Privacy Policy

1. Overview.

This ChromaCode Privacy Policy (“Policy”) explains how ChromaCode, Inc. (“ChromaCode”, “Company”, “we”, “us” and “our”) may use information collected through the use of the ChromaCode website or ChromaCode CloudTM (collectively “Sites). In this Policy “user”, “you” and “your” refers to any third party users – whether an individual or an organization – of ChromaCode products and ChromaCode’s SaaS based software solution provided through the ChromaCode Cloud for use with ChromaCode products (“Services”). This Policy also explains your choices about how we use information about you. Your choices include how you can object to certain uses of information about you and how you can access and update certain information about you. If you do not agree with this Policy, you should not access or use the ChromaCode website or ChromaCode Cloud.

2. Definitions.

a. “Personal Information”. Any information relating to an identified individual, or to an individual who can be identified, directly or indirectly, by reference to such information, which may include, an identification number, an email address, physical address, phone number, or one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity. Without limiting the foregoing, Personal Information does not include information that is de-identified or corporate information that relates to an organization but not to an individual, such as a corporate name, corporate address or general corporate phone number.

b. “Analysis Data”. Output data from an PCR instrument (e.g., qPCR instrument) that contains, but is not limited to, intensity data collected from biological samples analyzed on that instrument, sample IDs numbers, and/or metadata about the PCR run. Analysis Data will be kept confidential.

3. Information We May Collect or Use.

a. Account and profile information. When You create an initial account with the ChromaCode Cloud, we store the email addresses of administrators and users of the account. We do not collect any other Personal Information from ChromaCode Cloud users during the ChromaCode Cloud account set-up. This Personal Information is kept confidential.

b. Location information. We record the IP addresses of computers from which Personal Information and Analysis Data are uploaded.

c. Content you provide through use of ChromaCode Cloud. When a user uploads Analysis Data to the ChromaCode Cloud, we store metadata about the instrument (e.g., make/model/serial number), metadata about the PCR run (e.g., run time), the uploaded raw PCR data, the processed PCR data, the target calls, and details of the assay configuration used to analyze the PCR data. ChromaCode may extract and use de-identified data which involves removal of sample names from the data. This de-identified data is combined with de-identified data from other customers analyzed by ChromaCode. The data is not shared with other customers.

d. Usage information. We may collect anonymous web navigational information to improve our understanding of the usability of the ChromaCode Cloud and ChromaCode website. Frequency of page hits and time spent on different pages are not associated with individual users or organizations.

4. How We Collect Your Information.

a. Analytics. We use analytics applications, including “Google Analytics”, to collect information about use of the ChromaCode website. Google Analytics collects information such as how often users visit a website, what pages they visit when they do so, and what other websites they visited prior to coming to a website. We use the information obtained from these applications only to improve our Sites and our product and service offerings. The information generated about your use of our Sites will be transferred and saved to the vendor’s server in the United States. For Google Analytics, within Member States of the European Union or other signatories of the Agreement on the European Economic Area, Google will first shorten your IP address. In exceptional cases, the full IP address will be transferred to a Google server in the United States to be shortened there. Google’s ability to use and share information collected by Google Analytics about your visits to the Sites is restricted by the Google Analytics Terms of Use and the Google Privacy Policy. You can opt-out of Google Analytics tracking by visiting https://tools.google.com/dlpage/gaoptout/.

b. Analysis Data. We process PCR instrument output files and extract signal intensity data and instrument metadata. We do not retain the files after they have been processed. We store the extracted data in our system and use signal processing and curve analysis algorithms to identify targets in the processed samples. Results and associated reports are stored in our system and only are only accessible by you. We also store de-identified input and processed data in a separate database and aggregate with other customers’ de-identified data.

5. How We Use Your Information.

a. To monitor performance of our products. We may use studies of the processed Analysis Data in the ChromaCode Cloud to assess the performance of our reagents. For example, we may use aggregated Analysis Data to assure the uniformity and stability of components in our reagent lots. We may also use aggregated Analysis Data to identify optimizations of our assays across different instrument platforms.

b. For research and development. We may use the aggregated Analysis Data in the ChromaCode Cloud to improve our computational methods. For example, we may compare processed signal data with raw intensity data to evaluate the performance of our algorithms on different instrument platforms.

c. To communicate with you about our products. If your institution has opted in to receive information about our marketing programs, we may use information about the assays you are running to provide you with information about new ChromaCode products that may be of interest.

d. To support customers. We may use your information (with your consent) to resolve technical problems.

