Privacy Practices and Policies

PREVENTIONGENETICS NOTICE OF PRIVACY PRACTICES

This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.

EFFECTIVE DATE OF NOTICE: August 22, 2022

PreventionGenetics is required by law to provide individuals with notice of its legal duties and privacy practices with respect to your Protected Health Information (defined below). This Notice describes the privacy practices of PreventionGenetics, its employees, and other personnel ("PreventionGenetics", "we" or "us").

I. Our responsibility

PreventionGenetics and the members of its workforce are committed to protecting the privacy and confidentiality of your personal information, genetic information, and laboratory test results.

PreventionGenetics is required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to keep your Protected Health Information confidential. This Notice describes our legal duties and privacy practices and explains your patient privacy rights. When we use or disclose your Protected Health Information, we are required to abide by the terms of this Notice.

II. What is Protected Health Information?

Protected Health Information is your demographic information, medical history, laboratory results, insurance information, and other health information that is collected, generated, used, and communicated by PreventionGenetics to produce genetic testing results and to bill for our testing services. Examples of Protected Health Information include your name, date of birth, medical record number, social security number, insurance beneficiary number, and genetic information.

III. How we use and disclose your health information

Your Protected Health Information may be used and disclosed for treatment, payment, healthcare operations, and other purposes permitted or required by law. PreventionGenetics may use and disclose your Protected Health Information for the following purposes:

TREATMENT

We may use or disclose your Protected Health Information for treatment purposes. For example, we may use your Protected Health Information to perform our testing services and disclose your genetic testing results to your physician and other healthcare providers involved in your care.

PAYMENT

We may use or disclose your Protected Health Information to obtain payment for healthcare services we provide. For example, we may use and disclose your information to send a bill to your insurance company or health plan to receive payment for the services provided to you.

HEALTH CARE OPERATIONS

We may use and disclose your Protected Health Information for our healthcare operations. For example, we may use your Protected Health Information to monitor the quality of our testing services and review the competence and qualifications of our laboratory professionals.

PERSONAL REPRESENTATIVES

We may disclose Protected Health Information about you to your authorized personal representative, such as a lawyer, administrator, executor, or other authorized person responsible for you or your estate.

MINORS' PROTECTED HEALTH INFORMATION

We may disclose Protected Health Information about minors to their parents or legal guardians.

PSYCHOTHERAPY NOTES

While PreventionGenetics does not anticipate having access to your psychotherapy notes, PreventionGenetics may use or disclose your psychotherapy notes as required by law: for treatment, payment, or health care operations; to defend itself in a legal action or other proceeding brought by you; or to avert a serious threat to health or safety. Any other use and disclosure of your psychotherapy notes requires your written authorization.

COMMUNICATIONS ABOUT PRODUCTS AND SERVICES

We may use and disclose your Protected Health Information to contact you about other PreventionGenetics products and services that we believe may be of interest to you. Otherwise, any use or disclosure of Protected Health Information for marketing purposes requires your written authorization.

SALE OF YOUR INFORMATION

PreventionGenetics will not sell or otherwise share your Protected Health Information to third parties unless you provide written authorization.

DISCLOSURES TO BUSINESS ASSOCIATES

We may disclose your Protected Health Information to other companies or individuals, known as "Business Associates," who provide services to us. For example, we may use a company to perform billing services on our behalf. Our Business Associates are required to protect the privacy and security of your Protected Health Information and notify us of any improper disclosure of information.

AS REQUIRED BY LAW

We must disclose your Protected Health Information when required to do so by any applicable federal, state, or local law.

PUBLIC HEALTH ACTIVITIES

We may disclose your Protected Health Information for public health-related activities. Examples include: reporting diseases to authorized public health authorities; public health investigations; or notifying a manufacturer of a product regulated by the U.S. Food and Drug Administration of a possible problem encountered when using the product in our testing process.

HEALTH OVERSIGHT ACTIVITIES

We may disclose your Protected Health Information to a healthcare oversight agency for activities that are authorized by law, such as audits, investigations, inspections, and licensure activities. For example, we may disclose your Protected Health Information to agencies responsible for ensuring compliance with the rules of government health programs, such as Medicare or Medicaid.

