Privacy Policy

PRIVACY POLICY – PART I: BIOSTRAND AS CONTROLLER

I. INTRODUCTION

At BIOSTRAND we attach great importance to the protection of your Personal Data. This privacy policy sets out how we protect your Personal Data and who you can turn to for more information or to invoke your legal rights. 

If you provide us with Personal Data of other persons, please do inform these persons of our privacy policy before entrusting us with their Personal Data. From our side we will use all opportunity we have to inform and reassure you and these persons that Personal Data are safe with us.

We reserve our right to amend our privacy policy from time to time, if legislation or our internal practices so require. At all times you can find the current version of our privacy policy on our website www.biostrand.be.

II. CONTENT OF OUR PRIVACY POLICY – Part I

I. The controller of the processing

II. Purposes and legal basis for the processing of Personal Data 

III. The Personal Data processed and the case being, the necessity of the provision thereof  

IV. Duration of the processing and retention of data

V. Categories of recipients and transfer of Personal Data

VI. Your rights in relation to the processing of your Personal Data

VII. Contact BIOSTRAND in relation to data processing

I. The controller of the processing

The legal entity controlling the processing of your Personal Data is BIOSTRAND BV. BIOSTRAND BV is a Belgian company with limited liability whose registered office is located at Fabrieksstraat 7, 3930 Hamont-Achel, Belgium. BIOSTRAND BV is registered with the Register for Legal Entities in Belgium under number 0719.913.907.

BIOSTRAND is the controller of the processing of your Personal Data because it has determined the purposes and means of the processing.

BIOSTRAND is hereafter referred to as “BIOSTRAND”, “us” or “we”.

When we refer to our Website, we mean “www.biostrand.be”. 

When we refer to the Tool, we mean the Retrieve and Relate App of BIOSTRAND. This Tool works as follows:

Within the BIOSTRAND group a technology has been developed that relates to the identification of characteristic biological sequences in proteins, RNA and DNA, and their different information layers (hereafter HYFTS^TM), which sequences and information layers are contained in a proprietary knowledge database. This knowledge database of HYFTS^TM and HYFT^TM patterns and all related IP are licensed to BIOSTRAND, allowing BIOSTRAND to commercialize a related software service, i.e. the Retrieve and Relate application as a SAAS.

In the Retrieve and Relate application, HYFTS^TM are identified in a set of input sequence data of the Customer, which typically are strings of DNA, RNA or proteins. The input data are indexed, i.e. organized and centered around the HYFTS^TM. Then these input data, which are now organized and indexed, can be compared with selected Third Party Databases which BIOSTRAND equally processed and indexed according to the same HYFT^TM principles in its Reference Database. This turns sequence alignment and assembly into a simple, fast and improved operation. Alternatively, the Customer can enter a text query and receive sequences related to its query from the Reference Database.

II. Purposes and legal basis for the processing of Personal Data 

A. Basic processing by BIOSTRAND

BIOSTRAND processes Personal Data of its customers, as well as of contact persons of its customers, users of its Tool, and of visitors to its Website, for the following purposes:

1. conveying offers, invoicing and administration, management of the customer or sales relationship and delivering the services of BIOSTRAND in particular via the Tool:

2. direct marketing:

3. in relation to personal data of visitors of our Website that fill out the contact page: responding to the visitor’s request sent to us via the contact page. 

Additionally, on our website and for the Tool we may use cookies. For more information in relation to cookies, please revert to the cookie policy and pop up to be found at our Website. 

The legal basis for these processing operations is respectively:

1. For the processing for the purpose of sales:

o To the extent that you are a contact person of our customer or potential customer and your contact details have been provided by the customer or the potential customer for the performance of the contract with the customer or for communicating with or giving follow up to an offer to the customer, our legal basis for the processing of your data is:

* the necessity for the purpose of the legitimate interests pursued by BIOSTRAND and the customer to organize, and interact in relation to, the conclusion or performance of a contract. 

