Privacy Policy

Version 6.0  –  Effective 1 January 2026

Issued by Saphetor S.A., EPFL Innovation Park, 1015 Lausanne, Switzerland

CHE-467.115.331  •  dpo@saphetor.com

This Privacy Policy applies to all platforms operated by Saphetor S.A., including VarSome Community, VarSome Premium, VarSome Clinical, VarSome API, and VarSome Insights (collectively, the "Platforms"). It is to be read alongside the VarSome Unified Terms of Use v7.0.

1. INTRODUCTION

This Privacy Policy (the "Privacy Notice") describes how Saphetor S.A. (CHE-467.115.331) and any of its affiliates ("Saphetor," "we," "us," or "our") processes personal data in connection with the use of any Saphetor platform, including the Saphetor website (saphetor.com) and the platforms VarSome Community, VarSome Premium, VarSome Clinical, VarSome API, and VarSome Insights (collectively, the "Platforms").

This Privacy Notice applies to information we collect through the Platforms, as well as other information provided to us online or offline by third parties, when we associate that information with customers or users of the Platforms. It does not apply to information collected from our employees, contractors, or vendors, nor to information that you ask us to share with third parties.

By accessing and using any Platform, you accept this Privacy Notice and acknowledge that we collect and process your personal data in accordance with it. You must be at least 18 years old to use any of the Platforms.

We reserve the right to amend this Privacy Notice at any time. Material changes will be communicated to you by email or via the Platforms at least 30 days before the effective date, consistent with VarSome Unified Terms of Use v7.0, Section 16. If you do not accept these amendments, your sole remedy is to stop using the Platforms and request account closure at support@saphetor.com.

2. LEGAL BASIS AND APPLICABLE LAW

We process personal data in compliance with the following applicable data protection laws (collectively, "Applicable Data Protection Law"):

- The EU General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679);
- The Swiss Federal Act on Data Protection (nDSG), in force since 1 September 2023;
- The UK General Data Protection Regulation (UK GDPR), in force since 1 January 2021;
- The Health Insurance Portability and Accountability Act (HIPAA) and its implementing regulations (45 C.F.R. Parts 160 and 164), where applicable to US-covered entities and business associates.

We only process personal data when we have a valid legal basis to do so. The legal bases we rely on are:

- Contract performance: processing necessary to provide the Platforms and Services to you or your Organization;
- Legitimate interests: processing for our legitimate business interests, including platform improvement, security, and research, where these are not overridden by your fundamental rights;
- Legal obligation: processing required to comply with applicable law or regulatory requirements;
- Consent: processing based on your freely given, specific, informed, and unambiguous consent, which you may withdraw at any time by contacting dpo@saphetor.com.

3. PERSONAL DATA WE COLLECT AND HOW WE USE IT

3.1 User Account Data

When you register for and use the Platforms, we collect personal data you provide directly, including: name, work location, phone number, job title, employer name, business address, payment information, and any information submitted via web forms. We use this data to create and maintain your account, provide Services, interact with you, process payments, and fulfil our contractual obligations.

3.2 Genomic and Clinical Dataset Data (VarSome Clinical and API)

As part of our Services, we process genomic and molecular datasets uploaded by users ("Datasets"). Datasets contain genetic and/or other molecular data relating to individuals, which may constitute special category data under GDPR Article 9 and/or protected health information under HIPAA. Such data is processed with heightened care under those provisions as applicable.

Saphetor processes Datasets only as a data processor on behalf of the uploading organization (the "Organization"). The Organization is the data controller in respect of Datasets and is responsible for the lawfulness of the original collection, any required consents, and the de-identification or pseudonymization of data before upload, in accordance with VarSome Unified Terms of Use v7.0, Section 3.4.

Saphetor accepts and processes de-identified or pseudonymized data only. Any protected health information must be de-identified pursuant to 45 C.F.R. § 164.514 before upload. For queries relating to your personal data contained in a Dataset, please contact your Organization directly.

3.3 Aggregated Derivative Data and Panel of Normals (PoN)

Subject to express contractual authorization and the conditions set out in the VarSome Unified Terms of Use v7.0, Section 4.3, Saphetor may derive Aggregated Derivative Data — including Panel of Normals (PoN) files and baseline computational artifacts — from pseudonymized or de-identified Data Samples. The following applies:

- All contributing samples must be de-identified or pseudonymized such that no individual can be re-identified from the derived artifact or from the process of its construction;
- Aggregated Derivative Data is used only for: improving platform quality and accuracy; filtering technical noise (PoN use); internal quality control; and research purposes where no individual can be re-identified;
- Aggregated Derivative Data will not be sold or licensed to third parties;
- A Data Protection Impact Assessment (DPIA) is conducted prior to any new Aggregated Derivative Data processing activity (GDPR Article 35);
- Audit records identifying which samples contributed to any artifact are maintained and available to submitting organizations upon request;
- Clients may opt out by written notice to dpo@saphetor.com; opt-out applies prospectively.

