[Effective Date: ________, 2022; Last Modified: _______, 2022]
This is the Privacy Notice of Burning Rock Biotech Limited together with its affiliate companies and subsidiaries (the “Privacy Notice”), including BR Hong Kong Limited, Burning Rock Dx LLC, Beijing Burning Rock Biotechnology Co., Ltd., Beijing Burning Rock Biotechnology Co., Ltd., Burning Rock (Beijing) Biotechnology Co., Ltd., Burning Rock Biotechnology (Shanghai) Co., Shanghai Burning Rock Health Consulting Co., Ltd., Burning Rock Biotechnology (Hangzhou) Co., Ltd., Guangzhou Burning Rock Dx Co., Ltd., Guangzhou Burning Rock Medical Equipment Co., Ltd., and Guangzhou Burning Rock Biotechnology Co., Ltd. (collectively, “Burning Rock”), whose corporate headquarters is located at 201-202, 2nd Floor, #7 Luoxuan 4th Rd Guangzhou Int’l Bio Island, Guangzhou Guangdong Province CHINA 510005. This Privacy Notice is for public disclosure and to inform customers, website visitors and other third parties, how Burning Rock may use information and data obtained from them.
I. IMPORTANT NOTICE
Burning Rock is a global leader committed to innovations in testing. We help scientists, clinicians, medical providers, and pharmaceutical companies address challenges, including through our therapy selection testing, detection capabilities, data analytics, testing, research, and clinical solutions services (collectively “Services”).
Burning Rock respects your privacy. This Privacy Notice provides notice about how Burning Rock collects and processes your personal information when you access and use our Services, including the site https://us.brbiotech.com/ (“Site”). This Privacy Notice also provides certain information that is legally required and lists certain of your rights in relation to your personal information under applicable law. We may update this Privacy Notice from time to time, including at least once every twelve (12) months. We encourage you to check our Privacy Notice regularly to understand how we may process your personal information and sensitive personal information.
- Consumer. For purposes of this Privacy Notice and as defined by the California Consumer Privacy Act of 2018 (“CCPA”) and the California Privacy Rights Act of 2020 (“CPRA”), a consumer is a natural person. “You” as referred to in this Privacy Notice are a consumer as defined by the CCPA and CPRA.
- Personal Information. Personal Information may be defined under various privacy laws, but generally, is information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
- Sensitive Personal Information: Sensitive Personal Information is a subset of personal information that requires greater security protections and standards of care in handling. Sensitive personal information is defined as information that if lost, compromised, or disclosed could result in substantial harm, embarrassment, inconvenience, or unfairness to a consumer. Sensitive Personal Information may include a consumer’s precise geolocation and a consumer’s genetic data, health-related, and biometric information.
III. YOUR RIGHTS AS U.S. RESIDENTS
Under the current and soon-to-be effective (i.e., January 1 and July 1, 2023) laws of several states, including California (the CCPA and the CPRA), Colorado (the Colorado Privacy Act (CPA)), Connecticut (the Connecticut Data Protection Act (CTDPA)), and Virginia (the Virginia Consumer Data Protection Act (VCDPA)), our customers who are residents of these states have certain rights regarding their personal information. This section describes the rights of residents of these states under their respective privacy laws (collectively “States’ Privacy Laws”) and how to exercise them. We extend these rights to customers from all states, not just to our customers in those states having enacted the laws specifically listed above.
In addition to the information provided in this Privacy Notice, you have several rights relating to your personal information and sensitive personal information as set forth below.
- Right to Access
You have the right to access personal information and sensitive personal information we may collect or retain about you. If requested, we will provide you with a copy of your personal information and sensitive personal information we collect as permitted by the States’ Privacy Laws.
- Right to Know
You have the right to request that we disclose certain information to you about our collection and use of your personal information and sensitive personal information over the past twelve (12) months. Once we receive and verify your request, we will disclose to you:
- The categories of personal information and sensitive personal information we collected about you.
- The categories of sources from which the personal information and sensitive personal information is collected.