In our view, given the limited use made of your contact details, such interests are not overridden by your interests or fundamental rights and freedoms. Should you consider otherwise, please revert to title VI below on Your legal rights in relation to privacy. 

o To the extent that you are the customer itself, our legal basis for the processing of your data is:

* the necessity for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract.

2. For the processing for direct marketing, our legal basis is either:

* The necessity for the purpose of the legitimate interests pursued by BIOSTRAND to promote sales, reinforce the relationship with the customers, enhance customer loyalty, etc.

We may invoke this legal basis for newsletters and promotions sent by e-mail to our own customers if your e-mail contact details were received directly from you in the context of a sale, and are only used for the promotion of BIOSTRAND’s own similar products. Every newsletter however carries a link allowing you to unsubscribe from the newsletter. 

      Either:

* Your consent.

Your consent will be asked at the moment that we receive your Personal Data (e.g. on the Website). This will normally take the form of a little menu with different consent boxes to tick: 

      “I would like to receive:

      [] e-mail newsletters [subject matter]”

      You may revoke your consent at any moment in accordance with title VI below.

3. For the processing of personal data of visitors of our websites that fill out the contact page, for the sole purpose of responding to the visitor’s request, our legal basis is:

* Necessity for the purpose of the legitimate interests pursued by BIOSTRAND to treat and give follow up to your request. 

Given your initiative to send your request via the contact page (which we assume you want us to reply to) and the limited use made by us of your contact details to reply, such interests are in our view, not overridden by your interests or fundamental rights and freedoms. Should you consider otherwise, please revert to title VI below on Your legal rights in relation to privacy. 

B. Processing in the back end of the Tool

In order to provide the Services to the customers of the Tool, processing operations are taking place in the back end of the Tool:

In the back end of the Tool HYFTS^TM are identified in the input query of the Customer, which typically are strings of DNA, RNA or proteins. The input data are indexed, i.e. organized and centered around the HYFTS^TM. Then these input data, which are now organized and indexed, can be compared with selected Third Party Databases which BIOSTRAND equally processed and indexed according to the same HYFT^TM principles in its Reference Database.

Apart from the processing that BIOSTRAND performs as processor for the Customer (see BIOSTRAND PRIVACY POLICY Part II below), BIOSTRAND is also processing data from the selected Third Party Databases for its own purpose of

4. Scientific research for making its algorithms smarter and more performing.

The information processed in the back end of the Tool for our research purpose may contain personal data if the Customer has entered a search query in the Tool selecting publicly available Third Party Databases containing human genetic information. The data contained in these databases are pseudonymized. BIOSTRAND does not have additional data at its disposal which would allow BIOSTRAND to link the pseudonymized data to individuals, nor will it ever take any measures, or approach any third party in order to try and identify the individual data subjects concerned. Given the practical impossibility for BIOSTRAND to identify these individuals, and the disproportional effort it would take to try and identify these in order to inform these personally on the processing, BIOSTRAND is exempt from its information obligation towards these individuals pursuant to Article 14, 5 (b) GDPR. BIOSTRAND will however take appropriate safeguards, in accordance with GDPR, for the rights and freedoms of the data subjects.

In some circumstances and with BIOSTRAND’s consent, the Customer may also enter a search query in the Tool selecting proprietary Third Party Databases containing human genetic information. In that case, it is the responsibility of the Customer to make sure that such proprietary databases are GDPR compliant, have obtained free informed consent of data subjects where required, and only work with adequately pseudonymized data, before any such data being processed by BIOSTRAND for this purpose. As in the previous paragraph, it will be practically impossible for BIOSTRAND to identify individual data subjects. Therefore, the exemption explained above will apply.

The Customer’s input queries itself are not processed for this purpose.

The legal basis for these further processing operations is 

* The necessity for the purpose of the legitimate interests pursued by BIOSTRAND to conduct scientific research for making its algorithms smarter and more performing.

