Privacy Notice - Second Opinion Service
Effective Date: February 04, 2026
This Privacy Notice explains how Genomate Health, Inc. (“Genomate,” “we,” “us”) collects, uses, and shares personal data in connection with the Second Opinion Service (the “Service”). This Notice applies when you submit an order request, upload records, make payment, and participate in the consultation and related communications.

This Notice does not apply to general browsing of our website or to our marketing contact forms. Those activities are covered by our Website Privacy Policy.

Summary
We encourage you to read this entire Privacy Notice to understand how your information is handled in connection with the Service. If you are short on time, the key points are summarized below.
• We use your information only to provide, support, and operate the second opinion service you request. We do not sell your personal information and we do not use your health information for advertising or unrelated commercial purposes.
• We collect only the information that is reasonably necessary to coordinate the service, enable the consulting oncologist to provide an independent medical opinion, verify authorizations, process payment, and meet legal and security obligations.
• Your information may be shared with licensed consulting oncologists involved in your case and with trusted service providers (such as secure intake, payment, storage, and video consultation providers) who support the operation of the service and are contractually required to protect your data.
• Where applicable, health information is handled in accordance with HIPAA and other relevant healthcare privacy laws. Depending on your location, you may also have rights under applicable US state privacy laws to access, correct, or request deletion of certain personal information, subject to legal and regulatory limits.
• If you have questions about this Privacy Notice, how your information is used, or how to exercise your rights, you may contact us at any time at privacy@genomate.health.



1. Who we are and how to contact us

Genomate Health, Inc., 1 Broadway, Cambridge, MA, USA
EU establishment (for EU inquiries): Genomate Health Hungary Kft., Retek utca 34, 1024 Budapest, Hungary
Contact: privacy@genomate.health

If you have questions about this Notice or want to exercise your rights, contact us at privacy@genomate.health.


2. Role clarification - Genomate and the consulting oncologist

The Service is provided by a licensed oncologist (the “Consulting Healthcare Provider”), who independently reviews the information submitted and issues a professional medical second opinion. The Consulting Healthcare Provider is responsible for the medical content of the consultation and report and exercises independent clinical judgment.

Genomate does not practice medicine and does not provide medical advice. Genomate operates the technical and administrative infrastructure that enables the service, including secure intake of information, coordination of the consultation workflow, delivery of the report, and related support services.

For purposes of data protection and privacy:
> The Consulting Healthcare Provider (or their clinical practice) acts as the healthcare provider for the consultation and is responsible for maintaining medical records and complying with applicable professional and healthcare privacy obligations.

> Genomate processes personal data and health information to operate and support the service. In doing so, Genomate may act:
• as a service provider or data processor on behalf of the Consulting Healthcare Provider for consultation-related health information; and
• as an independent controller for limited administrative, operational, and security-related data (such as payment coordination, fraud prevention, audit logs, and customer support).

Where the Service is subject to the Health Insurance Portability and Accountability Act (HIPAA), Genomate acts as a business associate of the Consulting Healthcare Provider (or their practice) with respect to protected health information (“PHI”) it handles in order to provide the service, and processes such information only as permitted by applicable agreements and law.

Service availability and location requirements
The Second Opinion Service is offered only in certain U.S. states where the Consulting Healthcare Provider is licensed to provide the consultation. Availability is limited to the states listed at the time of order.

To receive the Service, the patient must be physically located in one of the offered states at the time of the consultation, as required by applicable telehealth and professional licensing laws.

Genomate relies on the information and confirmations provided by users regarding eligibility and location. If it is determined that the patient does not meet the applicable eligibility or location requirements, the Service may be paused, limited, or cancelled in accordance with our Terms and Conditions.

Identity, eligibility, and authorization verification
To protect patient privacy and ensure the Service is delivered in accordance with applicable healthcare and licensing requirements, we may take reasonable steps to verify identity, eligibility, and authority in connection with the Service.

These steps may include, as appropriate:
• verifying contact details such as email address and phone number;
• confirming basic identifying information (such as name and date of birth) for record matching and access control;
• confirming the patient’s state of physical location at the time of the consultation; and
• where the Service is requested or accessed by someone other than the patient, verifying the individual’s relationship to the patient and any claimed legal authority (such as parental authority or healthcare power of attorney), or obtaining the patient’s authorization.

