Privacy Statement

Last Updated: 11/21/2019

At Nebula Genomics we make your privacy a central part of our Services. This privacy statement explains our collection, use, and disclosure of Personal Information. This privacy statement applies to Nebula Genomics, Inc. and to our controlled affiliates and subsidiaries (“Nebula”, “we”, “our”, or “us”).

References to our “Services” in this statement include our websites, apps, software, and related services. This statement applies to our products that display or reference this statement. This statement however does not apply to any third-party products that display or reference a different privacy statement.

PERSONAL DATA WE COLLECT

The personal data we collect depends on how you interact with us, the products you use, and the choices you make.

We collect information about you from different sources and in various ways when you use our products, including information you provide directly, information collected automatically, third-party data sources, and data we infer or generate from other data.

Information you provide directly. We collect personal data you provide to us. For example, we collect your contact information including name, email address, phone number, username, and password when you create an account or purchase a Service from us. If you make a purchase, we also collect credit card numbers and other payment information through our payment processor.

Contacting Us. You may also provide us other information when interacting with us by email, phone call, via Nebula Support or through other methods of communication. This may include feedback and customer support inquiries. This also includes your preferences for receiving communications about our activities, events, and publications.

Surveys. We also collect voluntary information through surveys. Basic information surveys may collect personal traits and characteristics such as sex, age, ethnicity, weight, and height. This may also include behavioral and social information such as your occupation, commute, diet, alcohol consumption and tobacco use, fitness and exercise and sleep behavior. Health surveys may collect more detailed information about your present or past physical or mental health, medical conditions, diseases and symptoms and other medical information.

Genetic Information. Through your use of the services you may submit a saliva sample. DNA is then extracted from your saliva at one of our partner labs and is converted to a machine-readable code (“DNA Data”) which is used to provide our Gene Sequencing Services. DNA test kit code, year of birth, and sex may also be collected for activation purposes.

Information collected automatically. When you use our products, some information is collected automatically. For example, when you visit our websites, our web servers automatically log your device's operating system, Internet Protocol (IP) address, access times, browser type and language, the website you visited before our site, and your activity on our websites. Depending on your device and app settings, you use our apps or online services. As further described in the Cookies Notice, our websites and online services store and retrieve data using cookies set on your device.

We also log information about your use of the Services, including your interactions with the Services and histories of your transactions and the parties with whom you’ve shared your genetic information.

Information created or generated. We infer new information from other data we collect, including using automated means to generate information about your likely preferences or other characteristics. For example, Google Analytics aids us in inferring your city, state, and country location based on your IP address. We also generate your DNA sequence from your saliva sample with assistance from our lab partners.

When you are asked to provide Personal Information, you may decline. But if you choose not to provide or allow information that is necessary for certain products or features, those products or features may not be available or function correctly.

Use of Data

Generally: to provide you with our Services and analyze and improve our Services.

We use your personal data to provide, personalize, analyze, and improve our Services and as otherwise described in this statement or otherwise disclosed to you. These activities include, among other things, using your information to:

1. Open your account and to your payments. More generally, we use your data to enable the use of our website including authentication of your site visits, providing personalized content, and personalizing your use of the Services;
2. Build new Services and improve existing Services;
3. Provide customer support and respond to your questions;
4. Communicate with you about purchases, your account and any relevant information about our Services (e.g. product updates, policy changes or security issues);
5. Enforce our Terms of Service or any other agreements between you and Nebula;
6. Detect, investigate, and protect against prohibited or illegal behaviors on our Services including combatting spam and other security risks; and
7. Perform research & development activities including but not limited to, conducting statistical data analysis and research.
8. To market new products and offers from Nebula and our partners as well as providing personalized advertising to you based off or your interests.

In carrying out these purposes, we combine data we collect from different sources to give you a more seamless, consistent, and personalized experience.

Genetic Results: to process, analyze and deliver your genetic results.

