Why Do We Share Data
Our goal is to provide a platform for patients who want to share their health information to create collective knowledge about disease, health, and treatments. We know our success in achieving this goal depends on a shared belief in our Openness philosophy. Being open about one’s health is not for everyone, and we strive, with full transparency, to outline the benefits and risks of being part of this sharing site, including those related to privacy.
Your Data Rights, As Expressed by GDPR
All individuals have rights regarding data that is identified or connected to their identity (“Personal Data”). The European Union’s (EU) General Data Protection Regulations (GDPR) describes these rights in law, but PatientsLikeMe believes they apply to all individuals. They include:
- You have the right to clear and transparent communication about your Personal Data. We want to make this policy as clear as possible and provide a friendlier version to help you understand it.
- You have the right to request a copy of your Personal Data in a common digital format. To request this information, please contact our community team.
- You have the right to edit or correct any Personal Data. You can edit most of your information on the site. If you need help with this, contact our community team.
- You have the right to request that your Personal Data be deleted. To do this, contact our community team.
- You have the right to be notified of any breach involving your Personal Data. We will notify the appropriate data protection authority within 72 hours of detecting a breach involving your data. We will notify you as soon as possible after that.
- You have the right to object to the processing of your data. You may decline any consent request to share Personal Data with a Partner and this will have no impact on your use of the service. For clarity, we may still share with our Partners data regarding you that does not identify you and is not connected with you (“De-Identified Data”). You may withdraw consent at any time, though that will not change any processing that has already occurred or research where analysis has started or is completed. You may also request to close your account at any time (see Closing Your Account below).
In some cases, these rights might be restricted. Some examples would include where the information requested compromises the privacy of another individual or is the subject of legal proceedings or investigation. Additionally, processing that has already occurred cannot be undone. Further, these rights to edit, delete, be notified of a breach, and object to processing all apply to Personal Data and do not apply to De-Identified Data that, for example, has been shared by us with our Partners and Vendors.
If you have questions or complaints about our handling of these rights, see the information at the end of this policy.
What are the Legal Bases for Our Collection and Use of Personal Data
PatientsLikeMe believes that the above rights mean that any processing of your Personal Data must have a solid legal basis. GDPR sets out a few possible bases, three of which apply to PatientsLikeMe and the Platform.
- We need to use some identifying information just to operate the service. This includes your email address, username, password, and IP address, among other items.
- We may use identifying information for research with your consent. We will always ask for your explicit consent before sharing this information with our Partners. This is described further, below.
- In rare cases we may need to share your identifying data to comply with a legal obligation. This is described further, below.
As with data rights, we believe that all processing of any user’s Personal Data should be for a clear and transparent reason.
Who Uses The Data We Collect
There are four broad groups of people with whom we share data, including Personal Data.
The Community – This group is you and your fellow patients on the site. You share data, including possibly Personal Data, through your profile and the various social components on the site. By sharing your data others can learn from it.
PatientsLikeMe – We use the data you provide internally, both to improve our services and to conduct our own research.
Our Partners – PatientsLikeMe frequently partners with other institutions to conduct research. These Partners include, but are not limited to: universities, pharmaceutical companies, hospital systems, insurance companies, and regulatory bodies (including the US Food and Drug Administration – i.e. the FDA). One key group of Partners are the other members of the Digital Life Alliance — like-minded digital health, science, and technology companies who work closely with PatientsLikeMe to improve health and healthcare around the globe.
Vendors – We also contract with various service providers for business and technical services like e-mail delivery, site hosting, marketing, help desk support, and others.
Details of how these different groups use our data is provided below.
There are two privacy levels a Member may choose for participation at PatientsLikeMe:
Members only: PatientsLikeMe Members can see the data associated with the Member’s username and avatar image; or
Public: Non-members and Members can see the data associated with the Member’s username and avatar image.
Public profiles may be indexed or stored by Internet search engines (e.g. Google) or other independent sites, which means a Member’s Personal Data may come up in the search results by anyone on the Internet, even after switching privacy levels.
