Privacy Policy

Varient takes data privacy seriously and we are committed to protecting and respecting your privacy in accordance with applicable data privacy regulations such as Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and the EU’s General Data Protection Regulation (GDPR). This privacy notice describes how and why we obtain, store and process personal data. Personal data is information relating to you. This includes information that enables us to identify you, for example, your name, email address, information about your access to our website, as well as any additional information relating to you once you are identifiable.

We will process your personal data fairly, lawfully, and transparently. As the nature of our offering involves the processing of sensitive health information, we want to assure you that we will not process this information without your explicit consent for the purposes outlined in this policy.

This Privacy Notice is current from 17 March 2022. We may update this notice from time to time and we will notify you of any changes. Please do not hesitate to contact us if you have questions in addition to the information provided in this notice – privacy@varientapp.com

When we refer to ‘we’ (or ‘our’ or ‘us’), that means 13623670 Canada Inc., trading as Varient and hereafter referred to as ‘Varient’ throughout this policy. Our headquarters are in Toronto, Ontario, Canada. We are the data controller. Data controller is a term that means we are responsible for determining how and why your personal data is processed.

For more information about who we are and what we do, visit the Varient website.

Personal data refers to information relating to an identified or identifiable person. It does not include data that has been anonymised and cannot be traced to an identified or identifiable person.

Depending on the type and level of engagement you have with us, we may collect the following personal data:

• Identifying and Demographic Information: Full name, date of birth, username, gender, phone number(s) and email address.
• Medical, Health and Genetic Information (Special Categories Personal Data): physical and mental health, doctor certificates, test results, disabilities, family or individual health history, treatment plans, medical information relevant to rare genetic disease, drugs prescriptions and genetic information.
• Racial or ethnic origin (Special Categories Personal Data)
• Digital Images: Photograph used to perform visual confirmation of identification, photographs of medical reports.
• User Preferences and Feedback: opinions and feedback on medications and treatment plans for a given medical condition. Also, feedback provided by users (e.g., in the software directly or after receiving help from support team).
• Usage Information: user activity in relation to the types of Services used, the configuration of user devices, and performance metrics related to use of our Services.
• Website: When you visit the Website, we collect certain information related to your device, such as your device’s IP address, cookies information, referring website, what pages your device visited, and the time that your device visited our website (for more information please see our Cookies Policy).

We will collect and process your sensitive health and genetic data to provide our service and share information to help you to make decisions around your treatment options. In the pursuit of driving new treatment research and development, we are committed to data democratization. We believe that those developing quality-of-life-changing medicines for those with rare diseases should have access to this data to improve the efficiency and efficacy of development of new medicines. As part of our mission of providing this service to you we may also need to process information regarding your ethnicity, as some genetic variants can produce ethnically distinct phenotypes due to other shared genetic variants within your ethnic group. Since we are only collecting information about 1/25000 genes in your body, being able to analyse your variant based on your ethnicity may be critical for future medicine development.

Health, genetic and ethnic information are considered Special Categories Personal Data. We will only process your Special Categories Personal Data after you have given us explicit consent to the processing of those personal data for the purposes specified in the table below. We will not share your sensitive personal data for financial gain nor with third parties like insurance companies.

When you join our waitlist, you will be asked for your email address and gene of interest (not the variant). We will ask for your explicit consent to process your genetic data.

When you sign up for our app and create an account we will separately ask for your explicit consent to:

• de-identify your sensitive personal data to share it with other users of our service to help them to make decisions around their treatment options.
• to share aggregate, anonymised data with pharmaceutical companies, to help those companies to develop new or improved medication for a specific rare genetic disease. We would ensure that the data is anonymised and would only share aggregate statistical data. We would rely on your explicit consent to anonymise the data and perform this statistical analysis.
• to contact you directly about clinical trials that you might be a good candidate for. We will receive information from pharmaceutical companies about a clinical trial they are running and the type of candidate they are looking for. If you have given us your explicit consent to be contacted, we would then email you information about the clinical trial and how to contact the clinical trial for more information. We would NOT share any of your personal or sensitive personal information to the pharmaceutical company. We act as a middleman connecting you to potential clinical trials. Again, we would not do this without your consent, and you could continue to use our service if you decided you would rather not be contacted directly about potential clinical trials.

