Last Updated: 1/25/2022
By using our Services, you are agreeing to this Policy and you provide your informed and explicit consent to the uses of your Personal Information (defined below) including your Genetic Data. This Policy notifies you of the use of your Personal Information and by proceeding to use our Services you confirm your understanding of its terms.
This Policy explains what Personal Information we collect and how we use, maintain, disclose, and in certain cases, transfer your Personal Information. This Section provides an overview of our data practices.
At Nebula, we value your privacy and aim to provide you with clear and informed choices about your Personal Information. In order to provide our DNA testing services, we collect Personal Information about you that includes information such as:
- your name, contact information, age and gender;
- your personal health history and other personal history data;
- Genetic Data (as defined below) extracted from the sample provided by you.
We treat your Personal Information with great care and use this data to provide you the requested DNA testing and reporting services, to improve our products and services, and to communicate with you, including marketing and advertising communication, unless you opt out, and for any other purposes, such as research, to which you choose to opt in.
To accomplish some of those uses, we may disclose your Genetic Data to third parties that we partner with, such as our partner laboratories. If you choose to participate in scientific research, we may also disclose your Genetic Data to those third parties that we partner with to conduct such research. We will never disclose your Genetic Data for research purposes without you first choosing to participate in such research. Finally, if we are required by law, such as by court order or subpoena, we may share your Genetic Data with law enforcement. We do not disclose your Genetic Data to any law enforcement agency, unless we are legally required to do so.
We will not provide any data (genetic or non-genetic) to an insurance company or employer.
“Personal Information” means any information that identifies, relates to, describes, or is reasonably capable of being associated, linked or linkable with a particular individual or household, including any information that is subject to applicable data protection laws. Personal Information includes User Data, Survey Data, and Genetic Data (defined below).
“User Data” means all Personal Information that is not Survey Data or Genetic Data. This typically will include basic profile information such as name, email address, mailing address, phone number, as well as other data collected from a user’s interactions with us, such as order history, payment information, and communication preferences.
“Survey Data” includes the voluntarily provided basic personal data, such as sex, age, ethnicity, weight, and height that a user may provide when responding to a survey. This also includes behavioral and social information such as a user’s occupation, commute, diet, alcohol consumption and tobacco use, fitness and exercise and sleep behavior. Some surveys may collect more detailed information about a user’s present or past physical or mental health, medical conditions, diseases and symptoms and other medical information.
“Genetic Data” is the data that we collect from users in order to provide the Services. For example, a user may submit a saliva sample. DNA is then extracted from their saliva at Nebula (or partner) labs and is converted to a machine-readable code (“DNA Data”) which is used to provide the Services. DNA test kit code, year of birth, and sex may also be collected for activation purposes. Genetic Data does not include de-identified data.
“Applicable Laws” refers to the various privacy laws that apply or govern the collection, use, and disclosure of Personal Information. Without limitation, Applicable Laws specifically includes the California Consumer Privacy Act (“CCPA”) and all amendments thereto, including the California Privacy Rights Act (“CPRA”), Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR”), the California Genetic Information Privacy Act (“GIPA”), and various other state laws applicable to the use of Genetic Data.
CATEGORIES AND SOURCES OF DATA
Through the use of the Services and in order to provide the Services requested, we may collect the below listed categories of Personal Information. We collect information about you from different sources and in various ways when you use our products, including information you provide directly, information we collect automatically, information from third-party sources, and data we infer or generate from other data.
The following is a non-exhaustive list of data points collected under each category:
Directly from you
Collected automatically by third party services and tools
From third parties we partner with
Directly from you
Directly from you
Created or generated by us
Use of Data
We use your Personal Information to provide, personalize, analyze, and improve our Services and as otherwise described in this Policy or otherwise disclosed to you. The specific uses differ and vary based upon the categories of data and your permissions.
