your privacy and protecting your personal data. This Privacy Policy explains the types of personal data we may collect when you: visit our websites, including www.mynucleus.com and app.mynucleus.com, and all related websites, mobile applications, and web-based services (our “Sites”); interact with us by email, mail, or phone, or otherwise; or access or use our products or services. We refer to our Sites, interactions with you, and products and services as “Services” throughout this Policy.
This Policy also describes how and why we collect, use, and disclose personal data, how we protect it, and your available rights and choices associated with it.
Some of the information we collect, use, and disclose is for purposes of providing healthcare and is regulated by the federal Health Insurance Portability and Accountability Act (HIPAA) and similar federal and state laws, including the privacy and security protections of those laws (collectively, “protected health information” or “PHI”). This Policy does not apply to PHI, and any overlapping coverage of PHI in this policy is incidental and provided to enhance your understanding of our data collection and use practices, and should not be construed as an acknowledgment of the applicability or inapplicability of certain privacy laws, including HIPAA and/or the state and other privacy laws that may apply to Nucleus. You can find more information about our collection and use of PHI in our HIPAA Notice of Privacy Practices.
This Policy also does not apply to third-party websites, products, or services, even if they link to our Sites or our Sites link to them. We recommend you review the privacy practices of those third parties before connecting, accessing third-party websites, and sharing any personal data.
We also encourage you to review our Terms of service to understand how your personal data will be treated as you make full use of our Sites. Unless otherwise defined in this Privacy Policy, capitalized terms used in this Privacy Policy have the same meanings as in our Terms of service.
01
Collecting Personal Data
We collect personal data in many contexts. This includes personal data collected directly from you when you sign up for Nucleus services, fill out a survey or questionnaire, or provide us with existing genetic information, as well as automatically when you use our Sites and Services.
For purposes of this Privacy Policy, “personal data” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with an identifiable individual. Personal data includes “personal information” as that term is defined in applicable privacy laws. The personal data we collect through our Services will be apparent by the context, and may include, but is not limited to, the following types of information:
Personal data you provide to us
We may collect the following personal data about you that you choose to provide us when you use our Services:
Account and setup information. As part of the account creation process, Nucleus may ask for your first and last name, date of birth, FASTQ, VCF, or microarray DNA file, personal and familial health history, personal characteristics, health and wellness information, account-related preferences, email address, shipping address, phone number, user ID, and account password.
Genetic information. Nucleus may receive your genome sequence information, physical samples containing or reflecting your genetic information (such as cheek swabs), and text files, reports, and other findings about, or containing your genetic information that you submit to us, including such data generated by third parties. To the extent we discuss this information in this Privacy Policy, it is provided to enhance your understanding of our data collection and use practices and may still describe information that constitutes PHI.
Health and medical-related information. During sign-up or throughout your use of our Services, you may be presented with the opportunity to provide Nucleus with information regarding your health, including diseases or other medical conditions you or your family members have been diagnosed with. To the extent we discuss this information in this Privacy Policy, it is provided to enhance your understanding of our data collection and use practices and may still describe information that constitutes PHI.
Survey information. We may also collect information if you respond to surveys available on the Nucleus platform or via email in order to provide you additional Services. These surveys may ask you for information about specific characteristics and conditions that pertain to your biographical and health profile.
Wearable device information. You may be presented with the opportunity to provide Nucleus with information regarding your use of wearable devices (such as smartwatches). If you provide wearable device information to Nucleus, Nucleus may receive metrics like your calories burnt, weight, heart rate, sleep stages and patterns, minutes active, step count, distance traveled, precise geolocation, and other similar information.
Information in communications and posted content. Nucleus may offer ways for its users to communicate and interact with other Nucleus community members. Any personal data that you choose to include in those communications, posts, and related features will be collected by our Sites and used for the purposes described in this Privacy Policy.
Payment information. If you sign up for a membership or other paid product or service from us, you may be required to provide your payment card or bank account information and billing address.
Information we automatically collect
Our Sites use cookies and other tracking technologies such as web beacons, embedded scripts, and tags (“Cookies”), which collect information from you automatically as you use our Sites, including:
Browser and device data, such as IP address, device identifier, device type, operating system and Internet browser type, screen resolution, operating system name and version, device manufacturer and model, language, plug-ins, add-ons, and the language version of the Sites you are visiting; and
Usage data, such as geolocation data, browsing history, time spent on the Sites, pages visited, links clicked, language preferences, patterns of use, and the pages that led or referred you to our Site.
We may use third-party cookies, scripts, or pixels to collect and analyze website usage data and/or track user interaction to provide better customer experience and improve our product offerings. For example, we use Google Analytics on our Sites to help us analyze your use of our Sites and diagnose technical issues. We do not share PHI with any third-party advertiser, as outlined in our HIPAA Notice of Privacy Practices.
Please review our Cookie Policy below for more information about our use of these technologies.
