Privacy Policy
Last Updated: November 15, 2023
This Privacy Policy is supplied by The Broad Institute (“Broad,” “we,” “us” or “our”) and describes how Personal Data is collected and used by Broad via the Terra platform and all associated websites (including terra.bio) (“Terra”) developed by Verily, Microsoft and Broad (together with their affiliates, the “Collaborators”). This Privacy Policy applies only to the websites and other online properties that directly link to it, which we refer to herein as the “Services”.
This Privacy Policy applies to Broad where Broad is the “controller” of your Personal Data, i.e., the entity that determines the purposes and means for processing such data. Broad may in some cases process Personal Data on behalf of users of Terra, such as where Users load Personal Data including genomics data to Terra. In that case, Broad is a “processor” with respect to such information, and you should refer to the User’s own privacy notices to receive additional information about their privacy practices.
Certain capitalized terms have the meaning as defined in our Terms of Service, incorporated herein by reference. If you have any questions about Broad’s privacy practices, please email:
1. Personal Data We Collect
When we use the term “Personal Data” we mean information that relates to a specific person, or that can be used to identify a specific person, such as a name or email address. In this Privacy Policy, we do not include Protected Health Information in the definition of Personal Data because, as discussed in Section 2 (Protected Health Information), Protected Health Information has different treatment under the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations (“HIPAA”) and other applicable laws. “Protected Health Information” or “PHI” is individually identifiable health information that is protected by HIPAA.
We collect and use Personal Data through your use of the Services in the following ways:
1.a User Account Information/Personally Identifiable Information
When you register with us through the Services and during your use of the Services, we will ask you for Personal Data such as: your name, company or organization name, title, e-mail address.
1.b Information You Provide
When you interact with the Services, you may supply certain Personal Data, such as when you submit a request or post on the Community Forum. The information will vary depending on your interactions, but may include your name and email address and other information you include in the body of your request, post, comment, or other interaction.
When you Connect Content to the Services, such as uploading data for analysis, sharing with specified peers using the Services, developing software tools, or other scientific or research purposes.
1.c Automatic Data Collection: Cookies and Similar Technologies
When you use the Services, we automatically collect usage data such as the IP address of the device or internet service you use to connect to the Internet, browser type and version, operating system and platform, and referring URLs, which may, in some instances, constitute Personal Data (“Usage Data”).
We use cookies, tracking pixels, and other similar technologies to track activity on our Services and to enhance the functionality of our Services. Cookies are small data files that our web servers send to your browser and which get saved on the hard drive of the computer that you are using to access the Services. If you do not want to allow cookies on your computer, most browsers have a feature that allows you either to automatically decline cookies or to decline or accept particular cookies from particular websites. If you choose to reject cookies from our Services, you may be unable to use certain Services features and functionality. If you choose to accept cookies from us and our service providers, you are agreeing to let us and our service providers install cookies on your computer. To learn more about cookies, please visit http://allaboutcookies.org. Tracking pixels (also known as web beacons, action tags, or transparent GIF files) collect and store information about your visits to our Services, such as page visits, the duration of the visit, the specific link(s) that you clicked during your visit, and the address of the website from which you arrived at the Services.
We may use services such as Google Analytics to better understand how Users interact with our Services. To learn more about the use of Cookies by Google for analytics and to exercise choice regarding those Cookies, please visit the Google Analytics Opt-out Browser Add-on.
Do Not Track (“DNT”) is a privacy preference that Users can set in certain web browsers. We are committed to providing you with meaningful choices about the information collected on our website for third-party purposes, and that is why we provide the variety of opt-out mechanisms listed above. We do not currently use technology that recognizes “do not track” signals from your Web browser.
2. Protected Health Information
With respect to Terra, Broad is not a Covered Entity as that term is defined under HIPAA. You may not use Terra to Connect Content that includes PHI. You will Deidentify data prior to Connecting it to Terra.
3. How Your Personal Data May be Used
We use Personal Data as described below:
We may use your Personal Data to provide and improve Terra and our other products and services, to ensure contact information is up to date and accurate, to improve our customer service, to reduce risk and prevent fraud, to provide you with a personalized experience on our Services and to communicate with you regarding new service features and related products and services provided by our Collaborators or other partners, events, and other information and notices we believe you may find interesting or useful. We will not sell or provide your information to third parties other than the Collaborators for their own direct marketing purposes.
We use Usage Data collected to provide, maintain, secure, and improve our Services, and to understand your interests when visiting our Services. We may generate statistical information regarding our User-base and use it to analyze our Services or business. Usage Data, such as IP address, may be shared with third-party tools leveraged by Terra in order to enable us to understand how you are using Terra and to improve your user experience by providing onboarding prompts to help you use Terra effectively.
4. With Whom May Broad Share Your Personal Data?
We share Personal Data with the following categories of recipients:
Service Providers
We may rely on various third-party service providers and contractors to provide services that support the Services and our operations, including, without limitation, maintenance of our databases, distribution of emails and newsletters on our behalf, data analysis, payment processing and other services of an administrative nature. Such third parties may have access to your Personal Data for the purpose of performing the service for which they have been engaged.
