Privacy policy

PatientsLikeMe (https://www.patientslikeme.com) (“Platform”) is a health data tracking and online health community that enables its members to share their data and experiences. The platform is operated by PatientsLikeMe, LLC (“PatientsLikeMe”). This Privacy Policy describes how the information collected from users of the Platform, including individuals who have registered to join (“Members”), may be used.

We reserve the right to modify this policy at any time, and without prior notice, by posting an amended Privacy Policy on the Platform. We will notify Members of changes we make to this Privacy Policy. We also encourage Members to review this policy periodically for any updates.

What is PatientsLikeMe.com?

PatientsLikeMe provides this platform for patients who want to:

• track their health data so they can be an active participant in their own healthcare and symptom management
• create collective knowledge about disease, health, and treatments by:
  • contributing their health data to research
  • sharing their health information with other members of the PatientsLikeMe online Community
  • connecting with other members and providing peer support and being able to share their own experiences with conditions that affect health and wellness
• provide increased awareness and access to healthcare services

Who Might View or Have Access to The Data We Collect?

If you become a Member of the Platform, there are four broad groups of people who might have access to your data.

The Community – This refers to your fellow Members on the platform. You can share your data through your profile and the various social components on the site. By sharing your data, others can learn from it. You can mark some data (such as a condition) to be reserved for your Personal View only and that will not be made visible to the Community.

PatientsLikeMe – We use the data you provide internally, both to improve our services and to conduct our own research.

Our Partners – PatientsLikeMe frequently partners with other institutions to conduct research and manage patient communities. These Partners could include, but are not limited to: universities, pharmaceutical companies, hospital systems, value-based care providers, insurance companies, regulatory bodies (including the US Food and Drug Administration (the FDA)), and other entities.

Vendors – We also contract with various service providers for business and technical services like email delivery, site hosting, marketing, advertising, help desk support, and others.

Details of how these different groups might access or use our data are provided below.

Privacy Settings

There are three privacy levels you may choose for participation on the Platform if you are a Member.

You choose one of these settings:

Public view: The data associated with your username and avatar image is viewable by both non-members and members of PatientsLikeMe; or

Community view: The data associated with your username and avatar image is only viewable on the Platform by other members of PatientsLikeMe; or

Personal view: Some data (as specified by you) will not be viewable on the Platform by anyone but you (For example, you may specify one or more conditions you are tracking should be hidden from your fellow members. Note that the PatientsLikeMe team can see this data when necessary, but other PatientsLikeMe members will not see it.)

Public profiles may be indexed or stored by Internet search engines (e.g., Google) or other independent sites, which means your information might come up in the search results by anyone on the Internet, even after you change to a different privacy level.

You can change your privacy level at any time. None of the privacy levels allows non-members of the community to contact you.

What Kind of Information We Collect

Identifying Data

Data that is identifying or potentially identifying is treated as “Identifying Data.” This data includes:

• userID assigned by the Platform
• Platform password (this is collected as part of registration and stored as a one-way hash so that no one, other than you, knows what your password is)
• Name (Member may provide as part of registration or in a Member's Account Information)
• Date of Birth
• Email address
• Mailing address (may be collected via email, forms, or Private Message with PatientsLikeMe staff as part of Member programs such as t-shirt giveaways and PatientsLikeMe InMotion™)
• IP Addresses
• Geolocation data
• Private Message content for Private Messages between Members
• Any of the above entered as free text

PatientsLikeMe may de-identify Identifying Data. This would include removing identifying information from free text entries like forum posts or comments. Once identifying information is removed, PatientsLikeMe no longer treats the data as Identifying Data.

PatientsLikeMe may aggregate or statistically analyze Identifying Data from more than one member, in which case such resulting aggregated or statistically analyzed data will not be treated as Identifying Data by PatientsLikeMe.