In our view, given the appropriate safeguards taken by either BIOSTRAND, either the Third Party Databases from whom the personal data were obtained, in particular pseudonymisation of the data, and the fact that in many cases the personal data were already included in public databases, such interests are in our view not overridden by your interests or fundamental rights and freedoms. Should you consider otherwise, please revert to title VI below on Your legal rights in relation to privacy. 

C. Processing for legal purposes

Finally, BIOSTRAND also processes Personal Data for legal purposes:

5. Personal data are then processed for legal reasons, compliance (data protection, NIS-legislation) or tax and accounting reasons.

The legal basis of our processing is then to be found in European or national law.

III. The Personal Data processed and the case being, the necessity of the provision thereof  

For customers and users

* Name of the company customer*(1)(2) 

* Address*(1)(2)

* For a company customer: contact persons and/or users* (1)(2)

* E-mail address* (1)(2)

* Telephone and/or mobile number * (1)(2)

* Company entity and legal form* (1)(2)

* Company number* (1)

* VAT number* (1)

* Financial data* (1)

* Login/password (1)

* Contract related information (1)

And the case being:

* Customer complaints and details of the complaints (1)

The Personal Data (1) are processed for the purpose of sales and legally required purposes linked to that purpose. The Personal Data (2) are processed for direct marketing purposes.

The aforementioned Personal Data indicated with a * have to be provided if the customer wants to engage in a sales relationship. The provision of the other Personal Data is entirely on a voluntary basis.

For visitors to the websites

* Name

* Contact details

* Data filled out on the contact page

* Response to request

The provision of these data is entirely on a voluntary basis. However, if you decide to submit a request, you have to fill in a name and electronic contact details. The data are only processed to properly deal with your request.

For other data subjects of whom genetic data are included in Third Party Databases

* Pseudonymized genetic information 

* Own research data on the structure of genetic information

IV. Duration of the processing and retention of data

For customers:

We process your Personal Data for the purpose of sales, as long as necessary in the context of the contracts entered into with you or with your organisation. Personal Data of inactive customers, being after termination of our contracts, are retained for as long as necessary for legal, compliance or tax and accounting reasons or for as long as your purchases could give rise to legal claims.

We process your Personal Data for direct marketing purposes until you oppose to the processing of your Personal Data for that purpose, or if the processing was based on your consent, until you withdraw your consent.

For visitors to the website that fill in the contact page:

We process your personal data as long as necessary to deal with and give follow up to your request. The data are not retained afterwards (unless the case being, in the context of another processing for another purpose as detailed in this Privacy Policy).

For other data subjects of whom genetic data are included in Third Party Databases

Your data are processed and stored as long as this is useful for scientific research purposes subject to appropriate technical and organizational measures in order to safeguard your rights and freedoms, such as in particular pseudonymisation.

V. Categories of recipients and transfer of Personal Data

Following Personal Data may be shared in accordance with this Privacy Policy :

1. All Personal Data with third party processors that provide services for us e.g. suppliers of IT and hosting services who are acting on behalf of BIOSTRAND and with whom BIOSTRAND has entered into adequate processor contracts. These processors will only use the data for the purposes determined by BIOSTRAND and in accordance with this Privacy Policy.

Notwithstanding the foregoing, it is possible that BIOSTRAND must disclose your Personal Data :

2. To the competent authorities (i) when BIOSTRAND is obliged to do so under the law or in the context of legal proceedings and (ii) for the protection and defence of our rights.

BIOSTRAND does not transfer Personal Data outside of the EU for its own purposes :

VI. Your rights in relation to the processing of your Personal Data

In relation to the Personal Data that are processed by BIOSTRAND, you have a number of legal rights:

* You have a right to get access to your Personal Data and to have these data corrected. 

* You may ask BIOSTRAND to erase your Personal Data, or to restrict the processing thereof. 

* To the extent that the processing is based on the legal basis of a legitimate interest or the processing is done for direct marketing purposes, you have the right to oppose to that processing. 