Compliance with Laws and Law Enforcement
Broad cooperates with government and law enforcement officials and private parties to enforce and comply with the law. We may disclose Personal Data and other User information when we, in our sole discretion, have reason to believe that disclosing this information is necessary to identify, contact, or bring legal action against someone who may (either intentionally or unintentionally) be causing injury to or interference with our rights or property, Users of our Services, or anyone else who could be harmed by such activities. We may also disclose User information when we believe, in our sole discretion, that such disclosure is required by applicable law. We also may be required to disclose an individual’s Personal Data in response to a lawful request by public authorities, including to meet national security or law enforcement requirements.
Vendors and Service Providers
We use various third-party service providers, such as Google Cloud, Microsoft Azure, AppCues, and MixPanel, that assist us in providing Terra. For example, we may use third-party vendors to store and authenticate account credentials, store and analyze system logs, send email communications, and for hosting and storing information collected through our Platform. We may need to share your information with these vendors and service providers to enable them to provide these services to us. These service providers and vendors are required to only use your information to provide their services to us and in a manner consistent with this Policy.
Business Transactions
If any of the Collaborators sells all or part of their business or makes a sale or transfer of assets or is otherwise involved in a merger or business transfer, the Collaborator may transfer your Personal Data to a third party as part of that transaction.
5. Information You Share With Other Users; Forums
Our Services allow you to share Content you Connect to the Services with other Users of the Services and third parties who are not Users of the Services, including but not limited to, service providers. Broad is not responsible for such other Users’ and third parties’ use of your Content. You understand and acknowledge that, if you choose to share Content you Connect to the Services with other Users of the Services or third parties, such Connected Content might be copied or redistributed by those authorized Users and third parties. Any copies, relevant metadata, and derived results made by authorized Users will persist in the authorized User’s account, and thereby may continue to be accessible to third parties such as service providers, even after you remove information from your account or delete your account. Please review our Terms of Service for additional information relating to Connecting Content to the Services.
6. Links and Third Party Applications; Other Privacy Terms and Conditions
On the Services, we may provide links to websites or applications maintained by third parties, which we believe you may find useful. Broad is not responsible for the privacy practices of these other websites or applications and we encourage you to review the privacy policies of each of those other websites or applications before using such websites and applications. If you click on these third-party links, these other websites or applications may place their own cookies or other files on your computer, collect data, or solicit Personal Data from you. Other websites and applications will have different policies and rules regarding the use or disclosure of the Personal Data you submit to them. We make no representation with regard to the policies or business practices of any websites or applications to which you connect through a link from the Services, and are not responsible for any material contained on, or any transactions that occur between you and any such website or application.
As a processor, Broad stores the Content you Connect to the Services, which can include genomic sequence data (DNA, RNA, etc.), derived from humans or other organisms, that you submit to the Services along with metadata and other information related to such sequence data. You agree to and accept full responsibility for obtaining all necessary permissions and informed consents from the donors of all samples from which your submitted sequence data is derived.
You may also be permitted to upload your own software and data, including reference genomes, to the Services in the course of using the Services. You agree to and accept full responsibility for obtaining all permissions, consents, and rights necessary for uploading and using any such software and data to and with the Services. The software you upload must comply with the Terra “Terms of Use Policy”.
7. Children’s Privacy
We are committed to protecting the privacy of young people using our Services. We do not knowingly collect Personal Data on the Services from children under age 13. We believe children should get their parents’ or guardians’ consent before giving out any Personal Data. If you become aware that we have collected Personal Data from a child without parental consent, please notify us promptly. If we become aware that a child under age 13 has provided us with Personal Data without parental consent, we will take steps to remove it.
8. Data Processed in the United States
Broad is a United States based company and therefore we must abide by the laws and regulations of the United States. By Connecting Content to the Services, you understand and consent to the collection, use, processing and transfer of such Content to the United States, which may not offer the same level of data protection as the country where you reside, in accordance with the terms of this Privacy Policy. As described further in Section 9, where required by applicable law, we have instituted suitable safeguards to ensure the adequacy of the privacy protections in place with respect to any data transfers.
9. Notice to Individuals Located in the European Economic Area, United Kingdom, or Switzerland
Our processing of Personal Data about individuals located in the European Economic Area, United Kingdom, and Switzerland may be within the scope of the European Union’s General Data Protection Regulation (EU Regulation 2016/679) (“EU GDPR”), its incorporation into the laws of England and Wales, Scotland, and Northern Ireland by virtue of the UK European Union (Withdrawal) Act 2018, the Data Protection Act 2018 and/or the Swiss Federal Act on Data Protection, as applicable (together, the “GDPR”). This portion of our Privacy Policy applies only to our processing of Personal Data that is within the scope of the GDPR (“GDPR Processing Activities”).