Non-Identifying Data

“Non-Identifying Data” is all information, except Identifying Data, that Members provide about themselves when using the Platform or in other communications with PatientsLikeMe. Examples of Non-Identifying Data that Members may submit include:

• Non-identifying photographs
• Age (unless over 89)
• Location (city, state/province, country)
• Sex
• Gender identity
• Condition/disease information (e.g., first symptom, family history)
• Treatment information (e.g., treatment stop reasons, dosages, side effects, treatment evaluations)
• Symptom information (e.g., severity, duration)
• Outcome scores (e.g., ALSFRS-R, MSRS, PDRS, FVC, PFRS, DailyMe, and MonthlyMe measures (not including free-text associated with this tracking))
• Health measures (e.g., weight, blood pressure, sleep, activity)
• Laboratory results and biomarkers (e.g., CD4 count, viral load, creatinine, images)
• Structured survey responses
• Non-identifying information shared via free text fields (e.g., the forums, treatment evaluations, surveys, annotations, journals, feeds)
• Connections to other people on the Platform (e.g., Followers, Leaders, and Groups)

PatientsLikeMe may aggregate or statistically analyze data, including from more than one Member. The resulting aggregated or statistically analyzed data shall be treated as Non-Identifying Data by PatientsLikeMe.

Platform Use Data

We, our Partners, and our Vendors, use analytics code and may use web tracking technologies such as cookies and pixel tags to understand how Members use our platform and to improve products and services. Such collected data (“Platform Use Data”) can include the URL of the websites you visited before and after you visited our Platform, the type of browser you are using, your Internet Service Provider, what pages in our Platform you visit, what links you click on, date and time of your visit and duration, whether you open email communications we send to you, and whether you interact with advertising or content displayed on the site and third-party sites. The analytics code also collects information about you such as geolocation, age, gender, affinity categories, and interests, which can be used by PatientsLikeMe. You may be able to modify your browser settings to alter which web tracking technologies are permitted when you use the Platform, but this may limit your use of the Platform.

Platform Use Data is typically only used by PatientsLikeMe, and our Vendors. However, when de-identified it may be shared with our research Partners to help them understand how members use and benefit from the site.

Advertising

Some content or applications, including advertisements, on the PatientsLikeMe website are served by third parties, including advertisers, ad networks and servers, content providers, and application providers. These third parties may use cookies, alone or in conjunction with web beacons or other tracking technologies, to collect information about you when you use our website. The information they collect may be associated with your personal information or they may collect information, including personal information, about your online activities over time and across different websites and other online services. They may use this information to provide you with interest-based (behavioral) advertising or other targeted content.

We do not control these third parties' tracking technologies or how they may be used. If you have any questions about an advertisement or other targeted content, you should contact the responsible provider directly. For information about how you can opt out of receiving targeted advertising from many providers, see Choices About How We Use and Disclose Your Information.

In line with the above, PatientsLikeMe currently works with Publisher First, Inc., d/b/a Freestar, to serve advertisements on our site. The Freestar privacy policy may be found here for your review.

How Data is Used and Shared

You should expect that every piece of Non-Identifying Data you submit on PatientsLikeMe.com may be shared with Partners.

Non-Identifying Data may be displayed to the Community on PatientsLikeMe.com, unless you specify that it be reserved for your Personal View and not to be displayed to the Community. This is controlled by the privacy settings you selected. (See the Privacy Settings section of this Privacy Policy above.)

Members are encouraged to share health information but should consider that the more information that is entered, the more likely it is that you could be located or identified.

How Identifying Data is Used

There are only 3 ways Identifying Data is shared with the community.

• The username you created on PatientsLikeMe.com is used throughout the site to represent you and your profile.
• Your avatar image, whether or not it is identifying, is also used to represent you and your profile on the site.
• Any identifying information you choose to share as free text in the various social features of the site will be shared with everybody on the site who chooses to read it.

If you are using the Platform with a special account type other than the regular Patient account type, additional identifying information about you may be shared. For example:

• Doctors or Researchers who were granted an official doctor or research account, will have their full name and affiliation viewable by the Community via their profile;
• PatientsLikeMe employees and contractors may have a Staff account which identifies them as PatientsLikeMe Staff.

We will never sell your identifying information for non-PatientsLikeMe advertising purposes.

PatientsLikeMe uses Identifying Data internally, as needed, for research, for maintenance and operation of the Platform, and to create better tools and more personalized experiences for you. We take steps to protect this Identifying Data and limit access to only those who need it for their job.

If we have a Member's permission, their e-mail address will be used by PatientsLikeMe to send them a variety of notifications, including private message notifications, newsletters, study invitations, and promotional content from PatientsLikeMe and some of our Partners. You may change this setting at signup, on your account page, or by clicking the unsubscribe link at the bottom of any email you receive from PatientsLikeMe. However, all Members receive administrative emails (e.g., password reset), which you cannot opt out of while you remain registered with the Platform.

