Get the right answers to your questions
These "Privacy Highlights" provide an overview of some core components of our data handling practices. Please be sure to review the Full Privacy Statement.
Information We Collect
We generally collect the following information:
Information we receive when you use our Services.
Information you share directly with us.
We collect and process your information when you place an order, create an account, register your truGeny kit, complete research surveys, post on our Forums or use other messaging features, and contact Customer Care. This information can generally be categorized as Registration Information, Self-Reported Information, and/or User Content as defined in our full Privacy Statement.
Information from our DNA testing services.
With your consent, we extract your DNA from your saliva sample and analyze it to produce your Genetic Information (the As, Ts, Cs, and Gs at particular locations in your genome) in order to provide you with truGeny reports.
How We Use Informationc
We generally process Personal Information for the following reasons:
To provide our Services.
We process Personal Information in order to provide our Service, which includes processing payments, shipping kits to customers, creating customer accounts and authenticating logins, analyzing saliva samples and DNA, and delivering results and powering tools like DNA Relatives.
To analyze and improve our Services.
We constantly work to improve and provide new reports, tools, and Services. For example, we are constantly working to improve our ability to assign specific ancestries to your DNA segments and maximize the granularity of our results. We may also need to fix bugs or issues, analyze use of our website to improve the customer experience or assess our marketing campaigns.
For truGeny Research, with your consent.
If you choose to consent to participate in truGeny Research, truGeny researchers can include your de-identified Genetic Information and Self-Reported Information in a large pool of customer data for analyses aimed at making scientific discoveries.
Control: Your Choices
truGeny gives you the ability to share information in a variety of ways. You choose:
To store or discard your saliva sample
after it has been analyzed.
Which health report(s)
you view and/or opt-in to view.
When and with whom you share your information
including friends, family members, health care professionals, or other individuals outside our Services, including through third party services that accept truGeny data and social networks.
To give or decline consent for truGeny Research.
By agreeing to the Research Consent Document, Individual Data Sharing Consent Document, or participating in a truGeny Research Community you can give consent for the use of your data for scientific research purposes.
To delete your truGeny account and data
at any time.
How We Secure Information
truGeny implements measures and systems to ensure confidentiality, integrity, and availability of truGeny data.
De-identification/Pseudonymization, encryption, and data segmentation.
Registration Information is stripped from Sensitive Information, including genetic and phenotypic data. This data is then assigned a random ID so the person who provided the data cannot reasonably be identified. truGeny uses industry standard security measures to encrypt sensitive personal data both when it is stored (data-at-rest) and when it is being transmitted (data-in-flight). Additionally, data are segmented across logical database systems to further prevent re-identifiability.
Limiting access to essential personnel.
We limit access of information to authorized personnel, based on job function and role. truGeny access controls include multi-factor authentication, single sign-on, and a strict least-privileged authorization policy.
Detecting threats and managing vulnerabilities.
truGeny uses state of the art intrusion detection and prevention measures to stop any potential attacks against its networks. We have integrated continuous vulnerability scanning in our build pipeline and regularly engage third party security experts to conduct penetration tests.
Risks and Considerations
There may be some consequences of using truGeny Services that you haven't considered.
You may discover things about yourself and/or your family members that may be upsetting or cause anxiety and that you may not have the ability to control or change.
You may discover relatives who were previously unknown to you, or may learn that someone you thought you were related to is not your biological relative.
In the event of a data breach it is possible that your data could be associated with your identity, which could be used against your interests.
This Privacy Statement applies to all websites owned and operated by truGeny, Inc ("truGeny"), including www.trugeny.com (https://www.trugeny.com/), and any other websites, pages, features, or content we own or operate, and to your use of the truGeny mobile app and any related Services. Our Privacy Statement is designed to help you better understand how we collect, use, store, process, and transfer your information when using our Services.
Please carefully review this Privacy Statement and our Terms of Service (https://www.trugeny.com/about/tos/). By using our Services, you acknowledge all of the policies and procedures described in the foregoing documents. If you do not agree with or you are not comfortable with any aspect of this Privacy Statement or our Terms of Service you should immediately discontinue use of our Services.
1. Key Definitions
1.Aggregate Information: information that has been combined with that of other users and analyzed or evaluated as a whole, such that no specific individual may be
2. De-identified Information: information that has been stripped of your Registration Information (e.g., your name and contact information) and other identifying data such that you cannot reasonably be identified as an individual, also known as pseudonymized information.
