GDPR NOTICE

Data Protection Notice For EU/EEA Patients and Other Individuals

Effective: August 6, 2020
Last Reviewed: September, 2023

Biodesix, Inc. (“Biodesix”) is providing this notice for individuals residing in the European Union/European Economic Area from whom we acquire biological (i.e., blood or urine) specimens, as well as other individuals involved in the healthcare process. It explains how we collect and process your personal data in connection with our clinical laboratory services. 

Who We Are

Biodesix is a clinical laboratory company headquartered and principally operating in the United States. We collect biological samples (blood or urine) from patients for the following purposes:

  • Clinical laboratory services. If ordered through your health care provider, we provide certain testing services for particular types of cancer. We may also receive biological samples for testing through collaborative agreements with other healthcare organizations. 

Data Collection

We only collect personal data in relation to the services we provide, and limit our data collection to data which is appropriate and proportionate to the reasons for our collection.  Generally, we will collect the following information in connection with our provision of testing services:

  • Patient Name
  • Patient mailing address
  • Patient gender and age
  • Patient email
  • Patient phone number
  • Patient Account Numbers for purposes of payment/insurance
  • Contact information for the Patient’s healthcare provider(s) associated with the purpose of our testing
  • Tests ordered
  • We also obtain, in the course of our testing, medical information about the patient which is derived from the tests themselves.

If you are a healthcare provider or other individual involved in the treatment, payment, or operation of health care, we may, in connection with our provision of testing services, collect the following information about you:

  • Name
  • Mailing address
  • Email
  • Phone Number(s)

Data Processing

We use the personal data of patients and other individuals only for the intended health care purposes associated with:

  • obtaining biological samples
  • performing required testing
  • reporting results, and
  • obtaining payment.

If the patient’s healthcare professional contacts us directly, we will, after appropriate authentication, discuss our testing and results with them.

We may also use the data we collect to fulfill our regulatory and legal obligations, such as in relation to audits and checking to ensure that our testing equipment is working properly, and to comply with oversight agency inspections. We may use information in de-identified or anonymized format for public health purposes, such as to report outbreaks or similar irregularities to health officials to help keep communities and the people who live in them safe and healthy. In accordance with applicable laws, various de-identified or anonymized data may also be used to aid in tracking health trends and needed areas of research.

Access Limitations and Sharing Your Data

We strictly limit access to patient personal data to authorized members of Biodesix’s workforce and contractors who assist in the testing and test reporting process. We train these individuals in advance, with annual refresher training, on appropriate privacy and security requirements. Before allowing any contractor access to the data, we enter into appropriate contractual provisions requiring contractor compliance with privacy law and our instructions on data processing. 

We may also share certain personal data received in relation to the services described in this notice with third parties working with Biodesix, such as third-party laboratories with whom we have collaborations for performing certain specialized laboratory testing, as well as those that assist us with public health and safety aspects of our business. We never sell or share personal data pertaining to patients or other individuals with third parties for their own separate use. Should we share your data with a third party, the third party must provide written assurances that they will only process the data on behalf of Biodesix and subject to Biodesix’s instructions and that they will also ensure appropriate security measures to keep the personal data strictly confidential, consistent with applicable laws and regulations.

To the extent that we are required to provide access to any personal data to third parties who are not our business partners, such as in connection with regulatory audits, to fulfill regulatory reporting obligations to health oversight agencies, or in the event of any legal situations, we take steps to limit the data to that which is required for the specific purpose and take steps to ensure that the data are adequately safeguarded. For legal situations, where feasible, we take steps to inform the individual before any data is provided to the third party, and if not feasible, we will take reasonable steps to inform him/her as soon as practical thereafter.

