Effective as of: September 18, 2023
What's Changed: We added clarity on the use of artificial intelligence in Customer workbenches, and we added more details about our AWS data hosting process. No changes have been made to LunaDNA's use of your Shared or Personal Data.
TABLE OF CONTENTS
- What Information We Collect, or You Share
- Why We Collect or Ask You to Share Your Information
- How We Use Your Information
- Data Rights of Each Individual
- Data Retention
- Minor Accounts
- Ward Accounts
- Third-Party Tools
- Security & Privacy Measures
- Contact Information
- Approved Researcher. A researcher who has had their research study reviewed by an Institutional Review Board (IRB) or similar regulatory body and whereby the regulatory body has exempted or approved their research study. A researcher is approved on a study by study basis.
- Community. A group of members self-assembling inside the platform with a shared purpose, e.g., similar health condition, similar lifestyle interests, etc. The community may be supported by personnel, who are also members, to provide additional resources to the group members.
- Customer. A user on the LunaDNA platform who accesses Customer Services (e.g., researchers, community administrators, etc.) or accesses Member Services on behalf of a Member (e.g., proxy, legal guardian, etc.). It is possible for a user to be both a Customer and Member. Customers are data processors.
- Customer Data. Any private or proprietary information that a customer chooses to import into their private, secure compute environment, also known as a “sandbox” or “workbench”. Under certain circumstances it can include personal information but shall not include any Shared Data or Personal Data.
- Member. A user on the LunaDNA platform who accepts the LunaDNA Consent with the intention or action of sharing data (Shared Data) on the platform. It is possible for a user to be both a Customer and Member.
- Minor. A user on the LunaDNA platform who is under the age of 18.
- Non-Shared Data Services. Those Services that do not involve use of Member Shared Data.
- Personal Data. Any personal information (e.g., your name, contact information, payment information). Personal Data does not include Shared Data.
- Services. Any of LunaDNA’s products, software, services, and website (including but not limited to text, graphics, images, and other material and information) as accessed from time to time by the user, regardless if the use is in connection with an account or not. Customers and Members may not have access to all of the same Services.
- Service Insights. Means any analysis outputs, workbooks, sheets, visualizations, etc. generated in the Customer’s private compute environment.
- Shared Data. Genomic data (that is, data about an individual’s genes, or DNA) and medical or health data (e.g., medications, allergies, surveys, health records, information collected by integrated apps and devices). Interview transcripts, where collected, are also protected as Shared Data.
- Ward. A user on the LunaDNA platform who is aged 18 or older and unable to create and manage their own LunaDNA account
What Information We Collect, or You Share
Why We Collect or Ask You to Share Your Information
LunaDNA collects your information or asks you to share information for the following reasons.
Enable researchers advance of health / medical science
Enable researchers to recruit Members to research studies, clinical studies, clinical trials, etc.
Supporting Members’ interests in learning about community resources and available research studies
Improving LunaDNA Services
Complying with legal obligations
How We Use Your Information
LunaDNA accesses Shared Data and/or Personal Data as follows:
- Enable researchers to advance health / medical science. An approved researcher accesses a cloud-based analysis space within the LunaDNA platform, which we call an Insights Workbench™ (“Workbench”), where the Shared Data collected from enrolled Members for the researcher’s specific study is available for processing. The inclusion of a Member’s Shared Data is contingent on the member choosing to enroll in that specific study. Shared Data from all Members enrolled in the study are assembled in the researcher’s Workbench. A minimum of three (3) Members must have enrolled in a study before the Shared Data is assembled in a Workbench. If a researcher has been approved to process Personal Data in their study, some or all of an enrolled Member’s Personal Data is assembled in the Workbench as well. A study requesting access to Personal Data must have an additional study-specific consent, which the Member must choose to accept before they are enrolled in the study.
- Enable researchers to recruit Members to research studies, clinical studies, clinical trials, etc. In some situations, a Customer (e.g., a researcher or community administrator) may want to contact Members directly, for example for clinical trial recruitment or to inform Members of new community resources. Members’ preference whether to receive these invitations (which we call opt-in) can be turned on or off within your account settings page. For those who opt-in, LunaDNA enables this contact via an automated process using the Recontact Agent™, which allows the Customer to invite you into a direct communication but does not grant them access to any of your Personal Data or individual Shared Data.
- Supporting Members’ interests in learning about community resources and available research studies. Communities to which a Member belongs, Customers in whose study a Member is participating, and LunaDNA or LunaPBC may contact Members about new study opportunities, community resources, details about their account and any relevant information about available Services. Members can set their preferences for receiving these communications in their account settings.