Aggregated, anonymized, and de-identified information
We may create aggregated, anonymous, and de-identified data from your personal data by removing data components that make the data personally identifiable to you or through obfuscation or other means. Aggregated, anonymized, and de-identified information is not subject to this policy. For the avoidance of doubt, your PHI does not fall into this category, and it is governed by our HIPAA Notice of Privacy Practices. An example of aggregated, anonymous, and de-identified information would be sharing the number of customers Nucleus has.
Information we receive from our healthcare and other service providers
We work with healthcare and other service providers to ensure the certainty of our products. We may collect certain personal data and other data about you from these entities in accordance with applicable law and the context in which you provided the data. This may include your health and medical-related information and contact information. Because some or all of this information may be provided in connection with your healthcare provider’s provision of health care to you, the information may be PHI and, therefore, not subject to this Privacy Policy.
Summary of Nucleus Data Use
The chart below is designed to help connect the dots of how and why we may use different types of personal data.
Category of personal data: Identifiers, including name; address; email address; phone number; date of birth; account username; IP address; unique device identifiers; mobile app identifiers
Sources: You, including via your use of our Sites; our service providers, such as companies who help us provide Services to you
Processing purposes: Contact you and provide information; provide customer service; perform identity and age verification as required under applicable law; provide and maintain the Service; facilitate interactive features; internal analytics; market our products and services; market the products and services of others; promotions and sweepstakes; internal business purposes, including general business administration; audit, compliance, legal, policy, procedure, and regulatory obligations; customer claims and fraud investigation and prevention; systems and data security; protecting the safety of our employees and others; profiling; for any purpose consistent with your preferences
Categories of third party recipients (excluding our service providers): N/A
Category of personal data: Commercial information, including information about your interests and preferences (e.g., Services you have purchased, obtained, or considered)
Sources: Same sources as noted for “Identifiers”
Processing purposes: Same purposes as noted for “Identifiers”
Categories of third party recipients (excluding our service providers): N/A
Category of personal data: Financial information, including bank account number; credit card number; debit card number; any other financial information
Sources: Same sources as noted for “Identifiers”
Processing purposes: Provide and maintain the Service; internal business purposes, including general business administration
Categories of third party recipients (excluding our service providers): N/A
Category of personal data: Internet or other electronic network activity information, including browser version, the pages of our Service that you visit, the time and date of your visit, the time spent on those pages; content and information about your communications through the Services; information using cookies and tracking technologies; mobile operating system information; mobile internet browser type; diagnostic data
Sources: Same sources as noted for “Identifiers”
Processing purposes: Same purposes as noted for “Identifiers”
Categories of third party recipients (excluding our service providers): N/A
Category of personal data: Geolocation data, including Global Positioning System (“GPS”) data; locational information based upon your IP address; cell network data; locational data collected from various devices including your mobile device(s) or vehicle(s)
Sources: Same sources as noted for “Identifiers”
Processing purposes: Internal business purposes, including general business administration; customer claims and fraud investigation and prevention; systems and data security; protect the safety of our employees and others; internal analytics
Categories of third party recipients (excluding our service providers): N/A
Category of personal data: Audio, electronic, visual, or similar information, including any original text, audio recordings, photos, videos, music, and other media you may share on the Services; your name, voice, and/or likeness when you participate in sweepstakes, contests, promotions, and other Company programs
Sources: Same sources as noted for “Identifiers”
Processing purposes: Same purposes as noted for “Identifiers”
Categories of third party recipients (excluding our service providers): N/A
Category of personal data: Characteristics or protected classifications, including age; date of birth or age range; gender or gender identity; national origin; racial or ethnic origin; sexual orientation
Sources: Same sources as noted for “Identifiers”
Processing purposes: For internal business purposes, including general business administration; customer claims and fraud investigation and prevention; systems and data security; protecting the safety of our employees and others; internal analytics
Categories of third party recipients (excluding our service providers): N/A
Category of personal data: Professional or employment-related information, including professional licenses or registrations
Sources: Same sources as noted for “Identifiers”
Processing purposes: Same purposes as noted for “Identifiers”
Categories of third party recipients (excluding our service providers): N/A
Category of personal data: Sensitive information or sensitive data, including account log-in information; mental or physical health condition or diagnosis; personal data collected and analyzed concerning health; genetic information; consumer health data, as further described in our Consumer Health Data Privacy Notice
Sources: Same sources as noted for “Identifiers”
Processing purposes: Provide customer service; provide and maintain the Service; internal analytics; market our products and services; market the products and services of others; internal business purposes, including general business administration; audit, compliance, legal, policy, procedure, and regulatory obligations; profiling; for any purpose consistent with your preferences
Categories of third party recipients (excluding our service providers): N/A
Category of personal data: Inferences about you using any of the above, including results from our genetic analysis services such as our genetic risk reports
Sources: Same sources as noted for “Identifiers”
Processing purposes: Any of the above purposes
Categories of third party recipients (excluding our service providers): N/A
02
Using Personal Data
We may use the personal data we collect for the following purposes:
Our Services
We use the personal data we collect to provide, maintain and improve our Services. This includes:
To provide you with requested Services, as they are described when you first register on our Sites and as may be offered over the course of your use of our Sites.