Types of Cookies Used

  • __cfduid. Description: The cookie is set by Cloudflare. The cookie is used to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information. Duration: 1 month. Type: Necessary.
  • __cfruid. Description: null. Type: Other.
  • _gcl_au. Description: This cookie is used by Google Analytics to understand user interaction with the website. Duration: 2 months. Type: Analytics.
  • UserMatchHistory. Description: LinkedIn - Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor's preferences. Duration: 1 month. Type: Other.
  • lidc. Description: This cookie is set by LinkedIn and used for routing. Duration: 1 day. Type: Functional.
  • uid_syncd. Description: null. Duration: 3 days. Type: Other.
  • lang. Description: This cookie is used to store the language preferences of a user to serve up content in that stored language the next time the user visits the website. Type: Functional.
  • bcookie. Description: This cookie is set by LinkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page. Duration: 2 years. Type: Functional.
  • bscookie. Description: This cookie is a browser ID cookie set by LinkedIn share buttons and ad tags. Duration: 2 years. Type: Advertisement.
  • ab. Description: null. Duration: 1 year. Type: Other.
  • _pk_id.1343.3d15. Description: null. Duration: 1 year. Type: Piwik Analytics Platform.
  • _pk_ses.1343.3d15. Description: null. Duration: 30 minutes. Type: Other.
  • IDE. Description: Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile. Duration: 1 year. Type: Advertisement.
  • NID. Description: This cookie is used to build a profile based on the user's interests and display personalized ads to the user. Duration: 6 months. Type: Advertisement.
  • IQver. Description: This cookie is set by IntentIQ. The purpose is not known as of yet. Duration: 2 years. Type: Other.
  • test_cookie. Description: A session cookie used to check if the user’s browser supports cookies. Duration: 15 minutes. Type: Other.
  • personalization_id. Description: Used on sites that share Twitter content and with Twitter share plugin. Persistent cookie that is set for 730 days. Duration: 1 year 11 months 29 days. Type: Twitter.


Data Transfers

Because Biodesix is headquartered in the United States, the personal data that we collect in relation to the services described in this notice are always processed in the U.S. The data will be stored on secure servers located in the U.S. As such, your data is only accessible to authorized, limited persons who require access to perform their job responsibilities and those persons may be located in countries other than your country of residence. Although there are variations in the data protection laws and level of protection of personal data from country to country, we take steps to ensure that your data is appropriately safeguarded and transferred in a manner consistent with the applicable data protection laws of your country, irrespective of its location.

Data Security

Biodesix uses appropriate technical and organizational security measures to prevent unauthorized or unlawful disclosure or access to, or accidental or unlawful loss, destruction, alteration or damage to the personal data that it collects about individuals for the services described in this notice. Irrespective of whether the data are stored in paper or electronic form, these measures are intended to ensure an appropriate level of security in relation to the risks inherent to the processing and the nature of the data to be protected, and are also applied in a manner consistent with applicable laws and regulations.

Data Accuracy

Biodesix takes reasonable steps to keep its personal data accurate, complete, and up-to-date in accordance with the purposes for which it was collected. Biodesix also relies on the healthcare professionals, insurers and other individuals who entrust us with personal data for purposes of providing the services described in this notice, to provide accurate information to us, and to amend or update that information if they later determine that it is incomplete or inaccurate.

Individual Rights

Individuals whose personal data is collected and processed by Biodesix can contact Biodesix at the address below, in relation to any questions about their data or to exercise their individual rights of access, amendment, objection or erasure. To protect privacy, we require individuals to authenticate themselves and will provide them with a form to obtain a copy of their data. In accordance with applicable laws, these rights, and particularly the right to amendment, objection or erasure, are limited.

For additional information about Biodesix’s privacy and security practices or to exercise your rights of access or rectification, kindly contact our Data Privacy Officer at Privacy@Biodesix.com.

Right to Withdraw Consent (Opt-Out)

In accordance with applicable data protection laws and requirements, Biodesix provides individuals with the right to withdraw consent (opt-out) in relation to personal data entrusted to us. To do so, you may contact us regarding privacy at Privacy@Biodesix.com. The right to withdraw consent is not absolute in all contexts, and may be limited by legal and regulatory obligations.

Retention Period

Biodesix retains the personal data of individuals referenced in this notice consistent with legal and business requirements, including any US Federal or State law requirements regarding retention of health care data, and then securely disposes of the information.

Questions, Claims or Contacts

Should you have any questions or concerns about your personal data, or if you wish to contact us for any other reason relating to your data, you may email us at Privacy@Biodesix.com. Please put “Privacy Request” in the subject line of your email.

If you believe that your data has been improperly collected or mismanaged, or if you are not satisfied with the resolution of any claim by Biodesix, you also have the right to contact the privacy (data protection) regulatory authorities.

Effective: November 10, 2019