To receive results from our Services you must first create a Nebula account, register your kit, and submit your saliva sample to our contracted laboratories which then analyze your samples and provide us with the resulting data. Nebula uses your Genetic Information for these primary purposes:

• Analyze Genetic Information to provide you with information on:

1. your ancestry and ethnicity
2. the makeup of your oral microbiome,
3. other insights into what your DNA reveals about your traits, personal health and wellness, based on this information we may also invite you to participate in certain surveys which are entirely optional, and
4. customize the Nebula Library according to genetic profile.

• Study aggregated Genetic Information to provide more accurate ancestry results and oral microbiome and polygenic score percentiles.
• Improve features and functionality in our existing Services, as well as build new products to add to our Services and ultimately better serve you.
• Conducting scientific, statistical and historical research.

Blockchain Ledger

Nebula uses blockchain technology to improve transparency and control over genetic data. We are currently in the process of developing our blockchain infrastructure to record user consent settings and requests for access to user data. This will be designed to increase transparency and immutability of data access request and user consent for sharing data. By storing data requests and consent settings on the blockchain, Nebula hopes to enable users to audit any transactions involving their data to ensure that all of the data sharing is acceptable and no misuse of data has taken place.

Information we share with third parties:

Nebula is committed to transparency in data sharing, and giving you certain control over when and how your genetic data is shared. We only share your Personal Information, including your Genetic Information with third-parties with your explicit permission, as necessary to complete your transactions or provide the products you have requested or authorized, or as otherwise described in this Privacy Statement. We may share personal data with our subsidiaries and affiliates that share common data systems and process data as needed to provide our products and operate our business. We do, and will continue to, develop our Services around these principles. In the spirit of transparency, the circumstances described below explain when sharing might occur:

When you choose to share your information through sharing features:

As part of our Services, you have the option to share your Genetic Information with others through sharing features in the Services. This includes, but is not limited to, sharing your genetic reports or ancestry information with others on social media platforms such as Facebook.

If you decide to share details about your ancestry, traits, or any other information through these sharing features, you do so at your own risk. We encourage you to review the privacy statements of these third parties before using these features.

Sharing your Genetic Information for Research Purposes:

You will have the choice to participate in Nebula research. Nebula research may be conducted by Nebula in partnership with third-parties such as non-profit foundations, academic institutions or pharmaceutical companies; or similar third-parties independently performing research with Nebula facilitating access to the data. These studies may focus on a specific group or population, identify potential areas or targets for therapeutics and drug discovery, genetic research to help in further understanding the relationship between health and the human genome, and ultimately apply all of this knowledge to improve healthcare.

Nebula is not currently engaged in sharing your data with any researchers. In the near future, as the opportunity for you to connect with researchers arises, we will ensure either having acquired the proper consent from you for such sharing, or in turn will reach out to see if you are interested in engaging in Nebula’s research.

Service Providers

We work with other companies to provide our Services. In turn, we share information with these third-party services providers as necessary for them to provide their services to us and help us perform our contract with you. These third parties support our Services in a number of ways, including the following areas:

1. Order fulfillment and shipping
2. Payment processing
3. Our gene sequencing and processing labs
4. Customer care support
5. Cloud storage, IT, and security
6. Marketing and analytics

Aggregate Information 

We may use personal data in our possession to create de-identified and aggregated data sets. In other words, some of the data that we collect from you is stripped of all information that may be used to identify an individual, and are stored in a data set in combination with other users’ de-identified data. We may then use this aggregate data for any purposes or disclose it to third parties for their purposes in accordance with applicable laws. For example, we use Aggregate Information to provide statistical information such as our users’ Oral Microbiome percentiles. 

Law Enforcement

Nebula will not voluntarily share your genetic information with law enforcement. However, under certain circumstances your genetic information may be subject to processing pursuant to laws, regulations or judicial or governmental orders, warrants or subpoenas. In other words, a lawful demand by public authorities may require we share your personal Information.

Nebula will not share any other categories of Personal Information, other than to cooperate with law enforcement, protect the safety of persons or property, or in enforcing our, our affiliates or partners’ legal rights. For example, if a user defrauds our Services, we may share that user’s personal information with law enforcement in an effort to recuperate the defrauded costs.