If we are unable to reasonably verify identity, eligibility, or authorization, or if required confirmations or documentation are missing or inconsistent, the Service may be paused, limited, or cancelled, and access to consultation materials or results may be restricted, in accordance with applicable law and our Terms and Conditions.


3. What personal data we collect

3.1 Data you provide
Depending on how you use the Service, we may collect:
• Identity and contact details: name, email, phone number, address, state, ZIP code, date of birth (if required for matching), and basic identity verification information.
• Patient details (if you are not the patient): patient name and contact details, relationship to the patient, and whether you are a legal representative.
• Medical information you submit: symptoms, diagnosis, treatment history, pathology reports, imaging reports, lab results, molecular/genetic test results, physician notes, and other medical records you upload or describe during the consultation.
• Service logistics: scheduling preferences, communications with our team, and consultation participation details.
• Consents and signatures: the consent checkboxes you complete and your electronic signature, including timestamp and related audit metadata.
• Payment information: transaction status and payment metadata. (Payment card details are generally collected directly by the payment processor, not stored by Genomate.)

3.2 Data we collect automatically
We may collect:
• Device and usage data: IP address, approximate location derived from IP, browser type, device identifiers, and log data related to access and security (for example, authentication events, audit logs, and error logs).

3.3 Data from third parties
We may receive limited data from:
• Payment processors (confirmation of payment, refunds, chargebacks)
• Service providers supporting scheduling, communications, and secure delivery
• The Consulting Healthcare Provider or their practice where needed to deliver the Service


4. Purpose of data processing

We process personal data in connection with the Service only to the extent necessary to provide and operate the Service and to comply with applicable legal and regulatory obligations. More specifically, we use personal data for the following purposes:

To provide the Service
We process personal data to receive and review your request, organize and transmit the information you submit, coordinate scheduling and consultation logistics, and deliver the second opinion report and related communications.

To verify identity and manage authorizations
We process personal data to verify the identity of the patient and any authorized support persons, manage access to consultation materials and results, and document consents, acknowledgments, and HIPAA authorizations where applicable.

To process payments and prevent fraud
We process limited personal and transactional data to confirm payments, issue refunds where applicable, handle disputes, and prevent fraudulent or unauthorized transactions.

To ensure security and operational reliability
We process personal data to protect the confidentiality, integrity, and availability of the Service, including monitoring for security incidents, maintaining audit logs, and ensuring system reliability and continuity.

To provide customer support and operational communications
We process personal data to respond to inquiries, provide service-related communications, and support users before, during, and after the consultation.

To comply with legal and regulatory obligations
We process personal data as necessary to comply with applicable laws and regulations, respond to lawful requests from public authorities, and establish, exercise, or defend legal claims.


5. Legal bases for processing

5.1 General approach
We process personal data in connection with the Service only where a valid legal basis applies and only for the purposes described in this Privacy Notice. The applicable legal basis depends on the nature of the data, the user’s location, and the specific context in which the Service is requested and delivered. This section explains the primary legal bases relied upon under the General Data Protection Regulation (GDPR), as well as the healthcare privacy frameworks applicable in the United States, including HIPAA and state privacy laws such as the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA/CPRA).

5.2 Legal bases under the GDPR (where applicable)
Where the GDPR applies, Genomate relies on one or more of the following legal bases under Article 6 GDPR for the processing of personal data:
Performance of a contract or pre-contractual measures (Article 6(1)(b) GDPR)
Processing is necessary to take steps at your request prior to entering into a service relationship and to perform the Service once requested. This includes intake of information, coordination of the consultation, delivery of the second opinion report, and related communications.
Legitimate interests (Article 6(1)(f) GDPR)
Processing is necessary for Genomate’s legitimate interests in operating, securing, and improving the Service, including fraud prevention, system security, customer support, quality assurance, and the establishment, exercise, or defense of legal claims. These interests are balanced against your fundamental rights and freedoms, and we apply appropriate safeguards to protect your data.
Consent (Article 6(1)(a) GDPR)
Where required by law or where no other legal basis is appropriate, we rely on your consent. This may include consent to specific disclosures, optional communications, or participation by authorized support persons. You may withdraw your consent at any time, subject to legal or contractual limitations.

