The Heidelberg Epignostix GmbH (“Epignostix”) developed an AI-based Molecular Neuropathology Classifier (“Tool”), which medical professionals can use to predict, in particular, the central nervous system (“CNS”) tumor class or sarcoma tumor class of new, unseen methylation profiles. The Tool can be used as a local copy and installed by the medical professionals (“User”) or via the website of Epignostix. In order to use the Tool and other services of Epignostix via the website, Users must register in the web application by providing personal data.
With this privacy policy, we would like to inform you as a customer and/or User of our website about the categories, scope and purpose of the collection and processing of your personal data by the website operator Epignostix in connection with the use of our Tool and other services.
Personal data is all information that can be used to identify you personally and that can be traced back to you. This includes, for example, your name, address, email addresses, customer and user behaviour. With regard to the other terms, in particular the terms “processing” and “consent”, we refer to the legal data protection definitions according to the General Data Protection Regulation (hereinafter “GDPR”).
I. Controller
The person responsible for data protection as the Controller in the meaning of the GDPR is:
Heidelberg Epignostix GmbH
Köpfelweg 58
69118 Heidelberg
Germany
Website: https://epignostix.com
Email: info@epignostix.com
For questions and/or comments about our Privacy Policy, please contact us by using the aforementioned contact details.
II. Data Protection Officer
The Data Protection Officer of the Controller is:
Alexander Taubitz, Assessor iur.
Zertifizierter Datenschutzbeauftragter (TÜV)
Business Security & Privacy
TÜV Informationstechnik GmbH
TÜV NORD GROUP
Am TÜV 1
45307 Essen
Telephone: +49 201 8999-521, M: +49 160 888 7521
Email: a.taubitz@tuvit.de
www.tuvit.de
III. General information about the data processing
We process your personal data in connection with our website, content and services. With every visit to our website and registration, our system automatically collects data and information from the computer system of the accessing computer. In doing so, the following data are transmitted:
- The User’s first and last name
- The User’s business contact details (address, e-mail address)
- The User’s Internet service provider
- The User’s IP address
- The date and time of the access
IV. Purpose and legal basis for processing of personal data
In principle, we only process personal data of our Users insofar as this is necessary in order to provide a functional website, as well as our content and services. The processing of the User personal data is carried out in accordance with the provisions of the GDPR.
1. Consent
Art. 6(1)(a) GDPR serves as legal basis insofar as we seek the consent of the data subject for processing operations of personal data.
The processing of the personal data of our users is regularly only carried out after obtaining the consent of the user. An exception applies in cases in which it is not possible to obtain consent in advance for factual reasons and the processing of the data is authorized through statutory provisions.
You have the right to withdraw your declaration of consent under data protection law at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
2. Performance of a contract
Art. 6(1)(b) GDPR serves as legal basis for the processing of personal data, which is necessary for the performance of a contract to which the data subject is party. The same applies to the processing operations that are necessary in order to take steps prior to entering into a contract.
3. Compliance with a legal obligation
Art. 6(1)(c) GDPR serves as legal basis insofar as a processing of personal data is necessary for compliance with a legal obligation to which our company is subject. In the case that vital interests of the data subject or of another natural person necessitate the processing of personal data, Article 6(1)(d) GDPR serves as the legal basis.
4. Legitimate interests
Art. 6(1)(f) GDPR serves as legal basis for the processing if the processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
V. Recipients of the personal data
Within our company, those departments, persons and employees who require your data to fulfil contractual obligations and assert claims arising from the license agreement will have access to it.
In addition, your personal data will be disclosed to selected external service providers. These are:
- IT service providers
- Sponsors
- Advertising and marketing partners
- Service providers for file and data destruction
- Telecommunications
- Payment service provider
- Auditors
- Accounting service providers
- Payroll service provider
VI. Transfer of personal data to a third country or international organisation
In principle, no personal data is transferred to countries outside the European Union (to so-called third countries) unless this is required by law (e.g. reporting obligations under tax law) or you have given us your consent to do so.
VII. Duration of storage
The collection of the data for the provision of the website and the storage of the data in log files is absolutely necessary for the operation of the website. Consequently, there is no possibility of objection on the part of the user. The data are erased as soon as they are no longer necessary in order to fulfil the purpose of their collection. If the data are collected for the provision of the website, this is the case when the relevant session has ended. If the data are stored in log files, this is the case after seven days at the latest. Further storage beyond this point is possible. In such a case the IP addresses of the users are deleted or altered so that an association with the accessing client is no longer possible.
Storage beyond this point can only occur if this is provided for by the European or national legislator in Union law regulations, laws or other provisions to which the controller is subject. Data are also blocked or erased when a storage period stipulated by the aforementioned standards expires, unless further storage of the data is necessary for the conclusion or performance of a contract.