To facilitate and support our community features.
To provide you with customer service and support, and to facilitate other communications that you request or that are required to render Services to you.
To process payments.
To provide you with information about new Services, clinical trials, and other opportunities that we believe may be of interest to you, whether offered by us or third-party partners, and to personalize, measure, and improve such offers.
To perform internal analytics, or for new and existing Sites and Services, such as our user accounts and related features.
To maintain and improve the quality of our Services.
To improve our product offerings and better understand our customers, including to conduct internal studies related to genetic information, understand our user trends, and understand the effectiveness of our marketing.
To protect ourselves, you, and others; prevent fraud and other unlawful or unauthorized activity; and create and maintain a trusted, secure, and reliable online environment.
To comply with our legal obligations; respond to subpoenas, court orders, or legal process; and to establish or exercise our legal rights or defense against legal claims.
Digital marketing communications
We may send you promotional email communications about Nucleus, invite you to participate in events or promotions, or otherwise communicate with you for marketing purposes, consistent with your preferences and applicable law. For example, when we collect your contact information through your interaction with our Sites, we may use that information to send you information that you have requested about Nucleus, our third-party partners, or relevant clinical studies. You may opt out of receiving any, or all, of these communications from us by following further instructions provided in Your Privacy Rights and Choices.
03
Disclosing Personal Data
We may disclose your personal data to the following categories of third parties:
Our service providers
We share personal data with our service providers (also known as data processors) to enable them to provide services on our behalf, including healthcare providers, laboratory services, analytics, payment processing, website hosting, customer and technical support, and other services. These third parties have access to your personal data only to perform these tasks on our behalf and are obligated not to disclose or use the information for any other purpose.
We may also share certain reports with our independent physician network and/or your healthcare provider, consistent with your expressed preferences and our regulatory obligations.
Our business partners
We partner with businesses and organizations who may offer products and services that we believe may be of interest to you. In certain cases, we may share personal data with these partners consistent with this Policy and the context in which you provided the information to us.
Our affiliates
We may share personal data with our affiliates as necessary, to provide our Services and for internal administrative purposes. We will require such affiliates to comply with the terms of this Privacy Policy.
Third parties related to a change of ownership
If Nucleus is involved in a merger, acquisition, asset sale, or other corporate combination, your personal data may be transferred. We will provide notice before your personal data is transferred and/or becomes subject to a different privacy policy.
Third parties related to law, harm prevention, and public interest
We may share personal data as we believe necessary (i) to comply with applicable law, rules and regulations; (ii) to enforce our contractual rights; (iii) to investigate possible wrongdoing in connection with the Services; (iv) to protect and defend the rights, privacy, safety and property of Nucleus, you and others; and (v) to respond to requests from courts, law enforcement agencies, regulatory agencies, and other public and government authorities.
We do not disclose your personal data, including your genetic information, to public databases, insurance companies, employers, or law enforcement (absent a valid court order, subpoena, or search warrant), or to third parties for their own marketing purposes.
04
Data Retention
We will retain your personal data only for as long as is necessary for the purposes set out in this Policy. We will retain and use your personal data to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies.
We will also retain certain personal data for internal analysis and product improvement purposes. This information is generally retained for a shorter period, except when this data is used to strengthen the security or to improve the functionality and offerings of our Services, or we are legally obligated to retain this data for longer time periods.
Our determination of precise retention periods will be based on (i) the length of time we have an ongoing relationship with you; (ii) whether there is a legal obligation to which we are subject; and (iii) whether retention is advisable in light of our legal position, including regard to applicable statutes of limitations, litigation or regulatory investigations.
05
Data Security
The security of your personal data is important to us. There is no method of transmission over the Internet or method of electronic storage that is 100% secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee its absolute security. We maintain appropriate technical, administrative, and physical safeguards to help protect the security of your personal data against unauthorized access, destruction, loss, alteration, disclosure, or misuse. You can learn more in our FAQ and Data Privacy and Security page.
06
International Data Transfers
Our Sites are operated exclusively in the United States. We may transfer, store and use information we collect and maintain about you, including personal data, outside of your state, province, country, or other governmental jurisdiction. The data protection laws in the jurisdiction in which we process personal data may differ from those of your jurisdiction, and in certain circumstances, your personal data may be subject to access requests from governments (such requests made through valid legal processes like under the National Security Letter or Foreign Intelligence Surveillance Act), courts, law enforcement agencies, or regulatory agencies in those other jurisdictions. By using the Sites or providing us with any information, you consent to the transfer and processing of your information, including personal data, in the United States as set forth in this Policy.
