Privacy Notice

This Privacy Notice describes how AAVantgarde Bio S.r.l and its group of companies (“AAVantgarde,” “we,” “us”, “our”) may collect and use personal information about you in connection with our business activities, communications and websites, as independent data controllers.

We are committed to safeguarding your personal information (or personal data) in line with all applicable laws, including the UK Data Protection Act 2018, EU General Data Protection Regulation (GDPR) and UK GDPR. AAVantgarde and its group companies are each independent ‘controllers’ of your personal data. This means that each company is responsible for deciding how it holds and uses personal information about you.

This Privacy Notice explains:

In some cases, additional or supplemental privacy notices may be created to apply to certain personal information that we collect and process. For example, more specific information is provided to employees or clinical trial participants.

We may amend this Privacy Notice from time to time, therefore we encourage you to refer to it periodically. If you have any questions, please contact us at [email protected]. If the alterations are material or affect your GDPR rights, we will let you know before the updated version becomes effective so that you may object.

The types of data subjects and personal information we collect

  • Contact Information: including email and physical home and work addresses, mobile and landline phone numbers;
  • Identifiers: including name, title, age, date of birth, tax reference or tax ID number, government-issued identifier such as driver’s license, passport or National Insurance number;
  • Internet: including browser type and version, operating system and platform, browser plug-in types and versions, browsing history, social media posts, device ID, IP address, MAC address, data about how you have interacted with our website;
  • Qualifications: including educational and professional history and qualifications, membership of professional bodies and societies;
  • Sensitive Information: including bank and credit card details, passwords, complaint data;
  • Special Category Data: including health data (e.g. disabilities, dietary requirements), racial or ethnic origin, religious or philosophical beliefs and sexual orientation; and
  • Status: including gender, sex, marital status, nationality, citizenship or location of birth, relationship to others e.g. parent, spouse etc.

We take appropriate steps to keep your personal information accurate, complete and up to date. If you believe your personal information is out of date or incomplete, contact us.

We collect personal information about individuals who visit our website (“Visitors”), people who submit comments, or questions to us (including via our website) (“Enquirers”), potential or current investors (“Investors”), applicants for job roles (“Applicants”), healthcare professionals (“HCPs”), including those with whom we have a contract for services (“Consultants”) and representatives of our business partners and suppliers (“Representatives”) collectively (“Everyone”).

How we use your personal information and the lawful basis

Activity Type of person Categories of data Lawful processing ground(s)

Providing, securing, protecting and improving our website and responding to correspondence

  • Visitors
  • Enquirers
  • Identifiers
  • Contact Information
  • Status
  • Internet
  • Legitimate Interests in running and improving our business
  • Consent
Administering our business relationship with you, your employer or your application
  • Applicant
  • Investors
  • HCPs
  • Consultants
  • Representatives
  • Identifiers
  • Contact Information
  • Status
  • Qualifications
  • Sensitive Information
  • Special Category Data
  • Consent
  • Performance of a Contract
  • Legal Obligation
  • Publicly Available
Delivering and measuring the success of targeted online communications 
  • Visitors
  • Enquirers
  • Internet
  • Legitimate Interests in running and improving our business
  • Consent
Raising awareness of our company, business and activities
  • Investors
  • HCPs
  • Representatives
  • Contact Information
  • Internet
  • Legitimate Interests in keeping stakeholders up to date on our strategy, achievements and progress
Fulfilling legal and/or regulatory obligations and/or requests
  • Everyone
  • All categories
  • Comply with a Legal Obligation
  • Legitimate Interests in responding to compelling voluntary requests for information
Managing your attendance at corporate events
  • Investors
  • HCPs
  • Consultants
  • Representatives
  • Identifiers
  • Contact Information
  • Status
  • Qualifications
  • Special Category Data
  • Consent
  • Performance of a Contract
  • Legal Obligation
  • Vital Interests
  • Publicly Available
Internal audit and compliance purposes
  • Everyone
  • All categories
  • Legitimate Interests in ensuring compliance with internal policies and procedures and the law/regulations
  • Comply with a Legal Obligation
  • Legal Claims

Lawful processing grounds

Comply with a Legal Obligation means processing your personal information where it is necessary for us to comply with a legal obligation.

Consent as the applicable law requires/permits means either: (a) an explicit, specific, informed, freely given unambiguous indication of your agreement to our processing of your personal information; or (b) an indication of your acceptance, following the provision of transparency information and a refusal to exercise your opt-out right (sometimes referred to as “implied consent”).

Legitimate Interests means our interest in conducting and managing our business as shown in the above table. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal information for our legitimate interests by undertaking an assessment. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your Consent or are otherwise required by law to Comply with a Legal Obligation). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.

Performance of a Contract means processing your personal information where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering such a contract.

Additional lawful processing conditions: Special Category Data

Legal Claims means processing your special category data because it is necessary for us to establish, exercise or defend legal claims.