VIII. Rights of the data subject
If your personal data are processed, you are a data subject within the meaning of the GDPR and are entitled to the following rights vis-à-vis the controller. To exercise your rights, you can contact us or the data protection officer using the contact details provided above.
1. Right of access
You can obtain a confirmation from the controller as to whether personal data concerning you are processed by us. If such processing is carried out, you can request access to the following information from the controller:
- the purposes for which the personal data are processed;
- the categories of personal data that are processed;
- the recipients/categories of recipients to whom the personal data concerning you have been disclosed or will yet be disclosed;
- the planned period of storage for the personal data concerning you or, if it is not possible to specify this concretely, the criteria used to determine that period;
- the existence of a right to rectification or erasure of personal data relating to you, a right to the restriction of processing by the controller or a right to object to that processing;
- the existence of a right to lodge a complaint with a supervisory authority;
- all available information on the origin of the data if the personal data were not collected from the person concerned;
- the existence of automated decision-making, including profiling (in accordance with Art. 22(1) and (4) of the GDPR) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
2. Right to rectification
You have a right to rectification and/or completion vis-à-vis the controller if the processed personal data concerning you are inaccurate or incomplete. The controller shall perform the rectification immediately.
3. Right to restriction of processing
You can demand a restriction of processing of the personal data concerning you under the following preconditions:
- if you contest the accuracy of the personal data concerning you, for a period that enables the controller to verify the accuracy of the personal data;
- if the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
- if the controller no longer needs the personal data for the purposes of the processing, but you require them for the establishment, exercise or defence of legal claims;
- if you have objected to processing pursuant to Art. 21(1) of the GDPR and the verification whether the legitimate grounds of the controller override yours is still pending.
If the processing of the personal data concerning you has been restricted, these data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. If the restriction of processing has been obtained according to the above-mentioned requirements, you shall be informed by the controller before the restriction of processing is lifted.
4. Right to erasure
You can demand the immediate erasure of the personal data concerning you from the controller and the controller is obligated to erase these data immediately if one of the following grounds applies:
- The personal data concerning you are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
- You withdraw your consent on which the processing was based according to Art. 6(1)(a) or Art. 9(2)(a) of the GDPR and there is no other legal ground for the processing.
- You object to the processing pursuant to Art. 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21(2) of the GDPR.
- The personal data concerning you have been unlawfully processed.
- The erasure of the personal data concerning you is required for compliance with a legal obligation in Union or Member State law to which the controller is subject.
- The personal data concerning you have been collected in relation to the offer of information society services referred to in Art. 8(1) of the GDPR.
5. Right to information
If you have asserted your right to rectification, erasure or restriction of processing vis-à-vis the controller, the controller is obliged to communicate this rectification or erasure of the data or restriction of processing to each recipient to whom the personal data concerning you have been disclosed, unless this proves impossible or involves disproportionate effort. You have the right vis-à-vis the controller to be informed about these recipients.
6. Right to data portability
You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used and machine-readable format. You also have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, provided that (1) the processing is based on consent pursuant to Art. 6(1)(a) of the GDPR or Art. 9(2)(a) of the GDPR or on a contract pursuant to Art. 6(1)(b) of the GDPR and (2) the processing is carried out by automated means.
In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one controller to another, where technically feasible. The rights and freedoms of others shall not be adversely affected by this. The right to data portability shall not apply to a processing of personal data that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
7. Right to object
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Art. 6(1)(e) or (f) of the GDPR, including profiling based on those provisions. The controller shall no longer process the personal data concerning you unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims. If the personal data concerning you are processed for direct marketing purposes, you shall have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where you object to processing for direct marketing purposes, the personal data concerning you shall no longer be processed for such purposes. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you have the option to exercise your right to object by automated means using technical specifications.
8. Right to withdraw the declaration of consent under data protection law
You have the right to withdraw your declaration of consent under data protection law at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
9. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence or place of work or of the place of the alleged infringement, if you believe that the processing of personal data relating to you violates the GDPR. The supervisory authority to whom the complaint was lodged shall inform the complainant of the progress and the outcome of the complaint and possibility of a judicial remedy pursuant to Art. 78 of the GDPR.
IX. Provision of personal data
In order to use the Tool and other services, you must provide personal data. Without this data, we will generally not be able to provide any of our services nor a fully functioning website.
X. Automated individual decision including profiling
In principle, we do not use solely automated decision-making in accordance with Art. 22 GDPR to provide our services or establish and conduct business relationships. Should we use these procedures in individual cases, we will inform you separately about this and about your rights in this regard, insofar as this is required by law.
