Privacy policy

Effective

PatientsLikeMe (https://www.patientslikeme.com) (“Platform”) is a sharing website run by PatientsLikeMe LLC (PatientsLikeMe). This Privacy Policy outlines the type of information the Platform collects from users, including individuals who have registered to join (“Members”), and how and why this information is shared with third parties, including, but not limited to, other Members, pharmaceutical companies, medical device companies, non-profits, and research organizations (“Partners”). This policy also governs Platform Use Data (as described below) that we may collect from Members and other visitors.

We reserve the right to modify this policy at any time, and without prior notice, by posting an amended Privacy Policy and terms on this website. We encourage Members to review this policy periodically for any updates.

If you were a participant in PatientsLikeMe’s DigitalMe™ initiative, then you are participating in a much broader sharing of information that includes biological samples, genetics, and data from a wide variety of sources. Additional information about how DigitalMe data is shared can be found in the DigitalMe Ignite Informed Consent Document, the terms of which govern for DigitalMe participants with respect to any conflict with this Privacy Policy.

Why Do We Share Data

Our goal is to provide a platform for patients who want to share their health information to create collective knowledge about disease, health, and treatments. We know our success in achieving this goal depends on a shared belief in our Openness philosophy. Being open about one’s health is not for everyone, and we strive, with full transparency, to outline the benefits and risks of being part of this sharing site, including those related to privacy.

Your Data Rights, As Expressed by GDPR

All individuals have rights regarding data that is identified or connected to their identity (“Personal Data”). The European Union’s (EU) General Data Protection Regulation (GDPR) describes these rights in law, but PatientsLikeMe believes they apply to all individuals. They include:

  • You have the right to clear and transparent communication about your Personal Data. We want to make this policy as clear as possible and provide a friendlier version to help you understand it.
  • You have the right to request a copy of your Personal Data in a common digital format. To request this information, please contact our community team.
  • You have the right to edit or correct any Personal Data. You can edit most of your information on the Platform. If you need help with this, contact our community team.
  • You have the right to request that your Personal Data be deleted. To do this, contact our community team.
  • You have the right to be notified of any breach involving your Personal Data. We will notify the appropriate data protection authority within 72 hours of detecting a breach involving your data. We will notify you as soon as possible after that.
  • You have the right to object to the processing of your data. You may decline any consent request to share Personal Data with a Partner and this will have no impact on your use of the service. For clarity, we may still share with our Partners data regarding you that does not identify you and is not connected with you (“De-Identified Data”). You may withdraw consent at any time, though that will not change any processing that has already occurred or research where analysis has started or is completed. You may also request to close your account at any time (see Closing Your Account below).

In some cases, these rights might be restricted. Some examples would include where the information requested compromises the privacy of another individual or is the subject of legal proceedings or investigation. Additionally, processing that has already occurred cannot be undone. Further, these rights to edit, delete, be notified of a breach, and object to processing all apply to Personal Data and do not apply to De-Identified Data that, for example, has been shared by us with our Partners and Vendors.

If you have questions or complaints about our handling of these rights, see the information at the end of this policy.

PatientsLikeMe believes that the above rights mean that any processing of your Personal Data must have a solid legal basis. GDPR sets out a number of possible bases, three of which apply to PatientsLikeMe and the Platform.

  • We need to use some identifying information just to operate the service. This includes your email address, username, password, and IP address, among other items.
  • We may use identifying information for research with your consent. We will always ask for your explicit consent before sharing this information with our Partners. This is described further, below.
  • In rare cases we may need to share your identifying data to comply with a legal obligation. This is described further, below.

We believe that all processing of any user’s Personal Data should be for a clear and transparent reason.

Who Uses The Data We Collect

There are four broad groups of people with whom we share data, including Personal Data.

The Community – This group is you and your fellow Members on the site. You share data, including possibly Personal Data, through your profile and the various social components on the site. By sharing your data, others can learn from it.

PatientsLikeMe – We use the data you provide internally, both to improve our services and to conduct our own research.

