Effective Date: January 25, 2019
Viome, Inc. is a company that collects and analyses physiological, physical, and molecular data for the purpose of understanding and optimising the wellness of individuals. The samples collected include stool, blood, saliva, cheek swab, skin swab, and/or urine, using sample collection kits provided by Viome. Customers will collect the clinical samples and ship them to Viome for analysis. Along with data obtained from clinical samples, customer-provided information will be collected and stored by Viome. Based on our analysis of all customer data, Viome will make personalised diet and lifestyle recommendations to the individual via, without limitation, the Viome website located at www.viome.com and Viome’s mobile applications.
Viome takes privacy very seriously. We are committed to protecting the privacy and security of “Personal Information” which could be used to identify the customer, either alone or in combination with other information. By accessing or using the Service (as defined below), the customer allows us to collect, store, and use their Personal Information to enable us to improve the personalization of diet and lifestyle advice. Viome recognizes and understands the importance of privacy and respects our customers’ desire to store and access Personal Information in a private and secure manner.
2. Types of Personal Information
Viome collects and uses several types of Personal Information in connection with the Service.
“Registration Information” is collected when you subscribe to or register for the Service. This information includes, but is not limited to, your name, password, payment plan, credit card information (Viome stores only the last 4 digits and the expiration date), shipping addresses, and contact information such as email address and telephone number. Viome uses Registration Information to authenticate your access to Viome websites and mobile applications; to enable you to purchase features related to the Service; to deliver personalised reports to you in connection with the Service; and to send you marketing communications.
“Sample Data” is collected when you provide self-collected clinical samples to Viome for analysis using the Viome-supplied collection kits. Sample Data includes, but is not limited to, gut or mouth microbe analysis, gut gene expression analysis, gut metabolite analysis, personal genetic analysis, personal gene expression, and personal metabolite analysis. If you consent to use the Service or to participate in the clinical study, your Sample Data is analysed in aggregate with other customers’ Sample Data to improve the personalization of Viome’s diet and lifestyle recommendations.
“Self-Reported Information” is collected when you provide information to Viome related to, but not limited to, your health conditions (e.g. Type 2 diabetes), other health-related information (e.g. smoking status, activity level, heart rate), diet information (e.g. food intake levels), and personal traits (e.g. height and weight). This information is provided to Viome using its websites and mobile applications. Self-Reported Information is used to support the study objective of identifying correlations between dietary and lifestyle inputs and molecular measures.
“Medical Information” is collected when you give Viome permission to access your medical records. Only with your written and signed permission will Viome obtain the medical records from your healthcare provider and use the Medical Information to improve data analysis methods and optimise wellness recommendations provided to you in reports.
3. Other Types of Collected Information
When you use the Service, some information is automatically collected through the use of log files. Such information may include your device’s Internet Protocol (IP) address, your device’s operating system, the browser type, and your device ID (only for iOS users). To ensure your data is safe and used only to the extent necessary to provide the Service, Viome deletes this information every three months. Viome uses this information for purposes such as analysing trends, administering the Service, improving customer service, diagnosing problems with our servers, tracking user movement, and gathering broad demographic information for aggregate use.
5. Use of Google Analytics
6. Disclosure of Personal Information to Third-Parties
In general, Viome will not disclose individual-level Personal Information to third parties, except under the following circumstances:
7. Information Required to be Disclosed by Law
Under certain circumstances, Personal Information may be subject to disclosure pursuant to judicial or other government subpoenas, warrants, or orders, or in coordination with regulatory authorities. You acknowledge and agree that Viome is free to preserve and disclose any and all Personal Information to law enforcement agencies or others if required to do so by law or in the good faith belief that such preservation or disclosure is reasonably necessary to: (i) comply with legal or regulatory process (such as a judicial proceeding, court order, or government inquiry) or obligations that Viome may owe pursuant to ethical and other professional rules, laws, and regulations; (ii) enforce the Viome Terms of Service; (iii) respond to claims that any content violates the rights of third parties; or (iv) protect the rights, property, or personal safety of Viome, its employees, its customers (including you), and the public. In the event Viome is required by law to disclose Personal Information, Viome will notify you through the contact information provided to Viome in advance, unless doing so would violate the law or a court order.
To prevent unauthorized access or disclosure, to maintain data and information integrity, and to ensure the appropriate use of information, Viome uses various physical, technical, and administrative measures to keep your Personal Information secure, in accordance with current technological and industry standards. In particular, all connections to the Viome websites and mobile applications are encrypted using Secure Sockets Layer (SSL) technology. Please recognize that protecting Personal Information is also your responsibility. We ask all users of the Service to be responsible for keeping their password secure, as well as other authentication information used to access the Service. You should not share authentication information with any third parties, and should inform Viome immediately of any prohibited use of your password. Viome cannot secure and assumes no liability for Personal Information that is released by the customer to third parties, such as a healthcare provider.