If you are located in the European Economic Area (“EEA”), the United Kingdom (“UK”), or Switzerland, we comply with any applicable laws to provide an adequate level of data protection to the U.S., as described further in our European Privacy Notice. Where applicable law requires us to ensure that an international data transfer is governed by a data transfer mechanism, we use EU Standard Contractual Clauses with data recipients located outside the EEA or the UK as well as other appropriate measures and safeguards.
07
Cookie Policy
When you visit our Sites, we may collect information from you automatically through Cookies. Cookies are files with a small amount of data, which may include a unique identifier. Cookies are sent to your browser from a website and stored on your device. Other tracking technologies, such as beacons, tags, and scripts, are also used to collect and track information and to improve and analyze our Services. We also rely on partners to provide many features of our Sites using data about your use of the Sites. You can modify your browser settings to decline or accept Cookies. However, in a few cases, some of our Sites’ features may not function as designed.
We use Cookies for the following purposes:
Necessity. To enable features that are necessary for providing you the services on our Sites, such as keeping you signed in, improving security, and preventing and detecting fraud.
Preference. To allow us to remember your preferences and identify you when you return to our Sites.
Analytics. To allow us to understand how our Sites are being used, track site performance and content views, and make improvements to the content, products or services.
Third-Party Analytics. We may use third-party service providers to monitor and analyze the use of our Service. For example, we may use Google Analytics or other service providers for analytics services. These analytics services may use cookies and other tracking technologies to help us analyze how users use the Service. Information generated by these services (e.g., your time spent per page or other usage information) may be transmitted to and stored by Google Analytics and other service providers on servers in the U.S. (or elsewhere) and these service providers may use this information for purposes such as evaluating your use of the Service, compiling statistical reports on the Service’s activity, and providing other services relating to Service activity and other Internet usage. You may exercise choices regarding the use of cookies from Google Analytics by going to https://tools.google.com/dlpage/gaoptout or downloading the Google Analytics Opt-out Browser Add-on.
Some web browsers and devices used to access our Sites may allow you to enable a “Do Not Track” setting, designed to inform websites that you do not want to be tracked. Like many websites, our Sites do not support “Do Not Track” functionality.
08
Children’s Information
The Sites are intended for a general audience and we do not knowingly collect personal data from children under the age of 18 through the Sites.
If you are a parent or guardian and you are aware that a child under the age of 18 has provided us with personal data without parental consent, please contact us using the information in the Contact Us section. If we become aware that we have collected personal data from children under the age of 18 without verification of parental consent, we will take steps to remove that information from our servers.
09
Your Privacy Rights and Choices
You may have rights and choices regarding our use and disclosure of your personal data. Unless instructed otherwise, you can exercise these rights and choices using the information in the Contact Us section at the end of this Policy.
Opting out of receiving electronic communications from us
You will not receive promotional electronic communications from us unless you have opted in to receive such communications. If you no longer wish to receive promotional email communications from us, you may opt-out via the unsubscribe link included in such emails or by accessing your account settings page. We will comply with your request as soon as reasonably practicable. Please note that if you opt out of receiving promotional emails from us, we may still send you important administrative messages that are required in order to provide you with our Services or for other reasons disclosed in this Policy.
View or change your account personal data
You may be provided with the opportunity to review, correct, update, or delete your personal data by submitting a request to concierge@mynucleus.com or going to your account settings page.
U.S. privacy rights
Certain U.S. jurisdictions provide residents with certain rights with respect to their personal data or personal data as defined under applicable law. These rights are subject to the specific laws of that jurisdiction, and certain other rights might apply. Please review our California Privacy Notice; Nevada Privacy Notice; Colorado, Connecticut, Utah, and Virginia Privacy Notice; and Consumer Health Data Privacy Notice for more information on rights and terms specific to your location or place of residence.
European privacy rights
Individuals located in the European Economic Area, United Kingdom, and Switzerland have certain rights with respect to our collection, use, and sharing of their personal data. Please review our European Privacy Notice for more information about those rights.
10
Exercising Your Privacy Rights
Depending on your place of residence or location, one or more of the jurisdiction-specific notices below may apply to you. If so, please use the following information to exercise your rights. Please note that any request you submit to us is subject to an identification and residency verification process as permitted under applicable law, as well as certain other procedural requirements that may be noted in the sections below. Additionally, all requests are subject to certain exceptions under applicable law, which may vary. If you are a visually-impaired customer, a customer who has another disability or a customer who seeks support in another language, you may access your privacy rights by emailing us at concierge@mynucleus.com.
How to submit a request
If you wish to exercise any of the rights listed in the jurisdiction-specific notices below, please send your request(s) to concierge@mynucleus.com or mail to:
Nucleus Genomics, Inc.
Attn: Nucleus Council
8000 Norman Center Drive
Bloomington, MN 55437
We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, manifestly unfounded, or in accordance with applicable law. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
How we verify and respond to requests
Except where otherwise noted, we will respond to your request within forty-five (45) days after receipt and we reserve the right to extend the response time by an additional forty-five (45) days when reasonably necessary and provided consumer notification of the extension is made within the first forty-five (45) days. As described below, in some jurisdictions, an authorized agent may submit a request to exercise your rights on your behalf.
