Privacy: EU/UK

GDPR Data Protection Notice

Last Updated: 24 April 2024

  1. INTRODUCTION AND SCOPE

    This data protection notice (this "Notice") describes how Anokion SA, EPFL Innovation Park-L, Chemin de la Dent d’Oche 1A, CH-1024 Ecublens, Switzerland, Anokion US, Inc., Kanyos Bio, Inc., and each of their respective affiliates ("us", "we", or "our") collect, handle, share and use the personal data of users of www.anokion.com (the “Website”), and the personal data of individuals in relation to other interactions, transactions, sites or applications that reference this Notice (the "Services"), such users and individuals being “Data Subjects”.

    This Notice applies only to the personal data of Data Subjects who are resident in the European Economic Area (EEA) or the United Kingdom (UK). Please note that this notice does not apply to our collection of personal data in respect of clinical trials, which shall be subject to a separate data protection notice issued to participants in such trials.

    We shall act as a controller of Data Subjects’ personal data that is collected or received in accordance with this Notice. If we process personal data as a data processor, we will process such personal data in accordance with the terms of the contract we have with the third party for whom we act as data processor, and this Notice shall not apply to the processing of such personal data.

    To receive this notice in another format (for example, audio, large print, braille) please contact us using the contact details in section 11 below.

  2. WHAT PERSONAL DATA DO WE PROCESS AND HOW IS IT COLLECTED

    Data Subject Provided Personal Data

    Data Subjects may provide to us (whether by uploading, email, telephone, post or otherwise) the following types of personal data in relation to the Services, which we may then collect, use, store and/or transfer in accordance with this Notice:

    Type of personal data Personal data includes:

    Contact Data

    • Physical address (billing and delivery)
    • Email address
    • Telephone numbers

    Identity Data

    • First name
    • Last name
    • Position / Title

    Marketing and Communications Data

    • Preferences in receiving marketing from us and third parties
    • Communication preferences

    Automatically Collected Personal Data

    The following types of personal data may be automatically collected or logged when Data Subjects access and use the Services, which we may then collect, use, store and/or transfer in accordance with this Notice:

    Type of personal data Personal data includes:

    Technical Data

    • Internet protocol (IP) address
    • Browser type and version
    • Time zone setting and location
    • Browser plug-in types and versions
    • Operating system and platform
    • Other technology on the devices used to access the Services

    Usage Data

    • Information about how the Services are used

    Third Party Provided Personal Data

    We may also obtain Data Subjects’ personal data from the following third parties:

    Third Party Type of personal data Source of Data

    Investors

    • Contact Data
    • Identity Data
    • General correspondence (including emails)
    • Tax forms
    • Financial/bank transfer information
    • Share register

    Collaboration Partners

    • Contact Data
    • Identity Data
    • General correspondence (including emails)
    • Contracts
    • Purchase orders
    • Tax forms
    • Financial/bank transfer information

    Consultants

    • Contact Data
    • Identity Data
    • Contracts
    • Purchase orders
    • Tax forms
    • Financial/bank transfer information

    Service Providers

    • Contact Data
    • Identity Data
    • Contracts
    • Purchase orders
    • Financial/bank transfer information
    • Tax/regulatory documents

    Special Categories of Personal Data

    We do not collect any special categories of personal data about Data Subjects (this includes details about race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about Data Subjects’ health, and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.

    Children

    The features, programs, promotions and other aspects of our Services requiring the submission of personal data are not intended for children. We do not knowingly collect personal data from children under the age of 13. If you are a parent or guardian of a child under the age of 13 and believe they have disclosed personal data to us, please contact us using the contact details at section 11 below. A parent or guardian of a child under the age of 13 may review and request deletion of such child's personal data as well as prohibit the use thereof.

  3. HOW WE USE PERSONAL DATA

    Purpose: To monitor the use of the Services
    Type of personal data:
    • Technical Data
    Lawful basis for processing: Legitimate interests
    Details: To improve the functionality and content of the Services.

    Purpose: To provide our products and services
    Type of personal data:
    • Identity Data
    • Contact Data
    Lawful basis for processing: Legitimate interests
    Details: To enable us to provide our products and services to Data Subjects.

    Purpose: To contact Data Subjects who request such contact
    Type of personal data:
    • Identity Data
    • Contact Data
    Lawful basis for processing: Consent
    Details: To respond to Data Subjects’ contact requests.

    Purpose: To manage and protect our business and the Services (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)
    Type of personal data:
    • Identity Data
    • Contact Data
    • Technical Data
    Lawful basis for processing: Legitimate interests
    Details: To manage our business and ensure the effective provision of the Services. To prevent fraud.

