Privacy Policy

This Privacy Policy applies to Verily products, communications, and digital properties (including websites, online platforms, mobile applications and wearable devices) that refer to this Privacy Policy, and where Verily may obtain and control your Personal Information (as defined herein) (collectively, the "Services").

For the purposes of this Privacy Policy, Verily is a controller (i.e., responsible party) of your Personal Information when we administer the Services directly on our own behalf. In certain situations, we also administer the Services on behalf of our business customers. In those instances, Verily may act as a processor or service provider to such customers. As such, you should review the privacy policy of these business customers, as they will be responsible for your Personal Information.

We offer a range of Services in support of our mission of bringing the promise of precision health to everyone, every day. Please note that some of our Services are subject to their own separate privacy policy, such as our Project Baseline platform (https://www.projectbaseline.com/privacy/) or certain services offered through our subsidiaries/affiliates.

Please read this Privacy Policy carefully. We want you to understand what information we collect from you when you use the Services, how we use such information, and whether and with whom we disclose such information. Using the Services is voluntary, and by accessing or using the Services, you acknowledge that you have read and understood this Privacy Policy.

This section describes the categories of information that we may collect for the purposes described in this Privacy Policy. When you use the Services, several types of information may be collected from you, including: (1) Device Information; and (2) Personal Information. Personal Information generally refers to any information that can be linked to an identified or identifiable person. The term Personal Information also covers certain categories of "Sensitive" or "special" Personal Information that often receive additional protections and/or are subject to additional restrictions under applicable laws. In this Privacy Policy, we refer to this information as "Sensitive Personal Information".

Device Information
We may automatically collect Device Information regarding use of or access to the Services, such as:

• The type of device you use to access the Services;
• The date and time you access the Services;
• The type of web browser you use to access the Services;
• The sections within the Services that you access;
• The Internet Protocol ("IP") address (a number that is automatically assigned to a computer when the Internet is used);
• The user language;
• The operating system;
• The presence/absence of "flash" plug-ins;
• The screen resolution; and
• The connection type that you use to access the Services.

In addition, we may collect location information through the use of technology when you use our Services, such as data associated with your IP address or other online or device identifier. If you do not want us to collect and use this information, you may be able to disable the location features on your device. Check your device manufacturer settings for information on how to do so.

This information (collectively, "Device Information") does not, by itself, personally identify users. We use this Device Information to monitor the effectiveness of the Services, to help personalize your experience, and to consider potential improvements to the Services. Device Information may be collected through cookies or similar technologies. For more detailed information on cookies, please refer to the "Cookies and other Online Interactions" section below.

Personal Information
Access to and/or use of some Services may require disclosure of certain Personal Information as further described below. The categories and specific types of Personal Information that Verily has collected in the past 12 months about you may include:

• Direct identifiers and contact information, including your name, address, phone number, email address, business contact information, or other similar identifiers.
• Demographic and user information, including race, ethnicity, gender, age, location, and user data obtained through surveys or questionnaires, such as study eligibility surveys.
• Identifiers of our customers, third-party partners and collaborators, and their employees, with whom we may interact.
• Account registration information, such as your email address and password and user profile data provided when you create or update your account.
• Health-related information, such as information about a health condition or medical history as part of your use of the Services.
• Biospecimens, such as if you participate in clinical or research study-related activities or medical testing activities.
• Government identifiers, such as Social Security Number, driver’s license and other government identification documents (which may contain document numbers, birth date, gender and photo).
• Biometric data, specifically facial identifiers used in the identity verification process.
• Payment or banking information, including credit card number, name on credit card, expiration date, security code, and billing address, and information required for financing purchases, such as Social Security Number, name and contact information.
• Product survey response information.
• Information you submit when you contact us for support.
• Sensitive Personal Information (where permitted and in accordance with applicable law), of the information listed above, Social Security Number, passwords, geolocation data, racial or ethnic origin, biometric data, and/or health information may also qualify as Sensitive Personal Information depending on your geographical location.

