OpenChallenges Privacy Policy

Owned by Hayley Sanchez
Last updated: Jun 26, 2023

Jun 23, 2023

Sage Bionetworks (“Sage Bionetworks,” “Sage,” “we,” “us,” or “our”) is a 501(c)(3) nonprofit biomedical research organization in the United States, created to enhance how researchers approach the complexity of human biological information and the treatment of disease. This privacy policy describes how and why we might collect, store, use, and/or share ("process") your personal information when you visit or use our tools, website or services  ("Services"),

Reading this privacy policy will help you understand your privacy rights and choices. If you do not agree with our policies and practices, please do not use our Services. If you still have any questions or concerns, please contact us at privacyofficer@sagebase.org.

SUMMARY OF KEY POINTS

This summary provides key points from our privacy policy.  You can read the full text to find out more details about any of these topics. Use  the table of contents below to find the section you are looking for.

Collection of Data

  • Do we collect sensitive categories of data, like health information?..................................................... No

  • Do we collect passive data from your device? ……………………………………………………………………………….Yes

  • Do we process any sensitive personal information?….…………………………………………………………………… No

  • Do we receive any information about you from third parties? …………………………………………………………No

Tracking

  • Do we use cookies and similar technologies? ……………………………………………………..………………………..Yes

  • Do we collect standard log information? …………..…………………………………………………………………..………Yes

  • Do we track your precise device location? ………………………………………………………………………….…………No

Use and Sharing of Data

  • Do we sell or rent your personal information data? ………………………………………………..………………………No

  • Do we use your data for advertising? .………………………………………………………………………………..…………No

  • Can you control who sees your data?……………………………………………………………………………………………Yes

  • Do we retain your data for as long as we need it unless you request deletion? .……..………………………Yes

Communication

  • Will we give you notice if we make changes to our Privacy Policy?  ………………………………………………Yes

  • Do we send you communications?…………………………………………………………………………… Yes, if you opt-in

 

What personal information do we process? When you visit, use, or navigate our Services, we may process your personal information depending on how you interact with Sage Bionetworks and the Services, the choices you make, and the products and features you use. Learn more about personal information you disclose to us. 

Why do we process your personal information? We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with law. We may also process your information for other purposes with your consent. We process your information only when we have a valid legal reason to do so. Learn more about why we process your information

How do we keep your personal information safe? We have strong organizational and technical processes and procedures in place to protect your personal information. However, we cannot guarantee that hackers, cybercriminals, or other unauthorized third parties will not be able to defeat our security and improperly collect, access, steal, or modify your information. Learn more about how we keep your information safe. 

What are your rights? Depending on your location, the applicable privacy law may give you certain rights regarding your personal information. Learn more about your privacy rights

How do you exercise your rights? The easiest way to exercise your rights is by contacting us through privacyofficer@sagebase.org. We will consider and act upon any request in accordance with applicable data protection laws

Want to learn more about what Sage Bionetworks does with any information we collect? Review the privacy policy in full. 

 

PRIVACY POLICY - FULL TEXT 

 

1. INFORMATION WE COLLECT

When you use Sage’s tools,  website and/or services (“Services”), you may provide to us and/or we may collect personal information about you and your use of our Services. “Personal information or personal data” means any information about you that can directly identify you such as your name and contact information or indirect information that could be reasonably linked to you such as your device’s internet protocol address (IP Address). 

We collect information about you in the following ways:

Account Information Provided by You. The personal information that we collect depends on the context of your interactions with the Services, the choices you make, and the products and features you use. The personal information we collect may include the following:

  • names 

  • email addresses 

  • usernames 

  • passwords 

  • contact preferences

All account information that you provide to us must be true, complete, and accurate, and you must notify us of any changes to such account  information.

We also collect information when you update/change your account and when you contact us. If you send us an email or otherwise communicate with us, we may keep a copy of that communication.

Sensitive Information. We do not process sensitive information. 

Usage Data

Like most Services, we collect technical information on your usage of the Services . We may use cookies and similar technologies to record information such as but not limited to: date, time, pages, services, and tools you used, your browser/client type, IP addresses, how you navigate and use he Services how you have found the ervices on the internet, and other Service usage patterns.

