Effective Date: Aug 18, 2022
PLEASE REVIEW THIS CAREFULLY AS IT DESCRIBES HOW INFORMATION ABOUT YOU MAY BE COLLECTED, USED, MAINTAINED, STORED, SHARED, AND PROTECTED.
Cardiogram is a mobile software platform that collects data from its users via smart phones and smart watches to provide personalized health monitoring and pre-diagnosis alerts and information. Cardiogram analyzes and deciphers the user data for the early detection and prevention of diseases.
Our “Services” include access to the Cardiogram.com public website, our Cardiogram mobile application, Cardiogram Subscription Services for our mobile application (“Subscription Services”), Supplements (“Supplements”), and personal At-Home Testing (“At-Home Testing”). The At-Home Testing may include cardio stress tests and the collection of biological samples.
The biological samples we collect include saliva, urine, cheek swab, skin swab, and other (“Samples”), using sample collection kits (“Kits”) provided by Cardiogram. Customers will collect the Samples and ship them to Cardiogram partner labs for testing and analysis. The Samples are subjected to scientific testing and Cardiogram proprietary technology that uses analytics, machine learning and Artificial Intelligence to generate personalized lifestyle, supplementary, and dietary recommendations for individuals via the Cardiogram website located at www.Cardiogram.com and mobile applications. Based on our analysis of the Samples and customer-provided data, using Cardiogram technology, Cardiogram detects molecular and genetic features that are associated with certain diseases and delivers associated test results using its web and mobile platforms.
What Information We May Collect
When you subscribe to or use our Services, Cardiogram collects and uses several types of Personal Information, as defined below. This includes, among other things:
“Registration Information” is collected when you subscribe, place orders on our website or through our application, or register for our Services. This information includes, but is not limited to:
- Your name and your contact data, such as your physical and billing addresses, e-mail address, phone number, and your account login and password;
- Payment information, such as your credit or debit card number; and
- Self-reported medical history information for you and your family members.
Cardiogram uses Registration Information to authenticate your access to your Cardiogram Account, websites and mobile applications for purposes that include but are not limited to the following:
- Use of the Services;
- Obtaining physician authorization for testing requests;
- Facilitating any consultation services through our clinical and support partners;
- Enabling you to purchase or access add-ons and new features related to the Services;
- Charging recurring fees for Subscription Services;
- Delivering personalized reports;
- Sending research studies or study participation consents and questionnaires, marketing and other communications.
“Biological Samples” or “Samples” are the self-collected urine, saliva, and other fluid samples such as blood, cheek swabs, or skin swabs that you collect using Kits and used by Cardiogram for testing and analysis.
“Sample Data” is molecular or genetic data created from the Samples for testing and analysis.
“Personally Identifiable Information”, “PII”, or “Personal Data” is information about an individual that, when used directly or indirectly, alone or with other relevant data, can identify an individual (e.g., first and last name, birthdate, home address, social security number, bank account number, credit card number, passport number, health insurance information, biometrics data, fingerprints, DNA, etc.).
“Sensitive Information” or “Sensitive Data” is a category of Personally Identifiable Information or Personal Data relating to confidential medical facts, medical history, records, racial or ethnic origins, political or religious beliefs, or sexuality.
“Self-Reported Information” is all information you provide us about yourself including, but not limited to:
- Information about your personal traits (e.g., eye color, height);
- Disease conditions (e.g., Type 2 Diabetes);
- Physical health-related information (e.g., pulse rate, heart rate, medicine you currently take, or whether you smoke);
- Diet related information (e.g., vegetarian, vegan, food allergies, etc.);
- Mental health related information (e.g., conditions such as fear or anxiety); or
- Your disease conditions, medical history, and family history (e.g., information similar to the foregoing about your family members).
Self-Reported Information can be provided to us in many ways including, but not limited to:
- Input and answers to surveys, questionnaires, emails, features on our website and software applications;
- While participating in research studies;
- Engaging with our customer service personnel; or
- While using the Services.
