Privacy Policy

Version 5.4 - Last updated on 18 July 2024

This Privacy Notice describes how Saphetor SA processes the personal data we collect when you use our products (VarSome, VarSome API, VarSome Premium and VarSome Clinical platforms) or visit our website (saphetor.com, varsome.com).

We recognize the importance of privacy and of transparency in our processing of personal data. We process personal data in compliance with Swiss data protection law and the European Union’s General Data Protection Regulation (collectively, “Applicable Data Protection Law”).

This Privacy Notice explains (i) which personal data are processed on the Platforms, (ii) the manner and the purposes for which we process the personal data, and (iii) the measures which we take in order to protect such personal data. 

This Privacy Notice applies to information we collect through the Platforms, as well as other information provided to us online or offline by third parties, when we associate that information with customers or users of the Platforms; however, it does not apply to information collected from our employees, contractors, or vendors. It also does not apply to information that you ask us to share with third parties or that is collected by certain third party providers of online tools (as further described in Section 6 below). You acknowledge and agree that Saphetor is not responsible for the data collection or use practices of any other user of the Platforms or any third party utilized in providing the Platforms.

1. What data do we collect?

Saphetor collects the following data:

  • Personal data which you provide when you use the Platform

We collect the personal data you provide when you use the Platforms, for example, when you create, manage and/or use your account, through webforms you fill in, or when you contribute to the Platforms (e.g. the comments and variant classifications you make) (“User Data”). 

  • User Data: User Personal identification information (First and last name, email address, phone number, Organization name and address, etc.)
  • Datasets: the genetic and/or other molecular data from individuals, or other special categories of protected health information contained in the datasets uploaded by Users

  • Certain personal data are also collected in an automated manner.

Such information (“Analytics Data”) includes the following information that we automatically collect and store about your computer and your visit:

  • IP address, user id, network ID and user location 

2. Why Do We Process Personal Data?

We process personal data only when we have a valid reason to do so, as further specified below. 

  1. To provide the services to our Users:

If you are a user of the VarSome Platforms, we mainly process your personal data to provide the service: 

  • creating and maintaining a user account;
  • interacting with you;
  • allowing other users to interact with you (including for allowing other Users to view your public content);
  • providing you with requested information and services, performing data analysis that you request, or in the manner expressly indicated when certain personal data are collected;
  • other operational needs, such as billing, customer support and legal support;
  • to verify the accuracy of the information which is provided to us;
  • to moderate public contributions and exchanges between Users.

If you are not a User, we may process your personal data because it was provided to us in pseudonymized form by one of our Users, for instance due to your position as a customer or patient of an organization with which a User is affiliated (the “Organization”). In this case, we mainly process your personal data for the purpose of providing the services to the Organization, based on a contract between us and the Organization. This Privacy Notice does not govern how the Organization processes your personal data or how we process your data for the account of the Organization (e.g. to carry out the analysis requested by the Organization). Please refer to the Organization’s policies and contact the Organization directly for any inquiry relating to the use of your personal data by it.

  1. For legitimate business operations related to providing the services, as well as for security and monitoring and for statistical purposes:

We may also process your personal data for our legitimate business operations related to providing the services, which include 

  • ensuring the services are provided in an efficient and secure way (e.g. through analysis of the Platforms’ stability and security, updates and troubleshooting, as well as support services); 
  • improving and developing the Platforms and our Services; 
  • benefitting from cost-effective services (e.g. we may opt to use certain Platforms offered by suppliers);
  • meeting our corporate and social responsibility objectives (including monitoring our performance or the use of the Platforms and our Services, and for statistical purposes).

  1. For scientific and research purposes:

We may also process personal data for scientific and research purposes, to provide other Users and third parties with aggregated or pseudonymized scientific information derived from it, for instance the fact that single molecular markers have been found in one or more datasets processed via a Platform or queried directly on a Platform, as well as the respective genotype, phenotype(s), or tumor types known about that individual(s) and their sex and ethnic background. 

  1. For sending our newsletter, or for other marketing and advertising purposes:

Provided that we have obtained your prior and unambiguous consent, we may use your personal data, in particular, the contact details as well as other personal data collected in accordance with this Privacy Notice, for marketing and advertising purposes, e.g. to send you information and offers relating to our products and services and/or of our partners, such as prospectuses, newsletters, and other advertising messages.

  1. If we have a legal obligation to do so:

We may further process personal data to comply with our legal or regulatory obligations. This will for instance be the case if we need to disclose certain information to public authorities or retain such information for tax or accounting purposes, or for the establishment, exercise or defense of legal claims. 

  1. For any other reason, based on authorization:

In addition to the above, we may process your personal data, if we have obtained your prior unambiguous written authorization, solely for the purposes specified when obtaining your authorization. 

3. How do We Store your Data?

  • Where do we store data?

Saphetor securely stores your data in compliance with the ISO 27001:2022 standard. The storage location depends on your geographical region:

  • Data center based in Switzerland (CH)
  • Cloud (Google or AWS) in EU, US and Middle East.

