Privacy Notice
Last Modified: March 2024
Table of contents
- SCOPE OF THE PRIVACY NOTICE
- DATA CONTROLLER
- HOW WE COLLECT YOUR PERSONAL DATA
- PURPOSES AND LEGAL BASES
- HOW LONG WE STORE YOUR PERSONAL DATA
- HOW WE SHARE PERSONAL DATA
- TRANSFERS TO THIRD COUNTRIES
- CONTROL OVER YOUR INFORMATION
- OBLIGATION TO PROVIDE PERSONAL DATA
- AUTOMATED DECISION MAKING AND PROFILING
- THIRD PARTY WEBSITES AND SERVICES
- YOUR RIGHTS AS A DATA SUBJECT
- COOKIES & TRACKING
- CHANGES TO THIS PRIVACY NOTICE
- CONTACT US
Thank you for your interest in BioThrust! This privacy notice explains how information about you, that directly identifies you, or that makes you identifiable („personal data„) is collected, used, disclosed, and otherwise processed by BioThrust in connection with our services.
1. Scope of the privacy Notice
BioThrust GmbH („BioThrust“, „we“ or „us„) is committed to protecting your personal data. With this privacy notice, we would like to inform you as a data subject („you„, „customer“ or „user„) comprehensively about how we handle your personal data.
Personal data means any information that can be used to directly or indirectly identify a natural person or that is likely to make a person identifiable („personal data„). By way of example, a person can be identified by reference to an identifier such as a name, an identification number, location data or by reference to individual physical, physiological, economic or cultural identity characteristics.
Processing of personal data means any operation or set of operations which is performed on personal data or on sets of personal data. It does not matter whether the data processing is automated or not. Processing may include, for example, the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of data.
This privacy notice applies to the processing of your personal data when you visit our websites, including but not limited to „biothrust.de“, or contact us by post, e-mail or telephone (together, the „Service„).
2. Data Controller
We are the controller of the processing of personal data described in this privacy notice. This means that BioThrust determines the purposes and means of the processing of your personal data. You can contact the following address for all data protection inquiries:
BioThrust GmbH
Pauwelsstraße 17
52074 Aachen
Germany
E-Mail: contact@biothrust.de
3. How we collect your personal data
We collect and process various personal data from you depending on the specific processing situations. We may collect the following personal data you provide in connection with our Service:
- When you use our website or communicate with us by email („Log Data“). When you visit our website or receive, open or otherwise use emails from us, we may collect Log Data. This data includes your internet protocol (IP) address, operating system, browser details such as type, device ID and configuration, unique identifiers, device type and version (e.g., manufacturer, device, screen size, resolution, operating system, browser and its version), your internet speed, the referring URL, the date and time of your visit, the time you spent using our Services and errors that may occur during your visit to our Services.
- Analytics. We analyze the use of our website and email communications to improve the user-friendliness of our website, to analyze user data in order to get to know the preferences of our website visitors and to better personalize our offer. We may collect Log Data, your email address, approximate location (based on your IP address), your behavior when visiting our website, such as what elements you click on, and opening- and clicking behavior of any emails we send you.
- Communication. When you contact us through any communication channel, including for „support“ functions, we may collect your name, salutation, the company you belong to, your email address, your mailing address, your phone number, the nature of your request, the content of your messages, device information, or any other information you provide to us.
- Social Media: When you interacts with us through various social media networks, such as when you „Like“ us on LinkedIn or follows us or share our content on LinkedIn, Instagram or other social networks, we may receive some information about you that you have permitted the social network to share with third parties. The data we receive is dependent upon your privacy settings with the social network. You should always review and, if necessary, adjust your privacy settings on third-party websites and social media networks and services before sharing information and/or linking or connecting them to other services.
- Service Providers: Our service providers that perform services solely on our behalf, such as displaying the contact form for BioThrust, collect personal data and often share some or all of this information with us.
In most cases, we collect personal data directly from you, e.g., when you visit our website, use our Services or contact us by email. As with most digital platforms, we and our third-party providers collect your data automatically when you use our Services.
We may receive personal data from our business partners who you have given permission to share personal data with us.
In some cases, we collect your data from third parties, such as when a friend sends you an invitation to visit our website.
Detailed information on the processing activities we carry out, the categories of personal data, the legal bases, the purposes and the duration of the processing in each case can be found in Appendix 1.
4. Purposes and legal bases
The purposes and legal bases for processing your personal data may vary from case to case. In principle, we process your personal data in accordance with the provisions of the General Data Protection Regulation („GDPR„) and the Federal Data Protection Act („BDSG„) for the following purposes and based on the following legal bases:
- For the performance of a contract or prior to entering into a contract
We process your personal data in order to fulfill contractual or quasi-contractual obligations or to provide you with information at your request in advance of a possible conclusion of a contract, e.g., to provide services or customer support or to answer inquiries. The legal basis for the processing is Art. 6 para. 1 lit. b GDPR.