RESEARCH

Under certain circumstances, we may use or disclose your Protected Health Information for non-profit research purposes. Most data that are presented by PreventionGenetics for research purposes are aggregate data. Such data are collected from multiple patients such that it is impossible to identify the individual contributors. Occasionally, we will present data for research purposes that pertain to a single patient. These data will never contain obvious identifiers such as names, addresses, or identification numbers. Our senior scientists will carefully review the data to determine if you could possibly be identified from the data alone. If so, we will obtain your expressed written permission prior to presenting the data.

ORGAN OR TISSUE PROCUREMENT

We may disclose Protected Health Information to organ procurement organizations or related entities for the purpose of facilitating organ or tissue donation and transplantation.

CORONERS, MEDICAL EXAMINERS, AND FUNERAL DIRECTORS

We may disclose Protected Health Information to coroners, medical examiners, or funeral directors to identify a deceased patient, to determine cause of death, or other duty authorized by law.

JUDICIAL AND ADMINISTRATIVE PROCEEDINGS

Under certain circumstances, we may disclose your Protected Health Information in the course of a judicial or administrative proceeding in response to a court order, subpoena, or other lawful process.

LAW ENFORCEMENT

We may disclose your Protected Health Information to the police or other law enforcement officials as required by law or in compliance with a court order, warrant, subpoena, summons, or other legal process for locating a suspect, fugitive, witness, missing person, or victim of a crime.

THREATS TO HEALTH OR SAFETY

We may disclose Protected Health Information to prevent or reduce the risk of a serious and imminent threat to the health or safety of an individual or the general public.

VICTIMS OF ABUSE, NEGLECT, OR VIOLENCE

If required or authorized by law, we may disclose Protected Health Information to a government agency, such as social services or a protective services agency, if we reasonably believe that an individual adult or child is the victim of abuse, neglect, or domestic violence.

SPECIALIZED GOVERNMENT FUNCTIONS

Under certain circumstances, we may disclose your Protected Health Information to units of the government with special functions, such as the U.S. Military or the U.S. Department of State.

WORKERS COMPENSATION PROGRAMS

We may disclose your Protected Health Information as necessary to comply with requirements of workers' compensation or similar programs that provide benefits for work-related injuries or illness.

ALL OTHER USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION

We will ask for your written authorization before using or disclosing your Protected Health Information for any purpose not described above. You may revoke your authorization, in writing, at any time, except for disclosures that the company has already acted upon. A revocation of authorization must be submitted to the Privacy Officer at the address listed in Section VIII below.

IV. Your rights regarding your medical information

You have the following rights with respect to your Protected Health Information. To exercise any of these rights, please contact our Privacy Officer using the contact information provided at the end of this Notice.

ACCESS TO PROTECTED HEALTH INFORMATION

You, or your authorized or designated personal representative, have the right to inspect and copy the Protected Health Information maintained by us.

RESTRICTIONS ON USES AND DISCLOSURES

You have the right to request restrictions on our use and disclosure of your Protected Health Information. While we will consider all requests for additional restrictions carefully, we are not required to agree to a requested restriction except for Payment or Operations restrictions where payment has been made "out-of-pocket" and paid-in-full. If we do agree to a requested restriction, we will notify you in writing.

CONFIDENTIAL COMMUNICATIONS

You have the right to request that we communicate with you about your Protected Health Information by alternative means or to an alternative address. Your request must be in writing and must specify the alternative means or location. We will accommodate reasonable requests for confidential communications.

CORRECT OR UPDATE INFORMATION

If you believe the Protected Health Information we maintain about you contains an error, you may request that we correct or update your information. Your request must be in writing and must explain why the information should be corrected or updated. We may deny your request under certain circumstances and provide a written explanation.

ACCOUNTING OF DISCLOSURES

You may request a list, or accounting, of certain disclosures of your Protected Health Information made by us or our business associates for purposes other than treatment, payment, healthcare operations, and certain other activities. The request must be in writing, and the list will include disclosures made within the prior six years.

COPY OF NOTICE

Upon request, you may obtain a paper or electronic copy of this Notice.

V. Information breach notification

We are required to notify you following the discovery a breach of unsecured Protected Health Information, unless there is a demonstration, based on a risk assessment, that there is a "low probability" that the Protected Health Information has been compromised. You will be notified in a timely fashion, no later than 72 hours after discovery of the breach.