XI. Use of cookies
Description and scope of the data processing: Our website uses cookies and other related technologies (for convenience all technologies are referred to as “cookies”). Cookies are text files that are placed and stored on the user’s computer system in or via a web browser. When a user accesses a website, a cookie can be saved in the operating system of the user. This cookie contains a characteristic string that enables a clear identification of the browser when the website is accessed again. We use cookies to identify a registered user and these cookies (known as session cookies) are only valid for one session.
Legal basis for the data processing: The legal basis for the processing of personal data with the use of cookies is Article 6(1)(f) of the GDPR.
Purpose of the data processing: We use what are known as session cookies. These cookies ensure that certain parts of the website work properly and that your user preferences remain known. By placing functional cookies, we make it easier for you to visit our website. This way, you do not need to repeatedly enter the same information when visiting our website. Therefore, the user data collected by technically necessary cookies are not used for the creation of user profiles and are only used to identify a registered user (session cookies), as mentioned above. These purposes also constitute our legitimate interest in the processing of personal data pursuant to Art. 6(1)(f) of the GDPR.
Duration of storage, possibility of objection and erasure: Cookies are stored on the computer of the user, from which they are transmitted to our site. As a user, you therefore have full control over the use of cookies. You can deactivate or limit the transmission of cookies by changing the settings in your web browser. Cookies that have already been stored can be deleted at any time. This can also be automated. If you do delete the cookies in your browser, they will be placed again after your consent when you visit our website again. If cookies are deactivated for our website, it is possible that not all functions of the website can be used to their full extent.
XII. Contact form and e-mail contact
Description and scope of the data processing: Our website contains contact forms that can be used to make contact electronically. If a user chooses this option, the data entered into the input mask are transmitted to us and stored. These data are: (a) last name, (b) first name, (c) e-mail address and (d) message text. The date and time are also recorded. Within the framework of the sending process your consent to the processing of data is obtained and reference is made to this privacy policy. Alternatively, contact can also be established via the e-mail address provided. In this case, the user’s personal data transmitted in the e-mail are stored. There is no data transfer to third parties in this context. The data are used exclusively for the processing of the conversation.
Purpose of the data processing: The processing of the personal data from the input mask serves the sole purpose of handling the established contact. In the case that contact is established via e-mail this also constitutes the necessary legitimate interest in the processing of the data. Other personal data processed during the sending process serve the purpose of preventing a misuse of the contact form and ensuring the security of our information technology systems.
Duration of storage: The data are erased as soon as they are no longer necessary in order to fulfil the purpose of their collection. For the personal data from the input mask of the contact form and the data sent via e-mail, this is the case when the respective conversation with the user has ended. The conversation has ended if it can be concluded from the circumstances that the issue in question has been resolved.
Possibility of objection and erasure: The user has the right to withdraw consent to the processing of personal data at any time. If a user contacts us via e-mail, that user can object to the storage of that user’s personal data at any time. In such a case the conversation cannot be continued. You can withdraw your consent at any time by sending an email to info@epignostix.com. All personal data that was stored in the course of the establishment of contact will be erased in this case.
XIII. Use of hCaptcha
We use the hCaptcha security service (hereinafter “hCaptcha”) on our website. This service is provided by Intuition Machines, Inc., a Delaware US Corporation (“IMI”). hCaptcha is used to check whether user actions on our online service (such as submitting a login or contact form) meet our security requirements. To do this, hCaptcha analyzes the behavior of the website or mobile app visitor based on various characteristics. This analysis starts automatically as soon as the website or mobile app visitor enters a part of the website or app with hCaptcha enabled. For the analysis, hCaptcha evaluates various information (e.g. IP address, how long the visitor has been on the website or app, or mouse movements made by the user). The data collected during the analysis will be forwarded to IMI. Data processing is based on Art. 6(1)(b) of the GDPR: the processing of personal data is necessary for the performance of a contract to which the website visitor is party (for example, the website terms) or in order to take steps at the request of the website visitor prior to entering into a contract. Our online service (including our website, mobile apps, and any other apps or other forms of access offered by us) needs to ensure that it is interacting with a human, not a bot, and that activities performed by the user are not related to fraud or abuse. In addition, processing may also be based on Art. 6(1)(f) of the GDPR: our online service has a legitimate interest in protecting the service from abusive automated crawling, spam, and other forms of abuse that can harm our service or other users of our service. IMI acts as a “data processor” acting on behalf of its customers as defined under the GDPR, and a “service provider” for the purposes of the California Consumer Privacy Act (CCPA). For more information about hCaptcha’s privacy policy and terms of use, please visit the following links: https://www.hcaptcha.com/privacy and https://www.hcaptcha.com/terms
Cookie policy
Our cookie policy can be found here.