If you have an account with us, we will deliver our written response to that account or via electronic mail. If you do not have an account with us, we will deliver our written response by electronic mail.
However, we cannot respond to your request or provide you with personal data if we cannot verify or authenticate your identity or authority to make the request and confirm that the personal data relates to you. Generally, a rights request must include:
Sufficient information that allows us to reasonably verify you are the person about whom we collected personal data or an authorized representative, which must include, at a minimum, your first and last name and email address.
A description of your request with sufficient detail that allows us to properly understand, evaluate, and respond to the request.
You are not required to create an account with us to submit a verifiable or authenticated consumer request. However, we do consider requests made through your password protected account sufficiently verified when the request relates to personal data associated with that specific account. We will only use personal data provided in a verifiable or authenticated consumer request to verify your (or your authorized agent’s as applicable) identity or authority to make the request.
Depending on applicable law, you may be limited in how many verifiable or authenticated consumer requests you make within a twelve (12) month period. If we have collected information on your minor child, you may exercise the above rights on behalf of your minor child. Additionally, in some jurisdictions, you may designate an authorized agent to submit a request on your behalf, and if so, we may require proof of the agent’s authorization by you and/or verification of the agent’s own identity.
Data Protection Officer
If you are a resident of the European Union, you may contact our Data Protection Officer at privacy@mynucleus.com or by mail using the contact information in Contact Us.
11
California Privacy Notice
This California Privacy Notice applies to any California residents about whom we collect personal information (“consumers”). The provisions contained within this section are intended to provide notices in compliance with the California Consumer Privacy Act of 2018 (“CCPA”) and the California Genetic Information Privacy Act of 2022 (“GIPA”). Any capitalized term used and not otherwise defined below has the meaning assigned to it in our Privacy Policy.
For the purposes of this California Privacy Notice, except where a different definition is noted, “personal information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California resident or household. Personal information does not include publicly available information, information that has been de-identified or aggregated, or other information subject to certain federal and state regulation. For purposes of this section, “publicly available information” includes: information that is made available from federal, state, or local government records; information that a business has a reasonable basis to believe is lawfully available to the general public, either through widely distributed media or by the consumer; and information that is made available by a person to whom the consumer has disclosed the information if the consumer has not restricted the information to a specific audience. Personal information does not include publicly available information, information that has been de-identified or aggregated, or other information subject to certain sector-specific privacy laws such as “protected health information” covered by HIPAA.
If you are a visually-impaired customer, a customer who has another disability or a customer who seeks support in another language, you may access this California Privacy Notice by emailing us at concierge@mynucleus.com.
Personal Information We Collect and Why We Collect It
The CCPA provides California residents with rights to receive certain disclosures regarding the collection, use, and disclosure of personal information.
We may collect, or have collected, the following categories of personal information:
Identifiers
Commercial information
Financial information
Internet or other electronic activity information
Geolocation data
Professional or employment-related information
Audio, electronic, visual, or similar information
Characteristics of protected classifications under California or federal law
Inferences drawn from any of the above.
We use the personal information we collect for the following purposes:
Contact you and provide information
Provide customer service
Perform identity and age verification as required under applicable law
Provide and maintain the Service
Facilitate interactive features
Internal analytics
Market our products and services
Market the products and services of others
Promotions and sweepstakes
Internal business purposes, including general business administration
Audit, compliance, legal, policy, procedure, and regulatory obligations
Customer claims and fraud investigation and prevention
Systems and data security
Protecting the safety of our employees and others
Profiling
For any purpose consistent with your user preferences
More detail about these data practices is in the Collecting Personal Information and Using Personal Information sections of this Policy.
Sources of Collected Personal Information
We may collect personal information from the categories of sources provided in the Summary of Nucleus Data Use chart above.
To Whom We Disclose Personal Information
We may disclose personal information to the categories of recipients provided in the Summary of Nucleus Data Use chart above. We limit our disclosure of personal information above to our service providers for one or more business purposes, as detailed in Disclosing Personal Information.
We do not and have not sold/shared personal information to third parties, including for any monetary or nonmonetary value or in connection with cross-context behavioral advertising, as those terms are defined under California law. We also do not sell/share personal information of minors under 16 years of age.
Sensitive Personal Information
Certain of the personal information that we collect may constitute “sensitive personal information” as defined by California law.
This may include:
Account login information
Mental or physical health condition or diagnosis
Personal data collected and analyzed concerning health
We collect sensitive personal information for the following purposes:
Provide customer service
Provide and maintain the Service
Internal analytics
Market our products and services
Market the products and services of others
Internal business purposes, including general business administration
Audit, compliance, legal, policy, procedure, and regulatory obligations
Profiling
For any purpose consistent with your preferences
Product improvements
As noted in Section 11(c) above, we do not sell/share any personal information, including the above-listed sensitive personal information.