VI. Questions and complaints

If you have questions or concerns about our privacy practices or would like a more detailed explanation about your privacy rights, please contact our Privacy Office using the contact information below.

If you believe that we may have violated your privacy rights, you may submit a complaint to our Privacy Office. You also may submit a written complaint to the U.S. Department of Health and Human Services. We will provide you with the address to file your complaint with the U.S. Department of Health and Human Services upon request. PreventionGenetics will not take retaliatory action against you, and you will not be penalized in any way if you choose to file a complaint with us or with the U.S. Department of Health and Human Services.

VII. Changes to our notice of privacy practices

We reserve the right to change our privacy practices and the terms of this Notice at any time, provided such changes are permitted by applicable law.

We will promptly post any changes to this Notice on our Website at www.PreventionGenetics.com. Please review this Website periodically to ensure that you are aware of any updates.

VIII. Contact information

When communicating with us regarding this Notice, our privacy practices, or your privacy rights, please contact the Privacy Officer using the following contact information:

privacy@exactsciences.com

1-844-570-9736

PREVENTIONGENETICS PRIVACY POLICY

EFFECTIVE DATE OF POLICY: August 22, 2022

PreventionGenetics, a wholly-owned subsidiary of Exact Sciences, is a diagnostic laboratory that offers Clinical DNA Testing, DNA Banking, and other genetic services. PreventionGenetics is committed to protecting the privacy of every person who visits the PreventionGenetics Websites so that each person will feel free to gather information or make inquiries/comments about our sites. To ensure transparency, this Privacy Policy (this "Policy") describes how we collect, use, secure, and share your personal information when you access or use our Websites, including www.PreventionGenetics.com, www.preventiongenetics.com/portal/login/loginIndex (our myPrevent Portal), and www.preventiongenetics.com/pgdnabank/ (our DNA Banking Website) (referred to collectively as our "Websites"), and when you transmit information to us electronically or in hard copy in relation to our genetic testing and related services.

This Privacy Policy is in addition to and does not replace our Notice of Privacy Practices, which explains how we handle personally-identifiable health information.

1. ACCEPTANCE

Before using our Services, please read the PreventionGenetics Terms & Conditions. By accepting the applicable Terms & Conditions, you agree with our privacy practices as described in this Policy. If you do not agree with the terms of this Policy, please do not access or use our Websites or use our Services.

2. POLICY UPDATES

PreventionGenetics may alter or make changes to this web privacy statement from time to time when developments occur and/or technology improvements are implemented. When changes are made, we will update our privacy policy and notices. Please review this page periodically to ensure that you are aware of any such updates. Your continued use of our Websites after we have posted a notice on the Website constitutes your acceptance of such changes.

3. TYPES OF INFORMATION WE COLLECT

Throughout this Policy we use the term "personal information" to describe data that identifies you or makes you identifiable. The definition of personal information depends on the applicable law based on your physical location and may include other types of information such as your IP address. Only the definition that applies to your physical location will apply to you under this Policy.

This Policy covers all personal information that you voluntarily submit to us. This Policy does not apply to anonymized data, such as aggregated data, as it cannot be used to identify you. Except as described in this Policy, PreventionGenetics will not give, sell, rent, or loan any personal information to any third party.

We may collect the following types of information:

Information you provide voluntarily. We collect any personal information that you voluntarily provide to us, such as your inquiries through our Website, information you provide about your business, suggestions for improvements, referrals, survey responses, or any other actions performed by you on our Services.
Communications between you and PreventionGenetics. We collect personal information you submit when contacting us (such as your name, contact information and any other information you choose to submit). We collect any communications between us, including any files or attachments we exchange. For example, we may send you Service-related emails (e.g., account verification, changes/updates to features of our Services, technical and security notices).
Registration information. Our myPrevent Portal is only for the use of physicians and their authorized representatives as stated in the Terms and Conditions of Use for our Physician Portal. In registering for our Portal, physicians provide name, phone, address, and occupation. Our Portal is used for the storage and transmission of protected health information between PreventionGenetics and physicians and their authorized representatives. Protected health information is used in accordance with the Health Information Portability and Accountability Act (HIPAA) and applicable laws governing patient privacy. Protected health information available on our Portal may only be used or disclosed for treatment and other authorized purposes as stated in the Notice of Privacy Practices.
Payment information. When you place an order with us or engage in transactions via our Services, we collect your payment information through our Websites (such as payment card, billing, and shipping information in addition to your contact information).
Job application information. If you are applying online for employment, PreventionGenetics may ask for voluntary self-identification information, such as nationality or sex. Completion of this information is voluntary and is not a requirement of employment. This information will in no way affect the decision regarding your employment application. This information will be kept confidential and maintained separate from your application for employment. We hope that you will complete this information to assist us in recording data for statistical reports that we are obligated to file periodically with various government agencies.

