The Chan Zuckerberg Biohub Inc. ("CZ Biohub," "we," " us," or "our") provides the Chan Zuckerberg ID platform ("Services" or "CZ ID") in partnership with the Chan Zuckerberg Initiative, LLC ("CZI"). This Data Privacy Notice ("Privacy Notice") describes the types of information we collect or that is uploaded by website visitors ("Visitors") and registered users ("Users"), and how we use, share, and protect that information.
|Type of Data||What is it?||What’s it used for?||How is it shared?||Your Choices|
|Data you upload to or create using CZ ID|
|Raw Sample Data||Genetic sequence files (ex: FASTA/FASTQ) uploaded by Users.||Upon upload, Raw Sample Data is processed through our data pipeline and all host (ex: human, mosquito) genetic information is filtered out. We always filter out all human genetic information, regardless of host. We use the remaining data, with Sample Metadata, to create Reports and Visualizations showing the microorganisms in your sample. These can be shared with other CZ ID users.||Raw Sample Data is not shared with any other CZ ID user, nor is it ever accessed by anyone working on CZ ID unless specifically requested by a User, such as to debug an issue.||Users can request deletion of Raw Sample Data or their CZ ID account data by contacting us at email@example.com and we will fulfill the request within 60 days.|
|Sample Metadata||Data about Samples annotated by Users (ex: sequencer used, sample collection date).||See above.||
Report Data and Visualizations that Users create can include Sample Metadata. CZ ID Users may choose to share that Report Data and/or Visualizations (including Sample Metadata) with other CZ ID Users.
This data is also shared with technical partners (Chan Zuckerberg Initiative, LLC - CZI LLC) and Service Providers (ex: AWS) that help operate and secure CZ ID. CZI LLC and Service Providers are limited by this Privacy Notice and will not use any data shared with them for any purpose beyond operating and securing CZ ID.
We will never sell your data or share it with anyone that does.
|Report Data||Data about non-host microorganisms that may be contained in the uploaded sample (includes Sample Metadata).||See above.||See above.|
|Visualizations||Analyses created by Users based on Report Data (ex: heatmaps and phylogenetic trees). Can include Sample Metadata.||See above.||See above.|
|Data CZ ID collects|
|User Data||Data about researchers with CZ ID accounts such as name, email, institution, basic information about how they are using CZ ID (ex: search queries), and information provided for user support (ex: resolving support requests).||We use this data only to operate, secure, and improve the CZ ID services.||
Basic CZ ID account information such as name and institution may be visible to other CZ ID Users (ex: with collaborators on a shared project).
This data is also shared with technical partners (CZI LLC) and Service Providers (ex: AWS) that help operate and secure CZ ID.
CZI LLC and Service Providers are limited by this Privacy Notice and will not use any data shared with them for any purpose beyond operating and securing CZ ID.
We will never sell your data or share it with anyone that does.
|Users can request deletion of their CZ ID account data by contacting us at firstname.lastname@example.org and we will fulfill the request within 60 days.|
|Device and Analytics Data||Device Data (ex: browser type and operating system) and Analytics Information (ex: links within CZ ID you click on and how often you log into CZ ID) includes basic information about how Users and Visitors are interacting with CZ ID.||See above.||See above.|
|Visitor Data||Data about visitors (non-Users) to CZ ID pages, such as czid.org and includes basic analytics information (ex: links clicked).||See above.||See above.||This data is not personally identifiable.|
About CZ ID
CZ ID is an online platform designed to enable the research community to research pathogens in metagenomic sequencing and to help further the study of infectious diseases. To do this, CZ ID processes genetic data in order to identify pathogens contained within.
Here’s how CZ ID works: Users submit Upload Data (as described below). This data may contain human and non-human genetic sequences (“Raw Sample Data”; as further defined below), as well as information about those sequences, such as the date the sample was collected and the host species it was collected from (“Sample Metadata” as further defined below). For example, a researcher might upload genetic information from mosquitoes, which are often a source of infectious disease, or from humans, who can be infected by such diseases. CZ ID then processes this Upload Data in order to identify pathogens found within the genetic sequence (e.g., the mosquito may be carrying the chikungunya virus).
