Privacy and Security Notice

Effective Date: January 15, 2025

1. Introduction

This Privacy and Security Notice explains how information is collected, used, and disclosed by xCures, Inc (“xCures,” “we,” “us,” or “our”) in connection with your use of our website at xcures.com (“Website”) and the services that we provide which link to this Notice (collectively, the “Services”).  Users of the Services are referred to as “users,” “you,” or “your.” This Privacy and Security Notice does not apply to the practices of any third parties, which have their own privacy policies. We encourage you to read their privacy policies to learn more about how they collect and process your information.

This Privacy and Security Notice describes how we collect individually identifiable information through the Services, how we use and disclose that information, and your rights with respect to that information. Our obligations with respect to individually identifiable information under this Privacy and Security Notice will continue for as long as we maintain the information. 

Please review this Privacy and Security Notice carefully before using the Services. By using the Services, you acknowledge the practices and policies outlined in this Privacy and Security Notice and agree that we may collect and use your information as described in this Privacy and Security Notice. If you have any questions or concerns about this Privacy and Security Notice, please contact us at privacy@xcures.com or (707) 200-8339.

2. Information We Collect

When you visit the Website or utilize the Services, you may provide personal information to us, either directly or indirectly.  This information includes: 

  • Registration information.  When you sign up for the Services or otherwise create an account with us, you may provide us with your contact information, such as your name, email address, mailing address, and/or phone number.
  • Correspondence information.  If you contact us, such as via webform or email, you may share certain personal information, such as your contact information and any information that you choose to include in such correspondence.
  • Job applicant information.  If you apply to a job on the Website or submit an application, you may provide us with personal information about your work and education history, contact information, as well as any other information that you include in your application and associated documents.
  • Individually identifiable health information as more fully explained in Section 4 below.
  • Automatically collected information when you visit our website, as more fully explained in Section 5 below.

3. Individually Identifiable Information

For purposes of this Privacy and Security Notice, “individually identifiable” information means any information from or about you that either identifies you directly or that makes you identifiable when combined with other information from or about you from any source. Individually identifiable information becomes “de-identified information” when it has been stripped of personal identifiers or otherwise anonymized sufficiently that the individual is no longer identified and cannot be re-identified using reasonable efforts, resources, and technology. We will also follow any applicable legal requirements when creating de-identified information. We may use and disclose de-identified information for any purpose.

4. How We Collect Individually Identifiable Health Information

We may collect your individually identifiable health information in different scenarios.

  • On your behalf, with your consent, as part of your right to access your health information under the Health Insurance Portability and Accountability Act (“HIPAA”), also known as Individual Access Services; 
  • As a “business associate” under HIPAA, on behalf of your health care providers, or other “covered entities” with whom you have a relationship, as described more fully below;
  • On behalf of third-party organizations to whom you have provided consent to store your individually identifiable health information, as part of your right to access your health information under HIPAA;
  • From our third party business partners; or
  • As otherwise authorized or directed by you, such as pursuant to an informed consent for participation in clinical research.

Applicable law and agreements may apply to and further restrict our use and disclosure of certain individually identifiable information that we collect, such as protected health information (“PHI”). Such PHI is subject to requirements under HIPAA, a federal law and set of regulations that protects the confidentiality of your PHI.

PHI

Some of the individually identifiable health information we collect is PHI and continues to be PHI when we maintain it. This may be the case, for example, when we act on behalf of a health care provider that is subject to HIPAA to support the provision of Services, such as for that provider’s treatment purposes. When this is the case, we may only use or disclose PHI as permitted by those health care providers’ Notices of Privacy Practices, our business associate agreements with them, and HIPAA rules. The PHI that we collect about you may be subject to more limited uses and disclosures than those described in this Privacy and Security Notice.

Non-PHI

Sometimes, the individually identifiable health information we collect or maintain is not PHI. This may be the case, for example, when we maintain individually identifiable health information that we collected from your health care providers at your direction in accordance with HIPAA’s “right of access.” When a HIPAA-covered entity sends us your individually identifiable health information pursuant to HIPAA’s right of access, the information is no longer considered PHI under HIPAA when it is maintained by xCures: (a) to provide Services to you, or (b) on behalf of third parties with whom you have a direct relationship. Instead, it is subject to the practices described in this Privacy and Security Notice, and/or your direct agreements with us or the third parties on whose behalf we are providing services, and other laws applicable to the use of health information, such as the Common Rule (Federal Policy for the Protection of Human Subjects). 