Additionally, PreventionGenetics will ask for your education background, which is a requirement for the application process. Finally, the online application process will allow you an opportunity to post your current resume in text form or via an attachment. The information submitted is for our own recruitment use. PreventionGenetics does not sell the information you provide at this Website to any third party. PreventionGenetics will use this information to comply with your request for potential employment. PreventionGenetics is an Equal Opportunity Employer.
Device information. When you use a mobile device (e.g., a tablet or smartphone) to access our Services, we may collect information about your device. We may collect information about your device's hardware, operating system or software, device name, unique device identifier, your mobile network information, and any other information about your device's interaction with our Services. Some features of the Services may not function properly if use or availability of device identifiers is impaired or disabled.
Information about your use of the Services. When you browse our Websites, our system automatically collects information such as your web request, Internet Protocol ("IP") address, browser type, browser language, domain names, referring and exit pages and URLs, platform type, pages viewed and the order of these page views, the amount of time spent on particular pages, the date and time of your request, and one or more cookies that may uniquely identify your browser. We may collect this information through third-party analytics tools. This information is used to analyze trends, administer our Websites, improve the design of our Websites, and otherwise enhance our Services.
Cookies. PreventionGenetics tracks visitors to our Websites by collecting data elements called cookies. Cookies generated by the PreventionGenetics Websites are used to (1) enable certain functions and tools on these Websites, (2) assist in the navigation of the Websites, (3) Track resources and data used on these sites, and (4) remember computer settings. PreventionGenetics also collects other forms of non-personal information, such as browsers used to access our Websites, search terms used to find the Websites, and traffic referrals and links to our Websites. Cookies are not permanently maintained within our tracking system. You may prevent your computer from accepting cookies by modifying the properties on your Web browser; however, stopping your computer from accepting cookies may limit your Web browser's functionality on the PreventionGenetics Websites.

PreventionGenetics uses the services of Google Analytics and Pardot software to analyze traffic to the PreventionGenetics Websites. This software uses a first party cookie to track visitor activity on our Websites. We use this information to improve the content of our sites as well as to provide visitors with a more relevant overall experience with our organization and our sites. As mentioned earlier, we never share information you provide us with third parties. If you do not want these sites to place a cookie on your browser and track your activity, you may leave the sites or you may browse the sites using privacy mode in your web browser. To learn how to use privacy mode refer to the links below depending on the browser you use.

PreventionGenetics uses first party HTML browser cookies in our web tracking technology. This means that visitors to our sites are easily able to set their browsers to reject cookies (however, stopping your computer from accepting cookies may limit your Web browser's functionality on the PreventionGenetics Websites) and are easily able to delete cookies set by us and others. For example, to set the Internet Explorer browser to reject cookies go to Tools > Internet Options > Privacy > Settings and select the privacy level (using the slider bar) that you prefer. To delete cookies in Internet Explorer, go to Tools > Internet Options > General > Browsing History and click the Delete button then select the cookies option.
PreventionGenetics never stores any information in your computer's Flash local shared objects area (i.e. we never use what is known as 'flash cookies').
PreventionGenetics never uses visitor identification techniques that involve sharing information you provide us with other sites or vice versa.

Aggregate Website data collection. We will not give, sell, rent, loan, or otherwise disclose any personal information to any third party, unless (1) you have authorized us to do so, (2) we are legally required to do so, for example, in response to a subpoena, court order or other legal process, and/or (3) it is necessary to do so in order to protect and defend the rights or property of these Websites. We may share aggregate, non-personal information about Website usage with unaffiliated third parties. This aggregate information does not contain any personal identifiable information about our users.