6. How We Share Your Information.

ChromaCode does not share your Personal Information or Analysis Data with any third parties other than authorized third party service provides that work on ChromaCode’s behalf and who in all cases, are subject to confidentiality obligations.

7. Customer Access and Control of Information.

You have the right to delete some or all of your Personal Information and Analysis Data in ChromaCode Cloud at any time, understanding that this data will be immediately and permanently deleted and cannot be restored.

8. Changes of Privacy Policy.

We reserve the right to change this Policy without notice. When we make changes, we will make them available within thirty (30) days. The changed Policy supersedes and replaces the prior version. Your continued access to ChromaCode cloud represents your acceptance of the changed Policy. All users of ChromaCode Cloud will be notified of changes by email.

9. Users from Outside the United States.

ChromaCode is based in the United States (“U.S.”), and the Company’s offices are headquartered in the U.S. Information you provide to ChromaCode or information that it obtained as a result of your use of the ChromaCode Cloud software may be processed and transferred to the U.S. and be subject to U.S. law. Information may be processed by staff working for the Company in the US.

10. Information Security.

We will take reasonable precautions to protect your Personal Information in our possession from loss, misuse, and unauthorized access, disclosure, alteration, or destruction. We will make reasonable efforts to keep your Personal Information reliable for its intended use, accurate, current, and complete. As necessary, we will take additional precautions regarding the security of particularly sensitive information, such as credit card information. While we strive to secure your Personal Information, we cannot warrant or guarantee that this information will be protected under all circumstances, including those beyond our reasonable control.

11. Children.

The Sites are intended for business use. We do not knowingly collect or solicit Personal Information from anyone under the age of sixteen (16). If you are under the age of sixteen (16), please do not attempt to register for the Sites or send any Personal Information about yourself to us. If we learn that we have collected Personal Information from a child under the age of sixteen (16), we will delete that information as quickly as practicable. If you believe that a child under sixteen (16) may have provided us Personal Information, please contact us.

12. Contacting Us.

Questions regarding this Policy should be directed to privacy@chromacode.com or by mailing ChromaCode Privacy, Suite 100, 2330 Faraday Avenue, Carlsbad, CA 92008.

13. European Data Subjects:

EU General Data Project Regulation (“GDPR”).

a. GDPR. For this GDPR section, we use the terms “Personal Data” and “processing” as they are defined in the GDPR, but “Personal Data” means information that can be used to individually identify a person, and “processing” generally covers actions that can be performed in connection with data such as collection, use, storage and disclosure. ChromaCode is the controller of your Personal Data processed in connection with the Sites. Note that we may also process Personal Data of our customers’ end users or employees in connection with our provision of Services to customers, in which case we are the processor of Personal Data. If we are the processor of your Personal Data (i.e., not the controller), please contact the controller party in the first instance to address your rights with respect to such data. If there are any conflicts between this section 13 and any other provision of this Policy, the Section or portion of the Section that is more protective of Personal Data shall control to the extent of such conflict. If you have any questions about this section or whether any of the following applies to you, please contact us at privacy@chromacode.com.

b. What Personal Data Do We Collect from You? We collect Personal Data about you when you provide such information directly to us, when third parties such as our business partners or service providers provide us with Personal Data about you, or when Personal Data about you is automatically collected in connection with your use of our Sites. Please see the section 3, Information We May Collect or Use and Section 4, How We Collect Your Information. For the purposes of this Policy, when we use the term Personal Information, that is intended to also indicate Personal Data pursuant to the GDPR, if the applicable data subject is an EU resident.

c. How Do We Use Your Personal Data? Please refer to the section 5 above for details of how we use and process your Personal Data.

d. Lawful Bases for Processing. We will only process your Personal Data if we have a lawful basis for doing so. Lawful bases for processing may include consent, contractual necessity, and our “legitimate interests,” as further described below.

