Privacy Statement
Privacy Notice
Welcome to biomedion.
We appreciate your interest in our services. We, biomedion GmbH (hereafter referred to as „biomedion“, „we“, or „our“) abide by the principles of the European Data Protection Regulation (GDPR) in our processes and workflows.
This is to inform you to what purpose and on which legal basis we process your personal data (PII) and which rights you have concerning this data processing.
Please take the time to read our privacy notice as it contains important information about how we handle your personal data.
Who is responsible for processing my personal data?
biomedion GmbH, Kemperplatz 1, c/o WeWork, 10785 Berlin, Germany, phone +49 30 7701811-0, e-mail info(at)biomedion.com is the controller for data processing as outlined in Art. 4 No. 7 GDPR, unless otherwise stated.
Who can I contact if I have questions about the processing of my personal data or if I believe that the processing of my data by us violates data protection laws?
If you think that our processing of your data violates your data privacy rights, please contact us at privacy@biomedion.com or by phone at +49 89 9042049-60.
General information
Why am I being informed about the processing of my personal data?
The protection of your personal data is your fundamental right. Therefore, we’re obliged to process your personal data lawfully, fairly and in a transparent manner. We take into account the data protection requirements of the General Data Protection Regulation, which requires us, among other things, to inform you about which personal data we process, for what purposes, and for how long we do so.
What is subject of data privacy?
Personal data, as outlined in Art. 4 No. 1 GDPR, is subject to data privacy under the Data Protection Laws of Germany and the European Union.
What is personal data?
Personal data concerns all matter of information which make use of you as an identified or identifiable person (hereafter referred to also as PII), for example your first name, surname, email address, or usage data such as the IP address or your usage behaviour.
All personal data is used exclusively for the purposes outlined in this privacy notice.
What is the content of this notice?
We have outlined the most important information concerning our typical data processing purposes and clustered it by parties concerned.
The word „data“ in this document pertains solely to personal data in accordance with the data protection laws of Germany, and the European Union.
Information regarding our typical data processing purposes, categorised by relevant parties.
Website visitors - What data do we process if you only visit our website?
When you visit our website, we only process the necessary data in order to display the website in its best possible form on your device. In principle, use of the website is possible without the usage of personal data.
Therefore, we claim, „in principle”, because we process your IP address in the short term, in order to make it possible for you to view the website. The IP address, also called internet protocol address, symbolizes a network location through which a web server or various devices can be addressed and reached. It takes two IP addresses – ours and yours – in order for the data packets (which make up our website) to be put back together on your end and show up as the actual website.
Recipients / Transfer to third countries
Our website is built using our partner, HubSpot, located at 25 First Street, Cambridge, MA 02141, USA (hereinafter "HubSpot"). It is hosted by our partner Colt Technology Services GmbH, located at Gervinusstr. 18-22, 60322 Frankfurt / Main (hereinafter "Colt"). HubSpot uses Cloudflare as a CDN to decrease loading times of our website and increase its performance. Cloudflare, Inc. is located at 101 Townsend St, San Francisco, CA 94107, USA (hereinafter “Cloudflare”). In these cases we concluded the necessary data privacy contracts on the basis of the Standard Contractual Clauses (SCC) to ensure adequate protection of your data.
Some services are hosted on or run through the servers of Amazon Web Services EMEA SARL, located at 38 Avenue John F. Kennedy in 1855 Luxembourg (hereinafter “AWS”).
HubSpot, Colt, Cloudflare and AWS process your data on our behalf or on behalf of our partners as sub-processors and according to our instructions within the European Union (EU), unless we have explicitly described otherwise here. This means that neither HubSpot, Colt, Cloudflare nor AWS may use or exploit your data for themselves, especially not for their own purposes or their own advertising measures. In certain cases your data can still be transferred and processed outside of the EU because of their US based nature.
We would like to point out that AWS complies with the Data Protection Code of Conduct for Cloud Infrastructure Service Providers (CISPE), i.e. the rules of conduct approved by the European Data Protection Board (EDPB) pursuant to Article 40 of the GDPR and adopted by the French data protection supervisory authority CNILL, and thus undertakes to comply with EU data protection standards even when transferring data outside the EU, so that there is an adequate level of protection for your personal data under data protection law.