“Protected Health Information” or “PHI” is any information about the health status, provision of health care, or payment for health care services that can be linked to a specific individual.
“Medical Information” is information from your healthcare provider that you give Cardiogram permission to access. Cardiogram will access your Medical Information only with your written consent.
“Test Data” is information we extract from Sample Data for use in our testing services that produce data and test results that help us provide you with accurate and personalized recommendations and Services.
“De-identified Information” or “De-identified Data” is data where Personal Information that could otherwise be used to identify you is removed before using the data to provide the Services. Your Samples are used with your Personal Information only to the extent necessary and for the purpose of delivering the Service to you and communicating directly with you when necessary. For all other purposes, including for Research and Research Studies, analysis, and improving the Services, we use De-identified Data except when you have explicitly consented to our use of your Personal Information.
“Pseudonymized Information” or “Pseudonymized Data” is data where Personal Information has been replaced with artificial identifiers or pseudonyms (e.g., John or Jane Doe).
De-identified or Pseudonymized Data means that the data cannot be attributed to you or a specific individual without the use of additional information that is not accessible to the users of the data.
“Aggregate Information” or “Aggregate Data” means De-identified or Pseudonymized Information or Data that has been combined and compiled into collections or summaries. Aggregate Data is often used for data analysis and sometimes for Research.
Some features of our Services may enable you to post or upload on our website, social media, or public forums that relate to us, such as blogs, data, text, software, documents, audio, photographs, graphics, video, messages, discussions, emails, or other materials that you create or provide to us (“User Content”).
Any Personal Information you publicly include in your User Content may be read, collected, and used by anyone able to access the content. Cardiogram expressly disclaims any and all liability for the actions of third parties, including but not limited to actions relating to the use or disclosure of Personal Information by third parties. Please exercise caution before and when you choose to share Personal Information on our blogs, forums, or in any other public media.
By sending User Content, you grant Cardiogram and its licensees, assignees and designees an irrevocable, assignable, fully sub-licensable, perpetual, world-wide, royalty-free, non-exclusive license, in their sole discretion, to use, distribute, reproduce, modify, combine, adapt, publish, translate, rent, lease, sell, publicly perform and publicly display your User Content (in whole or in part), along with your name or any part thereof and state of residency, in Cardiogram’s discretion, and to use or incorporate all or any part of your User Content into other advertising, promotion, research, analysis or other materials in any format or medium now known or later developed. You hereby waive any right to inspect such use and any claims based on privacy, publicity, defamation, misappropriation, intellectual property or similar claims for any use of your User Content.
Cardiogram and its third-party service providers from whom it receives your information may use “cookies” and similar tracking technologies (such as web beacons, tags, scripts and device identifiers used for automatic collection of information), for a variety of purposes. Cookies are small data files that are stored on a user’s hard drive at the request of a website to enable the website to recognize and retain certain user information such as customer preferences and history.
Cookies help us recognize when and how you use our Services, customize and improve your experience, provide security, analyze our interactions with our Services and its features, gather demographic information about our user base, make special offers of our Services, monitor the success of marketing programs, and deliver targeted advertising on our website and on other websites on the Internet.
The information reports we receive from third party service providers can be de-identified, individual-level, or aggregate-level, and we may also use these reports to improve our data analytics methods. If we combine cookies with, or link them to, any of the Personal Information, Cardiogram will treat this information as Personal Information.
Google Analytics or Similar Services
Like many websites, we use Google Analytics or similar web analytics services to monitor web behavior; such a service provides information about how many users visit our website and online resources, when they visit, and how they navigate our website. We also may use other analytics tools, such as demographics and interest reporting, which enable us to learn more about the characteristics and interests of the users who visit our website, and remarketing, which enables us to provide relevant advertising on different websites and online services.
Other Types of Information
From time to time, we may collect other types of information automatically about your use of our Services through the log files. Such information may include your device’s Internet Protocol (IP) address, operating system, browser type, and your device ID. Cardiogram uses this information for purposes such as analyzing trends, administering the Service, improving customer service, diagnosing problems with our servers, monitoring the security of our systems, tracking user movement, and gathering broad demographic information for aggregate use.