We use your User Data as necessary to provide the Services, to improve our Services, and for other activities related to the Service. These activities include, among other things, to:
- Open your account and process your payments;
- Enable the use of our website including authentication of your site visits, providing personalized content, and personalizing your use of the Services;
- Build new Services and improve existing Services;
- Provide customer support and respond to your questions;
- Communicate with you about purchases, your account and any relevant information about our Services (e.g. product updates, policy changes or security issues);
- Enforce our Terms of Service or any other agreements between you and Nebula;
- Detect, investigate, and protect against prohibited or illegal behaviors on our Services including combatting spam and other security risks;
- Perform research and development activities using data that can no longer identify you by name, for the purpose of conducting statistical data analysis and scientific research;
- Contact you about research opportunities and obtain your research consent; and
- Market new products and offers from Nebula and our partners as well as providing personalized advertising to you based on your interests.
In carrying out these purposes, we may combine User Data we collect from different sources to give you a more seamless, consistent, and personalized experience.
If you choose to provide Survey Data to us, we will use that data to provide the Services you requested. We also use Survey Data to improve our Services, and to provide personalized content through the Services. We may also use Survey Data to perform research including:
- Aggregated analysis of Survey Data;
- Study and derive patterns from Survey Data;
- Study and analyze patterns between Survey Data and Genetic Data;
- To allow you to participate in research conducted by our third-party research partners.
We only use your Genetic Data to process, analyze and deliver your genetic results as part of the Services you request. To receive results from our Services you must first create a Nebula account, register your kit, and submit your saliva sample to our (or contracted) laboratories which then analyze your samples and provide us with the resulting data. Nebula uses your Genetic Data for these primary purposes:
- Analyze Genetic Data to provide you with information on:
  - your ancestry and ethnicity;
  - the makeup of your oral microbiome;
  - other insights into what your DNA reveals about your traits, personal health and wellness. Based on this information, we may also invite you to participate in certain surveys, which are entirely optional.
- Customize the Nebula Library according to genetic profile;
- Study aggregated, de-identified (or pseudonymized) Genetic Data to provide more accurate ancestry results and oral microbiome and polygenic score percentiles;
- Improve features and functionality in our existing Services, as well as build new products to add to our Services and ultimately better serve you.
If you opt in to optional research, we also analyze Genetic Data to conduct scientific, statistical and historical research (in which case we will provide you with separate notice with an opportunity to consent, if required by applicable laws). Your participation in any research is completely voluntary, and we will ask for consent from you prior to using your Genetic Data for any research purposes unrelated to providing the Services.
Sharing of Data
Nebula is committed to transparency in data sharing, and to giving you certain control over when and how your Personal Information is shared. We will only share your Personal Information in accordance with Applicable Laws, as disclosed in the Policy, or as authorized by you.
We share your User Data as it may be needed to provide the Services you request. Specifically, we may need to share your User Data for the following purposes and with the following third parties:
- Order Fulfillment
In order to provide you the Services you requested, we may need to ship the DNA Testing Kit to you and you will need to ship the DNA Testing Kit to us. We engage third party service providers to fulfill shipment and delivery requests and we share your User Data, as may be necessary, with those third parties. This may include your name, mailing address, email address, phone number, order number, and DNA Test Kit Code.
- Perform Requested Sharing Services
As part of our Services, you have the option to share your User Data with others through sharing features in the Services. This includes, but is not limited to, sharing your reports or ancestry information with others on social media platforms such as Facebook.
If you decide to share details about your ancestry, traits, or any other information through these sharing features, you do so at your own risk. We encourage you to review the privacy policies of these third parties before using these features.
- Our Partner Laboratories
Depending on the Services you request, we may need to collect and process your DNA sample. We partner with third party laboratories to extract your DNA from your DNA sample, such as your saliva, which we then convert to a machine-readable code which is used to provide our Services. To properly extract your DNA from the sample, we may need to share certain User Data with the third parties, including your name, DNA Testing Kit Code, and other information as may be necessary.
- Customer Support
To ensure the continued satisfaction with our Services, we may also partner with certain third parties to provide customer support services. Our customer satisfaction teams may use certain tools to process and respond to your requests and we may need to share your User Data as part of that process.
- Information Technology Providers
As needed, we may share your User Data with our IT providers who provide services that ensure the proper functionality and security of our Services.