Members may change their privacy level at any time. Neither option will allow non-members of the community to contact you.
What Kind of Information We Collect
When a member enters what could reasonably be used to identify them, that data is treated as “Restricted Data.” Types of Restricted Data that Members may submit on the Platform include:
- Name, as collected as part of registration or in a Member’s Account Information;
- Email address, as collected as part of registration or in a Member’s Account Information;
- Password, as collected as part of registration or in a Member’s Account Information;
- Mailing address, as collected via email, forms, or private message as part of Member programs such as t-shirt giveaways and PatientsLikeMe InMotion™;
- Date of birth, as collected in your profile;
- Genome wide single nucleotide polymorphism analyses, whole exome sequencing analyses, or whole genome sequencing analysis;
- IP Address;
- Any of the above entered as free text; and
- Private messages.
PatientsLikeMe may de-identify Restricted Data, such that it no longer contains identifying information and is no longer Restricted Data, in which case such data shall be treated by PatientsLikeMe as Shared Data (described below). Examples of such de-identification include, but are not limited to, using age instead of birthdate or using a zip code instead of a full address. PatientsLikeMe may also remove identifying information from free text entries like forum posts or comments. Once the identifying information is removed, PatientsLikeMe shall treat the free text as Shared Data.
PatientsLikeMe may aggregate or statistically analyze Restricted Data, including from more than one member, in which case such resulting aggregated or statistically analyzed data shall be treated as Shared Data by PatientsLikeMe.
“Shared Data” is all information, except Restricted Data, that Members provide about themselves when using the Platform or in other communications with PatientsLikeMe. Examples of Shared Data that Members may submit include:
- Biographic and demographic information, e.g. non-identifying photographs, biography, gender, age, location (city, state/province, and country);
- Condition/disease information, e.g. diagnosis date, first symptom, family history;
- Treatment information, e.g. treatment start dates, stop dates, stop reasons, dosages, side effects, treatment evaluations, and information on treatment switching;
- Symptom information, e.g. severity, duration;
- Outcome scores over time, e.g. ALSFRS-R, MSRS, PDRS, FVC, PFRS, Mood Map, weight, DailyMe, and MonthlyMe measures;
- Sensor information, e.g. personal activity trackers;
- Laboratory results and biomarkers, e.g. CD-4 count, viral load, creatinine, voice features, images;
- Status of individual genes or variants (mutations);
- Individual and aggregated structured survey responses;
- Non-identifying information shared via free text fields, e.g. the forums, treatment evaluations, surveys, annotations, journals, feeds, adverse event reports; and
- Connections to other people on the Platform, e.g. invited care team members, mentors, feeds, subscriptions.
PatientsLikeMe may aggregate or statistically analyze Shared Data, including from more than one member, in which case such resulting aggregated or statistically analyzed data shall also be treated as Shared Data by PatientsLikeMe.
Platform Use Data
We, and our Vendors, may use web tracking technologies such as cookies and pixel tags to understand how members use our platform. Such collected data (“Platform Use Data”) may include the URL of the websites you visited before and after you visited our Platform, the type of browser you are using, your Internet Service Provider, what pages in our Platform you visit, what links you click on, date and time of your visit and duration, and whether you open email communications we send to you. You may be able to modify your browser settings to alter which web tracking technologies are permitted when you use the Platform, but this may limit your use of the Platform.
Platform Use Data is typically only used by PatientsLikeMe and our Vendors. However, when de-identified it may be shared with our research Partners, as we do with Shared Data, to help them understand how members use and benefit from the site.
How Member Data is Used and Shared
Members should expect that every piece of Shared Data they submit (even if it is not currently displayed) may be shared with the Community and Partners. Members are encouraged to share health information but should consider that the more information that is entered, the more likely it is that a Member could be located or identified.
How Restricted Data is Used
There are only 3 ways Restricted Data is shared with the community.
- A Member’s username is used throughout the site to represent them and their profile
- A Member’s avatar image, whether or not it is identifying, is also used to represent them and their profile on the site.