4. CHILDREN'S INFORMATION

Our Websites are directed toward adults and are not designed for, intended to attract, or directed toward children under the age of 16. If you are under the age of 16, you must obtain the authorization of a responsible adult (parent or legal guardian) before using or accessing our Websites. If we become aware that we have collected any personal information from children under 16, we will promptly remove such information from our databases.

5. HOW WE USE PERSONAL INFORMATION

Your personal information may be used for the following purposes:

to provide our Services to you. We process your personal information to provide you with our Services that you request. We share this information with third-party services upon your request, or our service providers or partners to the extent necessary to provide you with our Services. We cannot provide you with our Services without processing your personal information.
to inform you about research opportunity and clinical trials. If you are a healthcare provider or patient ordering our Services, to contact you about research opportunities, clinical trials, or clinical treatments for you or your patients when appropriate.
to contact you about our Services. When you sign up for our Services, we will send you administrative or account-related information to you to keep you updated about our Services. As service-related communications are not promotional in nature, you are not able to unsubscribe from such communications, otherwise you may miss important developments relating to your account or our Services that could affect your use of our Services.
to respond to your inquiries and provide customer service. When you contact us, such as with questions, concerns, feedback, disputes, or issues, we process your information. Without your personal information, we cannot respond to you or ensure your continued use and enjoyment of our Services.
to enforce our terms, agreements, or policies. We process your personal information to actively monitor, investigate, prevent, and mitigate any alleged or actual prohibited, illicit, or illegal activities on our Services; investigate, prevent, or mitigate violations of our terms, agreements, or policies; enforce our agreements with third parties and partners. We cannot perform our Services in accordance with our terms, agreements, or policies without processing your personal information for such purposes.
to ensure the security of the Services. We process your personal information to combat spam, malware, malicious activities, or security risks; improve and enforce our security measures; and to monitor and verify your identity so that unauthorized users do not access your account with us. We cannot ensure the security of our Services if we do not process your personal information for security purposes.
to maintain legal and regulatory compliance. Certain laws or regulations apply to our Services that may require us to process your personal information. For example, we process your personal information to fulfill our business obligations, ensure compliance with employment and recruitment laws, or as necessary to manage risk as required under applicable law. Without processing your personal information for such purposes, we cannot perform our Services in accordance with our legal and regulatory requirements.
to personalize your experience on our Websites. We use cookies and similar tracking technology to personalize your experience on our Websites - please see Section 3 above for more information. By personalizing our Services, you get to enjoy our Services even more because we keep track of your preferences (e.g., your language selection, your time zone, etc.). Without our processing of your personal information for such purposes, you may not be able to access or personalize part or all of our Services.
to conduct research and development. To continue to provide you with our innovative Services, we may collect information about the way you use and interact with our Services for research and development purposes. Research and development help us improve our Services and build new Services and customized features or Services. We take additional security measures when processing your personal information for such purposes, by de-identifying or pseudonymizing your information, limiting access to personnel that may conduct research and development, and applying other technical, physical, and administrative security measures. Without processing your personal information for such purposes, we cannot guarantee your continued enjoyment of part or all of our Services.
to engage in marketing activities. We want to share information about our Services with you. To do so, we may process your contact information or information about your interactions with our Services to send you marketing communications; provide you with information about events, webinars, or other materials; deliver targeted marketing to you; and keep you updated about our Services. You can opt-out of our marketing activities at any time and free of charge.

If in the future, we use your personal information in any way that is not described in this Policy, we will disclose this to you. At that time, you can choose not to allow us to use your personal information for any purpose that is incompatible with the purposes for which we originally collected it or subsequently obtained your consent. If you choose to limit the ways we can use your personal information, some or all of our Services may not be available to you.

6. INFORMATION WE SHARE

PreventionGenetics may disclose your personal information as described below.