Additionally, Identifying Data is not shared with or sold to Partners unless explicit consent is given. Specific instances where consent may be requested include:

• Special research projects and studies
• Co-registration with a Partner
• Media interviews of a Member
• Participation in a health management program or sponsored group on PatientsLikeMe

PatientsLikeMe, in some instances, will allow Vendors to have access to Identifying Data for the purpose of operating or improving the Platform or other PatientsLikeMe activities and offerings (such as research studies and managed communities). PatientsLikeMe investigates all engaged Vendors to ensure that their security and privacy practices are compliant with relevant regulations and up to PatientsLikeMe standards. Specific examples where a Vendor may have access to Identifying Data include:

• If you make a request, PatientsLikeMe may provide a Vendor the minimum amount of Identifying Data needed to fulfil the request. Examples include requesting to receive the company newsletter via email, requesting an email response from the PatientsLikeMe support team, or requesting a t-shirt be sent to your postal mail address.

• We may use your identifying information to exclude you from certain PatientsLikeMe advertisements or to present certain advertising, content, or participation opportunities to you.

How Non-Identifying Data is Used

The Non-Identifying Data you add to your profile--except for data that you have marked for Personal View only--is displayed to the Community via your profile pages. (See the Privacy Settings section of this Privacy Policy above.)

Aggregated data (for example, counts of the number of Members with a certain condition or on a particular treatment) is not identifying and is displayed to the Community and shared with Partners. Data that a Member has marked as reserved to their Personal View may be included in such counts.

In addition to serving the individual needs of our Members, PatientsLikeMe and its Partners are interested in better understanding the patient experience and improving treatment options, information sharing, and health outcomes for everyone. For example, we may look at questions such as, “Do certain treatments work better for some types of people versus others?” PatientsLikeMe provides Non-Identifying Data, in individual and aggregate format, to Partners for use in scientific research, product development, managed communities, and market research. When selling this information, PatientsLikeMe removes Members’ Identifying Data (de-identification) to reduce the possibility of re-identification and contractually forbids Partners from trying to re-identify Members.

PatientsLikeMe may periodically ask Members to complete surveys about their experiences (including questions about products and services). Survey responses (possibly in combination with data from the Platform) are analyzed by PatientsLikeMe researchers. Insights from the analysis may be shared with and/or sold to Partners in a way that does not identify any respondent. Member participation in these surveys is not required and refusal to do so will not impact a Member’s experience with PatientsLikeMe.

PatientsLikeMe may report individual adverse event and drug safety information to regulatory Partners like the FDA, CDC, or other bodies (US and international) as well as directly to pharmaceutical and other Partners. When reporting such information, PatientsLikeMe does not provide Identifying Data, although we reserve the right to contact Members for follow-up at the request of agencies or Partners. In this context, the data that PatientsLikeMe reports may include free text or images on the forums or evaluations.

Finally, PatientsLikeMe may use Non-Identifying Data internally or send it to Vendors who assist with operating our services. For example, we may send treatment or condition information to an e-mail provider so that information can be included in messages we send to you. In addition, some Vendors may use Non-Identifying Data to improve their own products and services.

PatientsLikeMe, like other online communities, is a “public forum.” Be aware that Non-Identifying Data, in the right combinations, might be used by other Members of the community to identify you. For example, having a very rare disease might make it easier to identify somebody when gender and state of residence are also known.

For clarity, “public forum” in this context does NOT mean that the content and data are freely usable by third parties. Any uses outside of our Terms of Use and this Privacy Policy are prohibited.

How Platform Use Data is Used

We use Platform Use Data for several purposes:

Authentication: We use Platform Use Data stored in cookies on your computer to indicate that you have logged into your PatientsLikeMe account and to enable you to use certain portions of our Platform.

Understand Our Users: We use Platform Use Data to analyze trends, track users' movements around the Platform, and gather demographic information about our user base as a whole. This provides us with the ability to determine aggregate information about our user base and usage patterns. Understanding how people use our Platform allows us to make the Platform better for everybody. It may also be used by our Vendors to improve their products and services. We may use this information, possibly in coordination with one of our Partners, to do relevant analysis on user behavior or medical outcomes. We do not sell this usage data to third parties for advertising or marketing purposes. We sometimes provide our Partners with aggregated usage data of all individuals they have referred to our site. We will only provide your personally identifying or identifiable Platform Use Data to Partners with your express consent.