* To the extent that the processing is based on your consent, you have the right to revoke your consent at any time.

Within a duration of maximum 1 month after receipt of your request, we will act upon your request and reply. If for some reason we cannot accommodate your request, we will inform you of the reasons thereof. If we are not in a position to identify you properly, we may ask you to provide a proof of your identity as a prerequisite to accommodating your request.

VII. Contact BIOSTRAND in relation to data processing

In order to invoke your rights under title VI, please contact us at info [at] biostrand.be, or send us a letter at BIOSTRAND BV, Privacy, Fabrieksstraat 7, 3930 Hamont-Achel, Belgium.

If on the other hand you have any questions, remarks or complaints in relation to our privacy policy or how we process your data, do not hesitate to contact us, either by telephone or e-mail.

Privacy manager

Tel: [+32 11 28 69 00]

E-mail: privacy [at] biostrand.be

If you have any complaints in relation to how BIOSTRAND processes your Personal Data, you may file a complaint with the Supervisory Authority: www.gegevensbeschermingsautoriteit.be

PRIVACY POLICY – PART II: BIOSTRAND AS PROCESSOR (Processor Policy)

I. INTRODUCTION

At BIOSTRAND we attach great importance to the protection of personal data. This Policy sets out BIOSTRAND’s commitments as a processor with regard to the Customer Personal Data we process on behalf of a customer (hereafter “the Customer”).

We shall process the Customer Personal Data in a proper and careful way and in accordance with the Customer’s instructions and the Privacy Legislation and other applicable rules concerning the processing of Customer Personal Data.

We reserve our right to amend our Processor Policy from time to time, if legislation or our internal practices so require.

II. CONTENT OF OUR PROCESSOR POLICY

I. Subject matter of the processing

II. Customer Purposes for the processing of Customer Personal Data and processing operations

III. Overview of the Customer Personal Data, which parties expect to process

IV. Duration of the processing and retention period

V. Sub-processors

VI. Transfer of Customer Personal Data

VII. Rights in relation to the processing of Customer Personal Data

VIII. Technical and organisational security measures

IX. Notification of security breaches

X. Return and deletion of the Customer Personal Data

XI. Confidentiality clause

XII. Privacy Manager

I. Subject matter of the processing

The processing considered here below is the processing by BIOSTRAND and/or in the BIOSTRAND Retrieve and Relate App (hereafter “Tool”) of Customer Personal Data such as:

- data of Users or Team Members as defined in the Terms of Service on the one hand, and

- the case being, genetic data on individuals included (i) in the queries the Customer enters into the Tool or (ii) in the results linked to the queries and generated by the Tool, on the other hand. Results are as defined in the Terms of Service (hereafter Results).

These Customer Personal Data are processed on behalf of the Customer and for the Customer’s purposes. This processing either forms an inherent part of the Customer’s use of the Tool, either relates to BIOSTRAND’s support given for the Tool in the event of incidents. Specific processing operations relate to for instance authentication, reading, creation and submission of information under the form of Results, monitoring the usage of the Tool and supporting incidents.

With regard to this processing, BIOSTRAND processes the relevant Customer Personal Data on behalf of its Customer. Therefore, BIOSTRAND qualifies as processor for these processings.

The Customer of BIOSTRAND takes the initiative for the processing: it decides to use the Tool in the context of its research activities. It decides on what queries to enter into the Tool, to use the Tool for their queries and not any other tool, and it selects the Third Party Databases that need to be addressed by the Tool. Hence, it is the Customer that determines the purposes and means of the processing of the Customer Personal Data and thus qualifies as controller with regard to these processings. BIOSTRAND shall only process the Customer Personal Data for the same Customer Purposes upon request of the Customer and in accordance with its instructions.