3. Individual-level Information: information about a single individual's genotypes, diseases or other traits/characteristics, but which is not necessarily tied to Registration Information.
4. Personal Information: information that can be used to identify you, either alone or in combination with other information. truGeny collects and stores the following types of Personal Information:
Registration Information: information you provide about yourself when registering for and/or purchasing our Services (e.g. name, email, address, user ID and
password, and payment information).
Genetic Information: information regarding your genotypes (i.e. the As, Ts, Cs, and Gs at particular locations in your genome), generated through processing of
your saliva by truGeny or by its contractors, successors, or assignees; or otherwise processed by and/or contributed to truGeny.
Self-Reported Information: information you provide directly to us, including your disease conditions, other health-related information, personal traits, ethnicity,
family history, and other information that you enter into surveys, forms, or features while signed in to your truGeny account.
Sensitive Information: information about your health, Genetic Information, and certain Self-Reported Information such as racial and ethnic origin, sexual orientation,
and political affiliation.
User Content: all information, data, text, software, music, audio, photographs, graphics, video, messages, or other materials - other than Genetic Information
and Self-Reported Information-generated by users of truGeny Services and transmitted, whether publicly or privately, to or through truGeny
Web-Behavior Information: information on how you use truGeny Services collected through log files, cookies, web beacons, and similar technologies, (e.g., browser
type, domains, page views).
2. Information we collect
Information you provide directly to us
Information related to our genetic testing services
Genetic Information includes the truGeny results reported to you as part of our Services, and may be used for other purposes, as outlined in Section 3 below.
Information collected through tracking technology Other
types of information
3. How we use your information
To provide you with Services and analyze and improve our Services
To process, analyze and deliver your genetic testing results
To allow you to share your Personal Information with others
To allow you to share your Personal Information for research purposes
To recruit you for external research
To provide customer support
To conduct surveys or polls, and obtain testimonials
To provide you with marketing communications
4. Information we share with third parties
To provide you with Services and analyze and improve our Services
"Targeted advertising" service providers Aggregate Information
Information we share with commonly owned entities As
required by law
5. Your choices
Access to your account
Sharing outside of the truGeny Services Account
6. Security Measures
truGeny produces secure applications by design
truGeny incorporates explicit security reviews in the software development lifecycle, quality assurance testing and operational deployment.
Registration Information is stripped from Sensitive Information, including Genetic and Self-Reported Information. This data is then assigned a randomly generated ID so an individual cannot reasonably be identified.
truGeny uses industry standard security measures to encrypt Sensitive Information both at rest and in transit.
Separation of Environments
truGeny ensures processing, production, and research environments are separated and access is restricted. Data, including Registration Information, Genetic Information, and Self-Reported Information are segmented across logical database systems to further prevent re-identifiability.
Limiting access to essential personnel.
We limit access to Personal Information to authorized personnel, based on job function and role. truGeny access controls include multi-factor authentication, single sign-on, and strict least-privileged authorization policy.
Detecting threats and managing vulnerabilities
truGeny uses state of the art intrusion detection and prevention measures to stop any potential attacks against its networks. We have integrated continuous vulnerability scanning in our processes and regularly engage third party security experts to conduct penetration tests.
truGeny maintains a formal incident management program designed to ensure the secure, continuous delivery of its Services. truGeny has implemented an incident management program using industry best practices, including guidance from the National Institute of Standards and Technology (NIST).
Managing third party service providers
truGeny requires service providers to implement and maintain accepted industry standard administrative, physical and technical safeguards to protect Personal Information
Your Responsibility. Please recognize that protecting your Personal Information is also your responsibility. We ask you to be responsible for safeguarding your password, secret questions and answers, and other authentication information you use to access our Services. You should not disclose your authentication information to any third party and should immediately notify truGeny of any unauthorized use of your password. truGeny cannot secure Personal Information that you release on your own or that you request us to release. Your information collected through the Service may be stored and processed in the United States or any other country in which truGeny or its subsidiaries, affiliates or service providers maintain facilities and, therefore, your information may be subject to the laws of those other jurisdictions which may be different from the laws of your country of residence
7. Children's Privacy
8. Linked Websites
truGeny provides links to third party websites operated by organizations not affiliated with truGeny. truGeny does not disclose your information to organizations operating such linked third party websites. truGeny does not review or endorse, and is not responsible for, the privacy practices of these organizations. We encourage you to read the privacy statements of each and every website that you visit. This Privacy Statement applies solely to information collected by truGeny and our service providers on our behalf.