HubSpot has concluded the necessary contracts with their sub-processors Cloudflare, AWS and others. More information about HubSpot’s sub-processors can be found here, their privacy policy can be found here.
The videos on our website are integrated using HubSpot. HubSpot uses New Relic Browser Monitoring to collect performance data about the video playback. New Relic, Inc. is located in 188 Spear St., San Francisco, CA 94105, USA. By playing back one of our videos your IP-address might get transferred to the United States.
CDN Cloudflare
We use Cloudflare on our sites. Cloudflare is a service provided by Cloudflare, Inc., located at 101 Townsend St., San Francisco 94107, California, in the U.S. We use Cloudflare to make our websites faster and more secure. Cloudflare provides a content delivery network, called a CDN, and various security services.
These services are applied when data is transferred between you as a user and us as the provider of our services. In doing so, we use cookies and process your data.
A Content Delivery Network (CDN) is a network of servers connected via the Internet and distributed around the world. We use it to bring our web pages to your screen faster. The way web optimization works using Cloudflare is that Cloudflare makes copies of our websites and places them on its own servers. When you visit our websites, a load balancing system ensures that the largest portions of requested pages are delivered from the exact server that can show you our website the fastest. This is usually a server in a data center near you. This significantly shortens the distance for data transfer from the server to your terminal, and the requested content can be delivered to you much faster. In addition to delivering websites quickly, we also use Cloudflare's security services. This includes Cloudflare blocking threats and limiting abusive bots and crawlers that waste our bandwidth and server resources.
Cloudflare generally only forwards content that is controlled and determined by us. It collects certain information about the use of our websites and processes data that we send or for which we have given appropriate instructions. In most cases, it is IP addresses, security fingerprints, DNS log data and performance data of our websites derived from your browser activity. Log data helps Cloudflare, for example, to detect new threats. This ensures a high level of security protection for our websites.
Cloudflare's bot products use the __cf_bm cookie to recognize and combat automated traffic, safeguarding customer websites from harmful bots. This cookie is placed on devices that visit customer websites secured by Cloudflare's Bot Management or Bot Fight Mode and is essential for these services to operate effectively.
After a 30-minute period of inactivity, the __cf_bm cookie expires. The cookie contains details linked to the computation of Cloudflare's exclusive bot score, and when Anomaly Detection is activated, it also includes a session identifier. Except for the time-related data, all the information within the cookie is encrypted and can only be deciphered by Cloudflare.
Each site visited by an end user generates a unique __cf_bm cookie because Cloudflare doesn't track users across different websites or sessions. Cloudflare independently creates the __cf_bm cookie, which is not associated with any user ID or other identifiers in a customer's web app.
The __cfruid cookie is crucial for the functionality of Cloudflare's Rate Limiting products. This cookie, a key component of our Rate Limiting solution, aids in regulating inbound traffic and offers enhanced insight into the source of a specific request. In essence, this cookie is tied to rate limiting policies and expires after the session.
These cookies are necessary for Cloudflare’s security features and functionality and cannot be deactivated.
Purpose and legal basis
Overall, the web optimizations and blocking of spam software make our websites significantly more powerful and less vulnerable to spam or other attacks. This is also the purpose of the data processing as well as our legitimate interest within the meaning of Art. 6 (1) lit. f DSGVO.
Possibility of objection and removal
You can prevent the setting of cookies by Cloudflare by changing the settings in your browser in such a way that all cookies are blocked. All modern browsers have this functionality but the way to set it is different depending on which browser you use.
In order to ensure an adequate level of data protection when transferring data to the USA and processing it, HubSpot has concluded the necessary contracts with their sub-processor Cloudflare. More information about Cloudflare's privacy policy can be found here.
Server protocol data
Description and extent
In order to meet your data request, our web server must know your IP address, or rather, „process” it. Every time our site is accessed, our system automatically collects data and information about the operating system of your device. The following data is processed:
- information regarding your type of browser and which version you are running
- your operating system
- your internet service provider
- your IP address
- access time and location
- websites which access our website through your system
- websites which your system accesses from our website or services
This data is collated and saved automatically in a web protocol file called log file. This data is not linked to any personal data.
