What personal data we collect, why we collect it, when and how it is used, and how we will protect your privacy.
We will never use, share or sell your data or personal information without your explicit consent – and will only access your data as necessary to provide you with the services you request or for purposes of critical system maintenance and security.
In order to interact with our website and services, you will need to opt in to temporarily storing personal data such as your name and email address in cookies. These are for your convenience, so that you can remain logged into your account, save preferences, and avoid re-entering data on every page. OpenCures does not use tracking cookies.
If you visit our website, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser. If you log in to our website, we will set up several cookies to save your login information and your screen display choices. Login cookies last until you log out, or your session expires due to inactivity for more than 2 hours. Screen options cookies last for one year. If you select “Remember Me”, your login will persist for two weeks.
Data we Collect
In the course of signing up for and using the OpenCures website and services, you may provide various types of identifying and personal data including but not limited to demographic information, health biomarker measurements, your behavior while using our website, and stored bio-specimens from which biomarker data is acquired by the tests you order and consent to. All data that is identifiably linked to your user account is your Personal Data and is considered private and owned by you. You may opt to view, share, or delete your Personal Data at your discretion – and it will only be visible to you, people you have specifically shared it with, and authorized OpenCures personnel on a strict as-needed basis for the express purpose of providing customer service, quality control, and security.
OpenCures users may opt in to share De-Identified Data within the OpenCures Database. This is an aggregate pool of data for research purposes. This data is stripped of identifying attributes such as your name, email, address and precise date of birth following HIPAA and Safe Harbor data practices. Once De-Identified Data has been shared to a pool, it may not be possible to delete it upon request. All data sharing is strictly opt-in only – users are not required to share any data in order to make full use of OpenCures services. Informed consent will be mandated for all opt-in data sharing.
How we secure your data
We strive to use the latest industry standard means to secure and protect your data, including:
- De-identification according to HIPAA Safe Harbor
- Encryption of all data at rest, such as personally identifiable reports
- Limiting access by trained OpenCures personnel, and only when necessary for providing our services
- End-to-end encryption of all web traffic and database connections
How we use your data
By default, your data will be accessed only as necessary to provide services that you request. You may also opt in to allow OpenCures to access your data for the purposes of:
- Improving our services – such as the analysis of De-Identified Data for data quality metrics
- Permitting user-led or third party research on the pooled De-Identified Data (the OpenCures Database)
- Recruiting you for external research studies
- Providing customer support
- Notifying you about relevant new features, products, and services
Third Party Services
When you order tests and other services through OpenCures, they will generally be provided by third parties. In these cases we will not expose your identity to those parties except when legally obliged – in which case we will seek your informed consent as part of the ordering process. For example, you may provide us with a blood sample which we send to a third party for mass spectrometry analysis – the sample we send will use a de-identified number that can then be used to link the returned data to your OpenCures account.
The OpenCures platform will offer the ability to connect to other health data providers you subscribe to, allowing you to copy your data into your OpenCures account. We will only acquire data on you from such third party sources when you provide explicit consent.
In the course of interacting with our website, certain third party services such as automated spam detection may be used and will have limited visibility into your De-Identified Data.
What rights you have over your data
If you have an account on this site, or have left identifiable comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you (with the exception of some De-Identified Data). This does not include any data we are obliged to keep for administrative, legal, or security purposes.
What data breach procedures we have in place
In the case of a detected data breach, we will inform you of the breach in a timely manner, including what information may have been stolen, the date of the breach, what actions we are taking, and what rights you have in accordance with California and US law.