We hope that this sharing of pathogen data will help to create a global dashboard that helps researchers better understand pathogens.
CZ ID also collects information about Users in order to offer the Service. Other than basic information required to create an account (e.g. email address, name), the User determines what information they want to upload onto CZ ID. Please note: CZ ID is not designed for or directed toward children under the age of sixteen.
“Upload Data” is data that Users upload to CZ ID (other than the information Users provide during registration to create an account). As explained below, Upload Data consists of genetic sequence information (human or non-human) and metadata about those genetic sequences (such as time and location of sample collection).
As described in our Terms, Users are required to obtain and maintain all necessary consents, permissions, and authorizations required by applicable laws prior to uploading, sharing, and exporting Upload Data with the Services.
Upload Data includes Sample Data and Sample Metadata.
- Raw Sample Data:“Raw Sample Data” is full genetic sequence data uploaded by Users (i.e. FASTA or FASTQ files). Genetic sequence data contains genetic information about pathogens in the sample and of the host from which the sample was taken. The host could be a human or non-human (e.g., mosquito). Host genetic information is filtered out in order to generate Reports, so Report Data should not contain any human sequence data.
- Sample Metadata:“Sample Metadata” includes information related to the Raw Sample Data, such as the host type (e.g., human or mosquito), upload date, and tissue type and free-text research notes entered by Users. This data should not include personally-identifying information regarding the individual to whom the Raw Sample Data relates.
Upload Data is used for the following purposes:
- To create Report Data (described below), including new reports for Users when we update our Data Pipeline.
- To improve the way CZ ID creates Report Data, including improving our Data Pipeline.
- To debug in the event you reach out to us with a specific issue related to your Upload Data.
We will never sell your data or share it with anyone that does.
Raw Sample Data is never shared with anyone other than the User that uploaded the Sample. Even staff working on CZ ID cannot access this information except as specifically instructed by a User, such as to debug an issue.
In order to advance CZ ID's goal of creating a global pathogen dashboard for researchers, Report Data and Sample Metadata will be made available to all CZ ID users 1 year after Raw Sample Data is uploaded. Before this 1-year anniversary of upload, Users can also choose to share their Report Data and Sample Metadata by creating Projects (groups of Reports) and sharing those Projects with other CZ ID users.
If you have questions about how this 1-year anniversary policy impacts your data, then please reach out to email@example.com.
To the extent that the European Union’s General Data Protection Regulation (“GDPR”) applies, we rely on the following legal bases to use and share personal data within Upload Data:
- The explicit consent of the individual whose data is contained in Raw Sample Data, where such consent has been obtained by the User in accordance with the GDPR; and
- The public interest and our and our Users’ legitimate interest in investigating and stopping the spread of infectious diseases and promoting global health. The use and sharing of personal data within Upload Data furthers the public interest in the area of public health, particularly by helping to protect against serious cross-border threats to health. The processing of personal data within Upload Data is also necessary for scientific research purposes.
Report Data is information CZ ID produced from Upload Data. We generate Report Data by processing Upload Data through our Data Pipeline. The “Data Pipeline” cleans (e.g., by removing duplicate nucleotides) and analyzes (e.g., by matching Raw Sample Data nucleotide sequences with known pathogen sequences) the Upload Data. Report Data may include, for example, data about the pathogen sequences identified in the Raw Sample Data and the frequency of such identification (“Pathogen Data”) or raw numeric counts of non-personally identifying gene expression profiles that were found in the Raw Sample Data (“Gene Counts”).
Once Raw Sample Data has been put through the Data Pipeline, the Report Data that is produced no longer includes any human genetic sequence data, and is not personal data, and does not, on its own, permit association with any specific individual. If you are able to find human sequence data in any Reports in CZ ID, please let us know at firstname.lastname@example.org and we will address it.