The Customer in its capacity as controller shall be responsible to comply with all (legal) obligations vested in the controller. In particular the Customer must make sure (i) to have prior free consent of all data subjects of whom Personal Data are included in the queries and (ii) to only work with Third Party Databases, in particular if proprietary Third Party Databases, that are GDPR compliant, have obtained free informed consent of data subjects where required, and only work with adequately pseudonymized data. The Customer must also observe the data protection rights of data subjects of whom Personal Data are included in the Results gathered via the Tool and the selected Third Party Databases.

II. Customer Purposes for the processing of Customer Personal Data and nature of the processing operations

BIOSTRAND processes Customer Personal Data on behalf of its Customer for the purposes of the Customer.

In the context of these Customer Purposes, BIOSTRAND shall perform the following processing operations for the Customer:

- The delivery of Services to the Customer in accordance with the Terms of Service, being amongst others:

o Authentication on parts of the Tool

o Reading, creation and submission of information (Results) linked to the queries 

o Supporting incidents

III. Overview of the Customer Personal Data, which parties expect to process 

The categories of data subjects are the following:

* Customer’s Users and external users invited to join a Team managed by the Customer in accordance with the Terms of Service;

* Data subjects of whom genetic data are included in a query, or in Results linked to a query.

The following data is processed in order to allow for the Services:

For Customer’s Users and Team Members:

- Contact details

For data subjects of whom genetic data are included in a query, or in Results linked to a query:

- Pseudonymized genetic data

IV. Duration of the processing and retention period

BIOSTRAND shall retain the Customer Personal Data in relation to the Customer, Users and Team Members as long as the Agreement is ongoing. Once the Agreement has been terminated, the Customer Personal Data shall be deleted within one month.

The Customer queries and all personal data included in these queries are not stored by BIOSTRAND. The Results linked to the queries are not stored either. It is for the Customer to organize storage of its queries and Results.

V. Sub-processors

For the Customer Purposes specified under heading II, BIOSTRAND appeals to the following sub-processors which are approved by the Customer:

Facebook

Facebook page is used for active communication with our customers and prospective customers. We may use this platform to provide information about our events. When you visit our Facebook page, your data can be automatically collected and stored for purposes of market research and advertising. These data are used, along with pseudonyms, to create what are known as “user profiles.”

For this purpose, the cookies typically placed on your device store a record of visitor behavior and user interests. Facebook provides further information on this link.

Within the framework of a balancing of interests, the statistical information provided by Facebook about the use of the Facebook page (“Facebook Insights”) is used in accordance with Art. 6 (1) (f) GDPR in the exercise of our overriding legitimate interest in an optimized presentation of our offerings and effective communication with customers and prospective customers.

Data are processed on the basis of an agreement between joint controllers in accordance with Art. 26 GDPR. This agreement can be consulted here: https://www.facebook.com/legal/terms/

Facebook has its registered office in the USA. You can find a link to the opt-out here: https://www.facebook.com/settings?tab=ads

LinkedIn

LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Irland, a subsidiary of LinkedIn Corporation, 1000 W. Maude Avenue, Sunnyvale, CA 94085 USA.

Privacy Policy: https://www.linkedin.com/legal/privacy-policy

Twitter

You’ll find privacy information at Twitter (Twitter Inc., 1355 Market St, Suite 900, San Francisco, CA 94103, USA) here: https://www.twitter.com/privacy.

If you would like to object to future data collection by Twitter, you can set an opt-out cookie here: https://twitter.com/personalization

YouTube

We integrate videos from the “YouTube” platform of provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

Information about the privacy policy: https://policies.google.com/privacy and for the opt-out: https://adssettings.google.com/authenticated

Name of sub-contractor

Amazon; Amazon Web Services (AWS)

We use Amazon; Amazon Web Services (Amazon Web Services, Inc., our mailing address is: Amazon Web Services, Inc., 410 Terry Avenue North, Seattle, WA 98109-5210) as a platform to host our cloud-platform and process all request related thereto. Further information about AWS under https://aws.amazon.com/legal and https://aws.amazon.com/privacy

YouTube

Our website uses plugins from YouTube, which is operated by Google. The operator of the pages is YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. If you visit one of our pages featuring a YouTube plugin, a connection to the YouTube servers is established. Here the YouTube server is informed about which of our pages you have visited.