3.4 Usage and Analytics Data

We automatically collect information when you access and use the Platforms, including: domain and host from which you access the internet; IP address, location, and device/browser information; pages visited, time spent, and interaction data; and the referring URL. This "Analytics Data" is used to ensure platform stability and security, improve and develop the Platforms, and for statistical and monitoring purposes.

We may work with third-party analytics providers to process Analytics Data in aggregated and anonymized form. Third parties are required to observe our privacy standards and use data only for purposes for which they have been retained by Saphetor.

3.5 Member Contributions (VarSome Community)

If you are a registered Member of VarSome Community, you may post public information including variant classifications, publication links, and comments on variants. This information is publicly accessible on the Platforms and on the internet. Member Contributions are permanently and irrevocably licensed to Saphetor as described in VarSome Unified Terms of Use v7.0, Section 3.6. You can manage and remove your contributions via your account settings or by contacting us.

3.6 Marketing and Newsletter Data

Provided we have obtained your prior and unambiguous consent, we may use your contact details for marketing purposes, including newsletters and information about our products and services. You may withdraw your consent at any time at https://varsome.com/accounts/preferences/ or by emailing dpo@saphetor.com.

3.7 Scientific and Research Use

We may process personal data for scientific and research purposes, including providing other users and third parties with aggregated or pseudonymized scientific information derived from it — for instance, that specific molecular markers have been found in one or more datasets, along with the respective genotype, phenotype(s), or tumor types known about those individuals and their sex and ethnic background. When doing so, we rely on our legitimate business interest, or on the scientific research exemption under GDPR Article 89 where applicable. You may object to such processing at any time by emailing dpo@saphetor.com.

4. HOW LONG WE STORE PERSONAL DATA

We retain personal data only as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. Specific retention periods are:

- User account data: retained for the duration of your account. If you delete your account, User Data will be deleted or anonymized within 90 days, except where retention is required by law or for legitimate business purposes (e.g. audit trails, financial records). This is an update from the 30-day period in prior versions, aligned with VarSome Unified Terms of Use v7.0, Section 7.3.
- Publicly posted Member Contributions: not automatically removed on account deletion, as this content is of scientific value to the genomics community. You may request removal via account settings or by contacting us.
- Genomic Datasets (VarSome Clinical / API): retained in accordance with the applicable Service Delivery Agreement (SDA). In the absence of an SDA, Datasets are retained for a maximum of 12 months from last use before secure deletion. Upon termination of a Clinical subscription, data is archived for 90 days post-termination before secure deletion.
- Backup copies: may remain in backup storage for a limited period after a deletion request, after which they are purged.
- Legal retention: certain data may be retained for longer periods where required by law (e.g. tax, accounting, or regulatory obligations).

5. INTERNATIONAL TRANSFERS AND DISCLOSURE TO THIRD PARTIES

5.1 Data Centres and Regions

Saphetor operates data centres in Switzerland, the European Union (including France, where infrastructure is certified Hébergeur de Données de Santé / HDS), and the United States. Datasets uploaded on the Platforms are stored in the region selected by the Organization. We do not transfer Datasets to other regions without written authorization from the Organization.

5.2 Cross-Border Transfers

Where personal data is transferred across borders, Saphetor ensures that appropriate safeguards are in place in accordance with GDPR Chapter V, the Swiss nDSG, and UK GDPR, including Standard Contractual Clauses (SCCs) or equivalent mechanisms. You may request information about applicable transfer mechanisms by contacting dpo@saphetor.com.

5.3 Service Providers and Sub-Processors

We may disclose personal data to trusted service providers ("Service Providers") who perform functions on our behalf, including cloud hosting (e.g. Google Cloud Platform, Amazon Web Services, Microsoft Azure), CRM (HubSpot), productivity tools (Google Workspace), and payment processing. Service Providers are required to process personal data only as instructed by Saphetor and in compliance with applicable data protection law.

A current list of sub-processors is available upon request from dpo@saphetor.com. Clients who have executed a Data Processing Agreement (DPA) with Saphetor will be notified of material sub-processor changes in accordance with the DPA.

5.4 Data Processing Agreements

Where Saphetor processes personal data as a data processor within the meaning of GDPR Article 28, a Data Processing Agreement is required. Organizations processing personal data through VarSome Clinical or the VarSome API in a commercial or clinical context must execute a DPA with Saphetor prior to commencing such processing. Standard DPA terms are available from dpo@saphetor.com. This includes execution of a Business Associate Agreement (BAA) where HIPAA applies.