As mentioned above, after 1 year from when Raw Sample Data is uploaded, Report Data (including Sample Metadata) is visible to all CZ ID Users, and they may share it with others beyond CZ ID. This does not include Raw Sample Data - those genetic sequence files are available only to the User that uploaded the Sample.
Users also have the option to share their Report Data with certain third party tools, like Nextclade. You control whether to use this integration or not. If you do, we will collect basic information about your use of that integration, such as how often you use it.
3.Visitor and User Data.
Visitor and User Data is the information we collect from you and your use of CZ ID.
- Visitor Data.This is information collected from visitors to our website, whether or not they are Users (“Visitor Data”).
- User Data.User Data is any information we collect from a User about that User (“User Data”). It may include information necessary to create or access your account such as your name, username, email address, and login credentials.
- Device and Analytics Data.When Visitors and Users visit or use our Service, we may automatically collect Device Data or Analytics Information. “Device Data” includes information about your browser type and operating system, IP address and/or device ID, including basic analytics from your device or browser. “Analytics Information” relates to any of your requests, queries, or use of the Services, such as the amount of time spent viewing particular web pages. We use Google Analytics for this service.
Visitor Data and User Data (including any Personal Data in the Visitor Data and User Data) will be used for the following purposes:
- To identify you, create a profile for Users, and verify User’s identity so you can log in to and use CZ ID.
- To provide you with notices about your account and updates about CZ ID.
- To respond to your inquiries and requests.
- To analyze how Users and Visitors are using CZ ID so we can optimize and improve it.
- To protect the security and integrity of CZ ID.
We (along with CZI LLC) have a legitimate interest in using personal data within Visitor Data and User Data in the ways described in this Privacy Notice operate, secure, and improve CZ ID. This allows us to improve the service that we provide to Users which, in turn, supports research regarding the study of infectious disease with the potential to benefit global public health.
4.Vendors and Other Third Parties.
CZ Biohub and CZIF collaborate closely in order to build, design, and operate CZ ID so that it can be as useful as possible to researchers and the public health community. CZI LLC is our primary technology partner, focusing on CZ ID infrastructure, security, and compliance. The three parties are all data controllers for data within CZ ID and will use data only as described in this Privacy Notice.
We also share Upload Data, Report Data, Visitor Data, and User Data with service providers, including service providers to CZI LLC, such as database providers like Amazon Web Services and customer support providers like Zendesk. We may also share Visitor and User data with analytics vendors that assist us to improve and optimize CZ ID. To learn more about our vendors we use, please see our FAQ or contact us at email@example.com.
If we can no longer keep operating CZ ID or believe that its purpose is better served by having another entity operating it, we will transfer CZ ID and all data existing therein (Upload Data, Report Data, Visitor Data, and User Data) so that the Users can continue to be served. We will always let you know before this happens, and you will have the option to delete your account and any data you’ve uploaded. Should this occur, the entity to which we transfer your data will be obliged to use it in a manner that is consistent with this Privacy Notice and the Terms.
We may disclose Upload Data, Report Data, Visitor Data, and/or User Data if we believe in good faith that such disclosure is necessary (a) in connection with any legal investigation; (b) to comply with relevant laws or to respond to subpoenas or warrants served on us; (c) to protect or defend our rights or property or those of Users; and/or (d) to investigate or assist in preventing any violation or potential violation of the law, this Privacy Notice, or our Terms.
5.How We Protect the Information.
We use industry standard security measures to ensure the confidentiality, integrity and availability of data uploaded into CZ ID. This includes practices like encrypting connections to CZ ID using TLS, hosting CZ ID on leading cloud providers with robust physical security, and ensuring that access to any personal data within CZ ID by staff working on the tool is strictly limited. And as mentioned above, Raw Sample Data is never shared with anyone other than the User that uploaded the Sample. Even staff working on CZ ID cannot access this information except as specifically instructed by a User, such as to debug an issue.
