Effective as of: July 24, 2020
(Effective 30 days from member notification on June 23, 2020)
- Safeguarding the privacy and security of your Personal Data and Shared Data is of the utmost importance.
- We understand and respect the sensitive nature of the information you may provide to us, and we strive to be transparent in our collection, use and disclosure of this information and to ask for your explicit consent to share sensitive information with third parties.
- We are committed to providing a secure, private, and safe environment for our services.
Information We Collect or You Share
How We Share/Use Your Data
LunaDNA does not access, use, or share Customer Data in any way. This data is secured within the Customer’s sandbox, and only available for the specific Customer’s use.
LunaDNA accesses Shared Data and/or Personal Data as follows:
- Population-level Research. LunaDNA's Manager, LunaPBC, Inc. (which we refer to as LunaPBC) or an approved and contracted Customer (e.g. researcher) may perform population-level searches based on a pre-defined study design. We refer to these searches as queries. Based on the results of a query, a subset of aggregated, de-identified Shared Data is populated in a private, secured compute environment controlled by LunaDNA, which we refer to as a sandbox, in order to complete the analysis required by the study design. This population-level research may have various purposes including the advancement of genomic science and identifying links between genomics and disease or other conditions. Researchers will be able to associate your Shared Data with a unique data file identification number that is independent from your Personal Data. Your Personal Data will not be viewable in any of the above activities.
- Research or Community Inquiries. In some situations, a Customer (e.g., a researcher or community administrator) may want to contact Members directly, for example for clinical trial recruitment or to inform Members of new community resources. Members’ preference whether to receive these invitations (which we call opt-in) can be turned on or off within your account settings page. For those who opt in, LunaDNA enables this contact via an automated process, which allows the Customer to invite you into a direct communication but does not grant them access to any of your Personal Data or individual Shared Data. It is then your choice whether you will engage in direct contact with the Customer or not. The invitation list is typically determined by LunaDNA or the Customer querying our platform, using the unique data file identification number linked to your Shared Data, and based on specific query parameters defined by the researcher or contracted third party.
- Member Inquiries. In some situations, a Member may want to contact Customers directly, for example to inquire about upcoming community events or studies. A Customer's preference whether to receive these invitations (which we call opt-in) can be turned on or off within its account settings page. For those who opt in, LunaDNA enables this contact via an automated process, which allows the Member to invite the Customer into a direct communication but does not grant the Customer access to any of the Member’s Personal Data.
- LunaDNA Communications. LunaDNA or LunaPBC may contact you about your account and any relevant information about our Services. You can set your preferences for receiving these communications in your account settings.
- Improving LunaDNA Services. LunaDNA may use information it collects to improve its services, for example, improving the design and structure of our website or databases; to detect, prevent, or otherwise address fraud, security, or technical issues; and to protect against harm to the rights, property or safety of LunaDNA or our affiliates or members.
- As Required By Law. LunaDNA may use or disclose any information it collects as required by law or legal process, for example, in responding to a court-issued subpoena. However, we believe the steps LunaDNA takes to protect your information, such as its de-identified data segregation architecture, which does not allow for re-identification of Shared Data without the consent of the contributing member, provide substantial protection to our members in these situations. Where allowed by law or legal process and where reasonably possible, we will notify you in advance of any such proposed use or disclosure of your data.
Security & Privacy Measures
LunaDNA takes the security and privacy of your data very seriously. LunaDNA uses technical, physical, and administrative controls designed to protect member Personal Data and Shared Data from unauthorized access or disclosure and to regulate the appropriate use of this information.
Additionally, each type of data is uniquely tagged with a sequence of characters that is determined by a one-way hash function, designed in such a way that it is extremely difficult with today’s technology to reverse engineer the given value. This disaggregated data is currently stored across separate private cloud storage sites, increasing the barriers for anyone trying to access any member’s complete data profile. LunaDNA leverages what it believes to be best-in-class HIPAA-compliant infrastructure in all processes including data storage and processing (even though we are not subject to HIPAA regulations).