The provision of the Personal Information, including Sensitive Personal Information, listed above is voluntary. In certain instances, however, we will not be able to process your request for our Services without the requested Personal Information.

The following information may also be Personal Information depending on how it is used and linked with other information.

• If you receive an email from us, we may use certain tools to capture data related to when you open our message or click on any links or banners it contains.
• Information regarding your interactions with our Websites or mobile app, including how you interact with links you can click on, information that you type into online forms or information about your device or browser.
• Information about how you interact with our Services. This includes data such as access dates and times, app features or pages viewed, app crashes and other system activity, type of browser and third party sites or services used before interacting with our Services.
• Browser type, operating system, IP address, domain name, click-activity, referring website, and/or a date/time stamp for visitors.
• Information regarding your body movements, pulse rate or similar information derived from your use of wearables and similar devices (e.g., Study Watch).

We collect your Personal Information in the following ways, pursuant to applicable law:

Directly From You, when you use or purchase our Services, register for an account or create a profile, contact us, respond to a survey, sign up to receive emails, text messages, and/or postal mailings.

Through Cookies and Other Data Collection Technologies, when you visit our websites, use our mobile applications, or open or click on emails we send you, or interact with our advertisements. For analytics purposes, we or third parties we work with collect certain information using technologies such as cookies, web beacons, clear GIF, pixels, internet tags, web server logs, and other data collection tools. For more information, please see the  "Cookies and Other Online Interactions" section below.

Through Wearable Devices, when you use wearable devices, such as Verily’s Study Watch; provided that you may be required to enable certain features in order for us to receive information (such as pairing it with a portal or mobile app).

From Our Third-Party Partners, including from third parties that we have partnered with to provide you the Services that you have requested from us.

From Your Google User Account, when you may be required to log in to the relevant Service with a Google user account. Creation and maintenance of your Google user account is handled by Google, and is subject to its separate privacy policy, and NOT this Privacy Policy. We may receive certain information from Google related to your Google user account, such as email address, and we will treat such information in accordance with relevant Google policies.

From Publicly Available Sources, such as information collected for identification verification purposes.

Processing Purposes:
We may use your Personal Information for the following business and commercial purposes ("Processing Purposes") associated with our general business operations.

• We may use your Personal Information for everyday business purposes, such as account management, contract administration, website management, corporate governance, and legal and regulatory reporting obligations.
• We may use your Personal Information to provide you with the Services that you requested. This means that we may use your Personal Information to respond to your questions, process and fulfill your product orders, operate the Services, notify you when we think you may be interested in or eligible for certain Services (as permitted by applicable law), perform our obligations to you, and perform other actions based on your consent.
• We may use your Personal Information to process your purchase and financing of our products, and to make payments.
• We may use your Personal Information to respond and address feedback you provide us or if you contact us for support.
• We may use your Personal Information to send you marketing communications that promote Verily products, programs or services and/or those of our partners (with your consent, where required), and to determine the types of marketing communications to send.
• We may use Personal Information for marketing and promotional purposes.
• We may use your Personal Information to analyze your needs and help improve, develop, and evaluate the Services, and to develop new products and services.
• We may use your Personal Information to comply with laws and regulations and legal processes.
• We may use your Personal Information to monitor compliance with our policies, procedures and applicable terms of service, for fraud prevention, to detect and address illegal activities and/or to protect Verily and its employees, users and property.
• We may use your Personal Information for customer relationship management and administration.
• We may use biometric information, specifically facial recognition information, to identify you as required for your use of certain Services, such as clinical or research studies.
• We may use your Sensitive Personal Information to provide you with the product or Services you have requested or for certain other purposes listed in this section.
• Where legally permissible, your Personal Information may also be used to create de-identified, anonymized or aggregate data sets. Such information is not considered Personal Information and can be used for various purposes, such as statistical and research analysis, in accordance with applicable law.
• We may use Device Information to monitor the effectiveness and improve the functionality of the Services, to help personalize your experience and to consider potential improvements to the Services. This information may also be used for statistical and research purposes and administrative purposes including, without limitation, to troubleshoot and resolve problems with the Services. We may rely on third-party partners to collect and analyze the Device Information. Device Information may also be collected through cookies or similar technologies. For more detailed information on cookies, please refer to the "Cookies and Other Online Interactions" section below.

