VIONIS LABS

Privacy Policy

Information about how we collect, use, and protect your personal data

Last updated: In Process - Date

GDPR Compliance

This privacy policy complies with the EU General Data Protection Regulation (GDPR) and German data protection laws.

1. Data Protection Overview

We take the protection of your personal data very seriously and process it in accordance with applicable data protection laws, particularly the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG). This privacy policy explains what personal data we collect, how we process it, for what purposes, and what rights you have as a data subject. We implement appropriate technical and organizational measures to ensure data security and privacy by design.

2. Data Controller and Contact Information

The data controller responsible for processing your personal data is VIONIS LABS, Deutschland. You can contact us at info@vionislabs.com for all data protection matters. Our Data Protection Officer can be reached at the same address. We are registered with the Berlin Chamber of Commerce and comply with German data protection regulations. For urgent data protection matters, please contact us immediately.

3. Categories of Personal Data Collected

We collect and process the following categories of personal data: (a) Identity data: name, title, company, position; (b) Contact data: email, phone, address; (c) Technical data: IP address, browser type, device information; (d) Usage data: website interactions, service usage patterns; (e) Communication data: correspondence, meeting notes, project discussions; (f) Professional data: skills, experience, project requirements; (g) Financial data: billing information, payment details (processed by secure payment providers).

4. Legal Basis for Processing

We process personal data based on the following legal grounds under GDPR Article 6: (a) Consent (Art. 6(1)(a)) for marketing communications and optional services; (b) Contract performance (Art. 6(1)(b)) for service delivery and customer management; (c) Legal obligation (Art. 6(1)(c)) for tax, accounting, and regulatory compliance; (d) Legitimate interests (Art. 6(1)(f)) for business operations, security, and service improvement. Special category data is processed only with explicit consent or another lawful basis under GDPR Article 9.

5. Purposes of Data Processing

We process your personal data for the following purposes: (a) Service delivery and project management, (b) Customer relationship management and support, (c) Contract administration and billing, (d) Legal compliance and regulatory reporting, (e) Business development and marketing (with consent), (f) Website functionality and user experience improvement, (g) Security monitoring and fraud prevention, (h) Internal business operations and quality assurance, (i) Research and development of AI solutions (anonymized data only).

6. Data Retention Periods

We retain personal data only as long as necessary for the stated purposes or as required by law: (a) Customer data: duration of business relationship plus 3 years, (b) Contract data: 10 years per German commercial law, (c) Financial records: 10 years per tax regulations, (d) Marketing data: until consent withdrawal or 3 years of inactivity, (e) Website analytics: 26 months maximum, (f) Security logs: 12 months, (g) Correspondence: 3 years after last contact. Data is automatically deleted after retention periods expire.

7. Cookies and Online Tracking

Our website uses cookies and similar technologies: (a) Essential cookies: necessary for website functionality, cannot be disabled; (b) Performance cookies: anonymous usage statistics and site optimization; (c) Functional cookies: enhanced user experience and preferences; (d) Marketing cookies: personalized content and advertising (with consent). You can manage cookie preferences in your browser settings or our cookie banner. Third-party cookies from Google Analytics, social media plugins, and other services are subject to their respective privacy policies.

8. Web Analytics and Tracking

We use Google Analytics to understand website usage and improve user experience. Data processed includes page views, session duration, traffic sources, and user behavior patterns. IP addresses are anonymized, and data is stored on Google servers. You can opt out using the Google Analytics Opt-out Browser Add-on. We also use other analytics tools like Hotjar for heatmaps and user feedback. All analytics comply with data protection requirements and user consent preferences.

9. Marketing and Communications

With your consent, we may send marketing communications about our services, industry insights, and events. You can subscribe to our newsletter, webinar invitations, and product updates. We use email marketing platforms like Mailchimp, which comply with GDPR. You can unsubscribe at any time using the link in our emails or by contacting us directly. We do not sell, rent, or share your data with third parties for their marketing purposes.

10. Third-Party Data Sharing and Processors

We share personal data with trusted third-party service providers who assist in our operations: (a) Cloud hosting providers (AWS, Azure) for data storage, (b) Payment processors for billing and transactions, (c) Email service providers for communications, (d) Analytics providers for website optimization, (e) Professional service providers (legal, accounting), (f) Subcontractors for project delivery (under strict confidentiality). All third parties are contractually bound to protect your data and process it only for specified purposes.

11. International Data Transfers

Some of our service providers are located outside the European Economic Area (EEA). We ensure adequate protection through: (a) European Commission adequacy decisions, (b) Standard Contractual Clauses (SCCs), (c) Binding Corporate Rules (BCRs), (d) Certification schemes and codes of conduct. We regularly review transfer mechanisms and update safeguards as needed. You can request information about specific transfers and safeguards by contacting our Data Protection Officer.

12. Data Security Measures

We implement comprehensive security measures to protect your personal data: (a) Technical measures: encryption in transit and at rest, secure protocols (TLS/SSL), access controls, firewalls, regular security updates; (b) Organizational measures: staff training, confidentiality agreements, data handling procedures, incident response plans; (c) Physical measures: secure facilities, restricted access, surveillance systems. We conduct regular security assessments and penetration testing. Despite our efforts, no system is 100% secure; we promptly address any identified vulnerabilities.

13. Data Breach Notification

In the event of a personal data breach that poses risks to your rights and freedoms, we will notify you within 72 hours of becoming aware of the breach. The notification will include: (a) Nature and scope of the breach, (b) Likely consequences and risks, (c) Measures taken to address the breach, (d) Recommendations for protecting yourself. We will also notify relevant supervisory authorities as required by law. We maintain detailed incident response procedures and regularly test our breach response capabilities.

14. Automated Decision-Making and Profiling

We may use automated decision-making for: (a) Fraud detection and security monitoring, (b) Service personalization and recommendations, (c) Marketing segmentation and targeting, (d) Quality assurance and performance optimization. We do not make solely automated decisions with significant legal or similar effects without human involvement. You have the right to request human review of automated decisions, express your point of view, and contest the decision. We will explain the logic and significance of automated processing when requested.

15. Your Data Subject Rights

Under GDPR, you have the following rights regarding your personal data: (a) Right of access: obtain confirmation and copies of your data, (b) Right to rectification: correct inaccurate or incomplete data, (c) Right to erasure: request deletion in certain circumstances, (d) Right to restrict processing: limit how we use your data, (e) Right to data portability: receive your data in a structured format, (f) Right to object: oppose processing based on legitimate interests, (g) Right to withdraw consent: revoke consent for consent-based processing. To exercise these rights, contact us at info@vionislabs.com with proof of identity.

16. Right to Lodge a Complaint

If you believe we have violated data protection laws or handled your personal data improperly, you have the right to lodge a complaint with a supervisory authority. In Germany, you can contact your local data protection authority or the Federal Commissioner for Data Protection and Freedom of Information (BfDI). You can also contact the supervisory authority in your country of residence, work, or where the alleged violation occurred. We encourage you to contact us first so we can address your concerns directly.

17. Changes to This Privacy Policy

We may update this privacy policy to reflect changes in our practices, legal requirements, or business operations. We will notify you of material changes by email or prominent website notice at least 30 days before the changes take effect. Continued use of our services after changes constitutes acceptance of the updated policy. We maintain previous versions of our privacy policy for reference. The current version is always available on our website with the effective date clearly indicated.

Data Protection Contact

If you have questions about data protection or want to exercise your rights, please contact our data protection officer.

Email: info@vionislabs.com

Address: VIONIS LABS, Deutschland