Information on our At-Home Testing Services
Currently, all testing Services are performed at Cardiogram’s partner laboratories, which are CLIA-certified labs that comply with the federal regulatory standards applicable to testing performed on humans under the Clinical Laboratory Improvement Amendments of 1988 (“CLIA”). Depending on our needs, we may use certified and licensed third-party service facilities in the future for testing and Sample collection services.
Our laboratory will use your Samples and Medical History for the testing, analysis and generation of Sample Data, which will in turn be used to generate Test Data. Test Data is used together with Self-Reported Information and Medical History, in conjunction with our data analysis methods and machine learning and artificial intelligence models, to generate the Test Results that we use to provide Test Reports, personalized recommendations, and recommendations for Supplements and Subscription Services through our web and mobile platforms.
How We Use your Information
a) Provide you with the Services
We use your information for activities necessary for provisioning the Services, which include testing and analysis of data, generating and delivering Test Results and recommendations, customizing recommendations for Supplements, and improving our Services. These activities may include but are not limited to:
i) Open and maintain your Cardiogram Account;
ii) Enable purchase of our Services (e.g., process payments and Subscription Services);
iii) Communicate with you (e.g., informing you of policy changes, security updates or issues, delivery of Test Results (directly or through our lab partners), pre and post-test consultations, etc.);
iv) Implement your requests (e.g. requests to Customer Service);
v) Facilitate use of our website and mobile applications (including authenticating your visits, providing personalized content, and tracking your use of our Services);
vi) Facilitate the covered services of our Lab Partner(s);
vii) Enforce our Terms and other agreements, such as by monitoring, detecting, investigating and preventing prohibited or illegal activities, spam and other security risks, and performing quality control;
viii) Perform Research Studies and Research & Development activities (which may include, for example, Research conducted by Cardiogram’s science and engineering teams);
ix) Conduct data analysis to improve existing Services or develop new Services; and
x) Improve our data analytics, machine learning and artificial intelligence models that help us provide more precise and accurately personalized recommendations.
We may also use your information to fix bugs or issues, analyze use of our website, charge recurring Subscription Services fees, to improve or optimize the customer experience and Customer Service, or assess the efficacy of our marketing campaigns.
b) Improve Services, Data Analysis, Machine Learning and Artificial Intelligence Models
We are constantly working on improving our Services and enhancing the capacity and accuracy of our data analysis, machine learning and artificial intelligence models we use for the purpose of delivering more accurate and personalized Services to you.
We may use the biometric data we usually collect from users’ smart phones and smart watches, physiological and molecular data such as Samples, individual Clinical Data, Test Data, and Self-Reported Information in de-identified, pseudonymized, anonymized, or aggregate forms (after carefully removing the identifiers that easily identify who you are), together with similar data of others, for the purpose of improving Cardiogram’s machine learning models. Our artificial intelligence models run multiple analyses of aggregated de-identified data across our massive database of information, carefully selected high-quality scientific literature, expert knowledge from our team of scientists and engineers, and customer feedback to improve our Services. It is through our artificial intelligence models that we are able to provide better and more accurate Services to you via our mobile and web apps.
c) Provide Customer Service and Support
When you contact Cardiogram’s customer service (“Customer Service”), we may use or request additional Personal Information, as necessary to verify your identity, answer your questions, resolve disputes, and/or investigate and troubleshoot problems or complaints. In certain instances, we may require using one customer’s Personal Information to resolve another customer’s request. For example, if a customer reports behavior of another customer that violates our Terms of Service, we will separately process both customers’ Personal Information and respond separately to each customer as appropriate. We will not share your Personal Information with another customer or any third party without your specific consent.
d) Surveys and Testimonials
e) Marketing and communications
By creating a Cardiogram Account and using our Services, you agree to receive Service-related emails with information such as new features, add-ons, promotions, contests and other notifications about our Services. You can unsubscribe from receiving these marketing communications at any time. To unsubscribe, click the email footer “unsubscribe” link or send a request to our Customer Service using the details provided above. You may not opt-out of receiving non-promotional messages regarding your Cardiogram Account, such as technical notices, purchase confirmations, important notices on Cardiogram policies and deadlines applicable to use of Sample Kits and Sample submissions or Service-related emails.