Purpose
Temporary storage of your data on our system is necessary in order to deliver our website packages to your device. This requires us to store your data for the length of your session on our servers.
Furthermore, processing your data in the log files is necessary in order to guarantee that our website functions properly. The data also helps us optimize our web offer, as well as ensuring the security of the information technology of our systems. Your data is not analysed for marketing purposes. This is the reason our interest in processing your data is legitimate.
Legal basis
The legal basis for the temporary storage of your data and creation of log files is our legitimate interest according to Art. 6 (1) lit. f GDPR in ensuring the security of the information technology of our systems.
Storage
The data is erased as soon as it is no longer needed for these purposes. In the case of data collected in order to display the website this happens when the session is terminated.
Log files are deleted after a maximum of 14 days. Storage past that time frame is possible. In that case your IP address is deleted or deleted or anonymized, so that association with your device is no longer possible. Your IP-address is anonymized after its collection. The server’s location is in X, EU.
Objection and purge options
The collection of data for the presentation of the website, as well as the processing of log file data, is mandatory for our online presence. Therefore, you cannot object to the processing of this data.
Strictly necessary cookies – functional cookies and performance cookies
We strive to provide you with an optimal and user-friendly visit to our website, as well as offer you individual and unique services, tailor-made for your needs. For this purpose, we use cookies, as well as tracking programs designed to analyse usage data. These provide us with insight and statistics which help us improve our online presence, our communication with you, and to make our services more attractive and relevant for you.
Below you will also find a note on how to prevent the storage of cookies in your browser settings. Cookies are stored by your browser on your device.
Description and scope
When you access one of our web pages, cookies are stored on your system. A cookie contains a unique set of symbols which enables us to clearly identify your unique browser the next time you access our website.
Purpose
The purpose of using strictly necessary cookies is to make the use of our online offer easier for you. Some of our website functions cannot be offered without the use of cookies. It is necessary to recognize your browser even after a page change. The data processed by the strictly necessary cookies is not used to create user profiles.
The use of these cookies serves the improvement of quality and content on our website. These cookies tell us how our website is used and how we can continually optimize our offer. This is the reason our interest in processing your data is legitimate.
Legal basis
The legal basis for the processing of your data by using strictly necessary cookies as well as the collating and usage of performance analysis is our legitimate interest according to Art. 6 (1) lit. f GDPR in improving the quality and content on our website.
Objection- and purge options in your browser settings
Cookies are saved on your device and transmitted to us from there. Therefore you, as the user, have full control over the use of cookies. You can change the settings of your browser so that no cookies are stored on your device at all. For that you must change the applicable option in the system settings of your browser. This may cause various functions of our online offer to cease to function.
In addition to these cookies, our website uses cookies which enable us to measure your online performance if you are affiliated with a business. The data collated through performance cookies is pseudonymized wherever possible. This data is not stored with your other data. Therefore, assignation of this data to your person is not readily possible. You can learn more about this in the section about Leadfeeder below.
Storage, objection and purge options
You’re the user, and you have full control over the use of cookies, since cookies are stored on your device and transmitted to us from there. Please consult our “cookies overview” for information about when which cookies are automatically deleted from your device. You can change the settings of your browser to deactivate or limit the use of cookies. Stored cookies can be deleted at any time.
If cookies are deactivated for our website, it may cause various functions of our online offer to cease to function.
Leadfeeder – general information
We use Leadfeeder on our website. Leadfeeder is a service of Liidio Oy / Leadfeeder, Mikonkatu 17 C, 00100 Helsinki, Finland (“Leadfeeder”). Leadfeeder is a software tool designed for B2B companies to track the companies related to the website visitors. It's a sales intelligence tool that helps us see what businesses are visiting our website, even if the visitors don't fill out any forms or provide any information about themselves.
Leadfeeder uses a combination of IP address tracking and reverse DNS lookup to determine the company associated with a visitor. It then integrates with other tools like our CRM system to provide more information about the company. If Leadfeader detects a non-business IP address, it filters out and discards the corresponding data.
