EU 10x Product Privacy Notice
The 10x Genomics Group (“10x”, “we”, “us” or “our”) is committed to the responsible handling and security of personal data and all information entrusted to us. We will process personal data only in accordance with applicable data protection laws, specifically the European Union (EU) General Data Protection Regulation (GDPR).
The purpose of this EU 10x Product Privacy Notice and its Annexes (“Privacy Notice”) is to inform you about how we process your personal data through your use of our software product(s) and associated services as described in the 10x End User Software License and 10x Genomics Cloud Service Terms (collectively “Software Product(s)”) (and sections 2 and 3 and/or applicable Annex(es) herein).
Moreover, this Privacy Notice and its Annexes provide information about the recipients of your personal data (section 4), international data transfers (section 5), erasure of your personal data and retention periods (section 6), your data subject rights (section 7) and about automated decision-making (section 8).
1. Data controller and Data Protection Officer
We are made up of different legal entities, details of which can be found here, which we refer to collectively in the following as the 10x Genomics Group. This Privacy Notice is issued on behalf of the 10x Genomics Group, so when we mention “10x”, “we”, “us” or “our” in this Privacy Notice, we are referring to the relevant group company in the 10x Genomics Group which is the controller for the processing of your personal data. Unless specified otherwise in the Annexes to this Privacy Notice, the data controller for the processing of personal data is:
10x Genomics, Inc. 6230 Stoneridge Mall Road Pleasanton, CA 94588-3260 USA DPO: Eunice Lau Telephone: +1 (925) 401-7300
Our Data Protection Officer can be contacted at privacy@10xgenomics.com.
2. Categories of personal data processed
Unless specified otherwise in the Annex(es) to this Privacy Notice applicable to our Software Product(s), we process the following personal data in the context of your use of our Software Product(s):
- User metadata: city, region and country for each user of our Software Product(s); device; OS; browser type, screen resolution;
- User activity: information about how each user interacts with the Software Product(s) interface.
Please refer to the Annex(es) to this Privacy Notice applicable to our Software Product(s) for specific information on which categories of personal data are processed.
3. Purposes for which your personal data will be processed and legal bases for processing
Unless specified otherwise in the Annex(es) to this Privacy Notice applicable to our Software Product(s), the purposes for which your personal data will be processed and legal bases for processing are as follows:
The processing of your personal data as set forth in section 2 is based on Art. 6(1)(b) GDPR, if the use of our Software Product(s) is related to the execution of a contract or if it is necessary to carry out pre-contractual measures. Otherwise, the processing of your personal data is based on Art. 6(1)(f) GDPR for the purposes of our legitimate interest to enable us to provide you with our Software Product(s). The provision of your personal data is necessary to enable your use of the features of our Software Product(s). If you have provided your consent during the use our Software Product(s), we may also process your personal data on the basis of Art. 6(1)(a) GDPR. Please refer to the Annex(es) to this Privacy Notice applicable to our Software Product(s) for specific information on the purposes for which your personal data will be processed and the legal bases for such processing.
4. Transfer of personal data to recipients We will transfer personal data to third parties only to the extent necessary for the provision of our Software Product(s).
For the purposes set out in this Privacy Notice and unless specified otherwise in the Annexes, we will also transfer personal data to service providers and other third parties who work for us or otherwise assist us in providing our Software Product(s) to you. In addition to having a statutory obligation to comply with all applicable data protection requirements, these service providers are also bound, if applicable, by further contractual obligations agreed with us. This includes, in particular, the obligations set out in Art. 28 GDPR, if the respective recipient of personal data acts as data processor on our behalf. The categories of recipients to whom we may transfer personal data are:
- Group companies of the 10x Genomics Group as set forth in section 1 for the provision of our Software Product(s).
- Third-party provider(s) of IT services for development, hosting, maintenance, of our Software Product(s) and cloud service providers.
Please refer to the Annex(es) to this Privacy Notice applicable to our Software Product(s) for specific information on personal data to recipients.