- Any Restricted Information a Member chooses to share as free text in the various social features of the site will be shared with everybody on the site who chooses to read it.
If the Member is acting in a role other than patient additional restricted information may be shared. For example:
- If a Member registers with, or is switched to, an official doctor or research account, the Member’s full name and affiliation will be viewable to the community via the Member's profile;
- If a Member is acting as a PatientsLikeMe employee, the Member will be identified as such.
We will never sell, share, or use your restricted information for non-PatientsLikeMe advertising purposes.
PatientsLikeMe uses Restricted Data internally, as needed, for research, for maintenance and operation of the Platform, and to create the best possible tools and experience for patients. We take steps to protect this data and limit access to only those who need it for their job.
If we have a member's permission, their e-mail address will be used to send them a variety of notifications, including study invitations, newsletters, and private message notifications. A member may change this setting at signup, on their account page, or by clicking the unsubscribe link at the bottom of any email they receive from PatientsLikeMe. However, all members receive administrative emails (like forgot password messages) and you cannot opt out of administrative emails while you remain registered with the Platform.
Additionally, Restricted Data is not shared with or sold to Partners unless explicit consent is given. Specific instances where consent may be requested include:
- Special research projects and studies
- Co-registration with a non-profit
- Media interviews of a Member
If you are a participant in PatientsLikeMe’s DigitalMe initiative then you have consented to having your Restricted Data shared more broadly than described here (including broader than may otherwise be permitted under GDPR). Please see the informed consent document for more information.
PatientsLikeMe will share Restricted Data, in some instances, with Vendors for the purpose of operating or improving our services. Before sharing Restricted Data with a Vendor PatientsLikeMe will investigate potential Vendors to ensure that their security and privacy practices are compliant with relevant regulations and up to PatientsLikeMe standards. Specific examples where Restricted Data may be shared with Vendors include:
- If a Member makes a request, PatientsLikeMe may use Restricted Data, including sharing the Member’s Restricted Data with software/service Vendors, for the purpose of fulfilling the request. Examples include requesting to receive the company newsletter via email, requesting an email response from the PatientsLikeMe support team, or requesting a t-shirt be mailed to the Member’s residence.
- We may use your restricted information to exclude you from certain PatientsLikeMe advertisements or to present certain participation opportunities to you via social media advertising.
How Shared Data is Used
Shared Data is shared with the Community via Member profile pages and through aggregated reports that are made available to other PatientsLikeMe Members. In some instances, this Shared Data is also viewable to those not registered to join PatientsLikeMe (“Non-members”). We report publicly Shared Data in aggregate, such as the number of patients on a particular treatment or the number of patients experiencing a particular symptom (see public Treatments and Symptoms sections). If a Member chooses to designate their profile as “Public” (see Privacy Settings above), their Shared Data can also be viewed by Non-members and linked with aggregated reports. These public profiles may be used by anyone accessing the website in reports, conference presentations, media mentions, etc.
In addition to serving the individual needs of our Members, PatientsLikeMe and its Partners are interested in better understanding the patient experience and improving treatment options and health outcomes for everyone. For example, we may look at questions such as, “Do certain treatments work better for some types of people versus others?” PatientsLikeMe provides Shared Data, in individual and aggregate format, to Partners for use in scientific research and market research. When selling this information, PatientsLikeMe removes Members’ Restricted Data (de-identification) to reduce the possibility of re-identification and, where possible, contractually forbids Partners from trying to re-identify Members.
PatientsLikeMe may also periodically ask Members to complete surveys about their experiences (including questions about products and services). Survey responses are analyzed, combined with Members’ Shared Data and shared with and/or sold to Partners. Member participation in these surveys is not required and refusal to do so will not impact a Member’s experience with PatientsLikeMe.
PatientsLikeMe may also report individual adverse event and drug safety information to regulatory Partners like the FDA, CDC, and/or other bodies (US and international) as well as directly to pharmaceutical and biotechnology companies. PatientsLikeMe does not provide Restricted Data to such regulatory bodies, although we reserve the right to contact Members for follow-up at the request of agencies or Partners. The Shared Data that PatientsLikeMe reports may include free text or images on the forums or evaluations. In addition, certain areas within our Platform are provided with the support of Partners. These Partners may have adverse event reporting requirements that relate to regulated products that are used by Members of our community and PatientsLikeMe assists such Partners with reporting adverse events to regulatory agencies.