If we are compelled to disclose your Personal Information, we will do our best to provide you with advance notice, unless we are prohibited under law from doing so. In the spirit of transparency, we will produce a Transparency Report to provide disclosure of the number of valid law enforcement requests for user data across all of our Services.

Other Legal Disclosures

We may share your personal data if we believe it is reasonably necessary to enforce the Nebula Terms and Conditions, protect the security and integrity of our Services, or protect the rights, safety, or property of Nebula, our employees or users.

Business Purposes

In the event that Nebula is acquired or transferred including in connection with corporate transaction, bankruptcy, or similar proceedings (including financing, merger, acquisition, dissolution, or a transfer, divestiture, or sale of a portion or all of our business or assets), we will share your personal data Information with the acquiring or receiving entity as a part of the transaction or negotiation for such a transaction. Nonetheless, the promises of this Privacy Statement will continue to apply to your personal data that is transferred to the new entity.

Choice and Control of Personal Data

1. Access, Correction, and Deletion  of your Personal Information. Nebula will allow you to access and correct your registration information within the account settings and your Self-Reported Information by going to the specific survey’s page and changing any answers previously reported. This will not delete your prior entry for the specific survey-response. To permanently delete any prior response for reasons such as inaccuracy, you may reach out to the Nebula team at Legal@nebula.org and request to have any health survey responses deleted. Also, you may download your raw genetic information here. You may initiate deletion of certain personal data by emailing support@nebula.org with your request.  If you would like to request access, correction, or deletion of any other information, contact Support@nebula.org and we will do our best to assist you without undue delay. However, to the extent permitted by applicable law, we reserve the right to charge a fee or decline requests that are unreasonable or excessive, where providing the data would be prohibited by law or could adversely affect the privacy or other rights of another person, or where we are unable to authenticate you as the person to whom the data relates. 
2. Communications preferences. You can choose whether to receive promotional communications from us by email. If you receive promotional emails from us and would like to stop, you can do so by following the directions in that message. These choices do not apply to mandatory service communications that are part of certain products, or to surveys or other informational communications that may have their own unsubscribe method.
3. Sale of Genetic Data to Researchers. See the Sharing your Genetic Information for Research Purposes section for choices about selling your data.
4. Choices for Cookies and Similar Technologies. See the Cookies section for choices about cookies and other analytics and advertising controls.
5. Do Not Track. Some browsers have incorporated "Do Not Track" (DNT) features that can send a signal to the websites you visit indicating you do not wish to be tracked. Because there is not a common understanding of how to interpret the DNT signal, our websites do not currently respond to browser DNT signals. Instead, you can use the range of other tools to control data collection and use, including the cookie controls and advertising controls described above.

EUROPEAN DATA PROTECTION RIGHTS

If the processing of personal data about you is subject to European Union data protection law, you have certain rights with respect to that data:

• You can request access to, and rectification or erasure of, personal data;
• If any automated processing of personal data is based on your consent or a contract with you, you have a right to transfer or receive a copy of the personal data in a usable and portable format;
• If the processing of personal data is based on your consent, you can withdraw consent at any time for future processing;
• You can to object to, or obtain a restriction of, the processing of personal data under certain circumstances; and
• For residents of France, you can send us specific instructions regarding the use of your data after your death.

To make such requests or contact our Data Protection Officer, you can follow the directions outlined in this privacy statement or contact us at Legal@nebula.org.  You also have the right to lodge a complaint with a supervisory authority, but we encourage you to first contact us with any questions or concerns.

We rely on different lawful bases for collecting and processing personal data about you, for example, with your consent and/or as necessary to provide the products you use, operate our business, meet our contractual and legal obligations, protect the security of our systems and our customers, or fulfil other legitimate interests.

Our Data Retention Policies

We retain personal data for as long as necessary to provide the products and fulfill the transactions you have requested, comply with our legal obligations, resolve disputes, enforce our agreements, and other legitimate and lawful business purposes. Because these needs can vary for different data types in the context of different products, actual retention periods can vary significantly based on criteria such as user expectations or consent, the sensitivity of the data, the availability of automated controls that enable users to delete data, and our legal or contractual obligations. For example, all of the data collected by Google Analytics for the purposes understanding our website usage is automatically deleted after 26 months, all mobile identifiers and cookie identifiers placed by Adroll expire and are then deleted after 13 months, and the Recent User Activity feed collected by Hotjar are retained for 1 year.

