PRIVACY POLICY & SECURITY



EFFECTIVE DATE: August 2018
LAST UPDATED: April 2019

Privacy Statement

TOVANA Health ("TOVANA Health," "we" or "us") is committed to protecting the privacy of all visitors to the TOVANA Health website. TOVANA Health has established this Privacy Statement to inform you of the specific practices and guidelines that help ensure the security and confidentiality of your personal information.
By using or accessing in any way the websites we control and operate, including www.tovanahealth.com, and www.dnaunlocked.com (our "Websites"), and our online portal/platform "https://tovanahealth.com/home/login/" or by transmitting information to us by email or other electronic means, you agree to the terms of this Privacy Statement. If you do not agree with the terms of this Privacy Statement, please do not access or use the Websites.

UPDATES
TOVANA Health may revise this Privacy Statement from time to time. All updates to this statement will be posted on this web page. If we make significant changes, TOVANA Health will notify you by posting a notice on the website. Please check the website for the most current version of our Privacy Statement. Your continued use of the website after we have posted a notice on the website constitutes your acceptance of such changes.

LINKED WEBSITES
The TOVANA Health Websites may contain links to external websites. TOVANA Health does not maintain these sites and is not responsible for the privacy practices of sites that it does not operate. Please refer to the specific privacy statements posted on these sites.

AGGREGATE DATA COLLECTION
TOVANA Health tracks visits to our Websites and uses visitor logs to compile anonymous aggregate statistics. This aggregate information is collected sitewide, and includes anonymous website statistics. In addition, when you browse our Websites, our system automatically collects information such as your web request, Internet Protocol ("IP") address, browser type, browser language, domain names, referring and exit pages and URLs, platform type, pages viewed and the order of these page views, the amount of time spent on particular pages, the date and time of your request and one or more cookies that may uniquely identify your browser. This information is used to analyze trends, administer the Websites, improve the design of our Websites and otherwise enhance the services we provide.

COOKIES
Certain pages of the Websites and/or html email correspondence may use session cookies, persistent cookies or web beacons to anonymously track unique visitors, save website preferences and to allow us to recognize visits from the same computer and browser. You have the option to reject the Websites' cookies and still use the Website. However, your access to the Website may be limited.

TYPES OF PERSONAL INFORMATION COLLECTED
TOVANA Health may collect, store and use personally identifiable information (such as name, email address, postal code and email preferences) when it is voluntarily submitted to us, such as when you register for updates or contact us.

CHILDREN
The TOVANA Health Websites are directed toward adults. If you are under the age of 13, you must obtain the authorization of a responsible adult (parent, legal custodian or teacher) before using or accessing our Websites. We will not knowingly collect or use any personal information from any children under the age of 13. If we become aware that we have collected any personal information from children under 13, we will promptly remove such information from our databases.

USE OF PERSONAL INFORMATION
We may use your personal information to contact you, improve this site, provide you with information that you have requested or provide you with additional information, which TOVANA Health believes may be of interest to you. We may also use this information to respond to your inquiries, provide you with technical support and enforce our Terms and Conditions and other policies governing use of the Websites. We may combine your information with other information about you that is available to us, including information from other sources. TOVANA Health will keep resumes confidential and will use them only for employment purposes. Use for any other purpose will be with your explicit consent. TOVANA Health will not sell or rent your personal information to any other company or organization. TOVANA Health may share your information with third party service providers who perform marketing or other services on our behalf. TOVANA Health may access and/or disclose your personal information to law enforcement officials, regulatory agencies or other third parties as we, in our sole discretion, believe necessary or appropriate in connection with an investigation of illegal activity that may expose us to legal liability or costs, to enforce our policies governing the Websites and for regulatory compliance. TOVANA Health may also disclose your information in connection with corporate restructuring, merger or consolidation with, or sale of substantially all of our assets to a third party. We do not guarantee that any entity receiving such information in connection with one of these transactions will abide by this Privacy Statement.

SECURITY MEASURES
Information that you provide to TOVANA Health through these Websites is encrypted using industry standard Secure Sockets Layer (SSL) technology, with the exception of information you send via email. Your information is processed and stored on controlled servers with restricted access. Unfortunately, we cannot ensure or warrant the security of any information you transmit to our Websites, and you do so at your own risk. As a consequence, TOVANA Health disclaims any warranties or representations relating to maintenance or nondisclosure of private information.