- Fulfillment of a legal obligation
Insofar as we are subject to legal obligations that require the processing of your personal data for their fulfillment, we process your personal data for this purpose (e.g., a legal obligation to store data). The legal basis for the processing is Art. 6 para. 1 lit. c GDPR.
- Our legitimate interests
We also process your personal data to pursue our legitimate interests (such as our legal or economic interests), unless your conflicting interests or fundamental rights and freedoms, which require the protection of your personal data, prevail. The legal basis for the processing is Art. 6 para. 1 lit. f GDPR.
- On the basis of your consent
In some cases, we process your personal data on the basis of your consent. If we require your consent, we will inform you in advance which personal data we intend to use and how we will use it. You are not obliged to give us your consent. If you have given us your consent to collect, use or disclose your personal data in a certain way, you have the right to withdraw your consent at any time with effect for the future. Please note that neither the refusal nor the withdrawal of your consent will have any adverse consequences for you. However, we may not be able to provide you with certain services for which data processing is necessary without your consent. The legal basis for your consent is Art. 6 para. 1 lit. a GDPR.
Detailed information on the legal bases and the purposes can be found in Appendix 1.
5. How long we store your personal data
We only process your personal data for as long as is necessary to fulfill the purposes for which it was collected. This also applies to the fulfillment of our legitimate interests or statutory retention and documentation obligations that we must observe. Once the purposes have been fulfilled, your personal data will generally be deleted.
The statutory retention and documentation obligations are generally between two and ten years and result, for example, from Section 147 of the German Fiscal Code (Abgabenordnung) or Section 257 of the German Commercial Code (Handelsgesetzbuch).
Upon request, we will delete the data collected and stored for the use of our website, unless we are legally required to keep this data or we need this data to protect, enforce or assert our rights. We will delete the data ourselves within a certain cycle, unless there is a special interest in continued storage in individual cases, e.g., in the event of cyber-attacks.
When determining the retention period required in individual cases, we take into account the scope, nature and sensitivity of the data, the potential risk of damage through unauthorized use or disclosure, the purposes for which we process your personal data and the applicable legal provisions.
Insofar as statutory retention and documentation obligations or the protection of our legitimate interests, which outweigh your conflicting interests, require longer storage, for example in the event of legal disputes, your personal data will be stored and processed for a longer period of time.
6. How we share personal data
We may share your personal data with the following:
- Service providers and consultants:
We share your personal data with contractors and service providers who are subject to appropriate non-disclosure and confidentiality agreements, which may include payment service providers, web hosting and maintenance providers, technology support providers, email communications providers, analytics providers, data storage providers, customer relationship software providers, competition management, and web and video hosting providers and developers. All service providers used are subject to a duty of confidentiality and are obliged to process your personal data only on our behalf and in accordance with our instructions, unless they process your data themselves as data controllers (e.g., if we use the services of lawyers and tax advisors).
- Joint venture and group companies:
We may act as a joint venture or be integrated into a group of companies. It is therefore possible that we may pass on your personal data to one of these companies and their group companies, or potential investors, for example to provide services and to monitor and support the success of the joint venture or group of companies. If necessary, we will ensure to conclude corresponding data protection agreements with these companies. Depending on the situation, it is conceivable that these companies may process your data as controllers, i.e., determine the means and purposes of processing themselves.
- Corporate transactions:
We may share any personal data we collect if we sell or transfer all or part of our business or assets (including any shares in the business) or any part or combination of our products, services, businesses and or assets. In such a case, we will use reasonable endeavors to ensure that any transferred data is processed in accordance with this privacy notice.
- Law enforcement agencies, prosecuting authorities and other government and public authorities:
We may disclose your personal data to third parties if required to do so by law or if we reasonably believe that such action is necessary to (i) comply with applicable laws and respond to requests from law enforcement authorities; (ii) detect or respond to potential civil or criminal violations, such as violations of agreements or laws; or (iii) otherwise protect the rights, property or personal safety of us, our team members or others.
- With your consent:
We may share or disclose your personal information with third parties if you give your consent to do so. For example, with your consent or at your direction, we may include your testimonial on our website or in service-related publications.
Detailed information about the service providers we use can be found in Appendix 2.