- The specific pieces of personal information and sensitive personal information we collected about you.
- Our business or commercial purpose for collecting or selling any personal information.
- The purposes for which the personal information we collected will be used.
- The categories of third parties with whom we share personal information.
- If we sold or disclosed your personal information for a business purpose; and, if so, any categories of personal information that were sold or disclosed, and the categories of any third parties to whom personal information was sold or disclosed.
- Right to Opt-Out / Do Not Sell My Personal Information
You have the right to opt-out of the sale of your personal information to third parties. You may exercise this right by contacting our Data Protection Officer at email@example.com, or by clicking the link titled “Do Not Sell or Share My Personal Information” [INSERT URL] which appears in the footer on the homepage of the Site. This link will bring you to a webpage where you may opt-out of the sale or sharing of your personal information.
- Do Not Share or Disclose My Sensitive Personal Information
You have the right to limit how your sensitive personal information is used and/or shared with third parties. You may exercise this right by contacting our Data Protection Officer at firstname.lastname@example.org, or by clicking the link titled “Limit the Use of My Sensitive Personal Information” [INSERT URL] which also appears in the footer on the homepage of the Site. This link will bring you to a webpage where you may instruct us to limit the use of your sensitive personal information only to that which is necessary for providing Services to you.
- Right to Deletion
You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions. You may exercise this right by contacting our Data Protection Officer at email@example.com. Once we receive and verify your request, we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies.
We may deny your deletion request if retaining the personal information is necessary for us or our Service providers to:
- Complete the transaction for which we collected the personal information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our agreement with you.
- Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
- Debug products to identify and repair errors that impair existing intended functionality.
- Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
- Comply with the California Electronic Communications Privacy Act.
- Enable internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
- Comply with a legal obligation.
- Make other internal and lawful uses of that information that are compatible with the context in which you provided it.
- Right to Correct / Right to Rectification
You have the right to request the correction of inaccurate personal information possessed by us. You may exercise this right by contacting our Data Protection Officer at firstname.lastname@example.org. Once we receive and verify your request, we will use commercially reasonable efforts to correct your personal information as directed, taking into account the nature of the personal information and the purposes of maintaining your personal information.
- Right to Opt Out of Processing of Personal Information through Automatic Means
You have the right to opt out of the processing of your personal information through automatic means. Such processing may be used to analyze or predict aspects of a person’s performance in certain contexts that may affect decisions relating to health, behavior, reliability, employment, economic situations, personal preferences, location, or movements. You may exercise this right by contacting our Data Protection Officer at email@example.com. Once we receive and verify your request, we will exclude your personal information from any processing undertaken by automatic means.
- The Extent of Your Rights
We will not discriminate against you for exercising any of the rights outlined above. Furthermore, there is no charge for you to exercise such rights.
Please note, however, that the rights outlined above are not absolute. We may be entitled to refuse requests, in whole or in part, where exceptions under applicable law apply. If your requests are manifestly unfounded or excessive, in particular because of their repetitive nature, we may: (1) charge a reasonable fee taking into account the administrative costs of providing the information or taking the action requested; or (2) refuse to act on the request and notify you of the reason for refusing the request.
- Verifying Consumer Request
Only you or a person that you authorize to act on your behalf may make a verifiable consumer request related to your personal information.
In order to respond to your requests, we must perform some verification. For example, this would be necessary in order for us to respond to any requests to disclose or delete your data. Our verification methods will differ depending on the following circumstances:
Password-protected accounts – if you have a password-protected account with us, we will use password authentication to verify you. If your request is for deletion of personal information, we will need to re-verify you before we delete your information.
Non-password-protected accounts – we need to use either a two-tier or a three-tier verification process (which will depend on what type of request you are making). We will ask you to confirm two or three pieces of information that we have on our records about you, for example:
- Your address
- Your zip code
- Your email address
- Your most recent purchase
We will never ask for the following information from you:
- Social security number
- Financial account number
- Account passwords
You may make a verifiable consumer request up to two times within a 12-month period, without charge. Unfortunately, we cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm that the personal information relates to you. Making a verifiable consumer request does not require you to create an account with us. We will only use personal information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.