The following visitor’s data is aggregated on a business level, so no data of individuals is stored:
- date and time of the visit
- origin / source of the visit
- device metadata
- pages a visitor viewed and how long they spent on the page
- visitor’s ID (set by „_lfa“ cookie)
- IP address
The cookie “_lfa” (lifespan: 2 years) is only set to differentiate between the users and to know which data needs to be discarded in case no business could be identified to match the visitors IP address.
Purpose and Lawfulness
We base the processing of your data in the context of generating leads for our business on our legitimate interest according to Art. 6 (1) lit. f GDPR to be able to know which businesses visit our website and to generate commercial leads. We also take your legitimate interest into account by ensuring that we discard your information as soon as we know that you are not affiliated with a business.
Purge
You can prevent the setting of cookies by Leadfeeder by changing the settings in your browser in such a way that all cookies are blocked. All modern browsers have this functionality but the way to set it is different depending on which browser you use.
This removes Leadfeeder’s ability to exclude you from tracking if you are not affiliated with a business. To learn more about how Leadfeeder works and how they collect and process your data you can visit their website at https://www.leadfeeder.com/privacy/.
Newsletter subscribers
On our website, we offer a free newsletter subscription with relevant updates on marketing topics and our products.
General information
We need your email address in order to send you, our newsletter. Otherwise, we cannot provide you with the newsletter. Our newsletters are always personalized, i.e., we always address you personally. In order to address you personally in our newsletters and event invitations, we also need your last name.
Two-factor authentication („Double Opt-In“) of email addresses and proof of consent
If you subscribe to the newsletter distribution list, we will send you a link and ask you to confirm the registered e-mail address by means of the so-called double opt-in. In this way, we ensure that you have access to the specified e-mail account and that your e-mail address is correct.
Only after clicking on the confirmation link, you are included in our distribution list.
In this case, we save your registration and confirmation time in order to log your registration and, if necessary, to be able to prove your e-mail verification or your consent.
The provision of this data is essential for the receipt of newsletters. Without the provision of this data, we cannot send you newsletters.
For the processing of this data, your consent is obtained, and reference is made to the data protection notice.
Analysis of page opening and click behaviour for success analysis
We analyse the dispatch and receipt of our newsletters in order to constantly optimize the content for you. For this purpose, we primarily record how many users open our newsletters and which articles are clicked on most often by the subscribers. For this purpose, the newsletters contain a small file, the so-called tracking pixel, which is retrieved from the sending server when the newsletter is opened. Upon retrieval we process the following data:
- your e-mail address,
- your traffic data, specifically your IP address, and
- the time stamp.
This analysis of opening and clicking behaviour allows us to understand which content is of interest to you, so that we can adapt our mailings to your needs and interests.
By subscribing to our newsletter and clicking on the confirmation link, you expressly consent to us collecting your data as just described. Without this consent, you cannot use our newsletter subscription.
We will only use your data for internal evaluation purposes and will not pass it on to third parties.
Unsubscribe
You can prevent the sending of newsletters and thus the future analysis of opening and click behaviours at any time by unsubscribing from the newsletters. To do so, click on the unsubscribe button that you can find at the bottom of each newsletter. Alternatively, you can also send a formless request to unsubscribe to privacy@biomedion.com.
Purpose
We process your data for the purposes of sending personalized newsletters with content of interest to you, the recipient, to verify the accuracy of your email address and to prove your consent. A change of these purposes is not planned.
Lawfulness
We base the processing of your data in the context of sending newsletters on your consent according to Art. 6 (1) lit. a GDPR.
The storage of your registration and confirmation time is based on our legitimate interest according to Art. 6 (1) lit. f GDPR to be able to prove that you have subscribed to the distribution list for the sending of newsletters in the event of any legal disputes. With the double opt-in procedure, we also take your legitimate interest into account by ensuring that you have not been registered by unauthorized third parties.
The evaluation of your opening and clicking behaviour is based on your consent.
Purge
Data that you have provided to receive the newsletter or data that can be traced back to you will be deleted upon unsubscription.