We may also use the Personal Information you submit to us to personalize your user experience and to allow us to recommend or deliver the type of content, new features, or Service offerings in which you are most interested. We may also use your Personal Information to compile usage statistics and other data regarding use of our Services and for other types of marketing and communication purposes, without asking for and receiving your explicit consent (e.g., targeted advertising that uses third party advertising networks and providers who help us deliver targeted online advertisements or measure the effectiveness of ad campaigns). We and our third-party service providers will not use your Sensitive Information for marketing and communication purposes.
How We Disclose Your Information
In general, Cardiogram will not disclose your Personal Information (including Self-Reported Information and Medical Information) to third parties, except under the following circumstances:
a) With Express Written Permission
b) To Facilitate Business Operations
To the extent possible, Cardiogram will only disclose such individual-level Personal Information as necessary to facilitate its business operations. In these instances, the protection of your individual-level Personal Information will be subject to the service agreements or privacy policies of the specific Cardiogram partner or service provider. In addition, we also employ strong terms on data security, protection, and confidentiality of information (including our customer data) shared in our agreements with the service providers.
c) Sharing with Third Parties
We may share your individual-level Personal Information, without explicit consent, to the extent necessary, with third parties:
i) In order to perform business operations that help deliver the Services to you (e.g., Sample collection services, laboratory services, service providers that ship Kits, Supplement providers, logistics operators, IT service providers, customer service optimizers, etc.);
ii) In order to provide Services provided to you by our contracted partners; and
iii) For marketing and communication purposes.
Specifically, Cardiogram does not share your Personal Information with third parties in the following ways without your explicit consent:
i) Sell, lease, or rent it;
ii) Release it to any public databases;
iii) Use it in study participation with collaborators; and
iv) Share it with insurance companies, healthcare providers, educational institutions, government agencies, or employers.
d) As Required by Law
Under certain circumstances, Personal Information may be subject to disclosures pursuant to judicial or other government subpoenas, warrants, or orders, or in coordination with regulatory authorities. You acknowledge and agree that Cardiogram is free to preserve and disclose any and all Personal Information to law enforcement agencies or other regulatory agencies, if required to do so by law or in the good faith belief that such preservation or disclosure is reasonably necessary to comply with:
i) Legal or regulatory process (such as a judicial proceeding, court order, or government inquiry);
ii) Obligations that Cardiogram may owe pursuant to ethical, regulatory (such as state laws or Food and Drug Administration), and other professional rules, laws, and regulations;
iii) Enforce its Terms of Service;
iv) Respond to claims that any content violates the rights of third parties; or
v) Protect the rights, property, or personal safety of Cardiogram, its employees, its customers (including you), and the public.
In the event Cardiogram is required by law to disclose Personal Information, Cardiogram will notify you through the Registration Information provided to Cardiogram in advance, unless doing so would violate the law or a court order.
e) Customer Loses Capacity
When a customer has lost capacity or passed away, we will only give their Personal Information to individuals who are legally authorized to make decisions on their behalf, such as an executor, a personal representative, or a beneficiary of a deceased person’s estate. The person requesting the information must complete an authorization form and provide evidence and legal documentation indicating they are allowed to act on behalf of the individual before we will provide any information.
f) Transition of our Business
g) Commonly Owned Entities
Information Security Measures
Cardiogram uses a number of IT, physical, technical, and administrative measures to keep your Personal Information safe and secure. By employing these safeguards, we aim to prevent unauthorized access, minimize accidental disclosure, maintain data accuracy and integrity, and ensure appropriate use of the information in accordance with current technological and industry standards. In particular, data stored by Cardiogram software and mobile applications is stored using encryption technology. All connections to Cardiogram websites, software, and mobile applications are encrypted using Secure Sockets Layer (“SSL”) technology.