Viome keeps all personal data and information on secure cloud servers. Only a small group of staff can access information that can be used to identify you. These are people who need that information to complete the testing, analysis, and reporting. Your samples and other information you provide will be labeled with a code and not your name. The information that matches the code to your identity will be kept in a protected database at Viome. Only a small group of staff will have access to the protected database. We will not include any information in any publications that would make it possible to identify you. All Viome employees, consultants, and others who might have access to your private information must sign confidentiality agreements that mandate them to keep that information private. Your data may be shared with your doctor only with your written permission. Your specimens will be analysed, and remnants will be securely stored with de-identified alphanumeric IDs (no personal information).
9. Children’s Privacy
Viome is committed to protecting the privacy of children and abiding by the provisions of the Children’s Online Privacy Protection Act (COPPA). The Service is not designed or intended to attract children under the age of 13. In some instances, however, a parent or legal guardian may consent to his/her child’s study participation, and may assist the child with providing assent to study participation, if the child is old enough to do so. In such cases, the parent/guardian may create an account for, assist with sample collection for, and provide Self-Reported Information on behalf of his or her child. The parent/guardian assumes full responsibility for ensuring that the information that he or she provides to Viome about his or her child is kept secure and that the information submitted is accurate. In the event that Viome is notified or becomes aware that the Service has been used by a child under the age of 13 (or any higher applicable minimum age for a given product, as disclosed by Viome) to store information of that child without parental consent, Viome shall be and is authorized to delete, in its entirety, any of the information stored by that child. The Company also reserves the right to revoke any license to use the Service which is being used or has been used by a child under the age of 13 (or the applicable minimum age).
10. Account Closure and Correction of Personal Information
If the customer wishes to stop participating in the Service, the account may be closed by sending a request to Viome via email at firstname.lastname@example.org. When closing an account, Viome removes all personally identifiable information associated with Sample Data. In addition, Viome retains limited Registration Information related to the customer’s order history (e.g., name, contact, and transaction data) for accounting and compliance purposes. Personal Information and Registration Information can be changed, corrected, or updated using the Viome websites and mobile applications.
11. Business Transitions
12. California Do-Not-Track Disclosures
Viome does not track its customers over time and across third party websites to provide targeted advertising and therefore does not respond to Do Not Track (DNT) signals. Third parties that have content embedded on Viome’s websites or mobile applications (e.g. social features) may set cookies on a user’s browser and/or obtain information about the fact that a web browser visited a specific Viome website from a certain IP address. Third parties cannot collect any other personally identifiable information from Viome’s websites unless you provide it to them directly.
13. Data Privacy for EU Residents Under GDPR
A. General Data Protection Regulation (“GDPR”) Information for EU Residents
The following information describes our commitments to you under the EU General Data Protection Regulation (“GDPR”). Except where a term is specifically defined herein, terms in Section 12 will have the meaning provided under the GDPR.
When Viome acts as Controller
Viome acts as a Controller when it determines the purposes and means of processing personal data.
When Viome acts as a Processor
Right to access, correct, and delete your personal data
Please contact email@example.com to exercise your rights to access, correct, and delete your personal data pursuant to GDPR. We are not required to comply with your request to erase personal data if the processing of your personal data is necessary for compliance with a legal obligation or for the establishment, exercise, or defense of legal claims. Subject to the above terms and conditions, Viome will, within 30 days from the request of a customer, delete the personal data concerning such customer and destroy all samples provided by such customer. Notwithstanding the above provisions, Viome shall be permitted to retain any and all anonymized, aggregate data.
Right to restrict the processing of your personal data
You have the right to restrict the use of your personal data; however, we can continue to use your personal data following a request for restriction, where:
Right to data portability
To the extent that we process your personal data (i) based on your consent or under a contract; and (ii) through automated means, you have the right to receive such personal data in a structured, commonly used, machine-readable format, or you can ask to have it transferred directly to another data controller.
Personal data retention
We retain your personal data for as long as necessary to provide you with our services, or for other important purposes such as complying with legal obligations, resolving disputes, and enforcing our agreements.
Third parties with access to personal data
Viome shares your personal data with third parties as follows:
How to exercise your rights
If you would like to exercise any of the rights described above, please send us a request to firstname.lastname@example.org. In your message, please indicate the right you would like to exercise and the information that you would like to access, review, correct, or delete.
We may ask you for additional information to confirm your identity and for security purposes, before disclosing the personal data requested to you. We reserve the right to charge a fee where permitted by law, for instance if your request is manifestly unfounded or excessive.
We may not always be able to fully address your request, for example if it would impact the duty of confidentiality we owe to others, or if we are legally entitled to deal with the request in a different way.
We ask that you attempt to resolve any issues regarding your data protection or requests with us first. Please contact us at email@example.com and we will respond to your request promptly. You may also contact Viome’s designated, EU-based representative at:
If you are not happy with how we have resolved your complaint, you may contact the relevant supervisory authority: http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm
Viome’s “privacy by design” approach requires that our user data protection levels be at the highest setting by default. In the unlikely event of a breach, Viome will notify data subjects and Supervisory Authorities (SAs) in the EU according to procedures provided in GDPR Articles 33 and 34.
