Privacy Policy

Version 5.3 - Last updated on 22 December 2020

This privacy policy (the “Privacy Notice”) describes how Saphetor SA (CHE-467.115.331) and any of its affiliates (“Saphetor,” “we,” “us,” or “our”) process personal data, including collection, use and disclosure, in connection with the use of any Saphetor platform, including, without limitation, the Saphetor website (saphetor.com) and the VarSome, VarSome API, VarSome Pro and VarSome Clinical platforms (varsome.com and its subdomains) (collectively, the “Platforms”).

This Privacy Notice applies to information we collect through the Platforms, as well as other information provided to us online or offline by third parties, when we associate that information with customers or users of the Platforms; however, it does not apply to information collected from our employees, contractors, or vendors.  It also does not apply to information that you ask us to share with third parties or that is collected by certain third party providers of online tools (as further described in Section 6 below).  You acknowledge and agree that Saphetor is not responsible for the data collection or use practices of any other user of the Platforms or any third party utilized in providing the Platforms.

1. Introduction

We recognize the importance of privacy and of transparency in our processing of personal data.  By “processing” we mean operations performed on personal data, such as collection, structuring, storage, modifying, use, disclosure, restriction, erasure, destruction or any other operation defined as “processing” (or an equivalent term) under Applicable Data Protection Law (as defined in Section 2 below).  By “personal data” we mean any (i) information relating to an identified or identifiable natural person, and (ii) any other information defined as “personal data” or “personal information” (or an equivalent term) under Applicable Data Protection Law. An identifiable natural person is someone who can be identified, directly or indirectly, particularly by reference to an identifier such as a name, identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, cultural or social identity of that natural person.

This Privacy Notice explains (i) which personal data are processed on the Platforms, (ii) the manner and the purposes for which we process the personal data, and (iii) the measures which we take in order to protect such personal data.

By accessing and using any Platform, you accept this Privacy Notice and acknowledge that we collect and process your personal data in accordance with it.

We reserve the right to amend this Privacy Notice at any time at our sole discretion in order to adapt it to any new commercial or technological practice or change in the law. Should this occur, we will inform you by any appropriate means (including per email or via the Platforms, e.g. through banners, pop-ups or other notification mechanisms). If you do not accept these amendments, your sole remedy is to stop using the Platforms.

You must be at least 18 years old to use any of the Platforms.

2. How and Why We Process Personal Data

We only process personal data when we have a valid reason to do so, in accordance with the Applicable Data Protection Law.

We process personal data in compliance with Swiss data protection law and the European Union’s General Data Protection Regulation (collectively, “Applicable Data Protection Law”) and only when we have a valid reason to do so, as further specified below.

To provide the Platforms and Services to our Users:

If you are a user of the Platforms (a “User”), we mainly process your personal data to provide the Platforms and other services accessible on them (“Services”), including for creating and maintaining a user account, interacting with you and other Users (including for allowing other Users to view your public content), providing you with requested information and services, performing data analysis that you request, or in the manner expressly indicated when certain personal data are collected.

If you are not a User, we may process your personal data because it was provided to us in pseudonymized form by one of our Users, for instance due to your position as a customer or patient of an organization with which a User is affiliated (the “Organization”). In this case, we mainly process your personal data for the purpose of providing the Platforms and the Services to the Organization, based on a contract between us and the Organization. This Privacy Notice does not govern how the Organization processes your personal data or how we process your data for the account of the Organization (e.g. to carry out the analysis requested by the Organization). Please refer to the Organization’s policies and contact the Organization directly for any inquiry relating to the use of your personal data by it.

For our legitimate business interests, including to improve our Platforms and Services, for scientific and research purposes, as well as for security and monitoring and for statistical purposes:

Furthermore, we may also process your personal data for our legitimate business operations related to providing the Platforms, which include (i) to ensure that the Platforms and Services are provided in an efficient and secure way (e.g. through analysis of the Platforms’ stability and security, updates and troubleshooting, as well as support services); (ii) to improve and develop the Platforms and our Services; (iii) to moderate public contributions and exchanges between Users; (iv) to verify the accuracy of the information which is provided to us; (v) to benefit from cost-effective services (e.g. we may opt to use certain Platforms offered by suppliers); (vi) to meet our corporate and social responsibility objectives (including monitoring our performance or the use of the Platforms and our Services, and for statistical purposes); and (vii) other operational needs, such as billing and legal support.

