Herasight Global Privacy and Cookies Policy
Preamble: Our Commitment to Your Privacy
Welcome to Herasight. This Global Privacy Policy ("Policy") explains how Herasight, Inc. and its affiliates (collectively, "Herasight," "we," "us," or "our") collect, use, disclose, and otherwise process your Personal Information. Our commitment to data protection is a cornerstone of our operations. We believe that handling personal data with transparency, security, and respect is not merely a legal requirement but a fundamental ethical responsibility, particularly in the sensitive field of health and biotechnology.
This Policy governs the processing of your Personal Information when you interact with us, whether online or offline. This includes your use of our websites, including Herasight.com and its subdomains, our patient, provider, and payment portals, our mobile applications ("Apps"), and any other online services we maintain (collectively, our "Sites"). It also applies to information collected through offline channels, such as at conferences, through correspondence, or at provider and clinic offices.
This Policy is designed to be comprehensive and globally applicable. It supplements any state-specific or international privacy notices that may apply to you, including our Notice of Privacy Practices under the Health Insurance Portability and Accountability Act (HIPAA), our Terms of Use, and specific notices for residents of certain jurisdictions. This Policy does not apply to information processed in an employment context, such as data from our employees or job applicants.
For the purposes of this Policy, "Personal Information" (or "PI") is a broad term that encompasses what may be referred to as "Personal Data" or "personally identifiable information" ("PII") under various domestic and international privacy laws.
By accessing or using our Sites or services, you signify your understanding of and agreement with the terms of this Policy. If you do not agree with the practices described herein, you should not use our Sites or services.
Section 1: Data Responsibility and Governance
Our Identity as Data Controller
For the purposes of data protection laws, including the General Data Protection Regulation (GDPR), the legal entity responsible for your Personal Information (the "Data Controller") is:
Herasight Inc
1007 N Orange St.,
4th Floor Suite #2398 Wilmington,
Delaware 19801, United States
Contacting Herasight
For general inquiries about this Policy or our privacy practices, please contact our Privacy Office. For specific requests related to your data rights or formal regulatory matters, please direct your correspondence to our Data Protection Officer. This dual structure ensures that your inquiries are handled efficiently by the appropriate team, reflecting our commitment to both operational responsiveness and formal legal compliance across jurisdictions.
Our Data Protection Officer (DPO) and Privacy Office
Herasight has appointed a Data Protection Officer to oversee our compliance with global data protection regulations, particularly those originating from the European Union.
Privacy Office (for general inquiries and rights requests):
- Email: privacy@herasight.com
Data Protection Officer (for formal regulatory matters, especially from the EEA/UK):
- Email: dpo@herasight.com
- Mailing Address: Data Protection Officer, Herasight Inc 1007 N Orange St., 4th Floor Suite #2398 Wilmington, Delaware 19801, United States
Section 2: The Personal Information We Collect
We collect Personal Information to provide and improve our services, communicate with you, and fulfill our legal and operational obligations. The information we collect can be categorized by how it is obtained.
Subsection 2.1: Information You Voluntarily Provide
We collect Personal Information that you voluntarily submit to us, both online and offline. This occurs when you fill out webforms, send us emails, respond to surveys, register for webinars or promotions, inquire about a test or service, pay a bill, or report a problem with our Sites. If you contact us, we may keep a record of that correspondence.
The categories of Personal Information you may provide include:
- Contact Information: Your name, email address, physical address (including country), and telephone number. We may also collect information about your role (e.g., patient, caregiver, physician) and the reason for your contact.
- Account and Login Information: If you create an account on one of our portals, we will collect your username and password.
- Communications: The content of text messages, emails, and other communications you send to us.
- Professional and Commercial Information: Information about your interest in our products and services, content you have viewed, feedback you provide on your experiences, your professional title, and job responsibilities.
- Medical and Health Information: Information about clinical services performed or considered, treatment options, test results, and other medical information you choose to disclose to us in the course of using our services.
- Referral Information: If you refer another individual to our services, we may collect that person's name, mailing address, email address, and/or phone number.
