Privacy Notice
Effective Date: November 2025
Introduction
Veracyte, Inc. is committed to protecting your privacy. Personal Information means any data that identifies you or can be linked to you, such as your name, contact details, health records, genetic data, or how you interact with our services.
This Privacy Notice (“Notice,” previously referred to as the “Privacy Policy”) explains how we collect, use, share, and protect your Personal Information when you use our websites, products, and services (our “Services”). It also describes your privacy rights and choices, and how you can contact us with questions.
Under European privacy laws such as the EU GDPR, UK GDPR, and Swiss FADP, Veracyte is the Data Controller responsible for your Personal Information. We are located at 6000 Shoreline Court, Suite 300, South San Francisco, CA 94080, USA. If you have questions, please contact us at [email protected] or [email protected].
Scope
This Notice covers Personal Information we collect through our Services. However, there are items excluded from this Policy:
- Personal Information about Veracyte employees or contractors.
- Services under a separate written agreement (e.g., customer contracts, research collaborations) with us where the privacy terms in that agreement will govern the processing of your Personal Information for those services.
- Services ordered by a healthcare provider where HIPAA applies and Veracyte acts as a Covered Entity. In that case, you should see our HIPAA Notice of Privacy Practices. If you have questions about the Protected Health Information (“PHI”) shared with Veracyte by your healthcare provider, we encourage you to speak with your healthcare provider, as their HIPAA Notice of Privacy Practices will apply and is separate from ours.
Changes to This Notice
We may change this Notice to reflect changes in the law or our practices. When we do, we will update the date at the top. Please check this notice now and then to see how we protect your Personal Information.
Notice at Collection
When you use our Services, we collect these categories of Personal Information:
- Your contact details (like name, email address, phone number)
- Information about your device and online activity (such as IP address, cookie IDs, or browsing history)
- Payment information (if you purchase something)
- Health information (if you use our diagnostic tests)
- Location data (general location derived from your IP, or precise location if you allow it)
- Professional information (like job title, employer, or business contact details)
We use Personal Information for purposes that include:
- Provide and improve our Services (like performing tests and processing payments)
- Communicate with you (for example sending updates or answering questions)
- Improve our products and develop new ones (using information that does not identify you)
- Send you marketing materials, if you agree (you can opt out anytime)
- Follow laws, protect our business, and keep things secure (like preventing fraud and keeping records)
We do NOT sell Personal Information in exchange for money. However, under some laws like the California Privacy Rights Act (“CPRA”), “sale” and “share” may include disclosures for cross-context behavioral advertising, even if no money is exchanged. We may share certain personal identifiers and online activity data with third parties for advertising or analytics – this kind of sharing may be considered a “sale” or “share” under some privacy laws. You have the right to opt out of this sharing (see the “Your Privacy Rights” section below for how to do so).
Personal Information We Collect
We collect Personal Information from a few main sources:
- Directly from you: For example, when you fill out a form on our site, create an account, make a purchase (providing contact and payment information), or contact us for support, you give us Personal Information.
- Automatically from your device: When you use our Services, we collect Personal Information automatically via cookies and similar tracking technologies. For example, we get technical data like your IP address, browser type, and how you navigate our site or app.
- From third parties: We may receive Personal Information about you from others. For example, if your healthcare provider orders one of our tests for you, that provider gives us your Personal Information to perform the service. We might also get your Personal Information from business partners (e.g., co-sponsored events or marketing partners) or from public sources (if allowed by law).
- Cookies and tracking technologies: We use cookies, web beacons, and similar technologies to collect usage data from your browser or device. These help us understand how you interact with our Services, improve performance, and deliver relevant content. You can manage your cookie preferences via your browser settings or our “Your Privacy Choices” link. We honor Global Privacy Control (“GPC”) signals as valid opt out requests. However, we do not currently recognize or respond to older browser initiated “Do Not Track” signals. See the “Your Privacy Rights” section for more information.
Use of Artificial Intelligence (AI) and Machine Learning (ML)
We use computer tools, including Artificial Intelligence (AI) and Machine Learning (ML), to help with our tests and services.
- AI means computers can do things like analyze data or make suggestions.
- ML is a kind of AI that learns from data and improves over time.
- People at Veracyte always check AI or ML results before making important decisions.
- We do not use AI to make decisions about you without human review (“Automated Decision Making”).
How We Use Personal Information
We use Personal Information for purposes that include:
- To provide and improve our Services: This includes using your information to carry out the services or products you requested (for example, performing a diagnostic test and processing your results), to process payments, and to make our Services better and more reliable.
- To communicate with you: We use your contact information to send service-related updates and respond to your inquiries. For example, we might email you about a test result being ready or answer a question you sent to customer support.
- For research and development: We may use information (often in a form that does not directly identify you) to improve our existing products and develop new ones. This helps us enhance our testing services and create new innovations.
- For marketing (with your permission): We may send you promotional materials or newsletters about our products and upcoming events if you have agreed to receive them. You can unsubscribe or opt out of marketing messages at any time.
- For legal, security, and business operations: We use information as needed to comply with laws and regulations, to enforce our agreements and protect our legal rights, to detect or prevent fraud and security issues, and to operate our day-to-day business (such as performing audits and maintaining records).
- Social media features: Our Services may include social media features (e.g., Facebook “Like” or Twitter “Share” buttons). These features may collect your IP address and track your interaction with our site, especially if you are logged into your social media account.
- Third party links: Our site may also contain links to third-party websites. Veracyte is not responsible for the privacy practices of those external sites. We encourage you to review their privacy policies before providing any Personal Information.
- Legal basis for processing Personal Information: In jurisdictions such as the EU, UK, and Switzerland, we process Personal Information based on legal grounds including:
  - Performance of a contract (e.g., delivering diagnostic results)
  - Compliance with legal obligations
  - Our legitimate interests (e.g., improving services, fraud prevention)
  - Your consent (e.g., for marketing communications)
How We Share Personal Information
We may share your Personal Information with:
- Other Veracyte companies and trusted partners who help us provide services (like payment processing or lab work). These partners must protect your information and use it only for our work.
- Other companies if Veracyte is sold, merges, or is part of a business deal. We will keep your information safe in these cases.
- Event or marketing partners: If you register for an event, webinar, or promotion that we offer with another organization, we might share your Personal Information with that partner (we will let you know at the time of registration if this will happen). For example, if we co-host a medical conference and you sign up, both Veracyte and the partner might receive your registration details.
- Healthcare providers like your doctor, clinic, laboratory, or other healthcare providers needed to provide our Services. For example, when a physician orders a Veracyte test for you, we send the test results (and related information) back to that physician. In general, this kind of sharing with healthcare providers is part of providing our service to you and is permitted by privacy laws. We would only share your health-related information with other healthcare providers outside of this context with your authorization or if required/permitted by law.
- Legal authorities or others only if required by law, or to prevent fraud or protect safety. For example, in response to a court order, subpoena, or government request. We may also share information if we believe it is necessary to investigate or prevent fraud, security issues, or other harmful activities, or to protect the rights, property, and safety of Veracyte, our customers, or others.
We do not share Personal Information with third parties for their own marketing purposes without your consent. We do NOT sell Personal Information in exchange for money. Any sharing of data for advertising or analytics is done as described above and can be controlled by you (see “Your Privacy Rights” below for opt-out options).
Your Health Information and Diagnostic Services
When we provide clinical services like diagnostic tests (for example, a genomic test that your doctor orders), additional privacy laws may apply to your health information.
- Your healthcare provider’s role: Your provider or doctor is responsible for telling you about your test and getting your consent. If you have questions about what your doctor or provider shared with us, we encourage you to speak to your doctor or provider.
- Performing tests: If your healthcare provider orders a Veracyte test for you, we receive Personal Information about you from that provider (this can include your identifying details and relevant medical history, as well as your specimen sample). We use this information to perform the test and analyze your sample. After the test is completed, we prepare a report of the results. We then share your test results and analysis with the ordering provider (typically, your doctor). In some cases, we may also provide results directly to you, if required by law or if you request it, but usually your provider will explain the results to you.
- Additional privacy laws: Personal health information related to our diagnostic services is protected by health-specific privacy laws like the Health Insurance Portability and Accountability Act (“HIPAA”) in the U.S. Where HIPAA applies, we will only use your personal health information for treatment, payment, or healthcare operations. We do not use your health information for marketing or sell it. Please see our HIPAA Notice of Privacy Practices. There may be additional privacy laws that also cover the privacy and security of your personal health information. We will follow these laws where they apply to your personal health information.
- Use of data and samples for research (de-identified): Sometimes, after your test, we may use your information or leftover sample for research or to improve our services. We de-identify this data by removing details that directly identify you. Once your data is de-identified, it is no longer Personal Information. We may use this de-identified information for research or quality checks. If the law says we need your consent, we will ask you. To be clear, we will never use your identifiable health information for any new or additional purposes beyond providing your test and related services unless we have a lawful basis to do so and, when required, your consent.
California Privacy Rights (CPRA) Notice
If you are a California resident, you have specific privacy rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). This section provides some information for California residents in line with those laws.
In the past 12 months, we have collected all the categories of Personal Information listed in the “Notice at Collection” section above. We have used and disclosed that information for the business purposes described in this Notice. We have not sold Personal Information in exchange for money, and we do not knowingly sell or share Personal Information of individuals under 16 years of age. We have “shared” (as defined by California law) certain identifiers and internet or device information with third parties for advertising purposes, as described earlier (for example, via cookies for analytics and ads).
California Residents’ Privacy Rights
- Right to Know: Request details about what Personal Information Veracyte has about you, including what was collected, its sources, and who it was shared with.
- Right to Delete: Ask Veracyte to delete Personal Information collected from you.
- Right to Correct: Request correction of inaccurate Personal Information.
- Right to Opt Out: Opt out of the sale or sharing of your Personal Information.
- Right to Limit Use: Limit certain uses of sensitive Personal Information.
- Right to Non-Discrimination: You won’t be treated differently for exercising your privacy rights.
- How to Exercise Rights: Use the contact methods provided (email or phone) to make requests; Veracyte will fulfill them according to California law.
- Opt-Out Signals Honored: Veracyte honors browser-based opt-out signals (like Global Privacy Control) as valid requests to opt out of sale/sharing.
- Right to Appeal: If we decline to act on a privacy request you submitted (for example, we cannot fulfill your request to delete or provide data due to an exemption), you have the right to appeal our decision. To submit an appeal, please email us at [email protected] with the subject line “Privacy Request Appeal” and include details of your original request and our response. We will review your appeal and respond within the time frame required by law. If we ultimately deny your appeal, we will inform you of the reason and provide information on how you may further escalate the issue – for instance, by contacting your state’s Attorney General or privacy regulator.
(Note: If you are a California resident, please refer to the entire Notice, as it is intended to comply with CCPA/CPRA requirements.)
California Employment Applicant Privacy Notice
This section applies to job applicants, candidates, and prospective employees who are California residents. It supplements the general Veracyte Privacy Notice and is provided in accordance with the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA).
Categories of Personal Information Collected
We may collect personal information such as your name, contact details, address, employment and education history, information provided in your application or resume, references, and any other information you choose to provide during the recruitment process.
Purpose of Collection and Use
We use this information to evaluate your application, communicate with you, conduct background checks, comply with legal obligations, and manage recruitment and hiring processes.
Retention
If hired, your data will be retained for the duration of employment plus a period required by law. If not hired, your data will be retained for a period required by law after the position is filled or after receipt of your information.
Your Rights
As a California resident, you have the right to request access to, correction of, or deletion of your personal information, and to exercise other rights as described in this Notice. You will not be discriminated against for exercising your privacy rights.
State-Specific Privacy Laws
Veracyte is committed to complying with all applicable U.S. state privacy laws that grant rights to consumers regarding their Personal Information. If you reside in a state with a comprehensive consumer privacy law—such as laws modeled after the California Consumer Privacy Act (CCPA) or similar frameworks—you may have rights that include, but are not limited to, the right to access, delete, correct, and opt out of certain data uses (such as targeted advertising or profiling).
We will honor valid privacy requests from residents of any U.S. state or applicable jurisdiction where such rights are recognized by law. These rights can be exercised using the contact methods provided in the “Your Privacy Rights” section above. We will not deny you our Services or provide a different level of service if you choose to exercise your rights, except as permitted by applicable law.
This Notice will be updated as needed to reflect changes in our practices or legal obligations, but we do not list individual states to ensure the notice remains current and broadly applicable.
International Data Transfers
Veracyte is headquartered in the United States. If you use our services from outside the U.S., your Personal Information may be transferred to the U.S. or other countries that may have different privacy laws (under European privacy laws, these are called “cross border transfers”). We take steps to ensure that these transfers comply with applicable data protection laws and that your Personal Information remains protected. Under privacy laws outside of the United States, the term Personal Data is used instead of Personal Information. They have the same meaning in this Notice.
Roles with International Data Transfers
Most of the time, Veracyte acts as the Data Controller (“Controller”). Under European privacy laws, this means we decide why and how your Personal Information is used. We work with trusted partners who act as Data Processors (“Processor”). Under European privacy laws, these Processors must handle your Personal Information only under our instructions and cannot use it for their own purposes.
When Veracyte transfers your data internationally, we generally act as the Controller and use Processors to help provide Services.
How We Protect Your Personal Information During Transfers
When transferring Personal Information internationally, Veracyte uses legally recognized safeguards, including incorporating legally binding international data transfer contracts when we lawfully share Personal Information with third parties who have a lawful basis to your Personal Information. A type of contract primarily used is the European Union Standard Contractual Clauses (“EU SCCs”). This type of contract is used when the recipient country does not have the same level of data protection (known as an “adequacy decision”).
- For the EU SCCs, please click here for a copy.
- For the UK GDPR, please click here for a copy.
- For the Swiss FADP SCCs, no official document has been issued by the Swiss privacy authorities, but you may request a copy of documentation from us by emailing us at [email protected] or [email protected].
Additional Safeguards for Data Transfers
Where required, we implement additional technical and organizational safeguards—such as encryption, pseudonymization, and access controls—to address risks identified by European regulators and comply with guidance from the European Data Protection Board (EDPB), EU Data Protection Authorities, UK ICO, and Swiss privacy authorities.
Transparency and Your Data Transfer Rights
You have the right to request a copy of the relevant SCCs or information about how your data is protected during international transfers.
Please contact us at [email protected] or [email protected] for more details.
Your Privacy Rights
Depending on where you live or as defined by applicable privacy law, you may have the following rights regarding your Personal Information. We will honor and facilitate these rights in accordance with applicable privacy laws:
- Access: You have the right to request access to the Personal Information we have collected about you. This includes the right to ask for confirmation that we are processing your information and obtaining a copy of the information we have.
- Appeal: You have the right to appeal a decision made on your privacy right. Your appeal will be reviewed by individuals not involved in the original decision. We will respond within the timeframe required by law, and if your appeal is denied, we will explain the reason and provide information on further escalation options.
- Correction: You have the right to request that we correct or update any Personal Information about you that is inaccurate or outdated.
- Deletion: You have the right to request that we delete the Personal Information we collected from you. (Please note there may be exceptions – for example, we might retain certain information if required for legal obligations or internal purposes such as fraud prevention.)
- Limit Use of Sensitive Personal Information: If you have provided sensitive Personal Information (for instance, precise geolocation, genetic data, or certain health information), in some cases you can ask us to limit how we use or disclose that information beyond the purposes allowed by law. (In practice, Veracyte only uses sensitive information for necessary purposes related to providing our Services or as otherwise permitted by law.)
- Non-Discrimination: You have the right not to be discriminated against for exercising any of your privacy rights. In other words, we will not deny you services, charge you a different price, or provide you with a lower quality of service just because you exercised your privacy rights.
- Opt-Out of Automated Decision Making: You can ask us not to use automated tools to make decisions about you without human review if this applies to your Personal Information. Currently, we do not use Automated Decision Making.
- Opt-Out of Sale/Sharing: You have the right to opt out of the “sale” of your Personal Information or the sharing of your Personal Information for targeted advertising purposes.
