Last updated November 27, 2024
This Privacy Policy describes how BillionToOne respects your privacy and is committed to protecting it through compliance with this Privacy Policy. We collect and use Personal Information about you through the use of our website at https://billiontoone.com/, our provider portal: https://provider.unityscreen.com/provider/login and our patient portal: https://results.unityscreen.com/client/login (the “Sites”) and through email, text, and other electronic communications between you and BillionToOne. This Policy describes how information about you may be collected, used, and disclosed. Please review this Privacy Policy carefully.
BillionToOne provides the Sites as an informational resource for patients and providers. The Sites also act as an access point for our provider and patient portals.
PLEASE READ CAREFULLY PRIOR TO CONTINUING TO VIEW OUR SITES OR USE OUR SERVICES. BY ACCESSING THE SITES AND/OR USING OUR SERVICES, YOU AFFIRM THAT YOU HAVE READ, UNDERSTOOD, AND AGREE TO ABIDE BY THIS PRIVACY POLICY. YOUR ACCESS TO AND USE OF BILLIONTOONE’S SERVICES IS ALSO SUBJECT TO OUR TERMS OF USE AND OUR NOTICE OF PRIVACY PRACTICES. IF YOU DO NOT AGREE TO ABIDE BY THIS PRIVACY POLICY, YOU MAY NOT ENTER, ACCESS, OR OTHERWISE USE OUR SITES OR SERVICES. IF YOU USE THE SITES OR SERVICES ON BEHALF OF SOMEONE ELSE, YOU REPRESENT TO US THAT YOU ARE AUTHORIZED BY SUCH INDIVIDUAL TO ACCEPT THIS PRIVACY POLICY AND YOU DO ACCEPT THIS PRIVACY POLICY ON SUCH INDIVIDUAL’S BEHALF.
THIS PRIVACY POLICY DOES NOT COVER THE USE OF YOUR PERSONAL INFORMATION BY YOUR TREATING PHYSICIAN OR OTHER MEDICAL PROVIDERS. FOR INFORMATION REGARDING THEIR USE OF YOUR PERSONAL INFORMATION, PLEASE REFER TO THEIR RESPECTIVE PRIVACY NOTICES AND INFORMED CONSENT MATERIALS, AS APPLICABLE.
How Information is Collected and Used
We collect information in a variety of ways and from a variety of sources.
From you
We may obtain information directly from you in the course of providing the Services. This includes demographic data such as name, address, e-mail addresses, job title, home, work, and mobile telephone numbers, date of birth, credit or debit card number (for payment purposes only) and other relevant information. We may collect information relating to your health, including pregnancy and genetic testing data. If you are a health care provider creating an account in our Provider Portal, we may collect information related to your affiliation or organization, your NPI number or other related information. If you apply for employment through our Services, we collect information such as your resume and job application information, which may include educational information such as your degrees and transcripts, that you submit when applying for a job.
Please note that you do not need to register for an account simply to view the
BillionToOne website.
From your healthcare provider
Your healthcare provider will facilitate the collection of a blood sample and will provide
the sample and your information to BillionToOne for the purpose of providing laboratory
testing services (the “Services”). BillionToOne will process your blood sample; DNA will
be extracted from the submitted sample and sequenced. BillionToOne will store your
genetic sequencing and related data as required by applicable laws and regulations. All
sequence data may be used for regulatory compliance or healthcare operations, and
de-identified for internal quality control, validation studies, and internal research and
development purposes.
BillionToOne will retain your sample (blood and/or extracted DNA) only for the maximum
duration permitted under applicable law or regulation, after which point it will be
destroyed. Until such time that your sample is destroyed, BillionToOne may de-identify
your sample and use or store it for regulatory compliance purposes; internal quality
control; laboratory validation studies; or internal research and development.
We may use your information to contact you for quality assurance purposes. You can
opt out of such contact by contacting us directly using the contact methods at the
bottom of this Privacy Policy.