Legal Basis of Processing
Where a legal basis for processing is required (e.g., in the European Union and the United Kingdom), we process your information for the purposes described in this Privacy Policy based on the following legal grounds:

• With Your Consent: In certain instances, we ask for your consent to process your Personal Information for specific purposes. Provision of your consent is voluntary, and you have the right to withdraw your consent at any time.
• When Pursuing Legitimate Interests: We process your Personal Information for our legitimate interests and those of third parties, while applying appropriate safeguards that protect your privacy, and as further described in this Privacy Policy.
• To Perform a Contract With You: We will process your Personal Information when processing of your Personal Information is necessary for the evaluation, execution or performance of a contract with you.
• When We Have Legal Obligations: We will process your Personal Information when we have a legal obligation to do so, for example, if we are responding to a legal process or an enforceable government request, including law enforcement.

In some cases, your provision of Personal Information may be required by a statutory or contractual obligation.

Service Providers:

• Verily may disclose your Personal Information or make it accessible to certain companies engaged to perform services on our behalf (“Service Providers”). For example, Verily leverages certain technology and services from Google LLC, including cloud services, security services, data storage, website hosting and other support functions. Service Providers’ access to data is strictly limited to the purpose of providing such services to Verily. They are required to perform the services based on our instructions and are not permitted to use the data for any other purpose.

Other Third-Party Vendors:

• We may also disclose Personal Information to Third-Party Vendors, such as our external auditors, attorneys, accountants, and similar professionals, based on our legitimate interest in the operation of our business and our obligations to comply with applicable laws and regulations. These Third-Party Vendors may use your Personal Information to provide services to us and to comply with their legal, regulatory and/or fiduciary obligations.

Business and Research Partners:

• We may partner with other companies to provide you with products or services on a joint or “co-branded” basis. You should be aware that, in such cases, the relevant partner’s privacy policy may also apply in addition to this policy.

Legal Obligations, to Authorities and for Product Safety:

• We may disclose your Personal Information to satisfy applicable laws or regulations, including those related to product safety and adverse event reporting, and in response to legal processes or enforceable government or law enforcement requests.
• We may also disclose your Personal Information if disclosure is reasonably necessary to monitor compliance with our policies and applicable terms of service, to detect, prevent, or otherwise address fraud, security or technical issues, or to protect against the rights, property or safety of Verily, our customers, our users or the public, as required or permitted by law.

Disclosure to Subsequent Owner or Operator:

• We may transfer your Personal Information to a successor entity upon a merger, consolidation or other corporate reorganization, to a purchaser of all or a portion of our assets, or pursuant to a financing arrangement. The Personal Information we have about you may be transferred to parties to the transaction based on our legitimate interest in preparing for and completing the transaction.

Other Disclosures with Your Consent:

• We may share Personal Information with companies, organizations or individuals outside of Verily, for purposes not specified elsewhere in this Privacy Policy, when we have your consent to do so.

De-identified or Aggregate Information:

• We may aggregate and anonymize information you provide to us in such a way as to ensure it will no longer be identifiable to you.  We may share de-identified, anonymized or aggregated data at our discretion, in accordance with applicable laws.

We use various technologies to collect and store information, including cookies, pixel tags, local storage, such as browser web storage or application data caches, databases, and server logs (collectively for purposes of this section, “cookies”). Cookies are small bits of data cached or stored on your computer or mobile device based on your Internet activity. We may use cookies to improve the Services and provide features that are tailored to your needs. This section describes how we use cookies and how you can manage cookies that are not required to operate our sites and mobile applications.