Finally, PatientsLikeMe may use Shared Data internally or send Shared Data to Vendors who assist with operating our services or performing research. This data is used to provide or improve the services offered and to conduct newer multi-omics research. For example, we may send treatment or condition information to an e-mail provider so that information can be included in message we send to you.
PatientsLikeMe, like other Internet communities, is a “public forum.” Members acknowledge and accept that Shared Data might be used by members of the community to identify them in the right combinations. For example, having a very rare disease might make it easier to identify somebody when age and gender are also known.
How Platform Use Data is Used
We use Platform Use Data for several purposes:
Authentication: We use Platform Use Data stored in cookies on your computer to indicate that you have logged into your PatientsLikeMe account and to enable you to use certain portions of our Platform.
Understand Our Users: We use Platform Use Data to analyze trends, track users' movements around the Platform, and gather demographic information about our user base as a whole. This provides us with the ability to determine aggregate information about our user base and usage patterns. Understanding how people use our Platform allows us to make the Platform better for everybody. We may also use this information, possibly in coordination with one of our research Partners, to do relevant research on user behavior or medical outcomes. We do not sell or provide this usage data to third parties for advertising or marketing purposes, but we sometimes provide our Partners with aggregated usage data of all individuals they have referred to our site. We will only provide personally identifying or identifiable Platform Use Data to Partners with your express consent.
Administer Platform: We use Platform Use Data to help administer the Platform and members’ use of the Platform. We may, in some circumstances, need to review this Platform Use Data in combination with specific Restricted Data to identify and resolve issues for individual users.
Closing Your Account
Members are free to stop using this service at any time. If a Member chooses to deactivate his/her account, PatientsLikeMe will not display or sell the Member’s Personal Data as of the date of deactivation. However, the Member’s Personal Data, including Shared and Restricted Data, will remain in the system for up to 3 years unless you contact our community team to request that your data be deleted.
It is important to note that, even if you request deletion, any research conducted, or in progress, prior to deactivation will still include your data. This is important to support things like peer review and the replication of results — important parts of the scientific process. PatientsLikeMe keeps special archives of your data (which include profile, survey, and DigitalMe data) for this purpose in accordance with relevant US and EU/EEA regulations.
Other Special Cases
There are instances, not covered above, where Shared Data, Restricted Data, and Platform Use Data may be used and disclosed including, but not limited to, the following:
- PatientsLikeMe may use a Member’s data in the case of an emergency or other circumstance that we determine requires a member of the management team to directly contact the Member. For examples, a concern of a suicide attempt or a data breach that put the Member at risk would prompt someone to be in touch.
Other Security Issues
PatientsLikeMe cannot guarantee the identity of any Members with whom a Member may interact in the course of using the Platform or who may have access to a Member’s Shared Data. Additionally, we cannot guarantee the authenticity of any data that Members may provide about themselves.
Finally, Members should know that PatientsLikeMe takes commercially reasonable technical precautions to help keep Member data secure, consistent with applicable EU and US laws. We take these precautions in an effort to protect your information against security breaches. However, this is not a guarantee that such information may not be accessed, disclosed, altered, or destroyed by breach of such firewalls and secure server software. By using our Platform, you acknowledge that you understand and agree to assume these risks.
In the event of a breach, PatientsLikeMe will notify relevant regulatory authorities within 72 hours of becoming aware of the breach. We will notify you as soon as possible after that.
Risks and Benefits
While our goal is to help patients improve health outcomes, there are no certain benefits to using this website. However, keeping track of personal well-being, treatments, and symptoms has been shown to be helpful in improving overall health.