- Marketing and Analytics
When you use or interact with our Services, we work with third parties who provide certain marketing and analytics services. For example, we may work with a third party service provider to collect information about your visit to the website such as the links you click and pages you read. We may share your User Data with such third parties in order to recognize you as an existing user.
We also work with third parties on various marketing campaigns and promotions and we may share your User Data (but not Survey or Genetic Data) with such third parties to contact you about our Services. You will always have the ability to opt-out of marketing communication.
When we share Personal Information for marketing or analytics purposes, we only share the data for very limited purposes and we prohibit those third parties from using or sharing your User Data for any purposes other than those authorized by us. Similarly, we do not sell any Personal Information for marketing purposes.
- As Required By Law
We may be required to share your User Data by law, such as by a lawful court order or subpoena. If we are required by law to share your User Data, we will attempt to provide you with notice prior to sharing your data, unless we are prohibited by law from doing so.
Absent a lawful court order or other law requiring us to share your User Data, we do not voluntarily share your Personal Information with any law enforcement agency.
- Business Transactions
We may also share and disclose your User Data with third parties as it may be necessary to complete a business transaction involving Nebula, such as a merger or acquisition of Nebula, or a sale of all or a portion of the Nebula business or assets. In such a case, your Personal Information would remain subject to the promises made in this Policy.
Survey and Genetic Data
We share your Survey Data and Genetic Data only with your explicit, prior consent. We may ask for permissions to share your Survey Data and Genetic Data with the following third parties:
- Partner Laboratories
In order to provide the Services we may need to work with one of our partner laboratories. If we work with such a third party partner, we will need to share your Genetic Data with the partner laboratory. Specifically, we will need to share your DNA sample with the third party laboratory who will then process it and extract the DNA Data that we need to provide the Services. When we use a partner laboratory to process your Genetic Data, we do so only with vetted and pre-approved third party laboratories who have a contractual relationship with Nebula. All Genetic Data shared with third party laboratories is shared only for a limited and specified purpose, and remains in our control, and cannot be shared for any other purposes by the laboratory.
At Nebula, we believe that genetic research is crucial to our deeper and better understanding of the human genome and we aim to continue to conduct genetic research in meaningful ways. From time to time, we may offer you the ability to participate in research. Your participation is completely voluntary and your access to the Services will not be impacted whether you choose to participate in research or not.
- United States Research
If you are located in the United States, we will only use Genetic Data that can personally identify you for research if you give us your affirmative consent. To participate in research, US based users must first consent to be in the Research Pool. You can find this consent form here (US and EU). Your participation in the Research Pool does not give us consent to use your Personal Information for any research. Rather, it lets us know that you are interested in being contacted about specific research opportunities. When a specific research opportunity arises, we will then contact the users in the Research Pool with detailed information about each specific research opportunity, which will include details about that research. You will then have the option to consent to the use of your Personal Information for that research. You can view the current research projects by visiting our research page.
You can revoke your consent to participate in research. To change your research consent settings, please visit portal.nebula.org. Your decision to revoke consent will not impact your Services.
In compliance with the applicable US laws, we may use de-identified data, including genetic or phenotypic information, for research purposes without any additional consent or authorization, but this data is not personally identifiable. We will not share Genetic Data that can personally identify you without your consent.
- EU/UK Research
If you are located in the European Economic Area (“EEA”) or the United Kingdom (“UK”), we will not use any of your Personal Information, including your Genetic Data and any information you provide in response to surveys or otherwise upload to your account or share with us through the use of our websites and Services, for research without your informed and explicit consent.
The types of research projects we anticipate conducting ourselves or with other non-profit organizations, researchers, physicians, academic institutions, other DNA testing companies or life sciences (pharmaceutical and medical device) companies (“Research Partners”) include:
- Studies related to population structure, demography, genetic variations and migration patterns.
- Studies related to human lifestyle and genetic markers related to diagnostics and medical conditions.
- Studies related to developing treatments and response to certain therapeutics.
- Studies related to the genetics of diet, sleep, mental health, and fitness.
You can find out more information about our research and consent to participate by visiting our research page.