5. Information We Collect When You Visit Our Website

When you use the Website, we may collect technical and navigational information about your visit, such as computer browser type, Internet protocol address, pages visited, and average time spent on the site. This information will be used to improve our site design and functionality. We also may use a tracking technology, such as cookies (a small text file placed on your computer to identify your computer and browser) or web beacons (an electronic file placed on a web site that monitors usage) to improve the experience of our site (for example, prepopulating your information for ease of use). You may reset your web browser to refuse all cookies or indicate when a cookie is being sent – however, certain features of the Website or Services may not work if you delete or disable cookies. We will never share PHI or other individually identifiable health information with unauthorized parties through tracking technologies without your consent.

Be advised that third parties, like advertising networks, web analytics companies and social media and networking platforms, may collect information about your online activities over time and across multiple web and mobile platforms.  Their use of tracking technologies when you access our Services may be used to predict or determine a likely association or relationship between two or more devices, or to help them serve you content on other websites and social media platforms.  We are not responsible for third-party tracking technologies used by these third parties, or for the targeted advertisements they may enable to be served to you on other platforms.  We encourage you to check the privacy policies of these third parties to learn more about their privacy practices, and use internet and portable device technologies from third parties that you trust when you access and use our Services.

6. How We Use Information

We may use individually identifiable information to: 

  • Deliver and manage account holder access to the Services
  • Provide the Services to you, your health care providers, or other third parties with whom you have a direct relationship, which may include: enabling you, and/or your providers to collect your medical records in one place; providing information regarding clinical decision support and treatment alternatives; informing you about clinical programs for which you may qualify, such as clinical research, patient support programs, and registries
  • Send communications to our account holders, and provide them with customer service and technical support
  • Bill and collect payment for the Services
  • Carry out our contractual obligations
  • Evaluate and improve the Services
  • Take appropriate action to maintain the security of the Services, safeguard the privacy of individually identifiable information, and adhere to applicable laws, regulations and consensus-based standards associated with human subject research in clinical studies
  • Take actions to enforce our agreements and policies
  • Conduct analyses to create clinical evidence regarding the usage and potential benefits or risks of a medical product
  • Create de-identified information, which we may use for any purpose in accordance with applicable laws, including for product development and/or other purposes for which we may receive remuneration
  • Any other purpose in accordance with your consent, authorization, or otherwise at your direction

We will not use the individually identifiable information we collect through the Services to assert a claim against an individual except for the collection of fees. 

We may use de-identified information for any purpose in accordance with applicable laws.

7. How We Disclose Information to Others

We only disclose individually identifiable information in accordance with applicable laws and frameworks and this Privacy and Security Notice. All disclosures through health information exchanges, including the Trusted Exchange Framework and Common Agreement (“TEFCA”) are in accordance with the permitted and required uses and disclosures specified in participation agreements and applicable guidance. We will not disclose the individually identifiable information we collect through the Services to assert a claim against an individual except for the collection of fees.

We may disclose de-identified information for any purpose in accordance with applicable laws, such as with clinical trial or study sponsors, health plans, nonprofit and patient advocacy organizations, xCures’ virtual tumor board participants, clinical researchers and investigators, and publications.

We will never sell your individually identifiable information or disclose such information to third parties for such third parties’ marketing purposes without your explicit consent.  We will only disclose your individually identifiable information as follows:

Identity Verification

Certain of our Services require that we confirm your identity prior to the provision of such Services.  In order to do so, we utilize a third-party identity verification provider that collects a copy of your driver’s license or other official government ID and images of your face.  We do not collect or store the information that you disclose to the identity verification provider.  For information on how such third party may use and disclose your personal and/or biometric information, please see their privacy notice at: https://www.clearme.com/privacy-policy.