There are also no known risks to using this website, but there is a possibility that users may feel uncomfortable sharing information online. It is possible that a Member could be identified using information shared on PatientsLikeMe (and/or in conjunction with other data sources). A Member could be discriminated against or experience repercussions as a result of the information shared. For example, it is possible that employers, insurance companies, or others may discriminate based on health information.
In using the Platform, Members are free to skip any non-required questions or data fields that make them feel uncomfortable.
Governing Law and Platform Visitors from outside the United States
We and our servers are located in the United States and are subject to the applicable US local and national laws. These laws may not have equivalent privacy protection as those in your country of residence. When we share information about you with our various Partners we use contractual data protection clauses which have been approved by the European commission. We also comply with the EU-US and Swiss Privacy Shield Framework.
Attn: Privacy Issues
160 Second Street
Cambridge, MA 02142
California Online Privacy Protection Act Notice
On September 27, 2013, California enacted A.B. 370, amending the California Online Privacy Protection Act to require website operators like us to disclose how we respond to "Do Not Track Signals" and whether third parties collect personally identifiable information about users when they visit us.
- We do not track user activity that does not occur on our site and therefore do not use "do not track" signals.
- We do not authorize the collection of personally identifiable information from our users for non-PatientsLikeMe advertising purposes through advertising technologies without separate member consent.
California Civil Code Section 1798.83 also permits our members who are California residents to request certain information regarding our disclosure of Personal Data to third parties for their direct marketing purposes. To make such a request, please send an email to email@example.com. Please note that we are only required to respond to one request per member each year.
Privacy Shield Frameworks
PatientsLikeMe, Inc. is subject to the regulatory and enforcement authority of the US Federal Trade Commission.
We acknowledge the right of EU and Swiss individuals to access their personal data under the Privacy Shield. Individuals wishing to exercise this right may do so by contacting our community team.
We will also provide EU and Swiss individuals opt-out or opt-in choice before we share your data with third parties other than our agents, or before we use it for a purpose other than which it was originally collected or subsequently authorized. To request to limit the use and disclosure of your personal information, you may do so by contacting our community team.
Pursuant to the Privacy Shield, PatientsLikeMe, Inc. is liable for the onward transfer of personal data to third parties unless we can prove we were not a party to the actions resulting in the damages.
In compliance with the Privacy Shield Principles, PatientsLikeMe, Inc. commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to Privacy Shield. European Union and Swiss individuals with Privacy Shield inquiries or complaints should first contact PatientsLikeMe at: firstname.lastname@example.org.
PatientsLikeMe has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU Privacy Shield, operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://www.bbb.org/EU-privacy-shield/for-eu-consumers for more information and to file a complaint. This service is provided free of charge to you.
If your Privacy Shield complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms at https://www.privacyshield.gov/article?id=ANNEX-I-introduction.
GDPR Recourse For Individuals in the EEA
Our representative in the EU for GDPR purposes is Foley Hoag AARPI. You can contact our representative at:
Foley Hoag AARPI
153 rue du Faubourg Saint-Honoré
75008 Paris, France
If you are a resident of the European Union and have a complaint about our use or processing of your Personal Data, you have a right to lodge a complaint with a national Data Protection Authority. Each European Union member nation has established its own Data Protection Authority; you can find out about the Data Protection Authority in your country.
History of Updates/Changes to Terms and Conditions of Use:
- On , updated Privacy Shield compliance language.
- On , updated language to comply with GDPR and clarified some language aimed at researchers considering using PLM data.
- On , clarified language differentiating vendors and partners, as well as cookie and Platform Use Data usage. Also, added new language for biology and multi-omics, updated advertising policies and other minor changes and reorganization.
- On , added statement to explain ways a member can unsubscribe from emails.
- On , additional examples of shared data were added.
- On , the heading to “How Your Data is Used” was changed and clarifying language was added to both the Cookies and How Your Data is Used sections.
- On , the Safe Harbor section was updated.
- On , the following section was added: “EU Safe Harbor”.
- On , the following clauses were added: “We will provide our Partners with anonymized, aggregated community data with the goal of increasing involvement in disease research” and “except in incidents when you have given explicit permission, e.g. in the ALS Registry.”