    Purpose: To undertake identification verification
    Type of personal data:
    • Identity Data
    • Contact Data
    Lawful basis for processing: Legitimate interests
    Details: To protect our business and to prevent fraud.

    Purpose: To send personal marketing and promotional materials to Data Subjects
    Type of personal data:
    • Identity Data
    • Contact Data
    • Marketing and Communications Data
    Lawful basis for processing: Consent
    Details: To promote our products and services.

    If a Data Subject has provided consent to processing and subsequently withdraws that consent, we may still process that Data Subject's personal data where we have another lawful basis for doing so.

    Where we need to collect personal data by law or under the terms of a contract that we have with a Data Subject and the Data Subject fails to provide that personal data when requested, we may not be able to perform the contract we have with the Data Subject (for example, to provide access to the Services).

  4. SHARING OF PERSONAL DATA

    We may share Data Subjects' information with the following categories of third parties:

    Third Party Description

    Service Providers

    Our service providers include third parties that provide us with services such as IT services, hosting services, administration services, marketing services, and other business process services. Such third parties will act as our processors.

    Professional advisors

    We may need to provide Data Subjects' personal data to our professional advisors that provide services to us. Our professional advisors include lawyers, accountants, bankers, auditors and insurers. Such third parties may act as our processors or independent controllers.

    Authorities

    We may disclose personal data where required in order to respond to requests from regulatory or governmental authorities, court orders, legal process, or to establish or exercise our legal rights or defend against legal claims. It may also be necessary for us to share personal data in order to investigate, prevent or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, or as otherwise required by law. In such circumstances, we will take appropriate measures to ensure that the recipient understands the sensitive nature of the personal data that they may receive.

    Other Third Parties

    We may share Data Subjects' personal data with third parties with whom we may choose to transact business.

    We may share Data Subjects’ personal data with third parties to whom we may choose to sell, transfer or merge parts of our business or our assets (including in relation to restructuring/insolvency situations). Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use Data Subjects’ personal data in the same way as set out in this Notice.

    Data Subjects’ personal data may be a transferred asset in any sale of all or part of our business.

    Affiliates

    Data Subjects’ personal data might also be transmitted within the group of which we are members for internal administrative purposes.

    We require all our data processors and any other third party to whom we provide Data Subjects' personal data to respect the security of Data Subjects' personal data and to treat it in accordance with applicable law.

    We do not allow our data processors to use Data Subjects' personal data for their own purposes and only permit them to process Data Subjects' personal data for specified purposes and in accordance with our instructions.

    Please see Section 6 below for information on international transfers to such third parties.

  5. MARKETING

    We may send Data Subjects marketing communications (including newsletters) if they have requested such communications from us or if we are otherwise allowed to do so under applicable law.

    Third Party Marketing Companies

    We will obtain Data Subjects' consent before we share their personal data with any company outside of our group of companies for marketing purposes.

    Opt-Out

    If a Data Subject does not wish to receive marketing information from us, the Data Subject can opt-out by contacting us using the contact details at section 11 below or by clicking the opt-out link in our electronic marketing communications.

  6. INTERNATIONAL TRANSFERS

    Data Subjects' personal data collected by us in the UK, EEA or Switzerland may be transferred outside of the UK, the EEA or Switzerland (as applicable) to those third parties specified in section 4 above; however, in such circumstances, to the extent we are required to do so under applicable law, we will ensure contractual or other measures that have been adopted or approved by the UK Government, the European Commission or the Swiss Federal Council (as applicable) are taken (such as ensuring applicable standard contractual clauses are in place).

    Data Subjects can obtain more information about the countries to which their personal data is transferred and copies of the additional measures put in place by contacting us using the contact details at section 11 below.

  7. AUTOMATED DECISION MAKING

    We do not make any decisions regarding Data Subjects solely using automated decision making (including profiling) based on Data Subjects’ personal data.

  8. RETENTION OF PERSONAL DATA

    We will only retain Data Subjects' personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

    To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, regulatory requirements, the potential risk of harm from unauthorized use or disclosure of the personal data, the purposes for which we process the personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

    Details of retention periods for personal data are available from us on request using the contact details at section 11 below.

  9. LEGAL RIGHTS

    Data Subjects may have the following rights under applicable data protection laws in relation to their personal data:

    Data Subject's right Description

    Request access to the Data Subject's personal data

    This enables the Data Subject to receive a copy of its personal data that we hold and to check that we are lawfully processing it.

    Data Subjects will not have to pay a fee to access their personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if a Data Subject’s request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with the Data Subject’s request in these circumstances.

    Request correction of the personal data that we hold about the Data Subject

    The Data Subject can require us to correct any mistakes in the Data Subject's personal data.