INFORMATION ACCESS, UPDATES AND CHOICE
You may choose to provide information to TOVANA Health by completing the registration form, sending us an email or otherwise contacting us. In the registration form, you may have an opportunity to elect to receive certain communications from us. TOVANA Health email correspondence will include instructions on how to update certain personal information and how to unsubscribe from our emails and postal mail correspondence. Please follow the instructions in the emails to notify TOVANA Health of changes to your name, email address and preference information. TOVANA Health will take reasonable steps, such as confirmation emails, to verify your identity before granting access to your personal information. If you choose to unsubscribe from our email and/or postal mail services, you will no longer receive this correspondence. However, TOVANA Health may retain your information for a period of time to resolve disputes, troubleshoot problems or for other valid business or legal reasons.

THIRD PARTY INFORMATION
You agree that you have provided notice to, and obtained consent from, any third party individuals whose personal information you supply to us, including with regard to: (a) the purposes for which such third party's personal information has been collected; (b) the intended recipients or categories of recipients of the third party's personal information; (c) which of the third party's information is obligatory and which information, if any, is voluntary; and (d) how the third party can access and, if necessary, rectify the information held about them.

FINANCIAL INFORMATION
We do not currently collect financial information, such as your payment method (valid credit card number, type, expiration date or other financial information); that information is collected and stored by our third party payment processing company (the “Payment Processor”), and use and storage of that information is governed by the Payment Processor’s applicable terms of service and privacy policy.

EMAIL COMMUNICATIONS WITH US
As part of the Services, you may occasionally receive email and other communications from us, such as communications relating to your Account. Communications relating to your Account will only be sent for purposes important to the Services, such as password recovery.

GOVERNING LAW
Our Websites are controlled and operated by TOVANA Health. By choosing to visit our Websites or otherwise provide information to TOVANA Health, you agree that any dispute over privacy or the terms contained in this Privacy Statement will be governed by the laws of the State of Texas. If you are accessing our Websites from any location with regulations or laws governing personal data collection, use or disclosure that differ from United States laws or regulations, please note that through your continued use of our Websites, which is governed by the laws of the State of Texas and the United States of America and this Privacy Statement, you are transferring personal information to the United States of America and you consent to that transfer and to the collection and processing of such information in the United States. You also consent to the adjudication of any disputes arising in connection with our Websites and Platforms in the State of Texas.
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

NOTICE OF PRIVACY PRACTICES & HIPAA


EFFECTIVE DATE OF NOTICE: August 1, 2018
LAST UPDATED: April 2019

This Notice describes the privacy practices of TOVANA Health, its employees and other personnel ("TOVANA Health," "we" or "us").

I. Our responsibility
TOVANA Health and the members of its workforce are committed to protecting the privacy and confidentiality of your personal information, genetic information and laboratory test results.
TOVANA Health is required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to keep your personal health information ("Protected Health Information") confidential. This Notice describes our legal duties, privacy practices and explains your patient privacy rights. When we use or disclose your Protected Health Information, we are required to abide by the terms of this Notice.
II. What is protected health information
Protected Health Information is your demographic information, medical history, laboratory results, insurance information and other health information that is collected, generated, used and communicated by TOVANA Health to produce genetic testing results and bill for our testing services. Examples of Protected Health Information include your name, date of birth, medical record number, social security number, insurance beneficiary number and genetic information.
III. How we use and disclose your health information
Your Protected Health Information may be used and disclosed for treatment, payment, healthcare operations and other purposes permitted or required by law. TOVANA Health may use and disclose your Protected Health Information for the following purposes: We may use or disclose your Protected Health Information for treatment purposes. For example, we may use your Protected Health Information to perform our testing services and disclose your genetic testing results to your physician and other healthcare providers involved in your care.

PAYMENT
We may use or disclose your Protected Health Information to obtain payment for healthcare services we provide. For example, we may use and disclose your information to send a bill to your insurance company or health plan to receive payment for the services provided to you.

HEALTHCARE OPERATIONS
We may use and disclose your Protected Health Information for our healthcare operations. For example, we may use your Protected Health Information to monitor the quality of our testing services and review the competence and qualifications of our laboratory professionals.

PERSONS INVOLVED IN YOUR CARE OR PAYMENT FOR YOUR CARE
We may disclose your Protected Health Information to persons you identify who are involved in your care or payment for your care, such as a family member, relative or close friend, unless you object or ask us not to.

PERSONAL REPRESENTATIVES
We may disclose Protected Health Information about you to your authorized personal representative, such as a lawyer, administrator, executor or other authorized person responsible for you or your estate.