Administer Platform: We use Platform Use Data to help administer the Platform and Members’ use of the Platform. We may, in some circumstances, need to review this Platform Use Data in combination with specific Identifying Data to troubleshoot and resolve issues for individual users.

Advertising: We may use cookies or Platform Use Data to tailor advertisements about joining PatientsLikeMe, to promote certain advertiser content, participation opportunities, or to exclude you from notifications that are not relevant to you, including when you are visiting other sites or platforms. We may additionally use the information we have collected from you to enable us to display advertisements to our advertisers' target audiences. Even though we do not disclose your personal information for these purposes without your consent, if you click on or otherwise interact with an advertisement, the advertiser may assume that you meet its target criteria.

Choices About How We use and Disclose Your Information

We strive to provide you with choices regarding the personal information you provide to us. We have created mechanisms to provide you with the following control over your information:

Tracking Technologies and Advertising: A cookie is a small data file stored by your browser that can be retrieved by sites at a later time. Personal cookie preferences may be managed by utilizing the PatientsLikeMe Cookie Manager, as described below:

• Required Cookies. Cookies necessary for the core features of PatientsLikeMe to operate properly. These cookies cannot be disable using the PatientsLikeMe Cookie Manager. You may be able to use your browser cookie settings to refuse all cookies, but please note that some parts of this site may then be inaccessible or not function properly.

• Optional Cookies. Cookies that allow PatientsLikeMe and its Partners to evaluate site usage in order to improve its performance and to provide a more personalized user experience. Optional cookie categories can be disabled using the PatientsLikeMe Cookie Manager.

Disclosure of Your Information for Third-Party Advertising: If you do not want us to share your personal information with unaffiliated or non-agent third parties for promotional purposes, you can opt-out by utilizing the PatientsLikeMe Cookie Manager, or by sending us an email with your request to privacy@patientslikeme.com.

Targeted Advertising: If you do not want us to use information that we collect or that you provide to us to deliver advertisements according to our advertisers' target-audience preferences, you can opt-out by utilizing the PatientsLikeMe Cookie Manager, or by sending us an email with your request to privacy@patientslikeme.com. For this opt-out to function, you must have your browser set to accept all browser cookies.

We do not control third parties' collection or use of your information to serve interest-based advertising. However these third parties may provide you with ways to choose not to have your information collected or used in this way. You can opt out of receiving targeted ads from members of the Network Advertising Initiative ("NAI") on the NAI's website.

Residents of certain states may have additional personal information rights and choices. Please see Your State Privacy Rights for more information.

Closing Your Account

You are free to stop using this service at any time.

• You can "deactivate" your account, in which case PatientsLikeMe keeps your data stored so that you can return and reactivate without losing that data. If you choose to deactivate your account, PatientsLikeMe will not display or share your data as of the date of deactivation. PatientsLikeMe will not use your data in any research that begins after the date of your deactivation.
• Alternatively, you can "delete" your account and data, in which case your data is permanently removed from PatientsLikeMe and cannot be recovered.

Note: If you request deactivation or deletion, research that is already in progress or that was conducted prior to your request, will still include your data. This is important to support peer review of the research and replication of results — important parts of the scientific process. PatientsLikeMe keeps special archives of your data for this purpose in accordance with relevant US and EU/EEA/UK regulations.

Other Special Cases

There are instances, not covered above, where your Non-Identifying Data, Identifying Data, and Platform Use Data may be used and disclosed, including, but not limited to, the following:

• PatientsLikeMe may use your data in the case of an emergency or other circumstance that we determine requires a member of the management team to directly contact the Member (for example, a data breach that put the Member’s data at risk).
• PatientsLikeMe may share or disclose your data where required to comply with lawful requests from public authorities, including for national security or law enforcement requests, to comply with legal process, to resolve disputes, to enforce our agreements (including this Privacy Policy and the Terms of Use Agreement), or if in our reasonable discretion, use is necessary to protect our legal rights or to protect third parties.
• PatientsLikeMe may transfer your data to any successor to its business as a result of any merger, acquisition, asset sale, bankruptcy proceeding, or similar transaction or event. Members will be made aware of any changes in the current Privacy Policy that results from such a transfer.

