Privacy Notice for Human Cell Atlas Data Portal Public Website

Privacy Notice for Human Cell Atlas Data Portal Public Website for Individuals in the European Economic Area

The Human Cell Atlas Data Portal is an unincorporated collaboration of the University of California, Santa Cruz and the Broad Institute without separate legal personality (the “HCA Data Portal”). This service is operated by the University of California, Santa Cruz and the Broad Institute.

This Privacy Notice explains what personal data is collected by the specific service you are requesting, for what purposes, how it is processed, and how we keep it secure. Note that this service collects personal data directly provided by the user, and also collects personal data from users that is provided by other organizations.

This statement is applicable to individuals using HCA Data Portal Services who are located in the European Economic Area (“EEA”).

Your Personal Data We Use

Information you provide directly: HCA Data Portal collects personal information about you called Personal Data. We collect the following data from users of the service, some of which may be personal data:

• IP address
• Client operating system
• Browser version
• Date and time of a visit to the service website
• Statistics on web pages visited
• Referrer header

If support (without logging in) is requested by users of the service we also collect:

• Name
• Email address
• Organization
• Organizational affiliation
• Date and time when a support request is sent

If users login to the service we also collect:

• Name
• Email address
• Organization
• Organizational affiliation
• Website avatar
• Authorization refresh and access tokens

We also collect more sensitive information about you, with your explicit consent, where the processing is necessary to meet a legal or regulatory obligation, the processing is in connection with HCA establishing, exercising or defending legal claims, or is otherwise expressly permitted by GDPR. This sensitive information includes Aggregated transcriptomic and metadata, as well as individual-level transcriptomic and metadata [donor age, biological sex, disease, and sampled organ].

Log, Cookie and Device Data: We also collect log data, which is information collected whenever you visit a website. This log data includes your Internet Protocol address, device type, operating system, browser type and some settings, unique device identifiers, crash data, the date and time of your request, and information about how you used the Service. Depending on how you are accessing the Services, we may also use “cookies” (small text files stored by your computer when you visit our website) or similar technologies. We use Google Analytics. Google Analytics uses cookies to help track the users visit to the site. In addition to log and cookie data, we also collect information about the device you’re using to access the Services, including what type of device it is, what operating system you are using, device settings, unique device identifiers and crash data.

Whether we collect some or all of this information often depends on what type of device you are using and its settings. For example, different types of information are available depending on whether you are using a Mac or a PC, or an iPhone or Android phone. To learn more about what information your device makes available to us, please also check the policies of your device manufacturer or software provider.

Information from Other Sources: We do not obtain information about you from other sources and we do not combine that information with information we collect from you directly. We also obtain more sensitive information about you, with your explicit consent, where the processing is necessary to meet a legal or regulatory obligation, the processing is in connection with HCA establishing, exercising or defending legal claims, or is otherwise expressly permitted by GDPR.

How We Use Your Personal Data and the Lawful Basis for Such Processing

HCA Data Portal processes your Personal Data for the following purposes and bases:

• To provide you with access to the service.
• To develop, test and improve the service.
• To communicate with you regarding support requests.
• Processing and dealing with any complaints or inquiries made by you or legally on your behalf. We do this because it is in our legitimate interest as part of the services offered to you.
• We may also be required to disclose your Personal Data to authorities who can request this information by applicable law.

In certain instances, we may be required to obtain your consent to collect and process your Personal Data for a specific purpose. This depends on the specific category of data collected and the intended use of the data. In these instances, the HCA Data Portal will inform you of the specific category of Personal Data that will be collected and the intended purpose of the collection, and will request that you affirmatively indicate that you consent to the intended collection of your Personal Data for that purpose, prior to collecting the data.

In these instances, if you do not consent to the collection and intended processing purpose, we will refrain from collecting and processing your Personal Data.

Recipients of Your Personal Data

HCA Data Portal may share your Personal Data with the following recipients:

• Service Providers: Vendors that need access to your Personal Data in order to provide HCA Data Portal Services. AWS CloudWatch may collect Personal data for the purposes of logging and monitoring.
• HCA Data Portal Partners and Collaborators: When permitted by law, HCA Data Portal may share Personal Data with EMBL-EBI in order to support the operation of the HCA Data Portal .
• Public and Governmental Authorities: Entities that regulate or have jurisdiction over HCA Data Portal such as regulatory authorities, law enforcement, public bodies, and judicial bodies.

If your Personal Data is shared with a third party, we will require that the third party use appropriate measures to protect the confidentiality and security of your Personal Data.