We protect data via safeguards such as data backups, audit controls, access controls, data encryption, data segregation by type, and account creation and login verification. Our site and application program interfaces (APIs) use Secure Sockets Layer (SSL) technology to encrypt all connections to and from our site and APIs to enhance security of electronic data transmissions. Additionally, we use nationally recommended standards and processes for securing and encrypting all stored member data.
Each member will be in control of the selection and safety of his or her password. LunaDNA has put additional measures in place to assist with account security including email verification at account creation and two-factor authentication for members signing into their LunaDNA account. Data within LunaDNA may exist across international jurisdictions, but in all cases, abides by LunaDNA’s security and privacy policies.
Third Party Tools
- Data hosting. LunaDNA uses Amazon Web Services for our cloud services.
- LunaDNA & LunaPBC Support Tools. LunaDNA uses Freshworks software to manage our online support chat and help desk services. Freshworks enables GDPR-compliant support for all of their customers worldwide. https://www.freshworks.com/privacy/
As explained in our LunaDNA Consent, Members may choose at any time to revoke their consent to all of their data, purge some or all of their data, and even delete their account completely from our databases. Customers may also delete their Customer Data at any time or delete their Account dependent on any terms in their LunaPBC contract.
- What Are Cookies? Cookies are small pieces of information sent by a web server to a web browser which allows the server to uniquely identify the browser on each page. To learn more about cookies, including how you can turn them off, you can visit allaboutcookies.org.
Strictly Necessary Cookies. These cookies are essential in order to enable you to navigate through our website and use its features. Without these cookies, we cannot remember your login details or otherwise keep track of any services you have requested.
Performance Cookies. These cookies collect anonymous information on how visitors use our website. For example, we currently use Google Analytics cookies to help us understand how customers arrive at our site, browse or use our site and highlight areas where we can improve areas such as navigation, data uploading experience and marketing campaigns.
Functionality Cookies. These cookies remember choices you have made, such as the country you visit our website from, your preferred language and search parameters such as size, color or product line. These can then be used to provide you with an experience more appropriate to your selections and to make your visits more tailored and pleasant.
Targeting or Advertising Cookies. These cookies collect information about your browsing habits in order to make advertising more relevant to you and your interests. They may also be used to limit the number of times you see an advert as well as help measure the effectiveness of an advertising campaign. The cookies are usually placed by third party advertising networks. They remember the websites you visit and that information is shared with other parties such as advertisers.
To learn more about advertising cookies and to control your preferences, visit https://youradchoices.com/.
- Deleting or Blocking Cookies. You can control how they are used on your browser. To learn more about clearing and managing cookies, visit allaboutcookies.org/manage-cookies/clear-cookies-installed.html.
LunaDNA is not designed for, intended to attract, or directed toward minor children under the age of 13. Only persons age 18 or older (an “adult”) may establish an account in LunaDNA and contribute Shared Data or Personal Data on their own behalf. A parent or legal guardian (either, a “guardian”) of a person under the age of 18 (a “child”) may create and control a Member account on behalf of the child (“Minor Account”) and provide Shared Data and Personal Data for the child until the child reaches the age of 18.
- Within a Minor Account, and as long as the child remains under 18 years of age, a guardian may act on behalf of the child in such activities including but not limited to: (a) consenting via the LunaDNA consent, (b) sharing the child’s Shared Data and Personal Data, and (c) responding to research requests (if the guardian has chosen to allow such requests in the privacy settings).
- The guardian's contact information linked to the Minor Account is considered Personal Data associated with the guardian's account.
- Currently, a Minor Account is not eligible for the issuance of shares in LunaDNA.
- The guardian may choose to convert a Minor Account to an account directly in the child’s control (a “conversion”) once the child is at least 13 years of age and is eligible to act on their own behalf for sharing and controlling their personal data under relevant laws and regulations. Following a conversion, the consent for use of the child’s Shared Data is revoked unless and until the child re-consents to the LunaDNA consent on their own behalf. The guardian is responsible for confirming the child is eligible to control their own account and consent on their own behalf based on the applicable legal requirements in the jurisdiction in which they live prior to initiating a conversion.