 

2. WHY DO WE USE THE  INFORMATION WE COLLECT?

We process your Account Information for a variety of reasons, including: 

  • Authenticating/administering your account 

  • Responding to your requests, questions, and concerns 

  • Requesting feedback to enhance and improve the Services

  • Sending study communications such as newsletters and other materials that may be of interest to you if desired.

We process your Usage Data for a variety of reasons, including: 

  • Maintaining, securing, and enhancing the Services

  • Detecting and remedying disruptions in our systems

  • Performing statistical analysis of usage patterns

  • Operating, maintaining, enhancing, and providing all the features of the Services

 

We only process your personal information when we believe it is necessary and we have a valid legal reason (i.e., legal basis) to do so under applicable law, like with your consent, to comply with laws, to provide you with services, to enter into or fulfill our contractual obligations, to protect your rights, or to fulfill our legitimate business interests.

 

If you are located in the EU or UK, this section applies to you. 

The General Data Protection Regulation (GDPR) and UK GDPR require us to explain the valid legal bases we rely on in order to process your Personal Information. As such, we may rely on the following legal bases to process your personal information:

Consent. In general,  we may process your Personal Information if you have given us permission (i.e., consent) to use your personal information for a specific purpose. You can withdraw your consent at any time. Learn more about withdrawing your consent.

Legal Obligations. We may process your Personal Information where we believe it is necessary for compliance with our legal obligations, such as to cooperate with a law enforcement body or regulatory agency, exercise or defend our legal rights, or disclose your information as evidence in litigation in which we are involved. 

Vital Interests. We may process your Personal Information where we believe it is necessary to protect your vital interests or the vital interests of a third party, such as situations involving potential threats to the safety of any person. 

If you are located in Canada, this section applies to you.

We may disclose your Personal Information if you have given us specific permission (i.e., express consent) to use your personal information for a specific purpose, or in situations where your permission can be inferred (i.e., implied consent). You can withdraw your consent at any time.

In some exceptional cases, we may be legally permitted under applicable law to process your Personal information without your consent, including, for example: 

  • If collection is clearly in the interests of an individual and consent cannot be obtained in a timely way 

  • For investigations and fraud detection and prevention 

  • If it is contained in a witness statement and the collection is necessary to assess, process, or settle an insurance claim 

  • For identifying injured, ill, or deceased persons and communicating with next of kin If we have reasonable grounds to believe an individual has been, is, or may be victim of financial abuse

  • If it is reasonable to expect collection and use with consent would compromise the availability or the accuracy of the information and the collection is reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province

  • If disclosure is required to comply with a subpoena, warrant, court order, or rules of the court relating to the production of records 

  • If it was produced by an individual in the course of their employment, business, or profession and the collection is consistent with the purposes for which the information was produced

  • If the collection is solely for journalistic, artistic, or literary purposes If the information is publicly available and is specified by the regulations 

 

4. HOW DO WE DISCLOSE PERSONAL INFORMATION? 

We may share your Personal Information in specific situations described in this section and/or with the following third parties. 

We do not sell, lease or otherwise disclose the Personal Information we collect about you, except as described here. We share information in the following ways:

Service Providers. We may rely on third-party service providers (Amazon Web Services)  to provide the necessary hardware, software, networking, storage, and related technology required to operate, support and maintain our Services. We require that all service providers agree to put in place reasonable security to keep users' Personal Information confidential and secure, and to process information only for performing tasks on Sage Bionetworks behalf. We do not permit service providers to use or disclose users’ Personal Information, except as necessary to conduct their work. 

The list of service providers used by Sage Bionetworks can be found here

  • Amazon Web Services

  • Terraform Cloud (used to automate the deployment of AWS resources)

  • Docker Hub (used to store the Docker images of the OC stack)

  • GitHub (code repository used during development)

  • Google Docs (source of the data available in the app)

Statistical and Aggregate Information. In accordance with applicable law, we may share aggregate and statistical information derived from users’ usage data with third parties for analysis.

Compliance with Laws. We may be required by law to give your Personal Information in the case of any civil, criminal, administrative, legislative, or other proceedings. We will protect your privacy as much as possible.

Business Transfers. We may share or transfer your account information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company. 

5. HOW LONG DO WE KEEP YOUR INFORMATION? 

We will only keep your Personal Information for as long as it is necessary for the purposes set out in this privacy policy and for potential auditing purposes, unless a longer retention period is required or permitted by law. 