Newsletter service provider
We use HubSpot’s built in tools to provide you our newsletter. HubSpot is located at 25 First Street, Cambridge, MA 02141, USA (hereinafter "HubSpot"). As our service provider, HubSpot processes your personal data on our behalf and according to our instructions within the European Union (EU).
Customers, business partners and their employees
If you are our customer or business partner or an employee of our customers or business partners, we process your data in order to establish and execute contractual relationships with you or with your company, as well as to fulfil legal requirements. As a customer or business partner or as an employee of our customers or business partners, you are required by law and by contract to provide us with the relevant data. Without the corresponding information, a customer or business relationship with us can neither be established nor carried out.
Purpose
We process your data for the establishment and implementation of business relationships. We do not anticipate any change of the aforementioned purposes.
Lawfulness
In the context of contracts with natural persons the legal basis for the processing is the preparation and execution of a contract according to Art. 6 (1) lit. b GDPR. For contracts with legal persons the legal basis is our legitimate interest according to Art. 6 (1) lit. f GDPR in being able to communicate with contact persons relevant to the contract.
In the context of tax and commercial law regulations we are legally obliged to process your data. In the event of any examination, enforcement or dismissal of claims the legal basis for data processing is our legitimate interest according to Art. 6 (1) lit. f GDPR, which is based on the enforcement of or defence against claims.
Forwarding
Primary recipients of your data for the purpose of processing payments are banks. Insofar as we are obligated or authorized to transmit data, public authorities and offices may be recipients of your data within the scope of their duties. In individual cases, your data may be transferred to collection service providers, lawyers and courts.
Storage
All data relevant to contracts and accounting are stored in accordance with the retention periods under tax and commercial law.
Interested parties and communication partners
If you contact us by calling us, sending us an e-mail, fax or letter, or by using the contact form provided on our website, we will process your data (e.g. name, e-mail address, message content) in order to process your request. The provision of data is necessary in order to process your request. Without providing data, communication is not possible.
Purpose
We process your data for the purposes of efficient and effective communication. We do not anticipate any change of the aforementioned purposes.
Lawfulness
The legal basis for the processing of your data is our legitimate interest according to Art. 6 (1) lit. f GDPR in being able to communicate efficiently and effectively with interested parties and other communication partners. Furthermore, as the operator of this website, we are legally obliged to provide you with an effective means of contact.
Purge
Inquiries and communications are erased automatically after a minimum period of six calendar years from the end of the last company financial year they relate to.
Job applicants and employment relationships
If you apply for a job with us or for a position to be placed by us, we process your personal data (so-called application data) in principle only insofar as this is necessary for the decision regarding the establishment of an employment relationship with you. The provision of data is required for applicants. It is not possible to submit an application without providing data.
Only persons authorized to make decisions will have access to your application data. As a rule, these are members of the respective management and team leads.
We ask you to apply through our job portal HRworks https://www.biomedion.com/en/careers.
Purpose
The processing of your application data serves the purpose of deciding on the establishment of an employment relationship. A change of this purpose is not intended or planned.
Lawfulness
The processing is therefore carried out in the context of pre-contractual measures for an employment relationship sought with the application according to Art. 6 (1) lit. b GDPR.
Purge and storage
In the case of advertised positions, your personal application data will be deleted - irrespective of the outcome of your application - after six months have elapsed following a decision on filling the position.
After a possible rejection, you have the option to consent to a storage period exceeding the aforementioned purge period of six months, provided that you are also interested in other positions and thus to be included in our talent pool.
If you give us such consent, we will retain your application data for a period of one additional year, provided that you apply for a position with us. In this case, you may revoke your consent at any time. If you apply for a position to be placed by us, we will retain your documents until you revoke your consent. If you revoke your consent, your application data will be deleted accordingly. The legal basis for processing beyond the usual retention period is your consent.
If you submit an unsolicited application, we will consider this as your consent to be included in our talent pool and will retain your application data for a period of one year if you apply for a position with us, unless you clearly inform us in your application that you do not want this. If you apply to be included in the talent pool as part of the placement process, we will retain your records until you withdraw your consent.
In any case, you can revoke your consent at any time without cause by clicking on this logo at the lower left corner of each page.