If you're logged in to your YouTube account, YouTube allows you to associate your browsing behavior directly with your personal profile. You can prevent this by logging out of your YouTube account. YouTube is used to help make our website appealing. This constitutes a justified interest pursuant to Art. 6 (1) (f) GDPR. Further information about handling user data, can be found in the data protection declaration of YouTube under https://www.google.de/intl/de/policies/privacy

Shariff Share Buttons in blog

In order to prevent data from being transferred to service providers without the user’s knowledge, we use the so-called Shariff solution in our blog articles. This solution ensures that no personal data is initially passed on to the providers of the individual social plug-ins when you visit our websites. Only when you click on one of the buttons of the social plugins can data be transferred to the service provider and saved there.

More information about the Shariff solution can be found at https://www.heise.de/ct/artikel/Shariff-Social-Media-Buttons-mit-Datenschutz-2467514.html (in German).

Social Media Features

Our Websites include Social Media Features, such as Facebook or Spotify Like button and Widgets. Some of these features may collect your IP address, which page you are visiting on our sites, and may set a cookie to enable the feature to function properly. Social Media Features and Widgets are either hosted by a third party or hosted directly on our website. Our Privacy Policy does not apply to these features. Your interactions with these features are governed by the privacy policy and other policies of the companies providing them.

If you do not want these companies to associate your visit to our site with your account, please log out of your account.

Google Analytics

The cookies are used to collect information about how visitors use our site. We use the information to compile reports and to help us improve the site. The cookies collect information in an anonymous form, including the number of visitors to the site, where visitors have come to the site from and the pages they visited. This information is completely anonymous. Information on how to opt-out of Google Analytics can be found at https://tools.google.com/dlpage/gaoptout

Google Web Fonts

For a uniform representation of fonts, this page uses web fonts provided by Google. When you open a page, your browser loads the required web fonts into your browser cache to display texts and fonts correctly. For this purpose, your browser has to establish a direct connection to Google servers. Google thus becomes aware that our web page was accessed via your IP address.

The use of Google Web fonts is done in the interest of a uniform and attractive presentation of our website. This constitutes a justified interest pursuant to Art. 6 (1) (f) GDPR. If your browser does not support web fonts, a standard font is used by your computer. Further information about handling user data, can be found at https://developers.google.com/fonts/faq and in Google's privacy policy at https://www.google.com/policies/privacy/

Google Maps

This site uses the Google Maps map service via iframe. It is operated by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Thus, when you visit our pages about the plugin a direct connection can be established between your browser and the Google server. This enables Google to receive information that you have visited our site.

This means that Google can associate visits to our pages with your user account. The use of Google Maps is in the interest of making our website appealing and to facilitate the location of places specified by us on the website. This constitutes a justified interest pursuant to Art. 6 (1) (f) GDPR. Further information about handling user data, can be found in the data protection declaration of Google at https://www.google.de/intl/de/policies/privacy/

If you do not want Google to associate your visit to our site with your Google account, please log out of your Google account.

Google reCAPTCHA

We use "Google reCAPTCHA" (hereinafter "reCAPTCHA") on our websites. This service is provided by Google Inc., 1600 Amphitheater Parkway, Mountain View, CA 94043, USA ("Google"). reCAPTCHA is used to check whether the data entered on our website (such as on a contact form) has been entered by a human or by an automated program. To do this, reCAPTCHA analyzes the behavior of the website visitor based on various characteristics.

This analysis starts automatically as soon as the website visitor enters the website. For the analysis, reCAPTCHA evaluates various information (e.g. IP address, how long the visitor has been on the website, or mouse movements made by the user). The data collected during the analysis will be forwarded to Google.
The reCAPTCHA analyses take place completely in the background. Website visitors are not advised that such an analysis is taking place. Data processing is based on Art. 6 (1) (f) GDPR.