We may also need to share your Personal Data as required to respond to lawful requests and legal process; to protect our rights and property and those of our agents, customers and others, including to enforce our agreements and policies; and in an emergency, to protect our institutions and the safety of our students, faculty and staff or any third party.

Security

The HCA Data Portal takes appropriate physical, administrative, and technical measures to protect Personal Data that are consistent with applicable privacy and data security laws and regulations.

Retaining and Deleting Your Personal Data

The HCA Data Portal will only retain your Personal Data for the duration necessary for the data collection purposes identified above, unless there is a legal requirement to maintain it for a longer period. Logs are Retained at a minimum for a year to support on-demand audit review, reporting requirements and after-the-fact security investigation.

International Transfer of Your Personal Data

In order to fulfill the intended processing purposes described above, your Personal Data will be transferred outside of the European Economic Area (EEA), specifically to the United States, which does not protect Personal Data in the same way that it is protected in the EEA. Your Personal Data will also be transferred to the EMBL-EBI, United Kingdom.

We will undertake appropriate measures to ensure adequate protection of Personal Data, including utilizing appropriate physical, administrative, and technical safeguards to protect Personal Data, as well as executing standard contractual clauses approved by the European Commission or a supervisory authority under GDPR, or obtaining your consent, where appropriate.

Your Rights

As required by the General Data Protection Regulation and applicable EU Member State and EEA state law, if you are located in the European Economic Area, you have a right to:

• Access your Personal Data, as well as information relating to the recipients of your Personal Data, the purposes of processing your Personal Data, the duration for which the Personal Data will be stored, and the source of Personal Data that has not been provided by you;
• Rectify or correct inaccurate or incomplete Personal Data concerning you, taking into account the purposes of the processing, and the right to have incomplete Personal Data completed;
• Move your Personal Data to another controller or processor. The HCA Data Portal will facilitate the lawful transfer of your data to the extent possible;
• Have your Personal Data erased in certain circumstances;
• Restrict the processing of your Personal Data in certain circumstances;
• Object to the processing of Personal Data in certain circumstances;
• Withdraw your consent to the processing of your Personal Data, should we ask for your consent for the processing of your Personal Data. The withdrawal does not affect the lawfulness of processing based on your consent before its withdrawal.
• Know whether your Personal Data is being used for automated decision-making, including profiling. In those cases, we will give you meaningful information about the logic involved, the significance and the envisaged consequences of such processing for your data, and the right to request human intervention; and
• Lodge a complaint with a supervisory authority.

We may be obligated to retain your Personal Data as required by U.S. federal or state law.

If you wish to exercise your rights, you can contact the HCA Data Portal contact identified below.

You may choose not to visit or use or participate in HCA Data Portal Services. If you choose not to share your Personal Data with us or HCA Data Portal third parties for HCA Data Portal Services your site usage will not be tracked and you will not be able to login to view controlled-access data. You will still be able to view and access open-access data. You may choose to set your web browser to refuse cookies or to alert you when cookies are being sent. If cookies are turned off the portal and browser will continue to function however Google Analytics tracking will not function.

Questions and Complaints

If you have questions or complaints about our treatment of your Personal Data, or have a request to delete your data, please feel free to contact data-help@humancellatlas.org.
Effective Date: This statement is effective as of July 12, 2022.

Privacy Notice for Human Cell Atlas Data Portal Public Website for Individuals outside of the European Economic Area

The Human Cell Atlas Data Portal is an unincorporated collaboration of the University of California, Santa Cruz and the Broad Institute without separate legal personality (the “HCA Data Portal”). This service is operated by the University of California, Santa Cruz and the Broad Institute.

This Privacy Notice explains what personal data is collected by the specific service you are requesting, for what purposes, how it is processed, and how we keep it secure. Note that this service collects personal data directly provided by the user, and also collects personal data from users that is provided by other organizations.

This statement is applicable to individuals using HCA Data Portal Services who are outside of the European Economic Area (“EEA”) and relates to how the HCA Data Portal holds data.

Your Personal Data We Use

Information you provide directly: HCA Data Portal collects personal information about you called Personal Data. We collect the following data from users of the service, some of which may be personal data:

• IP address
• Client operating system
• Browser version
• Date and time of a visit to the service website
• Statistics on web pages visited
• Referrer header

If support (without logging in) is requested by users of the service we also collect:

• Name
• Email address
• Organization
• Organizational affiliation
• Date and time when a support request is sent

If users login to the service we also collect:

• Name
• Email address
• Organization
• Organizational affiliation
• Website avatar
• Authorization refresh and access tokens

We also collect more sensitive information about you, where the processing is necessary to meet a legal or regulatory obligation, the processing is in connection with HCA establishing, exercising or defending legal claims, or is otherwise expressly permitted by applicable law. This sensitive information includes Aggregated transcriptomic and metadata, as well as individual-level transcriptomic and metadata [donor age, biological sex, disease, and sampled organ].