Other Security Issues

PatientsLikeMe cannot guarantee the identity of any Members with whom you may interact in the course of using the Platform or who may have access to your displayed data. Additionally, we cannot guarantee the authenticity of any data that Members may provide about themselves.

PatientsLikeMe takes commercially reasonable technical precautions to help keep Member data secure, consistent with applicable EU, UK, and US laws. We take these precautions in an effort to protect your information against security breaches. However, this is not a guarantee that such information may not be accessed, disclosed, altered, or destroyed by breach of firewalls and secure server software. By using our Platform, you acknowledge that you understand and agree to assume these risks.

In the event of a breach, PatientsLikeMe will notify relevant regulatory authorities within 72 hours of becoming aware of the breach. We will notify affected Members as soon as possible after that.

Risks and Benefits

While our goal is to help patients improve health outcomes, there are no certain benefits to using this website. However, keeping track of personal well-being, treatments, and symptoms has been shown to be helpful in improving overall health.

There is a possibility that you may feel uncomfortable sharing information online. It is possible that you could be identified using information you elect to display on PatientsLikeMe (and/or in conjunction with other data sources). You could be discriminated against or experience repercussions as a result of the information you share. For example, it is possible that employers, insurance companies, or others may discriminate based on health information.

You should understand that anyone can register on PatientsLikeMe and view the data you have elected to share on the Platform.

In using the Platform, you are free to skip any non-required questions or data fields that make you feel uncomfortable.

Links to Other Websites or Apps

The PatientsLikeMe health services hub aims to connect members to useful healthcare resources that may help them in managing their conditions. As a result, PatientsLikeMe may link to or refer to third party websites or services that we do not own or control. Any personal information you provide to them is provided directly to such third party and is subject to the third party’s privacy policy. The PatientsLikeMe Privacy Policy does not apply to other websites or services, and we are not responsible for the privacy practices or content of any websites or services not controlled by us, nor are we responsible for such third party’s use or misuse of your personal information. If you have any concerns, we urge you to review the terms of those other websites or services for more information about their applicable policies.

Questions about the Privacy Policy

If you have questions or comments about our Privacy Policy, please let us know, or contact us at:

PatientsLikeMe LLC
Attn: Privacy and Compliance Dept.
6 Liberty Square, Suite 2602
Boston, MA 02109

Privacy@Patientslikeme.com

Your State Privacy Rights

State consumer privacy laws may provide their residents with additional rights regarding our use of their personal information.

California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia provide (now or in the future) their state residents with rights to:

• Confirm whether we process their personal information.
• Correct inaccuracies in their personal information, taking into account the information's nature processing purpose (excluding Iowa and Utah).
• Data portability.
• Opt-out of personal data processing for:
  • targeted advertising (excluding Iowa);
  • sales; or
  • profiling in furtherance of decisions that produce legal or similarly significant effects (excluding Iowa and Utah).
• Either limit (opt-out of) or require consent to process sensitive personal data.

The exact scope of these rights may vary by state. To exercise any of these rights please send us an email with your request to privacy@patientslikeme.com. To appeal a decision regarding a consumer rights request please send us an email with your notice of appeal to privacy@patientslikeme.com

California Online Privacy Protection Act Notice

On September 27, 2013, California enacted A.B. 370, amending the California Online Privacy Protection Act to require website operators like us to disclose how we respond to "Do Not Track Signals" and whether third parties collect personally identifiable information about users when they visit us.

• We do not track user activity that does not occur on our site and therefore do not use "do not track" signals.

• We do not authorize the collection of personally identifiable information from our users for non-PatientsLikeMe advertising purposes through advertising technologies without separate member consent.

California Civil Code Section 1798.83 also permits our members who are California residents to request certain information regarding our disclosure of Personal Data to third parties for their direct marketing purposes. To make such a request, please send an email to privacy@patientslikeme.com. Please note that we are only required to respond to one request per Member each year.