Our Partners – PatientsLikeMe frequently partners with other institutions to conduct research. These Partners include, but are not limited to: universities, pharmaceutical companies, hospital systems, insurance companies, and regulatory bodies (including the US Food and Drug Administration (the FDA)).

Vendors – We also contract with various service providers for business and technical services like e-mail delivery, site hosting, marketing, help desk support, and others.

Details of how these different groups use our data are provided below.

Privacy Settings

There are two privacy levels a Member may choose for participation on the Platform:

Members only: Platform Members can see the data associated with the Member’s username and avatar image; or

Public: Non-members and Members can see the data associated with the Member’s username and avatar image.

Public profiles may be indexed or stored by Internet search engines (e.g., Google) or other independent sites, which means a Member’s Personal Data may come up in the search results by anyone on the Internet, even after switching privacy levels.

It is strictly against this Privacy Policy and our Terms of Use to use this public data for any purpose other than providing Internet search services. A member choosing to share their health information broadly is NOT consenting to uses outside of our Terms of Use.

Members may change their privacy level at any time. Neither option will allow non-members of the community to contact you.

What Kind of Information We Collect

Restricted Data

When a member enters what could reasonably be used to identify them, that data is treated as “Restricted Data.” Types of Restricted Data that Members may submit on the Platform include:

  • userID assigned by the Platform
  • Platform password (this is collected as part of registration and stored as a one-way hash so that no one else can know what the password is)
  • Name (Member may provide as part of registration or in a Member's Account Information)
  • Date of Birth (if in profile)
  • Email address (collected as part of registration or in a Member's Account Information)
  • Mailing address (may be collected via email, forms, or Private Message with PatientsLikeMe staff as part of Member programs such as t-shirt giveaways and PatientsLikeMe InMotion™)
  • IP Addresses
  • Private message send/receive information
  • Private message content for Private Messages between Members
  • Any of the above entered as free text

PatientsLikeMe may de-identify Restricted Data, such that it no longer contains identifying information and is no longer Restricted Data, in which case such data shall be treated by PatientsLikeMe as Shared Data (described below). PatientsLikeMe may also remove identifying information from free text entries like forum posts or comments. Once the identifying information is removed, PatientsLikeMe shall treat the free text as Shared Data.

PatientsLikeMe may aggregate or statistically analyze Restricted Data, including from more than one member, in which case such resulting aggregated or statistically analyzed data shall be treated as Shared Data by PatientsLikeMe.

Shared Data

“Shared Data” is all information, except Restricted Data, that Members provide about themselves when using the Platform or in other communications with PatientsLikeMe. Examples of Shared Data that Members may submit include:

  • Biographic and demographic information, e.g., non-identifying photographs, biography, gender, age, location (city, state/province, and country);
  • Condition/disease information, e.g., first symptom, family history;
  • Treatment information, e.g., treatment stop reasons, dosages, side effects, treatment evaluations, and information on treatment switching;
  • Symptom information, e.g., severity, duration;
  • Outcome scores over time, e.g., ALSFRS-R, MSRS, PDRS, FVC, PFRS, Mood Map, weight, DailyMe, and MonthlyMe measures (not including free-text associated with this tracking);
  • Sensor information, e.g., personal activity trackers;
  • Laboratory results and biomarkers, e.g., CD-4 count, viral load, creatinine, voice features, images;
  • Individual and aggregated structured survey responses;
  • Non-identifying information shared via free text fields, e.g., the forums, treatment evaluations, surveys, annotations, journals, feeds, adverse event reports; and
  • Connections to other people on the Platform, e.g., Followers, Leaders, and Groups.

PatientsLikeMe may aggregate or statistically analyze Shared Data, including from more than one member, in which case such resulting aggregated or statistically analyzed data shall also be treated as Shared Data by PatientsLikeMe.

Platform Use Data

We, and our Vendors, may use web tracking technologies such as cookies and pixel tags to understand how members use our platform. Such collected data (“Platform Use Data”) may include the URL of the websites you visited before and after you visited our Platform, the type of browser you are using, your Internet Service Provider, what pages in our Platform you visit, what links you click on, date and time of your visit and duration, and whether you open email communications we send to you. You may be able to modify your browser settings to alter which web tracking technologies are permitted when you use the Platform, but this may limit your use of the Platform.