5. International data transfers When using our Software Product(s) and unless specified otherwise in the Annexes to this Privacy Notice, your personal data may be transferred to countries outside of your country of residence, including the U.S., which may have data protection rules that are different from those of your country. In certain circumstances, courts, law enforcement agencies, regulatory agencies or security authorities in those other countries may be entitled to access your personal data. Some of the non-EU/EEA countries are recognized by the European Commission as providing an adequate level of data protection according to EU/EEA (the full list of these countries is available here). For transfers from the EU/EEA to countries not considered adequate by the European Commission, we have put in place adequate measures to protect your Personal Information, including the use of standard contractual clauses that have been approved by the European Commission. You can obtain a copy of those standard contractual clauses here. You may obtain further information by contacting us under the contact details provided in section 1.
For more information about international data transfers and the implemented safeguards, please contact us at privacy@10xgenomics.com.
6. Erasure of your personal data and retention periods Unless specified otherwise in the Annexes to this Privacy Notice, we will erase your personal data according to standardized processes when your personal data is no longer necessary for the processing in relation to the purposes (Art. 5(1)(e) GDPR) or, in the event that you have objected to their processing and unless we have a compelling legitimate interest to the contrary or, in the event that you have withdrawn your consent, if there is no other legal basis for their processing. In certain cases, e.g., if statutory retention periods apply, your personal data will be first restricted and then erased following the expiration of the retention period.
7. Your data subject rights
You as a data subject have the right to obtain confirmation as to whether or not personal data about you is processed by us and, where that is the case, to request access to the personal data we hold about you and the right to obtain a copy of the personal data undergoing processing (Art. 15 GDPR). If inaccurate personal data are being processed, you have a right to rectification (Art. 16 GDPR). If the statutory conditions for this are met, you have the right to request erasure or restriction of processing of your personal data (Art. 17 und 18 GDPR).
If the processing is based on your consent pursuant to Art. 6(1)(a) or Art. 9(2)(a) GDPR, you have the right to withdraw your consent at any time with effect for the future (Art. 7(3) GDPR). Please note that the withdrawal of your consent does not affect the lawfulness of the processing prior to its withdrawal. Please refer to the Annex(es) to this Privacy Policy applicable to your Software Product(s) for more information on how to withdraw your consent.
If the processing is based on your consent or your personal data is processed for the performance of the contract with you and the processing is carried out by automated means, you have the right to data portability regarding personal data you provided to us (Art. 20 GDPR).
You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data about you which is based on our legitimate interest pursuant to Art. 6(1)(f) GDPR (Art. 21(1) GDPR).
If you wish to exercise your data subject rights, you can contact our Data Protection Officer (using the contact details provided in section 1).
Moreover, you have the right to lodge a complaint with the competent supervisory authority. However, if you have any queries or complaints on the subject of data protection, please do not hesitate to first contact our Data Protection Officer (using the contact details provided in section 1). Insofar as we process your personal data, as described above and unless specified otherwise in the Annexes to this Privacy Notice, you are not contractually or legally obliged to provide us with your personal data. Without your personal data we may not be able to provide our Software Product(s) and associated functionalities to you.
8. No automated individual decision-making
No automated individual decision-making Unless specified otherwise in the Annexes to this Privacy Notice, we will not use your personal data for automated individual decision making within the meaning of Art. 22(1) GDPR.
9. Changes to this Privacy Notice
We will continually review and update this Privacy Notice to accommodate any changes in the law, business decisions or technical progress.
Back to topSoftware Product Annexes
Annex 1
Xenium Explorer Annex
In addition to the main body of this Privacy Notice, the following information relates specifically to the processing of personal data in the context of your use of Xenium Explorer.
-
Categories of personal data processed:
In addition to the categories of personal data set forth in section 2 of the main body of this Privacy Policy, we will also process the following categories of personal data:
- Unique User IDs;
- Experimental metadata: slide ID; panel design ID and gene list for datasets opened in Xenium Explorer;
- Key run statistics: run start time; cell count, transcript count for datasets opened in Xenium Explorer; and
- Xenium Explorer activity: image type imported; number of channels in image and image type; number of key points used, user interface elements used, etc.