Governing Law and Platform Visitors from outside the United States

We and our servers are located in the United States and are subject to the applicable US local and national laws. These laws may not have equivalent privacy protection as those in your country of residence. When we share information about you with our various Partners, the data-sharing agreement includes data protection clauses. PatientsLikeMe, LLC adheres to the EU-U.S. DPF Principles with regard to personal data transferred from the European Union and the United Kingdom and the Swiss-U.S. DPF Principles with regard to personal data transferred from Switzerland. We also comply with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce.

Be aware that the European Court of Justice (ECJ) has determined that no data transferred to the United States can be adequately protected from the United States government and that the United States does not provide adequate judicial remedies against the United States government for invasions of Europeans’ privacy.

Those who choose to access the Platform do so on their own initiative and understanding that their use of the Platform and PatientLikeMe’s use of the Non-Identifying Data, Identifying Data, and Platform Use Data is subject to EU, UK, and US laws and regulations including the GDPR. If users choose to access or use the Platform, they consent to the use and disclosure of information (including GDPR "special category" data such as race, ethnicity, and data concerning health) in accordance with this Privacy Policy and subject to such laws. Transfer of data from residents of the EU/EEA/UK is done under this consent and also for the purpose of providing this service to those users, as allowed by Article 49 of the GDPR.

PatientsLikeMe, LLC complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. PatientsLikeMe, LLC has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. PatientsLikeMe, LLC has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/s/

PatientsLikeMe LLC is subject to the regulatory and enforcement authority of the US Federal Trade Commission.

We acknowledge the right of EU, UK, and Swiss individuals to access their personal data under the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF. Individuals wishing to exercise this right may do so by contacting our community team.

We will also provide EU, UK, and Swiss individuals opt-out or opt-in choices before we share their data with third parties other than our agents, or before we use it for a purpose other than which it was originally collected or subsequently authorized. To request to limit the use and disclosure of your personal information, you may do so by contacting our Community team.
Pursuant to the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, PatientsLikeMe LLC is liable for the onward transfer of personal data to third parties unless we can prove we were not a party to the actions resulting in the damages.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, PatientsLikeMe, LLC commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU and UK individuals and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF should first contact PatientsLikeMe, LLC at:
privacy@patientslikeme.com.

PatientsLikeMe, LLC complies with the EU-U.S. Data Privacy Framework program (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework program (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. PatientsLikeMe, LLC has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. PatientsLikeMe, LLC has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework program Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/s/

PatientsLikeMe, LLC has further committed to refer unresolved privacy complaints under the DPF Principles to an independent dispute resolution mechanism, Data Privacy Framework Services, operated by BBB National Programs. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://bbbprograms.org/programs/all-programs/dpf-consumers/ProcessForConsumers for more information and to file a complaint. This service is provided free of charge to you.

If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See https://www.dataprivacyframework.gov/s/article/G-Arbitration-Procedures-dpf?tabset-35584=2

General Data Protection Regulation (GDPR)

All individuals have rights regarding their data. The European Union’s (EU) General Data Protection Regulations (GDPR) describes these rights in law. They include:

• You have the right to clear and transparent communication about your data. We want to make this policy as clear as possible and provide a friendlier version to help you understand it.
• You have the right to request a copy of your data in a common digital format. To request this information, please contact our community team.
• You have the right to edit or correct your data. You can edit most of your information on the Platform. If you need help with this, contact our community team.
• You have the right to request that your data be deleted. To do this, contact our community team.
• You have the right to be notified of any breach involving your data. We will notify the appropriate data protection authority within 72 hours of detecting a breach involving your data. We will notify you as soon as possible after that.
• You have the right to object to the processing of your data. You may decline any consent request to share your identifying data with a Partner and this will have no impact on your use of the service. For clarity, we may still share with our Partners data regarding you that does not identify you and is not connected with you. You may request to close your account at any time (see Closing Your Account above).

In some cases, these rights might be restricted. Some examples would include where the information requested compromises the privacy of another individual or is the subject of legal proceedings or investigation. Additionally, processing that has already occurred cannot be undone. If you have questions or complaints about our handling of these rights, see the information at the end of this policy.

What are the Legal Bases for Our Collection and Use of Your Data?

GDPR sets out a number of possible bases, three of which apply to PatientsLikeMe and the Platform:

• We need to use some identifying information just to operate the service. This includes your email address, username, password, and IP address, among other items.
• We use your data for research with your consent, as described in this Privacy Policy. We will always ask for your additional, explicit consent before sharing identifying information with our Partners. This is described further, below.
• In rare cases we may need to share your data to comply with a legal obligation. See "Other Special Cases" above.