We try to respond to a verifiable consumer request within thirty (30) days of its receipt. If we require more time, we will inform you of the reason and extension time period (up to 90 days). If you have an account with us, we will deliver our response to that account. If you do not have an account with us, we will deliver our response by mail or electronically, at your option. Any disclosures we provide will only cover the twelve-month period preceding receipt. The response we provide will also explain any reasons we cannot comply with a request, if applicable.
IV. INFORMATION ABOUT PERSONAL INFORMATION PROCESSING
A. How and When We Collect Personal Information and Sensitive Personal Information
- Personal Information That We Collect
Burning Rock collects personal information including consumers’ names, addresses, email addresses, phone numbers, locations, and certain cookies.
- We collect Personal Information about you primarily from you.
We collect most personal information directly from you, i.e., when you use or interact with our Site and Services or when you communicate with us or sign up to receive promotional materials or information. We collect personal information when you register for an account on our Site, utilize our Services, send inquiries to us, browse our Services online, make purchases from us, or apply for a job with us. We also may obtain certain information about you from publicly-available sources or third-party sources to help us provide and improve the Services and for marketing and advertising. We may combine your personal information with information we obtain from our Services, other users, or third parties to enhance your experience and improve the Services. Your medical or healthcare provider(s) may send us your personal information so that we may provide our Services.
- We leverage and/or collect cookies, device IDs, Location, data from the environment, and other tracking technologies.
We may collect certain personal information using cookies and other technologies, such as web beacons, device IDs, geolocation, HTML5 local storage, Flash cookies, and IP addresses.
We specifically use browser cookies for different purposes, including cookies that are strictly necessary for functionality and cookies that are used for personalization, performance/analytics, and advertising. Certain elements of our Services and/or html email correspondence may use session cookies, persistent cookies or web beacons to anonymously track unique visitors, save website preferences, and to allow us to recognize visits from the same computer and browser. You have the option to reject some or all Website cookies on your computer and still use the Services. If you choose to reject all cookies, your access to the Website may be limited.
- Sensitive Personal Information That We Collect
Burning Rock sometimes collects sensitive personal information about you that is necessary to provide our Services, which may include: usernames, account, or billing information, proof of identification, health-related and biometric information. If Burning Rock intends to collect additional types of sensitive personal information, it will inform you about (1) the types of additional sensitive personal information it intends to collect; (2) how it intends to use the additional type(s) of sensitive personal information; (3) disclose whether it will share the additional sensitive personal information; and (4) inform you how long it intends to retain your additional sensitive personal information. By clicking on the link titled “Limit the Use of My Sensitive Information” [INSERT URL] in the footer on the Site’s home page, you may request that we only use your sensitive personal information to fulfill a specified purpose, including but not limited to providing Services to you. Upon receiving such a request from you, we will, within a commercially reasonable period, stop using your sensitive personal information for any purpose other than that authorized by you and/or necessary to provide Services to you.
- We do not collect Personal Information or Sensitive Personal Information about consumers under the age of majority
We do not knowingly collect personal information or sensitive personal information online from individuals under the age of majority without parental consent. If you become aware that an individual under the age of majority has provided us with personal information or sensitive personal information without parental consent, please contact us via email at firstname.lastname@example.org, or visit the “Do Not Sell or Share My Personal Information” link [INSERT URL] or the on the homepage of the Site.
B. How We Disclose Personal Information
We may disclose your personal information as described in this Privacy Notice, including to certain third-party service providers described below. Our third-party service providers are subject to security and confidentiality obligations and are only permitted to process personal information for a specified, legitimate business purpose and in accordance with our instructions.
- To Affiliates and Collaborators.
With companies or ventures that are owned or controlled by Burning Rock, as identified in the beginning of this Notice, and internally within Burning Rock, in order to provide and improve our Services, for marketing purposes, for advertising, and for analytics.