- Employment Application Information: If you apply for a position with Herasight, we collect the information you provide in your curriculum vitae (CV) and application materials.
Section 3: Our Purposes and Legal Bases for Processing Your Information
We use your Personal Information only for the specific purposes for which it was provided and to the extent necessary for those purposes. Our employees and service providers are contractually bound to strict confidentiality. To provide maximum transparency, particularly for our users in the European Economic Area (EEA) and the United Kingdom (UK), the following table outlines our primary data processing activities, the categories of data involved, and the legal basis upon which we rely for each activity. This structured approach demonstrates our commitment to "privacy by design," ensuring that we have a legitimate and lawful justification for every processing activity we undertake.
Section 4: Disclosure and Sharing of Personal Information
We are committed to keeping your Personal Information private. We only disclose your information to third parties in the limited circumstances described in this Policy or as required by law.
Our Stance on Selling Data
Herasight does not sell the "Protected Health Information" (as defined by HIPAA) of patients. Furthermore, Herasight does not sell the "Personal Information" of its customers, which includes personally identifiable information collected outside of our healthcare services, such as website visitor data or provider information.
Disclosures to Service Providers and Partners
We may disclose your Personal Information to trusted service providers, contractors, and other third parties who perform functions on our behalf. These partners require access to your information to deliver the services we have contracted them for, and they are not permitted to use it for any other purpose. These services include:
- Website and IT systems operation, hosting, maintenance, and security.
- Benefit verification, program enrollment, and product fulfillment.
- Payment processing.
- Marketing, sales, customer engagement, and data analytics services.
- Licensing, certification, and quality management activities.
We ensure that all such service providers are bound by written contracts that require them to maintain the confidentiality and security of your information and to process it only in accordance with our instructions.
Disclosures for Legal, Safety, or Business Transactions
We may disclose your Personal Information if we believe in good faith that it is necessary to:
- Comply with a law, regulation, legal process, or enforceable governmental request.
- Enforce our Terms of Use and other policies, including investigation of potential violations.
- Detect, prevent, or otherwise address fraud, security, or technical issues.
- Protect against harm to the rights, property, or safety of Herasight, our users, or the public as required or permitted by law.
In the event that Herasight is involved in a merger, acquisition, dissolution, sale of assets, or similar transaction, your Personal Information may be transferred as part of that transaction. We will notify you of any such change in ownership or control of your Personal Information.
Sharing for Targeted Advertising
While we do not sell your Personal Information, we may "share" certain information, such as your IP address and data collected via cookies, with third-party advertising partners for the purpose of providing you with "targeted advertising" (also known as cross-context behavioral advertising). This practice helps us market our services to individuals who may be interested in them. You have the right to opt out of this sharing at any time, as detailed in Section 5 below.
Section 5: Cookies, Tracking Technologies, and Digital Advertising
A. Cookies, Tags, Web Beacons, Pixels, etc.
Our Sites use "cookies" and other tracking technologies like web beacons and pixels to function effectively, enhance your experience, and analyze site usage. Cookies are small text files sent to your computer or device by a website to remember information about your visit.
We use both first-party cookies (set by Herasight) and third-party cookies (set by our partners like Google and Facebook) for several purposes:
- Essential Purposes: These cookies are strictly necessary for the Site to function, such as authenticating users for our secure portals and maintaining security.
- Functional Purposes: These cookies enhance your experience by remembering your preferences and settings, allowing for more efficient navigation.
- Measurement and Analytics: These technologies help us understand how visitors use our Sites, monitor performance, and identify areas for improvement. Google Analytics is one such tool we use.
- Advertising and Marketing: These cookies and pixels are used to deliver advertisements that are more relevant to your interests. They also help us measure the effectiveness of our marketing campaigns.
- Email Tracking: We may use pixels in our marketing emails to track whether an email was opened and whether links within it were clicked. This helps us tailor our communications to be more relevant and engaging.
When you first visit our Sites, you will be presented with an opportunity to manage your cookie preferences. You can choose which categories of cookies to allow or decline (excluding those for "Essential Purposes"). Your choice will be recorded. Please note that limiting cookies may result in a less personalized experience and may prevent you from using certain services or saved settings.
