Privacy Policy

INTRODUCTION AND APPLICABILITY

This Privacy Policy describes how we handle Personal Information we collect when you interact with our products, services, and digital properties that specifically reference this Privacy Policy (collectively, our “Services”). Examples of our Services include mobile applications, digital biomarkers (including digital and wearable devices), websites, online advertisements, platforms and communications that relate to clinical and research-related studies, and care management platforms and solutions.

This Privacy Policy applies when Verily is responsible for making decisions about how your Personal Information is used and disclosed (as a “controller”). This Privacy Policy does not apply to information that Verily handles to perform services on behalf of Verily’s business customers (as a “processor”), including business customers that are healthcare providers, health plans and research sponsors. In those cases, our business customers (not Verily) control how your information is handled, so we encourage you to review our customers’ privacy policies. This Privacy Policy also does not apply to certain information that is subject to health regulations, such as the Health Insurance Portability and Accountability Act (“HIPAA”) and ethical frameworks governing research studies (like the Common Rule) that apply to some of the research studies and clinical trials we manage. Verily may also provide you with a more specific privacy policy for certain services, in which case that more specific privacy notice will apply rather than this Privacy Policy.  

For example, Verily may manage wellness programs and research studies as a “processor” (or “business associate” when subject to HIPAA) to our business customers, such as health plans, healthcare providers, and research study sponsors.  In many cases, the information we handle as a “processor” will be similar to the information that we collect as a “controller” (such as health information and your contact information) and used for similar purposes as described in this Privacy Policy. However, when we handle this information as a “processor,” our business customer’s privacy policy applies to that information instead of this Verily Privacy Policy, and you should contact that business customer with questions or to exercise any data subject rights.

Please read this Privacy Policy carefully. Using the Services is voluntary. By accessing or using the Services, you acknowledge that you have read and understood this Privacy Policy.

CATEGORIES OF PERSONAL INFORMATION WE COLLECT

Depending on how you interact with our Services, we may collect the following categories of “Personal Information” (meaning data that identifies you or can reasonably be linked to you):

• Direct identifiers and contact information, including your name, address, phone number, email address, business contact information, user profile data, government identifiers (such as your Social Security Number or driver’s license), or other similar identifiers.
  
• Records about you, including the information we collect in clinical or research study-related activities and medical testing activities (such as biospecimens) and other health related information (including information collected when you use wearable and other devices (e.g., Study Watch), such as pulse rate, body movements, and similar information).
  
• Demographic and user information, including gender, age and date of birth, race, ethnicity, location, signatures, photos, and user data obtained through surveys or questionnaires, such as study eligibility surveys.
  
• Biometric data, such as facial identifiers used to verify your identity if you enroll in a research study. 
  
• Internet or other electronic activity information, including information about how you and your device interact with the Services. Examples include device type, browser, interaction dates and times, search history, how you interact with our communications (such as when you open an email/text message you received from us, the date and time you access and open them, etc.), precise and non-precise geolocation information derived from your IP address, information you enter into online forms, and similar usage data.
  
• Professional or employment-related information, such as academic credentials, job title, organization, professional licenses, professional affiliations and similar information we may collect in the context of your business relationship with us.
  
• Account registration information, such as your email address and user profile data you provide when you create or update your account and when using or interacting with our Services.
  
• Commercial information about individuals and business representatives, including purchase or subscription information, information about products you order, credit card number, name on credit card, expiration date, security code, and billing address, and information required for financing purchases.
  
• Inferences drawn from any of the information we collect about your preferences or behavior, including to assess the level of interest in our Services.
  
• Sensitive or “special” information. Some of the Personal Information described above may be considered “Sensitive” or “Special” Personal Information in certain jurisdictions, such as biospecimens, biometric data, health information, government identifiers, race and ethnicity, and precise geolocation information (you can disable geolocation information using your device’s settings). Where permitted by applicable law, we collect and process such information in connection with clinical or research activities, to verify your identity, to process payments, and for other purposes described in this notice.

You can choose not to share your Personal Information, but that may mean we cannot deliver the Services you request, including enrolling you in a clinical or research study.

SOURCES OF PERSONAL INFORMATION

We collect your Personal Information in the following ways:

• Directly from you, such as when you use or purchase our Services, register for an account, create a profile, join a research study, contact us, respond to a survey, or sign up to receive emails, text messages, or postal mailings. 