Cookies and Other Information We Collect Automatically
We may automatically collect certain information when you visit, use or navigate the
Sites. This information does not reveal your specific identity (like your name or contact
information) but may include device and usage information, such as your IP address,
browser and device characteristics, operating system, language preferences, referring
URLs, device name, country, location, information about how and when you use the
Sites and other technical information. We may collect such automatically generated or
collected information through a variety of tracking technologies, including cookies, Flash
objects, web beacons, embedded scripts, mobile SDKs, location-identifying
technologies and similar technology (“tracking technologies”), and we may use
third-party partners or services to assist with this effort. Information we collect automatically
about you or your device may be combined with other personal information we collect
directly. You are given the option to accept or reject cookies when first visiting the Sites.
While such automatically generated or collected information is primarily needed to
maintain the security and operation of the Sites, and for our internal analytics and
reporting purposes, we, or the third-party partners we use, may also use information to:
(a) remember information so that you will not have to re-enter it during your visit or the
next time you visit the Sites; (b) provide custom, personalized content and information
to you; (c) identify and contact you across multiple devices; (d) provide and monitor the
effectiveness of the Sites; (e) perform analytics and detect usage patterns on the Sites;
(f) diagnose or fix technology problems; (g) detect or prevent fraud or other harmful
activities, and (h) otherwise plan for and enhance the Sites and for other internal
purposes.
To learn more about how to opt out of Google’s use of the Google analytics cookies,
visit https://tools.google.com/dlpage/gaoptout. To learn about your choices in connection
with these practices on the particular device on which you are accessing this Privacy
Policy, please visit http://www.networkadvertising.org/choices and
http://www.aboutads.info/choices. You may also click on the informational icon
contained within each interest-based ad. We do not control these opt-out links or
whether any particular company chooses to participate in these opt-out programs. We
are not responsible for any choices you make using these mechanisms or the continued
availability or accuracy of these mechanisms.
Please note that even if you exercise the opt-out choices above, you may continue to
receive advertisements, for example, ads based on the particular website you are
viewing (e.g., contextually based ads). Also, if your browser (like some Safari browsers)
is configured to reject opt-out cookies when you opt out on the DAA or NAI websites,
your opt-out may not be effective.
Consent To Electronic Communications and SMS
By using the Services, you consent to receiving certain recurring electronic
communications from us as further described in this Privacy Policy. You agree that any
referrals, notices, agreements, disclosures, or other communications that we send to
you electronically will satisfy any legal communication requirements, including that
those communications be in writing. We will send recurring ‘SMS’ messages to you via
‘SMS’ in accordance with this Privacy Policy.
You may receive an ‘SMS’ from us in relation to use of the Services. You can stop
receiving ‘SMS’ messages at any time by replying ‘STOP’ to the message.
As always, message and data rates may apply for any messages sent to you from us
and to us from you. Message frequency depends on your interaction. You should
contact your wireless provider with any questions. Please keep all information accurate
and up to date. For all further questions about the electronic communications and
‘SMS’, please contact us using the contact methods at the bottom of this Privacy Policy.
How Information is Shared
BillionToOne will not sell your information, sample, genetic data, or test results. This
section describes the circumstances under which we may share your information with
third parties.
To provide the Services
- We may disclose your information to others involved in your care, including your
healthcare providers, genetic counselors (the Services include complimentary
access to independent genetic counselors), confirmatory laboratories, the health
system or clinic where your provider practices, and other providers that you or
your healthcare provider designated to receive your information. We may contact
your healthcare provider to obtain additional information about the Service we
provided.
- We may disclose your information to bill and collect payment for the Services
from you, your health insurance, or other responsible third parties. We may also
engage third parties to assist us with these billing and collection efforts.
- We may work with third party service providers to provide application
development, analytics, variant analysis, payment processing, hosting,
maintenance, support ticketing, transmission of test results, and other services
for us. We limit the personal and health information we share with these service
providers to that which is minimally necessary for them to perform their services
for us, and we require them to agree to maintain the confidentiality and security
of such information.
For research, development, and analytics
- With your consent, we may share your de-identified genetic information with
public databases in order to advance medical research. By contributing this
information to such databases, we can help scientists better understand the
impact of genetic variants on the risk of diseases and health conditions.