While our website and app are designed for a general audience, we acknowledge that we may process the personal data of people aged under 18. This will only be done with the consent of their parental guardians. If we learn that we have collected personal information from a child under age 18 without their guardian’s consent, we will delete that information as quickly as possible. If you believe that a child under 18 may have provided us Personal Information without their guardian’s consent, please email privacy@varientapp.com. Our privacy team will act upon this information as quickly as possible.

We will only collect and process your personal data where we have a legal basis to do so. As a data controller, the legal basis for our collection and use of your personal data varies depending on the manner and purpose for which we collected it. We will only collect personal data from you when:

• we have your consent to do so
• we have your explicit consent for special category data processing
• we need your personal data to perform a contract with you. For example, to provide you with our service
• pursuing our legitimate interests in a way that you might reasonably expect to be a part of running our business and that does not significantly impact your interests, rights and freedoms
• we have a legal obligation to collect or disclose personal data from you (e.g., in suspected instances of fraud where we need to give personal data to relevant authorities or a government body).

Purpose and Legal Basis Explained:

Purposes To contact you in relation to a service you queried, to respond to your communication to us, respond to enquiries and comments or provide customer service and support

• Legal Basis: The processing is necessary for the performance of a contract or in order to take steps to enter into a contract with you.

Purposes To process your sign up for the waitlist and to register your user account in the app. This would also include the processing of Special Categories of Personal Data (Health and Genetic data)

• Legal Basis: Processing is necessary for the performance of a contract with you. We will only process your Special Categories Personal Data after you have given us explicit consent to the processing of those personal data.

Purposes To de-identify and share the information you shared with us around your rare genetic disease with other users of our service to help them to make decisions around their treatment options. This would also include the processing of Special Categories of Personal Data (Health and Genetic data)

• Legal Basis: Processing is necessary for the performance of a contract with you. This processing will only be carried out with your explicit consent

Purposes To anonymise and analyse the information you shared with us around your rare genetic disease in order to share this with pharmaceutical companies to improve the medication available for rare genetic diseases. This would also include the processing of Special Categories of Personal Data (Health and Genetic data)

• Legal Basis: The processing is necessary for our legitimate interests in improving the medication available for rare genetic diseases and providing this service. Except where such interests are overridden by your interests or fundamental rights and freedoms. This processing will only be carried out with your explicit consent

Purposes: To categorise potential candidates for clinical trials at sign up and to contact them directly with information about clinical trials. This would also include the processing of Special Categories of Personal Data (Health and Genetic data)

• Legal Basis: The processing is necessary for our legitimate interests in improving the medication available for rare genetic diseases and providing this service. Except where such interests are overridden by your interests or fundamental rights and freedoms. This processing will only be carried out with your explicit consent

Purposes To carry out our obligations arising from any agreements entered between you and us.

• Legal Basis: Processing is necessary for the performance of a contract with you.

Purposes To improve and customise your browsing experience when visiting our website via the use of Cookies (See Cookies Policy)

• Legal Basis: You have given consent to the processing of your personal data (non-essential cookies information) through the Cookies Banner available on our website.

Purposes To carry out statistical analysis in order to improve our service and business. Data will be made anonymous before carrying-out statistical analysis.

• Legal Basis: The processing is necessary for our legitimate interests in assessing areas for business improvement as well as improvement of services offered. Except where such interests are overridden by your interests or fundamental rights and freedoms.

Purposes To send technical alerts, updates, security notifications, and administrative communications

• Legal Basis: The processing is necessary for our legitimate interests in protecting our services and maintaining the safety of your data. Except where such interests are overridden by your interests or fundamental rights and freedoms.

Purposes Investigate and prevent fraudulent activities, unauthorised access to our services, and other illegal activities

• Legal Basis: The processing is necessary for our legitimate interests in protecting our services and maintaining the safety of your data. Except where such interests are overridden by your interests or fundamental rights and freedoms.