- To Service Providers and Vendors.
With business collaborators, marketing collaborators, and vendors to provide, improve, and personalize the Services. We may also disclose personal information and sensitive personal information to your medical or healthcare provider, at their direction, in order to provide our Services.
- For Advertising and Marketing.
With advertising and marketing collaborators for advertising and marketing purposes on Burning Rock’s behalf.
- For Certain Analytics and Improvement.
We may use third-party vendors, such as Google, who use first-party cookies (such as the Google Analytics cookie) and third-party cookies (such as the DoubleClick cookie) together to inform, optimize and serve ads based on your past activity on the Site, including Google Analytics. The information collected may be used to, among other things, analyze and track data, determine the popularity of certain content and better understand online activity. If you do not want any information to be collected and used by Google Analytics, you can install an opt-out in your web browser (https://tools.google.com/dlpage/gaoptout/) and/or opt out from Google Analytics for Display Advertising or the Google Display Network by using Google’s Ads Settings (google.com/settings/ads).
- For Interest-Based Advertising.
With companies involved in interest-based advertising. This advertising consists of Burning Rock advertisements that are personalized for you and displayed on the Site and through other channels. For more information on how data is disclosed for advertising, see our Advertising and Analytics section.
- For Legal Compliance, Law Enforcement, and Public Safety Purposes.
As permitted by law, with law enforcement, government or regulatory bodies, lawful authorities, or other authorized third parties in order to comply with laws, regulators, court orders, or other legal obligations or to assist in an investigation, to protect and defend our rights and property, or the rights or safety of third parties, this Privacy Notice, or agreements with third parties, or for crime-prevention purposes.
- Actual or Contemplated Sale, Acquisition, or Reorganization.
In connection with a contemplated reorganization or an actual reorganization of our business, in connection with financing, a sale, acquisition or other transaction involving the disposal of all or part of our business or assets, including for the purpose of permitting the due diligence required to decide whether to proceed with a transaction.
- Residents of the European Economic Area.
Our disclosure is limited to circumstances where we are permitted to do so under applicable European and national data protection laws and regulations.
III. LEGAL BASIS FOR PROCESSING
We collect and process your personal information for a variety of different purposes set out in further detail below.
In some cases, we will ask you for consent to process your personal information.
However, in certain circumstances, applicable data protection laws allow us to process consumers’ personal information and sensitive personal information without needing to obtain the consumer’s consent.
1. Processing Personal Information Where Consent Not Obtained
In certain cases, separate consent is not required, including:
- For the performance of a contract.
To perform our contractual obligations to you, including fulfilling orders or purchases you have made, contacting you in relation to any issues with your order, in relation to the provision of the Services, or where we need to provide your personal information and/or sensitive personal information to our service providers.
- To comply with legal obligations.
To comply with laws, regulators, court orders, or other legal obligations, or pursuant to legal process.
- Automated Decision Making.
To accomplish certain business functions, we may use automated decision-making to process personal information to predict a natural person’s performance in certain contexts that may affect decision-making relating to health, behavior, reliability, employment, economic situations, personal preferences, location, or movements.
- Legitimate Interests.
To operate our business and provide our Services, other than in performing our contractual obligations to you for Burning Rock’s “legitimate interests” for the purposes of applicable law, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal information. Legitimate interests may include:
- To communicate with you regarding the Services, including to provide you important notices regarding changes to our Site, and to address and respond to your requests, inquiries, and complaints.
- To send you surveys in connection with our Services.
- To assist in the investigation of suspected illegal or wrongful activity, and to protect and defend our rights and property, or the rights or safety of third parties.
- To develop, provide, and improve our Services.
- To enforce our Privacy Notice, or agreements with third parties.
2. Matters That May Require Consent
In cases where we are not already authorized to process your personal information under applicable law, we may ask for your consent to process your personal information, including:
We may ask for your consent to contact you by telephone, SMS, post and/or email about other offers, products, promotions, developments or services which we think may be of interest to you and for other marketing purposes.