If you consent to participate in research, we will only share research results which do not identify you by name, email, address or other information that identifies you directly. Research results are only based on de-identified, pseudonymized or aggregated data.
You can withdraw your consent from participating in research at any time. To change your research consent settings, please visit [INSERT LINK/INSTRUCTIONS]. Your decision to withdraw your consent will not impact your ability to use our websites and Services.
We may use Personal Information in our possession to create de-identified and aggregated data sets. In other words, some of the data that we collect from you is stripped of all information that may be used to identify an individual by name. We may then use this de-identified or pseudonymized genetic or phenotypic information (such as Genetic Data), which may be shared with or disclosed to third parties for research purposes in accordance with Part 46 (commencing with Section 46.101) of Title 45 of the Code of Federal Regulations, or where you are located in a country in the European Economic Area, Switzerland or the UK, as permitted under the EU/CH/UK General Data Protection Regulations.
- Law Enforcement
Nebula will not voluntarily share your User or Genetic Data with law enforcement. However, under certain circumstances your Survey Data and/or Genetic Data may be subject to processing pursuant to laws, regulations or judicial or governmental orders, warrants or subpoenas. In other words, this applies where we are legally compelled to disclose your Personal Information to a governmental or regulatory authority.
Nebula will not share any other categories of Personal Information, other than what is required to protect the safety of persons or property, or in enforcing our, our affiliates’, or our partners’ legal rights. For example, if a user defrauds our Services, we may share that user’s Personal Information (but not Genetic Data) with law enforcement in an effort to recuperate the defrauded costs.
If we are compelled to disclose your Personal Information, we will do our best to provide you with advance notice, unless we are prohibited under law from doing so.
- Business Purposes
In the event that Nebula is acquired or transferred, including in connection with a corporate transaction, bankruptcy, or similar proceedings (including financing, merger, acquisition, dissolution, or a transfer, divestiture, or sale of a portion or all of our business or assets), we will share your Survey Data and Genetic Data with the acquiring or receiving entity as a part of the transaction or negotiation for such a transaction. Nonetheless, the promises of this Policy will continue to apply to your Personal Information that is transferred to the new entity. Any new entity will only be allowed to use your User and Genetic Data pursuant to this Policy, or as otherwise authorized by you.
DATA RETENTION POLICIES
We retain your Personal Information for as long as necessary to provide the products and fulfill the transactions you have requested, comply with our legal obligations, resolve disputes, enforce our agreements, and other legitimate and lawful business purposes. Because these needs can vary for different data types in the context of different products, actual retention periods can vary significantly based on criteria such as user expectations or consent, the sensitivity of the data, the availability of automated controls that enable users to delete data, and our legal or contractual obligations. For example, all of the data collected by Google Analytics for the purposes of understanding our website usage is automatically deleted after 26 months, all mobile identifiers and cookie identifiers placed by Adroll expire and are then deleted after 13 months, and the Recent User Activity feed collected by Hotjar is retained for 1 year.
Nebula will store your Personal Information as long as your Account is open, unless you make a request for us to delete all or any of your Personal Information prior to the closing of your Account as described in this Policy. If you decide to close your Account, then Nebula will automatically destroy all Personal Information related to your account, including User Data, Survey Data, and Genetic Data. In specific circumstances such as by court order, subpoena, or other legal or regulatory obligations, however, Nebula may be required by law to store your Personal Information beyond the deletion of your Account or request for deletion of Personal Information. Nebula may also retain disaster recovery copies for a fixed period following this deletion, although this data will not be used for any purpose other than disaster recovery.
If you provide us with your biological sample, we use it to provide the Services, but will not store or retain such sample unless we first obtain your consent.
You may access and delete or change much of your Personal Information through your Account Settings here. Otherwise, any Personal Information that is not accessible in your Account Settings can be accessed and changed or deleted by reaching out to Legal@nebula.org.
MAINTENANCE AND SECURITY
Nebula maintains a comprehensive information security program designed to protect your Personal Information through the use of many safeguards. Nebula has measures in place designed to protect against inappropriate access, loss, or misuse of Personal Information. For example, we use secure server software to encrypt Personal Information and work with data storage cloud partners that meet our security standards.