The website operator has a legitimate interest in protecting its site from abusive automated crawling and spam. For more information about Google reCAPTCHA and Google's privacy policy, please find the links here and here.

Survey Monkey

We use SurveyMonkey (SurveyMonkey Europe UC, 2nd Floor, 2 Shelbourne Buildings, Shelbourne Road, Dublin, Ireland) to conduct surveys. We conduct the surveys in order to continuously improve our range of services according to your feedback. That’s why your opinion is very important to us. If you decide to participate in the survey, SurveyMonkey will collect information about your device, IP address, the version of your operating system, and information on the browser type.

As part of the survey, we may query the gender, age, status, and position of the participants for purely statistical purposes. We do this in order to be able to include social components in assessments of the results and to optimize them accordingly. In addition, you may voluntarily provide your first and last name as well as an e-mail address (“voluntary information”). We usually request this information when we offer a prize drawing among the participants.

We need your voluntary information in order to contact you in the event that you win a prize. However, this information will be deleted once the prize drawing is completed. The processing of your data is based on consent, Art. 6 (1) (a). Participation is on a voluntary basis. You can contact us at any time to request the erasure of your survey data, including personal data. Individual responses cannot be corrected after the fact once the survey has been submitted, however.

SurveyMonkey collects your information on our behalf in order to create reports with which we can analyze your satisfaction with our services offering and evaluate your suggestions. We would like to point out that SurveyMonkey uses cookies. Information on this, as well as the duration of storage, can be found here. We also want to point out that SurveyMonkey usually transmits the data to a server in the USA and stores it there.

You can find information about opting out of cookies here.

Hotjar

We use Hotjar in order to better understand our users’ needs and to optimize this service and experience. Hotjar is a technology service that helps us better understand our users' experience (e.g. how much time they spend on which pages, which links they choose to click, what users do and don’t like, etc.) and this enables us to build and maintain our service with user feedback.

Hotjar uses cookies and other technologies to collect data on our users’ behavior and their devices (in particular device’s IP address (captured and stored only in anonymized form), device screen size, device type (unique device identifiers), browser information, geographic location (country only), preferred language used to display our website). Hotjar stores this information in a pseudonymized user profile.

Neither Hotjar nor we will ever use this information to identify individual users or to match it with further data on an individual user. For further details, please see Hotjar’s Privacy Policy. You can opt-out to the creation of a user profile, Hotjar’s storing of data about your usage of our site, and Hotjar’s use of tracking cookies on other websites by following this opt-out link.

HubSpot

HubSpot uses a tracking tool to help us determine how many of you have opened our newsletters and which of the links they contain have been clicked. HubSpot is a service of Hubspot Inc., is an American company with a branch in Ireland (Contact: HubSpot, 2nd Floor 30 North Wall Quay, Dublin 1, Ireland, Tel.: +353 1 5187500). Technical information is collected in the course of this, such as information about your browser, the system you use, and your IP address and time of retrieval.

This information is used for the technical improvement of the services. The legal basis for this is Article 6 (1) (1) (f) GDPR since we have a legitimate interest in learning user behavior as it involves the opening of our newsletters. This permits us to optimize our services and to operate the newsletter service economically as well. We use HubSpot to report on and manage website activity. This service uses cookies for tracking activity across our site. You can view the privacy policy of this service provider at https://legal.hubspot.com/privacy-policy

Stripe

Stripe is used to handle all transactions related to subscriptions and invoicing. (Stripe, 9th Floor, 107 Cheapside, London, EC2V 6DN). You can view the privacy policy of this service provider at https://stripe.com/en-be/privacy

These sub-processors are at least bound by the same obligations by which BIOSTRAND is bound under this Policy.

BIOSTRAND shall refrain from sharing any Customer Personal Data to any sub-processor not in the sub-processor list.