The information collected by these tracking technologies may include (a) your internet protocol (IP) address, unique device identifiers, location, browser type, and Internet service provider information; (b) information about when and how you access and use our websites or Services, such as the domains you visit, what features you used and for how long, the website that referred you to us, and date/time stamps associated with your usage; (c) information about the device you use to access the websites or Services, such as device type, device ID, and device/browser settings; and (d) location of the device used to access the websites or Services derived from GPS or WiFi use.

We differentiate between cookies that are essential for the technical features of the Services and, in certain instances, optional analytics cookies.

Cookie Type	Description
Essential Cookies	These are cookies that the Services need in order to function, and that enable you to move around and use the Services and features. Without these essential cookies, the Services will not perform as smoothly for you as we would like it to and we may not be able to provide the Services or certain features you request. Examples of where these cookies are used include: to determine when you are signed in; to determine when your account has been inactive; and for other troubleshooting and security purposes.
Analytics Cookies	Analytics cookies allow us to understand more about how many visitors we have to our Services, how many times they visit us and how many times a user viewed specific pages within our Services. Although analytics cookies allow us to gather specific information about the pages that you visit and whether you have visited our Services multiple times, we cannot use them to find out details such as your name or address. We use Google Analytics. For more information about Google Analytics, please refer to "How Google Uses Information From Sites or Apps that Use Our Services", which can be found at www.google.com/policies/privacy/partners/, or any other URL Google may provide from time to time. We also use the Meta Conversion Pixel to measure the effectiveness of our advertising in an aggregated manner.

Depending on your location and applicable laws, we may give you the option of adjusting your preferences with regard to the categories of cookies we use. When this option is available, you can configure your personal settings on our Cookies Banner under “Settings” or via other options that may be available on the relevant Service. If you use a different device to access the same Services, you may need to manage your settings for each separate device you use.

Do Not Track ("DNT") is a privacy preference that visitors can set in their web browsers. When a visitor turns on DNT, the browser sends a message to websites requesting that they do not track the visitor. At this time, we do not respond to these signals.

• Promotional Emails. You can opt out of receiving marketing or promotional emails by following the unsubscribe instructions contained in marketing or promotional emails you receive from us. If you decide not to receive marketing or promotional emails, we may still send you service or transactional-related communications, such as notices about your account.
• Promotional Text Messages. You may have an opportunity to receive promotional text messages from us. In such case, you will be able to  opt out of receiving text messages at any time by replying “STOP,” or following the unsubscribe instructions contained in the text message.

Depending on where you live, you may have certain rights with respect to your Personal Information. For example, under local applicable laws, including the European Union and the United Kingdom, you may have the following rights:

• Correction/Rectification: You have the right to request that we correct or supplement any inaccurate or incomplete Personal Information we process about you.
• Deletion/Erasure: You have the right to request that we delete your Personal Information.
• Access: You have the right to request access to the Personal Information we hold about you, along with other information such as the purposes of the processing, the recipients or categories of recipients to whom the Personal Information has been or will be disclosed, the sources of the Personal Information, retention, and transfers of Personal Information.
• Data Portability: In certain circumstances, you have the right to request that we provide the Personal Information which you provided to us in a structured, commonly used and machine-readable format; and you have the right to transmit such Personal Information to another entity.
• Restriction of Processing: You have the right to request that we restrict the processing of your Personal Information in certain cases. Where applicable, the respective Personal Information will be marked accordingly and may only be processed by us for certain purposes.
• Objection to Processing: In certain circumstances, you have the right to object to our processing of your Personal Information.
• Withdrawal of Consent: Where our processing is based on your consent, you have the right to withdraw such consent at any time; however, you may not be able to use the Service or feature for which you are withdrawing your consent. Withdrawing your consent will not affect the lawfulness of the processing we conducted prior to your withdrawal.