Third Party Service Providers

To deliver the Services, we use a variety of third-party service suppliers of technology, internet service hosting, payment processing, technical integration, marketing, analytics, and customer service and support. We share the minimum necessary individually identifiable information with these third parties for them to provide their services to us. These companies are acting on our behalf and are required, by contract with us, to keep our information confidential and maintain appropriate security safeguards to protect such information, and are only authorized to use and disclose it for specified purposes, which are consistent with this Privacy and Security Notice.

Treating Physicians/Clinicians/Third-Parties As Directed by You

We share individually identifiable information with those treating physicians for whom we are acting as a business associate, or as otherwise directed or consented to by you, such as pursuant to the “right of access” under HIPAA, or for any other purpose that you have authorized, such as disclosure to a third party that you have authorized to hold and/or use your information.

Health Plans

If directed by you or your treating physician, we share individually identifiable information with health plans.  Typically, these disclosures are made to support a patient or treating physician’s request for coverage of an off-label use of a therapy under the patient’s health insurance plan. 

Law Enforcement, Regulatory Authorities, and Civil Proceedings

We resist disclosing individually identifiable information to law enforcement or regulatory authorities unless we determine we must do so under law to comply with a valid court order, subpoena, or search warrant.  We closely scrutinize all law enforcement and regulatory requests.  If we determine that we must comply with a valid law enforcement or regulatory request, we first determine whether we can comply only after receiving your explicit authorization to make the disclosure.  Otherwise, to the extent feasible, we attempt to comply by limiting disclosure to de-identified information, or by redacting information so that only the minimum necessary individually identifiable information is disclosed.  We also attempt to receive adequate assurances from the requesting law enforcement or government agency that it will protect the confidentiality of the individually identifiable information, and will not disclose it in violation of applicable federal or state confidentiality laws.  While we cannot offer assurance that these efforts will be successful, we will maintain a detailed record of all disclosures we make in response to law enforcement and regulatory requests. 

If xCures is a party to a legal proceeding with an account holder or research participant, we may disclose individually identifiable information to the court or arbitrator for purposes of resolving a civil dispute.  If xCures is not a party to a legal proceeding, we may be required by law to disclose this individually identifiable information pursuant to a valid subpoena, discovery request, or other lawful process.  Even if additional protections are not required by applicable laws, we use our reasonable best efforts to obtain your authorization or seek a qualified protective order to protect individually identifiable information or data before disclosing it in a civil proceeding.   We also use reasonable best efforts to limit disclosures of individually identifiable information or data to the minimum necessary to accomplish their intended purpose.  

We may use or disclose individually identifiable information related to reproductive health care services (as defined in Executive Order 14076) or gender affirming care in accordance with applicable law where we are required to do so in response to a civil or criminal subpoena, court order, search warrant, or other demand for compulsory disclosure, including across state lines, even if a service is paid for entirely out-of-pocket by an individual.

If we receive a civil or criminal subpoena, court order, search warrant or other demand for compulsory disclosure of individually identifiable information, we may be required under applicable laws and frameworks such as the Trusted Exchange Framework and Common Agreement (“TEFCA”) to provide written or electronic notice to the individual(s) whose information is implicated. Where we are required to provide such notice and providing notice is not otherwise prohibited, we will strive to provide it within three business days of receiving the demand for individually identifiable information and provide the affected individual(s) an opportunity to object to the production of the individually identifiable information or seek a protective order or other appropriate remedy consistent with applicable law.

If we disclose individually identifiable information to a law enforcement agency, we may be required under applicable laws and frameworks such as TEFCA to provide written or electronic notice to the individual(s) whose information is implicated. Where we are required to provide such notice and providing notice is not otherwise prohibited, we will strive to provide it within three business days of disclosing the individually identifiable information to the law enforcement agency.

Affiliates

xCures does not have any subsidiaries, is not controlled by a parent entity and is not under common control with any other affiliated entity.  If we have affiliates in the future, xCures will not share individually identifiable or de-identified information with them unless they sign an agreement contractually obligating them to keep disclosed information confidential and to limit their use of information to the purposes permitted in this Privacy and Security Notice.