• Through cookies and other tracking technologies, such as when you visit our websites, use our mobile applications, open or click on emails we send you, or interact with our advertisements. We or third parties we work with collect information using technologies such as cookies, web beacons, clear GIF, pixels, internet tags, web server logs, and other data collection tools. For more information, please review our Cookie Policy. 

• Through digital and wearable devices, such as Verily’s Study Watch, if you enable features that push information to us (such as pairing it with a portal or mobile app).

• From our third-party partners, including companies we collaborate with to provide you Services, content providers, and data brokers. 

• Our study networks and research partners, such as study sponsors, clinical research organizations, laboratories, and healthcare providers (such as your doctors or study team). 

• From your Google user account, if you log in to the Service with your Google account. Creation and maintenance of your Google user account is handled by Google and is subject to Google’s Privacy Policy -- NOT this Privacy Policy. We may receive certain information from Google related to your Google user account, such as email address, and will treat such information in accordance with relevant Google policies. 

• From publicly available sources, such as public registers used for identity verification purposes.

USE OF YOUR PERSONAL INFORMATION

We may use your Personal Information to operate and improve our business, including:

• For everyday business purposes. We use your Personal Information for internal purposes as we manage our business, including for account management, contract administration, website management, corporate governance, troubleshooting, and other internal business functions. Your Personal Information may also be used for internal statistical and research purposes. We rely on the following legal bases for processing your Personal Information for everyday business purposes: contractual necessity, our legal obligations, and our legitimate interests of operating our business.
• To provide you with the Services that you request. This means that we may use your Personal Information to respond to your questions, process and fulfill your product orders, assist with financing and payments, operate the Services, assess and communicate with you about eligibility for certain Services, and perform other actions that you request. We rely on the following legal bases for processing your Personal Information to provide you the Services: contractual necessity, our legal obligations, your consent (in certain cases), and our legitimate interests of fulfilling your requests.
• To provide customer service. We use your Personal Information for customer relationship management and administration (including across our business units and divisions), such as to respond and address feedback you provide us or when you contact us for support. We rely on the following legal bases for processing your Personal Information to provide customer service: our legitimate interests of ensuring you have a good experience with our Services.
• For research and study-related purposes. When you participate in clinical or research study-related activities or medical testing activities, we use your Personal Information to create your profile, determine your eligibility for a study, enroll you in a study, conduct research-related analyses, or for other study related services (such as identity verification and payment). We rely on the following legal bases for processing your Personal Information for research/study-related purposes: our legal obligations, your consent, and our legitimate interests of identifying qualified study participants. For more information about our research and study-related purposes, please see the Research Studies section (Section 5) below.
• For marketing and promotional purposes. We may use Personal Information to engage in marketing, including targeting, designing and sending you communications (such as newsletters, surveys, questionnaires, and other marketing materials) that promote Verily Services and/or services offered by our partners. We rely on the following legal bases for processing your Personal Information for marketing purposes: your consent (where required by law in certain jurisdictions) and our legitimate interests of sending you information we think might interest you.
• To develop, improve, and personalize our Services. We use your Personal Information to analyze your needs; to help improve, develop, and evaluate the Services; and to develop new products and services. We also monitor the effectiveness and functionality of the Services, personalize your experience, and consider potential improvements to the Services. We rely on the following legal bases for processing your Personal Information for improving our products and Services: our legitimate interests of improving our Service offerings.
• For legal, compliance, and safety purposes. We use your Personal Information for purposes such as complying with our policies; legal, reporting, and similar requirements; investigating and responding to claims against us, our personnel, and our customers; for the establishment, exercise, or defense of legal claims; protecting our, your, our customers’, and other third parties’ safety, property, or rights; detecting, preventing, and responding to security incidents and health and safety issues; and protecting against malicious, deceptive, fraudulent, or illegal activity. We rely on the following legal bases for processing your Personal Information for compliance purposes: our legal obligations and our legitimate interests of operating our business in a compliant way.
• In connection with a corporate transaction. This includes circumstances where we acquire assets of another business or sell or transfer all or a portion of our business or assets including through a sale in connection with bankruptcy and other forms of corporate change. We rely on the following legal bases for processing your Personal Information in connection with a corporate transaction: our legal obligations and our legitimate interests of entering into such transactions.

We may collect, use or disclose sensitive or “special” Personal Information to provide you with the product or Services you have requested, to comply with our legal and regulatory obligations, or for certain other purposes of which we notify you in advance. For example, we may use biometric information to identify you as required to use certain Services, such as clinical or research studies. Our legal basis for processing is your consent (depending on the circumstances), our legal obligations, legitimate interest for scientific research purposes, and where authorized by law. 