MINORS' PROTECTED HEALTH INFORMATION
We may disclose Protected Health Information about minors to their parents or legal guardians.

COMMUNICATIONS ABOUT PRODUCTS AND SERVICES
We may use and disclose your Protected Health Information to contact you about other TOVANA Health products and services which we believe may be of interest to you. Any use, disclosure or sale of Protected Health Information to third parties for marketing purposes requires your written authorization.

DISCLOSURES TO BUSINESS ASSOCIATES
We may disclose your Protected Health Information to other companies or individuals, known as "Business Associates," who provide services to us. For example, we may use a company to perform billing services on our behalf. Our Business Associates are required to protect the privacy and security of your Protected Health Information and notify us of any improper disclosure of information.

AS REQUIRED BY LAW
We must disclose your Protected Health Information when required to do so by any applicable federal, state or local law.

PUBLIC HEALTH ACTIVITIES
We may disclose your Protected Health Information for public health-related activities. Examples include: reporting diseases to authorized public health authorities or public health investigations; or notifying a manufacturer of a product regulated by the U.S. Food and Drug Administration of a possible problem encountered when using the product in our testing process.

HEALTH OVERSIGHT ACTIVITIES
We may disclose your Protected Health Information to a healthcare oversight agency for activities that are authorized by law, such as audits, investigations, inspections and licensure activities. For example, we may disclose your Protected Health Information to agencies responsible for ensuring compliance with the rules of government health programs such as Medicare or Medicaid.

RESEARCH
Under certain circumstances, we may use or disclose your Protected Health Information for research purposes. All research projects at TOVANA Health are subject to review by a committee responsible for ensuring the protection of individual research subjects, appropriate patient authorization and an adequate plan to safeguard Protect Health Information. In preparation for research, we may review limited Protected Health Information to draft research protocols, to identify prospective research participants or for similar purposes provided the information is not removed from our premises.

ORGAN OR TISSUE PROCUREMENT
We may disclose Protected Health Information to organ procurement organizations or related entities for the purpose of facilitating organ or tissue donation and transplantation.

CORONERS, MEDICAL EXAMINERS AND FUNERAL DIRECTORS
We may disclose Protected Health Information to coroners, medical examiners or funeral directors to identify a deceased patient, to determine cause of death or other duty authorized by law.

JUDICIAL AND ADMINISTRATIVE PROCEEDINGS
Under certain circumstances, we may disclose your Protected Health Information in the course of a judicial or administrative proceeding in response to a court order, subpoena or other lawful process.

LAW ENFORCEMENT
We may disclose your Protected Health Information to the police or other law enforcement officials as required by law or in compliance with a court order, warrant, subpoena, summons or other legal process for locating a suspect, fugitive, witness, missing person or victim of a crime.

THREATS TO HEALTH OR SAFETY
We may disclose Protected Health Information to prevent or reduce the risk of a serious and imminent threat to the health or safety of an individual or the general public. VICTIMS OF ABUSE, NEGLECT OR VIOLENCE If required or authorized by law, we may disclose Protected Health Information to a government agency, such as social services or a protective services agency, if we reasonably believe that an individual adult or child is the victim of abuse, neglect or domestic violence.

SPECIALIZED GOVERNMENT FUNCTIONS
Under certain circumstances, we may disclose your Protected Health Information to units of the government with special functions, such as the U.S. Military or the U.S. Department of State.

WORKERS COMPENSATION PROGRAMS
We may disclose your Protected Health Information as necessary to comply with requirements of workers' compensation or similar programs that provide benefits for work-related injuries or illness.

ALL OTHER USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION
We will ask for your written authorization before using or disclosing your Protected Health Information for any purpose not described above. You may revoke your authorization, in writing, at any time, except for disclosures that the company has already acted upon.
IV. Your rights regarding your medical information
You have the following rights with respect to your Protected Health Information. To exercise any of these rights, please contact our Privacy Office using the contact information provided at the end of this Notice.

ACCESS TO PROTECTED HEALTH INFORMATION
You, or your authorized or designated personal representative, have the right to inspect and copy the Protected Health Information maintained by us. We may deny access to certain information for specific reasons, for example, where Federal and state laws regulating laboratories prohibit us from disclosing genetic testing results directly to a patient.

RESTRICTIONS ON USES AND DISCLOSURES
You have the right to request restrictions on our use and disclosure of your Protected Health Information. While we will consider all requests for additional restrictions carefully, we are not required to agree to a requested restriction except for Payment or Operations restrictions where payment has been made "out-of-pocket" and paid-in-full. If we do agree to a requested restriction, we will notify you in writing.