“Datasets” uploaded on the Platforms are stored only in the region where the user uploads them. We do not store the Datasets in other countries unless authorized in writing by the Organization whose User uploaded them.

We store the Datasets on behalf of the User uploading them, as instructed by the User. If your personal data is in a Dataset, please direct any query you have regarding your data to your Organization.

  • How long do we store data?

We will not retain your personal data for a longer period than necessary for the purposes as outlined in this Privacy Notice. 

Any Datasets uploaded to the Platform and not used within a month will be automatically deleted.

4. Your rights

Except as otherwise required by law, you are entitled at all times to know if we are processing personal data concerning you. You may contact us to know the content of such personal data, verify their accuracy and request that they be supplemented, removed, updated, or rectified. You also have the right to ask us to cease processing any personal data that may have been obtained in breach of applicable law, and to object to the processing of your personal data for any other legitimate reason. 

However, if you are not a User, you should direct your privacy inquiries relating to the use of your personal data by your Organization, including any requests to exercise your data protection rights, directly to your Organization.

Where we rely on your authorization to process your personal data, we will seek your freely given and specific written authorization by providing you with informed and unambiguous indications relating to your personal data. You may revoke such authorization at any time.

  • The right to access

You may have the right to access your personal data processed by us or request without limitation that they be removed, updated, or amended.

  • The right to rectification 

Through your user account (if any), you can review, update, correct or delete the personal data available within your user account.

  • The right to withdraw your consent

Where we rely on your authorization to process your personal data, we will seek your freely given and specific written authorization by providing you with informed and unambiguous indications relating to your personal data. You may withdraw your consent at any time from your varsome.com profile page or by sending an email to DPO@saphetor.com.

  • The right to be forgotten (erasure)

If you close your user account, your User Data will be automatically deleted or anonymized within 30 days after your request, unless such data must be retained for a valid reason (e.g. by applicable law). We will still retain any Datasets you uploaded in order to fulfill our contractual agreement with your Organization.

This does not include content that Users made publicly available on the Platforms, which will not be automatically removed. The public content of our Users is of scientific value and benefits the wider community of patients, researchers, and healthcare professionals. You can manage and remove your content via your account settings or contact us (email to dpo@saphetor.com).

Please note that any information that we have copied may remain in back-up storage for a limited period of time after your deletion request.

  • The right to data portability

You may also have the right to request your personal data’s portability, i.e. that the personal data you have provided to us be returned to you or transferred to the person of your choice, in a structured, commonly used and machine-readable format without hindrance from us, subject to our confidentiality obligations and to applicable data protection laws.

  • The right to object to processing

You have the right to lodge a complaint by sending an email to DPO@saphetor.com.

If you are not satisfied with how we process your personal data, you may file a complaint with the competent supervisory authority or equivalent data protection authority, in addition to your rights outlined above.

  • The right to restrict processing

You may limit certain authorizations related to data collection, in particular your Analytics Data on your web browser. 

We also collect non-personal data relating to the Platforms, that is, information that does not personally identify an individual. The non-personal data we collect includes how you interact with the Platforms, information generally collected or “logged” by Internet websites or Internet services when accessed or used by users, and information about your web browser or device accessing or using the Platforms.

We will not use non-personal data to try to identify you, and if we associate any non-personal data with information that personally identifies you, then we will treat it as personal data. 

5. International Transfers and Communications to Third Parties

User Data and Analytics Data may be disclosed to third parties (“Service Providers”) where necessary for the proper operation of the Platforms and the provision of the related Services.

By “Service Providers” we mean companies, agents, contractors, service providers, or others engaged to perform functions on our behalf (such as processing of payments, provision of data storage, hosting of our website, marketing of our products and services, and conducting audits). When we use a Service Provider, we require that the Service Provider use and disclose the personal data received from us only to provide their services to us or as required by applicable law.

In this context, your personal data may be stored and processed outside the EEA, the United Kingdom, or Switzerland. We will ensure that suitable safeguards are in place to ensure that our third-party service providers provide an adequate level of protection to your personal data.

We may also disclose your personal data when we have a legitimate interest to do so, for instance (i) to any third party to whom we assign or transfer any of our rights or obligations in the event of a sale, merger, or transfer of all or substantially all of the assets of our company relating to the Platforms, or in the unlikely event of a bankruptcy, liquidation, or receivership of our business (if any of these occur, we will use commercially reasonable efforts to notify you of such transfer, for example via email or by posting notice on our Platforms); or (ii) to competent courts or supervisory or regulatory bodies, when we are compelled to disclose your personal data pursuant to any applicable law, regulation or order.

  • Social media

We may also enable you to use third-party services directly from the Platforms, namely through social networks such as LinkedIn, Twitter and YouTube, in which case you recognize that the third-party operators of these services may access some of your personal data in connection with the Platforms.