5.5 Third-Party Social Plug-ins

The Platforms may enable you to use third-party services via social plug-ins (Google LLC, Meta Platforms, LinkedIn Corporation, X Corp., Microsoft Corporation). Where you interact with such plug-ins, the third-party operator may access some of your personal data. This Privacy Notice does not apply to those third parties. Please review their privacy policies directly.

5.6 Legal and Corporate Disclosures

We may disclose personal data to competent courts, supervisory authorities, or regulatory bodies where required by law. We may also disclose personal data in connection with a corporate transaction (sale, merger, transfer of assets) using commercially reasonable efforts to notify you of such transfer.

We share personal data in circumstances where we receive compensation only when we have your consent. You may withdraw consent at any time by emailing dpo@saphetor.com.

6. SECURITY

Saphetor maintains an Information Security Management System (ISMS) in compliance with ISO/IEC 27001:2022. Our security controls include:

- Access Control: restricting access to personal data to authorized personnel only;
- Data Encryption: encrypting data in transit (TLS 1.2 or higher) and at rest (AES-256), as set out in Section 11;
- Incident Management: maintaining an incident response plan to address security breaches;
- Regular Audits: conducting regular security audits and risk assessments;
- Multi-Factor Authentication (MFA): enabled on the Platforms, and required for personnel access to systems holding personal data (see Section 11).

In the event of a personal data breach posing a risk to the rights and freedoms of individuals, Saphetor will notify the relevant supervisory authority within 72 hours of becoming aware and, where necessary, inform affected individuals without undue delay, in accordance with GDPR Articles 33 and 34. Where Saphetor acts as a data processor for Datasets, we notify the relevant Organization without undue delay after becoming aware of the breach (GDPR Article 33(2)), so that the Organization can meet its own notification obligations as controller.

While we take appropriate steps to protect your personal data, no application or website is completely secure. We cannot guarantee absolute security of data transmitted over the internet. Internet transmissions are made at your own risk.

7. COOKIES AND SIMILAR TECHNOLOGIES

We use cookies and similar technologies in connection with the Platforms to monitor and analyze user interactions, improve platform functionality, personalize content, and measure traffic and performance.

Cookie types used include session cookies (retained only during your visit) and persistent cookies (retained for a specified period). You may manage cookies via your browser or device settings. Certain cookies are essential to the functioning of the Platforms and disabling them may affect your experience.

We do not currently support "Do Not Track" browser features. For more information on cookies, visit www.allaboutcookies.org. The complete list of cookies used on the Platforms is maintained at www.saphetor.com/cookies.

8. YOUR RIGHTS

Depending on your jurisdiction, you have the following rights regarding your personal data:

- Right to Access: you may request a copy of the personal data we hold about you;
- Right to Rectification: you may request correction of inaccurate or incomplete personal data;
- Right to Erasure ("Right to be Forgotten"): you may request deletion of your personal data under certain conditions;
- Right to Restrict Processing: you may request that we restrict how we use your personal data;
- Right to Data Portability: you may request your personal data in a structured, commonly used, machine-readable format;
- Right to Object: you may object to processing based on legitimate interests, including profiling;
- Right to Withdraw Consent: where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing;
- Right to Lodge a Complaint: you may lodge a complaint with the competent supervisory authority in your jurisdiction.

To exercise any of these rights, contact our Data Protection Officer at dpo@saphetor.com. We will respond within one month of receipt; where a request is complex or numerous, this period may be extended by a further two months, in which case we will tell you within the first month, as GDPR Article 12(3) permits. If you are not a User but your data is processed as part of a Dataset uploaded by an Organization, please direct your requests to that Organization directly.

You may review, update, correct, or delete personal data in your account via account settings at https://varsome.com/account-settings/.

9. PROCESSING OF SPECIAL CATEGORY DATA (GENOMIC DATA)

Genomic data constitutes special category sensitive data under GDPR Article 9 and equivalent provisions of the Swiss nDSG. Saphetor processes genomic data uploaded to the Platforms only:

- Under a contract with the uploading Organization, on the basis that the Organization has ensured appropriate legal grounds for the original collection and processing;
- In pseudonymized or de-identified form only, as described in Section 3.2;
- Subject to the heightened security and access controls described in Section 6;
- With a Data Protection Impact Assessment (DPIA) where required under GDPR Article 35.

Saphetor does not process genomic data for purposes incompatible with those agreed with the uploading Organization. Aggregated Derivative Data derived from genomic data is handled in accordance with Section 3.3 above and VarSome Unified Terms of Use v7.0, Section 4.3.