You acknowledge and agree that protecting Personal Information is a responsibility shared between you and Cardiogram. In this regard, we ask all users of our Services to be responsible for keeping their login IDs, passwords, and other authentication information used to access the Service in a secure manner and maintain strict confidentiality. You should not share your Cardiogram Account and authentication information with any third parties and should inform Cardiogram immediately of any prohibited use of your Cardiogram Account or authentication information. Cardiogram cannot secure and assumes no liability for Personal Information that is released by our customers to third parties, such as physicians, insurance companies, or healthcare service providers.
Cardiogram implements several physical and technical security measures to ensure confidentiality, integrity, security, and availability of Cardiogram and customer data by employing industry standard safeguards such as de-identification, pseudonymization, encryption, and data segmentation. Sample Data and other Personal Information provided to us are stored after being labeled with an assigned code, without your name or other Personal Information that could easily link your Sample to you.
To ensure the on-going confidentiality, integrity, and security of your data, Cardiogram conducts periodic risk assessments of the electronic protected health information (“ePHI”) systems which we use to store your Personal Data. We de-identify customers' PII from PHI and use multiple layers of industry standard security measures for encryption and access protection of Sensitive Data, based on job function and role. Cardiogram access controls include multi-factor authentication, single sign-on, and strict least-privilege authorization policies.
Cardiogram keeps all customer Personally Identifiable Information and Data on secure cloud servers. Only a small group of qualified personnel within Cardiogram can access information that can be used to identify you. These are personnel who need that information in order to provide and complete testing, analysis, and reporting related to the Services. The Personal Information that matches the assigned codes will be kept in a secure, access controlled, and protected database by Cardiogram. Only a small group of essential personnel will have access to this secure and protected database.
We will not include any Personal Information that would make it possible to identify you in any Research, studies or publications. All Cardiogram employees, consultants, and others who might have access to your Personal Information must sign confidentiality and non-disclosure agreements that mandate them to keep customer Personal Information confidential. Your Personal Information may be shared with your health care service provider only with your written permission. Your Samples and related specimens and their remnants, after testing and analysis, are either stored securely with de-identified alphanumeric IDs (with no Personal Information that can identify you) or destroyed, usually within a short amount of time such as 7-14 days.
Cardiogram is committed to protecting the privacy of children and abiding by the provisions of the Children’s Online Privacy Protection Act (“COPPA”). The Services are not designed for, intended to attract, or directed toward children under the age of 18 or below the legal age of majority to form a binding contract in your country of residence, whichever is greater. A parent or a legal guardian, however, may collect Samples using Sample Kits, create a Cardiogram Account for, and provide Registration Information for his or her child who is under the age of majority. On these occasions, the parent or guardian assumes full responsibility for following the Sample collection instructions, ensuring that the information that he or she provides to Cardiogram about his or her child is kept secure, and ensuring that the information submitted is accurate.
In the event Cardiogram is notified or becomes aware that the Service has been used by a child under the age of 18 to store information of that child without parental consent, Cardiogram shall be and is authorized to delete, in its entirety, with no notice to you, any of the information stored by that child or by you on that child’s behalf. Cardiogram also reserves the right to revoke any license to use the Services, which is being used or has been used by a child under the age of 18.
If you believe that we have gathered Personal Information from a person under 18, please contact us at [email protected].
Retention of Personal Information
Unless you close your Cardiogram Account, which results in deletion of your Personal Information as described in the Account Closure process specified below, Cardiogram may store your Personal Information as long as your Cardiogram Account is open.