We may also process personal data for scientific and research purposes, to provide other Users and third parties with aggregated or pseudonymized scientific information derived from it, for instance the fact that single molecular markers have been found in one or more datasets processed via a Platform or queried directly on a Platform, as well as the respective genotype, phenotype(s), or tumor types known about that individual(s) and their sex and ethnic background.

In addition, we may use de-identified (de-identified as used herein refers to data that has been de-identified pursuant to 45 C.F.R. § 164.514 and for which there is no reasonable basis to believe that the information can be used to identify an individual) meta-information derived from the analysis performed via the Platform, to improve the Platforms (e.g. the accuracy of the analysis we perform). Such de-identified meta-information will be derived using statistical methods, either in isolation or combined with data obtained from other sources.

When doing so, we generally rely on our legitimate business interest. You may object to such processing activities at any time by sending an email to DPO@saphetor.com.

For sending our newsletter, or for other marketing and advertising purposes:

Provided that we have obtained your prior and unambiguous consent, we may use your personal data, in particular, the contact details as well as other personal data collected in accordance with this Privacy Notice, for marketing and advertising purposes, e.g. to send you information and offers relating to our products and services and/or of our partners, such as prospectuses, newsletters, and other advertising messages. You may withdraw your consent at any time on https://varsome.com/accounts/preferences/ or by sending an email to DPO@saphetor.com.

If we have a legal obligation to do so:

We may further process personal data to comply with our legal or regulatory obligations. This will for instance be the case if we need to disclose certain information to public authorities or retain such information for tax or accounting purposes, or for the establishment, exercise or defense of legal claims.

For any other reason, based on authorization:

In addition to the above, we may process your personal data, if we have obtained your prior unambiguous written authorization  pursuant to 45 C.F.R. § 508 consent, solely for the purposes specified when obtaining your authorization. You may withdraw your authorization for this purpose at any time by sending an email to DPO@saphetor.com.

3. How and Where We Collect Personal Data

We collect the personal data which you provide when you use the Platform.

We collect the personal data you provide when you correspond with us and/or our partners, or when you use the Platforms, for example, when you create, manage and/or use your account, through webforms you fill in, or when you contribute to the Platforms (e.g. the comments and variant classifications you make) (“User Data”).

Such information may include your first and last name, work location, phone number, job title, employer name, business address, payment information, the information you filled in webforms, information about your use of the Platforms, and any other information which we may request from you.

We collect the personal data contained in the datasets uploaded by Users

As part of the Services we provide, we also collect the personal data contained in the datasets Users upload to the Platforms to run analysis (“Datasets”). Datasets contain genetic and/or other molecular data from individuals, or other special categories of protected health information.

We process this personal data with additional care, as specified in this Privacy Notice.

Certain personal data are also collected in an automated manner.

We may also automatically collect personal data when you access and use the Platforms, including by means of tools, web forms, cookies and other active elements contained in our emails and/or those of our partners, e.g. basic logs on information such as IP address, user id, network ID and user location (“Analytics Data”).

Analytics Data includes the following information, which we automatically collect and store, about your computer and your visit:

  • the domain and host from which you access the Internet
  • the Internet address of the website from which you linked directly to the Platforms, if applicable
  • the date and time you accessed the Platforms, how long you spent on the Platforms and which pages you visited
  • your Internet protocol (IP) address, its location, and your computer’s operating system and browser software

We may work with third parties to produce Analytics Data in aggregated and anonymized form. Third parties will be required to observe our privacy standards, to provide us only with aggregated and anonymized information, to use the information collected only for the purposes for which they have been retained by Saphetor, and to destroy the information afterwards.

You can limit certain authorizations by using settings related to the automated collection of your Analytics Data.

You may limit certain authorizations related to data collection, in particular in connection with the geolocation and access data contained in your device, subject to the available functionalities of your device.

You may also limit permissions for the automated collection of your Analytics Data on your web browser (if you access the Platforms via a computer) or on your device. For more detailed information, please consult the section on cookies below.

