Last Modified: May 20, 2021
At DermTech, Inc. (“DermTech,” “we,” “us” or “our”) we take your privacy and the security of your information very seriously. At DermTech we provide clinical tests that your healthcare provider may order on your behalf and other products that we may choose to offer to focus on precision dermatology, including mobile applications.
This Policy is incorporated into, and is part of, our Mobile Terms of Service applicable to the Mobile App your use of the Services. Those capitalized terms not defined in this Policy shall be given the meaning provided within the Terms of Service.
If you have any questions regarding this Policy please contact us at firstname.lastname@example.org
The Policy describes the types of information we gather from people visiting our Site and from individual users (“you” or “users”) interacting with our Site and Services and how we use, transfer, and secure such information. By accessing our Services, you agree to be bound by this Policy. This Policy does not govern information we receive from third parties for the provision of services to such parties, unless specifically stated. If you do not agree to the terms of this Policy, you should not use the Services. Each time you use any Services, the current version of this Policy will apply. Accordingly, when you use any Services, you should check the date of this Policy (which appears at the top) and review any changes since you last reviewed the Policy.
Types of Information We Collect
We may collect two types of information from users of our Services: “Personal Information,” which is information that can be used to identify you (your account information, such as name, email address, ), and “Aggregate Information,” which is information that cannot be used to identify you (such as frequency of visits to the Site, browser type, etc.)
1.1. Personal Information Collected
1.1.1. We collect Personal Information that you voluntarily provide to us when you use our Services. For example, you may provide us with your email address, first name and last name, or other Personal Information.
1.1.2 Personal Information Collected When Using the Mobile App: When using our Mobile App, you may provide us Personal Information. For information that is considered PHI, please see our Notice of Patient Privacy Practices (please see Article 10 below) . Where the information provided is not PHI, but may still be used to identify you we will treat it as Personal Information under this Policy.
For example, you may provide us with:
- Contact Information such as your first name, last name, physical address, phone number, email address and other Personal Information.
- Date of Birth
- Insurance Information
- Billing and Payment Information
- Answers to survey questions related to services provided to you, including the Mobile App
1.1.3 Use of Personal Information: We use the Personal Information you provide to us as necessary to provide you the Services. Please note that this may involve transferring your Personal Information to a third party. Where you have opted in to marketing communications, including by signing up for marketing emails, we may also use Personal Information to market new products and services to you. Please note that we will transfer Personal Information to third parties as described within Section “2. Sharing of Personal Information with Third Parties.”
1.2. Collection of Personal Information by Third Parties
1.2.1. Some links within our Services may redirect you to third party websites that we do not operate. The privacy practices of these websites or services will be governed by their own policies. We make no representation or warranty as to the privacy policies of any third parties, including the providers of third-party applications.
1.3. Aggregate Information Collected
1.3.1. Aggregate Information is information that does not identify you. Aggregate Information may be collected when you use our Services, independent of any information you voluntarily enter. Additionally, we may use one or more processes to de-identify information that contains PHI, or Personal Information, such that only Aggregate Information remains. We may collect, use, store, and transfer Aggregate Information without restriction, including for use in research and development and product development.
1.3.2. For example, when you use our Services, some information is automatically collected. Such information could include your operating system, your location, the results of your test or a web site from which you linked to us (“referring page”), the name of the website you choose to visit immediately after ours (called the “exit page”), information about other websites you have recently visited, browser (software used to browse the internet) type and language, device identifier numbers, your site activity, and the time and date of your visit. Although we do our best to honor the privacy preferences of our visitors, we are not able to respond to Do Not Track signals from your browser at this time.
1.4. Use of “Cookies”
1.4.1. Cookies are alphanumeric identifiers that we transfer to your computer’s hard drive and smartphone through your web browser and our Services to help us identify you and enhance your experience. You have choices with respect to cookies. By modifying your browser preferences, you have the choice to accept all cookies, to be notified when a cookie is set, or to reject all cookies. If you choose to reject all cookies you may be unable to use part or all of our Services that require registration in order to participate. You can learn more about cookies and how they work at www.allaboutcookies.org. You can always disable cookies through your browser or smartphone settings. Doing so, however, may disable certain features on our Services. You can opt-out from third party cookies that are used for advertising purposes on the NAI website at https://www.networkadvertising.org/managing/opt_out.asp.