Security takes ongoing work and we will continue to monitor and adjust our security measures as CZ ID develops. Please notify us immediately at firstname.lastname@example.org if you suspect your account has been compromised or are aware of any other security issues relating to CZ ID.
6.How Long We Retain Data and Data Deletion.
We retain your personal data only as long as is reasonably necessary:
- Raw Sample Data and Sample Metadata is retained until Users delete it from CZ ID. Users may submit deletion requests by emailing email@example.com and we will delete the requested Raw Sample Data and corresponding Report Data (including Sample Metadata) within 60 days.
- Report Data produced by CZ ID will be retained on CZ ID.
- User Data is retained until Users delete their CZ ID account as such data is required to manage the service. Users may submit account deletion requests by emailing firstname.lastname@example.org. We will delete personal data within 60 days following close of your account.
Please note that we do not control, and so cannot delete, personal data that Users have copied outside of CZ ID.
7.Choices About Your Data.
If you are a User, you have the following choices:
- Users are able to request the deletion of User Data that constitutes their personal data or Raw Sample Data that they submitted to CZ ID.
- Users are able to access and download Report Data relating to Upload Data they submitted within CZ ID.
- Users may also object to the processing of User Data in certain circumstances by emailing email@example.com. In such cases, we will stop processing that data unless we have legitimate grounds to continue processing it -- for example, it is needed for legal reasons.
- Users can also contact us by emailing firstname.lastname@example.org should they wish to access, restrict the processing of, or rectify their User Data.
If a User has submitted Upload Data containing your personal data, please see below:
- We require Users who submit Upload Data to ensure they have all necessary consents, permissions, and authorizations to do so. We are unable to relate Upload Data to identifiable individuals and so cannot directly process requests from persons whose personal sequencing data may be contained in Upload Data. As a result, CZ ID is able to receive access, restriction, rectification, objection, or deletion requests only from Users.
- If you believe your information has been uploaded to CZ ID, you should contact the researcher or User that uploaded this information to (i) request access to the information, (ii) object to the processing of the information, or (iii) seek deletion, restriction, or rectification of the information. Similarly, if you previously provided consent to a researcher or User, you may have the right to withdraw that consent. You should contact the researcher or User to make such a withdrawal or otherwise exercise your rights.
Please contact us at email@example.com if you would like to exercise the privacy choices discussed above or if you have any questions. If your data is subject to the EU data protection law (e.g., GDPR) and you wish to raise a concern about our use of your information (and without prejudice to any other rights you may have), you have the right to do so with your local supervisory authority or by emailing us at firstname.lastname@example.org.
CZ ID is a global service. By using CZ ID, Users authorize us to transfer and store the uploaded data outside of your home country, including to the United States, for the purposes described in this Privacy Notice.
If you want to use CZ ID, you must first agree to our Terms, which set out the contract between CZ ID and our Users. We operate in countries worldwide (including in the United States) and use technical infrastructure in the United States to deliver the Services to you. In accordance with the contract between us and our Users, we need to transfer personal data to the United States and to other jurisdictions as necessary to provide the Services. Such transfers are necessary for important reasons of public interest, namely global health and providing information which can be used by researchers to better understand the spread of infectious diseases. Please note that the privacy protections and the rights of authorities to access your information in these countries may not be the same as in your home country.
9.How to Contact Us.
If you have any questions, comments, or concerns with this Privacy Notice, you may contact our Data Protection Officer (DPO) by email at email@example.com or by physical mail at the addresses below.
To comply with article 27 of the GDPR and the UK-GDPR, we have appointed a representative who can accept communications in relation to personal data processing activities falling within the scope of the GDPR or the UK-GDPR. If you wish to contact them, their details are as follows:
Bird & Bird GDPR Representative Services SRL
Avenue Louise 235
Bird & Bird GDPR Representative Services UK
12 New Fetter Lane
London EC4A 1JP
10.Changes to This Privacy Notice.
This Privacy Notice was last updated on the date above. We may update this Privacy Notice from time to time and will provide you with notice of material updates before they become effective.