We also collect non-personal data relating to the Platforms, that is, information that does not personally identify an individual.  The non-personal data we collect includes how you interact with the Platforms, information generally collected or “logged” by Internet websites or Internet services when accessed or used by users, and information about your web browser or device accessing or using the Platforms.  

We will not use non-personal data to try to identify you, and if we associate any non-personal data with information that personally identifies you, then we will treat it as personal data.

4. Processing Methods

We may process your personal data by automated means but take appropriate security measures in this respect.

Our processing activities are carried out both by humans and with computers or computer tools, and in compliance with the purposes indicated in this Privacy Notice.

We may use your personal data to create a profile about you and provide you with more relevant information and services (“profiling”). You may have the right to object to such activities, in accordance with Applicable Data Protection Law. We do not use any individual decision-making based solely on automated processing.

Furthermore, we may process your data to remove any information that identifies you and your Organization from it (“de-identification”) and further use such de-identified data for purposes not contemplated by this Privacy Notice (including for data mining, benchmarking and analytics purposes, or for developing and marketing new services).

5. How Long Do We Store Personal Data?

We will not retain your personal data for a longer period than necessary for the purposes as outlined in this Privacy Notice.

If you delete your user account, your User Data will be deleted or anonymized within 30 days after such event, unless such data must be retained for a valid reason, such as if we are required to retain such information by applicable law. This does not include content that Users made publicly available on the Platforms, which will not be automatically removed. The public content of our Users is of scientific value and benefits the wider community of patients, researchers, and healthcare professionals. You can manage and remove your content via your account settings, or contact us to request the removal of your content (see contact details in section 11 below).

When our contractual relationship with your Organization is terminated, we will delete all Datasets that you uploaded to the Platforms. If you delete your user account, we will still retain any Datasets you uploaded in order to fulfill our contractual agreement with your Organization.

Please note that any information that we have copied may remain in back-up storage for a limited period of time after your deletion request.

6. International Transfers and Communications to Third Parties

We may disclose your Personal Information to third parties as described below.

As further described in this privacy policy, we share your personal data in certain circumstances where we receive compensation. We do this only when we have your consent and you may withdraw your consent at any time by emailing us at DPO@saphetor.com.

Datasets uploaded on the Platforms are stored only in the country where the user uploads them. We do not store the Datasets in other countries unless authorized in writing by the Organization whose user uploaded them.

We store the Datasets on behalf of the User uploading them, as instructed by the User. If your personal data is comprised in a Dataset, please direct any query you have regarding your data to your Organization.

User Data and Analytics Data may be disclosed to third parties where necessary for the proper operation of the Platforms and the provision of the related Services, or for promotional purposes. In this context, your personal data may be stored and processed outside your country of residence, including to countries that do not guarantee the same level of data protection and privacy as Switzerland, the United Kingdom, and the European Union.

We may also disclose personal data and non-personal data to Service Providers. By “Service Providers” we mean companies, agents, contractors, service providers, or others engaged to perform functions on our behalf (such as processing of payments, provision of data storage, hosting of our website, marketing of our products and services, and conducting audits). When we use a Service Provider, we require that the Service Provider use and disclose the personal data and non-personal data received from us only to provide their services to us or as required by applicable law.

We may communicate User Data and Analytics Data to third parties as part of operating the Platforms, and to subcontractors such as host services providers (e.g. Google Cloud platform (GCP), Amazon Web Services, Microsoft Azure), CRM provider (Hubspot), productivity/collaboration tools provider (Google Workspace), and other service providers.

We may also enable you to use third-party services directly from the Platforms, namely through social plug-ins of Google LLC; Facebook, Inc.; LinkedIn Corporation; Twitter; and/or Microsoft Corporation, in which case you recognize that the third-party operators of these services may access some of your personal data in connection with the Platforms. Please note that this Privacy Notice does not apply to the practices of any company or individual that we do not control, nor to any other website that may be linked from the Platforms. You should carefully review the privacy policies of any other website that you visit from the Platforms to learn more about their information and privacy practices. In such contexts, the collection and use of your personal data are governed by such other party or websites’ privacy policy. We shall not be held responsible for their privacy practices.