CONFIDENTIAL COMMUNICATIONS
You have the right to request that we communicate with you about your Protected Health Information by alternative means or to an alternative address. Your request must be in writing and must specify the alternative means or location. We will accommodate reasonable requests for confidential communications.

CORRECT OR UPDATE INFORMATION
If you believe the Protected Health Information we maintain about you contains an error, you may request that we correct or update your information. Your request must be in writing and must explain why the information should be corrected or updated. We may deny your request under certain circumstances and provide a written explanation.

ACCOUNTING OF DISCLOSURES
You may request a list, or accounting, of certain disclosures of your Protected Health Information made by us or our business associates for purposes other than treatment, payment, healthcare operations and certain other activities. The request must be in writing and the list will include disclosures made within the prior six years.

COPY OF NOTICE
Upon request, you may obtain a paper or electronic copy of this Notice.
V. Information breach notification
We will promptly notify you following the discovery of a breach of unsecured Protected Health Information, unless there is a demonstration, based on a risk assessment, that there is a "low probability" that the Protected Health Information has been compromised.
VI. Questions and complaints
If you have questions or concerns about our privacy practices or would like a more detailed explanation about your privacy rights, please contact our Privacy Office using the contact information below.
If you believe that we may have violated your privacy rights, you may submit a complaint to our Privacy Office. You also may submit a written complaint to the U.S. Department of Health and Human Services. You can file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights by sending a letter to 200 Independence Avenue, S.W., Washington, D.C. 20201, calling 1-877-696-6775, or visiting www.hhs.gov/ocr/privacy/hipaa/complaints/. TOVANA Health will not take retaliatory action against you and you will not be penalized in any way if you choose to file a complaint with us or with the U.S. Department of Health and Human Services.
VII. Changes to our notice of privacy practices
We reserve the right to change our privacy practices and the terms of this Notice at any time, provided such changes are permitted by applicable law. We will promptly post any changes to this Notice on our website at https://tovanahealth.com/home/privacy/. Please review this website periodically to ensure that you are aware of any updates.
VIII. Contact information
When communicating with us regarding this Notice, our privacy practices or your privacy rights, please contact the Privacy Office using the following contact information: support@tovanahealth.com.

SAFE HARBOR PRIVACY POLICY (EUROPE)


EFFECTIVE DATE: August 1, 2018
LAST UPDATED: April 2019

Safe Harbor Privacy Policy

TOVANA Health (“TOVANA Health”) respects individual privacy and values the confidence of its customers, employees, healthcare professionals, consumers and business partners.
TOVANA Health is committed to upholding the confidentiality of personal information and strives to collect, use and disclose personal information in a manner consistent with the laws and regulations of the countries in which it does business.
This Safe Harbor Privacy Policy (the “Policy”) sets forth the privacy principles that TOVANA Health follows with respect to personal information transferred from the European Economic Area (“EEA”) (which includes the 27 member states of the European Union (EU) plus Iceland, Liechtenstein and Norway) and Switzerland to the United States of America.

1. SAFE HARBOR
The United States Department of Commerce, the European Commission and the Swiss Federal Data Protection and Information Commissioner (FDPIC) have jointly agreed on a set of data protection principles and frequently asked questions (the “Safe Harbor Principles”) to enable U.S. companies to satisfy the requirement under European Union and Swiss law that adequate protection is given to personal information transferred from the EU or Switzerland to the United States.
The EEA and Switzerland have recognized the U.S. Safe Harbor as providing adequate data protection. TOVANA Health has established a comprehensive Privacy and Security Compliance program and is committed to protecting personal privacy consistent with the seven Safe Harbor Principles.

2. SCOPE
This Safe Harbor Privacy Policy (the “Policy”) applies to all personal information received by TOVANA Health in the United States of America from the EEA and Switzerland, in any form including electronic, paper or verbal.

3. DEFINITIONS
For purposes of this Policy, the following definitions shall apply: "Agent" means any third party that collects or uses personal information under the instructions of TOVANA Health or to which TOVANA Health discloses personal information for use on TOVANA Health’s behalf.
"TOVANA Health” means TOVANA Health , its successors, affiliates, subsidiaries, divisions and groups in the United States of America.
"Personal information" means any information or set of information that identifies or is used by or on behalf of TOVANA Health to identify an individual. Personal information does not include information that is encoded or anonymized, or publicly available information that has not been combined with non-public personal information. "Sensitive personal information" means personal information that reveals race, ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, or that concerns health or sex life. TOVANA Health will treat any information received from a third party as sensitive personal information where that third party treats and identifies the information as sensitive personal information.