1.7. Interest-Based Advertising:
1.7.1. We may also participate in interest-based advertising using similar technology. This means that you may see advertising on our Sites tailored to your interests, or you may see advertising for DermTech and its properties on other websites based on your browsing behavior across websites. Some websites where we may advertise belong to ad networks that use your web browsing history to choose which ads to display on their network websites; these ads include advertising for DermTech and its Sites. Other websites where you see our ads, such as Facebook, may use interest preferences that you have chosen on those sites, to choose which ads to display to you. Some internet browsers, websites such as Facebook and mobile devices offer opt-outs for interest-based advertising. Please refer to the website that you are visiting, your browser and/or your device settings for additional information.
1.7.2. You can opt-out of receiving interest-based ads from third parties who are members of the Network Advertising Initiative (NAI) or who follow the Digital Advertising Alliance’s Self-Regulatory Principles for Online Behavioral Advertising by visiting the opt-out pages on the NAI website (https://www.networkadvertising.org/choices/) and DAA website (https://www.aboutads.info/choices/).
2. Sharing of Personal Information with Third Parties
2.1. We may transfer Personal Information to third parties for the purpose of providing the Services. We may disclose Personal Information to our affiliates or third-party service providers to provide you with the Services. For example, we may transfer your Personal Information to third party service providers such as Amazon Web Services, and other software providers to (i) assist with providing the Services; (ii) communicate with you about current or future offerings, including sending you marketing communications where you have opted in these communications. Your Personal Information may be stored and processed outside the United States. These third-party service providers are not authorized to retain, share, store or use your Personal Information for any purposes other than to provide the services they were hired to provide for you, as related to use of DermTech related services, and including assisting use with alerting you to future product offerings where you have opted in to receive such communications. DermTech also uses third-party vendors for customer relationship management (CRM) and emails. We pay transfer Personal Information to third-party vendors and make communications to you via third-party vendors.
2.2. We may also elect to transfer your Personal Information to third parties under special circumstances to: (i) to comply with a legal requirement, judicial proceeding, court order, or legal process served on us; (ii) to investigate a possible crime, such as fraud or identity theft; (iii) in connection with the sale, purchase, merger, reorganization, liquidation or dissolution of DermTech; (iv) when we believe it is necessary to protect the rights, property, or safety of DermTech or other persons, or (v) as otherwise required or permitted by law, including any contractual obligations of DermTech.
3. Corrections/Information Removal/Opt-Out
3.1. You can request that any Personal Information stored by us be deleted at any time by contacting us at email@example.com. We may require you to provide certain information to verify that it is you making the request. However, we will not delete information that we are required to retain in order to comply with applicable laws and regulations, our own data retention policies, or to complete the offering of any active portion of the Services.
3.2. If you no longer wish to receive our newsletter or promotional communications, you may opt-out of receiving them by following the instructions included in each communication.
4. Children and Privacy
4.1. We do not knowingly collect Personal Information from children in connection with the features of our Sites or Services. Please note, any use or access of the Mobile App by anyone under the age of 18 is strictly prohibited. In addition, if we become aware that an individual under the age of 18 has provided personally identifiable information through our Sites, we will immediately remove the individual’s personally identifiable information from our files.
5. How Do We Protect Your Information
5.1. We take the security of your Personal Information very seriously. We use reasonable administrative, physical, and technical safeguards to secure the Personal Information you share with us, and additional protections where required by applicable law.
6.1. Each time you use our Site or Services the current version of the Policy will apply. When you use our Site, you should check the date of this Policy (which appears at the top of the Policy) and review any changes since the last version. Our business changes frequently and this Policy is subject to change from time to time. Unless stated otherwise, our current Policy applies to all information that we have about you. We will not materially change our policies and practices to make them less protective of your privacy without the consent of affected customers.