- We may use your de-identified sample, genetic information, and results in our
research. We may engage in research with third parties like universities,
hospitals, health systems, government institutions, or private companies to
develop new tests, validate technologies, or improve existing technologies or
processes. You can opt out of such third-party research by notifying the
healthcare provider who ordered your test or by contacting us directly using the
contact methods at the bottom of this Privacy Policy. However, if you have
consented in the past and later opt out, BillionToOne cannot retract your
de-identified sample, information, and/or results from research already performed.
For BillionToOne’s purposes
- We may author publications using de-identified information, either on our own or in collaboration with academic or commercial third parties.
- We may share aggregated, de-identified information (for example, aggregated trends about the general use of our Services) publicly and with our partners. This information will not include medical or genetic information.
- Information about our users may be disclosed and otherwise transferred to an acquirer, or successor or assignee as part of any merger, acquisition, debt financing, sale of assets, or similar transaction, as well as in the event of an insolvency, bankruptcy, or receivership in which information is transferred to one or more third parties as one of our business assets.
For security or legal purposes
We may also disclose your information under the following circumstances:
- Prevention of Fraud. If we believe in good faith that doing so is appropriate or
necessary to address fraud, security, or technical issues, or protect against harm
to us or others to the extent required or permitted by law.
- Law Enforcement. To comply with applicable federal and state laws, rules, and
regulations, as well as law enforcement requests and legal process, such as a
court order or subpoena. When possible, we will attempt to notify the individual
who is the subject of the court order or subpoena so they may have an
opportunity to oppose the disclosure.
- Business Transfers. We may share or transfer your personal information in
connection with, or during negotiations of, any merger, sale of assets, financing,
or acquisition of all or a portion of our organization to another party.
- Affiliates. We may share your information with our affiliates, in which case we
will require those affiliates to honor this Privacy Statement. Affiliates would
include a parent company and any subsidiaries, joint venture partners or other
companies that we control or that are under common control with us, if any.
- Business Partners. We may share your personal information with our business
partners to offer you certain products, services, or promotions.
How We Protect Your Information
BillionToOne takes reasonable and appropriate measures to protect your information
from accidental, unlawful or unauthorized destruction, loss, alteration, access,
disclosure or use. BillionToOne implements physical, administrative, and technical
safeguards that are designed to protect the integrity and security of your information.
BillionToOne regularly reviews and improves our security practices to help ensure the
integrity of our systems and your information. These practices include but are not limited
to:
- Access Controls. BillionToOne personnel may access and use information only
if they are authorized to do so and only for the purpose for which they are
authorized.
- Encryption. BillionToOne uses industry standard security measures to encrypt sensitive information, in transit and at rest.
- Limited access to essential personnel. We limit access to sensitive information to authorized personnel, based on job function and role. Access controls include multifactor authentication and least-privileged authorization policies and practices.
Please recognize that protecting your personal information is also your responsibility.
We ask you to be responsible for safeguarding your password you use to access our
Services. You should not disclose your authentication information to any third-party and
should immediately notify BillionToOne of any unauthorized use of your password.
BillionToOne cannot secure personal information that you release on your own or that
you request us to release.
Your information collected through the Sites or Services may be stored and processed
in the United States or any other country in which BillionToOne or its affiliates,
subsidiaries, or service providers maintain facilities and, therefore, your information may
be subject to the laws of those other jurisdictions which may be different from the laws
of your country of residence. When we transfer personal data outside of these areas,
we take steps to make sure that appropriate safeguards are in place to protect your
personal information.
We cannot however guarantee that information may not be accessed, disclosed,
altered, or destroyed by a breach of any of our physical, technical, or administrative
safeguards. You agree that BillionToOne is not liable for the unauthorized release of
your information unless such release was the result of gross negligence or willful
misconduct on the part of BillionToOne.
BillionToOne complies with the applicable requirements of HIPAA to maintain the
privacy and security of your information. If a breach occurs that may have compromised
the privacy or security of your information, we intend to comply with all federal and state
reporting requirements.
Children’s Privacy
BillionToOne is committed to protecting the privacy of children as well as adults. Neither
BillionToOne nor any of its Sites or Services are designed for, intended to attract, or
directed toward children under the age of 18. A parent or guardian, however, may
collect a sample from, create an account for, and provide information related to, his or
her child who is under the age of 18. The parent or guardian assumes full responsibility
for ensuring that the information that he/she provides to BillionToOne about his or her
child is kept secure and that the information submitted is accurate.