Please note that this Privacy Notice does not apply to the practices of any company or individual that we do not control, nor to any other website that may be linked from the Platforms. You should carefully review the privacy policies of any other website that you visit from the Platforms to learn more about their information and privacy practices. In such contexts, the collection and use of your personal data are governed by such other parties or websites’ privacy policy. We shall not be held responsible for their privacy practices. 

The Platforms allow Users to share information publicly (for instance public profile, posts, and other content that Users decide to make available to others). This information is not covered by this Privacy Notice.

6. Security 

We maintain physical, technical and administrative safeguards designed to secure your personal data.

We are committed to the security of your personal data, and have in place physical, administrative and technical measures designed to keep your personal data secure and to prevent unauthorized access to it. We restrict access to your personal data to those persons who need to know it for the purpose described in this Privacy Notice. In addition, we use standard security protocols and mechanisms for the transmission of sensitive data. When you enter sensitive information on our website, we encrypt it using Transport Layer Security (TLS) technology.

If we have reasonable grounds to believe that your personal data have been acquired by an unauthorized person, and applicable law requires notification, we will promptly notify you of the breach by email (if we have it) and/or by any other channel of communication (including by posting a notice on the Platforms).

7. Contact 

If you have questions about our Privacy Notice or our processing of your personal data:

  • If you are an individual, whose Datasets are analyzed on behalf of our Users, please contact your Organization directly. 
  • If you are a User, please contact us at DPO@saphetor.com 

Should you wish to report a complaint or feel that Saphetor has not addressed your concern in a satisfactory manner, you may contact the Privacy Commissioner’s Office from your country.

8. Changes to our Privacy Notice

Saphetor keeps its privacy notice under regular review and places any updates on this web page. 

Should this occur, we will inform you by any appropriate means (including by email or via the Platforms, e.g. through banners, pop-ups or other notification mechanisms).

9. Specific Jurisdictions 

Residents of Canada

If you have an objection to the use of your personal data as described in this Privacy Notice, you may file a complaint by sending an email to DPO@saphetor.com. We will attempt to accommodate your objection or complaint, but you understand that, to the extent you object to our processing of personal data that is necessary for us to provide the Platforms, certain features and functionalities of the Platforms may no longer be available to you. Nothing in this Privacy Notice prejudices your rights to file a complaint with the Office of the Privacy Commissioner of Canada, and/or with any other applicable data protection authorities.

Residents of California

A California resident who has provided personal data to a business with whom he/she has established a business relationship for personal, family, or household purposes (“California Customer”) is entitled to request information about whether the business has disclosed personal data to any third parties for the third parties’ direct marketing purposes. In general, if the business has made such a disclosure of personal data, upon receipt of a request by a California Customer, the business is required to provide a list of all third parties to whom personal data was disclosed in the preceding calendar year, as well as a list of the categories of personal data that were disclosed.

However, under the law, a business is not required to provide the above-described lists if the business adopts and discloses to the public (in its privacy policy) a policy of not disclosing a customer’s personal data to third parties for their direct marketing purposes unless the customer first affirmatively agrees to the disclosure, as long as the business maintains and discloses this policy. Rather, the business may comply with the law by notifying the customer of his or her right to prevent disclosure of personal data to third parties for direct marketing purposes and providing a cost-free means to exercise that right. To prevent disclosure of your personal data for use in direct marketing by a third party for its own purposes, do not opt in by providing your consent to such use when you provide personal data through the Platforms. Please note that whenever you allow your personal data to be shared with a third party to communicate with you, your information will be subject to that third party’s privacy policy. If you later decide that you do not want that third party to use your information, you will need to contact the third party directly. You should always review the privacy policy of any party that collects your information to determine how that entity will handle your information. However, you may withdraw your consent for future disclosures to third parties for their marketing purposes by emailing us at DPO@saphetor.com.

California Customers may request further information about our compliance with California’s privacy law by e-mailing DPO@saphetor.com. Please note that we are only required to respond to one request per customer each year, and we are not required to respond to requests made by means other than through this email address.

10. Cookies and Similar Technologies

Cookies are text files placed on your computer to collect standard Internet log information and visitor behavior information. When you visit our websites, we may collect information from you automatically through cookies or similar technology.

For further information, visit https://www.allaboutcookies.org.

Saphetor uses cookies and other similar technologies in a range of ways to improve your experience on our website and Platform, including:

  • Keeping you signed in
  • Understanding how you use our website and our Platform
  • Measuring and monitoring the traffic and use of the Platforms, as well as its performance

Some cookies are retained in your electronic device for only as long as you access and use the Platforms, while others persist for a longer specified or unspecified period.

You may manage the cookies and similar technologies via the settings of your browser and/or your devices.

If you do not want cookies to be stored on your device, you may configure your browser or your device to refuse and/or restrict the cookies. Certain cookies are, however, essential to the functioning of the Platforms themselves, and their use may be altered or prevented by refusing these cookies.