We may collect your personal data in one of the following ways:

• When you create an account
• When you contact us with queries or join our waitlist
• When you share test results or other medical reports directly into the app
• When you interact or add additional information directly into the app/website
• When you review our services
• When you visit our website (See our Cookies Policy for more details)

We may also receive personal data about you from some third parties, including:

• Technical Data from third parties, including analytics providers such as Google. Please see further information in the section entitled ‘Marketing preferences, adverts and cookies’ below.

You have several rights under data privacy legislation and Varient is committed to you being able to freely exercise your Rights. Where possible, we have incorporated automated tools on our website that enable you to facilitate your Rights in real-time. Use the Varient Privacy Centre to access and manage the personal data we hold about you and manage your preferences. You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.

Under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) your rights include, with certain legal restrictions, the below:

Right of Access or Rectification: you have the right to ask us for copies of the personal data we hold about you. You are also entitled to have your personal data corrected or updated if it is inaccurate.

Right to Withdraw Consent: in cases where we are relying on your consent for the processing of your personal data, you have the right to withdraw your consent at any time. In respect of the e-marketing we conduct, an unsubscribe (withdraw consent) option is included with every e-marketing communication we send.

Users located in the UK or European Economic Area (EEA) have the above rights as well as the below under the EU GDPR and UK GDPR.

Right to Data Portability: you have the right to obtain a digital copy of your personal data, request the transfer of your personal data to another company or request to move your data from one IT system to another in a safe and secure way. This right only applies to personal data you provide to us, and we process it with your consent or in order to fulfil our contract with you by automated means. It also only applies to the extent that it does not affect the rights and freedoms of others.

Right to Restriction of Processing: you have the right to restrict the processing of your personal data where you are contesting the accuracy of that information, you have objected to processing (as described below), or where the processing is unlawful. Where processing is restricted, we may need to retain sufficient information about you to ensure that the restriction is respected in future.

Right of Erasure: you have the right to have your personal data erased if we do not have a legitimate reason for retaining your data.

Right to Object to Processing: you have the right to object to the processing of your personal information in certain circumstances such as where your personal data is being processed based on our legitimate interests or the legitimate interests of a third party.

Right to Object to Automated Decision-making including Profiling: you have the right to not be the subject of any automated decision-making or profiling by us.

Cookies Preferences: You can manage cookies as you wish – please visit the Privacy Centre and click Manage Cookies. You can also do so by adjusting your web browser controls. Please consult our Cookie Policy for more information about our use of cookies on the Website and how to accept and reject them.

Right to Complain to Relevant Supervisory Authority: You have a right to lodge a complaint with your local supervisory authority if you have concerns about how we are processing your personal information. We ask that you please attempt to resolve any issue with us first by emailing us directly at privacy@varientapp.com, although you have a right to contact your supervisory authority at any time. You can find the contact details for your local supervisory authority here.

Storing your data

Your personal information is stored securely within our cloud servers. Personal information will be both encrypted at rest and encrypted in transmission. Our cloud service provider offers servers that are physically located globally, so that your personal information will be physically stored in the same geographical region as you. For example, European users’ data will be stored in the EU, while Canadian users’ data will be stored in North America.

Securing your data

The communication between your browser and our website uses a secure encrypted connection wherever your personal data is involved.

We have put in place physical, electronic, and managerial security procedures in the storage and disclosure of your personal data to protect your data. These include pseudonymising personal data where possible, identity and access management procedures, data privacy and secure handling training for all our employees who handle personal information, multifactor authentication procedures, incident detection systems and breach notification processes. Nevertheless, any data transmission over the internet or by any other means can never be fully secure, such is the character of the internet, and provision of personal data by you to us is at your own risk. We take all reasonable measures to protect your personal data by putting appropriate technical and operational security measures in place.

When we disclose your personal data to trusted third parties (for the purposes set out in this notice), We take all reasonable measure to anonymise your data before sharing it with trusted third parties, but in case any information should become identifiable we also require all third parties to have appropriate technical and operational security measures in place to protect your personal data, and we work with them to ensure that your data protection and privacy rights are respected. Where your personal data is shared with a third party, it must only be used for the purposes for which it was supplied.