- Improving LunaDNA services. LunaDNA may use information it collects to improve its services, for example, improving the design and structure of our website or databases; to detect, prevent, or otherwise address fraud, security, or technical issues; and to protect against harm to the rights, property or safety of LunaDNA or our affiliates or Members.
- As required by law. LunaDNA may use or disclose any information it collects as required by law or legal process, for example, in responding to a court-issued subpoena. However, we believe the steps LunaDNA takes to protect Member information, such as its de-identified data segregation architecture, which does not allow for re-identification of Shared Data without the consent of the contributing Member, provides substantial protection to our Members in these situations. Where allowed by law or legal process and where reasonably possible, we will notify Members in advance of any such proposed use or disclosure of their data.
LunaDNA accesses Customer Data as follows:
- Enable researchers to facilitate the advancement of health / medical science. A Customer can import private and/or proprietary data sets into their Workbench. If requested by the Customer, LunaDNA may help structure the data set to optimize it for analysis in the Workbench. Otherwise, LunaDNA does not access, use, or share Customer Data in any way. This data is secured within the Customer’s Workbench, and only available for the specific Customer’s use.
Data Rights of Each Individual
- Right to be Informed
- Right of Access
Members can download all Shared Data from their Member account and view, edit, or delete their Personal Data from their Member account at any time. Shared Data of Members who enroll in a research study is processed as described above in “Enable researchers to facilitate the advancement of health / medical science”.
- Right to Rectification
At any time, Members can delete and resubmit Shared Data to make corrections and edit Personal Data from their Member account. For inaccuracies in their DNA or health record information, Members must contact the organization who controls the origination of the data (e.g., 23andMe, a genetic testing lab, their physician’s office, etc.) to make corrections to the original data. Once corrected, the Member can resubmit the data or in the case of a connected patient portal, the data will be updated with the next automatic sync to their account.
- Right to Object Processing
At any time, Members can revoke their consent(1), delete their account(2), or delete some, but not all, of their data(3) from our database subject to our data retention policy (see below).
(1) All Shared Data, (2) all Shared Data and All Personal Data, or (3) the specific Shared Data selected, is permanently deleted or purged from our database.
- Right to Restrict Processing
A Member can restrict the processing of their Shared Data based on the research studies they choose to enroll in as well as by exercising their right to revoke their consent or delete some or all of their data at any time.
- Right to Data Portability
Members can download all Shared Data from their Member account in industry standard file formats. Members can also view, edit, or delete their Personal Data from their Member account at any time.
- Right to be Forgotten
At any time, Members can delete their account and all Shared Data and Personal Data will be permanently removed, or purged, from our database subject to our data retention policy (see below).
- Right in Relation to Automated Decision Making and Profiling
No automated decision making or profiling is performed by LunaDNA as the data controller.
To file a complaint or make an inquiry about your data privacy rights, please send an email to email@example.com. For any other inquiries, please email firstname.lastname@example.org. We will respond via email within two (2) business days.
- Member Shared Data is deleted within twenty-four (24) hours from when a Member deletes their account or when they delete specific pieces of Shared data.
- Member Personal Data is deleted within twenty-four (24) hours from when a Member deletes their account.
- Member Shared Data may take up to 30 days to delete from a Workbench actively processing Shared Data.
- Any research that has been completed or published using Member Shared Data prior to the Member revoking consent for the use of that data or purging that data from our database will not be affected by the Member’s decision to purge data or revoke consent and will be retained in the published research data set (e.g., as part of a scientific publication). This also includes any study insights or models already derived from the Member Shared Data inclusive of Artificial Intelligence (AI) models that have been trained on Member Shared Data.
- Member Shared and Personal Data will be removed from data back-ups within fourteen (14) business days.
- Customers may choose to publish manuscripts or submit data to a regulatory body (such as the Food & Drug Administration (FDA) or European Medicines Agency (EMA) as part of a research study. Associated regulations may require the data set used for analysis and the analyses be archived. These archived data sets will include Member Shared Data for Members enrolled in the study. The archived data sets are maintained on the LunaDNA platform independent of the Member account and inaccessible except in the event of a complaint where the data set must be made available to investigating parties to reproduce the results identified by the original researcher.
LunaDNA is not designed for, intended to attract, or directed toward minor children under the age of 13 years. Only persons aged 18 years or older (an “adult”) may establish an account in LunaDNA and contribute Shared Data or Personal Data on their own behalf. A parent or legal guardian (either, a “guardian”) of a person under the age of 18 years (a “child”) may create and control a Member account on behalf of the child (a “Minor Account”) and provide Shared Data and Personal Data for the child until the child reaches the age of 18 years.