-
Purposes for which your personal data will be processed and legal bases for processing
In addition to the purposes set forth in section 3 of the main body of this Privacy Notice, we will process the above personal data for the following purposes:
- Business insights and product improvements: We process your personal data to generate insights into our business operations as well as to improve our Software Product(s). This processing is based on Art. 6(1)(f) GDPR for the purposes of our legitimate interest to enable us to enhance our business strategies, operations, and providing you with up-to-date Software Product(s).
-
Transfer of personal data to recipients
In addition to the recipients set forth in section 4 of the main body of this Privacy Notice, we will also transfer personal data to the following third parties to the extent necessary for the provision of Xenium Explorer:
- Provider(s) for product analysis
- Cloud-based data warehousing platform
- Provider(s) for error monitoring and troubleshooting
-
Erasure of your personal data and retention periods
- Personal data will be erased in accordance with section 7 of the main body of this Privacy Notice. Personal data in particular are deleted or anonymized at the latest after the storage period of 5 years in Mixpanel. For details, please click the following link: https://mixpanel.com/legal/privacy-policy/.
Annex 2
Loupe Browser and Loupe VDJ Browser Annex
In addition to the main body of this Privacy Notice, the following information relates specifically to the processing of personal data in the context of your use of Loupe Browser and Loupe VDJ Browser.
-
Categories of personal data processed:
In addition to the categories of personal data set forth in section 2 of the main body of this Privacy Notice, we will also process the following categories of personal data:
- Unique User IDs;
- Experimental metadata: Visium slide ID;
- Key dataset statistics: chemistry, platform, organism, library types, pipeline version, etc.
- Loupe Browser activity: image type imported; reclustering settings, data export settings, differential expression settings, user interface elements used, etc.
-
Purposes for which your personal data will be processed and legal bases for processing
In addition to the purposes set forth in section 3 of the main body of this Privacy Notice, we will process the above personal data for the following purposes:
- Business insights and product improvements: We process your personal data to generate insights into our business operations as well as to improve our Software Product(s). This processing is based on Art. 6(1)(f) GDPR for the purposes of our legitimate interest to enable us to enhance our business strategies, operations, and providing you with up-to-date Software Product(s).
-
Transfer of personal data to recipients
In addition to the recipients set forth in section 4 of the main body of this Privacy Notice, we will also transfer personal data to the following third parties to the extent necessary in the context of your use of Loupe Browser and Loupe VDJ Browser:
- Provider(s) for product analysis
- Cloud-based data warehousing platform
- Google LLC: If you have provided your consent during the use of our Software Product(s) and unless specified otherwise in the Annexes to this Privacy Notice, our Software Product(s) may use functions of the web analysis service Google Analytics. The provider of this service is Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). For the use of Google Analytics, cookies are set in your browser and information (e.g., data from the cookies set, device or browser data, IP address and their website activities) including personal data is collected. This data is transmitted to Google and processed there. Google uses this data to create statistical evaluations of the use of our website by our users and provides us with these evaluations in aggregated form. It is not possible for us to identify individual users from the statistical evaluations. The service transmits personal data to servers located in the U.S. The EU Commission has decided that this country offers an adequate level of data protection (EU-U.S. Data Privacy Framework) under which this service is certified. More information is available here: https://business.safety.google/intl/de/adsdatatransfers/. The storage of Google Analytics cookies and the utilization of this analysis tool are based on your consent pursuant to Art. 6(1)(a) GDPR and Section 25(1) TTDSG. Once you have given your consent, you can revoke it at any time without affecting the legality of the cookies used and data processing carried out on the basis of the consent up to the revocation. The collection of data using cookies and the processing of this data by Google Analytics can also be prevented by downloading and installing the browser plugin available under the following link: http://tools.google.com/dlpage/gaoptout?hl=de. The personal data processed using Google Analytics is deleted or anonymized as soon as the data is no longer required for the purpose of the statistical evaluations. User and event data in particular are deleted or anonymized at the latest after the storage period of 14 months in Google Analytics. For details, please click the following link: https://support.google.com/analytics/answer/7667196?hl=de.
-
Erasure of your personal data and retention periods
Personal data will be erased in accordance with section 7 of the main body of this Privacy Notice. Personal data in particular are deleted or anonymized at the latest after the storage period of 5 years in Mixpanel. For details, please click the following link: https://mixpanel.com/legal/privacy-policy/.