5.3 Processing of special category data (health data) under the GDPR
The Service necessarily involves the processing of health data, which constitutes special category personal data under Article 9 GDPR.
Where GDPR applies, such data is processed only where a valid condition under Article 9(2) GDPR is met, including, as applicable:
• your explicit consent for the processing of health data in connection with the Service; and/or
• processing necessary for the provision of healthcare or related services, where permitted by applicable law and subject to appropriate safeguards.

Health data is processed solely for purposes directly related to the provision and operation of the second opinion service and not for unrelated commercial or marketing purposes.

5.4 HIPAA framing (United States)
In the United States, the Service may be subject to the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (HIPAA). Where HIPAA applies:
• The licensed consulting oncologist (or their clinical practice) acts as the healthcare provider for the consultation and is responsible for compliance with HIPAA as a covered entity, including maintaining medical records and issuing a Notice of Privacy Practices.
• Genomate acts as a business associate to the consulting oncologist (or their practice) with respect to protected health information (“PHI”) it handles in order to operate and support the Service.

Genomate processes PHI only as permitted by applicable business associate agreements and HIPAA, including for purposes such as service coordination, secure transmission and storage, identity verification, billing support, and security and compliance activities. Genomate does not use PHI for advertising or marketing purposes.

Nothing in this Privacy Notice limits the rights granted to patients under HIPAA or replaces the Consulting Healthcare Provider’s Notice of Privacy Practices, where applicable.

5.5 US state privacy laws, including California (CCPA/CPRA)
Depending on your state of residence, personal information processed in connection with the Service may be subject to U.S. state privacy laws, including the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA/CPRA), and similar laws in other states.

For purposes of these laws:

Categories of personal information collected
In connection with the Service, we may collect the following categories of personal information, as defined under applicable state privacy laws:
• identifiers (such as name, contact details, and online identifiers);
• personal information described in applicable state statutes (such as contact and billing information);
• sensitive personal information, including health information and date of birth;
• internet or electronic network activity information (such as access logs, audit logs, and security events); and
• service-related and administrative information associated with the provision of the Service.

Purposes of processing
Personal information is collected and used solely for purposes consistent with providing, operating, securing, and supporting the Service; verifying identity and authorizations; processing payments; complying with legal and regulatory obligations; and preventing fraud and security incidents, as described in this Privacy Notice.

No sale or sharing for advertising
Genomate does not sell personal information and does not share personal information for cross-context behavioral advertising, as those terms are defined under the CPRA and similar state laws.

Sensitive personal information
Where personal information qualifies as “sensitive personal information” under applicable state law, we use such information only as reasonably necessary to provide the Service, ensure security, comply with legal obligations, and perform related operational functions, and not for purposes requiring opt-out rights under those laws.

HIPAA exemption
Certain health information processed in connection with the Service may be exempt from some state privacy laws to the extent it qualifies as protected health information under HIPAA. Where such exemptions apply, HIPAA governs the use and disclosure of that information. Where exemptions do not apply, Genomate honors applicable state-law rights.

Your rights under state privacy laws
Where applicable and subject to statutory limitations, you may have the right to:
• request access to personal information we maintain about you;
• request correction of inaccurate personal information;
• request deletion of certain personal information;
• request to limit the use or disclosure of sensitive personal information, where applicable; and
• opt out of certain processing activities, where required by law (noting that we do not sell or share personal information for advertising).

How to exercise your rights
Requests to exercise applicable state privacy rights may be submitted by contacting us at privacy@genomate.health. We will verify your request and respond within the timeframes required by applicable law. Where required by applicable state law, you may also have the right to appeal our decision. Information on how to submit an appeal, if available, will be provided in our response.

5.6 No automated medical decision-making
Genomate does not make automated medical decisions about patients. Any medical opinions provided as part of the Service are prepared and issued by a licensed consulting oncologist exercising independent professional judgment.


6. Sharing your personal data

We share personal data collected in connection with the Service only where necessary for the operation of the Service, the fulfillment of your request, or to comply with applicable legal and regulatory obligations. We do not sell personal data and we do not share personal data for cross-context behavioral advertising. Where applicable, personal data may be disclosed to the following categories of recipients:
a) Consulting Healthcare Providers and clinical support staff
We share relevant personal data and health information with the licensed healthcare providers involved in your case and, where necessary, with members of their clinical or administrative support staff, solely for the purpose of reviewing the information you submit and delivering the second opinion service.

b) Service providers and processors
We may share personal data with third-party service providers that perform services on our behalf and under our instructions, including providers that support:
• secure intake forms and electronic signatures;
• payment processing and billing support;
• secure storage and hosting of information;
• scheduling, communications, and consultation delivery (including video conferencing where used);
• IT operations, security monitoring, and audit logging; and
• customer support tools.