7. How Do You Contact Us?
7.1. To contact us with your questions or comments regarding this Policy or the information collection and dissemination practices of this Site, please contact us as follows:
DermTech Operations, Inc.
ATTN: Privacy Officer
11099 N. Torrey Pines Road, Suite 100
La Jolla, CA 92037
7.2. When communicating to us regarding any questions you may regarding this policy or the Notice of Patient Privacy Practices (Article 10 below) or with any questions you may have about your privacy rights, please contact the Privacy Officer using electronic communication: firstname.lastname@example.org.
8. Visitors That Reside Outside the United States
8.1. DermTech provides its Services for the purpose of serving interested parties within the United States, and our Services are not intended, nor directed to anyone residing outside the United States.
9. Governing Law
9.1. This Policy is governed by the laws of the State of California, U.S.A. without giving effect to any principles of conflict of law.
10. NOTICE OF PATIENT PRIVACY PRACTICES
THE NOTICE IN THIS ARTICLE 10 (INCLUDING SECTIONS BELOW) DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
10.1. DermTech Operations, Inc. (“DERMTECH”) is required, by law, to maintain the privacy and confidentiality of your protected health information (“PHI”) and to provide our patients with notice of our legal duties and privacy practices with respect to your PHI. DermTech may access such PHI either through your and your healthcare provider’s use of the Mobile App as related to providing services to you, or through conducting of laboratory test(s) offered by DermTech and ordered by your healthcare provide.
COMMON USES AND DISCLOSURES OF YOUR HEALTH CARE INFORMATION ALLOWED UNDER THE LAW WITHOUT YOUR AUTHORIZATION:
10.2. Treatment – We may use your PHI to provide you with health treatment and services. If you obtain treatment from other providers in connection with our services, those other providers will have their own privacy practices which are not applicable to DERMTECH. You are encouraged to review the privacy practices of all providers involved in your care.
10.3. Payment – We may use and disclose your PHI so that the treatment and services you receive may be billed to and payment collected from you, your insurance company or a third party.
10.4. Health Care Operations – We may use or disclose your PHI for activities necessary to run our business, such performance of quality checks for our testing, internal audit, care coordination, budget and financial planning and general management and operation of our business.
10.5. Worker’s Compensation – We may release your PHI in order to comply with the laws related to worker’s compensation or similar programs.
10.6. Emergencies – We may disclose your PHI to a friend or family member who is involved in your medical care in the event of an emergency.
10.7. Public Health Activities – We may disclose your PHI for the purposes of preventing or controlling disease, injury, disability, or death; reporting child abuse or neglect; reporting domestic violence; or to report problems or other adverse events with products and/or services to the U.S. Food and Drug Administration.
10.8. Lawsuits and Disputes – We may disclose your PHI in the course of any administrative or judicial proceeding.
10.11. Coroners, Medical Examiners and Funeral Home Directors – We may disclose your PHI to a coroner or medical examiner.
10.12 Organ Donation – We may disclose your health information to organizations involved in procuring, banking, or transplanting organs and tissues.
10.13. Research – Under certain circumstances, we may use or disclose your PHI for research purposes within DERMTECH and with research collaborators outside of the company who are under contract and are also obligated to protect PHI. All research projects at DERMTECH are conducted in accordance with applicable law, with such protections as review by a committee responsible for ensuring the rights and welfare of research subjects, appropriate patient authorization when required, and an adequate plan to safeguard PHI.
10.14. Public Safety – We may use and share your PHI with persons who may be able to prevent or lessen a serious imminent threat to you, the public or another person’s health or safety.
10.15. Health Oversight Activities – We may release your health information to government agencies authorized to conduct audits and investigations. These government agencies monitor the operation of the health care system, government benefit programs such as Medicare and Medicaid, and compliance with government regulatory programs and civil rights laws.
10.16. Lawsuits and Disputes – We may disclose your health information if we are ordered to do so by a court or administrative tribunal that is handling a lawsuit or other dispute. We may also disclose your information in response to a subpoena, discovery request, or other lawful request by someone else involved in the dispute, but only if required judicial or other approval or necessary authorization is obtained.