7. Transfers to third countries
It is possible that we or one of our service providers may process or access your data in or from a country outside the European Economic Area, (e.g., to carry out maintenance work). If this is the case, we ensure that your data is still subject to an appropriate level of protection by applying one or more of the following security mechanisms:
- An adequacy decision exists from the European Commission for the relevant country (e.g., the United Kingdom) or the relevant company (e.g., companies certified under the EU-US Data Privacy Framework). With such a decision, the European Commission determines that a level of data protection that is essentially the same as in the European Union can be expected.
- We conclude the standard contractual clauses issued by the European Commission, if necessary in conjunction with appropriate additional measures. The decision and the sample text of these standard contractual clauses can be found here.
- The transfer takes place within the framework of suitable guarantees, such as binding corporate rules.
8. Control over your information
Email Communications. From time to time, we may send you emails regarding updates to our Services, notices about our organization, or information about products and services we offer that we think may be of interest to you. If you wish to unsubscribe from such emails, simply click the „unsubscribe link“ provided at the bottom of the email communication. Note that you cannot unsubscribe from certain services-related communications (e.g., confirmations of transactions, technical or legal notices).
Additional rights may be granted under applicable data protection law. Please also see the region-specific disclosure applicable to you.
9. Obligation to provide personal data
You are generally not required by law or contract to provide us with your personal data. However, some information, such as your name, address, payment information and information on your requested Services may be necessary for the performance of our contractual obligations. Without providing this information, you might not be able to request or use certain Services or enter a contract with us.
10. Automated decision making and profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, if the decision is not necessary for the conclusion or performance of a contract, is not required by mandatory legal provisions or is not based on your express consent.
BioThrust does not use any automated decision-making processes, including profiling, unless we have explicitly informed you of such processes.
11. Third party websites and services
The Services may contain integrations or links to third party websites or services, including those of our business partners. By interacting with these third parties, you are providing information directly to the third party and not BioThrust. Please note that BioThrust is not responsible for the privacy practices of these third parties or any entity that it does not own or control. We encourage you to review the privacy notices and online terms of those third parties to learn more about how they handle your personal data.
12. Your rights as a data subject
Below you will find a list of your rights regarding the processing of your personal data:
- Right of access
According to Article 15 GDPR, you have the right to request confirmation from us as to whether personal data concerning you is being processed by us. If this is the case, you have the right to information about this personal data, in particular (i) information on the categories of personal data, the purposes of the processing and information on how we determine the retention and storage periods, (ii) information on the recipients or categories of recipients to whom we disclose your personal data, in particular recipients in third countries, and (iii) under certain circumstances, a copy of the data that is the subject of the processing.
- Right to rectification:
Pursuant to Article 16 GDPR, you have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning you.
- Right to erasure:
In accordance with Article 17 GDPR, you have the right to request that we erase your data without undue delay if (i) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, (ii) your data are processed on the basis of your consent and you withdraw your consent, (iii) you have objected to processing pursuant to Article 21 para. 1 GDPR and there are no overriding legitimate grounds for the processing, or you have objected to the processing pursuant to Article 21 para. 2 GDPR, (iv) your personal data are being processed unlawfully, or (v) the erasure of your personal data is necessary for compliance with a legal obligation to which we are subject.
- Right to restriction of processing:
According to Art. 18 GDPR, you have the right to request the restriction of processing. This means that you can demand that we restrict the purposes of the processing. The right to restriction exists if (i) you have contested the accuracy of the personal data, (ii) the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead, (iii) we no longer need the personal data for the purposes of the processing, but they are required by us, for example for the establishment, exercise or defense of legal claims, or (iv) you have objected to processing pursuant to Article 21 para. 1 GDPR, you have objected to processing pending the verification whether our legitimate grounds override yours.
- Right to information:
According to Article 19 GDPR, you have the right to request information about the recipients of data to whom a correction, deletion or restriction of the processing of your personal data has been communicated.
- Right to lodge a complaint:
You have the right to lodge a complaint with the competent supervisory authority against the processing of your personal data or any other decision by BioThrust.
The supervisory authority responsible for us is Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen, Postfach 20 04 44, 40102 Düsseldorf, Germany; Phone: +49 (0)211 / 38424 – 0.
- Contact:
To exercise your rights as a data subject, you can contact us informally by post, fax or e-mail using the contact details provided in sections 2 and 15.