If you choose to assert any of these rights under applicable laws, we will respond within the time period prescribed by applicable law. Please note that you may be located in a jurisdiction where we are not obligated to fulfill a request and that many of the above rights may be generally  subject to exceptions and limitations. To the extent permitted by applicable law, we may reject requests that are unreasonably repetitive, unduly burdensome, risk the privacy of others, or would be very impractical to honor.  If we are not able to provide the requested information or make the change you requested, you will be provided with the reasons for such decisions. Depending on where you are located, you may have the right to lodge a complaint with the relevant supervisory authority.

If you are based outside of the United States and would like to exercise any individual rights you may have, please submit your privacy requests by emailing us at datarightsrequest@verily.com.

Your request must: (i) provide sufficient information that allows us to reasonably verify that you are the person about whom we collected Personal Information or an authorized representative of that person; and (ii) describe the request with sufficient detail that allows us to properly understand, evaluate, and respond to it. We will only use Personal Information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.

If you are a California resident and the California Consumer Privacy Act (“CCPA”) applies to your Personal Information (e.g., an exception described in the next paragraph does not apply), we provide this additional information so you can understand and exercise your rights under the CCPA.

Please note that the CCPA generally does not apply to certain data that is subject to the California Confidentiality of Medical Information Act, the Health Insurance Portability and Accountability Act of 1996 or information collected, used, or disclosed as part of certain clinical trials and research, as defined in Section 164.501 of Title 45 of the Code of Federal Regulations and that is conducted in accordance with the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, good clinical practice guidelines issued by the International Council for Harmonisation, or human subject protection requirements of the United States Food and Drug Administration.

We use and disclose your Personal Information for the Processing Purposes as set out in the “Use of Your Personal Information”  and “Disclosure of Your Personal Information” sections above

When the CCPA applies, California residents will have the following consumer rights:

• Limit Sensitive Personal Information: You have the right to opt out of certain uses and disclosures of Sensitive Personal Information. However, we do not use or disclose Sensitive Personal Information for purposes other than those which cannot be limited under California law.
• Do not Sell or Share My Personal Information:  You have the right to prohibit/opt out of the "sale" or "share" of Personal Information. However, we have not "sold" or "shared" your Personal Information in the past 12 months.
• Access, Portability, Correction, Deletion: You have the right to request  access to Personal Information, data portability, deletion/erasure of Personal Information and correction/rectification of inaccurate Personal Information, as described in the section above entitled "Your Privacy Rights".
  • To exercise your rights to Access, Portability, Correction or Deletion, you may submit such requests by (1)  emailing us at datarightsrequest@verily.com or (2) calling our toll-free number at 833-821-6366.
  • After you make your request, we will use the information we have about you to verify your identity (and if applicable, your authorized agent’s identity). Our verification process may include a request for additional information to confirm your identity or your authorized agent’s identity (such as your name, email address and date of birth) or to obtain proof that you have given your authorized agent permission to act on your behalf. If our verification process is successful, we will respond to your request within the time and in the manner required by applicable law. If we cannot validate the identity of you and/or your authorized agent or obtain proof that you have given your authorized agent permission to act on your behalf, we will attempt to contact you to inform you.
  • If you designate an authorized agent to submit requests to exercise certain privacy rights on your behalf, we will require verification that you provided the authorized agent permission to make a request on your behalf.

We do not discriminate against California residents who exercise any of their rights described in this Privacy Policy. However, Verily may require use of your Personal Information to provide access to the Services. Therefore, when you exercise your deletion rights, in particular, you may lose access to certain aspects of the Services that require your Personal Information.

Unless otherwise specified, Verily’s Services are not directed to children under the age of 13 (or the relevant age as defined by applicable law) (“Children” or “Child”) and Verily does not knowingly collect or distribute Personal Information from Children. Unless otherwise specified, Children are not permitted to use the Services, and we request that Children not submit any Personal Information through the Services. If you believe your Child has impermissibly submitted Personal Information, please contact us to request that such information be removed. Once we are aware of information impermissibly entered by a Child, we will exercise commercially reasonable efforts to remove such information from our systems.