These service providers are contractually required to process personal data only for the purposes of providing their services to us and to implement appropriate technical and organizational measures to protect the data. Where health information is involved and HIPAA applies, such providers act as subcontractors to Genomate under applicable business associate or equivalent agreements.

c) Legal, regulatory, and compliance disclosures
We may disclose personal data where required to do so by law or where we reasonably believe such disclosure is necessary to:
• comply with applicable laws, regulations, court orders, subpoenas, or lawful requests from public authorities;
• cooperate with regulatory or professional oversight bodies;
• protect and defend the rights, property, or safety of Genomate, Consulting Healthcare Providers, users, or others;
• investigate, prevent, or take action regarding suspected fraud, security incidents, or unlawful activity; or
• establish, exercise, or defend legal claims.

d) Business transfers
In the event of a merger, acquisition, restructuring, bankruptcy, or sale of all or part of our assets, personal data may be transferred to a successor entity or acquirer as part of the transaction, subject to applicable data protection and confidentiality obligations.

e) With your instructions or consent
In limited circumstances, we may share personal data with third parties at your direction or with your explicit consent, for example where you authorize sharing of consultation results with a designated support person or healthcare professional.

Use of video conferencing and electronic communications
The Service may involve the use of third-party video conferencing platforms, email, and other electronic communication tools to support consultations and service-related communications. While we select service providers that implement reasonable administrative, technical, and organizational safeguards, no electronic communication method or third-party network can be guaranteed to be completely secure or risk-free.
By participating in the Service, you acknowledge and accept the inherent risks associated with electronic communications and remote consultations, including the possibility of unauthorized access despite reasonable safeguards.


7. Support persons, representatives, and shared access

The Service may allow the participation of a support person (such as a family member or trusted contact) in the consultation process and/or the receipt of service-related communications and results, subject to the conditions described below.

a) Patient control and authorization
Where the patient is the individual requesting the Service, the patient may choose to designate a support person to:
• participate in the consultation; and/or
• receive copies of the second opinion report and related communications.
Such designation is subject to the completion of the applicable consent and authorization steps within the Service workflow. The patient may modify or revoke this authorization at any time prior to delivery of the report, subject to operational limitations.

b) Requests submitted by someone other than the patient
In some cases, the Service may be requested by an individual other than the patient, such as a family member or caregiver.
In these cases:
• If the requester is the patient’s legal representative (for example, a parent of a minor or a person holding a valid healthcare power of attorney), the Service may proceed upon verification of such authority, and the representative may submit information and receive results on the patient’s behalf.
• If the requester is not a legal representative, the Service may proceed only where the patient has provided valid authorization permitting the requester to submit information and/or receive results. We may require the patient to complete additional consent or authorization steps directly.

c) Identity verification and access controls
To protect patient privacy, we implement reasonable measures to verify identity and manage access to Service information, including:
• verification of contact details;
• confirmation of consent and authorization records;
• access controls limiting who may view or receive consultation materials and results.
We may decline or limit shared access where authorization is unclear, incomplete, or inconsistent with applicable law.

d) Scope and limitations of shared access
Shared access is limited to the purposes authorized by the patient or permitted by law. Support persons and representatives are not granted independent rights to control or reuse the patient’s information beyond participation in the Service as authorized.
We are not responsible for how a support person or representative handles information once it has been lawfully shared at the patient’s request or direction.

e) Legal and regulatory considerations
Nothing in this section limits the rights of patients under applicable healthcare privacy laws, including HIPAA, or the obligations of Consulting Healthcare Providers to maintain medical confidentiality and professional standards.