Business Transfers

If we enter into a merger, acquisition, or the sale of all or part of our assets, the information and data we maintain will likely be part of the assets transferred.  If this happens, we will attempt to notify research participants and account holders, using the most recent e-mail address we have associated with their respective profile.  We will use our reasonable best efforts to ensure that the successor entity maintains commitments that are consistent with this Privacy and Security Notice.

Additional Third Parties

We may also disclose individually identifiable information to any other third party with your consent.

8. How We Secure Individually Identifiable Information

In compliance with applicable laws and frameworks such as TEFCA, we implement commercially reasonable safeguards to protect our information systems and the information in our control from unauthorized or illegal access, disclosure, use, modification and destruction. However, please note that no method of data storage is 100% secure and we cannot guarantee the absolute security of information in our control. 

9. How Long We Retain Information

In general, we retain de-identified information in perpetuity.  We retain individually identifiable information for as long as needed to provide the Services, maintain our information systems, and comply with applicable laws.  If required by law to delete or purge individually identifiable information, we delete or purge that information by following internal policies that align to these laws.  

Be advised, given the complexity of our production environment and the security measures in place to safeguard the confidentiality, integrity and availability of all data, it is not feasible for us to destroy or erase all data, particularly data created pursuant to our standard electronic backup and archival procedures.  However, the personnel with access to these retained copies are limited in number and monitored, and access is limited to that reasonably necessary for the performance of their information technology duties (e.g., for purposes of system recovery) or legal duties. All individually identifiable information that is not destroyed as permitted remains subject to the Privacy and Security Notice then in effect.

10. Individuals’ Rights

Individuals whose individually identifiable information we collect can request to exercise any of the following rights. Note we cannot guarantee that we can or will honor requests in all circumstances (for example, a deletion request where we are required by law to maintain the information).

Request a copy of their individually identifiable information.  Individuals may request a copy of certain individually identifiable information that we maintain, such as their Cancer Journey report.

Request that their individually identifiable information be amended, corrected or deleted.  If an individual believes their individually identifiable information is not accurate, timely, complete, relevant or necessary, please let us know that you would like the information to be amended, corrected or deleted.  A member of our team will review the request and, where appropriate, consult with the treating physician or study investigator, to determine if the information needs to be amended, corrected or deleted, and promptly take appropriate action. 

An individual can otherwise also request that xCures delete their health information; however, fulfilling these requests may not be feasible, given regulatory recordkeeping requirements.  We will act on these requests as required by applicable laws, but may decline these requests at our sole discretion in order to comply with our legal and contractual obligations, and to resolve disputes and enforce our legal agreements; we may retain a de-identified copy for research purposes.  If feasible, we may restrict access in health information systems to personnel performing information technology duties (e.g., for purposes of system recovery) or legal duties. All health information that is not destroyed as permitted remains subject to the Privacy and Security Notice in effect at the time a request for deletion is made, for as long as we retain that health information.

Direct xCures to share a copy of their individually identifiable information with third parties.  An individual can direct xCures at any time to share a copy of certain individually identifiable information, such as their Cancer Journey, with third parties.  Keep in mind, however, that some requests cannot be fulfilled while the clinical trial or study is ongoing.  xCures will use reasonable efforts to fulfill requests for recurrent updates.

Restrict access to copies of their individually identifiable information.   An individual can also direct xCures not to share certain individually identifiable information, such as their Cancer Journey, with a third party, or to stop sharing updates to such information with a third party.

Revoke xCures’ authorization to request health information.  An individual can revoke an authorization for xCures to request health information on such individual’s behalf.  Revoking this authorization will not impact activities such as the individual’s continued enrollment in current clinical programs, trials or studies, but may limit their ability to participate in future clinical programs.

Request an accounting of disclosures to third parties.  An individual can request an accounting of certain disclosures xCures has made.  Patients cannot request an accounting of de-identified information.

To exercise any of these rights, contact xCures Support Team at privacy@xcures.com.  We strive to acknowledge emails within one business day. Requests are subject to individual verification procedures.  After verifying the request, a member of our team will review your materials, and make a determination as to whether the request can be fulfilled. Please allow up to ten (10) business days after verifying identification for us to make this determination. We will inform you in writing if we need more time, if the request will be granted or the reasons for denial.