- Within a Minor Account, and as the child remains under 18 years of age, a guardian may act on behalf of the child in such activities including but not limited to: (a) consenting via the LunaDNA consent, (b) sharing the child’s Shared Data and Personal Data, and (c) responding to research requests (if the guardian has chosen to allow such requests in the privacy settings).
- The guardian's contact information linked to the Minor Account is considered Personal Data associated with the guardian's account.
- Currently, a Minor Account is not eligible for the issuance of shares in LunaDNA.
- The guardian may choose to convert a Minor Account to an account directly in the child’s control (a “conversion”) once the child is at least 13 years of age and is eligible to act on their own behalf for sharing and controlling their personal data under relevant laws and regulations. Following a conversion, the consent for use of the child’s Shared Data is revoked unless and until the child re-consents to the LunaDNA consent on their own behalf. The guardian is responsible for confirming the child is eligible to control their own account and consent on their own behalf based on the applicable legal requirements in the jurisdiction in which they live prior to initiating a conversion.
- If the guardian has not completed a conversion prior to the child’s 18th birthday, then upon the child’s 18th birthday, the guardian will be locked out of the child’s account, except to perform a conversion, and the consent for use of the child’s Shared Data will be revoked. Following conversion, the former child beneficiary of the account will have the option to re-consent to the LunaDNA consent on their own behalf.
LunaDNA recognizes that some adults (18 years of age or older) may not be able to create or manage their own accounts due to health conditions or legal circumstances (i.e., they are “incapacitated”). We refer to these adults as “wards”. An individual to whom the ward has granted authority to act on their behalf, which we refer to as a caregiver-life proxy (or “caregiver”), may establish an account in LunaDNA and contribute Shared Data or Personal Data on behalf of their ward.
- Within a Ward Account, and if the adult remains incapacitated, a caregiver may act on behalf of the ward in such activities including but not limited to: (a) consenting via the LunaDNA consent, (b) manage the ward's privacy settings, (c) sharing the ward’s Shared Data and Personal Data, and (d) responding to research requests (if the caregiver has chosen to allow such requests in the privacy settings).
- The caregiver's contact information, linked to the Ward Account, is considered Personal Data associated with the caregiver’s account.
- The caregiver must agree to convert a Ward Account to an account directly in the ward’s control (a “conversion”) if the ward re-establishes capacity and is capable of acting on their own behalf for sharing and controlling their personal data under relevant laws and regulations. Following a conversion, the consent for use of the ward’s Shared Data is revoked unless and until the ward re-consents to the LunaDNA consent on their own behalf. The caregiver is responsible for confirming the ward is capable of controlling their own account and consent on their own behalf based on the applicable legal requirements in the jurisdiction in which they live prior to initiating a conversion.
- Data hosting. LunaDNA uses Amazon Web Services (AWS) for our cloud solutions provider. LunaDNA uses various AWS data centers, including data centers located in the USA, with the aim to provide optimal Member experience. Some data centers can be in countries that lack a data adequacy decision by the European Union. We ensure your data is protected with appropriate safeguards in accordance with applicable privacy laws. We use data protection agreements with our data hosting provider(s).
- Support Tools. LunaDNA uses Freshworks software to manage our online support chat and help desk services. No data is transferred from LunaDNA to Freshworks. Freshworks enables GDPR-compliant support for all of their customers worldwide. https://www.freshworks.com/privacy/.
- Other Tools. Please review the LunaDNA Cookies Policy which may describe other tools.
Security & Privacy Measures
LunaDNA takes the security and privacy of your data very seriously. LunaDNA uses technical, physical, and administrative controls designed to protect member Personal Data and Shared Data from unauthorized access or disclosure and to regulate the appropriate use of this information.
Data is segregated and encrypted in such a way that it reduces the risk of anyone trying to form a complete profile of the Member's data. LunaDNA leverages what it believes to be best-in-class compliant infrastructure in all processes including data storage and processing (even though we are not subject to HIPAA regulations). Compliance with the General Data Protection Regulation (GDPR) is characterized through data protection impact assessments (DPIAs) on an as needed basis.
We protect data via safeguards such as data backups, audit controls, access controls, data encryption, data segregation, and account creation and login verification. Our site and APIs use Secure Socket Layer (SSL) technology to encrypt all connections to and from our site and APIs to enhance security of electronic data transmissions. Luna adheres to or exceeds NIST 800 series recommendations for encryption. Our security compliance is audited and certified annually via SOC2. You can view our SOC2 certification here:
Attention: Data Protection and Privacy Officer
10070 Mesa Rim Road
San Diego, CA 92121
Name: Scott Kahn
Name: Scott Kahn
You are responsible for ensuring that your contact information (i.e., email listed on your profile page) remains up to date and valid.