While we cannot guarantee that loss, access or misuse of data will not occur, we use reasonable efforts to prevent these outcomes. To help us protect Personal Information, we request that you use a strong password and never share your password with anyone or use the same password with other sites or accounts.
DATA LOCATION AND TRANSFER
We are a global business. Personal Information may be stored and processed in any country where we do business or our service providers do business. We may transfer your Personal Information to countries other than your own country, including to the United States. These countries may have data protection rules that are different from your country. When transferring data across borders, we take measures to comply with applicable data protection laws related to such transfer. Officials (such as law enforcement or security authorities) in those other countries may be entitled to access your Personal Information.
If you are located in the European Economic Area (“EEA”), the UK or Switzerland, we are directly regulated by the EU/CH/UK GDPR and your Personal Information will be transferred to the United States for processing by us. We may need to transfer your Personal Information to third parties and will comply with applicable laws to provide an adequate level of data protection for the transfer of your Personal Information. Where we do transfer your Personal Information to third parties, including partners, we will ensure that your Personal Information is protected by appropriate cross-border transfer solutions to provide adequate protection.
Please contact us if you would like to learn about the specific transfer security mechanisms we use.
CHANGES TO THIS PRIVACY STATEMENT
We will update this Policy when necessary to reflect changes in our products, how we use Personal Information, or the applicable law. When we post changes to the statement, we will change the "Last Updated" date at the top of the statement. If we make material changes to the statement, we will provide notice or obtain consent regarding such changes as may be required by law.
JURISDICTION SPECIFIC PROVISIONS
Pursuant to Fla. Stat. § 760.40, upon your request, your Genetic Data is available to your physician. If you wish to share this data with your physician, you may download your raw Genetic Data in your account, or by clicking here.
CALIFORNIA CONSUMERS DATA RIGHTS
Pursuant to the California Consumer Privacy Act (CCPA), California residents are afforded certain additional rights regarding our use of your Personal Information.
Right to Know
Under the CCPA, you have a right to request information about our collection, use, and disclosure of your Personal Information over the prior 12 months, and ask that we provide you with the following information:
- Categories and specific pieces of Personal Information we have collected about you.
- Categories of sources from which we collect Personal Information.
- Purposes for collecting Personal Information.
- Categories of third parties with which we share Personal Information.
- Categories of Personal Information disclosed about you for a business purpose.
- If applicable, categories of Personal Information sold about you and the categories of third parties to which the Personal Information was sold, by category or categories of Personal Information for each third party to which the Personal Information was sold.
You can access your Personal Information within your account settings and the Survey Data within the specific survey page. To make a verifiable request for information about the Personal Information we have collected about you, you may reach out to the Nebula team at Legal@nebula.org. Also, you may download your raw Genetic Data here. We will do our best to assist you without undue delay and within the time required under the CCPA. However, to the extent permitted by Applicable Law, we reserve the right to charge a fee or decline requests that are unreasonable or excessive, where providing the Personal Information would be prohibited by law or could adversely affect the privacy or other rights of another person, or where we are unable to authenticate you as the person to whom the Personal Information relates.
Right to Delete
You also have a right to request that we delete your Personal Information, subject to certain exceptions. To make a verifiable request to delete the Personal Information we have collected about you, you may reach out to the Nebula team at Legal@nebula.org.
Right to Non-Discrimination
The CCPA prohibits discrimination against California residents for exercising their rights under the CCPA. Discrimination may exist where a business denies or provides a different level or quality of goods or services, or charges (or suggests that it will charge) different prices, rates, or penalties on residents who exercise their CCPA rights, unless doing so is reasonably related to the value provided to the business by the residents’ data.
Shine the Light
Where applicable, California Civil Code Section 1798.83 permits users of the websites that are California residents to request certain information regarding our disclosure of Personal Information to third parties for their direct marketing purposes. To make such a request please contact us using the information provided in the “Contact Us” section below.