4. PRIVACY PRINCIPLES
The privacy principles in this Policy are based on the Safe Harbor Principles. Notice: Where TOVANA Health collects personal information directly from individuals in the EEA or Switzerland, it will inform them about the purposes for which it collects and uses such personal information and the type of Agents to which it discloses such information. Notice will be provided in clear and conspicuous language when individuals are first asked to provide personal information to TOVANA Health, or as soon as practicable thereafter, and in any event before TOVANA Health uses or discloses the information for a purpose other than that for which it was originally collected. Where TOVANA Health receives personal information from its subsidiaries, affiliates or other entities in the EEA or Switzerland, it will use and disclose such information in accordance with the notices provided by such entities and the choices made by the individuals with respect to their personal information.
Choice: TOVANA Health does not use personal information for purposes other than which it was collected, i.e., the provision of TOVANA Health laboratory services. Personal information is not disclosed to non-agent third parties.
Onward Transfer: TOVANA Health ensures that any Agent to whom it transfers personal information will safeguard personal information consistent with the terms of this Policy. The majority of Agents to whom TOVANA Health transfers sensitive personal information are subject to the Health Information Portability and Accountability Act of 1996 (HIPAA) and are bound to protect the privacy and security of patient information. In the event that information is transferred to an Agent who is not subject to the HIPAA Rules, TOVANA Health will assure that: the Agent is contractually obligated to provide at least the same level of protection as is required by HIPAA; is subject to EU Directive 95/46/EC (the EU Data Protection Directive); has certified to the Safe Harbor, or is subject to another European Commission adequacy finding (e.g., companies located in Switzerland). Where TOVANA Health has knowledge that an Agent is using or disclosing personal information in a manner contrary to this Policy, TOVANA Health will take all reasonable steps to prevent or stop that use or disclosure.
Security: TOVANA Health will take all reasonable precautions to protect personal information in its possession from loss, misuse and unauthorized access, disclosure, alteration and destruction. TOVANA Health uses a combination of technologies, procedures and organizational measures to safeguard personal information.
Data Integrity: TOVANA Health will use personal information only in ways that are compatible with the purposes for which it was collected or subsequently authorized by the individual. TOVANA Health will take all reasonable steps to ensure that personal information is relevant to its intended use and is accurate, complete and current.
Access And Correction: Upon request, TOVANA Health will grant individuals reasonable access to personal information that it holds about them. In addition, TOVANA Health will take reasonable steps to permit individuals to correct, amend or delete information that is inaccurate or incomplete. TOVANA Health will take reasonable steps to facilitate amendments to information provided by third parties if an individual raises a query. Enforcement: TOVANA Health will conduct compliance audits of its relevant privacy practices to verify adherence to this Policy. Any employee that TOVANA Health determines is in violation of this policy will be subject to disciplinary action up to and including termination of employment.
Dispute Resolution: Any questions or concerns regarding the use or disclosure of personal information should be directed to the TOVANA Health Privacy Officer at the address given below. TOVANA Health will investigate and attempt to resolve complaints and disputes regarding use and disclosure of personal information in accordance with the principles contained in this Policy. For complaints that cannot be resolved between TOVANA Health and the complainant, TOVANA Health has agreed to participate in the dispute resolution procedures of the panel established by the European Data Protection Authorities and the Swiss Federal Data Protection and Information Commissioner to resolve disputes pursuant to the Safe Harbor Principles.

5. LIMITATION ON APPLICATION OF PRINCIPLES
Adherence by TOVANA Health to these Safe Harbor Principles may be limited (a) to the extent required to respond to a legal or ethical obligation; and (b) to the extent expressly permitted by an applicable law, rule or regulation.

6. INTERNET PRIVACY
TOVANA Health sees the Internet and online technologies as valuable tools for communicating and interacting with consumers, employees, healthcare professionals, business partners and others. TOVANA Health recognizes the importance of maintaining the privacy of information collected and/or stored online and has created an Internet Privacy Policy governing personal information collected or stored through the websites it operates. With respect to personal information that is transferred from the EEA or Switzerland to the United States of America the Privacy Policy is subordinate to this policy. However, the Privacy Policy also reflects additional legal requirements and evolving standards with respect to Internet privacy.

7. CONTACT INFORMATION
Questions or comments regarding this Policy should be submitted to the TOVANA Health Privacy Officer by mail as follows: support@tovanahealth.com.