Our service providers, vendors, and others. We may share your personal information with our service providers, business partners, or third-party organizations that help us provide our Services to you. Such entities will be given access to your information as is reasonably necessary to provide our Services under contractual obligations at least as protective as this Policy. We require our agents, vendors, and service providers to limit their use of information but do not otherwise guarantee that any entity receiving such information in connection with one of these transactions will abide by this Policy. Agents, vendors, and service providers who may have access to protected health information are contractually obligated to protect the privacy and security of such information.
Affiliated businesses. We may share your personal information with group companies and affiliates. Affiliated businesses may use your information to help provide, understand, and improve our Services and the affiliates' own services.
Change of control. We may share your personal information with a subsequent owner, co-owner, or operator of our Services, or in connection with a corporate merger, consolidation, or restructuring; financing, acquisition, divestiture, or dissolution of all or some portion of our business; or other corporate change. We will notify you of any choices you may have regarding your information.
Safety and legal compliance. We may share your personal information if we believe that such disclosure is necessary to comply with any applicable laws, regulations, legal processes or requests by public authorities (e.g., law enforcement, tax authorities, etc.); protect you, us or our other users' rights or property; protect our Services; and to comply or enforce our terms, agreements or policies.
Your consent or actions. We will share personal information with companies or individuals when we have your consent to do so. Also, any information or content that you voluntarily disclose for posting to our Services, such as blog comments or social media posts on our social media profiles, become available to the public.
Anonymous or aggregate data. We may share anonymized or aggregated information with any third parties. Such information no longer reasonably identifies you.

7. USE AND DISCLOSURE OF DE-IDENTIFIED INFORMATION

"De-identified" information is data we have stripped of your personally-identifiable"information, such as your name, address, or birthdate. We may use de-identified"information that we have obtained from our Services for various purposes, including for"example:

For quality control & validation:

In accordance with regulatory requirements, we may de-identify, store, and use patients' samples and information for internal quality control, validation, and research and development. This is important for PreventionGenetics to maintain high-quality genetic testing and to develop new genetic tests.
In accordance with regulatory requirements, we may also share de-identified patients' samples and information with other laboratories for quality assurance and validation purposes. Such sharing is essential to having high-quality genetic testing within the community of testing laboratories.

For research purposes:

We may contribute de-identified genetic variants that we have observed in the course of providing our Services to publicly available databases such as ClinVar. We do this to increase understanding and raise awareness of the significance of genetic variants within the medical and scientific communities.
We may use or disclose de-identified patient information for general research purposes. This may include research collaborations with third parties, such as universities, hospitals, or other laboratories, in which we utilize de-identified clinical cases, at the individual level or in the aggregate, in accordance with approved study protocols, and we may present or publish such information. This may also include commercial collaborations with private companies for purposes such as to determine the prevalence of particular disorders or variants among the patients we have tested or to determine whether any of the patients we have tested might be suitable for potential recruitment for research, clinical trials, or clinical care; however, we will not directly contact these patients about these opportunities without their prior written consent.

To the extent we have relied on your consent to process such de-identified data in relation to the above, you may withdraw your consent to participate at any time by changing your consent status on the My Account page after logging in. PreventionGenetics will not include your de-identified information in new research occurring after 30 days from the receipt of your request. Any research involving your data that has already been performed or published prior to our receipt of your request will not be reversed, undone, or withdrawn.

8. THIRD-PARTY INFORMATION

You agree that you have provided notice to, and obtained consent from, any third party individuals whose personal information you supply to us, including with regard to (a) the purposes for which such third party's personal information has been collected; (b) the intended recipients or categories of recipients of the third party's personal information; (c) which of the third party's information is obligatory and which information, if any, is voluntary; and (d) how the third party can access and, if necessary, rectify the information held about them.

9. LINKED WEBSITES

Our Websites may contain links to external websites. PreventionGenetics does not maintain these sites and is not responsible for the privacy practices of sites that it does not operate. Please refer to the specific privacy policies posted on these sites.

10. INFORMATION ACCESS, UPDATES, AND CHOICE

You can update, amend, or delete your account information and preferences at any time by visiting the My Account page after logging in.

PreventionGenetics email correspondence will include instructions on how to update certain personal information and how to unsubscribe from our emails and postal mail correspondence. Please follow the instructions in the emails to notify PreventionGenetics of changes to your name, email address, and preference information. PreventionGenetics will take reasonable steps, such as confirmation emails, to verify your identity before granting access to your personal information. For individuals residing in the European Economic Area (EEA), Switzerland, or the United Kingdom (collectively, the "Designated Countries") at the time of data collection, please refer to Section 14 below.