In some cases, we may require your Personal Information to fulfill a statutory or contractual obligation. When we ask for your consent to use your Personal Information for specific purposes, you have the right to withdraw your consent at any time.

RESEARCH STUDIES

When you engage in our research platform, you may be asked to provide information to create your profile, determine your eligibility for a study, enroll you in a study, or for other study related services (such as identity verification and payment). 

For example, when you participate in research studies (both where Verily is the sponsor and when Verily is managing the study on behalf of a sponsor), you may be required to read and sign an Informed Consent Form (“ICF”). The ICF will be more specific than this Privacy Policy about how we (or the study sponsor) will collect, use, and disclose your Personal Information for that particular study – and the ICF will control in the event of a conflict with this Privacy Policy. 

We will require you to sign the ICF before starting a study. In some cases, you may be required to agree to the ICF by providing your name, email address, and a password as an electronic signature, or by providing a handwritten signature. In other cases, you may need to provide your name and/or Google account information as an electronic signature.

Once you are enrolled in a study, you may be asked to provide additional information (like periodic health updates) and respond to surveys relevant to the study you are in. You may also be requested to report to a laboratory or other clinical site to provide biospecimens. If that is the case, the ICF and/or the study sponsor will explain this further data collection.

DISCLOSURE OF YOUR PERSONAL INFORMATION

We may disclose the Personal Information listed above to companies outside of Verily in the following situations:

• Service Providers: Verily may disclose your Personal Information or make it accessible to companies that provide services to us (“Service Providers”). For example, Verily relies on Service Providers to provide certain technology and services, including cloud services, security services, data storage, website hosting and other support functions. It is our policy to have in place agreements with our Service Providers that limit how Service Providers can use and disclose your Personal Information and require them to keep it secure.
• Professional Services Companies: We may disclose Personal Information to professional services companies, such as our external auditors, attorneys, accountants, and similar professionals, in order to receive services. 
• Business and Research Partners: We may partner with other companies that use Personal Information for their own purposes such as partners we work with to conduct research or provide you with products or services, which may be on a joint or “co-branded” basis. In some cases, the relevant partner’s privacy policy may also apply in addition to this Privacy Policy.  
• Affiliates and Subsidiaries: We may disclose Personal Information to our affiliates and subsidiaries, including parent entities, corporate affiliates, subsidiaries, business units, and other companies that share common ownership
• Legal Obligations, to Authorities, and for Safety: We may disclose your Personal Information to satisfy applicable laws or regulations, including those related to product safety and adverse event reporting, and in response to legal processes or enforceable government or law enforcement requests. We may also disclose your Personal Information if disclosure is reasonably necessary to monitor compliance with our policies and applicable terms of service; to detect, prevent, or otherwise address fraud, security or technical issues; or to protect the rights, property or safety of Verily, our customers, our users, or the public, as required or permitted by law. 
• Disclosure to Subsequent Owner or Operator: We may transfer your Personal Information to a successor entity upon a merger, consolidation, bankruptcy, reorganization, or in connection with other forms of corporate change; to a purchaser of all or a portion of our assets; or pursuant to a financing arrangement. The Personal Information we have about you may be transferred to parties to the transaction based on our legitimate interest in preparing for and completing the transaction. 
• Other Disclosures with Your Consent: We may share Personal Information with companies, organizations, or individuals outside of Verily for purposes not specified elsewhere in this Privacy Policy when we have your consent to do so.

DE-IDENTIFIED, AGGREGATE, AND ANONYMOUS INFORMATION

We may de-identify, aggregate, or anonymize information to ensure it will no longer be identifiable to you. We may use or disclose such data at our discretion, such as for statistical and research analysis. We do not try to re-identify this data unless we are required to or permitted by applicable laws.

COOKIES AND OTHER TRACKING TECHNOLOGIES

We use cookies and other tracking technologies to collect information about you, your device, and how you interact with our online Services. Please review our Cookie Policy for more information about the types of tracking technologies we use. 

Do Not Track (“DNT”) is a privacy preference that visitors can set in their web browsers. When a visitor turns on DNT, the browser sends a message to websites requesting that they do not track the visitor. At this time, we do not respond to these signals.

YOUR COMMUNICATIONS CHOICES

• Marketing Emails. You can opt out of receiving marketing or promotional emails by following the unsubscribe instructions contained in marketing or promotional emails you receive from us. If you decide not to receive marketing or promotional emails, we may still send you service or transactional-related communications, such as notices about your account.
• Marketing Text Messages. You may have an opportunity to receive promotional text messages from us. In such case, you will be able to opt out of receiving text messages at any time by replying “STOP,” or following the unsubscribe instructions contained in the text message.