Job application with HRworks
If you apply to us, the application data you provide us with (e.g. contact and communication data, application documents, CV, certificates and any records made during the application process) will be processed exclusively for the purpose of carrying out the application process, insofar as this is necessary for the decision on an employment relationship. As part of the application process, your application data is only accessible to the personnel managers or the employee responsible for disciplinary matters.
We have contracted the company HRworks GmbH, Waldkircher Str. 28, 79106 Freiburg, Germany (hereinafter "HRworks") for the hosting and technical provision of our application forms or our job portal including personnel management system. We have concluded the agreement with HRworks required under data protection law for commissioned processing. According to this agreement, HRworks undertakes to ensure the necessary protection of your data and to process it in accordance with the applicable data protection regulations exclusively on our behalf and in accordance with our instructions. Your data will not be passed on to third parties beyond this.
Purpose
The processing of your application data serves the purpose of deciding on the establishment of an employment relationship. A change of this purpose is not intended or planned.
Lawfulness
The processing is therefore carried out in the context of pre-contractual measures for an employment relationship sought with the application according to Art. 6 (1) lit. b GDPR.
Purge
We store your data on the servers hosted by HRworks for as long as is necessary to achieve the respective storage purpose, i.e. until the respective application process is completed. The deletion of the data transmitted by you will generally take place after six months if your application is rejected. This does not apply if you have expressly consented to longer storage in accordance with Art. 6 (1) lit. a GDPR.
The applicant has the option to revoke his/her consent to the processing of personal data at any time. The revocation can be made at any time at the following e-mail address privacy@biomedion.com. All personal data stored in the course of your application will be deleted in this case.
Our service providers
We use service providers, in particular for the provision, maintenance, and care of IT systems. Our service providers process your personal data on our behalf and according to our instructions within the European Union (EU), unless we have explicitly described otherwise in this privacy policy.
We have concluded the EU standard contractual clauses with non-European providers. We would like to point out that these providers thereby agree to comply with the data protection standards of the EU, so that there is an appropriate level of protection for your data under data protection law.
Security
This website uses SSL encryption for the purposes of security and to protect the transmission of confidential contents, for example enquiries you send to us as the website operators. You can recognize an encrypted connection by the fact that the address line in the browser changes from “http://” to “https://”, and by the padlock symbol in your browser address bar. When SSL encryption is activated, the data you transmit to us cannot be read by third parties.
Automated decision-making
As a responsible company, we do not use automatic decision-making or profiling.
What rights do I have?
You have the right to obtain confirmation as to whether or not personal data is processed by us, which categories of data it is, as well as other information, such as the purpose of the processing, the recipient or categories of recipient to whom the data have been or will be disclosed as well as the period for which the data will be stored, and other information outlined in Article 15 GDPR.
You have the right to demand we supply all your personal data or correct any incorrect personal data (Right of access / Right of rectification).
You have the right to request the immediate purge of personal data, or alternatively request a restriction of the processing of your personal data. (Right to be forgotten / Right to erasure).
You have the right to receive all personal data with which you provided us in a structured, commonly used and machine-readable format as well as request the data be transmitted to another controller (Right of portability).
You have the right to withdraw your given consent at any time without cause, in perpetuity. When you withdraw your consent, we are no longer allowed to process any personal data to which use you formerly consented, in perpetuity. Please direct all permission withdrawal requests to privacy@biomedion.com (Right of withdrawal).
In case we process your personal data based on our legitimate interests, you can object to their future use at any time on grounds relating to your particular situation. However, we may not always be able to comply, for example in case legal regulation requires us to process your data (Right to object).
In case your objection concerns direct marketing, you have a general right to object. In that case we will abide by your right to object without you having to make your case concerning special circumstance. Please direct all objections to privacy@biomedion.com.
In addition, you have the right to enter a formal complaint with the responsible supervisory authority. The supervisory authority for us is the The Berlin Data Protection Commissioner (BlnBDI). However, you can also contact your local regulatory body or that of your employer.
You can contact BlnBDI at Alt-Moabit 59-61, 10555 Berlin, phone at +49 30 13889-0 or online at https://www.datenschutz-berlin.de/.