GDPR Recourse For Individuals in the EEA

Our representative in the EU for GDPR purposes is Foley Hoag AARPI. If you are a resident of the EEA, you can contact our representative at:

Foley Hoag AARPI
153 rue du Faubourg Saint-Honoré
75008 Paris, France

If you are a resident of the European Union or the UK and have a complaint about our use or processing of your data, you have a right to lodge a complaint with a national Data Protection Authority. The UK and each European Union member nation has established its own Data Protection Authority; you can find out about the Data Protection Authority in your country.

History of Updates/Changes to Terms and Conditions of Use:

• On Mar 1, 2024, Updates have been applied throughout the Privacy Policy in support of the evolving strategy of PatientsLikeMe, including but not limited to the launching of managed communities and advertising.
• On Sep 12, 2023, Updates have been applied to the section of the agreement Governing Law and Platform Visitors from outside the United States. These changes have been made to comply with the EU-US Data Privacy Framework (DPF) launched by the Commerce department effective July 17, 2023 as the successor regime to Privacy Shield. These changes have been made with guidance provided during renewal of BBB Data Privacy Frameworks Services with the Data Privacy Framework Services at BBB National Programs and the DPF Program self-certification via the Office of Digital Services Industries Data Privacy Framework (DPF) Team Industry and Analysis at the U.S. Department of Commerce, International Trade Administration.
• On Jun 13, 2023, updated to: clarify Privacy Setting definitions; call out in a second place that PatientsLikeMe collects geolocation data; point out that PatientsLikeMe may post links to third-party websites or services that are not covered by this Privacy Policy; point out that PatientsLikeMe may send emails that contain promotional content; correct text to indicate that no Vendors use Identifying Data for the Vendor's own purposes; and make minor edits.
• On Aug 19, 2021, added explanation of new privacy level ("Personal View") and made wording changes that follow from that throughout. Changed descriptions of data classifications to move away from the old classification of Restricted and Shared and move toward classifications that reflect how the data is used and how the Member controls the use. Added notice that the European Court of Justice (ECJ) found US privacy protections inadequate. Changed corporate postal mail address. Updated the change of control requirements to require PatientsLikeMe’s new owners to provide members with notice of any changes to the Privacy Policy that results from such transfer. Other minor wording changes to improve clarity.
• On Sep 2, 2020, minor updates to sections about data from the EU and UK
• On Aug 19, 2020, minor updates based on annual review to provide increased clarity and reflect changes in business. Updated link to the Council of Better Business Bureaus for Privacy Shield complaints.
• On Sep 17, 2018, updated Privacy Shield compliance language.
• On May 25, 2018, updated language to comply with GDPR and clarified some language aimed at researchers considering using PLM data.
• On Aug 14, 2017, clarified language differentiating vendors and partners, as well as cookie and Platform Use Data usage. Also, added new language for biology and multi-omics, updated advertising policies and other minor changes and reorganization.
• On Mar 20, 2017, added statement to explain ways a member can unsubscribe from emails.
• On Apr 10, 2014, additional examples of shared data were added.
• On Apr 11, 2013, the heading to “How Your Data is Used” was changed and clarifying language was added to both the Cookies and How Your Data is Used sections.
• On Feb 16, 2013, the Safe Harbor section was updated.
• On Mar 5, 2012, this Privacy Policy was revised to clarify language and provide specific examples to help illustrate the meaning of portions of the policy.
• On Aug 25, 2011, the following section was added: “EU Safe Harbor”.
• On Feb 21, 2011, this Privacy Policy was substantially revised to clarify language and provide specific examples to help illustrate the meaning of portions of the policy.
• On Nov 18, 2009, this Privacy Policy was substantially revised to clarify language and provide specific examples to help illustrate the meaning of portions of the policy.
• On Aug 7, 2007, this Privacy Policy was substantially revised and expanded to include additional patient consent language.
• On Mar 26, 2007, this Privacy Policy was substantially revised.
• On Apr 10, 2006, the following clauses were added: “We will provide our Partners with anonymized, aggregated community data with the goal of increasing involvement in disease research” and “except in incidents when you have given explicit permission, e.g. in the ALS Registry.”