Platform Use Data is typically only used by PatientsLikeMe and our Vendors. However, when de-identified it may be shared with our research Partners, as we do with Shared Data, to help them understand how members use and benefit from the site.

How Member Data is Used and Shared

Members should expect that every piece of Shared Data they submit (even if it is not currently displayed) may be shared with the Community and Partners. Members are encouraged to share health information but should consider that the more information that is entered, the more likely it is that a Member could be located or identified.

How Restricted Data is Used

There are only 3 ways Restricted Data is shared with the community.

  • A Member’s username is used throughout the site to represent them and their profile.
  • A Member’s avatar image, whether or not it is identifying, is also used to represent them and their profile on the site.
  • Any Restricted Information a Member chooses to share as free text in the various social features of the site will be shared with everybody on the site who chooses to read it.

If the Member is acting in a role other than patient, additional restricted information may be shared. For example:

  • If a Member registers with, or is switched to, an official doctor or research account, the Member’s full name and affiliation will be viewable to the community via the Member's profile;
  • If a Member is acting as a PatientsLikeMe employee, the Member will be identified as such.

We will never sell or share your restricted information for non-PatientsLikeMe advertising purposes.

PatientsLikeMe uses Restricted Data internally, as needed, for research, for maintenance and operation of the Platform, and to create the best possible tools and experience for patients. We take steps to protect this data and limit access to only those who need it for their job.

If we have a member's permission, their e-mail address will be used to send them a variety of notifications, including study invitations, newsletters, and private message notifications. A member may change this setting at signup, on their account page, or by clicking the unsubscribe link at the bottom of any email they receive from PatientsLikeMe. However, all members receive administrative emails (like forgot password messages), and you cannot opt out of administrative emails while you remain registered with the Platform.

Additionally, Restricted Data is not shared with or sold to Partners unless explicit consent is given. Specific instances where consent may be requested include:

  • Special research projects and studies
  • Co-registration with a non-profit
  • Media interviews of a Member

If you were a participant in the PatientsLikeMe DigitalMe initiative, you have consented to having your Restricted Data shared more broadly than described in this Privacy Policy (including broader than may otherwise be permitted under GDPR). Please see the DigitalMe informed consent document for more information.

PatientsLikeMe will share Restricted Data, in some instances, with Vendors for the purpose of operating or improving our services. Before sharing Restricted Data with a Vendor, PatientsLikeMe will investigate potential Vendors to ensure that their security and privacy practices are compliant with relevant regulations and up to PatientsLikeMe standards. Specific examples where Restricted Data may be shared with Vendors include:

  • If a Member makes a request, PatientsLikeMe may use Restricted Data, including sharing the Member’s Restricted Data with software/service Vendors, for the purpose of fulfilling the request. Examples include requesting to receive the company newsletter via email, requesting an email response from the PatientsLikeMe support team, or requesting a t-shirt be sent to the Member’s mailing address.
  • We may use your restricted information to exclude you from certain PatientsLikeMe advertisements or to present certain participation opportunities to you.

How Shared Data is Used

Shared Data is shared with the Community via Member profile pages and through aggregated reports that are made available to other PatientsLikeMe Members. In some instances, this Shared Data is also viewable to those not registered to join PatientsLikeMe (“Non-members”). We report publicly Shared Data in aggregate, such as the number of patients on a particular treatment or the number of patients experiencing a particular symptom (see public Treatments and Symptoms sections). If a Member chooses to designate their profile as “Public” (see Privacy Settings above), their Shared Data can also be viewed by Non-members and linked with aggregated reports. These public profiles may be used by anyone accessing the website in reports, conference presentations, media mentions, etc.