8. International transfer of personal data

The Service is operated through technical and organizational infrastructure that may involve the processing of personal data in different jurisdictions, depending on your location and the nature of the Service.

a) Primary processing locations
As a general rule:
> Personal data relating to individuals located in the United States is stored and processed in the United States, using secure cloud infrastructure hosted in AWS US East (Virginia), and is used for service coordination, consultation delivery, support, and security operations.
> Personal data relating to individuals located in the European Union, European Economic Area, or the United Kingdom is stored and processed within the European Union, using secure cloud infrastructure operated by our service providers in the EU.
Where feasible and appropriate, we configure our service providers to process personal data in region-specific environments and to avoid unnecessary cross-border transfers.

b) Transfers from the EU/EEA/UK
Where personal data originating from the European Union, European Economic Area, or the United Kingdom is transferred to countries outside those regions, including the United States, we ensure that such transfers are subject to appropriate safeguards in accordance with applicable data protection law.
These safeguards may include, as applicable:
• the European Commission’s Standard Contractual Clauses (SCCs), together with supplementary technical and organizational measures where required; and/or
• reliance on an approved adequacy framework, such as the EU-US Data Privacy Framework, where applicable and formally relied upon.

c) Transfers involving health information
Where health information is transferred across borders in connection with the Service, such transfers are limited to what is necessary to provide and support the Service and are subject to additional safeguards appropriate to the sensitivity of the data. These safeguards include access controls, encryption, audit logging, and contractual confidentiality obligations.

d) Transparency and inquiries
If you would like more information about where your personal data is processed or the safeguards applied to international transfers, you may contact us at privacy@genomate.health. We will provide additional information where required by applicable law.



9. Your rights

Your rights in relation to personal data processed in connection with the Service depend on the laws that apply to you and on the role under which your data is processed. This section distinguishes between rights under US healthcare privacy law (HIPAA) and rights under the GDPR for individuals in the European Union, European Economic Area, or the United Kingdom.

9.1 Rights under HIPAA (United States)
Where the Service is subject to the Health Insurance Portability and Accountability Act (HIPAA), patients have specific rights with respect to their protected health information (“PHI”). These rights apply primarily in relation to the consulting oncologist or their clinical practice, as the healthcare provider responsible for the medical record. Subject to applicable limitations and requirements under HIPAA, these rights may include:

Right to access
You have the right to request access to your PHI held by the healthcare provider, including copies of consultation reports and related medical records.

Right to request amendment
You may request that inaccurate or incomplete PHI be amended. The healthcare provider may deny the request in certain circumstances permitted by HIPAA, such as where the information is accurate and complete or was not created by the provider.

Right to an accounting of disclosures
You may request an accounting of certain disclosures of your PHI made by the healthcare provider, as required by HIPAA.

Right to request restrictions
You may request restrictions on certain uses or disclosures of your PHI. The healthcare provider is not required to agree to all requested restrictions, except as required by law.

Right to request confidential communications
You may request that communications regarding your PHI be sent by alternative means or to alternative locations.

Right to receive a Notice of Privacy Practices
Where applicable, you have the right to receive the healthcare provider’s Notice of Privacy Practices, which describes how your PHI may be used and disclosed under HIPAA.
Genomate, where acting as a business associate, supports the Consulting Healthcare Provider in responding to HIPAA rights requests as required by applicable agreements and law. Requests relating to medical records or PHI should generally be directed to the Consulting Healthcare Provider or their practice, unless you are instructed otherwise.

9.2 Rights under the GDPR (EU/EEA/UK)
If you are located in the European Union, European Economic Area, or the United Kingdom, and the GDPR applies, you have the following rights with respect to your personal data, subject to the conditions and limitations set out in the GDPR:

Right of access
You may request confirmation as to whether we process your personal data and, if so, request access to that data and related information.

Right to rectification
You may request that inaccurate or incomplete personal data be corrected.

Right to erasure
You may request deletion of your personal data where, for example, the data is no longer necessary for the purposes for which it was collected, or where processing is based on consent and you withdraw that consent. This right is subject to legal and regulatory retention obligations, including healthcare-related recordkeeping requirements.

Right to restriction of processing
You may request restriction of processing in certain circumstances, such as where the accuracy of the data is contested or where the data is needed for the establishment, exercise, or defense of legal claims.

Right to data portability
Where applicable, you may request that personal data you have provided be made available in a structured, commonly used, and machine-readable format, or transmitted to another controller, where technically feasible.

Right to object
You may object to processing based on legitimate interests, subject to our ability to demonstrate compelling legitimate grounds for the processing.

Right not to be subject to automated decision-making
You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. The Service does not involve automated medical decision-making.

Right to lodge a complaint
You have the right to lodge a complaint with a competent data protection authority if you believe that the processing of your personal data infringes applicable data protection law.