    The Data Subject must provide us with enough information to identify the Data Subject (e.g., username, institution's details) and let us know the information that is incorrect and what it should be replaced with.

    Request erasure of the Data Subject's personal data

    This enables the Data Subject to ask us to delete or remove the Data Subject's personal data where there is no permitted reason for us to continue to process it.

    The Data Subject can ask us to erase the Data Subject's personal data where:

    • the Data Subject does not believe that we need the Data Subject's personal data in order to process it for the purposes set out in this Notice;
    • if the Data Subject has given us consent to process the Data Subject's personal data, the Data Subject withdraws that consent and we cannot otherwise legally process the Data Subject's personal data;
    • the Data Subject objects to our processing and we do not have any legitimate interests that mean we can continue to process the Data Subject's personal data; or
    • the Data Subject's personal data has been processed unlawfully or has not been erased when it should have been.

    Object to processing of the Data Subject's personal data

    The Data Subject may object to processing where we are relying on a legitimate interest (or those of a third party) and there is something about the Data Subject's particular situation that makes the Data Subject want to object to processing on this ground, as the Data Subject feels it impacts on the Data Subject's fundamental rights and freedoms.

    The Data Subject also has the right to object where we are processing the Data Subject's personal data for direct marketing purposes.

    In some cases, we may demonstrate that we have compelling legitimate grounds to process the Data Subject's personal data which override the Data Subject's rights and freedoms.

    Request restriction of processing of the Data Subject's personal data

    This enables the Data Subject to ask us to suspend the processing of the Data Subject's personal data in the following scenarios:

    • if the Data Subject wants us to establish the accuracy of the personal data;
    • where our use of the personal data is unlawful but the Data Subject does not want us to erase it;
    • where the Data Subject needs us to hold the personal data even if we no longer require it as the Data Subject needs it to establish, exercise or defend legal claims; or
    • the Data Subject has objected to our use of the personal data, but we need to verify whether we have overriding legitimate grounds to use it.

    Request the transfer of the Data Subject's personal data to the Data Subject or to a third party

    The Data Subject can require us to provide to the Data Subject, or a third party the Data Subject has chosen, the Data Subject's personal data in a structured, commonly used, machine-readable format.

    This right only applies to automated personal data that the Data Subject initially provided consent for us to use or where we used the personal data to perform a contract with the Data Subject.

    Withdraw consent at any time where we are relying on consent to process the Data Subject's personal data

    This will not affect the lawfulness of any processing carried out before the Data Subject withdraws its consent.

    If the Data Subject withdraws its consent, we may not be able to provide the Data Subject with access to the Services or certain functionalities. We will advise the Data Subject if this is the case at the time that the Data Subject withdraws consent.

    To exercise any of the rights set out above, please contact us using the contact details provided in section 11 below. Where the Data Subject has any such rights under applicable laws, we will respond to any such rights that a Data Subject wants to exercise within one (1) month of receiving the request, unless the request is complex, in which case it may take longer.

    We may need to request specific information from a Data Subject to help us confirm that Data Subject's identity and that Data Subject's right to access its personal data (or to exercise any of its other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact the Data Subject to ask it for further information in relation to its request to speed up our response.

    Please be aware that there are exceptions and exemptions that apply to some of the rights, which we will apply in accordance with the applicable data protection laws.

    In addition to the above rights, Data Subjects have the right to lodge a complaint with a supervisory authority.

  10. LINKS TO OTHER WEBSITES

    Our Website may contain links to other websites. These websites may have separate privacy and data collection practices, independent of our practices, and Data Subjects’ use of and access to such sites is subject to those terms and policies. We have no responsibility or liability for these independent policies or actions and we are not responsible for the privacy practice or the content of such websites.

  11. HOW TO CONTACT US

    To ask any questions regarding this Notice or to exercise any rights, please contact us using the following contact details:

    Address: Anokion SA, EPFL Innovation Park-L, Chemin de la Dent d’Oche 1A, CH-1024 Ecublens, Switzerland, FAO Data Privacy Office

    Email: info@anokion.com

    If you are resident in the EU, you may also contact our EU representative:

    Address: Pfizer Manufacturing Ireland Unlimited Company, Operations Support Group, Ringaskiddy, Co Cork, Ireland, FAO Data Privacy Office

  12. AMENDMENTS TO THIS NOTICE

    This Notice may be revised from time to time, including where we add new features and services, as laws change, and as industry privacy and security best practices evolve. We display a “Last Updated” date at the top of this Notice so it is clear when there has been a change. If we make any change to this Notice regarding use or disclosure of personal data, we will provide notice on the Website and as otherwise required. Small changes or changes that do not significantly affect Data Subjects’ privacy interests may be made at any time and without prior notice.