Notice of Privacy Practices (Patient Privacy Notice)
This Notice of Privacy Practices describes how Variantyx Inc. may use and disclose your protected health information (PHI) and how you can access this information.
Company’s legal duties
Variantyx is required by law to maintain the privacy of your protected health information, to provide you with this Notice of our legal duties and privacy practices, and to abide by the terms of this Notice currently in effect.
What data we collect
We collect personally identifiable information (PII) and protected health information as defined under the Health Insurance Portability and Accountability Act (HIPAA) in the following ways:
- Information that you or your healthcare provider give us and samples you submit – this includes personal, billing, and medical information, as well as biological samples (such as blood, saliva or tissue) needed to order and interpret testing.
- Information we generate from those samples – we create additional protected health information by processing and analyzing your biological samples, including genetic information, DNA sequencing data, test results, and reports, which we interpret for you and your healthcare provider.
“Healthcare provider” means a doctor or other licensed healthcare professional involved in your care.
How we secure your data
Variantyx is committed to protecting the information you provide us. To prevent unauthorized access or disclosure, to maintain data accuracy, and to ensure the appropriate use of the information, Variantyx has in place appropriate technological and operational procedures to safeguard the information we collect.
Variantyx complies with applicable health information privacy and security laws, including HIPAA.
Your personal data (PII), which is entered by you or your healthcare provider and submitted before or with your bio-sample, is stored on servers in the USA. This data could include information like your name, address, billing address, and other medical and personal data.
The bio-samples submitted by you or your healthcare provider are mailed directly to the Variantyx lab listed on the kit’s shipping label.
The bio-samples are processed and converted to digital information in the United States.
By providing personal information, you acknowledge that your data and DNA samples will be stored and processed in the United States. Furthermore, you understand and accept that your information may be accessed or viewed by authorized personnel located outside of the United States as part of our global operations. These transfers are conducted in compliance with HIPAA and applicable U.S. law.
How we use your information
Personal information and biological samples provided by you and your healthcare provider for medical analysis will be used for diagnosis or billing purposes. Such uses constitute treatment, payment, and health care operations under HIPAA.
In no case is the personal information provided by our users sold, licensed or otherwise shared by us with advertisers, sponsors, partners or other third parties. We do not sell or license DNA samples, DNA results, DNA reports or any other DNA information to any third parties without your written authorization where required by law, and we do not sell or license such information to insurance companies under any circumstances.
Variantyx does not disclose any of your personal information except in very limited circumstances which are set out below.
i) In limited circumstances: (a) if required by law, regulatory authorities, legal process or to protect the rights or property of Variantyx or other users (including outside your country of residence); (b) to enforce our Terms and Conditions; (c) to protect our rights, privacy, safety, confidentiality, reputation or property, and/or that of the Variantyx website, or others; (d) to prevent fraud or cybercrime; (e) to permit us to pursue available remedies or limit the damages that we may sustain; or (f) to investigate rare cases involving reported abuse of our Privacy Policy.
ii) In an acquisition of Company: in the event that Company, or substantially all of its assets or stock are acquired, transferred, disposed of (in whole or part and including in connection with any bankruptcy or similar proceedings), personal information will as a matter of course be one of the transferred assets.
iii) To third-party service providers: We partner with third-party providers to perform essential services, such as payment processing and specialized DNA laboratory analysis. All such partnerships are governed by HIPAA-compliant Business Associate Agreements (BAAs) and strict confidentiality protocols. These third parties are granted access only to the specific data required to perform their functions and are legally prohibited from using it for any other purpose.
Data retention
All patient data, including DNA sequencing data, is maintained in secure digital storage in accordance with HIPAA standards. We retain patient data and clinical results in full compliance with HIPAA, CLIA, and CAP standards, as well as applicable state and federal laws, and in compliance with internal policies. To meet these regulatory obligations, raw sequence data and signed reports are stored for 20 years, while standard medical records are generally maintained for a 7-year period. While your raw sequence data cannot be deleted during that time, you have the ability as a patient or guardian to request release of a copy of your or your child’s raw sequence data to yourself, your healthcare provider, or another third party via written consent. For more information, please see our Raw Sequence Data page.
Your control over your data
You may choose to restrict the collection or use of your personal information in the following ways:
Access/review/update personal information
If you become aware that personal information we maintain about you is inaccurate, incomplete, misleading, irrelevant or out of date, or if you would like to access, update or review your information, you may contact us using the contact information below. We will attempt to provide the requested information or make requested changes to the extent allowable by applicable privacy or other laws. In any event, we will respond to you as soon as reasonably possible, to advise you of the outcome of your request.
Request restrictions or amendments to personal information
You may request the amendment of previously provided personal information or restrictions on certain uses or disclosures of your protected health information at any time, as permitted by applicable law, using the contact information below.
Please note that some of the above rights are limited by applicable information protection law and we have the right to collect, process and hold your personal information to perform our legal obligations (for example: data for billing or regarding a diagnosis). We may require you to provide additional information necessary to confirm your identity before we comply with any request made by you.
Your right of access can normally be exercised free of charge; however, we reserve the right to charge an appropriate administrative fee where permitted by applicable law, for instance where you request multiple copies of your information.
Your rights under HIPAA
You have the right to:
● inspect and obtain a copy of your protected health information;
● request amendments;
● request restrictions on certain uses and disclosures;
● request confidential communications;
● receive an accounting of disclosures;
● receive a copy of this Notice; and
● be notified following a breach of unsecured protected health information.
Complaints
If you believe your privacy rights have been violated, you may file a complaint with Variantyx or with the U.S. Department of Health and Human Services. Variantyx will not retaliate against you for filing a complaint.
How to get in contact with us
If you have any questions about this Notice of Privacy Practices or wish to exercise your HIPAA rights (including access, amendment, restrictions, or complaints), please contact Company’s Privacy Officer at dpo@variantyx.com. You may also submit general inquiries via our Contact Us page; however, do not send sensitive health information through that form.
Updates to our privacy policy
We reserve the right to change this privacy policy at any time. When we make changes, we will post the changed privacy policy at this site and it will become effective immediately. Your continued access to or use of the Product represents your acceptance of such changed privacy policy.
Effective date: January 2026