Links
For your convenience, the Sites may contain links to other third-party websites.
BillionToOne is not responsible for the privacy practices, advertising, products, services,
or the content of such other websites. None of the links on the Site(s) should be
deemed to imply that BillionToOne endorses or has any affiliation with the links.
California Privacy Rights
Under the Shine the Light law, California residents with whom we have an established
business relationship may request certain information regarding BillionToOne’s
disclosures in the prior calendar year, if any, of their personal information to third parties
for their own direct marketing purposes. If you are a California resident, you can make
such a request by contacting us using the contact methods at the bottom of this Privacy
Policy. You must clearly state the nature of your California Privacy Rights request and
provide sufficient information for us to process your request; at a minimum your name,
email address, and California postal address. We will respond to your request within 30
days.
Global Privacy Control
At this time, we do not recognize and honor Global Privacy Control (“GPC”) for
U.S.-based users; if GPC is enabled, we would recognize this as an “opt out of the sale or
sharing of personal information” or as an “opt out of targeted advertising and the sale of
personal data” request (non-California U.S. residents).
Do Not Track
Do Not Track (“DNT”) is a web browser setting that requests that a web application
disable its tracking of an individual user. When you choose to turn on the DNT setting in
your browser, your browser sends a special signal to websites, analytics companies, ad
networks, plug in providers, and other web services you encounter while browsing to
stop tracking your activity. Various third parties are developing or have developed
signals or other mechanisms for the expression of consumer choice regarding the
collection of information about an individual consumer’s online activities over time and
across third-party websites or online services (e.g., browser do not track signals), but
there is no universally-agreed upon standard for what a company should do when it
detects a DNT signal. Currently, we do not monitor or take any action with respect to
these signals or other mechanisms.
Changes To Our Privacy Policy
At our sole discretion, we may make changes to this Privacy Policy at any time. When
changes are made, we will post an updated Privacy Policy on our website. The changes
will apply to all information we have about you. All changes are effective immediately
upon posting; the date the Privacy Policy was last revised is identified at the top of the
page. BillionToOne will notify individuals of substantive changes to the Privacy Policy in the event of material changes to BillionToOne’s handling, use, or disclosure of Personal
Information.
Questions and Comments
BillionToOne commits to resolving questions and comments about your privacy and our
collection and use of your information. Individuals with inquiries or comments should
contact BillionToOne at support@billiontoone.com.
Alternatively, you can call us at (650) 460-2551 or send us a written request to the
address below:
BillionToOne, Inc.
1035 O’Brien Drive
Menlo Park, CA 94025
GDPR Privacy Rights
If you are a resident of or located within the EU or European Economic Area (“EEA”) or
the United Kingdom, you have certain additional data protection rights under the
General Data Protection Regulation (“EU GDPR”) or the UK GDPR (collectively
“GDPR”). These rights include:
- The right to access, update or delete the information we have on you.
- The right of rectification. You have the right to have your information rectified if that
information is inaccurate or incomplete.
- The right to object. You have the right to object to our processing of your Personal
Information.
- The right of restriction. You have the right to request that we restrict the processing of
your personal information.
- The right to data portability. You have the right to be provided with a copy of the
information we have on you in a structured, machine-readable and commonly used
format.
- The right to withdraw consent. You also have the right to withdraw your consent at any
time where we relied on your consent to process your personal information.
Legal Basis for Processing Personal Information under GDPR
BillionToOne’s legal basis for collecting and using the Personal Information described in
this Privacy Policy depends on the Personal Information we collect and the specific
context in which we collect it.
BillionToOne may process your Personal Information because:
- We need to perform a contract with you;
- You have given us permission to do so;
- The processing is in our legitimate interests, and it is not overridden by your rights; or
- To comply with the law.
Disclosure of Personal Information under GDPR
Legal Requirements
BillionToOne may disclose your Personal Information in the good faith belief that such
action is necessary to:
- To comply with a legal obligation;
- To protect and defend the rights or property of BillionToOne;
- To prevent or investigate possible wrongdoing in connection with the Service;
- To protect the personal safety of users of the Service or the public; or
- To protect against legal liability.