11. Changes to this Privacy and Security Notice

We reserve the right to change this Privacy and Security Notice. When we make material changes, we will notify account holders and research participants by email to the address associated with their account profile.  These notifications will include a link to the updated Privacy and Security Notice.  The updated Privacy and Security Notice will indicate its effective date and include links to the Privacy and Security Notice it is replacing.  

To continue using the Services, account holders will need to signify their acceptance of the updated Privacy and Security Notice and affected research participants may need to accept an updated Participation Agreement or informed consent to the extent required by the applicable IRB. If we make significant changes (for example, a new use or disclosure of individually identifiable information that we have already collected and stored), we will give account holders and affected research participants a reasonable amount of time to consider the changes before they become effective.  If account holders do not accept the updated Privacy and Security Notice, they may be blocked from accessing parts of the Services.  If you are blocked from your xCures account, please contact privacy@xcures.com for assistance with closing your account and getting a machine-readable copy of information that you have the authority to access and download.

12. Personal Representatives

xCures may allow individuals that are recognized as a patient’s “personal representative” or “legal guardian” under applicable state law to give consent for the patient to become a research participant.  xCures recognizes parents of children under the age of majority in the state where they live, or the holder of a medical power of attorney as personal representatives, absent actual knowledge to the contrary.  xCures reserves the right to verify the identity and authority of individuals holding themselves out as the personal representative or legal guardian of a patient.

13. Minors

We do not knowingly market to or solicit information or data from children under the age of 13.  A parent or personal representative of a patient under the applicable legal age of consent must give consent for the patient to become a research participant.   If we obtain actual knowledge that we have collected individually identifiable information about a minor under the applicable legal age of consent without their legal representative’s consent, we will use reasonable efforts to refrain from further using such individually identifiable information and take steps to disable further use or access of it in a retrievable form. However, please note that we may process data from patients under the age of 13 when we are acting in our role as a business associate under HIPAA.

14. Supplemental Privacy Notices

We may provide additional privacy notices that supplement or amend the disclosures contained in this Privacy and Security Notice when account holders or patients access services of xCures that are not described in this Privacy and Security Notice.  Those notices control with respect to the services that they reference when they conflict or are inconsistent with this Privacy and Security Notice.

15. International Data Transfers

We do not knowingly transfer any health information outside of the United States unless that transfer is subject to an agreement for safeguarding the health information, consistent with applicable medical privacy laws in the United States, including HIPAA.  

We do not knowingly transfer any individually identifiable information outside of the United States, except at the direction of a research participant, a treating physician or in accordance with a clinical trial or study protocol that has been approved by an institutional review board, ethics committee, or other entity empowered by local regulations to authorize the use of data for healthcare research.  

We may transfer de-identified information outside the United States as long as the transfer complies with applicable data protection laws.

16. Jurisdiction-Specific Provisions

The services that currently link to this Privacy and Security Notice are intended primarily for users located in the United States, and we only store individually identifiable information or data in our control in data centers located in the United States.  If you are located outside of the United States, or a resident of another jurisdiction, be advised: 

The laws of the United States governing data collection and use may differ from the applicable laws where you are located, and you will be transferring data to the United States for storage and processing.  By visiting our website, using our services or providing your personal data, you consent to such transfer, storage and processing.

17. Do Not Track

Some browsers have a “do not track” feature that lets you tell websites that you do not want to have your online activities tracked. At this time, we do not respond to browser “do not track” signals.

18. California

California Privacy Act Notice – Use of Information for Marketing. Under California Civil Code Sections 1798.83-1798.84, California residents are entitled to ask us, once per year, for a notice identifying the categories of information which we share with our affiliates and/or third parties for marketing purposes, and providing contact information for these affiliates and/or third parties. Requests will apply to information provided during the previous calendar year (for example, if you request information in 2021, you will receive information regarding 2020).

xCures does not currently have any Affiliates and does not sell or disclose personal information to third parties for such third parties’ marketing purposes.

19. Prior Versions

The version of the Privacy and Security Notice this replaces can be found at [link].