Complaints
Where applicable, you also have the right to lodge a complaint with a competent supervisory authority. We encourage you to contact us first so that we can address your concerns directly and promptly. If your inquiry relates specifically to medical records or protected health information maintained by the consulting oncologist, we may direct you to the relevant healthcare provider to ensure your request is handled in accordance with applicable healthcare privacy laws.

You may contact us by email at privacy@genomate.health. We promise to respond to any valid request within a maximum of 30 days, unless the request is particularly complex or you have made multiple requests, in which case we will respond within a maximum of 60 days and will contact you about the delay beforehand.

Alternatively, you can also submit your request to exercise your rights by post, at the following address:
Genomate Health, Inc.
1 Broadway, Cambridge, MA
United States of America

Given the global reach of our Website, we strongly recommend that you contact us by email at the address provided above. We cannot guarantee that requests sent by post will arrive on time. If, however, you choose to submit a request by mail, we recommend that you send it with confirmation of receipt.

If you are located in the European Union, you have the right under Article 77 of the General Data Protection Regulation (GDPR) to lodge a complaint with a Data Protection Authority (DPA) if you believe that our processing of your personal data infringes applicable data protection law.

For EU data subjects, Genomate Health Hungary Kft. serves as our representative entity in the European Union. 
Genomate Health Hungary Kft.
Retek utca 34
1024 Budapest
Hungary

The competent supervisory authority in Hungary is:
Hungarian National Authority for Data Protection and Freedom of Information (NAIH)
Szilágyi Erzsébet fasor 22/C,
1125 Budapest, Hungary
Website: https://www.naih.hu
Phone: +36 1 391 1400
Email: ugyfelszolgalat@naih.hu

You may also find a full list of EU data protection authorities and their contact details on the official EDPB website: https://edpb.europa.eu/about-edpb/about-edpb/members_en

We encourage you to contact us first with any questions, concerns, or complaints regarding the processing of your personal data. You can reach our Data Protection Officer at: privacy@genomate.health

If we do not resolve your complaint, you may contact JAMS, our independent dispute resolution provider, free of charge, as described in the Data Privacy Framework section (section 13). For HR personal data transferred under the EU-U.S. Data Privacy Framework in the context of an employment relationship, you should instead contact your local EU Data Protection Authority; we will cooperate with the EU DPA panel and comply with its advice, and this route is also free of charge to you.

How to submit a rights request
Email privacy@genomate.health with your request and the country you reside in. We may ask for limited additional information to verify your identity. We respond within 30 days (or 60 days if permitted and necessary due to complexity, in which case we will notify you). If we cannot fully comply, we will explain why and the options available to you.
We are committed to addressing your privacy concerns and will make every effort to resolve any issue promptly and transparently.
For personal data subject to the DPF, access, correction, amendment, or deletion requests can also be submitted to privacy@genomate.health and will be handled in accordance with the DPF Principles.

9.3 Exercising your rights
To exercise your rights under HIPAA or the GDPR, or to obtain further information, you may contact us at privacy@genomate.health. We may request additional information to verify your identity and determine the applicable legal framework.
Where requests relate to medical records or PHI maintained by the Consulting Healthcare Provider, we may direct you to the appropriate healthcare provider to ensure your request is handled in accordance with applicable law.
We will respond to valid requests within the timeframes required by applicable law.



10. Duration of retention of personal data

We retain personal data collected in connection with the Service only for as long as necessary to fulfill the purposes for which it was collected, including the provision of the Service, compliance with legal and regulatory obligations, and the establishment, exercise, or defense of legal claims. Retention periods vary depending on the type of data, the role under which it is processed, and applicable legal requirements.

a) Clinical records and consultation materials
Medical records, consultation reports, and related clinical documentation are maintained by the consulting oncologist or their clinical practice as the healthcare provider responsible for the medical record. Such records are retained in accordance with applicable healthcare laws, professional standards, and record retention requirements, including those under HIPAA and relevant state law. Genomate may retain limited copies of clinical information as necessary to operate and support the Service (for example, for secure delivery, quality assurance, or dispute resolution), subject to contractual obligations and retention controls. Where such copies are retained, access is restricted and the data is deleted or de-identified when no longer required for these purposes, unless continued retention is required or permitted by law.