- Sensitive Personal Information
Certain of our Services may involve the processing of sensitive personal information. If we collect sensitive personal information directly from you or a third-party such as a health care provider, we will obtain your consent where required before processing that sensitive personal information.
We may ask for your consent to use your personal information for research purposes, including for clinical studies.
3. Withdrawing Your Consent
- You may at any time withdraw the consent you provide for the processing of your personal information for the purposes set forth in this Burning Rock Privacy Notice, provided that we are not required by applicable law or professional standards to retain such information.
- As previously noted, you may click on the link titled “Do Not Sell or Share My Personal Information” [INSERT URL] which appears in the footer on the homepage of the Site. This link will bring you to a webpage where you may opt-out of the sale or sharing of your personal information. If you wish to limit the use or disclosure of your sensitive personal information you may click on the link titled “Limit the Use of My Sensitive Personal Information” [INSERT URL] which also appears in the footer on the homepage of the Site. This link will bring you to a webpage where you may request that your sensitive personal information be used only for a specified purpose(s).
- If you wish to opt out of the processing of your personal information through automatic means, you can do so by emailing us at email@example.com.
- If you want to stop receiving future marketing messages and materials, you can do so by clicking the “unsubscribe” link included in our email marketing messages or by emailing us at firstname.lastname@example.org.
IV. DE-IDENTIFIED OR ANONYMIZED DATA
We may create de-identified or anonymous data from your personal information by excluding certain data components (such as your name, email address, or linkable tracking ID) through obfuscation or through other means. With such exclusion, the de-identified or anonymous data will no longer personally identify you or any particular individual. Our use of anonymized data is not restricted by this Privacy Notice.
V. AGGREGATE DATA
We track visits to our Site using visitor logs and tracking-codes to compile anonymous aggregate statistics. This aggregate information is collected service-wide, and includes anonymous website, application, and device statistics. When you browse our websites and access our applications, our system automatically collects information such as your web request, Internet Protocol (“IP”) address, browser type, browser language, domain names, referring and exit pages, Uniform Resource Locator (URL), platform type, location, unique device identifier, pages viewed and the order of these page views, the amount of time spent on particular pages, the date and time of your request and one or more cookies that may uniquely identify your browser.
When you access our Site through a mobile device, we may receive or collect and store unique identification numbers associated with your device or our mobile application (including, for example, a Unique ID for Advertisers (“IDFA”), Google Ad ID, or Windows Advertising ID), mobile carrier, device type, model and manufacturer, mobile device operating system brand and model, phone number, and, depending on your mobile device settings, your geographical location data or similar information regarding the location of your mobile device.
VI. DATA RETENTION
To ensure our continued ability to provide you with our Services we will retain your personal information, including your name, address(es), email address(es), phone number(s), locations, and certain cookies, for as long as you maintain an account, or otherwise for the length of time required by applicable law, regulation or industry standard. Furthermore, we will retain your personal information and sensitive personal information as long as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.
If we no longer need to process your personal information and sensitive personal information for the purposes set out in this Privacy Notice, e.g., when you stop requesting our Services, we will delete your personal information and sensitive personal information. Once we no longer need to process your personal information and sensitive personal information, we will delete your personal information and sensitive personal information within two years. At your request and where permissible, we will delete your personal information and sensitive personal information upon your request, as further described in the Your Rights as U.S. Residents section of this Privacy Notice.
VII. ADVERTISING AND ANALYTICS
Interest-based advertising is advertising that is targeted to you based on your web browsing and app usage over time. We disclose various types of de-identified information to enable interest-based advertising. You have the option to restrict the use of information for interest-based advertising and to opt-out of receiving interest-based ads. To do so you may click on the link titled “Do Not Sell or Share My Personal Information” [INSERT URL] which appears in the footer on the homepage of the Site.