11. RETENTION

We store your personal information for as long as we need it to provide you our Services, to serve the purpose(s) for which your personal information was processed, or as necessary to comply with our legal obligations, resolve disputes, or enforce our agreements to the extent permitted by law. While retention requirements can vary by country, we generally apply the retention periods noted below.

We store information used for marketing purposes indefinitely until you unsubscribe. Once you unsubscribe from marketing communications, we add your contact information to our suppression list to ensure we respect your unsubscribe request. Also, we retain any information collected via cookies, clear gifs, flash cookies, webpage counters, and other technical or analytics tools up to one year from expiry of the cookie or the date of collection. If you have any questions about our retention periods, please feel free to contact us.

12. SECURITY MEASURES

We use reasonable technical, administrative, and physical measures to protect information contained in our system against misuse, loss or alteration. Information that you provide through our Websites is encrypted using industry-standard Secure Sockets Layer (SSL) technology, with the exception of information you send via email. Your information is processed and stored on controlled servers with restricted access. Unfortunately, no method of electronic transmission is 100% secure, so we cannot ensure or warrant the security of any information you transmit to our Websites, and you do so at your own risk.

Please recognize that protecting your personal information is also your responsibility. You should keep your username, password, ID numbers, or other access credentials secure as PreventionGenetics cannot secure personal information that you release on your own or that you request us to release. If we receive instructions using your log-in information we will consider that you have authorized the instructions.

13. INTERNATIONAL TRANSFERS OF PERSONAL INFORMATION

We may store, process, and transmit personal information in locations around the world, including locations outside of the country or jurisdiction where you are located. Such countries or jurisdictions may have data protection laws that are less protective than the laws of the jurisdiction in which you reside. If you do not want your information transferred to or processed or maintained outside of the country or jurisdiction where you are located, you should not use our Services.

We transfer your personal information subject to appropriate safeguards as permitted under the applicable data protection laws. Specifically, when your personal information is transferred out of the Designated Countries, we have the required contractual provisions for transferring personal information in place with the third parties to which your information is transferred. For such transfers, we rely on legal transfer mechanisms such as Standard Contractual Clauses.

14. NOTICE TO INDIVIDUALS LOCATED IN THE ECONOMIC EUROPEAN UNION OR SWITZERLAND

This Section only applies to users of our Services that are located in the European Economic Area, United Kingdom, or Switzerland (collectively, the "Designated Countries") at the time of data collection. We may ask you to identify which country you are located in when you use some of our Services, or we may rely on your IP address to identify which country you are located in.

Where we rely only on your IP address, we cannot apply the terms of this Section to any User or Customer that masks or otherwise obfuscates their location information so as not to appear located in the Designated Countries. If any terms in this Section conflict with other terms contained in this Policy, the terms in this Section shall apply to users in the Designated Countries.

Our relationship to you. A "data controller" is an entity that determines the purposes for which and the manner in which any personal information is processed. Any third parties that act as our service providers are "data processors" that handle your personal information in accordance with our instructions. PreventionGenetics is a controller in relation to the information that a physician enters about him or herself directly into the website using our myPrevent Portal (or any similar portal hosted by PreventionGenetics). To the extent a user enters personal information on our Websites to pay for, use, or obtain further information about our Services, PreventionGenetics is a controller.

Lawful basis for processing your personal information.We describe our processing activities in Section 5 ("How We Use Personal Information), Section 6 ("Information We Share") and Section 7 ("Use and Disclosure of De-identified Information"). Below is a chart indicating the legal bases we rely on in processing personal information.

Section	Purposes of processing	Legal basis for processing
5	to provide our services to you	Processing is based on our contractual obligations under the Terms of Service or to take steps at the request of the individual prior to entering into a contract.
5	to send service-related communications
5	to provide customer support
5	to enforce our terms, agreements, or policies
5	to ensure the security of our services
6	our service providers, business partners, and others
6	disclosure to affiliated businesses
5	to inform you about research opportunities	Processing is based on our legitimate interest to better understand you, to maintain and improve the accuracy of the information we store about you, and to better promote or optimize our Services.
5	to personalize your experience on our website
6	to conduct research and product development
6	change of control
5	to ensure the security of our services	Processing is necessary for compliance with our legal obligations, the public interest, or in your vital interests.
5	to maintain legal or regulatory compliance
5	responding to legal requests and preventing harm
6	safety and legal compliance
5	to allow you to share personal information for research purposes	Processing is based on your consent, as required under applicable law. In relation to 7(i) and 7(ii), to the extent the de-identified data is anonymized, it is not considered personal data and falls outside the General Data Protection Regulations (GDPR).
7	for quality control & validation
7	for research purposes