10.17. Law Enforcement – When permitted by law, we may disclose your health information to law enforcement officials for certain reasons, such as complying with court orders.
10.18. Business Associates – There are some services provided in our organization through contracts with organizations that require PHI in order to provide their services. These organizations are called business associates. Examples of business associates include independent sales representatives working with your doctor, accreditation agencies, quality assurance reviewers, and third parties equipped to de-identify and mask information.
10.19. Legal Requirements – We will disclose your PHI without your permission when required to do so by federal, state, or local law.
10.20. Marketing – We cannot use your PHI for marketing or share your PHI with third parties for their own marketing purposes without your written authorization. However, in order to better serve you, we can provide you with marketing materials in a face-to face encounter without obtaining your authorization. We are also permitted to give you a promotional gift of nominal value without obtaining your authorization. In addition, we may communicate with you about products or services relating to your treatment, case management, or care coordination, or alternative treatments, therapies, providers or care settings without your authorization.
10.21. Sale – We will not sell your PHI to third parties. The sale of PHI, however, does not include a disclosure for public health purposes, for research purposes where we will only receive remuneration for our costs to prepare and transmit the health information, for treatment and payment purposes, for the sale, transfer, merger or consolidation of all or part of our company.
YOUR RIGHTS REGARDING YOUR PROTECTED HEALTH INFORMATION:
10.22. As part of your normal medical care, healthcare professionals may require access to your PHI. In the event of a request for your PHI from another healthcare provider, we will confirm that the healthcare provider is involved in your care before disclosing your PHI.
10.23. You have the right to request a limit on the PHI we disclose about you to someone who is involved in your care or the payment for your care. We are not required by law to agree to your request and we may say “no” if it will affect your care.
10.24. You may access a copy of this Notice on DERMTECH’s website. You have a right to obtain an additional paper copy of this Notice of Patient Privacy Practices upon request.
10.25. You have a right to limit disclosure of your PHI to your health plan if you pay for DERMTECH’s services in full and request that your PHI not be disclosed to your health plan.
10.26. You may request access to your DERMTECH medical record and billing records maintained by DERMTECH in order to inspect and request copies of the records. All records will be maintained for a period of time mandated by applicable state and/or federal law. If you request copies, we may charge you a reasonable fee consistent with applicable law and may charge you for our postage costs. You have the right to request an amendment to your health record if you feel the information is incorrect or incomplete. Please note that even if we accept your request, we are not required to delete any information from your health record.
10.27. You have a right to obtain an accounting (or a list) of certain disclosures of your PHI made by DERMTECH within the last 6 years. We’ll include all the disclosures except for those about treatment, payment, and health care operations and certain other disclosures (such as those that you asked us to make). We’ll provide one accounting a year for free but will charge you a reasonable, cost-based fee if you ask for another accounting within 12 months.
10.28. You have a right to request that your PHI be communicated by alternative means or at alternate locations.
10.29. You have the right to be notified of a breach of your unsecured PHI if the breach compromises the privacy and security of your information. We must provide required notices to you as soon as practicable, but no later than sixty (60) days following discovery of the breach. The notice will include a description of what happened, including the date, the type of information involved in the breach, steps you should take to protect yourself from potential harm, a brief description of the investigation into the breach, mitigation of harm and protection against further breaches and contact procedures to answer your questions.
CHANGES TO THIS NOTICE OF PATIENT PRIVACY PRACTICES:
10.30. DERMTECH may change this Notice of Patient Privacy Practices at any time in the future and will make the new provisions effective for all information that it maintains. The new notice will be available upon request and on our website.
10.31. If you have questions about any part of this Notice or if you want more information about your privacy rights, please contact us using the information provided above in Section 7.2.
10.32. If you believe your privacy rights have been violated, you may file a complaint with DERMTECH by calling 1-866-450-4223. You may also file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights by sending a letter to 200 Independence Avenue, S.W., Washington, D.C. 20201, calling 1-877-696-6775, or visiting www.hhs.gov/ocr/privacy/hipaa/complaints/. We will not retaliate against you for filing a complaint.
The effective date of this DERMTECH Notice of Patient Privacy Practices is May 20, 2021.