Indivumed Data Protection Policy
Effective date: March 20, 2026
This Data Protection Policy (“Policy”) explains how Indivumed GmbH (hereinafter “Indivumed”, “we”, or “us”) collects, uses, stores, and otherwise processes personal data when you:
- visit or use our websites,
- interact or collaborate with us as a business partner or a potential business partner,
- interact with us on social media,
- apply for a position with us.
How this Policy is structured
To make this Policy easier to read, we have divided it into several sections. First, we provide general information on how we process personal data. This information applies to all processing activities carried out by us. In the second part, you will find specific information depending on your relationship with us, including when:
- you are a visitor to one of our websites,
- you are an existing or potential business partner,
- you interact with us via our social media channels,
- you are applying for a job.
You can access both the general and the relevant specific information by expanding the corresponding sections below. To get information on how we process your personal data, kindly review the section that applies to your relationship with us.
Contents
- Introduction and General Remarks
- Website Users
- Business Partners
- Social Media Contacts
- Job Applicants
- Your Rights as Data Subject
- Contact Information
- Closing Remarks
1. Introduction and General Remarks
At Indivumed, your privacy and the protection of your personal data are of the highest importance. Personal data means any information about you that can identify you directly or indirectly. This includes your name, email address, phone number, location, IP address, or any other detail that could be linked to you.
We process personal data in accordance with all applicable data protection laws, in particular the EU General Data Protection Regulation (Regulation (EU) 2016/679, hereinafter “GDPR”) and the German Federal Data Protection Act (Bundesdatenschutzgesetz, hereinafter “BDSG”). We pay close attention to data protection aspects in all our online and offline activities.
With respect to personal data you have provided to us, we act as controller within the meaning of Article 4(7) GDPR for the processing activities described in this Policy. In accordance with Articles 13 and 14 GDPR, our identity and contact details are as follows:
Indivumed GmbH
represented by its Managing Director (Geschäftsführer) Prof. Dr. Hartmut Juhl
Falkenried 88, Bldg. D
20251 Hamburg
Germany
Phone: +49 40 4133 83 0
Fax: +49 (40) 41 33 83 14
E-mail: info@indivumed.com
2. Website Users
2.1 Cookies
This website uses cookies to ensure that your visit to our website is as pleasant as possible. Additionally, cookies allow us to save preferences, conduct marketing activities, measure our website traffic, and implement security features. We also share information about your use of our site with our social media, advertising and analytics partners who may combine it with other information that you’ve provided to them or that they’ve collected from your use of their services.
Cookies are small text files that your browser stores on your device. They help websites function, remember settings, and understand how the site is used. You can delete cookies at any time and configure your browser not to accept them. You can also manage your cookie consent using our cookie tool available in the footer of this website.
We also use similar technologies (e.g., pixels/tags, local/session storage, SDKs/scripts, device identifiers/fingerprinting) that function like cookies by storing or accessing information on your device.
For more information on cookies and similar technologies used on this website, please see our Cookie Policy.
2.2 Hosting and Content Delivery
When you visit our website, pages and files are served from Amazon Web Services (AWS). We use Amazon S3 in Frankfurt (eu‑central‑1) to store our website content, and AWS CloudFront together with AWS Global Accelerator to deliver content quickly and reliably worldwide.
2.2.1 What happens when a page loads?
To display a page, your device automatically sends standard technical request information, such as:
- IP address
- Requested URL
- Date and time of the request
- Browser and device information (user agent)
This information is technically necessary to deliver the requested content to your device.
We do not enable access or request logging for our Application Load Balancer (ALB), CloudFront, or Amazon S3. This means that the data is processed only temporarily for delivery and security purposes and is not stored by us.
2.2.2 Redirects for website functionality and security
To ensure a secure, stable, and reliable website experience, we may use redirects (e.g. HTTP 301) to forward you to the correct page.
For this purpose, your IP address and basic HTTP header information are processed by AWS Lambda@Edge, which is configured in us‑east‑1 and executed at CloudFront edge locations worldwide.
The legal basis for this processing is our legitimate interest in operating a secure, stable, and functional website (Art. 6(1)(f) GDPR).
We maintain diagnostic logs for this function solely to ensure technical reliability and security. For details on log retention, please refer to section 2.7.
2.2.3 Forms and communication
Communication Form
If you contact us using a form on our website, your message is processed by AWS Lambda (Frankfurt) and then forwarded to our CRM system (Freshsales by Freshworks Inc.) for follow‑up communication.
Freshworks operates globally, including in the EU/EEA, the United States, and India. For the purpose of handling your request, we process:
- Technical metadata (IP address, timestamp, form URL),
- Any contact or identification data you provide, and
- The content of your message.
The legal basis for this processing is Art. 6(1)(b) GDPR (performance of a contract or pre‑contractual processes).
Newsletter
If you subscribe to our newsletter, we process your email address and, if provided, your name. This information is stored in our CRM system and is accessible internally to relevant Indivumed staff solely for sending the newsletter. The legal basis for this processing is your consent (Art. 6(1)(a) GDPR). You may withdraw your consent and unsubscribe at any time using the link provided in each newsletter email.