Marketing activities. Direct marketing includes any communications we send to you that are only based on advertising or promoting products and services. Transactional communications about your account or our Services are not considered "direct marketing" communications. We will only contact users or customers by electronic means (including email or SMS) based on our legitimate interest or their consent. When we rely on legitimate interest, we will only send you information about our Services that are similar to those which were the subject of a previous sale or negotiations of a sale to you. If you do not want us to use your personal information in this way, please click an unsubscribe link in your emails, or contact us at privacy@PreventionGenetics.com. You can object to direct marketing at any time and free of charge.

Individual rights. We provide you with the rights described below when you use our Services. When we receive an individual rights request from you, please make sure you are ready to verify your identity. Please be advised that there are limitations to your individual rights. We may limit your individual rights in the following ways: (i) where denial of access is required or authorized by law; (ii) when granting access would have a negative impact on others' privacy; (iii) to protect our rights and properties; and (iv) where the request is frivolous or burdensome. If you have questions, if you would like to exercise your rights under the applicable law please contact us at privacy@exactsciences.com.

Right to withdraw consent. If we rely on consent to process your personal information, you have the right to withdraw your consent at any time. A withdrawal of consent will not affect the lawfulness of our processing or the processing of any third parties based on consent before your withdrawal.
Right of access and rectification. If you request a copy of your personal information that we hold, we will provide you with a copy without undue delay and free of charge, except where we are permitted by law to charge a fee. We may limit your access if such access would adversely affect the rights and freedoms of other individuals. You may request to correct or update any of your personal information held by us, unless you can already do so directly via the Services.
Right to erasure (the "right to be forgotten"). You may request us to erase any of your personal information held by us that: is no longer necessary in relation to the purposes for which it was collected or otherwise processed; was collected in relation to processing that you previously consented to, but later withdrew such consent; or was collected in relation to processing activities to which you object, and there are no overriding legitimate grounds for our processing. Our assistance with your request for erasure is subject to limitations by relevant data protection laws, available technology, and the cost of implementation. While we will delete the majority of your personal data, the right to erasure is not absolute; it is subject to limitations by relevant data protection laws, our data retention requirements, and other legal obligations. Notably, the following limitations apply: Genetic Information, date of birth, and sex will be retained by PreventionGenetics as required for compliance with applicable legal obligations, including the U.S. Clinical Laboratory Improvement Amendments of 1988 (CLIA), California Business and Professional Code Section 1265, and College of American Pathologists (CAP) accreditation requirements.
Right to object to processing. You may object to our processing at any time and as permitted by applicable law if we process your personal information on the legal basis of consent, contract, or legitimate interests. We can continue to process your personal information if it is necessary for the defense of legal claims or for any other exceptions permitted by applicable law.
Right to restriction. You have the right to restrict our processing your personal information where one of the following applies:
- You contest the accuracy of your personal information that we processed. We will restrict the processing of your personal information, which may result in an interruption of some or all of the Services, during the period necessary for us to verify the accuracy of your personal information.
- The processing is unlawful, and you oppose the erasure of your personal information and request the restriction of its use instead.
- We no longer need your personal information for the purposes of the processing, but it is required by you to establish, exercise, or defend legal claims.
- You have objected to processing, pending the verification whether the legitimate grounds of our processing override your rights.
- We will only process your restricted personal information with your consent or for the establishment, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest. We will inform you if or when the restriction is lifted.
Right to data portability. If we process your personal information based on a contract with you or based on your consent, or the processing is carried out by automated means, you may request to receive your personal information in a structured, commonly-used, and machine-readable format and to have us transfer your personal information directly to another "controller," where technically feasible, unless exercise of this right adversely affects the rights and freedoms of others.
Notification to third parties. If we share your personal information with third parties, we will notify them of any requests for rectification, erasure, or restriction of your personal information, unless this proves impossible or involves disproportionate effort.

When communicating with us regarding our privacy practices or your privacy rights, please contact the Privacy Officer using the following contact information: