Privacy Notice

THIS NOTICE DESCRIBES HOW CLINICAL REFENCE LABORATORY, INC. AND THE AFFILIATED BUSINESSES IT MANAGES (“CRL,” “we,” “our,” or “us”) COLLECTS PERSONAL INFORMATION FROM OR ABOUT YOU when you RECEIVE SERVICES from us or use our websites, applications, social media networks, interactive features, and other services that link to this Notice (our “Platforms”), HOW SUCH INFORMATION MAY BE USED AND DISCLOSED, AND YOUR RIGHTS WITH RESPECT TO SUCH INFORMATION. PLEASE REVIEW THIS NOTICE CAREFULLY.

Residents of certain jurisdictions or states may have specific rights under laws of those jurisdictions. Please click on the links below to see information that is specific to the following jurisdictions:

• EU Privacy Rights
• California

WHY DO WE COLLECT INFORMATION ABOUT YOU?

We provide laboratory testing and related services in the United States, including, without limitation, testing for health and wellness, toxicology, and risk assessment purposes. We collect information about you to provide our services.

WHAT INFORMATION DO WE COLLECT ABOUT YOU?

We receive Personal Information on your consent form or chain of custody when you provide blood, urine, or saliva sample(s) for laboratory testing or when you request laboratory testing from us.

“Personal Information” is data which identifies, describes, is associated with, or could be used to identify you either on its own or in combinations with other readily available data such as your name, birthdate, postal address, email address, telephone number, driver’s license, SSN or government issued identification number, as well as your computer’s IP address, photographs, biometric or geolocation information, or the like.

 

Personal Information does not include anonymous or aggregated data that can no longer be used to identify a specific person, even if combined with other data. We also do not consider business information, such as a person’s business title, employer’s name, work email, work phone number, work address, and other similar information to be Personal Information.

Additionally, the following types of information are not considered Personal Information:

• publicly available information from government records; or
• information excluded from the applicable data privacy law’s scope, including but not limited to PHI covered by HIPAA, information derived from PHI that is de-identified in accordance with HIPAA, and Personal Information we handle in our capacity as a service provider to a business.

If we combine non-personally identifiable information with Personal Information, we will treat such information appropriately, but not all rights may apply to the non-personally identifiable information portion.

HOW WILL WE USE INFORMATION ABOUT YOU?

We may use your information as permitted or required by law. Some of the contexts in which we may use your information include in connection with:

• to fulfill the purposes for which the information was provided (e.g., to provide a service or perform on a contract);
• to identify you in order to respond to requests, provide services or products, personalize information we provide to you, or otherwise as described below;
• to communicate with you about your account or our relationship, such as making announcements about the Platforms or our privacy policies and terms;
• to send push notifications and other information through our Platforms;
• to design, improve and administer our Platforms
• to audit and measure user interaction with our Platforms, so we can improve the relevancy or effectiveness of our content and messaging;
• to develop and carry out marketing, advertising and analytics;
• to provide texts or emails containing information about our products or services, or events or news, that may be of interest to recipients, as permitted by law;
• to deliver content and products or services relevant to your interests, including targeted ads on third party sites;
• to detect security incidents or monitor for fraudulent or illegal activity;
• to enable security measures (such as, to protect our Platforms, customers, and business partners);
• debugging to identify and repair errors;
• to protect our rights and to protect your safety or the safety of others;
• to investigate fraud or respond to government inquiries;
• to complete corporate transactions (from time to time, we sell, buy, merge or otherwise reorganize our businesses, and these corporate restructurings may involve disclosure of Personal Information to prospective or actual purchasers, or the receipt of it from sellers);
• to comply with laws, regulations or other legal process; or
• otherwise use your Personal Information with your consent.

We may also use your Personal Information to:

• provide you with the services and products you request or that have been ordered and/or requested by your healthcare provider;
• process or collect payments for our services; or
• respond to your questions and otherwise provide support you request.

We may use Precise Location Data from your device in accordance with the device’s consent process on some of our Platforms to help us improve your user experience and provide information that is relevant to you, such as nearby collection locations.

When you choose to print or email one of your results from within one of our Platforms, the result file is temporarily stored on your mobile device to aid in more efficient delivery of your result.  The result file will be deleted from your mobile device storage once the action of printing or emailing is complete.

We will only disclose as much information as is necessary to accomplish the described purpose.

You may revoke any authorization you sign at any time. If you revoke your authorization, we will no longer use or disclose your Information except to the extent we have already taken action based on your authorization.

RETENTION OF INFORMATION 

CRL retains your Personal Information only for as long as is necessary for our legitimate business purposes. We will retain and use your Personal Information to the extent necessary to comply with our legal, accounting, or reporting obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes and enforce our legal agreements and policies. Additionally, we may continue to store your Personal Information contained in our standard back-ups. We may maintain your information on computers located outside of your state, province, country or other governmental jurisdiction where the data protection laws may differ than those from your jurisdiction. This applies to all categories of Personal Information in use by us.

SELLING/SHARING YOUR INFORMATION 

We do not sell Personal Information. We may disclose your information for the purpose of providing services to you or for the purpose of targeted or cross-context advertising (under California law, this is called “Sharing”):

We may provide your information to our partners to assist us in operating this site, transacting business, and communicating with you. When we do so, we will exercise reasonable care to ensure such partners are prohibited from using information for any other reason and it is maintained securely and privately.

We may disclose your information if we determine disclosure is reasonably necessary to enforce our contracts, this notice, or to otherwise protect our operations, clients, or users.

We may release your information to others (including law enforcement) if we believe such release is reasonably necessary to comply with the law or legal process; enforce or apply the terms of applicable terms of use; detect, prevent, or otherwise address fraud, security, or technical issues; or otherwise protect the rights, property, or safety of others.

We may sell, transfer, and/or disclose your information for lawful purposes, including as part of a business divestiture, sale, merger, or acquisition of all or a part of our business. If another company acquires our company, business, or assets, that company will possess the Personal Information collected by us and will assume the rights and obligations regarding your information as described in this notice. In the event of our insolvency, bankruptcy, or receivership, your Personal Information may also be transferred as a business asset.

SECURING YOUR INFORMATION

CRL takes appropriate measures to protect Personal Information in its possession to ensure a level of security appropriate to the risk of loss, misuse, unauthorized access, disclosure, alteration, and destruction. These measures take into account the nature of the Personal Information and the risks involved in its processing, as well as best practices in the industry for security and data protection.

CRL has adopted physical, technical, and administrative measures that are designed to prevent unauthorized access or disclosure, maintain data accuracy, and ensure appropriate use of Personal Information.

You can help ensure the security of your Information by: 1) logging out of the Platform and closing your browser window, and 2) not divulging your password to anyone. We will never ask you for your password in an unsolicited phone call or in an unsolicited email.

RIGHTS REGARDING YOUR INFORMATION

Depending on where you live, you may have certain rights with respect to your Personal Information that we have collected and used under certain circumstances. This section generally describes these rights and explains how to exercise those rights. The availability of these rights is dependent on your jurisdiction’s privacy laws. Please review your jurisdiction’s privacy laws to determine which rights are available to you.

 

Should you make a request pursuant to your Rights listed above, you can expect the following:

• We will ask to verify your identity. You will need to provide us with certain information such as your name, email address, physical address, or other information, as relevant, so that we can verify that you are who you say you are. Such information may depend on the type and sensitivity of information requested.
• We will confirm our receipt of your request within 10 days. If you have not received a response within a few days after that, please let us know by contacting us at the webpage or phone number listed below.
• We will respond to your request within 45 days. If necessary, we may need additional time to respond, up to another 45 days, but we will reply either way within the first 45-day period and, if we need an extension, we will explain why.
• In certain cases, a Request may be denied. For example, if we cannot verify your identity or if providing you the information could create an unreasonable risk to someone’s security (for example, we do not want very sensitive information disclosed inappropriately). If we deny your request, we will explain why we denied it. If we deny a request, we will still try to provide you as much of the information as we can, but we will withhold the information subject to denial.

FILE A COMPLAINT OR CONTACT US

For more information about this notice, our privacy policies, to exercise any of your rights, as listed on this notice, or if you want to request a hardcopy of our current notice of privacy practices, contact:

Clinical Reference Laboratory, Inc.
Attn: Privacy Officer
8433 Quivira Road
Lenexa, KS 66215
Call (866) 924-5267
privacy@crlcorp.com

CHANGES TO OUR PRIVACY POLICY

We reserve the right to change our privacy practices, as described in this notice, at any time. We reserve the right to apply these changes to any Personal Information which we already have, as well as to Personal Information we receive in the future. Before we make any change in the privacy practices described in this notice, we will post a new notice with the changes at https://www.crlcorp.com/notice-of-privacy-practices. The new notice will include an effective date.

EFFECTIVE DATE AND NOTIFICATION OF CHANGES

This Privacy Policy is effective as of August 6, 2025, and is reviewed periodically. We reserve the right to change this Privacy Policy at any time. If we materially change this Privacy Policy, we will post a prominent notice on this Website. Changes are effective as of the date we post them on the Privacy Policy page of this Website. We encourage you to periodically review this Privacy Policy.

CALIFORNIA CONSUMER PRIVACY ACT AND CALIFORNIA PRIVACY RIGHTS ACT 

The California Consumer Privacy Act (CCPA), which has been amended by the California Privacy Rights Act (CPRA), is a law intended to enhance privacy rights and consumer protection for residents of the state of California. The CCPA and CPRA apply to certain business entities that do business in California. For further details on the types of Personal Information we have collected about you, the sources of that information, how we use the information (e.g., our business or commercial purposes for collecting or selling Personal Information), other individuals and business with whom we share Personal Information, and the specific pieces of Personal Information that we have collected about you, please visit the Information We Collect section above.

The following rights apply to all California residents (but not including legal entities, such as companies):

If you are a California resident, you have certain rights regarding your Personal Information that is covered under the CCPA. Please review each of the rights, below, and the section that follows for more information applicable to these rights.

• The Right to Know
• The Right to receive (“access”) a copy of your Personal Information
• The Right to Correct
• The Right to request deletion of your Personal Information
• The Right to opt out of certain disclosures (“sharing”) of your Personal Information (for more information about your right to opt-out, please see our notice of Right to Opt-Out)
• The Right to limit the use or disclosure of your sensitive Personal Information. We collect sensitive Personal Information either (i) when we collect your IP address when you visit a website related to your health information or (ii) if you are an employee or contractor of CRL. Please view our cookie notice With regard to subsection (ii), we do not use your sensitive Personal Information for any purpose that is subject to limitation. In addition, we may collect sensitive Personal Information as part of protected health information. Please note that such sensitive Personal Information is subject to our HIPAA Notice of Privacy Practices and not subject to the CPRA. For more information on how we use and disclose your protected health information, please visit CRL’s Notice of Privacy Practices.

These rights will not apply, however, if CRL does not collect any Personal Information about you or if all of the information we collect is exempt from the statute (for example, the CCPA and CPRA do not protect information that is already protected by certain other privacy laws such as HIPAA and do not protect information that is already publicly available).

Requests under CPRA

To make a request under the CPRA you may:

Use the applicable online forms above or Contact Us

“Shine the Light” Law

Under California Civil Code Section 1798.83, California residents with whom we have an established business relationship are entitled to request and receive, free of charge, once per calendar year, information about the Personal Information we shared, if any, with other businesses for their own direct marketing uses during the prior year.

EUROPEAN PRIVACY RIGHTS – DATA PRIVACY FRAMEWORK FOR EU-U.S. AND UK EXTENTION 

CRL complies with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF as set forth by the U.S. Department of Commerce (collectively, the “Frameworks”). CRL has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (“EU-U.S. DPF Principles”) with regard to the processing of Personal Information received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/. The U.S. Department of Commerce Data Privacy Framework List is available https://www.dataprivacyframework.gov/s/participant-search.

Rights

Individuals whose Personal Information is covered by the EU Data Privacy Framework policy have the right to access the Personal Information that CRL maintains about them as specified in the EU-U.S. DPF Principles. Individuals may contact us to correct, amend or delete such Personal Information if it is inaccurate or has been processed in violation of the EU-U.S. DPF Principles (except when the burden or expense of providing access, correction, amendment, or deletion would be disproportionate to the risks to the individual’s privacy, or where the rights of persons other than the individual would be violated). Individuals may also have the right to limit the use and disclosure of their Personal Information (opt out) under certain circumstances, such as marketing. Requests to access, correct, amend, delete, or limit the use and disclosure of Personal Information (opt out) may be submitted as set forth in the RIGHTS REGARDING YOUR INFORMATION section above.

Accountability for Onward Transfers

Under the Frameworks, we are responsible for the processing of Personal Information that we receive from our customers and subsequently transfer to a third party acting as an agent on our behalf. We comply with the EU-U.S. DPF Principles for all onward transfers of Personal Information from the EU and United Kingdom (UK), including the onward transfer liability provisions.

ARBITRATION AND ENFORCEMENT

With respect to Personal Information received or transferred pursuant to the Frameworks, we are subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, we may be required to disclose Personal Information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

In compliance with the DPF Principles, CRL commits to resolve DPF Principles related complaints about our collection or use of your Personal Information. Individuals with inquiries or complaints regarding our DPF Policy should first contact CRL's US Privacy Office. CRL has a policy of responding to individuals within forty-five (45) days of an inquiry or complaint.

 

If you do not receive timely acknowledgement of your DPF Principles related complaint from us, or if we have not addressed your DPF principles related complaint to your satisfaction you may contact our U.S. based third party dispute resolution provider (free of charge), JAMS.

 

If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may be able to invoke binding arbitration for some residual claims not resolved by other redress mechanisms.

See https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf for further information.