In addition to serving the individual needs of our Members, PatientsLikeMe and its Partners are interested in better understanding the patient experience and improving treatment options and health outcomes for everyone. For example, we may look at questions such as, “Do certain treatments work better for some types of people versus others?” PatientsLikeMe provides Shared Data, in individual and aggregate format, to Partners for use in scientific research and market research. When selling this information, PatientsLikeMe removes Members’ Restricted Data (de-identification) to reduce the possibility of re-identification and contractually forbids Partners from trying to re-identify Members.

PatientsLikeMe may also periodically ask Members to complete surveys about their experiences (including questions about products and services). Survey responses that are non-identifying are analyzed, combined with Members’ Shared Data and shared with and/or sold to Partners. Member participation in these surveys is not required and refusal to do so will not impact a Member’s experience with PatientsLikeMe.

PatientsLikeMe may also report individual adverse event and drug safety information to regulatory Partners like the FDA, CDC, and/or other bodies (US and international) as well as directly to pharmaceutical and biotechnology companies. When reporting such information, PatientsLikeMe does not provide Restricted Data, although we reserve the right to contact Members for follow-up at the request of agencies or Partners. In this context, the data that PatientsLikeMe reports may include free text or images on the forums or evaluations. Some Partners may have adverse event reporting requirements that relate to regulated products that are used by Members of our community and PatientsLikeMe assists such Partners with reporting adverse events to regulatory agencies.

Finally, PatientsLikeMe may use Shared Data internally or send Shared Data to Vendors who assist with operating our services or performing research. This data is used to provide or improve the services offered. For example, we may send treatment or condition information to an e-mail provider so that information can be included in messages we send to you.

PatientsLikeMe, like other Internet communities, is a “public forum.” Members acknowledge and accept that Shared Data might be used by members of the community to identify them in the right combinations. For example, having a very rare disease might make it easier to identify somebody when age and gender are also known.

For clarity, “public forum” in this context does NOT mean that the content and data are freely usable by third parties. Any uses outside of our Terms of Use and this Privacy Policy are prohibited.

How Platform Use Data is Used

We use Platform Use Data for several purposes:

Authentication: We use Platform Use Data stored in cookies on your computer to indicate that you have logged into your PatientsLikeMe account and to enable you to use certain portions of our Platform.

Understand Our Users: We use Platform Use Data to analyze trends, track users' movements around the Platform, and gather demographic information about our user base as a whole. This provides us with the ability to determine aggregate information about our user base and usage patterns. Understanding how people use our Platform allows us to make the Platform better for everybody. We may also use this information, possibly in coordination with one of our research Partners, to do relevant research on user behavior or medical outcomes. We do not sell or provide this usage data to third parties for advertising or marketing purposes, but we sometimes provide our Partners with aggregated usage data of all individuals they have referred to our site. We will only provide personally identifying or identifiable Platform Use Data to Partners with your express consent.

Administer Platform: We use Platform Use Data to help administer the Platform and members’ use of the Platform. We may, in some circumstances, need to review this Platform Use Data in combination with specific Restricted Data to identify and resolve issues for individual users.

Advertising: We may use cookies or Platform Use Data to tailor advertisements about joining PatientsLikeMe, to promote certain participation opportunities to you, or to exclude you from advertising that is not relevant to you, including when you are visiting other sites or platforms.

Closing Your Account

Members are free to stop using this service at any time. If a Member chooses to deactivate their account, PatientsLikeMe will not display or sell the Member’s Personal Data as of the date of deactivation. However, the Member’s Personal Data, including Shared and Restricted Data, will remain in the system unless you contact our community team to request that your data be deleted.

It is important to note that, even if you request deletion, any research conducted, or in progress, prior to deactivation will still include your data. This is important to support things like peer review and the replication of results — important parts of the scientific process. PatientsLikeMe keeps special archives of your data for this purpose in accordance with relevant US and EU/EEA/UK regulations.