Retention of Personal Information
We will retain personal information, including sensitive personal information, only for as long as is necessary for the purposes set out in this Policy. We will retain and use your personal information to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies.
We will also retain certain personal information for internal analysis and product improvement purposes. This information is generally retained for a shorter period, except when this data is used to strengthen the security or to improve the functionality or offerings of our Services, or we are legally obligated to retain this information for longer time periods.
Our determination of precise retention periods will be based on (i) the length of time we have an ongoing relationship with you; (ii) whether there is a legal obligation to which we are subject; and (iii) whether retention is advisable in light of our legal position, including with regard to applicable statutes of limitations, litigation or regulatory investigations.
Your California Privacy Rights
If you are a California resident, you have the following rights under California law in relation to your personal information, subject to certain exceptions:
Right to know and access. You have the right to know what personal information we collect, use, disclose, and sell and/or share, as those terms are defined under applicable law. You may ask us to provide you a portable copy of this information up to two times in a rolling twelve-month period.
Right to delete and erase. You have the right to request under certain circumstances that we, as well as our service providers and contractors, delete the personal information that we collect about you.
Right to correct inaccurate personal information. You have the right to request the correction of inaccurate personal information.
Right to non-discrimination. You have the right not to receive discriminatory treatment for the exercise of the privacy rights described above.
Right to opt out of sale and/or sharing. You have the right to opt out of the sale and/or sharing of your personal information by a business.
Right to limit use and disclosure. You have the right to limit the use or disclosure of your sensitive personal information to only the uses necessary for us to provide goods or services to you. We will not use or disclose your sensitive personal information after you have exercised your right unless you subsequently provide consent for the use of your sensitive personal information for additional purposes.
Sharing with third parties for their own direct marketing purposes. We do not disclose this personal information to third parties for their own purposes without your consent. If you wish to request information regarding such practices under California’s “Shine the Light” Law, please Contact Us via email or mail. You must include your full name, email address and postal address in your email or mail request so that we can verify your California residence and respond.
How to exercise your rights. You may exercise any of the rights described in this section by following the instructions in Exercising Your Privacy Rights above.
12
Nevada Privacy Notice
While we do not “sell” personal information as defined by Nevada law, Nevada residents nonetheless have the right to request to opt out of the future “sale” of your personal information under Nevada SB 220. If you are a Nevada resident and would like to make such a request, please Contact Us. You must include your full name, email address, and postal address in your request so that we can verify your Nevada residence and respond. In the event we sell your personal information after the receipt of your request, we will make reasonable efforts to comply with such request.
Nevada SB 370 provides Nevada residents with rights to receive certain disclosures and access regarding the collection, use, sale, and sharing of consumer health data, as defined below. For information regarding the consumer health data that we collect, how we use it, what sources it is derived from, to whom we disclose it, as well as the rights of Nevada residents and our responsibilities under SB 370, please see our Consumer Health Data Privacy Notice.
13
Colorado, Connecticut, Utah, and Virginia Privacy Notice
This Privacy Notice contains additional information for residents of Colorado, Connecticut, Utah, and Virginia regarding personal data as defined in Collecting Personal Data that we collect, how we use it, what sources it is derived from, and who we disclose it to, and provides information regarding your rights, and our responsibilities, under applicable laws and regulations. The provisions contained within this section are intended to provide notices in compliance with the Colorado Privacy Act (“CPA”), the Connecticut Data Privacy Act (“CTDPA”), the Utah Consumer Privacy Act (“UCPA”) and the Virginia Consumer Data Protection Act (“VCDPA”). This section does not apply to certain personal data that is already subject to certain federal and state regulations, such as protected health information.
Our Personal Data Practices
The CPA, CTDPA, UCPA, and VCDPA provide rights to residents of Colorado, Connecticut, Utah, and Virginia, respectively, to receive certain disclosures and access regarding collection, use, sale, and sharing of personal data. The Summary of Nucleus Data Use chart above explains what kinds of personal data we may collect or have collected, how we collect it, why we collect it, and who we may disclose it to. More detail about what we do with your personal information is found in the Collecting Personal Data, Using Personal Data, and Disclosing Personal Data sections of this Policy.
Your Privacy Rights
If you are a resident of Colorado, Connecticut, Utah, or Virginia, you have the following rights under applicable law in relation to your personal data, subject to certain exceptions:
Right to know and access. You have the right to know what personal data we collect, use, disclose, and/or sell or share as those terms are defined under applicable law. You may ask us to provide you a portable copy of this information up to two times in a rolling twelve-month period.
Right to delete and erase. You have the right to request under certain circumstances that we, as well as our service providers and contractors, delete the personal data that we collect about you.
Right to correct inaccurate personal data. You have the right to request the correction of inaccurate personal data.
Right to non-discrimination. You have the right not to receive discriminatory treatment for the exercise of the privacy rights described above.
Right to opt out. You have the right to opt out of targeted advertising, our sale of your personal data, and profiling decisions that could produce legal or similarly significant effects concerning the consumer.