Disclosure for Law Enforcement
Under certain circumstances, BillionToOne may be required to disclose your Personal
Information if required to do so by law or in response to valid requests by public
authorities (e.g., a court or a government agency).
As specified above, to exercise any of these rights, you can submit your request by
contacting us at BillionToOne. We will respond to your privacy requests within 30 days
and notify you of the action(s) we have taken or required steps to fulfill the request.
Please note that the above individual rights are not absolute, and we may be entitled to
refuse requests where certain exceptions apply. Please note that where our processing
of your Personal Information relies on your consent and where you then withdraw that
consent, we may not be able to provide all or some aspects of our services to you
and/or it may affect the provision of those services. Should you wish to raise a concern
about our use of information (without prejudice to any other rights you may have), you
have the right to do so with your local supervisory authority.
PRIVACY NOTICE FOR CALIFORNIA RESIDENTS
California Residents
If you are a California resident, the California Consumer Privacy Act (“CCPA”) as
amended and updated by the California Privacy Rights Act (“CPRA”) grant you certain
rights related to your information. They are summarized below.
- Right to Know: You may ask us for a copy of your personal data collected over
the past 12 months and for information about how we collect, use, disclose, and
sell it.
- Right to Deletion: You may ask us to delete any personal data. If you delete your
personal data, you will permanently lose access to your account and the
information in your account. We may save personal data when permitted by
applicable law or for business purposes including, without limitation, when the
information is needed to comply with our legal obligations (including law
enforcement requests), meet regulatory requirements, meet requirements of our
business operations, resolve disputes, maintain security, prevent fraud and
abuse, enforce our Terms of Service, fulfill your request to “unsubscribe” from
further messages from us, or confirm that we have deleted your data. We retain
de-personalized information after your account has been closed. We cannot
disclose or delete specific pieces of personal information if the disclosure would
create a substantial, articulable, and unreasonable risk to the security of the
personal information, your account with us or the security of our systems.
- Right to Correction: You also have a right to request that we correct inaccurate
personal information and that we delete personal information under certain
circumstances, subject to a number of exceptions. To make a request to correct
or delete, send us a request by using the contact methods described at the
bottom of this Privacy Policy.
- Do Not Sell: Notice of Sale and Right to Opt-Out of the Sale or Sharing of Your
Personal Information: BillionToOne does not sell, in the traditional sense of the
word, or rent personal information to third parties. We do, however, share your
personal information as we describe in this Privacy Policy to make the Services
available to you. You have the right to opt-out of these disclosures. To exercise
this right, please submit a request by contacting us using the contact methods at
the bottom of this Notice. Please note that any request to opt-out may take a few
days to become effective, but will be handled within the timeframe permitted by
law. Once your opt out request is processed, it will apply on a going forward
basis with respect to our disclosure of information. Although we will not sell your
personal data (as those terms are defined in the CCPA and CPRA) after you
submit a “Right to Opt Out,” we will continue to share some personal data with service providers. These service providers help us perform a host of services, including, but not limited to, analytic-related functions such as measuring our website performance, ensuring services are working correctly and securely, providing aggregate statistics and analytics, communicating directly with users and/or reducing fraud.
- Right to Limit Use of Sensitive Personal Information: California consumers have the right to limit the use of each type of Sensitive Personal Information (as defined below) for each purpose with each type of third-party partner. You have a right to limit our use of Sensitive Personal Information (as defined below) for any purposes other than to provide the Services you request or as otherwise permitted by law. To do so, send us a request by using the contact methods described at the bottom of this Privacy Policy. Please note that BillionToOne only keeps your Sensitive Personal Information for a limited time. We do not provide your Sensitive Personal Information to any third parties other than those service providers that are necessary for us to provide our Services to you, including in your capacity as an employee.
- Right to Non-Discrimination: BillionToOne Collaborative will not discriminate against customers who exercise their rights. Specifically, if you exercise your rights, we will not deny you access to the site or Services, charge you different prices or rates for products or Services or provide you a different level or quality of products or Services.