2.3 International Data Transfers
Our service providers primarily offer EU‑focused data residency options or allow us to select regional processing locations. However, depending on the services or features used as described above (for example, when using certain server‑side services, integrations, or selecting non‑EU account regions), personal data may be transferred to countries outside the EU/EEA, such as the United States or India.
Some of these countries may not provide a level of data protection that is considered equivalent to that under EU law. In such cases, we ensure that appropriate safeguards are in place to protect your personal data.
2.4 Transfers to the United States
On 10 July 2023, the European Commission adopted an adequacy decision for the EU‑U.S. Data Privacy Framework (DPF) (Commission Implementing Decision (EU) 2023/1795). This decision recognizes that certified U.S. organizations provide a level of data protection essentially equivalent to that guaranteed within the EU. Where personal data is transferred to the United States, we rely on:
- the EU‑U.S. Data Privacy Framework (DPF), where the recipient is certified under the framework, and
- EU Standard Contractual Clauses (SCCs) approved by the European Commission under Decision (EU) 2021/914 of 4 June 2021, where applicable.
2.5 Other International Transfers
For transfers to countries outside the EU/EEA that are not covered by an adequacy decision, we rely on the EU Standard Contractual Clauses (SCCs) and, where required, implement additional supplementary measures to ensure an adequate level of protection in accordance with EU data protection law.
2.6 Consent‑Based Transfers for Analytics and Marketing
Please note that transfers of personal data outside the EU/EEA for statistics or marketing purposes only take place if you have provided your consent.
You may withdraw your consent at any time with future effect via the Cookie Tool in the footer of this website. Your withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
2.7 Retention Periods
2.7.1 Server and service logs
We retain technical server and service logs only for as long as necessary to ensure the security, stability, and performance of our website.
In European regions (including Frankfurt, Ireland, London, Paris, and Stockholm), log retention is configured for 30 days. Logs are used solely for diagnostics, troubleshooting, and performance monitoring and are automatically deleted after this period.
In other regions, certain AWS CloudWatch log groups may not have an automatic retention period configured by default. In these cases, logs may be retained for a longer period. As AWS does not provide a global default retention setting for newly created services or functions, we perform regular manual reviews to ensure that log retention remains limited to what is necessary and compliant with applicable data protection laws. Logs are deleted or retention periods are adjusted once they are no longer required.
Where applicable, server and service logs may contain:
- Lambda execution metadata (such as function identifiers and execution timestamps),
- error and diagnostic traces, and
- non‑persistent technical identifiers and timing information.
These log entries are retained in accordance with the retention periods described above and are not used for analytics, profiling, or marketing purposes.
2.7.2 Analytics and marketing data
Analytics and marketing data is processed and retained only if you have consented to the use of analytics or marketing cookies. You may withdraw your consent at any time with future effect via the cookie settings.
Retention periods for analytics and marketing data are specified in the details section of our Cookie Tool.
3. Business Partners
When you have a business relationship with us, or when we communicate with you for business‑related purposes (for example during business meetings, contract negotiations, discussions regarding potential collaborations, or other pre‑contractual interactions), we process personal data primarily to initiate, manage, and perform our business relationship.
This also includes situations where you contact us via:
- the contact form on our website,
- e‑mail, telephone, or social media, or
- personal or professional networks.
In these contexts, we may process the following personal data:
- your name and chosen salutation,
- company name and your position or role,
- business contact details (company e‑mail address, telephone or fax number),
- address and payment details (where applicable), and
- financial or transaction history (where applicable).
3.1 Legal Bases for Processing
We process your personal data
- to take steps prior to entering into a contract and/or to perform a contract with you (Art. 6(1)(b) GDPR), and
- to comply with applicable legal obligations, such as accounting or tax requirements (Art. 6(1)(c) GDPR).
In addition, we may use your business e‑mail address obtained in the course of our business relationship to:
- improve customer support,
- optimize our offerings, and
- inform you about potential collaboration opportunities.
This processing is based on our legitimate interest in maintaining and developing our business relationship (Art. 6(1)(f) GDPR).
You may object to this processing at any time by using the unsubscribe link included in our e‑mails or by contacting us directly (see section 7 for contact details).
3.2 Customer Surveys
Participation in customer surveys is voluntary. If you choose to participate, we process the data you provide solely for the purpose of improving our products and services, based on your consent (Art. 6(1)(a) GDPR). Your data will be retained for this purpose until you withdraw your consent.
3.3 Newsletter
If you subscribe to our newsletter, we process your personal data based on your consent (Art. 6(1)(a) GDPR). You may withdraw your consent at any time without affecting the lawfulness of processing carried out before the withdrawal. Once consent is withdrawn, we will no longer process your data for newsletter purposes and will retain only the necessary information to document your request not to receive further communications.
3.4 Storage Periods
We store your personal data only for as long as necessary for the purposes described above, including:
- the performance of a contract,
- the pursuit of legitimate interests, and
- compliance with legal obligations (e.g. statutory retention requirements under accounting or tax law in accordance with Art. 6(1)(c) GDPR).