In the unfortunate event of a personal data breach, we will notify you and any applicable regulator when we are legally required to do so.

Retaining your data

We will retain your personal data for as long as we have a relationship with you. If or when you decide to delete your account, we will delete your data upon your request. As part of the offboarding process we will ask for your consent to continue to process your data for the same purposes as described in this policy (to share your de-identified information with other users of our service to help them to make decisions around their treatment options). Again, we will only continue to process your information with your consent, if you do not consent your information will be deleted.

We may keep certain information for a period of time afterwards where we have an ongoing business need to retain it, in accordance with our data retention policies and practices. For example, where you ask to be unsubscribed from marketing communications, we may keep a record of your email address and the fact that you have unsubscribed to ensure that you are not sent any further emails in the future.

We sometimes share your personal data with our trusted categories of third parties we use to conduct our business, for example, to provide our Privacy Centre services to you; to handle feedback and complaints; and to help us understand your behaviour in order to customise and maximise our services, marketing, and offers to you. However, we will never share sensitive personal data with third parties without your explicit consent.

Our trusted categories of third parties include website hosts and service providers. To see our list of sub processors please click here to see sub processor list.

We may share your personal data with law enforcement upon request for the purposes of preventing fraud and anti-money laundering.

We may also share your personal data with our professional advisers including lawyers, bankers, auditors, and insurers who provide consultancy, banking, legal, insurance and accounting services.

The personal data we collect from you may be transferred to, and stored at, destinations outside the European Economic Area ("EEA") using legally provided mechanisms to lawfully transfer data across borders. It may also be processed by staff operating outside the EEA who work for us or for one of our suppliers. Such staff may be engaged in, among other things, the provision of our services to you. We will take all steps necessary to ensure that your data is treated securely and in accordance with this privacy notice.

If personal data is transferred outside the EEA, the protection offered by the GDPR will travel with your data and we will ensure at least one of the following measures are adhered to:

1. The non-EEA country's protections are deemed adequate by the EU.
2. We take the necessary measures to provide appropriate safeguards, such as including specific clauses in the agreed contract with the non-European importer of the personal data.
3. We rely on specific grounds for the transfer (derogations) such as the consent of the individual.

Please contact us if you want further information on the countries to which we may transfer personal data and the specific mechanism used by us when transferring your personal data outside the EEA – privacy@varientapp.com

We may send you information about clinical trials that you might be a good candidate for, if you have created an account with us, and you have not opted out of receiving these communications.

We may use your personal data (as outlined in the ‘Personal Data We Collect’ section) to form a view on what we think you may like, or what may be of interest to you, and to send you details of services which may be relevant for you.

We will ask you for your preferences in relation to receiving marketing communications by email.

You will always have full control of your marketing preferences. If you do not wish to continue receiving marketing information from us (or any third party, if applicable) at any time:

• you can unsubscribe or ‘opt-out’ by using the unsubscribe button and following the link included in the footer of any marketing email; or
• account holders may withdraw their consent by simply logging in to the Varient Privacy Centre and managing their preferences.

We will process all opt-out requests as soon as possible, but please note that due to the nature of our IT systems and servers it may take a few days for any opt-out request to be implemented.

Our website uses cookies to distinguish you from other users of our website and to keep track of your visits. They help us to provide you with the very best experience when you browse our website and to make improvements to our website. They also help us and our advertising networks to make advertising relevant to you and your interests.

You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of our website may become inaccessible or not function properly.

You can manage cookies as you wish – please visit the Privacy Centre and click Manage Cookies. For detailed information on the cookies which we and our third-party providers use and the reasons why we use them, please refer to our Cookie Policy.

Our website may include links to and from the websites of our partner networks, advertisers, and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to their websites.

From time to time, we may change this privacy notice. If there are any significant changes we will post updates on our website, applications or let you know by email at privacy@varientapp.com.

We welcome feedback and are happy to answer any questions you may have about your data.

You can contact us by email: privacy@varientapp.com

This notice was most recently updated: 15 December 2022