BIOSTRAND undertakes to inform the Customer in accordance with the Terms of Service of any change to the aforementioned list (addition or replacement of a sub-processor). The Customer has the opportunity to object to such changes in writing and in a reasoned manner within 30 days upon receipt of BIOSTRAND’s notice.

VI. Transfer of personal data

BIOSTRAND shall not transfer Customer Personal Data, to a country outside the European Economic Area (i.e. the European Union, Liechtenstein, Iceland and Norway), unless requested by the Customer. In such case however, the Customer will make sure to have taken sufficient measures in accordance with GDPR in order to justify this transfer of personal data outside of the EEA. The Customer is accountable for any transfer under its control.

VII. Rights in relation to the processing of Customer Personal Data

BIOSTRAND commits to deliver the necessary assistance to the Customer, taking into account the nature of the processing, with:

1) the fulfilment of the Customer’s duty to answer a request of a data subject for exercising the data subject's rights laid down in Chapter III of the GDPR;

2) taking the appropriate measures for the safety of the Customer Personal Data and reporting any breaches to the safety and security of Customer Personal Data of which it becomes aware:

3) the Customer carrying out a data protection impact assessment, in case the Customer considers such assessment to be (legally) required.

If the Customer wishes to call upon the assistance of BIOSTRAND, the Customer will promptly notify BIOSTRAND by e-mail and by telephone. 

VIII. Technical and organizational security measures

BIOSTRAND undertakes to implement the following appropriate technical and organisational security measures necessary for the protection of Customer Personal Data:

-Encryption at Rest
Personal data within Biostrand is encrypted at rest in accordance with industry standards.
-Encryption in Transit
All requests of personal data must be made over the Transport Layer Security protocol (TLS).
-Principle of least privilege
Any user, program, or process should have only the bare minimum privileges necessary to perform its function.

When determining the appropriate technical and organisational security measures, BIOSTRAND shall take into account (i) the state of the art, (ii) the implementation costs related to these measures, (iii) the nature, scope, context and purposes of the processing, (iv) the risks involved for the data subjects’ rights and freedoms, in particular in case of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or non-authorised access to Customer Personal Data transmitted, stored or otherwise processed, and (v) the probability that the processing shall have an impact on the rights and freedoms of the Data Subjects.

BIOSTRAND shall update these measures on a regular basis.

IX. Notification of security breaches

BIOSTRAND shall implement technical measures to:

- monitor security events in relation to Customer Personal Data, and

- detect data breaches.

In the event of a data breach, BIOSTRAND shall notify the controller- Customer without undue delay after becoming aware of the data breach and shall provide – to the extent possible - the Customer with all information needed to inform the competent authorities if deemed necessary by the Customer. 

The Customer however shall be responsible for its notification obligations toward the competent authorities and/or data subjects.

BIOSTRAND shall retain any incident logs related to a data breach for six (6) months.

X. Return and deletion of Customer Personal Data

Upon termination of the Agreement, BIOSTRAND shall remove all Customer Personal Data in relation to the Customer, Users and Team Members within one month.

BIOSTRAND does not store Customer queries or Results. It is the Customer’s obligation to store queries and Results in its own systems.

XI. Confidentiality clause

BIOSTRAND shall maintain the Customer Personal Data confidential and thus not disclose any Customer Personal Data to third parties, without the prior written agreement of the customer. Exception to this rule is however that the Results are generated by automatic means in the Tool. The Tool can generate similar or same Results upon similar or same queries of other customers. Therefore and in that hypothesis, Results are not considered confidential information.

BIOSTRAND will ensure that its employees, engaged in the performance of the Agreement, are informed about the confidential nature of the Customer Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements.

XII. Privacy Manager

BIOSTRAND has appointed a Privacy Manager. The Privacy Manager can be contacted as follows:

Tel: [+32 11 28 69 00]

E-mail: privacy [at] biostrand.be