In the above contexts, your personal data may be stored and processed in your region, or transferred to, stored at or otherwise processed outside your country of residence, including, in respect of residents of a country within the European Economic Area (the “EEA”), the United Kingdom, or Switzerland, in a country outside the EEA, the United Kingdom, or Switzerland, or any other country which does not necessarily offer an adequate level of data protection as recognized by the European Commission, the United Kingdom, or Switzerland, including without limitation the U.S. Such data may also be processed by staff operating inside or outside your country of residence, including staff located outside of the EEA, the United Kingdom, or Switzerland, who work for us or our service providers.

Where we transfer your personal data outside the EEA, the United Kingdom, or Switzerland, we will ensure that suitable safeguards are in place to help ensure that our third-party service providers provide an adequate level of protection to your personal data. 

You may request additional information in this respect and obtain a copy of the relevant safeguards upon request through sending a request to the contact indicated in section 11 below.

Certain information is publicly available on the Platforms.

The Platforms allow Users to share information publicly (for instance public profile, posts, and other content that Users decide to make available to others). This information will be publicly available on the internet and thus accessible worldwide to other Users and our partners.

We may also disclose personal data to third parties when we have a legitimate interest or legal obligation to do so.

We may also disclose your personal data when we have a legitimate interest to do so, for instance to (i) any third party to whom we assign or transfer any of our rights or obligations in the event of a sale, merger, or transfer of all or substantially all of the assets of our company relating to the Platforms, or in the unlikely event of a bankruptcy, liquidation, or receivership of our business (if any of these occur, we will use commercially reasonable efforts to notify you of such transfer, for example via email or by posting notice on our Platforms); or (ii) competent courts or supervisory or regulatory bodies, when we are compelled to disclose your personal data pursuant to any applicable law, regulation or order.

7. Security

We maintain physical, technical and administrative safeguards designed to secure your personal data.

We are committed to the security of your personal data, and have in place physical, administrative and technical measures designed to keep your personal data secure and to prevent unauthorized access to it. We restrict access to your personal data to those persons who need to know it for the purpose described in this Privacy Notice. In addition, we use standard security protocols and mechanisms for the exchange and transmission of sensitive data. When you enter sensitive information on our website, we encrypt it using Transport Layer Security (TLS) technology.

Although we take appropriate steps to protect your personal data, no application or website is completely secure. Therefore, we cannot guarantee that data you provide to us is completely safe and protected from all unauthorized third-party access and theft. We waive any liability in this respect.

The Internet is a global environment. As a result, by sending information to us electronically, such data may be transferred internationally over the internet depending upon your location. The Internet is not a secure environment and this Privacy Notice applies to our use and disclosure of your personal data once it is under our control only. Given the inherent nature of the Internet, all Internet transmissions are made at your own risk.

If we have reasonable grounds to believe that your personal data have been acquired by an unauthorized person, and applicable law requires notification, we will promptly notify you of the breach by email (if we have it) and/or by any other channel of communication (including by posting a notice on the Platforms).

8. Cookies and Similar Technologies

We do not currently provide support for "do not track" browser features.

We use cookies and other similar technologies in connection with the Platforms.

A cookie is a small data file that we transfer to, and that is stored on, your electronic device. For example, we use cookies or other analytics tools to measure the traffic to and usage of the Platforms and their distinctive features, and other miscellaneous uses.

We may use various types of cookies or other similar technologies, some of which are likely to automatically process data directly on your devices and/or to transfer personal data concerning you to us.

Our use of cookies may vary depending on the section or functionalities of the Platform you access.

You may manage the cookies and similar technologies via the settings of your browser and/or your devices.

If you do not want cookies to be stored on your device, you may configure your browser or your device to refuse and/or restrict the cookies. Certain cookies are, however, essential to the functioning of the Platforms themselves, and their use may be altered or prevented by refusing these cookies.

For more information, please visit https://www.allaboutcookies.org. Please check the user help sections of your internet browser or electronic devices for specific instructions on the management of cookies.

Why and how do we use cookies and other similar technologies?

These technologies are generally aimed at monitoring and analyzing your interactions with the Platforms and/or to enable us to improve the Platforms and their functionalities, namely through the personalization of the Platforms and the related services, according to your interactions. We also use cookies and similar technologies to measure and monitor the traffic and use of the Platforms, as well as its performance.

Some cookies are retained in your electronic device for only as long as you access and use the Platforms, while others persist for a longer specified or unspecified period.