b) Administrative and operational data
Personal data related to service administration, including intake records, consent and authorization logs, identity verification data, customer support communications, billing metadata, audit logs, and security records, is retained for as long as necessary to:
• operate and support the Service;
• comply with legal, tax, accounting, and regulatory obligations;
• maintain security and prevent fraud; and
• manage disputes or enforce agreements.
In the absence of specific legal retention requirements, such data is retained for a limited period consistent with our internal retention policies and then securely deleted or anonymized.

c) Data subject requests and complaints
Records relating to privacy requests, complaints, or inquiries are retained for as long as necessary to document compliance with applicable law and to respond to or resolve the request or complaint.

d) Deletion and legal limitations
Where you request deletion of personal data, we will assess the request in light of applicable legal and regulatory obligations. Certain data may not be deleted immediately or at all where retention is required or permitted by law, including healthcare recordkeeping requirements, audit obligations, or the need to establish, exercise, or defend legal claims.
Where deletion is not possible, we will restrict processing and limit access to the data as required by applicable law.


11. Security of personal data

Genomate implements appropriate technical and organizational measures designed to protect personal data processed in connection with the Service against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access.

These measures are proportionate to the nature of the data processed, including health information, and are designed to support confidentiality, integrity, and availability in line with applicable data protection and healthcare privacy laws.

a) Administrative safeguards
We maintain internal policies and procedures governing data protection, access control, incident response, and employee confidentiality. Access to personal data is limited to authorized personnel and service providers who require such access to perform their duties in connection with the Service.
Personnel with access to personal data are subject to confidentiality obligations and receive appropriate training on privacy, security, and data protection requirements.

b) Technical safeguards
We use technical measures appropriate to the sensitivity of the data, which may include:
• access controls and authentication mechanisms;
• encryption of data in transit and, where appropriate, at rest;
• logging and monitoring of system access and activity;
• secure configuration and maintenance of systems supporting the Service; and
• regular review of system security and risk management measures.

c) Organizational safeguards
We engage service providers that are required by contract to implement appropriate security measures and to process personal data only in accordance with our instructions. Where health information is involved and HIPAA applies, such providers are subject to business associate or equivalent contractual obligations. We periodically assess our security practices and take reasonable steps to address identified risks, taking into account the evolving nature of security threats.

d) Incident management
We maintain procedures to detect, respond to, and investigate suspected security incidents involving personal data. Where required by applicable law, we will notify affected individuals and relevant authorities of a data breach within the timeframes prescribed by law.

e) No absolute guarantee
Despite the safeguards we implement, no method of transmission over the internet or method of electronic storage is completely secure. Accordingly, while we take reasonable and appropriate steps to protect personal data, we cannot guarantee absolute security.

If you believe that your personal data has been accessed or disclosed without authorization, please contact us promptly at privacy@genomate.health.


12. Use by minors

The Service is not intended for individuals under the age of 18. Personal data relating to a minor may be submitted only where the Service is explicitly offered for that purpose and only by a parent or legal guardian or other individual with lawful authority to act on behalf of the minor. In such cases, additional verification and consent requirements may apply.

If you believe that personal data relating to a minor has been submitted to the Service without appropriate authorization, please contact us at privacy@genomate.health, and we will take appropriate steps in accordance with applicable law.


13. Data Privacy Framework

Genomate Health, Inc. complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) as set forth by the U.S. Department of Commerce. Genomate Health, Inc. has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF. If there is any conflict between the terms in this Privacy Notice and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit the Data Privacy Framework website at https://www.dataprivacyframework.gov/.

Genomate Health employees located in the United States may provide services and support to customers, partners, or users located in the European Union (EU), European Economic Area (EEA), Switzerland, and the United Kingdom. To provide such services, Genomate Health may process or access Personal Data originating from these regions.

Genomate Health complies with the EU-U.S. Data Privacy Framework (DPF) Principles as issued by the U.S. Department of Commerce. These principles apply to Personal Data physically or remotely transferred from the EEA.