Other Special Cases

There are instances, not covered above, where Shared Data, Restricted Data, and Platform Use Data may be used and disclosed including, but not limited to, the following:

  • PatientsLikeMe may use a Member’s data in the case of an emergency or other circumstance that we determine requires a member of the management team to directly contact the Member (for example, a data breach that put the Member at risk would prompt someone to be in touch).
  • PatientsLikeMe may share or disclose a Member’s data where required to comply with lawful requests from public authorities, including for national security or law enforcement requests, to comply with legal process, to resolve disputes, to enforce our agreements (including this Privacy Policy and the Terms of Use), or if in our reasonable discretion use is necessary to protect our legal rights or to protect third parties.
  • PatientsLikeMe may transfer the Shared Data, Restricted Data, and Platform Use Data to any successor to its business as a result of any merger, acquisition, asset sale, bankruptcy proceeding, or similar transaction or event, with such successor bound by the terms of this Privacy Policy with respect to its use and disclosure of such information.

Other Security Issues

PatientsLikeMe cannot guarantee the identity of any Members with whom a Member may interact in the course of using the Platform or who may have access to a Member’s Shared Data. Additionally, we cannot guarantee the authenticity of any data that Members may provide about themselves.

Finally, Members should know that PatientsLikeMe takes commercially reasonable technical precautions to help keep Member data secure, consistent with applicable EU, UK, and US laws. We take these precautions in an effort to protect your information against security breaches. However, this is not a guarantee that such information may not be accessed, disclosed, altered, or destroyed by breach of such firewalls and secure server software. By using our Platform, you acknowledge that you understand and agree to assume these risks.

In the event of a breach, PatientsLikeMe will notify relevant regulatory authorities within 72 hours of becoming aware of the breach. We will notify you as soon as possible after that.

Risks and Benefits

While our goal is to help patients improve health outcomes, there are no certain benefits to using this website. However, keeping track of personal well-being, treatments, and symptoms has been shown to be helpful in improving overall health.

There are also no known risks to using this website, but there is a possibility that users may feel uncomfortable sharing information online. It is possible that a Member could be identified using information shared on PatientsLikeMe (and/or in conjunction with other data sources). A Member could be discriminated against or experience repercussions as a result of the information shared. For example, it is possible that employers, insurance companies, or others may discriminate based on health information.

Members should understand that anyone can register at PatientsLikeMe and view the Shared Data in the system. If you are reading this Privacy Policy because you have access to a Member’s information, we urge you to recognize and fulfill your responsibility to protect the privacy of that person.

In using the Platform, Members are free to skip any non-required questions or data fields that make them feel uncomfortable.

Questions about the Privacy Policy

If you have questions or comments about our Privacy Policy, please let us know, or contact us at:

PatientsLikeMe LLC
Attn: Privacy and Compliance Dept.
160 Second Street
Cambridge, MA 02142

California Online Privacy Protection Act Notice

On September 27, 2013, California enacted A.B. 370, amending the California Online Privacy Protection Act to require website operators like us to disclose how we respond to "Do Not Track Signals" and whether third parties collect personally identifiable information about users when they visit us.

  1. We do not track user activity that does not occur on our site and therefore do not use "do not track" signals.
  2. We do not authorize the collection of personally identifiable information from our users for non-PatientsLikeMe advertising purposes through advertising technologies without separate member consent.

California Civil Code Section 1798.83 also permits our members who are California residents to request certain information regarding our disclosure of Personal Data to third parties for their direct marketing purposes. To make such a request, please send an email to privacy@patientslikeme.com. Please note that we are only required to respond to one request per member each year.

Governing Law and Platform Visitors from outside the United States

We and our servers are located in the United States and are subject to the applicable US local and national laws. These laws may not provide privacy protection equivalent to that in your country of residence. When we share information about you with our various Partners, the data-sharing agreement includes data protection. We also comply with the EU-US and Swiss Privacy Shield Frameworks.

Those who choose to access the Platform do so on their own initiative and understanding that their use of the Platform and PatientsLikeMe’s use of the Shared Data, Restricted Data, and Platform Use Data is subject to EU and US laws and regulations including the GDPR. If users choose to access or use the Platform, they consent to the use and disclosure of information (including GDPR "special category" data such as race, ethnicity, and data concerning health) in accordance with this Privacy Policy and subject to such laws. Transfer of data from residents of the EU/EEA/UK is done under this consent and also for the purposes of providing this service to those users, as allowed by Article 49 of the GDPR.