    i. Contractual Necessity: When you purchase our products and Services, we process your contact information (e.g., name, phone number, address, email address) as a matter of “contractual necessity”, meaning that we need to process the data to perform under our Terms and Conditions or other agreement with you, which enables us to provide you with the products and Services you request. When we process data due to contractual necessity, failure to provide such Personal Data will result in your inability to use some or all portions of the Sites or our products and Services that require such data.
    ii. Legitimate Interest: We may also process your contact information and other categories of Personal Data described in the Section 3 above for our legitimate interest purposes.

        a. Examples of these legitimate interests include:

            1. Operation and improvement of our business, products, and services
            2. Provision of customer support
            3.Protection from fraud or security threats
            4. Protecting the security of your account with us

            5. Providing you with a sign-in method
            6. Determining your geographic location and preferences so that we can serve you better

            7. Compliance with legal obligations
            8. Completion of corporate transactions

    iii. Consent: In some cases, we process Personal Data based on the consent you expressly grant to us at the time we collect such data. When we process Personal Data based on your consent, it will be expressly indicated to you at the point and time of collection. If you provide us with opt-in consent to receive marketing information from ChromaCode, we will process your email address for the purpose of sending you marketing information about our products and Services. The legal ground for processing your email address for this purpose is your consent. You may withdraw your consent any time by selecting “unsubscribe” in the marketing email or email us at privacy@chromacode.com.
    iv. Other Processing Grounds: From time to time we may also need to process Personal Data to comply with a legal obligation, if it is necessary to protect the vital interests of you or other data subjects, or if it is necessary for a task carried out in the public interest.

e. How and With Whom Do We Share Your Data? We share Personal Data with vendors, third party service providers, and agents who work on our behalf and provide us with services related to the purposes described in this Policy or our Terms and Conditions.
 For more information on such third parties, please refer to the Section 4 titled How We Share Your Information above.

f. How Long Do We Retain Your Personal Data? We retain Personal Data about you as set forth on our Company’s data retention policy. In some cases, we retain Personal Data for longer, if doing so is necessary to comply with our legal obligations, resolve disputes, or collect fees owed, or is otherwise permitted or required by applicable law, rule, or regulation. Afterwards, we retain some information in a depersonalized or aggregated form but not in a way that would identify you personally.

g. What Security Measures Do We Use? We seek to protect Personal Data using reasonable technical and organizational measures based on the type of Personal Data and applicable processing activity. For example, we protect the security of your information during transmission by using Secure Sockets Layer (SSL) software, which encrypts information you input. We also require our supplier and vendors to protect such information from unauthorized access, use, and disclosure.

h. What Rights Do You Have Regarding Your Personal Data? You have certain rights with respect to your Personal Data, including those set forth below. For more information about these rights, or to submit a request, please email privacy@chromacode.com. Please note that in some circumstances, we may not be able to fully comply with your request, such as if it is frivolous or extremely impractical, if it jeopardizes the rights of others, or if it is not required by law, but in those circumstances, we will still respond to notify you of such a decision. In some cases, we may also need to you to provide us with additional information, which may include Personal Data, if necessary to verify your identity and the nature of your request.

    i. Access: You can request more information about the Personal Data we hold about you and request a copy of such Personal Data. You can also access certain of your Personal Data by contacting us at privacy@chromacode.com to make such corrections.
    ii. Rectification: If you believe that any Personal Data we are holding about you is incorrect or incomplete, you can request that we correct or supplement such data. In certain circumstances, you can correct some of this information directly by contacting us at privacy@chromacode.com to make such corrections.
    iii. Erasure: You can request that we erase some or all of your Personal Data from our systems.
    iv. Withdrawal of Consent: If we are processing your Personal Data based on your consent (as indicated at the time of collection of such data), you have the right to withdraw your consent at any time. Please note, however, that if you exercise this right, you may have to then provide express consent on a case-by-case basis for the use or disclosure of certain of your Personal Data, if such use or disclosure is necessary to enable you to utilize some or all of our Sites.
    v. Portability: You can ask for a copy of your Personal Data in a machine-readable format. You can also request that we transmit the data to another controller where technically feasible.
    vi. Objection: You can contact us to let us know that you object to the further use or disclosure of your Personal Data for certain purposes.
    vii. Restriction of Processing: You can ask us to restrict further processing of your Personal Data.
    viii. Right to File Complaint: You have the right to lodge a complaint about ChromaCode’s practices with respect to your Personal Data with the supervisory authority of your country or EU Member State.