B. Global Privacy Control (GPC) and Do Not Track (DNT) Signals
Herasight's public-facing Sites are configured to honor Global Privacy Control (GPC) and Do Not Track (DNT) signals sent by browsers and extensions. This means that if your browser sends such a signal, we will automatically treat it as a request to opt out of tracking for analytics and targeted advertising purposes. Because there is no consistent industry standard for these signals, we cannot guarantee that they will be recognized in every browser and extension combination. To ensure your preferences are honored, we recommend using our Privacy Preference Center, which is the most reliable way to manage your choices.
C. Herasight Portals
Our secure portals (for patients, providers, etc.) require the use of "Essential," "Functional," and "Analytics" cookies to operate correctly and provide an optimal experience. Cookie choices made on our main website do not apply once you are logged into a portal, and the portals do not recognize GPC/DNT signals. However, our portals do not use advertising cookies, and we do not sell or disclose information from the portals for marketing or advertising purposes.
Section 6: Your Data Privacy Rights
Herasight is committed to ensuring you can exercise full control over your Personal Information. We provide a comprehensive set of rights to all our users, regardless of their location, and offer additional rights as required by specific regulations.
Universal Rights (Available to All Users)
You have the following rights with respect to your Personal Information:
- The Right to Access: You can request access to the Personal Information we hold about you and receive a copy of it.
- The Right to Rectification (Correction): You can request that we correct any inaccurate or incomplete Personal Information we hold about you. You are responsible for ensuring the accuracy of the data you provide and for notifying us of any changes.
- The Right to Erasure (Deletion): You can request the deletion of your Personal Information when it is no longer necessary for the purposes for which it was collected, or when we are no longer legally permitted to process it. This right is subject to our legal and regulatory obligations to retain certain data.
- The Right to Restrict Processing: You can request that we temporarily suspend the processing of your data in certain circumstances, for example, while we verify its accuracy.
- The Right to Object: Where our processing is based on our legitimate interest, you have the right to object to that processing. We will then cease processing unless we have compelling legitimate grounds to continue.
Industry-Specific Rights
Given the nature of our work, we recognize your rights extend beyond digital data to the physical, biological materials you may provide. This acknowledgment is central to our ethical framework; we respect your autonomy not just over your information, but over your very biology.
- The Right to Request Disposal of Biologic Samples: You may request that we dispose of any biologic material (e.g., blood or tissue samples) we have collected from you, unless we are required by law or regulation to retain it for a specific period.
- The Right to Opt-Out of Research and Development: We may use de-identified samples and data for internal research and development to improve our tests and services. You have the right to opt out of having your samples and associated data used for these R&D purposes at any time.
A Step-by-Step Guide to Exercising Your Rights
To exercise any of the rights described above, please submit a verifiable request to us by:
- Emailing our Privacy Office at privacy@herasight.com.
- For requests related to R&D opt-out, email privacy@herasight.com.
- For requests related to sample disposal, email privacy@herasight.com.
Please state clearly in your request the right you wish to exercise. To protect your privacy and security, we may need to verify your identity before processing your request. This may involve asking you to provide a copy of an identity document. We will respond to your request free of charge and within the timeframes required by applicable law.
Your Right to Lodge a Complaint
If you believe that we have infringed upon your data protection rights, you have the right to lodge a complaint with the responsible data protection regulatory authority in your country of residence. For example, individuals in Spain may contact the Spanish Data Protection Agency (AEPD).
Section 7: Region-Specific Information and Disclosures
A. For Individuals in the European Economic Area (EEA), UK, and Switzerland
If you are located in the EEA, UK, or Switzerland, you have specific rights under the GDPR and related laws. In addition to the rights listed in Section 6, you have the Right to Data Portability, which allows you to receive your Personal Information in a structured, commonly used, and machine-readable format and to transmit it to another controller. Our processing activities are based on the legal bases outlined in the table in Section 3. When we transfer your Personal Information outside of the EEA, UK, or Switzerland to countries such as the United States, we rely on legally approved transfer mechanisms to ensure your data is protected. These may include your consent or the use of Standard Contractual Clauses (SCCs) as approved by the European Commission.