9. Information for Customers in Designated Countries
Section 9 only applies to individuals located in the European Economic Area (“EEA”), United Kingdom, or Switzerland (the “Designated Countries”).
truGeny participates in and has certified its compliance with both the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Information transferred from the European Union (EU), European Economic Area (EEA), and Switzerland to the United States, respectively. truGeny is committed to subjecting all Personal Information received from the EU member countries, EEA and Switzerland, in reliance on the Privacy Shield Frameworks, to the Framework's applicable Principles. If there is any conflict between the terms in this Privacy Statement and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit U.S. Department of Commerce's Privacy Shield List. (https://www.privacyshield.gov/list) truGeny is responsible for the processing of Personal Information it receives, under the Privacy Shield Frameworks, or subsequently transfers to a third party acting as an agent on its behalf. truGeny complies with the Privacy Shield Principles for all onward transfers of Personal Information from the EU, EEA and Switzerland, including the onward transfer liability provisions. With respect to Personal Information received or transferred pursuant to the Privacy Shield Frameworks, truGeny is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, truGeny may be required to disclose Personal Information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
Our relationship with you
We are the “controller” with respect to your Personal Information because we determine the means and purposes of processing your information when using our Services.
Legal bases for processing Personal Information from the EU Direct
We describe how we process your Personal Information in Sections 2 through 4 of this Privacy Statement. We may process your Personal Information if you consent to the processing, to satisfy our legal obligations, if it is necessary to carry out our obligations arising from any contracts we entered with you or to take steps at your request prior to entering into a contract with you, or for our legitimate interests to protect our property, rights or safety of truGeny, our customers or others.
We will obtain your consent where required to send you marketing communications using electronic means. You may withdraw your consent at any time within your Account Settings or by emailing firstname.lastname@example.org (mailto:email@example.com) We will only contact you by electronic means (email, push notification, SMS, etc.) with information about our Services that are similar to those which were the subject of a previous sale or negotiations of a sale to you. We will only share your Personal Information with third parties for marketing purposes with your explicit consent. If you do not want us to use your Personal Information in this way, please review and update your Account Settings as necessary or contact us at firstname.lastname@example.org (mailto:email@example.com). You may raise such objection with regard to initial or further processing for purposes of direct marketing at any time and free of charge. The withdrawal of your consent will not affect the lawfulness of processing based on consent before its withdrawal. Other marketing activities will happen based on the legitimate interests of truGeny. E.g., where we tailor marketing communications or send targeted marketing messages via post, phone or social media and other third party platforms; and in providing existing customers with information (via email or other channels) about similar products and services.
You can exercise your privacy rights by following the instructions below or contacting us at firstname.lastname@example.org. (mailto:email@example.com) We will handle your request under applicable law. When you make a request, we may verify your identity to protect your privacy and security. Right to withdraw consent. To the extent truGeny requests and you provide your consent to the processing of your Personal Information, you can withdraw your consent at any time. Your withdrawal will not affect the lawfulness of our processing based on consent before your withdrawal. Right of access to and rectification of your Personal Information. Our site allows you to access and rectify certain Registration Information within your Account Settings, and your Self-Reported Information by going to the surveys page. You can download your raw Genetic Information within your Account Settings or by going to the applicable tool in "Tools". If you would like to access or rectify any other information, contact Customer Care and we will do our best to assist you without undue delay. We may reject part or all of your request if responding to your request could adversely affect the rights and freedoms of others. Right to erasure (or, "Right to be Forgotten"). As explained under Section 5.d. ("Account Deletion"), we allow our customers to delete theiraccounts at any time. You can request erasure of Personal Information that: (a) is no longer necessary in relation to the purposes for which it was collected or otherwise processed; (b) was collected in relation to processing to which you previously consented, but later withdrew such consent; or (c) was collected in relation to processing activities to which you object, and there are no overriding legitimate grounds for our processing. If we have made your Personal Information public and we are required to erase such Personal Information, we will take reasonable steps, including technical measures, to inform controllers that are processing any links to or copies or replications of your Personal Information of your erasure request. Our assistance with your request for erasure is subject to limitations by relevant data protection laws, available technology and the cost of implementation.
Right to data portability. If we process your Personal Information based on a contract with you or based on your consent, or the processing is carried out by automated means, you may request to receive your Personal Information in a structured, commonly used and machine-readable format, and to have us transfer your Personal Information directly to another controller, where technically feasible, unless exercise of this right adversely affects the rights and freedoms of others. A "controller" is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of your Personal Information.