• Security: We strive to maintain the security of your information by using appropriate measures designed to protect our systems. However, we cannot guarantee the security of any information that is disclosed online.
• Retention: How long we retain your Personal Information depends on the context in which, and purposes for which, we collected it. We generally retain Personal Information for as long as necessary for achieving the purposes for which it was collected or processed, unless a different retention period is required by applicable law.
  • Biometric Information: Any biometric facial identifiers processed by Verily (or its Service Provider acting on its behalf) will be permanently deleted when the initial purpose for which it was collected or obtained has been satisfied or within three years after your last interaction with Verily, unless otherwise required by law.

We may provide links to other third-party websites through the Services solely as a convenience to you. However, such linking does not mean, and should not be interpreted to mean, that Verily endorses, is affiliated with or makes any representations concerning such third-party websites. Verily neither reviews, controls, nor is responsible for these third-party sites or any content therein. By using such links, you will leave the Services. Please note that any Personal Information that you provide to such third parties will be governed by their privacy policies, and we have no control over or responsibility for their privacy practices. If you decide to access any of the third-party sites linked to the Services, you do so entirely at your own risk. Verily shall not be liable for any consequences arising from use of any third-party websites to which the Services link. We encourage you to review the privacy policies of any third-party website or application for details about what information is collected and how it is used and/or disclosed prior to providing any Personal Information.

Unless otherwise specified, we may process the information collected through the Services on a server located outside the country where you live. However, we will handle your Personal Information in accordance with this Privacy Policy regardless of where your Personal Information is stored or processed. When we transfer Personal Information from the European Economic Area, the United Kingdom (UK) and Switzerland to other countries, including to the United States, we use a variety of legal means to help ensure the data is appropriately protected.  We comply with certain legal frameworks relating to the cross-border transfer of Personal Information by implementing appropriate contractual or other measures, including but not limited to, the European Union or United Kingdom Standard Contractual Clauses, where required.  Where permitted by applicable law, you may request a copy of such contractual clauses by contacting us using the information set out below in the "Contact Us" section.

While Verily does not rely on the Privacy Shield certification as a basis for international data transfers, Verily Life Sciences LLC complies with the EU-US and Swiss-US Privacy Shield Frameworks as set forth by the US Department of Commerce regarding the collection, use and retention of Personal Information in the United States from European Union member countries and the UK and Switzerland, respectively ("European Personal Information"), as described in our Privacy Shield certification. Verily’s Privacy Shield certification does not include data processed through our website and portal at www.projectbaseline.com ("Project Baseline"), which is subject to appropriate contractual or other measures, as set for in its separate privacy policy

(https://www.projectbaseline.com/privacy/).

Verily has certified its commitment to be subject to the Privacy Shield Principles such European Personal Information received from the EU and the UK and Switzerland. We shall remain responsible for such European Personal Information that we share under the Onward Transfer Principle with third parties for processing on our behalf, as described under the caption "How We Use and Disclose Information Collected." Learn more about the Privacy Shield program here.

If you have an inquiry regarding our privacy practices in relation to our Privacy Shield certification, we encourage you to contact us using the information set out below in the “Contact Us” section. Verily is subject to the investigatory and enforcement powers of the US Federal Trade Commission (FTC). You may also file a complaint free of charge with your local data protection authority and we will work with them to resolve your complaint. In certain circumstances, the Privacy Shield Framework provides the right to invoke binding arbitration to resolve complaints not resolved by other means, as described in Annex I to the Privacy Shield Principles.

From time to time, we may update and post revisions to this Privacy Policy. Any changes will be effective immediately upon the posting of the revised Privacy Policy. We encourage you to review this page periodically for the latest information on our privacy practices. This Privacy Policy was updated as of the effective date listed above.

If you have any questions or concerns regarding the information gathered through the Services, please contact us at prisec@verily.com.

Attn: Verily Privacy Office, c/o Verily Life Sciences LLC, 269 East Grand Avenue, South San Francisco, CA, 94080