We rely on separate and overlapping bases to process your Personal Data. We will use the Personal Data provided through or collected on the Services only for the purposes described in this Privacy Policy. Our legal bases for processing your Personal Data include providing you with the information or Services that you have requested in a secure manner, furthering our legitimate business interests, and your consent, if applicable.
Legitimate business interests that we rely on in processing your Personal Data include (i) improving and customizing the Services for you, (ii) understanding how the Services are being used, (iii) exploring ways to develop and grow our Services, (iv) ensuring the safety and security of the Services, and (v) enhancing protection against fraud, spam, harassment, intellectual property infringement, crime and security risks. Without the ability to collect and process your Personal Data, we would not be able to achieve those interests. We may also use your Personal Data for purposes, including scientific research, that are compatible with the purposes for which such data were initially collected.
If our processing is based solely on consent, you have the right to withdraw your consent. You may withdraw your consent by contacting us as set forth in the “Contact Us” section below. Please note that, in certain cases, we may continue to process your Personal Data after you have withdrawn consent, if we have a legal basis to do so. For example, we may retain certain information if we need to do so to comply with an independent legal obligation, or if it is necessary to do so to pursue our legitimate interest in keeping the Services safe and secure, or if deleting the information would undermine the integrity of a research study in which you are enrolled.
When you enter your Personal Data through one of the Services, the data is being transferred to, stored, and processed in the United States. Please be aware that the United States, and possibly other countries to which your Personal Data may be transferred, have not been determined by the appropriate government authorities to provide adequate safeguards for the protection of Personal Data. Where such transfers take place, they will be in accordance with the GDPR and Broad will take steps to maintain the privacy of your Personal Data as described in this Privacy Policy. If Broad transfers your Personal Data outside the EEA, UK, or Switzerland, we will do so in reliance on mechanisms recognized under the GDPR including Standard Contractual Clauses, your informed consent, or other legal circumstances as permitted by EU, UK, or Swiss data protection law. If you are an Enterprise Licensed User, this may include our Data Processing Addendum. You may request a copy of the Standard Contractual Clauses or further information on the specific mechanism relevant to any such transfer of your Personal Data by contacting us as set forth in the “Contact Us” section below.
We will retain your Personal Data for as long as is necessary for the purposes set out in this Privacy Policy (for example, if you have an account, for as long as your account is active), unless a longer period is required under applicable law or is needed to resolve disputes or protect our legal rights. To determine the appropriate retention period for personal data, we also consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
If your Personal Data is processed for GDPR Processing Activities, you have the right to (1) confirm with us whether your personal data is processed, and if it is, to request access to that personal data, (2) object to the processing of your personal data, (3) obtain a copy of the Personal Data Broad holds about you in an easily accessible format and receive any details required to be provided to you under applicable law, (4) correct or update your Personal Data, if inaccurate or incomplete, (5) limit collection and use of your Personal Data under certain circumstances (for example, if you think it is inaccurate), (6) request deletion of your Personal Data, subject to Broad’s need to keep such data to comply with legal requirements, to preserve the integrity of a research study, or to allow Broad to defend itself from legal claims, among other bases for denying a request to delete, and (7) ask us not to process your personal data for direct marketing purposes, including profiling if it is related to such direct marketing. In addition, if you are based in the EU, you have the right to lodge a complaint with the relevant supervisory authority, details of which are on the European Data Protection Board (EDPB) website, depending on the country in which you are based (https://edpb.europa.eu/edpb_en). If you are based in the UK and you have concerns about our handling of your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office (www.ico.org.uk), which is the UK’s supervisory authority for data protection issues.
Please note that the rights described are not all absolute and we reserve all of our rights available under applicable laws. If you have questions about the processing of your Personal Data or rights associated with your Personal Data, see the section “Contact Us” below.
In some instances, the provision of your personal data is required in order for us to enter into a contract or comply with our legal obligations and if you do not provide this personal data, we may not be able to provide our Services to you. In all other cases, your provision of personal data is voluntary.
We do not use automated decision making processes. We use certain registration data, including demographics, for the purposes of product improvement and user research for the legitimate interests of running and developing our business.
10. Privacy Policy Changes
This Privacy Policy may be updated periodically. We will notify you of any material changes to this Privacy Policy by posting the revised policy on the Services. You are advised to periodically review this page to ensure continuing familiarity with the most current version of our Privacy Policy. Any changes to our Privacy Policy will become effective upon our posting of the revised Privacy Policy on the Services. Use of the Services following such changes constitutes your acceptance of the revised Privacy Policy then in effect. You will be able to determine when this Privacy Policy was last revised by checking the “Last Updated” information that appears at the top of this page.
11. Contact Us
If you have any questions about our privacy practices, you may contact us using the following email address: privacy@broadinstitute.org.
You may contact our Data Protection Officer at: whedglon@broadinstitute.org.
You may contact our EU/UK Representative at: whedglon@broadinstitute.org.