10. JURISDICTION-SPECIFIC PROVISIONS

10.1 European Union and European Economic Area

For users in the EU/EEA, your personal data is processed in compliance with GDPR. The data controller for User Data and Analytics Data is Saphetor S.A. The supervisory authority with primary jurisdiction is the Swiss Federal Data Protection and Information Commissioner (FDPIC); you may also lodge a complaint with the supervisory authority in your EU Member State of habitual residence.

10.2 United Kingdom

For users in the United Kingdom, personal data is processed in compliance with UK GDPR and the Data Protection Act 2018. Where data is transferred from the UK, Saphetor relies on UK adequacy decisions or International Data Transfer Agreements (IDTAs) as applicable. You may lodge a complaint with the Information Commissioner's Office (ICO).

10.3 Switzerland

For users in Switzerland, personal data is processed in compliance with the Swiss Federal Act on Data Protection (nDSG), in force since 1 September 2023. You may lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC).

10.4 United States – HIPAA

Where Saphetor processes protected health information (PHI) on behalf of a covered entity or business associate, it does so as a Business Associate under HIPAA. A Business Associate Agreement (BAA) must be in place. PHI must be de-identified pursuant to 45 C.F.R. § 164.514 before upload to the Platforms, as required by VarSome Unified Terms of Use v7.0, Section 3.4.

10.5 United States – California (CCPA/CPRA)

California residents have rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), including the right to know, right to delete, right to opt-out of sale, and right to non-discrimination. Saphetor does not sell personal data. To exercise your California privacy rights, contact dpo@saphetor.com. Consistent with the CCPA, you may submit a verifiable request to know up to twice in any 12-month period.

10.6 Canada

For residents of Canada, you may file a complaint regarding our processing of your personal data by emailing dpo@saphetor.com, or with the Office of the Privacy Commissioner of Canada.

11. CLOUD SERVICES DATA PROCESSING

All VarSome platforms and services are delivered through cloud infrastructure. Saphetor processes personally identifiable information (PII) in cloud environments in accordance with ISO/IEC 27017:2015 (Code of practice for information security controls for cloud services) and ISO/IEC 27018:2019 (Code of practice for protection of PII in public clouds acting as PII processors), implemented within the scope of our ISO/IEC 27001:2022-certified Information Security Management System. In cloud environments, Saphetor acts as a PII processor in relation to data uploaded by customer organisations, and as a PII controller in relation to account, usage, and contact data of registered users.

Customer data is stored in the region selected at onboarding and is not transferred to another region without the organisation’s written consent. All data is encrypted in transit (TLS 1.2 or higher) and at rest (AES-256), access is restricted to authorised personnel using multi-factor authentication, and customer data is logically segregated from other customers’ data at the storage and processing layer.

We do not use data processed on behalf of customer organisations for advertising, marketing, or any purpose beyond the delivery of contracted services, and consent for such use is never a condition of access to any Saphetor platform.

Saphetor engages trusted cloud infrastructure and service providers (sub-processors) to deliver its platforms. All sub-processors are bound by data processing agreements meeting the requirements of GDPR Article 28 and equivalent provisions under applicable law. A current sub-processor register is available upon written request to dpo@saphetor.com. Organisations with active Data Processing Agreements are notified of any intended change to sub-processors at least 14 days in advance.

In the event of a personal data breach in a cloud environment, Saphetor will notify the relevant supervisory authority within 72 hours and inform affected organisations without undue delay, in accordance with GDPR Articles 33 and 34.

Upon termination of a cloud service agreement, Saphetor will return PII to the organisation or securely delete it within 90 days, at the organisation’s election, with written confirmation of deletion provided on request. All Saphetor personnel and contractors with access to cloud environments containing PII are subject to confidentiality agreements and complete role-specific privacy training before gaining access to production systems.

For any questions about cloud data processing, or to request the sub-processor register or a Data Processing Agreement, please contact our Data Protection Officer at dpo@saphetor.com.

12. CONTACT AND DATA PROTECTION OFFICER

If you have questions or concerns about this Privacy Notice or about how we process your personal data, please contact:

Data Protection Officer (DPO)

Email: dpo@saphetor.com

Saphetor S.A.

EPFL Innovation Park – C, 1015 Lausanne, Switzerland

VAT: CHE-467.115.331

Saphetor Life Sciences, Inc. (US Operations)

265 Franklin Street, Suite 1702, Boston, MA 02110

For questions about processing of personal data contained in Datasets uploaded by an Organization, please contact that Organization directly.

Privacy Policy: www.saphetor.com/privacy-policy

Cookies Policy: www.saphetor.com/cookies

Terms of Use: www.varsome.com/information/legal/terms/

System Status: status.saphetor.com