Requests Made Through Agents
You may designate, in writing or through a power of attorney, an authorized agent to make requests on your behalf to exercise your rights. Before accepting such a request from an agent, we will require the agent to provide proof you have authorized it to act on your behalf, and we may need you to verify your identity directly with us.
Do Not Track
Some browsers have incorporated "Do Not Track" (DNT) features that can send a signal to the websites you visit indicating you do not wish to be tracked. Because there is not a common understanding of how to interpret the DNT signal, our websites do not currently respond to browser DNT signals. Instead, you can use a range of other tools to control data collection and use.
Filing of a Complaint
Effective January 1, 2022, California residents also have the right to file a complaint with the California Attorney General’s Office alleging violation of the Genetic Information Privacy Act. As the Attorney General’s Office releases additional information on how to file that Complaint, we will supplement this Policy with that information, as required under the applicable law.
Although we do not sell Personal Information (as defined in Chapter 603A of the Nevada Revised Statutes), Nevada residents have the right to submit a verified request directing us not to sell your Personal Information. To submit such a request, please contact us using the information in the “Contact Us” section below.
EUROPEAN DATA PROTECTION RIGHTS
If the processing of your Personal Information is subject to the EU, Swiss or UK General Data Protection Regulations (GDPR), the rights available to you depend on our reason for processing your Personal Information. Your rights may include:
- Access: You have the right to ask us for copies of your Personal Information subject to applicable exemptions, which means you may not always receive all the Personal Information we process.
- Rectification: You have the right to ask us to rectify Personal Information you think is inaccurate. You also have the right to ask us to complete Personal Information you think is incomplete.
- Erasure/deletion: You have the right to ask us to erase your Personal Information in certain circumstances.
- Restriction of processing: You have the right to ask us to restrict the processing of your Personal Information in certain circumstances.
- Right to object to processing: You have the right to object to processing if we are able to process your Personal Information where the processing is in our legitimate interests.
- Profiling: The right not to be subject to a decision based solely on automated processing, including profiling.
- Data portability: Where you have provided us with Personal Information based on your consent, you have the right to ask that it be given to you or transferred to another organization.
- Lodge a Complaint: You have the right to lodge a complaint with your local data protection authority if you are unhappy with any aspect of our processing of your Personal Information.
You are not required to pay any charge for exercising your rights. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. We have one month to respond to you.
For residents of France, you can send us specific instructions regarding the use of your data after your death.
To make such requests or contact our Data Protection Officer, you can follow the directions outlined in this Policy or contact us at Legal@nebula.org.
You will not have to pay a fee to access your Personal Information (or to exercise any of the other rights described above).
We may need to request specific information from you to help us confirm your identity and ensure your right to access your Personal Information (or to exercise any of your other rights). This is a security measure to ensure that your Personal Information is not disclosed to any person who has no right to receive it.
This GDPR Statement applies to persons located in the European Economic Area (EEA), Switzerland and the UK. This GDPR Statement supplements our Policy; however, where the Policy conflicts with this GDPR Statement, the GDPR Statement will prevail as to persons located in the EEA, Switzerland and the UK.
Controller of your Personal Information [and local representative]
Nebula Genomics, Inc. is the controller of your Personal Information. We have appointed the following representatives:
For the EEA:
For the UK:
[EU rep name] and [UK rep name] roles in this respect are limited solely to being a contact point for questions on data protection from persons located in the EEA or UK and data protection supervisory authorities. For the avoidance of doubt, neither [EU rep name] nor [UK rep name] can field other communications or legal process on behalf of Nebula.
Pursuant to the GDPR, we will use your Personal Information in one or more of the following circumstances:
For all information uses, see section “Use of Data” above.
With your consent. In other cases, where we need to perform the contract we are about to enter into or have entered into with you; where it is necessary for our legitimate interests (or those of a third party) to provide or improve our Services and your interests and fundamental rights do not override that; and where we need to comply with a legal or regulatory obligation.
With your consent.
With your consent.
HOW TO CONTACT US
You may contact Nebula or our Data Protection Officer (DPO) at: Legal@nebula.org.
Our address is: 711 Stewart Ave, Garden City, NY 11530