Correction of Personal Information
Your Personal Information, if incorrect, can be corrected, changed, or updated by sending a request to our Customer Service using the information stated below:
Submit via email:
[email protected] and request “Correction of Personal Information”
Submit by mail:
Cardiogram Customer Service (Correction of Personal Information)
1200 Ridgefield Blvd., Ste 170
Asheville NC 28806 USA
If you no longer wish to use the Services or have your Personal Information processed by us in order to provide you the Services, you may close your Cardiogram Account by using our mobile apps or by sending our Customer Service a request using the information specified below.
Submit via email:
[email protected] and request “Account Closure”
Once we receive your request, we will send an email to the email address linked to your Cardiogram Account detailing our Account Closure Policy and requesting that you confirm your closure request. Once you confirm your request to close your Cardiogram Account, your Cardiogram Account will no longer be accessible. When your request is processed, it cannot be cancelled, undone, withdrawn, or reversed. When closing a Cardiogram Account, Cardiogram removes or deletes Personal Information associated with that Cardiogram Account, subject to certain limitations stated below:
To the extent necessary and permitted by law, Cardiogram may still retain:
i) Request and transaction data for accounting, audit, and compliance purposes;
ii) Limited Personal Information for compliance with legal retention requirements (e.g., CLIA requirements);
iii) Limited Personal Information to fulfill contractual obligations, exercise or defend legal claims;
iv) Limited Personal Information to fulfill audit and compliance processes;
v) Information already used for Research and Study Participants; and
vi) Limited information in de-identified, pseudonymized, or aggregate forms used in Research, data analysis, machine learning and artificial intelligence.
Retention of Personal Information
Unless you close your Cardiogram Account and delete your Personal Information in the Account as described under Account Closure as specified above, Cardiogram will store your Personal Information as long as your Cardiogram Account is open.
Pursuant to the California Consumer Privacy Act of 2018 (“CCPA”), California residents are afforded certain additional rights regarding use of your Personal Information. However, depending on your data choices, certain services may be limited or unavailable. If you are a California Resident, to learn more about your California Residents’ privacy rights under CCPA and to obtain a copy of our CCPA Notice for California Residents, please contact our Customer Service by sending a request using the information specified below.
Submit via email:
[email protected] and request “Assistance with CCPA Notice Rights”
California Do-Not-Track Disclosures
Cardiogram does not track its customers over time and across third party websites to provide targeted advertising and therefore does not respond to Do Not Track (“DNT”) signals. Third parties that have content embedded on Cardiogram’s websites or mobile applications (e.g., social features) may set cookies on a user’s browser and obtain information about the web browser visiting a specific Cardiogram website from a certain IP address. Third parties cannot collect any other Personal Information from Cardiogram’s websites, software, or mobile applications unless you provide it to them directly.
Pursuant to Nevada Privacy Law (“NPL”), Nevada residents may direct a business that operates an internet website not to sell certain Personal Information about them. Cardiogram does not sell your Personal Information to third parties. If you are a Nevada resident, for more information about your rights under NPL or how we handle and share your Personal Information, contact our Customer Service by sending a request using the information specified below:
Submit via email:
[email protected] and request “Assistance with NPL Rights”
Data Privacy for Residents of Designated Countries
This section applies only to the Personal Information of the residents of the European Economic Area (“EEA”), United Kingdom, or Switzerland (collectively, the “Designated Countries”). When we transfer, store, and process the Personal Information of the residents of the Designated Countries, we implement appropriate safeguards applicable to transfer of such Personal Information to and from the Designated Countries in accordance with the terms specified below:
When we transfer, store, or process your Personal Information in the U.S. or other countries outside of the country where you reside, we rely on various legal bases to lawfully transfer such Personal Information around the world, including the European Commission-approved model contractual clauses (“lawful data transfer mechanisms”).
Our Relationship with You
We are the “controller” with respect to your Personal Information because we determine the means and purposes of processing your information when you use our Services.
We may contact you by electronic means for marketing communications with information about our Services that are similar or related to the Services you use. If you do not want us to use your Personal Information in this way, please contact us at [email protected] to withdraw your consent at any time. The withdrawal of your consent will not affect the lawfulness of processing based on consent before its withdrawal.
Transfer to a Third Party