- If the guardian has not completed a conversion prior to the child’s 18th birthday, then upon the child’s 18th birthday, the guardian will be locked out of the child’s account, except to perform a conversion, and the consent for use of the child’s Shared Data will be revoked. Following conversion, the former child beneficiary of the account will have the option to re-consent to the LunaDNA consent on their own behalf.
- The LunaDNA Consent Agreement details what happens when consent is revoked.
LunaDNA recognizes that some adults (18 years of age or older) may not be able to create or manage their own accounts due to health conditions or legal circumstances (i.e. they are “incapacitated”). We refer to these adults as “wards”. An individual to whom the ward has granted authority to act on their behalf, which we refer to as a caregiver-life proxy (or “caregiver”), may establish an account in LunaDNA and contribute Shared Data or Personal Data on behalf of their ward.
- Within a Ward Account, and as long as the adult remains incapacitated, a caregiver may act on behalf of the ward in such activities including but not limited to: (a) consenting via the LunaDNA consent, (b) managing the ward’s privacy settings, (c) sharing the ward’s Shared Data and Personal Data, and (d) responding to research requests (if the caregiver has chosen to allow such requests in the privacy settings).
- The caregiver's contact information, linked to the Ward Account, is considered Personal Data associated with the caregiver’s account.
- The caregiver must agree to convert a Ward Account to an account directly in the ward’s control (a “conversion”) if the ward re-establishes capacity and is capable of acting on their own behalf for sharing and controlling their personal data under relevant laws and regulations. Following a conversion, the consent for use of the ward’s Shared Data is revoked unless and until the ward re-consents to the LunaDNA consent on their own behalf. The caregiver is responsible for confirming the ward is capable of controlling their own account and consenting on their own behalf based on the applicable legal requirements in the jurisdiction in which they live prior to initiating a conversion.
- The LunaDNA Consent Agreement details what happens when consent is revoked.
Attention: Data Protection and Privacy
4110 Campus Point Court
San Diego, CA 92121
You are responsible for ensuring that your contact information (i.e., email listed on your profile page) remains up to date and valid.
- Community. A group of members self-assembling inside the platform with a shared purpose, e.g. similar health condition, similar lifestyle interests, etc. The community may be supported by personnel, who are also members, to provide additional resources to the group members.
- Customer. A user on the LunaDNA platform who accesses Customer Services (e.g. researchers, community administrators, etc.) or accesses Member Services on behalf of a Member (e.g. proxy, legal guardian, etc.). It is possible for a user to be both a Customer and Member.
- Customer Data. Any private or proprietary information that a customer chooses to import into their private, secure compute environment, also known as a "sandbox".
- Member. A user on the LunaDNA platform who accepts the LunaDNA Consent with the intention or action of sharing data (Shared Data) on the platform. It is possible for a user to be both a Customer and Member.
- Non-Shared Data Services. Those Services that do not involve use of Member Shared Data.
- Personal Data. Any personal information (for example, your name, contact information, payment information). Personal Data does not include Shared Data.
- Services. Any of LunaDNA’s products, software, services, and website (including but not limited to text, graphics, images, and other material and information) as accessed from time to time by the user, regardless of whether the use is in connection with an account or not. Customers and Members may not have access to all of the same Services.
- Shared Data. Genomic data (that is, data about an individual’s genes, or DNA) and medical or health data (for example, medications, allergies, surveys, health records, information collected by integrated apps and devices).
- Share Holder Members. Members who hold shares in LunaDNA (which we offer to some members in exchange for rights to Shared Data). The term Share Holder Member in these Terms corresponds to the term “member” as used in LunaDNA’s Operating Agreement and Offering Circular defining the rights of Share Holder Members.