Rights concerning sensitive personal data. If you are a Connecticut, Colorado, or Virginia resident, we cannot process your sensitive data or your sensitive data inferences, or use your personal data for certain purposes without your affirmative consent. If you are a Utah resident, you have the right to opt out of having your sensitive personal data processed.
The CTDPA provides Connecticut residents with additional rights to receive certain disclosures and access regarding the collection, use, sale, and sharing of consumer health data, as defined below. For information regarding the consumer health data that we collect, how we use it, what sources it is derived from, to whom we disclose it, as well as the rights of Connecticut residents and our responsibilities under the CTDPA, please see our Consumer Health Data Privacy Notice.
How to exercise your rights. You may exercise any of the rights described in this section by following the instructions in Exercising Your Privacy Rights above.
How to appeal decisions about your rights. Connecticut and Virginia residents can appeal our decisions concerning privacy rights requests, as follows:
Connecticut residents. If you are a Connecticut resident and want to appeal our decision with regard to a request that you have made, please Contact Us. Within sixty (60) days of receipt of an appeal, we will inform you in writing of any action taken or not taken, including an explanation of our reasons in reaching the decision. If the appeal is denied, you may contact Connecticut’s Office of the Attorney General by phone at (860) 808-5420 or by submitting a form here.
Virginia residents. If you are a Virginia resident and want to appeal our decision with regard to a request that you have made, please Contact Us or notify the Office of the Attorney General of Virginia online here. Within sixty (60) days of receipt of an appeal, we will inform you in writing of any action taken or not taken, including an explanation of our reasons in reaching the decision. If the appeal is denied, you may contact Virginia’s Office of the Attorney General by phone at (804) 786-2071, written correspondence to 202 North 9th Street, Richmond, Virginia 23219, or online here.
14
Consumer Health Data Privacy Notice
This Consumer Health Data Privacy Notice provides additional information regarding the consumer health data that we collect, how we use it, what sources it is derived from, and to whom we disclose it, and provides information regarding rights of individuals who are residents of Connecticut, Nevada, and Washington, or who are otherwise subject to those laws. The provisions contained within this section are intended to provide notices in compliance with the Connecticut Data Privacy Act (“CTDPA”), Nevada SB 370, and Washington’s My Health, My Data Act (“MHMD”).
For the purposes of this section, “consumer health data” means personal data that is linked or reasonably linkable to you and that identifies your past, present, or future health status or mental health status, as may be applicable. Consumer health data does not include “protected health information” covered by HIPAA.
Consumer Health Data We Collect
Our Services involve the collection of lab results and related information, as well as certain user surveys focused on your health and wellness. Accordingly, we may collect, or have collected, the following categories of consumer health data about you:
Individual health treatments, conditions, treatment, diseases, or diagnosis
Social, psychological, behavioral, or medical interventions
Health-related surgeries or procedures
Use or purchase of prescribed medication
Diagnosis or diagnostic testing, treatment, or medication
Gender affirming care information
Reproductive or sexual health information
Biometric data
Genetic data
Bodily functions
Vital signs, symptoms, or measurements of the above categories
Precise location information that could reasonably indicate your attempt to acquire or receive health services or supplies
Data that identifies you seeking health care services
Any information that we or our service providers process to associate or identify you with the above information that is derived from non-health information (such as inferred data).
Categories of Sources of Consumer Health Data
We may collect consumer health data from the following categories of sources:
Directly from you through your interactions with us, such as when you use our Services, create an account with us, provide wearable device information, complete electronic forms, or otherwise contact us via chat, email, phone, or text.
From third party service providers, in accordance with applicable law and the context in which you provided the data.
How We Use Consumer Health Data
We use the consumer health data we collect about you to provide customer service; provide and maintain our Services; market our products and Services; market the products and services of others; for internal business purposes, including general business administration; profiling; improving our product offerings and features; and for any purpose consistent with your preferences.
To Whom We Disclose Consumer Health Data
We will only disclose your consumer health data with your consent. For example, at your request, we may disclose consumer health data, such as your biometric data, to your healthcare provider or provider’s health system. Under certain circumstances, we may be required to disclose your personal data if required to do so by law or in response to valid requests by public authorities.
Your Consumer Health Data Privacy Rights
Nevada and Washington residents have the following rights in relation to your consumer health data, subject to certain exceptions:
Right to know. You have the right to know what consumer health data we collect, share, or sell, as those terms are defined under applicable law. You also have the right to obtain a list of all third parties and affiliates with whom we have shared or sold your consumer health data, and an active email address or other mechanism that you may use to contact these third parties. If you are a Washington resident or otherwise subject to Washington law, you also have the right to access your consumer health data that we collect, share, or sell.
Right to withdraw consent. You have the right to withdraw consent from the collection and sharing of your Consumer Health Data.
Right to delete. You have the right to request that we, as well as our service providers and contractors, delete the consumer health data that we collect about you.