Publicly Available means processing the special category data which you have volunteered for public consumption e.g. via open public media posts.

Vital Interests means processing your special category data where it is necessary to protect your (or another individual’s) life or death interests and you are incapable of giving Consent.

Our use of cookies and other similar technologies

We use cookies and equivalent technology to enable the website to function effectively and to improve Visitor experience. Some cookies are used to collect Internet information. For more information about our use of cookies, and your options for accepting or declining their use, please see our Cookie Policy. You may change your cookie settings at any time via the cookie consent management tool on our website. 

With whom we may share your personal information and where we may transfer it

The processing related to our websites takes place in the UK. Subject to legally permissible exemptions, the personal data of Everyone will not be disclosed for a purpose other than that for which they were collected but may be communicated to: (a) our affiliates’ authorised staff (including Consultants and Representatives); (b) as legally permissible, further independent data controllers (including professional advisers and accountants) with whom we have appropriate agreements and government and regulatory entities e.g. HMRC. A current list of our processors, as well as other parties to whom personal data may be communicated, is available upon request by contacting us. Further, we may disclose your personal data to third parties to whom we may sell (or buy), transfer or merge part(s) of our business or our assets.

Restricted transfers

Personal data is primarily stored within our companies and on servers located within the European Union and/or the UK or other countries deemed adequate under the GDPR (“Adequate Countries”). However, subject to the provision of suitable safeguards, we have the right to move your personal data and our servers (including those provided by our processors and sub-processors) to outside the Adequate Countries. In the absence of a decision on adequacy by the European Commission or the UK’s Secretary of State (as applicable), the suitable safeguards include guarantees of a contractual or negotiated nature, including Binding Corporate Rules and standard contractual clauses for data protection. In the absence of a decision on adequacy or other suitable safeguards as described above, the transfer to and/or processing of your personal data by third parties outside the Adequate Countries will be carried out only with your Consent.

Other ways we collect your personal information

Other than directly from you, we collect your personal information in a variety of ways, including but not limited to:

  • When you interact with us virtually or in-person by online means;
  • By phone, at meetings or conferences, or any other direct means;
  • Through government agencies, publicly available records and public sources; and/or
  • From industry associations and patient groups.

How long we retain your personal information for

We retain your personal information in accordance with our retention policy which sets out retention periods as may be required by law, or where there is a reason to keep it because of business need, legal action (actual or in reasonable contemplation), or for internal or external investigations. Once a retention period has lapsed, we take appropriate steps to dispose of your personal information.

How we protect your personal information

We adopt a variety of security measures and technologies to help protect your personal information from unauthorised access, use, disclosure, alteration or destruction in line with applicable data protection and privacy laws. We expect our third-party processors to adhere to the same requirements of data protection as stipulated in our contract terms with them.

Your data subject rights regarding your personal information

We comply with data privacy laws and regulations that provide data subjects with a number of rights over their personal information. The rights are referred to in Articles 15-16-17-18-20-21 and 22 GDPR. Depending upon the lawful processing ground relied upon to justify our processing of your personal information you may be entitled to request:

  • Access to your personal information (commonly known as a “data subject access request”) such as to receive a copy of the personal information we hold about you;
  • Correction of the personal information that we hold about you, if the information is incomplete or inaccurate;
  • Erasure of your personal information where there is no good reason for us continuing to process it or where you have exercised your right to object to processing;
  • Objection to processing of your personal information where we are relying on a Legitimate Interests (or those of a third party);
  • Restriction or suspension of processing of your personal information where we are relying on our Legitimate Interests;
  • Transfer (portability) of your personal information to another party where we are relying on your Consent or Performance of a Contract; and
  • Withdrawal of your Consent to the processing or your personal information, where we previously obtained it.

If you would like to exercise your rights, please contact us. We may ask you to verify your identity before fulfilling the request. Verification ensures that your personal data are kept secure. If you would like to make a complaint, please refer to the Contacting us and supervisory authorities section for further information.

Depending on the nature of the request, you may not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

What to do if you do not wish for us to collect or hold your personal information

Where you are given the option to share your personal information with us, you can always choose not to do so. If you object to the processing of your personal information, or if you have provided your Consent to processing and you later choose to withdraw it, we will respect that choice subject to our legal obligations and any legal exemptions which may apply. This could mean that we may not be able to perform the actions necessary to achieve the purposes as set out in this notice or that you may be unable to engage with AAVantgarde.

Contacting us and supervisory authorities

If you have any questions about this Privacy Notice or wish to make a data subject rights request, please email [email protected]. If you are unsatisfied with how we have handled your personal information or request, please contact us in the first instance and we will aim to resolve the matter.

You also have the right to submit a complaint to the supervisory authorities that AAVantgarde’s legal entities have registered with:

  • United Kingdom: Information Commissioner’s Office (ICO)
  • Italy: Garante per la Protezione dei Dati Personali (GDPD)

Last update: October 2024