Using and sharing your information
We collect, use, and share your personal data where we are satisfied that we have an appropriate legal basis to do this. This may be because:
If you would like to find out more about the legal bases on which we process personal data, please contact us using the details below.
B. Exporting Personal Data from the EU
Viome may transfer your personal data outside of the country from which it was originally provided. This transfer may be intra-group or to third parties that we work with who may be located in jurisdictions outside the EU which have no data protection laws or laws that are less strict compared with those governing the EU. Whenever we transfer personal data outside of the EU, we take legally required steps to make sure that appropriate safeguards are in place to protect your personal data as further set forth below. Please contact us as set forth below for more information about the safeguards we have put in place to protect your personal data and privacy rights in these circumstances.
For EU Individuals: Privacy Shield Notice for Personal Data Transfers to the United States
With respect to personal data received or transferred pursuant to the Privacy Shield Framework, Viome is subject to the regulatory and enforcement powers of the U.S. Federal Trade Commission.
The following provisions govern information collected in reliance on the EU-U.S. Privacy Shield Framework Principles (“Principles”) for transfers of personal data from the EU to the United States.
Pursuant to the Privacy Shield Frameworks, EU individuals have the right to obtain our confirmation of whether we maintain personal information relating to you in the United States. Upon request, we will provide you with access to the personal information that we hold about you. You may also correct, amend, or delete the personal information we hold about you. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data transferred to the United States under Privacy Shield, should direct their query to firstname.lastname@example.org. If requested to remove data, we will respond within a reasonable timeframe.
Viome may be required to disclose personal data pursuant to lawful requests made by public authorities, including to meet national security or law enforcement requirements.
In compliance with the Privacy Shield Principles, Viome commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to Privacy Shield. European Union individuals with Privacy Shield inquiries or complaints should first contact Viome at: email@example.com.
Viome has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD, operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbb.org/EU-privacy-shield/for-eu-consumers for more information and to file a complaint. This service is provided free of charge to you.
If your Privacy Shield complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See Privacy Shield Annex 1 at https://www.privacyshield.gov/article?id=ANNEX-I-introduction
When Viome collects personal data from individuals, it will inform the individual of the purpose for which it collects and uses the personal data and the types of non-agent third parties to which Viome discloses or may disclose that information. Viome shall provide the individual with the choice and means for limiting the use and disclosure of their personal data. Notice will be provided in clear and conspicuous language when individuals are first asked to provide personal data to Viome, or as soon as practicable thereafter, and in any event before Viome uses or discloses personal data for a purpose other than that for which it was originally collected.
In instances in which Viome is not the controller or collector of the personal data, but only a processor, it has no means of providing individuals with the choice and means for limiting the use and disclosure of their personal data or providing notices when individuals are first asked to provide personal data to Viome. In such instances, Viome will comply with the instructions of the controller of such information; provide appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and to the extent appropriate, assist the controller in responding to individuals exercising their rights under the Principles.
In those instances where Viome collects personal data from individuals, we will provide an individual opt-out choice, or opt-in for sensitive data, before we share your data with third parties other than our agents, or before we use it for a purpose other than that for which it was originally collected or subsequently authorized. To request to limit the use and disclosure of your personal information, please submit a written request to firstname.lastname@example.org.
Disclosures to Third Parties
In those instances in which Viome collects personal data from individuals, prior to disclosing personal data to a third party, Viome shall notify the individual of such disclosure and allow the individual the choice to opt out of such disclosure. Viome shall ensure that any agent third party to which personal data may be disclosed subscribes to these principles or is subject to law providing the same level of privacy protection as is required by these principles and agrees in writing to provide an adequate level of privacy protection.
Viome’s accountability for personal data that it receives in the United States under the Privacy Shield and subsequently transfers to a third party is described in the Privacy Shield Principles. In particular, Viome remains responsible and liable under the Privacy Shield Principles if third-party agents that it engages to process the personal data on its behalf do so in a manner inconsistent with the Principles, unless Viome proves that it is not responsible for the event giving rise to the damage.
Viome shall take reasonable steps to protect personal data from loss, misuse and unauthorized access, disclosure, alteration and destruction. Viome has put in place appropriate physical, electronic and managerial procedures to safeguard and secure the information from loss, misuse, unauthorized access or disclosure, alteration or destruction. Viome cannot guarantee the security of information on or transmitted via the Internet.
Viome shall only process personal data in a way that is compatible with and relevant for the purpose for which it was collected or authorized by those who provided the information. To the extent necessary for those purposes, Viome shall take reasonable steps to ensure that personal data is accurate, complete, current and reliable for its intended use.
In those instances in which Viome collects personal data directly from individuals, Viome shall allow those individuals access to their personal data and allow the individual to correct, amend or delete inaccurate information, except where the burden or expense of providing access would be disproportionate to the risks to the privacy of the individual in the case in question or where the rights of persons other than the individual would be violated.
Attn: Privacy Officer
81 Camino Entrada, Suite 100
Los Alamos, NM 87544