Genomate Health adheres to the following DPF Principles for all such transfers:
• Notice – Individuals are informed about the purposes for which their personal data is collected and used, how to contact Genomate Health, the types of third parties to which the data may be disclosed, and available choices for limiting its use or disclosure.
• Choice – Individuals are given the opportunity to opt out of having their personal data disclosed to a third party (other than an agent acting on our behalf) or used for a purpose materially different from that for which it was originally collected. Submit opt-out requests to privacy@genomate.health. For sensitive data, we obtain affirmative express (opt-in) consent where required by the DPF.
• Accountability for onward transfer – Genomate Health ensures that any onward transfers of personal data to third parties are conducted in compliance with the DPF Principles, with appropriate contractual safeguards in place. When we transfer personal data to third-party agents, we remain responsible under the DPF Principles if those agents process such personal data in a manner inconsistent with the Principles, unless we prove we are not responsible for the event giving rise to the damage.
• Security – Personal data is protected against loss, misuse, unauthorized access, disclosure, alteration, and destruction through appropriate technical and organizational measures.
• Data integrity and purpose limitation – Personal data is limited to what is relevant for the purposes of processing and is kept accurate, complete, and up to date as required for those purposes.
• Access – Individuals have the right to access their personal data held by Genomate Health and to correct, amend, or delete it where it is inaccurate or processed in violation of the DPF Principles.
• Recourse, enforcement, and liability – Genomate Health maintains procedures for verifying compliance with the DPF Principles and provides independent recourse and enforcement mechanisms to resolve complaints and disputes, as detailed in this Policy.
• Types of personal data we process: user account and professional identity data, contact details, authentication and audit logs, Service usage data, and support communications collected from healthcare professionals using the Service. Patient data may be processed on behalf of healthcare providers to generate reports, as described in this Privacy Policy.
• U.S. entities or U.S. subsidiaries also adhering: Genomate Health, Inc. is the certifying U.S. entity. Genomate Health has no other U.S. subsidiaries adhering to the Principles. If this changes, we will update this notice.
• Commitment and scope: Genomate Health commits to apply the DPF Principles to all personal data received from the EU/EEA in reliance on the EU-U.S. DPF, when such data is transferred to the United States.
• Purposes of processing: we process personal data to provide, secure, and support the Service; manage accounts and authentication; generate and deliver Genomate reports; provide customer support; meet regulatory and security obligations; and improve service performance, as detailed in the sections above.
• How to contact us: privacy@genomate.health. For EU inquiries, you may also contact our EU establishment: Genomate Health Hungary Kft., Retek utca 34, 1024 Budapest, Hungary.
• Third parties: we disclose personal data to service providers and other recipients as 
• Public authority requests: we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

How to exercise DPF choices and rights: please contact us at privacy@genomate.health. We will respond consistent with the DPF and applicable law.

Recourse, enforcement & liability
In compliance with the EU-U.S. Data Privacy Framework (DPF) Principles, Genomate Health commits to resolve complaints concerning your privacy and our collection or use of Personal Data transferred to the United States in reliance on the EU-U.S. DPF.
Individuals in the European Union with inquiries or complaints regarding our compliance with the DPF should first contact the Genomate Privacy Office at privacy@genomate.health

Genomate Health has further committed to cooperate with and refer unresolved DPF-related complaints to JAMS, an independent dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://www.jamsadr.com/dpf-dispute-resolution for more information and to file a complaint. This service is provided free of charge to you. If your DPF complaint cannot be resolved through the above channels, under certain conditions you may be entitled to invoke binding arbitration for some residual claims not otherwise resolved by other redress mechanisms.

For more information, please visit the Data Privacy Framework website at https://www.dataprivacyframework.gov/framework-article/ANNEX-I-introduction.

The U.S. Federal Trade Commission (FTC) has jurisdiction over Genomate Health’s compliance with the Data Privacy Framework.


14. Changes to this Privacy Notice

We may update this Privacy Notice from time to time to reflect changes in our practices, the operation of the Service, or applicable legal and regulatory requirements.
Any updates will be posted on our website and will become effective as of the “Effective Date” shown at the top of this Privacy Notice. Where changes materially affect how personal data is processed or where required by applicable law, we will take additional steps to notify users or obtain consent, as appropriate.

We encourage you to review this Privacy Notice periodically to stay informed about how your personal data is handled in connection with the Service.


15. Contact information

If you have any questions about this Privacy Notice, the processing of your personal data, or wish to exercise your rights under applicable law, you may contact us at: privacy@genomate.health

Genomate Health, Inc.
1 Broadway, Cambridge, MA, United States

For individuals located in the European Union, European Economic Area, or the United Kingdom, you may also contact our EU establishment:
Genomate Health Hungary Kft.
Retek utca 34
1024 Budapest, Hungary