RIGHT TO OBJECT ACCORDING TO ART. 21 GDPR
OBJECTION ON GROUNDS RELATING TO YOUR PARTICULAR SITUATION
ACCORDING TO ARTICLE 21 PARA. 1 GDPR, YOU HAVE THE RIGHT TO OBJECT, ON GROUNDS RELATING TO YOUR PARTICULAR SITUATION, AT ANY TIME TO PROCESSING OF YOUR PERSONAL DATA WHERE SUCH PROCESSING IS FOR THE PURPOSES OF OUR LEGITIMATE INTERESTS, INCLUDING PROFILING BASED ON THOSE INTERESTS (E.G., FOR CREDITWORTHINESS ASSESSMENT). FURTHER PROCESSING OF YOUR PERSONAL DATA WILL THEN NO LONGER TAKE PLACE UNLESS WE CAN DEMONSTRATE COMPELLING LEGITIMATE GROUNDS FOR THE PROCESSING WHICH OVERRIDE YOUR INTERESTS, RIGHTS AND FREEDOMS, OR THE PROCESSING SERVES THE ESTABLISHMENT, EXERCISE OR DEFENSE OF LEGAL CLAIMS.
YOU ALSO HAVE THE RIGHT TO OBJECT TO PROCESSING FOR DIRECT MARKETING PURPOSES AT ANY TIME:
CONTACT OPTION
YOU CAN DECLARE YOUR OBJECTION INFORMALLY BY POST OR E-MAIL, ADDRESSED TO:
BioThrust GmbH
Pauwelsstraße 17
52074 Aachen
Germany
Email: contact@biothrust.de
13. Cookies & Tracking
Cookies are small text files that are stored on your end device (e.g., PC/laptop, tablet or smartphone). These text files are downloaded from your browser when you visit our website. If a cookie is not deleted automatically (for example, immediately after your visit to our website), the cookie and the information stored in it will be sent back to the respective website that generated it (first party cookie) or to another website to which it belongs (third party cookie), when you call up this website again with the same end device or browser. In this way, the website „recognizes“ that it deals with the same user and enables the provision of certain functionalities, such as customizing the display of content on the website. Cookies can, for example, „remember“ your preferences, tell how you use a page, and/or customize the offers displayed in part to your preferences.
We also include other tracking technologies under the term „cookie“. For example, it is possible to identify you on the basis of your „digital fingerprint“, i.e., the combination of technical data, the device used, the location of access, etc. It is also possible, for example, to incorporate so-called pixels into the website in order to track you. In fact, however, these technologies serve similar purposes, so they are dealt with together below.
Depending on the specific purpose, a further distinction is made between the different types of cookies.
Functional cookies. We use several functional cookies on our website. When we use functionally necessary cookies, we process your personal data in order to provide basic functions of our websites and the services you have requested, as well as to temporarily store your cookie settings. Without the use of these cookies, we would not be able to provide the website or there would be functional limitations.
Non-functional cookies. We use several non-functional cookies on our website. These cookies are not functionally necessary for the operation of our website and include, for example, cookies to analyze user behavior on websites, cookies to enable a better user experience by embedding videos from other websites, or cookies to show you advertisements.
More details on the processing of personal data through cookies. For more information on the cookies we use, the processing purposes, the types of data, as well as storage duration and recipients, please refer to „Cookie settings“. You can access these via the cookie banner or the tab at the end of the website.
Cookie declaration
14. Changes to this privacy notice
We reserve the right to change this privacy notice from time to time in our sole discretion. We will notify you about material changes in the way we treat personal data by placing a prominent notice on our website, or through other appropriate communication channels. It is your responsibility to review this privacy notice periodically. All changes shall be effective from the date of publication unless otherwise provided.
15. Contact us
If you have any questions or requests in connection with this privacy notice or other privacy-related matters, please send an email to contact@biothrust.de.
Appendix 1
Description of the processing operations
| Processing operation and categories of personal data | Processing purposes | Legal basis | Retention perod (storage period) |
|---|---|---|---|
Visiting our Website
collectively "Log Data" |
|
The processing is necessary for our legitimate interest in providing a secure, needs-based website. |
At least seven days, up to 30 days. |
When you contact us:By contact form:
By telephone:
By e-mail:
|
|
Depending on the reasons for which you contact us:If you have contacted us through the contact form
otherwise
or
Regarding the documentation of our communication and your consent:
|
Up to three years after your request has been answered. |
Analytics
Collectively "Analytics Data" |
|
Your consent |
|
Newsletters, company and marketing communication
|
|
or, in cases where we received your email address through an order and send you marketing communication regarding similar products or services, and you have not objected to the processing,
|
We store your data until you unsubscribe from the newsletter or we have not sent you a newsletter for more than 17 months. If you unsubscribe from the newsletter, your data will be deleted within 7 days with the following exceptions. |
Appendix 2
| Service Provider | Description of the service | Existence or absence of an adequacy decision or reference to the adequate or appropriate safeguards |
|---|---|---|
| Hubspot |
|
HubSpot, Inc. is certified according to the EU-US Data Privacy Framework. |
| Hetzner | Website Hosting |