B. For Residents of California (CCPA/CPRA)
This notice supplements the information in our Policy and applies solely to residents of California. The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with specific rights regarding your Personal Information.
- Right to Know: You have the right to know what Personal Information we have collected about you, including the categories of information, sources, purposes of collection, and categories of third parties to whom we have disclosed it.
- Right to Delete: You have the right to request the deletion of your Personal Information, subject to certain exceptions.
- Right to Correct: You have the right to request the correction of inaccurate Personal Information.
- Right to Opt-Out of Sale/Sharing: You have the right to opt out of the "sale" or "sharing" of your Personal Information. As noted, we do not sell PI, but we may "share" it for targeted advertising. You can exercise this right via our Privacy Preference Center or by enabling a GPC signal.
- Right to Limit Use of Sensitive Personal Information: You have the right to limit our use and disclosure of your Sensitive Personal Information (e.g., health data) to that which is necessary to perform the services you have requested.
To exercise these rights, California residents may contact us at privacy@herasight.com.
C. For Residents of Other U.S. States (e.g., Colorado, Delaware, New Jersey, Oregon)
Residents of states with comprehensive data privacy laws may have rights similar to those granted under the CCPA/CPRA. These may include the right to know, access, correct, delete, and obtain a portable copy of your data, as well as the right to opt out of processing for targeted advertising. The specific rights available to you will be determined by your state of residence.
Right to Appeal: If we deny your request to exercise one of your privacy rights, you may have the right to appeal our decision. You can do so by replying directly to our denial notification.
To exercise your rights, please contact us via the methods described in Section 6.
Section 8: Additional Policy Information
Children's Privacy
Our Sites are designed for and directed to adults. They are not intended for use by children under the age of 16. We do not knowingly collect Personal Information from anyone under 16, except where a minor is the recipient of our HIPAA-covered clinical services. Any individual under the age of 18 should seek permission from a parent or legal guardian before disclosing any Personal Information through our Sites.
Third-Party Links and Services
Our Sites may contain links to other websites or services that are not operated or controlled by Herasight. This Privacy Policy does not apply to the practices of these third parties. When you use a link to navigate away from our Site, your interaction is subject to that third party's own rules and policies. We are not responsible for the privacy practices or the content of these external sites and encourage you to review their privacy policies before providing them with any Personal Information.
Social Media Integration
Our Sites may include social media sharing buttons (e.g., for Facebook, Twitter, LinkedIn) that allow you to share content directly on those platforms. These features are served by the social media platforms themselves and are governed by their respective privacy policies. While we do not collect data about your use of these platforms through these buttons, the third-party tool that connects you may collect your IP address and other device information as described in its own privacy policy.
Future Changes and Updates to This Policy
We reserve the right to amend this Privacy Policy at any time. All changes are effective immediately upon their posting on this page. For any material changes, we will provide you with advance notice, either via the email address you have provided to us or through a prominent notice on our Site, before the change becomes effective. We will also update the "Last Updated" date at the top of this Policy. We encourage you to review this Policy periodically to stay informed about our privacy practices.
Section 9: Contact Us
If you have any questions about this Privacy Policy, wish to exercise your privacy rights, believe your rights have been violated, or disagree with a decision we have made about your information, please contact us through the appropriate channel below.
General Privacy Inquiries and U.S. Rights Requests:
- Email: privacy@herasight.com
- Mail: Privacy Office, Herasight Inc 1007 N Orange St., 4th Floor Suite #2398 Wilmington, Delaware 19801, United States
Formal EU/UK Regulatory Matters:
- Email: dpo@herasight.com
- Mail: Data Protection Officer, Herasight Inc 1007 N Orange St., 4th Floor Suite #2398 Wilmington, Delaware 19801, United States
Specific Opt-Out and Disposal Requests:
- Research & Development Opt-Out: privacy@herasight.com
- Biologic Sample Disposal: privacy@herasight.com