When we have no ongoing legitimate business need to process your Personal Information, we will either delete or anonymize such information, or, if this is not possible (for example, because your Personal Information has been stored in backup archives), then we will securely store your Personal Information and isolate it from any further processing until deletion is possible.

6. HOW DO WE KEEP YOUR INFORMATION SAFE?

 In Short: We aim to protect your Personal Information through a system of organizational and technical security measures. 

We have implemented appropriate and reasonable technical and organizational security measures designed to protect the security of any personal information we process. However, despite our safeguards and efforts to secure your information, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure, so we cannot promise or guarantee that hackers, cybercriminals, or other unauthorized third parties will not be able to defeat our security and improperly collect, access, steal, or modify your information. Although we will do our best to protect your personal information, transmission of personal information to and from our Services is at your own risk. You should only access the Services within a secure environment. 

7. WHAT ARE YOUR PRIVACY RIGHTS?

In Short: In some regions, such as the European Economic Area (EEA), United Kingdom (UK), and Canada, you have rights that allow you greater access to and control over your personal information. You may review, change, or terminate your account at any time.

In some regions (like the EEA, UK, and Canada), you have certain rights under applicable data protection laws. These may include the right (i) to request access and obtain a copy of your personal information, (ii) to request rectification or erasure; (iii) to restrict the processing of your personal information; and (iv) if applicable, to data portability. In certain circumstances, you may also have the right to object to the processing of your personal information. You can make such a request by contacting us by using the contact details provided in the section "HOW CAN YOU CONTACT US ABOUT THIS NOTICE?" below. 

We will consider and act upon any request in accordance with applicable data protection laws. 

If you are located in the EEA or UK and you believe we are unlawfully processing your personal information, you also have the right to complain to your Member State data protection authority or UK data protection authority.

If you are located in Switzerland, you may contact the Federal Data Protection and Information Commissioner. 

If you are located in Canada, you may contact the Office of the Privacy Commissioner of Canada. 

Withdrawing your consent: If we are relying on your consent to process your personal information, which may be express and/or implied consent depending on the applicable law, you have the right to withdraw your consent at any time. You can withdraw your consent at any time by contacting us by using the contact details provided in the section "HOW CAN YOU CONTACT US ABOUT THIS NOTICE?" below. 

However, please note that this will not affect the lawfulness of the processing before its withdrawal nor, when applicable law allows, will it affect the processing of your personal information conducted in reliance on lawful processing grounds other than consent.

Account Information. If you would at any time like to review or change the information in your account or terminate your account, you can: 

  • Log in to your account settings and update your user account. 

  • Upon your request to terminate your account, we will deactivate or delete your account and information from our active databases. However, we may retain some information in our files to prevent fraud, troubleshoot problems, assist with any investigations, enforce our legal terms and/or comply with applicable legal requirements.

  •  If you have questions or comments about your privacy rights, you may email us at  privacyofficer@sagebase.org.

8. CONTROLS FOR DO-NOT-TRACK FEATURES

Most web browsers and some mobile operating systems and mobile applications include a Do-Not-Track ("DNT") feature or setting you can activate to signal your privacy preference not to have data about your online browsing activities monitored and collected. At this stage no uniform technology standard for recognizing and implementing DNT signals has been finalized. As such, we do not currently respond to DNT browser signals or any other mechanism that automatically communicates your choice not to be tracked online. If a standard for online tracking is adopted that we must follow in the future, we will inform you about that practice in a revised version of this privacy notice. 

9. CHANGES TO OUR PRIVACY POLICY? 

We may change this privacy policy from time to time. Any changes will be posted on this page with an updated revision date. In the event that any changes to this privacy policy materially alter your rights or obligations under this privacy policy, we will make reasonable efforts to notify you.

10. HOW CAN YOU CONTACT US ABOUT THIS NOTICE?

Sage Bionetworks is the controller of your information when it is collected and processed in the context of our sites and services. Our Data Protection Officer (DPO) is responsible for overseeing what we do with your information and ensuring we comply with applicable data protection laws. Our Data Protection Officer may be contacted by emailing privacyofficer@sagebionetworks.org or by writing to Sage Bionetworks, Attention: Data Protection Officer, 2901 Third Avenue, Suite 330, Seattle, WA 98121, United States of America.