Right to non-discrimination. You have the right not to receive discriminatory treatment for the exercise of the privacy rights described above.
Connecticut residents have the rights referenced in the Colorado, Connecticut, Utah, and Virginia Privacy Notice in relation to consumer health data.
How to exercise your rights. You may exercise any of the rights described in this section by following the instructions in Exercising Your Privacy Rights.
15
European Privacy Notice
This European Privacy Notice applies to any individuals located within the EEA, UK, or Switzerland from whom we may have collected personal data from any source, including through your use of our Sites, Products, and Services. We provide this European Privacy Notice to comply with applicable privacy laws. Any capitalized term used and not otherwise defined below has the meaning assigned to it in our Privacy Policy.
European law provides individuals located in Europe with rights to receive certain disclosures regarding the collection, use, and sharing of personal data, as well as rights to be informed, to access, to rectification, to erasure, to restrict processing, to data portability, and to object with respect to collected personal data. For the purposes of this European Privacy Notice, “personal data” means any information relating to an identified or identifiable natural person.
Basis for processing your personal data
Nucleus relies on one or more legal bases to process your personal data under applicable law. We may process personal data (i) as necessary to perform our contractual obligations to you, including, but not limited to, those obligations in our terms of use; (ii) as necessary to pursue our legitimate interests as further detailed below; (iii) as necessary for our compliance with our legal obligations such as a request or order from courts, law enforcement or other government authorities; and/or (iv) with your consent, including to send you marketing email messages and other information that may be of interest to you, which you may withdraw at any time.
Legitimate business interests
We may collect, process, and maintain personal data to pursue the legitimate business interests outlined below. To determine these legitimate interests, we balance our legitimate interests against the legitimate interests and rights of you and others and only process personal data in accordance with those interests where they are not overridden by your data-protection interests or fundamental rights and freedoms.
While our legitimate interests are most extensively detailed in Section 2 of our Privacy Policy, they generally include:
Provide, improve, and develop our Sites and Services, such as delivering requested services to you, providing user support, communicating with you, customizing the Sites to better fit your needs as a user, performing internal analytics, and developing new Services. This may also include sharing personal data with our trusted service providers that provide services on our behalf.
Protect you and others and to create and maintain a trusted environment, such as by complying with our legal obligations and our agreements with you and other third parties, to ensure safe, secure, and reliable Sites and Services, and to detect and prevent wrongdoing and crime, assure compliance with our policies, and protect and defend our rights, interests, and property.
Provide, personalize, measure and improve our marketing, including sending you promotional messages and other information that may be of interest to you with your consent. We may also use personal data to understand our user base and the effectiveness of our marketing. This processing is done pursuant to our legitimate interest in undertaking marketing activities to offer products or services that may be of interest to you.
Your privacy rights
In certain circumstances, individuals located within the EEA, UK, and Switzerland are entitled to the following data protection rights regarding their personal data:
Right to access. You have the right to request confirmation of whether Nucleus processes personal data relating to you, and if so, to request a copy of that personal data.
Right to rectification. You have the right to request that Nucleus correct or update your personal data that is inaccurate, incomplete or outdated.
Right to erasure. You have the right to request that Nucleus erase your personal data in certain circumstances provided by law.
Right to restrict processing. You have the right to request that Nucleus restrict the use of your personal data in certain circumstances.
Right to object to processing. You have the right to object to Nucleus processing your personal data, under certain conditions.
Right to data portability. You have the right to request that Nucleus export the data that we have collected to you or another company, under certain conditions.
Where the processing of your personal data is based on your previously provided consent, you have the right to withdraw your consent at any time. If you would like to exercise any of these rights, please submit a written request using the information in the Contact Us section below. We will respond to these requests in accordance with applicable data protection laws. We may ask you to verify your identity in order to help us respond efficiently to your request.
You may also have the right to lodge a complaint about our data collection and processing actions with the appropriate supervisory authority. You can view the contact information for your data protection authority here.
16
Links to Other Websites
Our Sites may contain links to other websites that are not operated by Nucleus. We strongly suggest you review their privacy policies. If any linked website is not owned or controlled by us, we are not responsible for its content or privacy policies, or the practices of the operator of the website or services.
17
Changes to This Privacy Policy
We may change this Privacy Policy from time to time to reflect new services or changes in our data practices or relevant laws. The “effective date” legend at the top of this Privacy Policy indicates when this Privacy Policy was last revised. Any changes are effective when we post the revised Privacy Policy on the Sites. If we make any material changes to this Privacy Policy, we will take reasonable measures to notify you via email and/or a prominent notice on our Sites prior to the change becoming effective, and will update the effective date at the top of this Privacy Policy. You are advised to review this Privacy Policy periodically for any changes.
18
Contact Us
If you have any questions or concerns about this Privacy Policy or wish to exercise one of your privacy rights, please contact us at concierge@mynucleus.com.
EFFECTIVE DATE 03/15/2024