You can learn more about how to make these requests by contacting us using the
contact methods at the bottom of this Notice, and we will consider your request in
accordance with applicable laws. In order to complete your request, you must confirm
your identity. If you request to opt-out of sales of your personal data, you will be directed
to verify your identity before completing your request.
In the preceding twelve (12) months, we have not sold any personal information. Below
is a summary of the personal information we collected from consumers, shared, or
disclosed over the past 12 months for business purposes, including product and service
delivery, business operations, customer support, communications, product development
and research, personalization, and marketing:
- Category A: Identifiers
Examples: A real name, alias, postal address, unique personal identifier, online
identifier, Internet Protocol address, email address, account name, driver’s
license number, passport number, or other similar identifiers.
Collected: Yes.
- Category B: Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e))
Examples: A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some personal information included in this category may overlap with other categories.
Collected: Yes.
- Category C: Protected classification characteristics under California or federal
law
Examples: Age (40 years or older), race, color, ancestry, national origin,
citizenship, religion or creed, marital status, medical condition, physical or mental
disability, sex (including gender, gender identity, gender expression, pregnancy or
childbirth and related medical conditions), sexual orientation, veteran or military
status, genetic information (including familial genetic information).
Collected: Yes.
- Category D: Commercial information
Examples: Records and history of products or services purchased or considered.
Collected: Yes.
- Category E: Biometric information
Examples: Genetic, physiological, behavioral, and biological characteristics.
Collected: No.
- Category F: Internet or other similar network activity
Examples: Interaction with our Services or advertisement.
Collected: Yes.
- Category G: Geolocation data
Examples: Approximate physical location.
Collected: No.
- Category H: Sensory data
Examples: Audio, electronic, visual, thermal, olfactory, or similar information.
Collected: No.
- Category I: Professional or employment-related information
Examples: Current or past job history or performance evaluations.
Collected: Yes.
- Category J: Non-public education information (per the Family Educational
Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99))
Examples: Education records directly related to a student maintained by an
educational institution or party acting on its behalf, such as grades, transcripts,
class lists, student schedules, student identification codes, student financial
information, or student disciplinary records.
Collected: No.
- Category K: Inferences drawn from other personal information
Examples: Profile reflecting a person’s preferences, characteristics,
psychological trends, predispositions, behavior, attitudes, intelligence, abilities,
and aptitudes.
Collected: No.
- Category L: Sensitive Personal Information
Examples: Certain government identifiers, financial account information, precise
geolocation, contents of mail, email, and text messages, genetic data, and
health, sex life, or sexual orientation information.
Collected: Yes.
For purposes of the California CCPA, Personal Information or personal data does not
include:
- Publicly available information from government records.
- Deidentified or aggregated consumer information.
- Information excluded from the CCPA’s scope, such as:
  - health or medical information covered by the Health Insurance Portability and
  Accountability Act of 1996 (HIPAA) and the California Confidentiality of
  Medical Information Act (CMIA) or clinical trial data;
  - personal information covered by certain sector-specific privacy laws, including
  the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA) or
  California Financial Information Privacy Act (FIPA), and the Driver’s Privacy
  Protection Act of 1994.
We obtain the categories of Personal Information listed above from the following
categories of sources:
- Directly from you. For example, from the forms you complete on our Service,
preferences you express or provide through our Service, or from your purchases
on our Services.
- Indirectly from you. For example, from observing your activity on our Services.
- Automatically from you. For example, through cookies we or our Service
Providers set on your Device as you navigate through our Services.
- From service providers. For example, third-party vendors to monitor and analyze
the use of our Services, third-party vendors for payment processing, or other
third-party vendors that we use to provide the Services to you.
We disclose your personal information for a business purpose to the following
categories of third parties:
- Health care providers for which you have engaged in a business contract.
- Service providers.
- Third parties to whom you authorize us to disclose your personal information in
connection with our Services.
Questions and Comments
BillionToOne commits to resolving questions and comments about your CCPA privacy
rights and our collection and use of your information. California residents with inquiries
or comments should contact BillionToOne at support@billiontoone.com.
Alternatively, you can call us at (650) 460-2551 or send us a written request to:
BillionToOne, Inc.
1035 O’Brien Drive
Menlo Park, CA 94025