- Global Privacy Control (“GPC”) Universal Privacy Opt Out: GPC is a browser setting or extension that automatically tells websites not to sell or share your Personal Information. When you enable GPC, your browser sends this signal to every site you visit – including Veracyte – so you don’t have to opt out individually on every single website. We honor GPC signals as a valid opt-out request. However, we do not currently recognize or respond to older browser “Do Not Track Signals.” You can turn on GPC in your browser or by installing a browser extension. For more information, visit globalprivacycontrol.org/faq. You can also contact us directly to request to opt out. Once you opt out, we will not sell or share your Personal Information for those purposes unless you later choose to opt in.
Expanded Privacy Rights (under EU/UK/Swiss privacy laws)
If you reside in the EU, UK, Switzerland or jurisdictions that provide expanded privacy rights, you may also have the:
- Right to object to processing (e.g., for direct marketing)
- Right to restrict processing under certain conditions
- Right to data portability (receive your data in a structured format)
- Right to lodge a complaint with your local data protection authority
Protecting Others’ Privacy and Confidentiality
When we fulfill privacy requests, we will not share information that would violate the privacy of other individuals or disclose confidential business information.
How to Exercise Your Privacy Rights:
To make any privacy request (such as accessing or deleting your data) or to ask us a question about your privacy, you can contact us in any of the following ways:
- Email: Send an email to [email protected] with your request. (For example, you can use the subject line “Privacy Request” and let us know what you need.) If you are an EU, UK, or Swiss resident, you may email us at [email protected].
- Phone: Call us toll-free at 1-844-558-8372 and let us know what type of request you would like to make.
Excessive Requests:
If you submit numerous or repeated privacy requests, we may charge a reasonable fee or decline to process your request, as permitted by law.
Verification of Your Identity:
If you submit a request, we will need to verify your identity before we proceed. For example, we might ask you to confirm some basic information we already have on file (to ensure we’re dealing with the correct person). We will never ask for new Personal Information to verify your identity.
Someone Acting on Your Behalf:
If you use an authorized agent (someone acting on your behalf) to make the request, we may ask that agent to show proof of authorization and also verify your identity directly with us. These steps are designed to protect your information from unauthorized access or deletion.
Timeframe for Fulfilling Your Privacy Rights:
We will respond to legitimate requests within the timeframe required by law (for instance, California law generally requires a response within 45 days). If we need more time or cannot fulfill part of your request due to a legal exception, we will let you know and explain the reason. For opt-out of sale/sharing requests submitted through our website, we will honor them as required, and if you have enabled an opt-out preference signal like the GPC in your browser, our site will recognize and respect it automatically.
Data Security
We take appropriate technical and organizational measures to secure your Personal Information and protect it from unauthorized access, loss, or misuse. Examples of technical safeguards include data encryption, audit logging and monitoring, and network security. Examples of organizational safeguards include employee training and data handling policies. However, please understand that no security method is perfect or 100% foolproof. While we strive to protect your data, we cannot guarantee absolute security of Personal Information, especially during transmission over the internet.
Data Retention
We keep your personal information only as long as needed for the reasons it was collected or required by law. For example, we might keep certain transaction records for tax and accounting purposes or retain contact information to manage your preferences. When we no longer need it, we delete it or remove details that identify you.
Children’s Privacy
Our services are not for children under 16. We do not collect information from anyone under 16 without consent. If we find out we have information from a child under 16, we will delete it.
Your continued use of our Services after we publish an updated Notice will signify that you have read and understood the latest version of the Notice.
Contact Us
If you have questions or concerns about this Notice or your Personal Information, please contact us:
- Email: [email protected]
- Mailing Address: Veracyte, Inc. – Privacy Office, 6000 Shoreline Court, Suite 300, South San Francisco, CA 94080, USA
If you are in the European Union, United Kingdom, or Switzerland, you should contact our Data Protection Officer (DPO):
- Email: [email protected] or write to Veracyte c/o Fieldfisher (EU Data Protection Office), Amerigo-Vespucci-Platz 1, 20457 Hamburg, Germany.
Thank you for reading our Notice. We value your trust and are committed to safeguarding your privacy.