Log, Cookie and Device Data: We also collect log data, which is information collected whenever you visit a website. This log data includes your Internet Protocol address, device type, operating system, browser type and some settings, unique device identifiers, crash data, the date and time of your request, and information about how you used the Service. Depending on how you are accessing the Services, we may also use “cookies” (small text files stored by your computer when you visit our website) or similar technologies. We use Google Analytics. Google Analytics uses cookies to help track the users visit to the site. In addition to log and cookie data, we also collect information about the device you’re using to access the Services, including what type of device it is, what operating system you are using, device settings, unique device identifiers and crash data.

Whether we collect some or all of this information often depends on what type of device you are using and its settings. For example, different types of information are available depending on whether you are using a Mac or a PC, or an iPhone or Android phone. To learn more about what information your device makes available to us, please also check the policies of your device manufacturer or software provider.

Information from Other Sources: We do not obtain information about you from other sources and we do not combine that information with information we collect from you directly. We also obtain more sensitive information about you, with your explicit consent, where the processing is necessary to meet a legal or regulatory obligation, the processing is in connection with HCA establishing, exercising or defending legal claims, or is otherwise expressly permitted by applicable law.

How We Use Your Personal Data and the Lawful Basis for Such Processing

HCA Data Portal processes your Personal Data for the following purposes and bases:

• To provide you with access to the service.
• To develop, test and improve the service.
• To communicate with you regarding support requests.
• Processing and dealing with any complaints or inquiries made by you or legally on your behalf. We do this because it is in our legitimate interest as part of the services offered to you.
• We may also be required to disclose your Personal Data to authorities who can request this information by applicable law.

Recipients of Your Personal Data

HCA Data Portal may share your Personal Data with the following recipients:

• Service Providers: Vendors that need access to your Personal Data in order to provide HCA Data Portal Services. AWS CloudWatch may collect Personal data for the purposes of logging and monitoring.
• HCA Data Portal Partners and Collaborators: When permitted by law, HCA Data Portal may share Personal Data with EMBL-EBI in order to support the operation of the HCA Data Portal.
• Public and Governmental Authorities: Entities that regulate or have jurisdiction over HCA Data Portal such as regulatory authorities, law enforcement, public bodies, and judicial bodies.

We may also need to share your Personal Data as required to respond to lawful requests and legal process; to protect our rights and property and those of our agents, customers and others, including to enforce our agreements and policies; and in an emergency, to protect our institutions and the safety of our students, faculty and staff or any third party.

Security

The HCA Data Portal takes appropriate physical, administrative, and technical measures to protect Personal Data that are consistent with applicable privacy and data security laws and regulations.

Retaining and Deleting Your Personal Data

The HCA Data Portal will only retain your Personal Data for the duration necessary for the data collection purposes identified above, unless there is a legal requirement to maintain it for a longer period. Logs are Retained at minimum for a year to support on demand audit review, reporting requirement and after the fact security investigation.

Your Rights

You have a right to:

• Access your Personal Data, as well as information relating to the recipients of your Personal Data, the purposes of processing your Personal Data, the duration for which the Personal Data will be stored, and the source of Personal Data that has not been provided by you;
• Rectify or correct inaccurate or incomplete Personal Data concerning you, taking into account the purposes of the processing, and the right to have incomplete Personal Data completed;

We may be obligated to retain your Personal Data as required by U.S. federal or state law.

If you wish to exercise your rights, you can contact the HCA Data Portal contact identified below.

You may choose not to visit or use or participate in HCA Data Portal Services. If you choose not to share your Personal Data with us or HCA Data Portal third parties for HCA Data Portal Services your site usage will not be tracked and you will not be able to login to view controlled-access data. You will still be able to view and access open-access data. You may choose to set your web browser to refuse cookies or to alert you when cookies are being sent. If cookies are turned off the portal and browser will continue to function however Google Analytics tracking will not function.

Questions and Complaints

If you have questions or complaints about our treatment of your Personal Data, or have a request to delete your data, please feel free to contact data-help@humancellatlas.org.
Effective Date: This statement is effective as of July 12, 2022.