You can make decisions about your privacy and the ads you receive. You can control whether companies serve you on-line behavioral advertising by visiting the emailing us at email@example.com. The DAA opt-out requires that cookies not be blocked in your browser.
As an alternative to the DAA opt-out, you can also elect to block browser cookies from first parties (such as those from our website) and browser cookies from third parties (such as advertisers) by using the cookie blocking options built into your browser software. If you block browser cookies, some parts of our website may not function correctly. Also, blocking cookies will not stop third parties from collecting your IP address, data stored in “Flash” cookies, and certain other types of technical information that may uniquely identify your browser.
Due to the lack of consensus around a Do Not Track standard, our websites do not change how they collect or track data when they receive the “Do Not Track” flag.
VIII. SOCIAL NETWORK WIDGETS
Our Site may include social network sharing widgets that may provide information to their associated social networks or third parties about your interactions with our web pages that you visit, even if you do not click on or otherwise interact with the plug-in or widget. Information is transmitted from your browser and may include an identifier assigned by the social network or third party, information about your browser type, operating system, device type, IP address, and the URL of the web page where the widget appears. If you use social network tools or visit social networking sites, you should read their privacy disclosures, to learn what information they collect, use, and share.
IX. TRANSFER AND STORAGE OF PERSONAL INFORMATION
Burning Rock and associated Services and systems are stored on servers in China. If you are located outside of the United States or China, please be aware that personal information we collect will be processed and stored in the United States and China, jurisdictions in which the data protection and privacy laws may not offer the same level of protection as those in the country where you reside or are a citizen.
By using our Services and/or submitting your personal information, you agree to the transfer, storage, and/or processing of your personal information by Burning Rock in the United States and China. All data transfers by Burning Rock to a Burning Rock affiliate in the United States and China are conducted pursuant to measures recognized by the EU Commission.
X. DATA PROTECTION OFFICER
If you have questions or concerns regarding our personal information and/or sensitive personal information collection and/or processing practices or this Privacy Notice, you can email us at firstname.lastname@example.org. You also may opt out of the processing of your personal information by automatic means by contacting our Data Protection Officer at the above email address. You also may click on the link titled “Do Not Sell or Share My Personal Information” [INSERT URL] which appears in the footer on the homepage of the Site. This link will bring you to a webpage where you may opt-out of the sale or sharing of your personal information. If you wish to limit the use or disclosure of your sensitive personal information you may click on the link titled “Limit the Use of My Sensitive Personal Information” [INSERT URL] which also appears in the footer on the homepage of the Site. This link will bring you to a webpage where you may request that your sensitive personal information be used only for a specified purpose(s).
XI. RIGHT TO LODGE A COMPLAINT WITH A SUPERVISORY AUTHORITY
You have a right to lodge a complaint with a supervisory authority.
XII. SECURITY SAFEGUARDS AND LINKS TO OTHER WEBSITES
We implement appropriate technical and organizational safeguards to protect against unauthorized or unlawful processing of personal information and against the accidental loss, destruction, or damage of personal information. Please be advised, however, that we cannot fully eliminate security risks associated with the storage and transmission of personal information.
This Privacy Notice only applies to Burning Rock. Our Site or Services may provide a link or otherwise provide access to another website, mobile application, or Internet location (collectively “Partner Sites”). We provide these links merely for your convenience. We have no control over, do not review, and are not responsible for Partner Sites, their content, or any goods or services available through the Partner Sites. Our Privacy Notice does not apply to Partner Sites, and any data you provide to Partner Sites, you provide at your own risk. We encourage you to review the privacy policies of any Partner Sites with which you choose to interact.
XIII. CONTACT US
For any questions regarding this Privacy Notice or your rights regarding your personal information, please email us at email@example.com.
XIV. MODIFICATIONS AND REVISIONS
We reserve the right to modify, revise, or otherwise amend this Privacy Notice at any time and in any manner. Any new version of this Notice will be posted on the Site. This Notice will be reviewed at least annually and updated, as necessary.
October 1, 2022
[INSERT BEFORE PUBLISH]