Nebula will store your account profile information, including your raw genetic data, health surveys, and related reports and information, as long as your Account is open, unless you make a request for us to delete all or any of your information prior to the closing of your Account as described in this privacy statement. If you decide to close your Account, then Nebula will automatically destroy this personal data related to your account. In specific circumstances such as by court order, subpoena, or other legal or regulatory obligations, however, Nebula may be required by law to store your information beyond the deletion of your Account or request for deletion of Personal Information. Nebula may also retain disaster recovery copies for a fixed period following this deletion, although this data will not be used for any purpose other than disaster recovery.

You may access and delete or change much of your information through your Account Settings here. Otherwise, any information that is not accessible in your Account Setting can be accessed and changed or deleted by reaching out to Legal@nebula.org.

Security

Nebula maintains a comprehensive information security program designed to protect your Personal Information through the use of many safeguards. Nebula has measures in place designed to protect against inappropriate access, loss, or misuse of Personal Information. For example, we use secure server software to encrypt Personal Information and work with data storage cloud partner that meet our security standards.   

While we cannot guarantee that loss, access or misuse of data will not occur, we use reasonable efforts to prevent these outcomes. To help us protect Personal Information, we request that you use a strong password and never share your password with anyone or use the same password with other sites or accounts.

Data Location and Transfer and Privacy Shield Notice

The personal data we collect may be stored and processed in your country or region, or in any other country where we or our affiliates, subsidiaries, or service providers maintain facilities. Currently, we primarily use data centers in the United States. The storage location is chosen to operate efficiently and improve performance. We take steps designed to ensure that the data we collect under this statement is processed according to the provisions of this statement and applicable law wherever the data is located.

Location of Processing European Personal Data

We transfer personal data from the European Economic Area and Switzerland to other countries, some of which have not been determined by the European Commission to have an adequate level of data protection. When we do so, we use a variety of established transfer mechanisms such, as the Privacy Shield or contracts, to help ensure your rights and protections. To learn more about the European Commission’s decisions on the adequacy of personal data protections, please visit: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en. 

Privacy Shield

Nebula participates in and has certified its compliance with both the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks as set forth by the U.S. Department of Commerce regarding the collection, use and retention of personal data transferred to the United States from the European Union (EU), European Economic Area (EEA), and Switzerland. To learn more about the Privacy Shield program, and to view our certification, please visit the U.S. Department of Commerce’s Privacy Shield List.

We are committed to subjecting all personal data that we receive from the EU member countries, the EEA, and Switzerland to the Privacy Shield Framework Principles in the European Union Data Protection Rights section above. If third-party agents process personal data on our behalf in a manner inconsistent with the principles of either Privacy Shield Framework, we remain liable unless we prove we are not responsible for the event giving rise to the damage. If there is any conflict between the terms of this Privacy Statement and the Privacy Shield Principles, the Privacy Shield Principles shall govern.

In regard to personal data received or transferred pursuant to the Privacy Shield Frameworks, Nebula is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission (FTC). Further, in certain situations we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirement.

If you have a question or complaint related to our participation in the EU-U.S. or Swiss-U.S. Privacy Shield, please contact us as indicated at the bottom of this privacy statement. For any complaints related to the Privacy Shield frameworks that cannot be resolved with us directly, you may refer the matter to your local Data Protection Authority or the Swiss Federal Data Protection and Information Commissioner (FDPIC) if you are located in Switzerland. Finally, under limited circumstances and after other available dispute resolution mechanisms have been exhausted, binding arbitration is available for EU and Swiss individuals to address certain residual complaints not resolved by other means.

Changes to this Statement

We will update this privacy statement when necessary to reflect changes in our products, how we use Personal Information, or the applicable law. When we post changes to the statement, we will change the "Last Updated" date at the top of the statement.  If we make material changes to the statement, we will provide notice or obtain consent regarding such changes as may be required by law.

How to Contact Us