PatientsLikeMe, LLC complies with the EU-US and the Swiss-US Privacy Shield Frameworks as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information transferred from European Union member countries (including Iceland, Liechtenstein, and Norway), the United Kingdom, and Switzerland to the United States pursuant to Privacy Shield. PatientsLikeMe, Inc. has certified to the Department of Commerce that it adheres to the Privacy Shield Principles with respect to such information. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program and to view our certification, please visit https://www.privacyshield.gov and https://www.privacyshield.gov/list.

PatientsLikeMe, Inc. is subject to the regulatory and enforcement authority of the US Federal Trade Commission.

We acknowledge the right of EU, UK, and Swiss individuals to access their personal data under the Privacy Shield. Individuals wishing to exercise this right may do so by contacting our community team.

We will also provide EU, UK, and Swiss individuals opt-out or opt-in choice before we share your data with third parties other than our agents, or before we use it for a purpose other than that for which it was originally collected or subsequently authorized. To request to limit the use and disclosure of your personal information, you may do so by contacting our community team.

Pursuant to the Privacy Shield, PatientsLikeMe LLC is liable for the onward transfer of personal data to third parties unless we can prove we were not a party to the actions resulting in the damages.

In compliance with the Privacy Shield Principles, PatientsLikeMe LLC commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to Privacy Shield. European Union, UK, and Swiss individuals with Privacy Shield inquiries or complaints should first contact PatientsLikeMe at: privacy@patientslikeme.com.

PatientsLikeMe has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU Privacy Shield. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://bbbprograms.org/programs/all-programs/bbb-eu-privacy-shield-consumers/ProcessForConsumers for more information and to file a complaint. This service is provided free of charge to you.

If your Privacy Shield complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms at https://www.privacyshield.gov/article?id=ANNEX-I-introduction.

GDPR Recourse For Individuals in the EEA

Our representative in the EU for GDPR purposes is Foley Hoag AARPI. You can contact our representative at:

Foley Hoag AARPI
153 rue du Faubourg Saint-Honoré
75008 Paris, France

If you are a resident of the European Union and have a complaint about our use or processing of your Personal Data, you have a right to lodge a complaint with a national Data Protection Authority. Each European Union member nation has established its own Data Protection Authority; you can find out about the Data Protection Authority in your country.

History of Updates/Changes to Terms and Conditions of Use:

  • On , minor updates to sections about data from the EU and UK
  • On , minor updates based on annual review to provide increased clarity and reflect changes in business. Updated link to the Council of Better Business Bureaus for Privacy Shield complaints.
  • On , updated Privacy Shield compliance language.
  • On , updated language to comply with GDPR and clarified some language aimed at researchers considering using PLM data.
  • On , clarified language differentiating vendors and partners, as well as cookie and Platform Use Data usage. Also, added new language for biology and multi-omics, updated advertising policies and other minor changes and reorganization.
  • On , added statement to explain ways a member can unsubscribe from emails.
  • On , additional examples of shared data were added.
  • On , the heading to “How Your Data is Used” was changed and clarifying language was added to both the Cookies and How Your Data is Used sections.
  • On , the Safe Harbor section was updated.
  • On , this Privacy Policy was revised to clarify language and provide specific examples to help illustrate the meaning of portions of the policy.
  • On , the following section was added: “EU Safe Harbor”.
  • On , this Privacy Policy was substantially revised to clarify language and provide specific examples to help illustrate the meaning of portions of the policy.
  • On , this Privacy Policy was substantially revised to clarify language and provide specific examples to help illustrate the meaning of portions of the policy.
  • On , this Privacy Policy was substantially revised and expanded to include additional patient consent language.
  • On , this Privacy Policy was substantially revised.
  • On , the following clauses were added: “We will provide our Partners with anonymized, aggregated community data with the goal of increasing involvement in disease research” and “except in incidents when you have given explicit permission, e.g. in the ALS Registry.”