4. Social Media Contacts
When you interact with us on social media (for example, by following, commenting, or engaging in any similar way), we process only aggregated, anonymized insights for statistical and growth‑related purposes, and we do not internally process any data that can identify you. If you contact us directly via social‑media messaging or provide information in a way that identifies you, we will process that data solely to respond to your request and in accordance with this Policy.
The social media platforms you use to contact us, on the other hand, process your personal data for their own purposes and under their own responsibility, in accordance with their respective policies. Please note that these platform‑specific processing activities fall outside our control and do not bind us. We encourage you to review the relevant platform’s privacy notice to understand how your data is handled on their side.
5. Job Applicants
When you apply for a position at Indivumed, we collect and process personal data that is necessary to evaluate your suitability for the role and, where applicable, to establish an employment relationship.
For these purposes, we use
- contact details and application documents (e.g. CV, certificates, qualifications, cover letter, responses to application questions), and
- where applicable, bank account details (e.g. for reimbursement of travel or other application‑related expenses).
5.1 Legal Basis
The processing of your personal data is based on Art. 6(1)(b) GDPR, as it is necessary to take steps prior to entering into an employment contract.
For the purposes described above, your personal data is processed by Indivumed’s HR department and by the relevant hiring managers or department heads involved in the recruitment process.
Your personal data may also be transferred to external service providers that operate our applicant management or recruitment systems. These providers act as processors and are bound by data processing agreements in accordance with Art. 28 GDPR.
Kindly note that access to your personal data is strictly limited to persons directly involved in recruitment decisions in order to ensure confidentiality.
5.2 Retention Periods
The retention period for your personal data depends on the outcome of your application.
5.2.1 Unsuccessful applications
If your application does not progress further, your personal data will be retained for six (6) months after the conclusion of the recruitment process and will then be permanently deleted. As an exception, certain data may be retained for longer periods where required to comply with statutory retention obligations, for example in connection with expense reimbursements (e.g. up to 6 years under the German Fiscal Code and 10 years under the German Commercial Code).
5.2.2 Successful applications
If your application is successful and you enter into an employment relationship with us, your application data will be transferred to your personnel file and further processed in accordance with Art. 88 GDPR and applicable employment‑related laws.
5.2.3 Talent pool / future vacancies
If your application is not successful, we may ask for your separate and explicit consent to retain your application data for consideration for future vacancies. In such cases, your data will only be retained if you explicitly agree (Art. 6(1)(a) GDPR). You may withdraw your consent at any time with future effect, and if consent is withdrawn, your data will be deleted without delay unless another lawful retention obligation applies.
6. Your Rights as Data Subject
Under GDPR and BDSG, you have the following rights with regard to the processing of your personal data:
6.1 Right of Access (Art. 15 GDPR)
You have the right to request confirmation of whether we process your personal data and to receive clear information about the purposes of processing, the types of data involved, who receives the data, and how long we store it. You may also request a copy of your personal data in a structured, commonly used, and machine-readable format.
6.2 Right to Rectification (Art. 16 GDPR)
If you believe that the personal data we process about you is inaccurate or incomplete, you have the right to request the correction of inaccurate personal data and the completion of incomplete personal data.
6.3 Right to Erasure (“Right to be Forgotten”) (Art. 17 GDPR)
You may request that we delete your personal data when, for example, it is no longer needed for the purposes for which it was collected, you withdraw your consent, or you believe the processing is unlawful. This right may be limited when we are required by law to retain certain information.
6.4 Right to Restrict Processing (Art. 18 GDPR)
You may request that we restrict the processing of your personal data in certain situations, such as when you dispute the accuracy of the data or have objected to its processing.
6.5 Right to Data Portability (Art. 20 GDPR)
If your personal data is processed based on your consent or a contract and handled by automated means, you may request to receive it in a structured, commonly used, machine‑readable format or have it transferred directly to another controller where technically feasible.
6.6 Right to Object (Art. 21 GDPR)
If we process your personal data based on our legitimate interests (Art. 6(1)(f) GDPR), you can object to such processing at any time. We will stop processing unless we demonstrate compelling legitimate grounds or need the data for legal claims.
6.7 Right to Lodge a Complaint (Art. 77 GDPR)
You can lodge a complaint with a supervisory authority if you believe that the processing of your data violates data protection laws. You may contact the authority at your place of habitual residence, your place of work, or the place where, in your opinion, the alleged infringement occurred. You can refer to the list of supervisory authorities of the European Data Protection Board to find the contact information of the corresponding authority.
To exercise your rights, please refer to Section 7 below for our contact details.
7. Contact Information
You may contact our data protection officer at any time. The data protection officer is obliged to maintain confidentiality regarding your request.
Indivumed GmbH, Data Protection Officer
Falkenried 88, House D
20251 Hamburg
E-mail: dpo@indivumed.com
Phone: +49 (40) 41 33 83 117
8. Closing Remarks
This Policy may be subject to updates from time to time to reflect changes in legal requirements or our processing practices. We will publish any changes on this page and, where appropriate, notify you through other communication channels.