Right to restriction of our processing. You can restrict our processing of your Personal Information where one of the following applies: (a) you dispute the accuracy of Personal Information processed by truGeny (for a period enabling us to verify its accuracy); (b) the processing is unlawful and you oppose the erasure of the Personal Information and request the restriction of its use instead; (c) truGeny no longer needs the Personal Information for the purposes of the processing, but it is required by you for the establishment, exercise or defense of legal claims; and (d) you have objected to certain processing relying on legitimate interest, pending the verification whether truGeny's legitimate grounds override your rights. Restricted Personal Information shall only be processed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest. We will notify you if the restriction is lifted. Notification of erasure, rectification and restriction. We will provide notice to each recipient that we disclosed your Personal Information to regarding any rectification or erasure of Personal Information or restriction of processing, unless you initiated the disclosure or providing notice proves impossible or involves disproportionate effort. Upon your request, we will share the list of recipients with you. Right to object to processing. Where the processing of your Personal Information is based on consent, contract, or legitimate interests described under the Legal Bases for Processing heading above, you may restrict or object, at any time, to the processing of your Personal Information as permitted by applicable law. We may continue to process your Personal Information if it is necessary for the defense of legal claims, or for any other exceptions permitted by applicable law. Automated individual decision-making, including profiling. You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects on you, except as allowed under applicable data protection laws. Retention of your Personal Information. Unless you make a request for us to delete your account or delete certain Personal Information (i.e., User Content, etc.), we will store your Personal Information as long as your account is open. If you request to delete your account, we will take the steps described under “Your Choices – Account Deletion” and delete all your Personal Information, unless a longer retention period is required or permitted by law. The rights described above may be limited by local laws. Further, your right of access and deletion is not absolute and may not be available if fulfillment of such right would, among other things: cause interference with execution and enforcement of the law and legal private rights (such as in the case of the investigation or detection of legal claims or the right to a fair trial); breach or prejudice the rights of confidentiality and security of others; prejudice security or grievance investigations, corporate re-organizations, future and ongoing negotiations with third parties, the compliance with regulatory requirements relating to economic and financial management; or otherwise violate the interests of others or where the burden or cost of providing access would be disproportionate.
If you believe that we have infringed your rights, we encourage you to contact us so that we can try to address your concerns or dispute informally. Our contact information is: Global Privacy Officer, truGeny, Inc., 899 West Evelyn Avenue, Mountain View, CA 94041 1.800.239.5230, firstname.lastname@example.org (mailto:email@example.com)
Alternatively, you may contact truGeny's EU member representative, DPR Group, at https://www.dpr.eu.com/truGeny (https://www.dpr.eu.com/truGeny).
truGeny's commitment to the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks entitle you to lodge a complaint via our Privacy Shield independent dispute resolution mechanism. To send your privacy complaints under the Privacy Shield Principles, please contact the BBB EU PRIVACY SHIELD, operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://www.bbb.org/EU-privacy-shield/for-eu-consumers (https://www.bbb.org/EU-privacy-shield/for-eu-consumers) for more information and/or to file a complaint. As a last resort and under limited circumstances, EU, EEA and Swiss individuals with residual privacy complaints may invoke a binding arbitration option before the Privacy Shield Panel. You also have a right to lodge a complaint with a competent supervisory authority situated in a Member State of your habitual residence, place of work, or place of alleged infringement. You can find the relevant supervisory authority name and contact details here: https://ec.europa.eu/info/law/law-topic/data- protection/reform/what-are-data-protection-authorities-dpas_en (https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-are-data-protection- authorities-dpas_en).
10. Changes to this Privacy Statement
Whenever this Privacy Statement is changed in a material way, a notice will be posted as part of this Privacy Statement and on our website for 30 days. After 30 days the changes will become effective. In addition, all customers will receive an email with notification of the changes prior to the change becoming effective. truGeny may provide additional "just-in-time"; disclosures or additional information about the data collection, use and sharing practices of specific Services. Such notices may supplement or clarify truGeny's privacy practices or may provide you with additional choices about how truGeny processes your Personal Information.
11. Contact information
If you have questions about this Privacy Statement, or wish to submit a complaint, please email truGeny's Privacy Administrator at firstname.lastname@example.org (mailto:email@example.com), or send a letter to: Privacy Administrator truGeny, Inc. 899 West Evelyn Avenue Mountain View, CA 94041 1.800.239.5230 *This Privacy Statement was last updated on July 17, 2018.
Read the previous version of the document. (?version=5.1)