The complete list of cookies is at the end of this document.

9. Your Rights

You may have the right to access your personal data processed by us or request without limitation that they be removed, updated, or amended.

Except as otherwise required by law, you are entitled at all times to know if we are processing personal data concerning you. You may contact us to know the content of such personal data, verify their accuracy and request that they be supplemented, removed, updated, or rectified. You also have the right to ask us to cease processing any personal data that may have been obtained in breach of applicable law, and to object to the processing of your personal data for any other legitimate reason. However, if you are not a User, you should direct your privacy inquiries relating to the use of your personal data by your Organization, including any requests to exercise your data protection rights, directly to your Organization.

By accessing your user account (if any), you can review, update, correct or delete the personal data available within your user account. In addition, we will delete or anonymize your personal data if you delete your user account, as specified in section 5 above.

Where we rely on your authorization to process your personal data, we will seek your freely given and specific written authorization by providing you with informed and unambiguous indications relating to your personal data. You may revoke such authorization at any time.

You may also have the right to request your personal data’s portability, i.e. that the personal data you have provided to us be returned to you or transferred to the person of your choice, in a structured, commonly used and machine-readable format without hindrance from us and subject to our confidentiality obligations, subject to applicable data protection laws.

You have the right to lodge a complaint by sending an email to DPO@saphetor.com.

If you are not satisfied with how we process your personal data, you may file a complaint with the competent supervisory authority or equivalent data protection authority, in addition to your rights outlined above.

10. Contact

As indicated above, if you have questions about our processing of your personal data in connection with the analysis we conduct on Datasets on behalf of our Users, please contact your Organization directly.

For other inquiries, please contact us at DPO@saphetor.com.

11. Specific Jurisdictions

Residents of Canada

If you have an objection to the use of your personal data as described in this Privacy Notice, you may file a complaint by sending an email to DPO@saphetor.com. We will attempt to accommodate your objection or complaint, but you understand that, to the extent you object to our processing of personal data that is necessary for us to provide the Platforms, certain features and functionalities of the Platforms may no longer be available to you. Nothing in this Privacy Notice prejudices your rights to file a complaint with the Office of the Privacy Commissioner of Canada, and/or with any other applicable data protection authorities.

Residents of Nevada

We share your personal data in certain circumstances where we receive compensation. We do this only when we have your consent and you may withdraw your consent at any time by emailing us at DPO@saphetor.com.

Residents of California

A California resident who has provided personal data to a business with whom he/she has established a business relationship for personal, family, or household purposes (“California Customer”) is entitled to request information about whether the business has disclosed personal data to any third parties for the third parties’ direct marketing purposes.  In general, if the business has made such a disclosure of personal data, upon receipt of a request by a California Customer, the business is required to provide a list of all third parties to whom personal data was disclosed in the preceding calendar year, as well as a list of the categories of personal data that were disclosed.

However, under the law, a business is not required to provide the above-described lists if the business adopts and discloses to the public (in its privacy policy) a policy of not disclosing a customer’s personal data to third parties for their direct marketing purposes unless the customer first affirmatively agrees to the disclosure, as long as the business maintains and discloses this policy. Rather, the business may comply with the law by notifying the customer of his or her right to prevent disclosure of personal data to third parties for direct marketing purposes and providing a cost-free means to exercise that right. To prevent disclosure of your personal data for use in direct marketing by a third party for its own purposes, do not opt in by providing your consent to such use when you provide personal data through the Platforms. Please note that whenever you allow your personal data to be shared with a third party to communicate with you, your information will be subject to that third party’s privacy policy. If you later decide that you do not want that third party to use your information, you will need to contact the third party directly. You should always review the privacy policy of any party that collects your information to determine how that entity will handle your information. However, you may withdraw your consent for future disclosures to third parties for their marketing purposes by emailing us at DPO@saphetor.com.

California Customers may request further information about our compliance with California’s privacy law by e-mailing DPO@saphetor.com. Please note that we are only required to respond to one request per customer each year, and we are not required to respond to requests made by means other than through this e-mail address.

12. Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

Functional Cookies

These cookies enable the website to provide enhanced functionality and personalisation. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies then some or all of these services may not function properly.

Targeting Cookies

These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not directly store personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.