YOUR PRIVACY RIGHTS

Depending on where you live, you may have certain rights with respect to your Personal Information. For example, under local applicable laws, including in the European Union, the United Kingdom, or Switzerland and certain U.S. states such as California and Colorado, you may have the following rights:

• Correction/Rectification: You may have the right to request that we correct or supplement any inaccurate or incomplete Personal Information we process about you. 
• Deletion/Erasure: You may have the right to request that we delete your Personal Information.
• Access: You may have the right to confirm whether we process your Personal Information. You also may request access to the Personal Information we hold about you, along with other information such as the purposes of the processing, the categories of recipients to whom the Personal Information has been or will be disclosed, the sources from which we collect Personal Information, and information about retention and transfer of your Personal Information. You may also request the specific pieces of Personal Information we have collected about you.
• Data Portability: In certain circumstances, you may have the right to request that we provide the Personal Information which you provided to us in a structured, commonly used, and machine-readable format; and you have the right to transmit such Personal Information to another entity.
• Restriction of Processing: You may have the right to request that we restrict the processing of your Personal Information in certain cases. Where applicable, the respective Personal Information will be marked accordingly and may only be processed by us for certain purposes.
• Objection to Processing: In certain circumstances, you may have the right to object to our processing of your Personal Information.
• Withdrawal of Consent: Where our processing is based on your consent, you may have the right to withdraw such consent at any time; however, you may not be able to use the Service or feature for which you are withdrawing your consent. Withdrawing your consent will not affect the lawfulness of the processing we conducted prior to your withdrawal.
• Not Be Subject to Automated Decision-Making/Profiling: You may have the right to opt out certain automated processing activities that are used to evaluate characteristics about you.
• Lodge a Complaint: You may have the right to lodge a complaint with the relevant supervisory authority if you believe we have violated our data protection obligations.

To exercise your rights, you may submit such requests directly by calling our toll-free number at 833-821-6366, submitting a request through our Online Form, or emailing us at datarightsrequest@verily.com. We do not discriminate against individuals who exercise any of their rights described in this Privacy Policy.

Please note that you may be located in a jurisdiction where we are not required to fulfill these rights, or that your rights may be subject to exceptions and limitations (such as if your Personal Information is collected in accordance with HIPAA or in the context of certain clinical studies).

Your request must: (i) provide enough information to allow us to reasonably verify your identity; and (ii) describe the right you are exercising with enough detail to allow us to properly understand, evaluate, and respond to your request. Please also note the following:

• Verification: We will generally seek to verify your identity by matching the information you provide (such as name and email address) with our files and confirming you have access to the email account you used to interact with us. We will inform you if we need different or additional information to confirm your identity (such as your date of birth, phone number, or a signed declaration). 
• Authorized Agents: Authorized agents may submit requests to exercise certain privacy rights on behalf of an individual by submitting a request using the methods above and indicating that they are submitting the request as an agent. We will require verification of the agent’s identity and that the authorized agent has permission to make a request on the individual’s behalf. 
• Appeal: If we deny your rights request, you may have the right to appeal. To submit an appeal, email us at datarightsrequest@verily.com.

SUPPLEMENTAL U.S. STATE PRIVACY DISCLOSURES

We only use and disclose Sensitive Personal Information for the following purposes: (i) performing services or providing goods reasonably expected by an average consumer; (ii) detecting security incidents; (iii) resisting malicious, deceptive, or illegal actions; (iv) ensuring the physical safety of individuals; (v) for short-term, transient use, including non-personalized advertising; (vi) performing or providing internal business services; (vii) verifying or maintaining the quality or safety of a service or device; or (viii) for purposes that do not infer characteristics about you. We do not “sell” Personal Information or “share” Personal Information for targeted advertising purposes.

The chart below details the categories of Personal Information we collected and to whom it was disclosed for a business purpose in the past 12 months.

California’s “Shine the Light” law (Civil Code Section § 1798.83) permits California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. To make such a request, please send an email to datarightsrequest@verily.com.

CHILDREN’S PRIVACY

Unless we note otherwise, our Services are not directed to children under the age of 13 (or the relevant age as defined by applicable law) (“Children” or “Child”) and Verily does not knowingly collect Personal Information from Children. Unless otherwise specified, Children are not permitted to use the Services, and we request that Children not submit any Personal Information through the Services. If you believe your Child has submitted Personal Information, please contact us to request that we remove such information. Once we are aware of information entered by a Child, we will exercise commercially reasonable efforts to remove such information from our systems.