14. California Residents Privacy Rights:

California Consumer Privacy Act (“CCPA”).

a. CCPA and CPRA. The California Consumer Privacy Act (CCPA) is a state-wide data privacy bill that creates an array of consumer privacy rights and business obligations with regard to the collection and sale of Personal Information. The California Privacy Rights Act (CPRA), also known as Proposition 24, further expands the CCPA. 

b. These additional disclosures are required by the CCPA & CPRA:

    i. Categories of personal information collected. The personal information that ChromaCode collects, or has collected from consumers as part of the account login process detailed in Section 3 above in the  twelve (12) months prior to the effective date of this Policy, includes the following:

        a. Location information.
        b. We record the IP addresses of computers from which Personal Information and Analysis Data are uploaded.
        c. Content you provide through use of ChromaCode Cloud. When a user uploads Analysis Data to the ChromaCode Cloud, we store metadata about the instrument (e.g., make/model/serial number), metadata about the PCR run (e.g., run time), the uploaded raw PCR data, the processed PCR data, the target calls, and details of the assay configuration used to analyze the PCR data. ChromaCode may extract and use de-identified data which involves removal of sample names from the data. This de-identified data is combined with de-identified data from other customers analyzed by ChromaCode. The data is not shared with other customers.
        d. Usage information. We may collect anonymous web navigational information to improve our understanding of the usability of the ChromaCode Cloud and ChromaCode website. Frequency of page hits and time spent on different pages are not associated with individual users or organizations.

    ii. Categories of personal information disclosed for a business purpose. The personal information that ChromaCode disclosed to the third parties identified in Section 6 above about consumers for a business purpose in the twelve months prior to the effective date of this Policy, and specifically to service providers that help provide the Services, includes the following:

        a. Location information.
        b. We record the IP addresses of computers from which Personal Information and Analysis Data are uploaded.
        c. Content you provide through use of ChromaCode Cloud. When a user uploads Analysis Data to the ChromaCode Cloud, we store metadata about the instrument (e.g., make/model/serial number), metadata about the PCR run (e.g., run time), the uploaded raw PCR data, the processed PCR data, the target calls, and details of the assay configuration used to analyze the PCR data. ChromaCode may extract and use de-identified data which involves removal of sample names from the data. This de-identified data is combined with de-identified data from other customers analyzed by ChromaCode. The data is not shared with other customers.
        d. Usage information. We may collect anonymous web navigational information to improve our understanding of the usability of the ChromaCode Cloud and ChromaCode website. Frequency of page hits and time spent on different pages are not associated with individual users or organizations.

c. You have the right to request and obtain from ChromaCode, information about our collection and use of your Personal Information. Once we receive and confirm your verifiable consumer request, you have the right to make the following:

        a. The right to request specific pieces of Personal Information ChromaCode has collected about you.
        b. The right to request that ChromaCode disclose what Personal Information we collect, use, disclose or sell.
        c. The right to request that ChromaCode to delete any Personal Information that we have collected about you (subject to certain exceptions).
        d. The right to opt out of sale of your Personal Information.
        e. The right of nondiscrimination

d. We do not your sell Personal Information, as defined under CCPA.

e. We will not discriminate against you for exercising any of your privacy rights. You may exercise your rights to access, restrict or remove data by one of the following:

        a. By Email: privacy@chromacode.com
        b. Access our online webform California Residents or EU Residents
        c. By Mail: Attn: ChromaCode Privacy, Suite 100, 2330 Faraday Avenue, Carlsbad, CA 92008.
        d. Contact the ChromaCode Data Privacy Officer (“DPO”) by Email: dpo@chromacode.com 

For requests for access or deletion, we will first acknowledge receipt of your request within ten (10) business days of receipt of your request. We provide a substantive response to your request as soon as we can, generally within forty-five (45) days from when we receive your request, although we may be allowed to take longer to process your request under certain circumstances. If we expect your request is going to take us longer than normal to fulfill, we will let you know. We may not accommodate a request if we believe actioning the request would violate any law or legal requirement. Information that has been de-identified and/or accumulated genomic information, may not be retrievable or traced back for correction or removed from any database.

11/14/2023, 1:52:16 PM