SECURITY AND RETENTION

• Security: We strive to maintain the security of your information by using reasonable and appropriate measures designed to protect our systems and the security of your Personal Information. However, we cannot guarantee the security of any information that is disclosed online. 
• Retention: How long we store your Personal Information depends on how and why we collected it. We generally keep Personal Information for as long as necessary for performing the purposes for which we collected it unless an applicable law requires us to keep it for longer. This includes storing your Personal Information to provide you with the Services you have requested and interact with you; maintain our business relationship with you; improve our business over time; ensure the ongoing legality, safety and security of our Services and relationships; or otherwise in accordance with our internal storage and retention procedures. Once you have ended your relationship with us, we may keep your Personal Information in our systems and records to perform our obligations under certain contracts or for other legitimate business purposes, such as to allow easier future user onboarding, demonstrate our business practices and contractual obligations, or provide you with information about our Services in case of interest. Please contact us if you would like more information about our specific retention periods.
• Biometric Information: Any biometric facial identifiers processed by Verily (or its Service Provider acting on its behalf) will be permanently deleted when the initial purpose for which it was collected or obtained has been satisfied or within three years after your last interaction with Verily, whichever occurs first, unless otherwise required by law.

LINKED THIRD-PARTY SITES

We may provide links to other third-party websites through the Services solely as a convenience to you. However, such linking does not mean that Verily endorses, is affiliated with, or makes any representations about such third-party websites. Any Personal Information that you provide to such third parties will be governed by their privacy policies. We encourage you to review the privacy policies of any third-party website or application for details about what information is collected and how it is handled before providing any Personal Information.

INTERNATIONAL TRANSFERS

Unless we state otherwise, we may use or store the information collected through the Services on servers located outside the country where you live, including in the United States. The privacy laws in these countries may be different, and in some cases less protective, than the laws where you live. We take steps to protect your information where it is transferred, including by agreeing to standard contractual clauses approved by governmental authorities, binding corporate rules, approved code of conduct or certification in place, or based on a permissible statutory derogation. Where permitted by applicable law, you may request a copy of such transfer mechanisms by contacting us using the information set out below in the “Contact Us” section. 

Verily complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Verily has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the collection, use, retention, and processing of personal data received from the European Union and the United Kingdom. In reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Verily has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the collection, use, retention, and processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this Privacy Policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. The Federal Trade Commission has jurisdiction over Verily’s compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF). To learn more about the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework and to view our certification, please visit https://www.dataprivacyframework.gov.

Verily has certified its commitment to be subject to the DPF Principles for European Personal Information. This Privacy Policy describes the types of European Personal Information we collect, the purposes for which we collect and use it, and how we disclose it to third parties. This Privacy Policy also contains a description of your right to access your European Personal Information and the choices and means we offer you for limiting the use and disclosures of your European Personal Information. We shall remain responsible for European Personal Information that we share under the Onward Transfer Principle with third parties.

If you have an inquiry regarding our privacy practices in relation to our DPF certification, we encourage you to contact us using the information set out below in the “Contact Us” section. If we are unable to resolve your complaint, you may file a complaint free of charge with your local data protection authority, and we will work with them to resolve your complaint. In certain circumstances, the DPF provides the right to invoke binding arbitration to resolve complaints not resolved by other means. 

Verily is subject to the investigatory and enforcement powers of the US Federal Trade Commission (FTC). Please note that we may be required to disclose European Personal Information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

In compliance with the EU-US DPF and the UK Extension to the EU-US DPF and the Swiss-US DPF, Verily commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning the handling of personal data received in reliance on the EU-US DPF and the UK Extension to the EU-US DPF and the Swiss-US DPF.

MODIFICATIONS TO OUR PRIVACY POLICY

We will inform you of changes to this Privacy Policy that we make from time to time by posting the updated Privacy Policy here. Any changes will be effective immediately upon the posting of the revised Privacy Policy. We encourage you to review this page periodically for the latest information on our privacy practices. This Privacy Policy was updated as of the effective date listed above.

CONTACT US

If you have any questions or concerns regarding the information gathered through the Services, please contact us at prisec@verily.com or via mail at:

Attn: Verily Privacy Office

c/o Verily Life Sciences LLC
269 East Grand Avenue
South San Francisco, CA, 94080

Our Data Protection Officer can be reached at: prisec@verily.com